Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners