JsSfx – JavaScript compression/obfuscation
Issue 17 – Msxml2.XMLHTTP.3.0 response handling memory corruption
Exploits, ASLR and randomness
When trying to bypass DEP, I often use a heap spray to get data (including my shellcode) in a predictable location first. Next, I use ret-into-libc to call VirtualProtect in an attempt to give the...
w32 MessageBox shellcode
I’ve created and published various very small versions of often used shellcodes for 32-bit versions of Windows, such as a bindshell, download & LoadLibrary shellcode and calc.exe executing...
Issue 21 – Microsoft Windows Media Player memory corruption using popups
About 4 months ago I finally tracked down a memory corruption issue that my fuzzers had been hitting on occasion. It appeared that the root cause was some kind of memory corruption or stale pointer...
Issue 23 – Oracle Java OBJECT tag “launchjnlp”/“docbase” property stack...
About a month and a half ago, information about an 0-day vulnerability in the Apple QuickTime plugin was published. It reminded me of a project I had planned to implement for a while (since 2004 to be...
Issue 18 – Oracle Java APPLET tag children property memory corruption
About half a year ago, I found a memory corruption issue in Oracle Java Version 6 Update 20 which could be triggered by loading Java in MSIE through the “APPLET” tag and accessing the “children”...
Issue 32 – Oracle Java plugin2 non-exploitable memory corruption
About two years ago I found what appeared to be a memory corruption issue in SUN (now owned by Oracle) Java Version 6 Update 10. I failed to find any evidence that the issue allows remote code...
Bypassing Export address table Address Filter (EAF)
(An unfinished version of this blog post was accidentally published last week. In case you got a hold of a copy: I’ve made only small modifications, so no need to re-read the entire post. However, I...
w32 speaking shellcode – Pwn in style
Over the past few weeks I created a new shellcode that uses the Microsoft Speech API to have the target computer say “You got pwned!” over the speakers. Needless to say, the practical applications are...