Channel: Skypher » Security
Browsing all 10 articles

JsSfx – JavaScript compression/obfuscation

Issue 17 – Msxml2.XMLHTTP.3.0 response handling memory corruption

Exploits, ASLR and randomness

When trying to bypass DEP, I often use a heap spray to get data (including my shellcode) in a predictable location first. Next, I use ret-into-libc to call VirtualProtect in an attempt to give the...
w32 MessageBox shellcode

I’ve created and published various very small versions of often used shellcodes for 32-bit versions of Windows, such as a bindshell, download & LoadLibrary shellcode and calc.exe executing...
Issue 21 – Microsoft Windows Media Player memory corruption using popups

About 4 months ago I finally tracked down a memory corruption issue that my fuzzers had been hitting on occasion. It appeared that the root cause was some kind of memory corruption or stale pointer...
Issue 23 – Oracle Java OBJECT tag “launchjnlp”/“docbase” property stack...

About a month and a half ago, information about an 0-day vulnerability in the Apple QuickTime plugin was published. It reminded me of a project I had planned to implement for a while (since 2004 to be...
Issue 18 – Oracle Java APPLET tag children property memory corruption

About half a year ago, I found a memory corruption issue in Oracle Java Version 6 Update 20 which could be triggered by loading Java in MSIE through the “APPLET” tag and accessing the “children”...
Issue 32 – Oracle Java plugin2 non-exploitable memory corruption

About two years ago I found what appeared to be a memory corruption issue in SUN (now owned by Oracle) Java Version 6 Update 10. I failed to find any evidence that the issue allows remote code...
Bypassing Export address table Address Filter (EAF)

(An unfinished version of this blog post was accidentally published last week. In case you got a hold of a copy: I’ve made only small modifications, so no need to re-read the entire post. However, I...
w32 speaking shellcode – Pwn in style

Over the past few weeks I created a new shellcode that uses the Microsoft Speech API to have the target computer say “You got pwned!” over the speakers. Needless to say, the practical applications are...