12 matches found
Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution
Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution Sources: https://phoenhex.re/2017-06-02/arrayspread https://github.com/phoenhex/files/blob/master/exploits/spread-overflow JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal in...
Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution
Sources: https://phoenhex.re/2017-06-02/arrayspread https://github.com/phoenhex/files/blob/master/exploits/spread-overflow JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal in slowpathspread. As such, roughly 4 billion JSValues will have to be allocated,...
QNAP NVR / NAS Overflows Vulnerability
QNAP NVR and NAS devices suffer from multiple overflows. Various makes and models are affected. Full exploitation details provided. STX Subject: QNAP NVR/NAS Heap / Stack / Heap Feng Shui overflow, and "Heack Combo" to pwn Researcher: bashis January 2017 Release date: February 1, 2017 Device Mode...
QNAP NVR/NAS Devices - Buffer Overflow (PoC)
Device Model: QNAP VioStor NVR, QNAP NAS, Fujitsu Celvin NAS May be additional re-branded Attack Vector: Remote Attack Models: 1. Classic Heap Overflows 2. Classic Stack Overflow 3. Heap Feng Shui Overflow 4. "Heack Combo" Heap / Stack Combination Overflow Timeline 07/01/2017: QNAP contacted me...
Microsoft Internet Explorer 8 jscript - 'RegExpBase::FBadHeader' Use-After-Free (MS15
Exploit for windows platform in category dos / poc // This PoC attempts to exploit a use-after-free bug in Microsoft Internet // Explorer 8. // See http://blog.skylined.nl/20161116001.html for details. var r=new RegExp"A|x|x|xx|xxxxxxxxxxxxxxxxxxxx+", "g"; "A".replacer, function // Force OLEAUT...
Microsoft Internet Explorer 8 - jscript RegExpBase::FBadHeader Use-After-Free (MS15-018)
Microsoft Internet Explorer 8 - jscript RegExpBase::FBadHeader Use-After-Free MS15-018 // This PoC attempts to exploit a use-after-free bug in Microsoft Internet // Explorer 8. // See http://blog.skylined.nl/20161116001.html for details. var r=new RegExp"A|x|x|xx|xxxxxxxxxxxxxxxxxxxx+", "g";...
VBScript 5.8.7600.16385 / 5.8.9600.16384 - RegExpComp::PnodeParse Out-of-Bounds Read Exploit
Exploit for windows platform in category dos / poc !-- Source: http://blog.skylined.nl/20161108001.html Synopsis A specially crafted script can cause the VBScript engine to read data beyond a memory block for use as a regular expression. An attacker that is able to run such a script in any...
VBScript 5.8.7600.16385/5.8.9600.16384 - RegExpComp::PnodeParse Out-of-Bounds Read
!-- Source: http://blog.skylined.nl/20161108001.html Synopsis A specially crafted script can cause the VBScript engine to read data beyond a memory block for use as a regular expression. An attacker that is able to run such a script in any application that embeds the VBScript engine may be able t...
Microsoft Visual Studio - Msmask32.ocx ActiveX Remote Buffer Overflow
Microsoft Visual Studio - Msmask32.ocx ActiveX Remote Buffer Overflow Microsoft Visual Studio Msmask32.ocx ActiveX Remote Buffer Overflow Exploit Author: Koshi Original POC: http://www.milw0rm.com/exploits/6244 Not by me My first ActiveX exploit, learned quite a bit playing with this one. Heaps a...
Microsoft Visual Studio (Msmask32.ocx) ActiveX Remote BOF Exploit
Exploit for unknown platform in category remote exploits ================================================================= Microsoft Visual Studio Msmask32.ocx ActiveX Remote BOF Exploit ================================================================= Microsoft Visual Studio Msmask32.ocx ActiveX...
Microsoft Visual Studio - 'Msmask32.ocx' ActiveX Remote Buffer Overflow
Microsoft Visual Studio Msmask32.ocx ActiveX Remote Buffer Overflow Exploit Author: Koshi Original POC: http://www.milw0rm.com/exploits/6244 Not by me My first ActiveX exploit, learned quite a bit playing with this one. Heaps are handy. Loaded File: C:\WINDOWS\system32\MSMASK32.OCX Name: MSMask...
Microsoft Windows - Animated Cursor .ani Universal Generator
Microsoft Windows - Animated Cursor .ani Universal Generator -------------------------------------------------------------------------------- Info: .ANI RIFF Cursors 2007 universal exploit generator Tested on MS Internet Explorer 6.x-7.x, Windows XP SP2, Windows Vista Author: Yag Kohha 10xnGr33tz...