what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 34 RSS Feed

Files from Chris Evans

Email addressscarybeasts at gmail.com
First Active2000-05-17
Last Active2016-12-15
Gstreamer 0.10.x Logic Error
Posted Dec 15, 2016
Authored by Chris Evans | Site scarybeastsecurity.blogspot.com

A vulnerability and a separate logic error exist in the gstreamer 0.10.x player for NSF music files. Combined, they allow for very reliable exploitation and the bypass of 64-bit ASLR, DEP, etc. The reliability is provided by the presence of a turing complete "scripting" inside a music player. Read the homepage link for full analysis. Proof of concept exploit included in this archive.

tags | exploit, proof of concept
SHA-256 | efc0146838d9c8d7a192a4e776050cdf88ee6e0ad5ec639d2c832f8efc66e28b
Gstreamer Heap Corruption
Posted Nov 25, 2016
Authored by Chris Evans

A full analysis and proof of concept 0-day exploits for a heap corruption vulnerability in the gstreamer decoder.

tags | exploit, proof of concept
SHA-256 | b3a3dfb6b4b156d010d88b6ada470f62c2eeef56abcf655a4cb2263086fc11ec
Adobe Flash Wild Write Crash
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from a wild write at 0x453b0cf0 in color conversion that causes a crash.

tags | exploit
systems | linux
advisories | CVE-2015-5575
SHA-256 | 051621ef0094ab8b55b05d6b364d50f6b9948eb005475d56a5738771d2f6685f
Adobe Flash Content Information Leak
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from an information leak that may render non-deterministic content that apparently contains pointers.

tags | exploit
systems | linux
advisories | CVE-2015-5576
SHA-256 | 41c6dbb42e26cd157241d1aeb71129cad02abd56098cd0be0d24a4218914f04d
Adobe Flash AAC Audio Handling Out-Of-Bounds Read
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from an out-of-bounds read in AAC audio handling.

tags | exploit
systems | linux
advisories | CVE-2015-5577
SHA-256 | 4bcaa997a98d2899f0ece2d75dffe49e567d8dc983b849e3e2064ea6b326e3c7
Adobe Flash Negative Table Indexing Out-Of-Bounds Crash
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from an out-of-bounds crash due to a negative table indexing error loading an 8-byte wide value.

tags | exploit
systems | linux
advisories | CVE-2015-5578
SHA-256 | b3ad0dc02ed41ab14eba6c462db84fb45a39c098eb29704bf6b8223a07f586b3
Adobe Flash Corrupt Stack Crash
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash has an issue where a corrupt stack leads to misaligned XMM instruction decoding h.264.

tags | exploit
systems | linux
advisories | CVE-2015-5579
SHA-256 | 086db050537a7703e18f330b90eadb38bd185e96a3d67e197511bc2195eeb98f
Adobe Flash Wild Pointer Crash
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from a crash due to a wild pointer 0x1808121a502959a4 decoding h.264.

tags | exploit
systems | linux
advisories | CVE-2015-5580
SHA-256 | 74a5f32e448690af1d7c9d399017241a40f3bdb279dde7a3861f9ea7c03354ce
Adobe Flash Use-After-Free
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

There is an apparent use-after-free in Adobe Flash video decoding, which can be manifesting by running a specific SWF file.

tags | advisory
systems | linux
advisories | CVE-2015-5584
SHA-256 | 723433120939057b04d68a11edd9e1ad87990051b590609ba3cc7d93f7fbcb70
Libstagefright Saio Tag Integer Overflow / Heap Corruption
Posted Oct 29, 2015
Authored by Chris Evans, Google Security Research

Code auditing discovered a Libstagefright integer overflow and heap corruption vulnerability in the Saio tag.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-3868
SHA-256 | de3c115352c90fa8f2310b17c7ea48cfcb49051855371160b2525f16b5d92a47
Flash Bypass Of Length Vs. Cookie Validation
Posted Aug 21, 2015
Authored by Chris Evans, Google Security Research

Flash version 18.0.0.209 contains new mitigations to defend against corruptions of Vector.<uint> (and other) lengths. One of these mitigations, at Vector access time, compares the Vector's in-memory length with a representation of the same length XOR'ed with a secret cookie. The bypass comes about because the secret cookie value is stored inside a structure, and a pointer to that structure is stored alongside the Vector length.

tags | exploit
systems | linux
advisories | CVE-2015-5125
SHA-256 | fcdf12cd364c0ea733d2eac6b27e7d2f9f878fe5206bb8c75cbfc449ce599745
Flash Bad / Wild Write In XML When Callback Modifies XML Tree
Posted Aug 21, 2015
Authored by Chris Evans, Google Security Research

The proof of concept works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.

tags | exploit, proof of concept
systems | linux
advisories | CVE-2015-5549
SHA-256 | d354b53a4080ae486dd69761b4252b5e10b5e424aae7f11b794443c70d285daa
Adobe Flash Player Drawing Fill Shader Memory Corruption
Posted Jun 27, 2015
Authored by Chris Evans, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a memory corruption happening when applying a Shader as a drawing fill as exploited in the wild on June 2015. This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188, Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.

tags | exploit
systems | linux, windows
advisories | CVE-2015-3105
SHA-256 | a2184f47ed1174e50ad69f7fd1808a0bfb8843fb0450d0e5bd5891aa520131cd
Adobe Flash Player ShaderJob Buffer Overflow
Posted Jun 19, 2015
Authored by Chris Evans, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after starting the job it's possible to create a buffer overflow condition where the size of the destination buffer and the length of the copy are controlled.

tags | exploit, overflow
advisories | CVE-2015-3090
SHA-256 | 85ac61cf4df86a48ba3ebb5575fe809cd20d6d403d015526e3943526ed3262d0
Adobe Flash Player copyPixelsToByteArray Integer Overflow
Posted Apr 19, 2015
Authored by Chris Evans, Nicolas Joly, juan vazquez, hdarwin | Site metasploit.com

This Metasploit module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the copyPixelsToByteArray method from the BitmapData object. The position field of the destination ByteArray can be used to cause an integer overflow and write contents out of the ByteArray buffer. This Metasploit module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145 and 14.0.0.125.

tags | exploit, overflow
systems | windows
advisories | CVE-2014-0556
SHA-256 | 0261f65421dd66c2140dc4d01ec869ffa16a08028c90426650ee76ecbe40cc47
glibc __gconv_translit_find() Privilege Escalation
Posted Aug 26, 2014
Authored by Chris Evans, Tavis Ormandy

glibc __gconv_translit_find() single-fixed-byte heap metadata overflow local root exploit for Fedora 20 32-bit. This issue is not specific to Fedora, but the proof of concept is specifically for Fedora 20 32-bit.

tags | exploit, overflow, local, root, proof of concept
systems | linux, unix, fedora
advisories | CVE-2014-5119
SHA-256 | 330176e29f7a995ed48f5d0fc2ba71392f2e4a5144f7fae13882ef998e79a6d1
Foxit PDF Reader 4.2 Javascript File Write
Posted Mar 14, 2011
Authored by Chris Evans, bannedit | Site metasploit.com

This Metasploit module exploits an unsafe Javascript API implemented in Foxit PDF Reader version 4.2. The createDataObject() Javascript API function allows for writing arbitrary files to the file system. This issue was fixed in version 4.3.1.0218. Note: This exploit uses the All Users directory currently, which required administrator privileges to write to. This means an administrative user has to open the file to be successful. Kind of lame but thats how it goes sometimes in the world of file write bugs.

tags | exploit, arbitrary, javascript
advisories | OSVDB-71104
SHA-256 | d026ecdeb70b4e79e1a300231786aff558d631a15efcc80798eb6c642d176d5e
glibc alloca() Memory Corruption
Posted Feb 25, 2011
Authored by Chris Evans | Site scarybeastsecurity.blogspot.com

Interesting blog entry that discusses how a glibc alloca()-based memory corruption vulnerability allowed for code execution.

tags | paper, code execution
SHA-256 | 6b372618ec2a21f674080b0819cbfb4ca8ee6bc398a1fbc24854277dc3dca356
Internet Explorer Cross-Origin Leak
Posted Oct 22, 2010
Authored by Chris Evans

Microsoft Internet Explorer suffers from a cross-origin leak vulnerability.

tags | advisory
SHA-256 | 53499dc63a1db7878a76102343c1baf73d12e3bc3f97685e9fc61b7aa875f0dd
Microsoft Internet Explorer 8 Forced Tweeting
Posted Sep 3, 2010
Authored by Chris Evans

Microsoft Internet Explorer 8 suffers from a vulnerability that allows an arbitrary web site the ability to force a victim to make tweets.

tags | advisory, web, arbitrary
SHA-256 | 8269887c6dc615aa7b380185ff2cddb02707773fa120bc701801b7bafec70899
Open Source CERT Security Advisory 2009.10
Posted Jul 14, 2009
Authored by Chris Evans, Damien Miller, Open Source CERT

The mimeTeX and mathTeX CGIs suffer from several buffer overflows as well as command injection which result in remote code execution. Unfortunately mimeTeX and mathTex are provided without version numbers by the maintainer, who releases version-less zip archives. It is therefore impossible to provide affected version numbers.

tags | advisory, remote, overflow, cgi, code execution
advisories | CVE-2009-1382, CVE-2009-1383
SHA-256 | 0181f431cd410e4c33142e0c3e7cd11c54e2c56b58df8719276e741e9c0c3aed
Apple Safari XXE Local File Theft
Posted Jun 9, 2009
Authored by Chris Evans

Apple Safari versions prior to 4 may permit an evil web page to steal files from the local system by mounting an XXE attack against the parsing of the XSL XML.

tags | exploit, web, local, xxe
systems | apple
SHA-256 | e9629230c391f216896d6065eb1e80b55c3825799e35430b12dbef7a474701b8
Chris Evans Security Advisory 2009.3
Posted Mar 20, 2009
Authored by Chris Evans

LittleCMS versions prior to 1.18beta2 suffers from various integer and buffer overflows as well as memory leak errors.

tags | advisory, overflow, memory leak
SHA-256 | e08b60bf2eb57ab4cae3a2831d2547cb74b70029d9d52d83b1c5a3cd3d0f3ac8
Chris Evans Security Advisory 2009.1
Posted Jan 24, 2009
Authored by Chris Evans

There is a trick which may permit the bypassing of policies in technologies which do syscall filtering on the Linux x86_64 kernel. The trick is made possible by the fact that the 32-bit and 64-bit kernel tables are different, combined with the fact that a 64-bit process can make a 32-bit syscall and visa versa. The syscall "number" check can get confused and permit a syscall it did not intend to.

tags | advisory, kernel
systems | linux
SHA-256 | 71f9f1ada6ae634228b54736464e7a4841b30f48b31c56977488fe81bf3eae53
Chris Evans Security Advisory 2008.9
Posted Nov 19, 2008
Authored by Chris Evans

Firefox versions 2.0.0.18 and below and WebKit nightly are affected by a cross-domain arbitrary image theft vulnerability.

tags | advisory, arbitrary
advisories | CVE-2008-5012
SHA-256 | d0194747a05587197d8e8c47a948cf9b3eee714682e19c5c1a8a0ea718f09d2e
Page 1 of 2
Back12Next

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    15 Files
  • 28
    Jun 28th
    14 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close