Exploit the possiblities
Showing 1 - 25 of 34 RSS Feed

Files from Chris Evans

Email addressscarybeasts at gmail.com
First Active2000-05-17
Last Active2016-12-15
Gstreamer 0.10.x Logic Error
Posted Dec 15, 2016
Authored by Chris Evans | Site scarybeastsecurity.blogspot.com

A vulnerability and a separate logic error exist in the gstreamer 0.10.x player for NSF music files. Combined, they allow for very reliable exploitation and the bypass of 64-bit ASLR, DEP, etc. The reliability is provided by the presence of a turing complete "scripting" inside a music player. Read the homepage link for full analysis. Proof of concept exploit included in this archive.

tags | exploit, proof of concept
MD5 | da231d9408e25a8f4d0e8b1c067159dc
Gstreamer Heap Corruption
Posted Nov 25, 2016
Authored by Chris Evans

A full analysis and proof of concept 0-day exploits for a heap corruption vulnerability in the gstreamer decoder.

tags | exploit, proof of concept
MD5 | 3a4f02974a472c9519faae24f2a7c085
Adobe Flash Wild Write Crash
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from a wild write at 0x453b0cf0 in color conversion that causes a crash.

tags | exploit
systems | linux
advisories | CVE-2015-5575
MD5 | 4fe5ff4936c2217816cb31ea4e1bed3f
Adobe Flash Content Information Leak
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from an information leak that may render non-deterministic content that apparently contains pointers.

tags | exploit
systems | linux
advisories | CVE-2015-5576
MD5 | 2619b990ef9018d089ba2ecd0f6c95fc
Adobe Flash AAC Audio Handling Out-Of-Bounds Read
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from an out-of-bounds read in AAC audio handling.

tags | exploit
systems | linux
advisories | CVE-2015-5577
MD5 | 306d5671231318b046a9d4adc763245a
Adobe Flash Negative Table Indexing Out-Of-Bounds Crash
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from an out-of-bounds crash due to a negative table indexing error loading an 8-byte wide value.

tags | exploit
systems | linux
advisories | CVE-2015-5578
MD5 | 4ee4ee091b092e9ea0e972e6f8dffb06
Adobe Flash Corrupt Stack Crash
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash has an issue where a corrupt stack leads to misaligned XMM instruction decoding h.264.

tags | exploit
systems | linux
advisories | CVE-2015-5579
MD5 | 643aad0ddef85b6fcf98a1e8a5e08bf0
Adobe Flash Wild Pointer Crash
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

Adobe Flash suffers from a crash due to a wild pointer 0x1808121a502959a4 decoding h.264.

tags | exploit
systems | linux
advisories | CVE-2015-5580
MD5 | 3fbfcc03c8b7af8cf191f0344a22cbcd
Adobe Flash Use-After-Free
Posted Mar 22, 2016
Authored by Chris Evans, Google Security Research

There is an apparent use-after-free in Adobe Flash video decoding, which can be manifesting by running a specific SWF file.

tags | advisory
systems | linux
advisories | CVE-2015-5584
MD5 | 3efa6eb6fabbdbef9f913fe3a9146888
Libstagefright Saio Tag Integer Overflow / Heap Corruption
Posted Oct 29, 2015
Authored by Chris Evans, Google Security Research

Code auditing discovered a Libstagefright integer overflow and heap corruption vulnerability in the Saio tag.

tags | exploit, overflow
systems | linux
advisories | CVE-2015-3868
MD5 | 7e916b78b0e2070a0f07e3934a07f382
Flash Bypass Of Length Vs. Cookie Validation
Posted Aug 21, 2015
Authored by Chris Evans, Google Security Research

Flash version 18.0.0.209 contains new mitigations to defend against corruptions of Vector.<uint> (and other) lengths. One of these mitigations, at Vector access time, compares the Vector's in-memory length with a representation of the same length XOR'ed with a secret cookie. The bypass comes about because the secret cookie value is stored inside a structure, and a pointer to that structure is stored alongside the Vector length.

tags | exploit
systems | linux
advisories | CVE-2015-5125
MD5 | 7127d0015fa3af278bed72923a08cb0e
Flash Bad / Wild Write In XML When Callback Modifies XML Tree
Posted Aug 21, 2015
Authored by Chris Evans, Google Security Research

The proof of concept works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.

tags | exploit, proof of concept
systems | linux
advisories | CVE-2015-5549
MD5 | 88e8e3fa92bf4020d2477ece9d57f59a
Adobe Flash Player Drawing Fill Shader Memory Corruption
Posted Jun 27, 2015
Authored by Chris Evans, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a memory corruption happening when applying a Shader as a drawing fill as exploited in the wild on June 2015. This Metasploit module has been tested successfully on: Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188, Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188, Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188, and Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460.

tags | exploit
systems | linux, windows, 7
advisories | CVE-2015-3105
MD5 | 27d8201ab2355b45ec75bb2d93ef2629
Adobe Flash Player ShaderJob Buffer Overflow
Posted Jun 19, 2015
Authored by Chris Evans, juan vazquez, temp66 | Site metasploit.com

This Metasploit module exploits a buffer overflow vulnerability related to the ShaderJob workings on Adobe Flash Player. The vulnerability happens when trying to apply a Shader setting up the same Bitmap object as src and destination of the ShaderJob. Modifying the "width" attribute of the ShaderJob after starting the job it's possible to create a buffer overflow condition where the size of the destination buffer and the length of the copy are controlled.

tags | exploit, overflow
advisories | CVE-2015-3090
MD5 | 27e6364d703ca0c934dda145b1becbea
Adobe Flash Player copyPixelsToByteArray Integer Overflow
Posted Apr 19, 2015
Authored by Chris Evans, Nicolas Joly, juan vazquez, hdarwin | Site metasploit.com

This Metasploit module exploits an integer overflow in Adobe Flash Player. The vulnerability occurs in the copyPixelsToByteArray method from the BitmapData object. The position field of the destination ByteArray can be used to cause an integer overflow and write contents out of the ByteArray buffer. This Metasploit module has been tested successfully on Windows 7 SP1 (32-bit), IE 8 to IE 11 and Flash 14.0.0.176, 14.0.0.145 and 14.0.0.125.

tags | exploit, overflow
systems | windows, 7
advisories | CVE-2014-0556
MD5 | 4cff6de22707258e03d6b5a94098eea8
glibc __gconv_translit_find() Privilege Escalation
Posted Aug 26, 2014
Authored by Chris Evans, Tavis Ormandy

glibc __gconv_translit_find() single-fixed-byte heap metadata overflow local root exploit for Fedora 20 32-bit. This issue is not specific to Fedora, but the proof of concept is specifically for Fedora 20 32-bit.

tags | exploit, overflow, local, root, proof of concept
systems | linux, unix, fedora
advisories | CVE-2014-5119
MD5 | 793916b5756ad9ad1e630a13328c6fa9
Foxit PDF Reader 4.2 Javascript File Write
Posted Mar 14, 2011
Authored by Chris Evans, bannedit | Site metasploit.com

This Metasploit module exploits an unsafe Javascript API implemented in Foxit PDF Reader version 4.2. The createDataObject() Javascript API function allows for writing arbitrary files to the file system. This issue was fixed in version 4.3.1.0218. Note: This exploit uses the All Users directory currently, which required administrator privileges to write to. This means an administrative user has to open the file to be successful. Kind of lame but thats how it goes sometimes in the world of file write bugs.

tags | exploit, arbitrary, javascript
advisories | OSVDB-71104
MD5 | 0a5eec385cb35fcdc29d85f762cafb84
glibc alloca() Memory Corruption
Posted Feb 25, 2011
Authored by Chris Evans | Site scarybeastsecurity.blogspot.com

Interesting blog entry that discusses how a glibc alloca()-based memory corruption vulnerability allowed for code execution.

tags | paper, code execution
MD5 | e56c4d56e87ef64c4b60687bca94b955
Internet Explorer Cross-Origin Leak
Posted Oct 22, 2010
Authored by Chris Evans

Microsoft Internet Explorer suffers from a cross-origin leak vulnerability.

tags | advisory
MD5 | 14d1c372a570dedccc3158153e8fac77
Microsoft Internet Explorer 8 Forced Tweeting
Posted Sep 3, 2010
Authored by Chris Evans

Microsoft Internet Explorer 8 suffers from a vulnerability that allows an arbitrary web site the ability to force a victim to make tweets.

tags | advisory, web, arbitrary
MD5 | 51e26942b1d61bf8696ece2a57b00b66
Open Source CERT Security Advisory 2009.10
Posted Jul 14, 2009
Authored by Chris Evans, Damien Miller, Open Source CERT

The mimeTeX and mathTeX CGIs suffer from several buffer overflows as well as command injection which result in remote code execution. Unfortunately mimeTeX and mathTex are provided without version numbers by the maintainer, who releases version-less zip archives. It is therefore impossible to provide affected version numbers.

tags | advisory, remote, overflow, cgi, code execution
advisories | CVE-2009-1382, CVE-2009-1383
MD5 | c7054415cf4b97f427efeec7cef352ed
Apple Safari XXE Local File Theft
Posted Jun 9, 2009
Authored by Chris Evans

Apple Safari versions prior to 4 may permit an evil web page to steal files from the local system by mounting an XXE attack against the parsing of the XSL XML.

tags | exploit, web, local
systems | apple
MD5 | 0c66cbfa46563336f3729fe78925cd1d
Chris Evans Security Advisory 2009.3
Posted Mar 20, 2009
Authored by Chris Evans

LittleCMS versions prior to 1.18beta2 suffers from various integer and buffer overflows as well as memory leak errors.

tags | advisory, overflow, memory leak
MD5 | bb38dbc806d63d06a94a21d1530a58fc
Chris Evans Security Advisory 2009.1
Posted Jan 24, 2009
Authored by Chris Evans

There is a trick which may permit the bypassing of policies in technologies which do syscall filtering on the Linux x86_64 kernel. The trick is made possible by the fact that the 32-bit and 64-bit kernel tables are different, combined with the fact that a 64-bit process can make a 32-bit syscall and visa versa. The syscall "number" check can get confused and permit a syscall it did not intend to.

tags | advisory, kernel
systems | linux
MD5 | 9bb2e29345e0e8c679ca3e5aadf00d06
Chris Evans Security Advisory 2008.9
Posted Nov 19, 2008
Authored by Chris Evans

Firefox versions 2.0.0.18 and below and WebKit nightly are affected by a cross-domain arbitrary image theft vulnerability.

tags | advisory, arbitrary
advisories | CVE-2008-5012
MD5 | a5218b3dbe84d9457e5d725d2e5b90c9
Page 1 of 2
Back12Next

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close