exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 24 of 24 RSS Feed

Files from Peter Vreugdenhil

Email addresssecurity at petervreugdenhil.nl
First Active2005-08-10
Last Active2013-09-09
MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
Posted Sep 9, 2013
Authored by Peter Vreugdenhil, sinn3r, Orange Tsai | Site metasploit.com

In IE8 standards mode, it's possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement's outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it's trying to make a call to the object's SecurityContext virtual function at offset +0x70, which results a crash. An attacker can take advantage of this by first creating an CAnchorElement object, let it free, and then replace the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user. This bug is specific to Internet Explorer 8 only. It was originally discovered by Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update.

tags | exploit, arbitrary, code execution
SHA-256 | 1c003b48b2f0c41a3c3ef91938ebd714d766a2510222a8c5b84652445ec8f591
MS10-002 Internet Explorer Object Memory Use-After-Free
Posted Mar 22, 2012
Authored by Peter Vreugdenhil, sinn3r, juan vazquez | Site metasploit.com

This Metasploit module exploits a vulnerability found in Internet Explorer's mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the context of the user. This particular vulnerability was also one of 2012's Pwn2Own challenges, and was later explained by Peter Vreugdenhil with exploitation details. Instead of Peter's method, this module uses heap spraying like the 99% to store a specially crafted memory layout before re-using the freed memory.

tags | exploit, remote, code execution
advisories | CVE-2010-0248, OSVDB-61914
SHA-256 | 80aa8fe12f19503ea93e85f9cbe5047a17dec97794103ad2756b25cd88a949ee
Oracle Java True Type Font IDEF Opcode Parsing Remote Code Execution
Posted Feb 23, 2012
Authored by Peter Vreugdenhil | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Java handles True Type Font files. When reading a font file, Java will use the MaxInstructionSize from the maxp table to create a heap memory location to store all the Instruction Definition found in the Font Program 'fpgm' table. However, when Java encounters an IDEF opcode (0x89) in the opcode stream it never checks the size of the MaxInstructionSize which can result in a heap buffer overflow. This can lead to remote code execution under the context of the current process.

tags | advisory, java, remote, overflow, arbitrary, code execution
SHA-256 | 7d7c2f550994a2e5cd5e28b925d468c48c1d40628d005eac85f1b8d0d1c73513
Java MixerSequencer Object GM_Song Structure Handling
Posted Feb 17, 2012
Authored by Peter Vreugdenhil, juan vazquez | Site metasploit.com

This Metasploit module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation id done by supplying a specially crafted MIDI file within an RMF File. When the MixerSequencer objects is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A Midi block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When triggering the vulnerability "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable over java updates.

tags | exploit, java, shellcode
advisories | CVE-2010-0842, OSVDB-63493
SHA-256 | 4bfc86d5bc0fc319751b4a58608edff9318f0cb3cc5c83f4040fa6a97b6f8907
Oracle Java ICC Profile rcs2 Tag Parsing Remote Code Execution
Posted Jun 16, 2011
Authored by Peter Vreugdenhil | Site tippingpoint.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing a invalid 'rcs2' tag, the process can be forced to overflow an integer value during an arithmetic operation. The newly calculated value is then used to allocate memory on the heap. By providing specific values it is possible to cause a memory corruption that can lead to remote code being executed under to user running the browser.

tags | advisory, java, remote, overflow, arbitrary
advisories | CVE-2011-0862
SHA-256 | 8e3be2c1be593c530a4670d03a601ce9798a4842c472af7bed8ad4b21ecff0d3
Microsoft Data Access Components Vulnerability
Posted Jan 12, 2011
Authored by Peter Vreugdenhil

Proof of concept code for the Microsoft Data Access components vulnerability as disclosed in MS11-002.

tags | exploit, proof of concept
SHA-256 | 02c9d2b9d3b5ecbcba0b02245ace1b6c1e7edd1e0320a89cc9bd03d9d017ce3f
Pwn2Own 2010 Windows 7 Internet Explorer 8
Posted Mar 28, 2010
Authored by Peter Vreugdenhil

Whitepaper documenting the recent Pwn2Own 2010 Windows 7 Internet Explorer compromise.

tags | paper
systems | windows
SHA-256 | 98aa82f07d8894e65cff840e18ab39473886dee9071e52d31cb111db7f4a2fb8
iDEFENSE Security Advisory 2009-07-28.1
Posted Aug 10, 2009
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 07.28.09 - Remote exploitation of a use after free vulnerability in Microsoft Corp.'s Internet Explorer could allow an attacker to execute arbitrary code with the privileges of the current user. iDefense has confirmed the existence of this vulnerability in Internet Explorer versions 6, 7, and 8. Internet Explorer 5 does not appear to be vulnerable.

tags | advisory, remote, arbitrary
advisories | CVE-2009-1917
SHA-256 | 917be1ed0bdfbaec473ea16724416deeb91ee19bc0f5a333157bf7af42022f27
Zero Day Initiative Advisory 08-074
Posted Nov 5, 2008
Authored by Peter Vreugdenhil, Tipping Point | Site zerodayinitiative.com

A vulnerability allows remote attackers to execute code on vulnerable installations of Adobe Acrobat. User interaction is required in that a user must visit a malicious web site. The specific flaw exists when processing malicious javascript contained in a PDF document. When creating a Collab object and performing a specific sequence of actions on it, memory corruption occurs potentially resulting in remote code execution. If successfully exploited full control of the affected machine running under the credentials of the currently logged in user can be achieved.

tags | advisory, remote, web, javascript, code execution
advisories | CVE-2008-4813
SHA-256 | 42374904d4b1208ff8703af67298c304e34bf7495b2cddcaac9b42494e5bc072
Zero Day Initiative Advisory 08-072
Posted Nov 5, 2008
Authored by Peter Vreugdenhil, Tipping Point | Site zerodayinitiative.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the handling of embedded Javascript code when opening a PDF. Adobe Acrobat has defined it's own set of Javascript functions that can be used in a PDF file. Due to improper parameter checking to one of these functions arbitrary memory can be over-written leading to remote code execution. If successfully exploited remote control of the target system can be gained with the credentials of the logged in user.

tags | advisory, remote, arbitrary, javascript, code execution
advisories | CVE-2008-2992
SHA-256 | 32057ab035963d55bca65f0262c3900d8b1ae3a4ff8d48a1d912e522ba19477c
iDEFENSE Security Advisory 2008-11-04.1
Posted Nov 5, 2008
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 11.04.08 - Remote exploitation of a stack based buffer overflow vulnerability in NOS Microsystems Ltd.'s getPlus Download Manager, potentially used by multiple vendors, could allow an attacker to execute arbitrary code with the privileges of the current user. iDefense has confirmed the existence of this vulnerability in getPlus gp.ocx version 1.2.2.50, which is used in web based installations of Adobe Reader 8.1. Previous versions may also be affected.

tags | advisory, remote, web, overflow, arbitrary
advisories | CVE-2008-4817
SHA-256 | f82cd5bb85b3a959d2c8d724ce4105aa767646e05a45b9d840a37588554309e9
Zero Day Initiative Advisory 08-047
Posted Jul 26, 2008
Authored by Peter Vreugdenhil, Tipping Point | Site zerodayinitiative.com

A vulnerability allows remote attackers to execute code on vulnerable installations of RealPlayer. User interaction is required in that a user must visit a malicious web site. The specific flaw exists in the rmoc3260 ActiveX control. Specifying malicious values for the 'Controls' or 'Console' properties with a specific timing results in a memory corruption which can lead to code execution under the context of the current user.

tags | advisory, remote, web, code execution, activex
advisories | CVE-2008-1309
SHA-256 | e5a1b62ac9be31af6068765c6d46144550da0621b7283dcfd5d9530cfd5aafe5
Zero Day Initiative Advisory 08-039
Posted Jun 11, 2008
Authored by Peter Vreugdenhil, Tipping Point, Sebastian Apelt | Site zerodayinitiative.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of various Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the substringData() method when called on a DOM object that has been manipulated in a special way. The attack results in an exploitable heap buffer allowing for code execution under the context of the current user.

tags | advisory, remote, arbitrary, code execution
advisories | CVE-2008-1442
SHA-256 | 199a27adda6f9b915cf6856311e07418574bbd6af52f57dd0a8956c4404ef6a1
iDEFENSE Security Advisory 2008-04-30.1
Posted May 1, 2008
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 04.30.08 - Remote exploitation of a design error in Akamai Technologies, Inc's Download Manager allows attackers to execute arbitrary code in the context of the current user. iDefense confirmed the existence of this vulnerability using version 2.2.2.1 of Akamai Technologies Inc's DownloadManagerV2.ocx. Additionally, iDefense confirmed the problem exists in version 2.2.2.0 of the Download Manager Java Applet. All versions prior to the fixed version are suspected to be vulnerable.

tags | advisory, java, remote, arbitrary
advisories | CVE-2008-6339
SHA-256 | f0e0510c73a61c63aa3aab61418d9329d39123888ec190022a7e749ba1be1c5c
iDEFENSE Security Advisory 2008-04-02.2
Posted Apr 4, 2008
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 04.02.08 - Remote exploitation of a buffer overflow vulnerability in an ActiveX control installed by Symantec Norton Internet Security 2008 could allow for the execution of arbitrary code. iDefense confirmed that this vulnerability exists in version 2.7.0.1 of the control that is installed with the 2008 version of Norton Internet Security. Other versions may also be available.

tags | advisory, remote, overflow, arbitrary, activex
advisories | CVE-2008-0312
SHA-256 | ca21fd621e3cf9ded91bc115596d8b243f9c036394ddb1f9f3db5e74c636c369
iDEFENSE Security Advisory 2007-12-11.1
Posted Dec 12, 2007
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 12.11.07 - Remote exploitation of a heap corruption vulnerability in Microsoft Corp.'s Internet Explorer web browser allows attackers to execute arbitrary code in the context of the current user. The vulnerability lies in the JavaScript setExpression method, which is implemented in mshtml.dll. When malformed parameters are supplied, memory can be corrupted in a way that results in Internet Explorer accessing a previously deleted object. By creating a specially crafted web page, it is possible for an attacker to control the contents of the memory pointed to by the released object. This allows an attacker to execute arbitrary code. As of April 5th, 2007, iDefense testing shows that Internet Explorer 6.0 and Internet Explorer 7.0 with all available security patches are vulnerable. Older versions of Internet Explorer may also be vulnerable.

tags | advisory, remote, web, arbitrary, javascript
advisories | CVE-2007-3902
SHA-256 | c6eea38816e48a936133434a4c88c56569839a288fc99a9ce562f7da2a25286f
Zero Day Initiative Advisory 07-075
Posted Dec 12, 2007
Authored by Peter Vreugdenhil, Tipping Point | Site zerodayinitiative.com

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the handling of document objects that have been created, modified, deleted then accessed by JavaScript. By storing references to document nodes, then removing them by a separate reference, the document model in memory becomes unstable. Accessing the tags property while the document is in this unstable condition results in a heap corruption, allowing the execution of arbitrary code. Affected versions are 6 and 7.

tags | advisory, remote, arbitrary, javascript
advisories | CVE-2007-5344
SHA-256 | 7707761de2c7107636767dcabc56ebaacf46ed8597a770e577ce13ca71b87015
iDEFENSE Security Advisory 2007-06-12.2
Posted Jun 13, 2007
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 06.12.07 - Remote exploitation of an input validation error within version 2.1 of YaBB Forum allows attackers to register with forum Administrator privileges. The problem specifically exists due to insufficient validation when writing to the "vars" file for each user. By setting the values of certain variables to contain certain characters, attackers can elevate their privileges to that of the forum Administrator. iDefense confirmed the existence of this vulnerability within version 2.1 of YaBB Forum.

tags | advisory, remote
SHA-256 | 06d0161807f5d979bdc126372527454325d8e75b2db88fdd78b52cc9918931ff
iDEFENSE Security Advisory 2007-05-09.1
Posted May 10, 2007
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 05.09.07 - Remote exploitation of a design error vulnerability in an ActiveX control installed by Symantec Norton Internet Security 2006 could allow for the execution of arbitrary code. Defense confirmed the existence of this vulnerability within version 12.2.0.13 of NavOpts.dll as distributed with Norton Internet Security 2006. Prior versions are suspected to be vulnerable.

tags | advisory, remote, arbitrary, activex
advisories | CVE-2006-3456
SHA-256 | c8fe898519159f7cbf84384ab6a00699f5a7103b95f426b56c623aa0a9ba5be8
iDEFENSE Security Advisory 2007-05-08.1
Posted May 10, 2007
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 05.08.07 - Remote exploitation of a buffer overflow in an ActiveX control distributed with McAfee Security Center could allow for the execution of arbitrary code. iDefense confirmed the existence of this vulnerability using McAfee Virus Scan 10.0.27 running on Windows XP SP2. However, many additional McAfee products are reported to install this component.

tags | advisory, remote, overflow, arbitrary, virus, activex
systems | windows
SHA-256 | e0b63ce8dab1d5c412d486aca7e7be5a5fc80ee519b246ecb9c10879fee082f3
Zero Day Initiative Advisory 07-021
Posted Apr 23, 2007
Authored by Peter Vreugdenhil, Tipping Point | Site zerodayinitiative.com

A vulnerability allows attackers to execute arbitrary code on vulnerable installations of GraceNote's CDDBControl ActiveX Control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.

tags | advisory, arbitrary, activex
advisories | CVE-2007-0443
SHA-256 | 05e34559f4666d4770ca80dbb1b470429e352be29c9dd3ab6c092f4e48abe151
iDEFENSE Security Advisory 2007-04-04.1
Posted Apr 5, 2007
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDefense Security Advisory 04.04.07 - Remote exploitation of a information disclosure vulnerability in Kaspersky AntiVirus 6 could allow malicious websites to steal files off of a user's machine. iDefense has confirmed the existence of this vulnerability in version 6.0 of Kaspersky Antivirus.

tags | advisory, remote, info disclosure
SHA-256 | b90f0bdcb2ad661747c567945e87febf3ab55b1c4b1b2989b69aa84c70bc6761
Zero Day Initiative Advisory 06-02
Posted Feb 26, 2006
Authored by Peter Vreugdenhil, Tipping Point | Site zerodayinitiative.com

Adobe Macromedia Shockwave is susceptible to a remote code execution flaw. This specific flaw exists within the ActiveX control with CLSID 166B1BCA-3F9C-11CF-8075-444553540000. Specifying large values for two specific parameters to this control results in an exploitable stack based buffer overflow. Due to the nature of this vulnerability, the target user is not required to have fully completed an installation of Shockwave to be vulnerable.

tags | advisory, remote, overflow, code execution, activex
advisories | CVE-2005-3525
SHA-256 | 5cfaec539f1b7ff761308b0fdf9486321ec0325ee3f51ac51d4e9913b27e0688
iDEFENSE Security Advisory 2005-08-09.t
Posted Aug 10, 2005
Authored by iDefense Labs, Peter Vreugdenhil | Site idefense.com

iDEFENSE Security Advisory 08.09.05 - Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands. Versions below 6.4 are affected.

tags | advisory, remote, arbitrary
advisories | CVE-2005-1527
SHA-256 | b551c080e6aa7f7a4b53c8b33df46b0f71c71c4a680b518e26ea51230e52cce6
Page 1 of 1
Back1Next

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close