accept no compromises
Showing 1 - 7 of 7 RSS Feed

Files from Vitaliy Toropov

First Active2011-02-09
Last Active2013-11-26
Microsoft Internet Explorer COALineDashStyleArray Unsafe Memory Access
Posted Nov 26, 2013
Authored by Vitaliy Toropov, juan vazquez, James Forshaw | Site metasploit.com

This Metasploit module exploits a vulnerability on Microsoft Silverlight. The vulnerability exists on the Initialize() method from System.Windows.Browser.ScriptObject, which access memory in an unsafe manner. Since it is accessible for untrusted code (user controlled) it's possible to dereference arbitrary memory which easily leverages to arbitrary code execution. In order to bypass DEP/ASLR a second vulnerability is used, in the public WriteableBitmap class from System.Windows.dll. This Metasploit module has been tested successfully on IE6 - IE10, Windows XP SP3 / Windows 7 SP1 on both x32 and x64 architectures.

tags | exploit, arbitrary, code execution, bug bounty, packet storm
systems | windows, xp, 7
advisories | CVE-2013-0074, CVE-2013-3896, OSVDB-91147, OSVDB-98223
MD5 | db77ce1a58c39fd936f1e6241e3e85cb
Packet Storm Advisory 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure
Posted Oct 23, 2013
Authored by Vitaliy Toropov | Site packetstormsecurity.com

Microsoft Silverlight 5 suffers from invalid typecast and memory disclosure vulnerabilities that, when leveraged together, allow for arbitrary code execution. A memory disclosure vulnerability exists in the public WriteableBitmap class from System.Windows.dll. This class allows reading of image pixels from the user-defined data stream via the public SetSource() method. BitmapSource.ReadStream() allocates and returns byte array and a count of array items as out parameters. These returned values are taken from the input stream and they can be fully controlled by the untrusted code. When returned "count" is greater than "array.Length", then data outside the "array" are used as input stream data by the native BitmapSource_SetSource() from agcore.dll. Later all data can be viewed via the public WriteableBitmap.Pixels[] property. Exploitation details related to these findings were purchased through the Packet Storm Bug Bounty program.

tags | advisory, arbitrary, vulnerability, code execution, bug bounty, packet storm
systems | windows
advisories | CVE-2013-0074, CVE-2013-3896
MD5 | ca5e7fa75049ea31231c4272bb1b69be
Packet Storm Exploit 2013-1022-1 - Microsoft Silverlight Invalid Typecast / Memory Disclosure
Posted Oct 23, 2013
Authored by Vitaliy Toropov | Site packetstormsecurity.com

This exploit leverages both invalid typecast and memory disclosure vulnerabilities in Microsoft Silverlight 5 in order to achieve code execution. This exploit code demonstrates remote code execution by popping calc.exe. It was obtained through the Packet Storm Bug Bounty program. Google flags this as malware so only use this if you know what you are doing. The password to unarchive this zip is the word "infected".

tags | exploit, remote, vulnerability, code execution, bug bounty, packet storm
systems | windows
advisories | CVE-2013-0074, CVE-2013-3896
MD5 | 8f2f08abc21eb47fcebc2fa155f76257
Packet Storm Advisory 2013-0903-1 - Apple Safari Heap Buffer Overflow
Posted Sep 4, 2013
Authored by Vitaliy Toropov | Site packetstormsecurity.com

A heap memory buffer overflow vulnerability exists within the WebKit's JavaScriptCore JSArray::sort(...) method. This method accepts the user-defined JavaScript function and calls it from the native code to compare array items. If this compare function reduces array length, then the trailing array items will be written outside the "m_storage->m_vector[]" buffer, which leads to the heap memory corruption. This finding was purchased through the Packet Storm Bug Bounty program.

tags | advisory, overflow, arbitrary, javascript, code execution, bug bounty, packet storm
systems | apple, osx, iphone, ios
advisories | CVE-2012-3748
MD5 | 84be806acc044302df636242b657b7ce
Packet Storm Exploit 2013-0903-1 - Apple Safari Heap Buffer Overflow
Posted Sep 4, 2013
Authored by Vitaliy Toropov | Site packetstormsecurity.com

A heap memory buffer overflow vulnerability exists within the WebKit's JavaScriptCore JSArray::sort(...) method. The exploit for this vulnerability is javascript code which shows how to use it for memory corruption of internal JS objects (Unit32Array and etc.) and subsequent arbitrary code execution (custom ARM/x64 payloads can be pasted into the JS code). This exploit affects Apple Safari version 6.0.1 for iOS 6.0 and OS X 10.7/8. Earlier versions may also be affected. It was obtained through the Packet Storm Bug Bounty program.

tags | exploit, overflow, arbitrary, javascript, code execution, bug bounty, packet storm
systems | apple, osx, iphone, ios
advisories | CVE-2012-3748
MD5 | 787a49feec5e44d9cffe71f5e9015a71
iDefense Security Advisory 08.09.11 - Flash Player Integer Overflow
Posted Aug 11, 2011
Authored by iDefense Labs, Vitaliy Toropov | Site idefense.com

iDefense Security Advisory 08.09.11 - Remote exploitation of an integer overflow vulnerability in Adobe Systems Inc.'s Flash Player could allow an attacker to execute arbitrary code with the privileges of the current user. During the allocation of an array within a certain internal ActionScript function, a size calculation may cause an integer value to overflow. This condition may lead to the bounds of an undersized array being overflown during a memory copy operation. This can result in arbitrary code execution.

tags | advisory, remote, overflow, arbitrary, code execution
advisories | CVE-2011-2416, CVE-2011-2136
MD5 | 058ad608ee057694b986fd202bb74554
iDEFENSE Security Advisory 2011-02-08.4
Posted Feb 9, 2011
Authored by iDefense Labs, Vitaliy Toropov | Site idefense.com

iDefense Security Advisory 02.08.11 - Remote exploitation of an integer overflow vulnerability in Adobe Systems Inc.'s Flash Player could allow an attacker to execute arbitrary code with the privileges of the current user. The vulnerability occurs when parsing a maliciously formatted sequence of ActionScript code inside an Adobe Flash file. The problem exists in the ActionScript method of the built-in "Function" class, which accepts an array object as a second parameter and uses this array's length multiplied by four for a memory allocation without any overflow checks. Then it writes the array's content into the allocated memory, which corrupts memory and leads to an exploitable condition. iDefense has confirmed the existence of this vulnerability in the Flash Plugin version 10.1.82.76 and 10.1.85.3. A full list of vulnerable Adobe products can be found in Adobe Security Bulletin APSB11-02.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2011-0558
MD5 | 4983ad3404755868726af5999e57a87e
Page 1 of 1
Back1Next

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    2 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close