Email address | berendjanwever at gmail.com |
---|---|
Website | skypher.com |
First Active | 2003-04-10 |
Last Active | 2016-12-21 |
A specially crafted web page can cause the JavaScript engine of Microsoft Internet Explorer 8 to free memory used for a string. The engine keeps a reference to the freed string and can be forced to reuse it when compiling a regular expression, a use-after-free.
a44bc80d38c01b629bf33d47219ad52a17a287e1ebeaf43f0e48e32b2c5d2caf
A specially crafted web page can cause Microsoft Edge to free memory used for a CAttrArray object. The code continues to use the data in the freed memory block immediately after freeing it. It does not appear that there is enough time between the free and the reuse to exploit this issue.
7b085c40b0b5c32560e511980a285156cb74ab99f30b0b11136ee56130ebcd24
A specially crafted web page can cause MSIE 11 to interrupt the handling of one readystatechange event with another. This interrupts a call to one of the various C<ElementName>Element::Notify functions with another such call, and at least one of these functions is not reentrant. This can have various repercussions; for example, when an attacker triggers this vulnerability using a CMapElement object, a reference to that object can be stored in a linked list while the object itself is freed. That dangling pointer can later be reused, giving a classic use-after-free.
a298a13c199ace85ce391cd64bb90067724828fbbaf92483dc7624a141955abe
When serializing JavaScript objects to send to another window with the postMessage method, the code in Blink does not handle Symbol values correctly: it attempts to serialize them as regular objects, which results in a bad cast. An attacker that can trigger this issue may be able to execute arbitrary code. Chrome version 38 is affected.
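The bug above turns on one rule of the structured clone algorithm that postMessage uses: a Symbol has no serialized form and must be rejected with a DataCloneError, never walked as an ordinary object. The JavaScript below is an added example, not code from this page or from Blink. It pre-checks a payload for Symbol (and function) values with a walker of our own, reporting the path of the first offender, and compares that against the engine's native structuredClone, which implements the same algorithm and is assumed to be available (Node 17+ or any current browser). The helper names and the sample payload are constructed for this example.

```javascript
// Added example: validating a postMessage payload against the structured
// clone rules, and checking the engine's own structuredClone does the same.
// Helper names and the sample payload are our own, not a browser API.

// Values the structured clone algorithm can never serialize.
function isUncloneableLeaf(value) {
  return typeof value === "symbol" || typeof value === "function";
}

// Returns null if `value` is cloneable, otherwise the path (e.g. "$.b[1]")
// of the first uncloneable value. `seen` handles cycles, which structured
// clone permits, so a self-referencing object is not reported.
function findUncloneable(value, path = "$", seen = new Set()) {
  if (isUncloneableLeaf(value)) return path;
  if (value === null || typeof value !== "object") return null;
  if (seen.has(value)) return null;
  seen.add(value);

  let entries;
  if (Array.isArray(value)) {
    entries = value.map((v, i) => [`${path}[${i}]`, v]);
  } else if (value instanceof Map) {
    // Both keys and values of a Map are serialized, so both are checked.
    entries = [];
    for (const [k, v] of value) {
      entries.push([`${path}.key(${String(k)})`, k]);
      entries.push([`${path}.get(${String(k)})`, v]);
    }
  } else if (value instanceof Set) {
    entries = [...value].map((v, i) => [`${path}.set[${i}]`, v]);
  } else {
    // Only own enumerable string-keyed properties are serialized; properties
    // with Symbol *keys* are silently dropped, so they are not walked here.
    // Symbol *values*, the case in the Blink bug, are what must be rejected.
    entries = Object.keys(value).map((k) => [`${path}.${k}`, value[k]]);
  }

  for (const [childPath, child] of entries) {
    const hit = findUncloneable(child, childPath, seen);
    if (hit !== null) return hit;
  }
  return null;
}

// Runs the engine's native structured clone and returns the error name it
// raises (expected: "DataCloneError"), or null if the value cloned cleanly.
function nativeCloneError(value) {
  try {
    structuredClone(value);
    return null;
  } catch (e) {
    return e.name;
  }
}

// Constructed sample payload, the shape a page might hand to postMessage.
const SAMPLE = {
  user: "alice",
  tags: ["a", "b"],
  prefs: new Map([["theme", "dark"]]),
  [Symbol("hidden")]: 1,            // Symbol key: dropped by clone, not an error
  marker: Symbol("untransferable"), // Symbol value: must be rejected
};

function demo() {
  console.log("walker:", findUncloneable(SAMPLE));
  console.log("native:", nativeCloneError(SAMPLE));
}

if (typeof require !== "undefined" && require.main === module) demo();

module.exports = { findUncloneable, nativeCloneError, SAMPLE };
```

Run under Node with `node clone_check.js`; the walker reports `$.marker` and the native clone reports `DataCloneError` for the same payload. A page that validates with `findUncloneable` before calling `postMessage` gets a precise location instead of an opaque exception, and an engine that follows the algorithm never reaches the object-serialization path for a Symbol at all.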
62430de9384e1fc1e44dd85ff62388f8415cb6ba8958ab0623f192a275046d1c
A specially crafted HTTP response can cause the CHttpHeaderParser::ParseStatusLine method in WININET to read data beyond the end of a buffer. The size of the read can be controlled through the HTTP response. An attacker that is able to get any application that uses WININET to make a request to a server under their control may be able to disclose information stored after this memory block. Affected applications include Microsoft Internet Explorer.
94c41624ff0f1959d2d6ec3ad4d68a44468068d2211d86e587904cea67366cf4
Microsoft Internet Explorer versions 9, 10, and 11 suffer from an MSHTML PROPERTYDESC::HandleStyleComponentProperty out-of-bounds read.
69867369c8cff2f756daea66abcef97b67f77b7116041fb4cfb63a932b7b4769
A specially crafted script can cause the VBScript engine to read data beyond a memory block for use as a regular expression. An attacker that is able to run such a script in any application that embeds the VBScript engine may be able to disclose information stored after this memory block. This includes all versions of Microsoft Internet Explorer.
de2a5025554f64ba3382cd282b48b1d88c6ba27472d9213565816e814c3c7bdb
A specially crafted script can cause the VBScript engine to access data before initializing it. An attacker that is able to run such a script in any application that embeds the VBScript engine may be able to control execution flow and execute arbitrary code. This includes all versions of Microsoft Internet Explorer.
b64494b3d3720d952429d019e2e49e61742543b7134bc063c0ba2058e1570f99
Microsoft Internet Explorer 9 suffers from an MSHTML CPtsTextParaclient::CountApes out-of-bounds read vulnerability.
99089ae366a7f7d4e65b3282f45f00fb4bd55bb17255adf843050757f6024bd8
Microsoft Internet Explorer 10 suffers from an MSHTML CElement::GetPlainTextInScope out-of-bounds read vulnerability.
c58c107031dbf172676c012967abab15f19261829cb6779e0fff3c4b540a12be
Setting the listStyleImage property of an Element object causes MSIE 11 to allocate 0x4C bytes for an "image context" structure, which contains a reference to the document object as well as a reference to the same CMarkup object as the document. When the element is removed from the document/document fragment, this image context is freed on the next "draw". However, the code continues to use the freed context almost immediately after it is freed.
7c3474c2032d42f936d3ff0e59c7c8ce6f77233bc469225fdf7ba7bf031ca859
A specially crafted web page can cause Microsoft Internet Explorer to reallocate a memory buffer in order to grow it. The contents of the original buffer are copied to the newly allocated memory and the original is freed, but the code continues to use the freed copy of the buffer.
3dcbd15f1686902d2440fd693ec5986ce00f13147b6d267999345ec3f1440334
This is a brief write-up on how magic values in 32-bit processes on 64-bit OSes work and how to exploit them.
0e22f4f695fe5a82d5a78008e35426ae71abb83926c813e23d3e43569e903c82
With MS16-063, Microsoft has patched CVE-2016-0199 which relates to a memory corruption bug in the garbage collector of the JavaScript engine used in Internet Explorer 11.
8d60da32ba3ba0db4a0f218c7ca375ed14206761ebd4594a313e25dd2ebe4eae
Multiple type confusion vulnerabilities have been identified in Microsoft Internet Explorer.
c45987a41ea1716f25b8305b8106839624da2cc538ef5c79eff30b9c9599c037
Recompiling the regular expression pattern during a replace in JScript version 5.7 (MSIE 8) can cause the code to reuse a freed string, but only if the string is freed from the cache by allocating and freeing a number of strings of a certain size.
de4b362c98096f2627ba422def8ffe6b298c4c26b1bf19a41b77cd41aab24c77
Chrome suffers from a use-after-free vulnerability related to ui::AXTree::Unserialize.
c401c178ffecc2c543e0506717b170b45cb01c6106506bf7304ac67f0c08bfb4
When using the Developer Tools of MSIE 8, one might hover the mouse over a button in the "Script" tab, at which point a "tooltip" is shown. If one then clicks the button, a use-after-free occurs.
cec4afb711d5667871c3fd945bdf77db6ba3ca778cc12958105abb9afe2c84e3
A null-free shellcode for 32-bit versions of Windows 5.0 - 7.0 all service packs that uses the Microsoft Speech API to say "You got pwned!" over the speakers. Includes optional code that fixes stack alignment (adds 5 bytes) and bypasses EAF (adds 29 bytes).
f54fd8dc37595b55a5ab88f6996c820cae4d9d2da1433af720424d2f22dec480
Oracle Java APPLET tag children property memory corruption exploit.
b50d56fbb2f1a6701f2c4a72945340e117fab8e133268070b5d5c9eebfa29427
Firefox versions 3.5.10 and 3.6.6 suffer from a WMP memory corruption vulnerability via pop-ups.
861b3eab07fc3b8178946ceed224790bd9606d1ec07c76a0b524c6a6f4c426ae
Internet Exploiter 12+DEP: Oracle Java 6 OBJECT tag "launchjnlp"/"docbase" parameter buffer overflow exploit.
e9a6ff0b98431f29ebe768bcd88a09a0ffec917f642a6ad5e6d7a436d2daafd4
Msxml2.XMLHTTP.3.0 response handling memory corruption exploit that takes advantage of the vulnerability listed in MS10-051.
36337c841a1ee6b14eb1a761db53bbab0d0efac57cda58f85dc96bb0cb3db271
Internet Exploiter II version 3.0 DHTML memory corruption proof of concept exploit that bypasses DEP.
8d79ef782e79343218a4752b8edf2781a2dc684a0214bce8d86443e1e017905d
ALPHA3 is an alphanumeric shellcode encoder.
ce340cf911a3c7c4b4d3e13db65c19e98a5ba76465416bba9e7ded0b446353e5