In IE8 standards mode, it's possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement's outer content is reset by using either outerText or outerHTML through an event handler, this triggers a free of its child element (in this case, a CAnchorElement, but some other objects apply too), but a reference is still kept in function SRunPointer::SpanQualifier. This function will then pass on the invalid reference to the next functions, eventually used in mshtml!CElement::Doc when it's trying to make a call to the object's SecurityContext virtual function at offset +0x70, which results a crash. An attacker can take advantage of this by first creating an CAnchorElement object, let it free, and then replace the freed memory with another fake object. Successfully doing so may allow arbitrary code execution under the context of the user. This bug is specific to Internet Explorer 8 only. It was originally discovered by Orange Tsai at Hitcon 2013, but was silently patched in the July 2013 update.
1c003b48b2f0c41a3c3ef91938ebd714d766a2510222a8c5b84652445ec8f591This Metasploit module exploits a vulnerability found in Internet Explorer's mshtml component. Due to the way IE handles objects in memory, it is possible to cause a pointer in CTableRowCellsCollectionCacheItem::GetNext to be used even after it gets freed, therefore allowing remote code execution under the context of the user. This particular vulnerability was also one of 2012's Pwn2Own challenges, and was later explained by Peter Vreugdenhil with exploitation details. Instead of Peter's method, this module uses heap spraying like the 99% to store a specially crafted memory layout before re-using the freed memory.
80aa8fe12f19503ea93e85f9cbe5047a17dec97794103ad2756b25cd88a949eeA vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Java handles True Type Font files. When reading a font file, Java will use the MaxInstructionSize from the maxp table to create a heap memory location to store all the Instruction Definition found in the Font Program 'fpgm' table. However, when Java encounters an IDEF opcode (0x89) in the opcode stream it never checks the size of the MaxInstructionSize which can result in a heap buffer overflow. This can lead to remote code execution under the context of the current process.
7d7c2f550994a2e5cd5e28b925d468c48c1d40628d005eac85f1b8d0d1c73513This Metasploit module exploits a flaw within the handling of MixerSequencer objects in Java 6u18 and before. Exploitation id done by supplying a specially crafted MIDI file within an RMF File. When the MixerSequencer objects is used to play the file, the GM_Song structure is populated with a function pointer provided by a SONG block in the RMF. A Midi block that contains a MIDI with a specially crafted controller event is used to trigger the vulnerability. When triggering the vulnerability "ebx" points to a fake event in the MIDI file which stores the shellcode. A "jmp ebx" from msvcr71.dll is used to make the exploit reliable over java updates.
4bfc86d5bc0fc319751b4a58608edff9318f0cb3cc5c83f4040fa6a97b6f8907A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Oracle Java Runtime. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the way Java handles color profiles. When parsing a color profile containing a invalid 'rcs2' tag, the process can be forced to overflow an integer value during an arithmetic operation. The newly calculated value is then used to allocate memory on the heap. By providing specific values it is possible to cause a memory corruption that can lead to remote code being executed under to user running the browser.
8e3be2c1be593c530a4670d03a601ce9798a4842c472af7bed8ad4b21ecff0d3Proof of concept code for the Microsoft Data Access components vulnerability as disclosed in MS11-002.
02c9d2b9d3b5ecbcba0b02245ace1b6c1e7edd1e0320a89cc9bd03d9d017ce3fWhitepaper documenting the recent Pwn2Own 2010 Windows 7 Internet Explorer compromise.
98aa82f07d8894e65cff840e18ab39473886dee9071e52d31cb111db7f4a2fb8iDefense Security Advisory 07.28.09 - Remote exploitation of a use after free vulnerability in Microsoft Corp.'s Internet Explorer could allow an attacker to execute arbitrary code with the privileges of the current user. iDefense has confirmed the existence of this vulnerability in Internet Explorer versions 6, 7, and 8. Internet Explorer 5 does not appear to be vulnerable.
917be1ed0bdfbaec473ea16724416deeb91ee19bc0f5a333157bf7af42022f27A vulnerability allows remote attackers to execute code on vulnerable installations of Adobe Acrobat. User interaction is required in that a user must visit a malicious web site. The specific flaw exists when processing malicious javascript contained in a PDF document. When creating a Collab object and performing a specific sequence of actions on it, memory corruption occurs potentially resulting in remote code execution. If successfully exploited full control of the affected machine running under the credentials of the currently logged in user can be achieved.
42374904d4b1208ff8703af67298c304e34bf7495b2cddcaac9b42494e5bc072A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists in the handling of embedded Javascript code when opening a PDF. Adobe Acrobat has defined it's own set of Javascript functions that can be used in a PDF file. Due to improper parameter checking to one of these functions arbitrary memory can be over-written leading to remote code execution. If successfully exploited remote control of the target system can be gained with the credentials of the logged in user.
32057ab035963d55bca65f0262c3900d8b1ae3a4ff8d48a1d912e522ba19477ciDefense Security Advisory 11.04.08 - Remote exploitation of a stack based buffer overflow vulnerability in NOS Microsystems Ltd.'s getPlus Download Manager, potentially used by multiple vendors, could allow an attacker to execute arbitrary code with the privileges of the current user. iDefense has confirmed the existence of this vulnerability in getPlus gp.ocx version 1.2.2.50, which is used in web based installations of Adobe Reader 8.1. Previous versions may also be affected.
f82cd5bb85b3a959d2c8d724ce4105aa767646e05a45b9d840a37588554309e9A vulnerability allows remote attackers to execute code on vulnerable installations of RealPlayer. User interaction is required in that a user must visit a malicious web site. The specific flaw exists in the rmoc3260 ActiveX control. Specifying malicious values for the 'Controls' or 'Console' properties with a specific timing results in a memory corruption which can lead to code execution under the context of the current user.
e5a1b62ac9be31af6068765c6d46144550da0621b7283dcfd5d9530cfd5aafe5A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of various Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the substringData() method when called on a DOM object that has been manipulated in a special way. The attack results in an exploitable heap buffer allowing for code execution under the context of the current user.
199a27adda6f9b915cf6856311e07418574bbd6af52f57dd0a8956c4404ef6a1iDefense Security Advisory 04.30.08 - Remote exploitation of a design error in Akamai Technologies, Inc's Download Manager allows attackers to execute arbitrary code in the context of the current user. iDefense confirmed the existence of this vulnerability using version 2.2.2.1 of Akamai Technologies Inc's DownloadManagerV2.ocx. Additionally, iDefense confirmed the problem exists in version 2.2.2.0 of the Download Manager Java Applet. All versions prior to the fixed version are suspected to be vulnerable.
f0e0510c73a61c63aa3aab61418d9329d39123888ec190022a7e749ba1be1c5ciDefense Security Advisory 04.02.08 - Remote exploitation of a buffer overflow vulnerability in an ActiveX control installed by Symantec Norton Internet Security 2008 could allow for the execution of arbitrary code. iDefense confirmed that this vulnerability exists in version 2.7.0.1 of the control that is installed with the 2008 version of Norton Internet Security. Other versions may also be available.
ca21fd621e3cf9ded91bc115596d8b243f9c036394ddb1f9f3db5e74c636c369iDefense Security Advisory 12.11.07 - Remote exploitation of a heap corruption vulnerability in Microsoft Corp.'s Internet Explorer web browser allows attackers to execute arbitrary code in the context of the current user. The vulnerability lies in the JavaScript setExpression method, which is implemented in mshtml.dll. When malformed parameters are supplied, memory can be corrupted in a way that results in Internet Explorer accessing a previously deleted object. By creating a specially crafted web page, it is possible for an attacker to control the contents of the memory pointed to by the released object. This allows an attacker to execute arbitrary code. As of April 5th, 2007, iDefense testing shows that Internet Explorer 6.0 and Internet Explorer 7.0 with all available security patches are vulnerable. Older versions of Internet Explorer may also be vulnerable.
c6eea38816e48a936133434a4c88c56569839a288fc99a9ce562f7da2a25286fA vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists in the handling of document objects that have been created, modified, deleted then accessed by JavaScript. By storing references to document nodes, then removing them by a separate reference, the document model in memory becomes unstable. Accessing the tags property while the document is in this unstable condition results in a heap corruption, allowing the execution of arbitrary code. Affected versions are 6 and 7.
7707761de2c7107636767dcabc56ebaacf46ed8597a770e577ce13ca71b87015iDefense Security Advisory 06.12.07 - Remote exploitation of an input validation error within version 2.1 of YaBB Forum allows attackers to register with forum Administrator privileges. The problem specifically exists due to insufficient validation when writing to the "vars" file for each user. By setting the values of certain variables to contain certain characters, attackers can elevate their privileges to that of the forum Administrator. iDefense confirmed the existence of this vulnerability within version 2.1 of YaBB Forum.
06d0161807f5d979bdc126372527454325d8e75b2db88fdd78b52cc9918931ffiDefense Security Advisory 05.09.07 - Remote exploitation of a design error vulnerability in an ActiveX control installed by Symantec Norton Internet Security 2006 could allow for the execution of arbitrary code. Defense confirmed the existence of this vulnerability within version 12.2.0.13 of NavOpts.dll as distributed with Norton Internet Security 2006. Prior versions are suspected to be vulnerable.
c8fe898519159f7cbf84384ab6a00699f5a7103b95f426b56c623aa0a9ba5be8iDefense Security Advisory 05.08.07 - Remote exploitation of a buffer overflow in an ActiveX control distributed with McAfee Security Center could allow for the execution of arbitrary code. iDefense confirmed the existence of this vulnerability using McAfee Virus Scan 10.0.27 running on Windows XP SP2. However, many additional McAfee products are reported to install this component.
e0b63ce8dab1d5c412d486aca7e7be5a5fc80ee519b246ecb9c10879fee082f3A vulnerability allows attackers to execute arbitrary code on vulnerable installations of GraceNote's CDDBControl ActiveX Control. User interaction is required to exploit this vulnerability in that the target must visit a malicious page.
05e34559f4666d4770ca80dbb1b470429e352be29c9dd3ab6c092f4e48abe151iDefense Security Advisory 04.04.07 - Remote exploitation of a information disclosure vulnerability in Kaspersky AntiVirus 6 could allow malicious websites to steal files off of a user's machine. iDefense has confirmed the existence of this vulnerability in version 6.0 of Kaspersky Antivirus.
b90f0bdcb2ad661747c567945e87febf3ab55b1c4b1b2989b69aa84c70bc6761Adobe Macromedia Shockwave is susceptible to a remote code execution flaw. This specific flaw exists within the ActiveX control with CLSID 166B1BCA-3F9C-11CF-8075-444553540000. Specifying large values for two specific parameters to this control results in an exploitable stack based buffer overflow. Due to the nature of this vulnerability, the target user is not required to have fully completed an installation of Shockwave to be vulnerable.
5cfaec539f1b7ff761308b0fdf9486321ec0325ee3f51ac51d4e9913b27e0688iDEFENSE Security Advisory 08.09.05 - Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands. Versions below 6.4 are affected.
b551c080e6aa7f7a4b53c8b33df46b0f71c71c4a680b518e26ea51230e52cce6
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed