glibc reserves a 2048-byte buffer on the stack via alloca() in _nss_dns_gethostbyname4_r() to hold the answer to a DNS query. Later, in send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated on the heap and the bookkeeping (buffer pointer, new buffer size and response size) is updated. Under certain conditions the stack buffer and the new heap allocation get out of sync: the stack buffer ends up receiving the DNS response even though the response is larger than that buffer and a heap buffer was allocated for it. The result is a stack buffer overflow. Included in this archive is a copy of the Google Security blog post and proof of concept code that demonstrates the vulnerability.
ad59124177a3d305a9e05a03fed4435fe9079fdcafd54b23cbd52bc979ba7a5f
This document presents a new, and only just mitigated, technique that leverages JIT-compiled code as an information leak primitive and thereby bypasses the ASLR mitigation.
e84ddee51625ea3026e889d9a332f82b1c3b784a10b937271f20b254640e07fb
Flash exploit for Win7/IE9 that bypasses ASLR by spraying ROP info leak gadgets.
21ff973f2decc557bafa5724aaef1dde8c1ac3345e644fe4331701d3a4e9e176
Adobe Flash Player versions prior to 10.3.183.16 and 11.x before 11.1.102.63 suffer from an information disclosure vulnerability. This archive contains research related to this issue, proof of concept source code, and an SWF that demonstrates the issue.
a3e0acb403967ecb2ab50b95e92c7801505af37a7f830f9ad5119219170efa9f