Microsoft Windows .ANI file BITMAPINFOHEADER.biClrUsed bounds check missing

Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER {
DWORD biSize;          // size of this header, in bytes
LONG biWidth;          // bitmap width, in pixels
LONG biHeight;         // bitmap height, in pixels
WORD biPlanes;         // number of planes (must be 1)
WORD biBitCount;       // bits per pixel
DWORD biCompression;   // compression type
DWORD biSizeImage;     // image size, in bytes
LONG biXPelsPerMeter;  // horizontal resolution
LONG biYPelsPerMeter;  // vertical resolution
DWORD biClrUsed;       // number of color table entries actually used
DWORD biClrImportant;  // number of color table entries that are important
} BITMAPINFOHEADER;

“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”

ANI files store each frame of the animated cursor as a packed bitmap inside the ANI file…

ASPsh – A remote shell written in ASP.

Today I am releasing another old project called ASPsh. The goal of this project was to create an ASP page that can be used on a server to provide a “command line shell”-like experience when opening the page in a web browser…

Internet Exploiter 2 – bypassing DEP

In 2005 I released Internet Exploiter 2, which helped make heap spraying popular in browser exploits…

Microsoft Internet Explorer 6.0/7.0 NULL pointer crashes

Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0…

Advances in heap spraying #1: when size matters.

http://skypher.com/SkyLined/heap_spray/small_heap_spray_generator.html

I’ve created a heap-spray generator…

Where’s Waldo SkyLined?
Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

(a.k.a. CVE-2009-2983)

Adobe fixed a bug in various COM objects. Loading and unloading these objects in a webpage in Firefox allows memory corruption, which can be exploited to execute arbitrary code…

MSIE Content-Encoding: deflate memory corruption vulnerability

(a.k.a. MSRC 8769, MS09-054, CVE-2009-1547, “Data Stream Header Corruption Vulnerability”)

Microsoft fixed a bug in Internet Explorer’s “Content-Encoding:deflate” implementation…

Cross browser parallel asynchronous XMLHttpRequests with timeout.

AsyncXMLHttpRequest is an extension of XMLHttpRequest with the following improvements:

Uniform behavior on multiple different browsers (Apple Safari, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox and Opera).
Event handlers are called with the AsyncXMLHttpRequest object to which they apply as the first argument…

MS09-014: EMBED element memory corruption

Microsoft has just released a fix for an issue I reported to them on December 4th, 2008. A simple repro can be found here