Microsoft Windows .ANI file BITMAPINFOHEADER.biClrUsed bounds check missing

Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER {
DWORD biSize;
LONG biWidth;
LONG biHeight;
WORD biPlanes;
WORD biBitCount
DWORD biCompression;
DWORD biSizeImage;
LONG biXPelsPerMeter;
LONG biYPelsPerMeter;
DWORD biClrUsed;
DWORD biClrImportant;
} BITMAPINFOHEADER;

“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”

ANI files stores each frame of the animated cursor as a packed bitmap inside the ANI file…

Internet Exploiter 2 – bypassing DEP

In 2005 I released Internet Exploiter 2, which helped make heap spraying popular in browser exploits…

Microsoft Internet Explorer 6.0/7.0 NULL pointer crashes

Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0…

Advances in heap spraying #1: when size matters.

http://skypher.com/SkyLined/heap_spray/small_heap_spray_generator.html

I’ve created a heap-spray generator…

Download and LoadLibrary shellcode released

Everyone and their dog seems to want to use download and execute shellcode in their exploits. Even though this has some drawbacks:

You need to create an .exe file on the system, which will very likely draw unwanted attention…

Testival released

During shellcode development, it makes sense to have a program that can easily load your shellcode at a controlable location, allows you to set registers and memory to certain values and execute the shellcode by setting EIP through a RET or CALL instruction.

The Testival project aims to do all those things and more: it also allows you to test ret-into-libc attacks, set the type of memory allocation you want (RWE flags, etc…), report exceptions in your code to stdout as well as load DLLs to test shellcode in DllMain.

Testival is used by ALPHA3 for automatically testing if all the en-/decoders work.

Testival requires SkyBuild to automatically build all files.

ALPHA3 released

I realized that if I would wait until I had fully documented everything in ALPHA3, it would probably never get released…

Countslide alphanumeric GetPC

One limitation of most alphanumeric shellcode decoders, including those in ALPHA2 and the soon-to-be-released ALPHA3 is that they need to know where they are located in memory in order to decode themselves and run correctly…

w32-bind-ngs-shellcode released

w32-bind-ngs-shellcode is a small, null-free 32-bit Windows port-binding shellcode. The total shellcode is currently 214 bytes and supports Windows 5.0-7.0 all service packs…

BETA3 released

As part of my New Year’s resolutions, I am releasing BETA3, the follow up to BETA2. BETA3 is a multi-format shellcode encoding tool that can be used to turn binary shellcode into text for use in exploits…