This exploit demonstrates a stack-based buffer-overflow vulnerability in the JavaScript 'util.printf' function of Adobe Reader. To test it, the exploit script must be embedded as JavaScript in a PDF file, which is then opened in a vulnerable version of Adobe Reader to see the exploit in action. Refer to the CVE for details of the affected versions of Adobe Reader.
This vulnerability was made public back in Oct 2007, but there was no publicly available exploit until 2008. Therefore, I wrote the exploit for this issue back in April 2008 under a contract. While the contract did not allow me to make the exploit public due to an IP and non-disclosure agreement, it was agreed with the contractor to allow an exploit demo video to be published.
This vulnerability was made public back in Feb 2008 and I wrote the exploit for this issue back in Oct 2008 but could not release it due to an IP and non-disclosure agreement with my contractor. However, it was agreed with the contractor to allow an exploit demo video to be published.
The Office Genuine Advantage (OGA) check is part of a Microsoft effort to reduce piracy. Though I do not believe in software piracy, I was a bit intrigued to check whether OGA is an effective piracy control. Interestingly, it did not take me long to bypass the piracy protection with simple tricks. Refer to the PoC document for details.
Multiple CRLF injection (aka HTTP response splitting) vulnerabilities were identified in Google AdWords, which may be exploited by an external attacker to inject arbitrary HTTP headers.
Multiple CRLF injection (aka HTTP response splitting) vulnerabilities were identified in Shop-Script PREMIUM, which may be exploited by a remote attacker to inject arbitrary HTTP headers.
Malicious Flash files carrying JavaScript can be embedded within Excel spreadsheets using the “Shockwave Flash Object”, and can be made to run as soon as the file is opened by the user. Activating the object does not require any user intervention; it runs automatically once the file is opened.
A null pointer dereference issue was identified in the IETab plugin for Firefox, which results in Firefox crashing when specially crafted JavaScript is passed as input via its input handler. Refer to the PoC for more details.
Developers often forget to use the “AspCompat” page directive, which is required when referencing COM components from ASP.NET. A missing AspCompat directive causes general instability and poor performance of the web application; even a simple increase in load on the web server may cause it to crash. After working for more than a month with Microsoft (MSRC) on this issue, it was finally concluded that the w3wp crash can occur unexpectedly and is due to improper referencing of COM or COM+ components in ASP.NET applications. Refer to the PoC (Proof of Concept) for more details.
Google Reader is an RSS and Atom feed reader which displays only the content the user has subscribed to. However, two vulnerabilities have been identified which may allow an attacker to entice a victim (using the Google Reader service) into viewing unwanted web content carrying malicious payloads.
In the default installation of phpMyChat (version 0.14.5), any unregistered user can gain access to the chat rooms by entering an identical user name and password in the login form, i.e. the user name must be the same as the password. I tried logging in through various vulnerable sites using an identical user ID and password combination, which granted me unauthorized access to the rooms.
Zone Alarm products with Advanced Program Control or OS Firewall Technology enabled detect and block almost all of the APIs (such as Shell, ShellExecuteEx, SetWindowText, SetDlgItem, etc.) commonly used by malicious programs to send data over HTTP by piggybacking on other trusted programs. However, it is still possible for a malicious program (a Trojan or worm, etc.) to make outbound connections to an attacker-controlled site by piggybacking on a trusted Internet browser using an “HTML Modal Dialog” in conjunction with simple “JavaScript”. It is assumed here that the default browser (IE, Firefox, etc.) is authorised to access the Internet. The PoC demonstrates how ZoneAlarm Advanced Program Control and Behavior-Based Technology can be defeated by using an HTML Modal Dialog Box in conjunction with JavaScript. Refer to the PoC (Proof of Concept) for more details.
The Zone Alarm Pro and Free desktop firewalls were found to be vulnerable to an outbound bypass which allows a malicious program to evade the desktop firewall's outbound restrictions by using DDE-IPC (Direct Data Exchange – Inter-Process Communication). This PoC demonstrates how an untrusted program can make an outbound connection to an attacker by piggybacking on other trusted programs running on the system (e.g. Internet Explorer). Refer to the PoC (Proof of Concept) for more details.
Early in 2005, Citibank introduced the concept of a Virtual Keyboard (aka On-Screen Keyboard) to defend against malicious programs such as keyloggers and spyware. However, the Virtual Keyboard concept can be easily defeated by using Win32 APIs to access the HTML document. Refer to the PoC for details.
The PoC was created back in 2005 and was specifically made to work with the virtual keyboard on the Citibank India website. The same PoC can be modified to work against most virtual keyboards on any website. The PoC available for download will not currently work with the Citibank website, as the site has undergone several changes since the PoC was released. Therefore, a little modification of the PoC will be required to make it work against any given virtual keyboard.