Analysis and exploitation (unprivileged)

Vulnerability and exploit analysis and development at the unprivileged (user-mode) level.

Buffer overflows

Stack-based buffer overrun

Structured Exception Handler

Nr URL Description Date Author OS/Arch Info
1 https://web.archive.org/web/2012072413294... Understanding SEH (Structured Exception Handler) Exploitation 06-07-2009 Donny Hubener Windows, x86-32 CVE-2004-2466
2 http://www.corelan.be/index.php/2009... Exploit writing tutorial part 3 : SEH Based Exploits 25-07-2009 corelanc0d3r Windows, x86-32 N/A
3 http://www.corelan.be/index.php/2009... Exploit writing tutorial part 3b : SEH Based Exploits – just another example 28-07-2009 corelanc0d3r Windows, x86-32 EDB-ID-9298
4 http://grey-corner.blogspot.com/2010/01/... SEH Stack Based Buffer Overflow Tutorial 07-01-2010 Stephen Bradshaw Windows, x86-32 OSVDB-61386
5 http://www.ethicalhacker.net/content/vie... Tutorial: SEH Based Exploits and the Development Process 04-05-2010 Mark (n1p) Nicholls Windows, x86-32 OSVDB-62779
6 https://docs.google.com/viewer?a=v&pid=e... Debugging an SEH 0day 29-05-2010 mr_me Windows, x86-32 CVE-2010-0688
7 http://resources.infosecinstitute.com/se... SEH Based Overflow Exploit Tutorial 28-04-2011 Stephen Bradshaw Windows, x86-32 N/A

Stack buffer overrun

Nr URL Description Date Author OS/Arch Info
1 http://blogs.securiteam.com/index.php/ar... Heap Spraying: Exploiting Internet Explorer VML 0-day 23-09-2006 Trirat Kira P Windows, x86-32 CVE-2006-4868
2 http://www.corelan.be/index.php/200... Exploit writing tutorial part 1 : Stack Based Overflows 19-07-2009 corelanc0d3r Windows, x86-32 EDB-ID-9177
3 http://www.corelan.be/index.php/200... Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode 23-07-2009 corelanc0d3r Windows, x86-32 N/A
4 http://grey-corner.blogspot.com/2010/01/... Stack Based Buffer Overflow Tutorial 07-01-2010 Stephen Bradshaw Windows, x86-32 CVE-2004-2271
5 http://www.phreedom.org/research/vulnera... Windows ANI header buffer overflow 29-03-2010 Alexander Sotirov Windows, x86-32 CVE-2007-0038
6 http://www.offensive-security.com/vulnde... Evocam Remote Buffer Overflow on OSX 04-06-2010 Paul (d1dn0t) Harrington Mac (Leopard 10.5.8), x86-32 CVE-2010-2309
7 http://turkeyland.net/projects/overflow/... Buffer Overflows and You 04-08-2010 Jeffrey A. Turkstra Linux x86-64 N/A
8 http://dvlabs.tippingpoint.com/blog/2010... Security Advisory for NetWare 6.5 OpenSSH 01-09-2010 Zef Cekaj Windows, x86-32 ZDI-10-169
9 http://www.vupen.com/blog/20100909.Adobe... Criminals Are Getting Smarter: Analysis of the Adobe Acrobat / Reader 0-Day Exploit 09-09-2010 Nicolas Joly Windows, x86-32 CVE-2010-2883
10 http://www.exploit-db.com/bypassing-uac-... Bypassing UAC with User Privilege under Windows Vista/7 – Mirror 26-11-2010 muts Windows, x86-32 CVE-2010-4398
11 http://www.exploit-db.com/docs/16030.pdf... Non-Executable Stack ARM Exploitation 23-01-2011 Itzhak (Zuk) Avraham ARM N/A
12 http://0x1byte.blogspot.co.il/2011/02/cv... Analysis of CVE 2010-3333 Microsoft Office RTF File Stack Buffer Overflow Vulnerability 20-02-2011 Alexander Gavrun Windows CVE-2010-3333
13 http://resources.infosecinstitute.com/st... Stack Based Buffer Overflow Tutorial, part 1 — Introduction 09-03-2011 Stephen Bradshaw Windows, x86-32 N/A
14 http://resources.infosecinstitute.com/st... Stack Based Buffer Overflow Tutorial, part 2 — Exploiting the stack overflow 09-03-2011 Stephen Bradshaw Windows, x86-32 N/A
15 http://resources.infosecinstitute.com/st... Stack Based Buffer Overflow Tutorial, part 3 — Adding shellcode 09-03-2011 Stephen Bradshaw Windows, x86-32 N/A
16 https://web.archive.org/web/201310071419... Smashing the stack in Windows 8 xx-09-2011 Davide Quarta Windows 8 N/A
17 http://research.reversingcode.com/index.... Apple QuickTime Player H.264 issues 01-09-2011 rmallof Windows, x86-32 CVE-2011-0247
18 http://blogs.securiteam.com/index.php/ar... VMware UDF Stack Buffer Overflow 10-10-2011 Secventure Group Windows, x86-32 CVE-2011-3868
19 http://www.greyhathacker.net/?p=380 RemoteExec Computers List Buffer Overflow ROP Exploit 06-11-2011 Parvez Windows, x86-32 N/A
20 https://web.archive.org/web/20131207185... A Textbook Buffer Overflow: A Look at the FreeBSD telnetd Code 25-12-2011 Dustin Schultz FreeBSD CVE-2011-4862
21 http://www.poppopret.org/?p=40 Anatomy of a SCADA Exploit: Part 1 – From Overflow to EIP 07-01-2012 Michael Coppola Windows, x86-32 N/A
22 http://www.greyhathacker.net/?p=549 Heap spraying in Internet Explorer with rop nops 19-06-2012 Parvez Windows, x86-32 CVE-2007-6387
23 http://www.poppopret.org/?p=141 Anatomy of a SCADA Exploit: Part 2 – From EIP to Shell 21-08-2012 Michael Coppola Windows, x86-32 N/A
24 https://community.rapid7.com/community/m... New Metasploit Exploit: SAP NetWeaver CVE-2012-2611 06-09-2012 Juan Vasquez Windows, x86-32 CVE-2012-2611
25 http://www.devttys0.com/2012/10/exploiti... Exploiting a MIPS Stack Overflow 08-10-2012 Craig MIPS N/A
26 http://www.cyvera.com/how-to-exploit-cve... HOW TO EXPLOIT CVE-2010-3333 28-11-2012 Gal Badishi Windows CVE-2010-3333
27 http://shar33f12.blogspot.com.es/2012/10... ROP 01-11-2012 shareef12 Linux, x86-32 N/A
28 http://www.exploit-db.com/papers/24085/ Stack Smashing On A Modern Linux System 21-12-2012 jip Linux, x86-64 N/A
29 http://blog.exodusintel.com/2013/01/07/w... DoS? Then Who Was Phone? 07-01-2013 exodusintel.com Linux CVE-2012-5976
30 http://sitsec.net/blog/2013/04/22/stack-... Stack-based Buffer Overflow in the VPN Software tinc for Authenticated Peers 22-04-2013 Martin Schobert *nix CVE-2013-1428
31 https://web.archive.org/web/201307080736... Analysis of nginx 1.3.9/1.4.0 stack buffer overflow and x64 exploitation (CVE-2013-2028) 21-05-2013 w00d Linux CVE-2013-2028
32 http://www.exploit-db.com/docs/27657.pdf... Smashing the stack, an example from 2013 17-08-2013 Benjamin Randazzo Linux N/A
33 http://csmatt.com/notes/?p=96 MIPS Buffer Overflows with Bowcaster 13-10-2013 Matt Defenthaler MIPS N/A
34 http://funoverip.net/2013/10/watchguard-... WatchGuard – CVE-2013-6021 – Stack Based Buffer Overflow Exploit 27-10-2013 foip Linux CVE-2013-6021
35 http://dl.packetstormsecurity.net/papers... 64 Bits Linux Stack Based Buffer Overflow 09-06-2014 Mr.Un1k0d3r Linux N/A
36 https://hatriot.github.io/blog/2015/01/0... Ntpdc Local Buffer Overflow 06-01-2015 Bryan Alexander Linux N/A
37 http://blog.techorganic.com/2015/04/10/64... 64-bit Linux Stack Smashing Tutorial: Part 1 10-04-2015 superkojiman Linux N/A
38 http://blog.techorganic.com/2015/04/21/64... 64-bit Linux Stack Smashing Tutorial: Part 2 21-04-2015 superkojiman Linux N/A
39 http://5d4a.wordpress.com/2010/10/13/my-... Smashing the stack in 2010 xx-09-2015 Mariano Graziano, Andrea Cugliari Linux CVE-2010-0249, CVE-2010-2883
40 http://googleprojectzero.blogspot.de/201... Kaspersky: Mo Unpackers, Mo Problems. 22-09-2015 Tavis Ormandy Windows N/A
41 http://www.payatu.com/from-crash-to-expl... FROM CRASH TO EXPLOIT: CVE-2015-6086 – OUT OF BOUND READ/ASLR BYPASS 18-01-2016 Payatu Windows, IE9-11 CVE-2015-6086
42 https://sourceware.org/ml/libc-alpha/201... [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow 16-02-2016 Google Security Team, Red Hat, Robert Holiday - CVE-2015-7547
43 https://blog.cloudflare.com/a-tale-of-a-... A tale of a DNS exploit: CVE-2015-7547 29-02-2016 Marek Vavruša - CVE-2015-7547
44 http://j00ru.vexillium.org/?p=2245 Details on a (not so recent now) stack-based buffer overflow in the Adobe CFF rasterizer in FreeType2 (CVE-2014-2240, CVE-2014-9659) 07-06-2016 j00ru Linux CVE-2014-2240, CVE-2014-9659

Unicode Stack Buffer Overrun

Nr URL Description Date Author OS/Arch Info
1 http://newsoft-tech.blogspot.com/2012/01... MS11-014: this is not the bug you are looking for … 10-01-2012 newsoft Windows, x86-32 CVE-2011-0039
2 http://www.floyd.ch/?p=629 Automated generation of code alignment code for Unicode buffer overflow exploitation 17-01-2012 floyd Windows, x86-32 N/A

Heap-based buffer overrun

Out-of-bounds read/write

Off-by-one errors

Nr URL Description Date Author OS/Arch Info
1 http://site.pi3.com.pl/adv/libopie-adv.t... libopie _readrec() off-by one (FreeBSD ftpd remote PoC) 27-05-2010 Maksymilian Arciemowicz, Adam (pi3) Zabrocki FreeBSD CVE-2010-1938
2 https://drive.google.com/file/d/0B6P-iHu... Skype v5.9.0.123 and Below Remote Default Unauthenticated Off-By-One 06-10-2012 Kostya Kortchinsky Windows N/A
3 http://doar-e.github.io/blog/2013/09/09/... Pinpointing Heap-related Issues: OllyDbg2 Off-by-one Story 09-09-2013 Axel (0vercl0k) Souchet Windows N/A
4 http://googleprojectzero.blogspot.de/201... The poisoned NUL byte, 2014 edition 25-08-2014 Chris Evans Fedora 20, x86-32 CVE-2014-5119

Heap buffer overrun

Nr URL Description Date Author OS/Arch Info
1 http://www.cgsecurity.org/exploit/heaptu... w00w00 on Heap Overflows xx-01-1999 Matt (Shok) Conover Linux N/A
2 http://immunitysec.com/downloads/msrpche... Exploiting the MSRPC Heap Overflow 11-09-2003 Dave Aitel Windows, x86-32 CVE-2003-0352
3 https://web.archive.org/web/201205211422... Windows Heap Overflow Exploitation 02-02-2004 Brett Moore Windows, x86-32 N/A
4 http://www.exploit-db.com/papers/13178/ Windows Heap Overflows using the Process Environment Block (PEB) 31-05-2006 c0ntex Windows, x86-32 N/A
5 http://www.h-online.com/security/feature... A heap of risk: Buffer overflows on the heap and how they are exploited 28-06-2006 Felix (FX) Lindner Windows, x86-32 N/A
6 https://web.archive.org/web/201309030849... Engineering Heap Overflow Exploits with JavaScript 08-09-2008 Mark Daniel, Jake Honoroff, Charlie Miller - N/A
7 http://www.blackhat.com/presentations/bh... Practical Windows XP/2003 Heap Exploitation xx-07-2009 John McDonald, Chris Valasek Windows, x86-32 N/A
8 https://web.archive.org/web/201003271111... 0x41 - weekly exploitation matters - Heap overflow fundamentals 23-03-2010 crazylazy Windows, x86-32 CVE-2009-4324
9 http://blogs.cisco.com/security/comments... Exploring Heap-Based Buffer Overflows with the Application Verifier 29-03-2010 Neil Archibald Windows, x86-32 N/A
10 http://grey-corner.blogspot.com/2010/03/... The Difference Between Heap Overflow and Use After Free Vulnerabilities 31-03-2010 Stephen Bradshaw - N/A
11 http://index-of.es/Misc/HeapCacheExploi... Heap Cache Exploitation - White Paper by IBM Internet Security Systems xx-07-2010 Mark Dowd Windows, x86-32 N/A
12 https://web.archive.org/web/201110070918... Heap Overflows For Humans – 101 24-10-2010 mr_me Windows, x86-32 N/A
13 https://web.archive.org/web/201112310609... When A DoS Isn't A DoS 16-12-2010 Nephi Johnson Windows, x86-32 OSVDB-69796
14 http://www.vupen.com/blog/20101221.Exim_... Technical Analysis of Exim "string_vformat()" Buffer Overflow Vulnerability 21-12-2010 Matthieu Bonetti Linux x86-32 CVE-2010-4344
15 https://web.archive.org/web/201111090317... From Patch to Proof-of-Concept: MS10-081 10-01-2011 Nephi Johnson Windows, x86-32 CVE-2010-2746
16 http://vreugdenhilresearch.nl/ms11-002-p... MS11-002 Pwn2Own heap overflow 12-01-2011 Peter Vreugdenhil Windows, x86-32 CVE-2011-0027
17 http://www.skullsecurity.org/blog/2011/a... A deeper look at ms11-058 23-08-2011 Ron Bowes Windows, x86-32 CVE-2011-1966
18 https://web.archive.org/web/201110070919... Heap Overflows For Humans – 102 02-09-2011 mr_me Windows, x86-32 N/A
19 http://www.vupen.com/blog/20120117.Advan... Analysis & Advanced Exploitation of Windows Multimedia Library Heap Overflow (MS12-004) 17-01-2012 Nicolas Joly Windows, x86-32 CVE-2012-0003
20 https://web.archive.org/web/201502190758... Heap Overflows For Humans 104 11-03-2012 mr_me Windows, x86-32 N/A
21 http://www.vupen.com/blog/20120710.Advan... Advanced Exploitation of Internet Explorer Heap Overflow (Pwn2Own 2012 Exploit) 10-07-2012 Alexandre Pelletier Windows, x86-32 CVE-2012-1876
22 https://community.rapid7.com/community/m... New 0day Exploits: Novell File Reporter Vulnerabilities 16-11-2012 Juan Vasquez Windows CVE-2012-4956
23 https://community.rapid7.com/community/m... New Metasploit Exploit: Crystal Reports Viewer CVE-2010-2590 19-12-2012 Juan Vasquez Windows, x86-32 CVE-2010-2590
24 https://www.corelan.be/index.php/2013/02... Root Cause Analysis – Memory Corruption Vulnerabilities 26-02-2013 Jason Kratzer Windows N/A
25 http://blog.binamuse.com/2013/05/readerb... Adobe Reader BMP/RLE heap corruption - CVE-2013-2729 14-05-2013 feliam - CVE-2013-2729
26 http://blog.stalkr.net/2013/06/golang-he... Golang heap corruption during garbage collection 04-06-2013 stalker Linux N/A
27 https://www.fireeye.com/blog/threat-rese... The Dual Use Exploit: CVE-2013-3906 Used in Both Targeted Attacks and Crimeware Campaigns 07-11-2013 Xiaobo Chen, Mike Scott, Dan Caselden Windows CVE-2013-3906
28 http://www.crowdstrike.com/blog/analysis... Analysis of a CVE-2013-3906 Exploit 09-12-2013 Jason Geffner Windows CVE-2013-3906
29 https://hackerone.com/reports/1356 PHP Heap Overflow Vulnerability in imagecrop() 06-02-2014 Kuba Brecka - CVE-2013-7726
30 http://h30499.www3.hp.com/t5/HP-Security... Technical Analysis of CVE-2014-1761 RTF Vulnerability 07-04-2014 Matt Oh Windows CVE-2014-1761
31 http://radare.today/technical-analysis-o... Technical Analysis Of The GnuTLS Hello Vulnerability 01-06-2014 pancake Linux CVE-2014-3466
32 http://h30499.www3.hp.com/t5/HP-Security... ZDI-14-173/CVE-2014-0195 - OpenSSL DTLS Fragment Out-of-Bounds Write: Breaking up is hard to do 05-06-2014 Brian Gorenc Linux CVE-2014-0195
33 http://googleprojectzero.blogspot.de/201... pwn4fun Spring 2014 - Safari - Part I 24-07-2014 Ian Beer Mac OSX N/A
34 http://www.vupen.com/blog/20140725.Advan... Advanced Exploitation of VirtualBox 3D Acceleration VM Escape Vulnerability (CVE-2014-0983) 25-07-2014 Florian Ledoux Windows CVE-2014-0983
35 https://fail0verflow.com/blog/2014/hubca... HubCap: pwning the ChromeCast pt. 1 29-08-2014 axoltl ARMv7 N/A
36 https://fail0verflow.com/blog/2014/hubca... HubCap: pwning the ChromeCast pt. 2 04-09-2014 axoltl ARMv7 N/A
37 http://googleprojectzero.blogspot.de/201... Exploiting CVE-2014-0556 in Flash 23-09-2014 Chris Evans Linux x64 CVE-2014-0556
38 http://acez.re/ps-vita-level-1-webkittie... PS Vita Level 1: Webkitties 31-10-2014 acez ARMv7 N/A
39 https://labs.integrity.pt/articles/from-... FROM 0-DAY TO EXPLOIT – BUFFER OVERFLOW IN BELKIN N750 (CVE-2014-1635) 06-11-2014 Marco Vaz MIPS CVE-2014-1635
40 http://blog.beyondtrust.com/cve-2014-182... CVE-2014-1824 – A New Windows Fuzzing Target 25-11-2014 Beyondtrust RT Windows CVE-2014-1824
41 http://www.openwall.com/lists/oss-securi... GHOST: glibc gethostbyname buffer overflow 27-05-2015 Qualys - CVE-2015-0235
42 http://www.isightpartners.com/2015/07/mi... Microsoft Office Zero-Day CVE-2015-2424 Leveraged By Tsar Team 15-07-2015 Jonathan Leathery Windows CVE-2015-2424
43 http://blogs.cisco.com/security/talos/ap... Vulnerability Spotlight: Apple Quicktime Corrupt stbl Atom Remote Code Execution 30-07-2015 Talos Group Mac CVE-2015-3667
44 http://blog.trendmicro.com/trendlabs-sec... MediaServer Takes Another Hit with Latest Android Vulnerability 17-08-2015 Wish Wu Android CVE-2015-3842
45 https://blog.exodusintel.com/2015/08/13/... STAGEFRIGHT: MISSION ACCOMPLISHED? 13-08-2015 Jordan Gruskovnjak Android CVE-2015-3864
46 http://googleprojectzero.blogspot.de/201... Stagefrightened? 16-09-2015 Mark Brand Android CVE-2015-3864
47 http://blog.fortinet.com/post/windows-jo... Windows Journal Vulnerability Disclosed Plus A Weekend Bonus 18-09-2015 Aamir Lakhani Windows N/A
48 https://www.blackhat.com/docs/us-15/mate... Exploiting Heap Corruption due to Integer Overflow in Android libcutils xx-08-2015 Guang Gong Android CVE-2015-1528
49 https://blog.fortinet.com/post/deep-anal... Deep Analysis of CVE-2016-0010 - Microsoft Office RTF File Handling Heap Overflow Vulnerability 20-01-2016 Kai Lu Windows CVE-2016-0010
50 https://guidovranken.wordpress.com/2016/... OpenSSL CVE-2016-0799: heap corruption via BIO_printf 27-02-2016 Guido Vranken - CVE-2016-0799
51 https://scoding.de/analsysis-of-a-heap-o... Analysis of a Heap Overflow in Foxit Reader 15-05-2016 sash Windows N/A
52 https://www.talosintelligence.com/report... Microsoft Windows PDF API Jpeg2000 csiz Remote Code Execution Vulnerability 09-08-2016 Aleksandar Nikolic Windows CVE-2016-3319
53 https://halbecaf.com/2017/05/24/expl... Exploiting a V8 OOB write 24-05-2017 halbecaf Linux N/A
54 https://phoenhex.re/2017-06-02/array... Exploiting an integer overflow with array spreading (WebKit) 02-06-2017 niklasb, saelo Mac CVE-2017-2536
55 https://www.zerodayinitiative.com/blog/2... DECONSTRUCTING A WINNING WEBKIT PWN2OWN ENTRY 24-08-2017 Jasiel Spelman Mac CVE-2017-2547
56 https://mtalbi.github.io/heap-based/over... The macabre dance of memory chunks 16-09-2017 Mehdi Talbi Linux N/A
57 https://www.zerodayinitiative.com/blog/2... CHECK IT OUT: ENFORCEMENT OF BOUNDS CHECKS IN NATIVE JIT CODE 05-10-2017 Simon Zuckerbraun Windows CVE-2017-0234

Global, static data overrun, and .bss overrun

The data segment holds initialized static local and global variables; the BSS (Block Started by Symbol) segment holds uninitialized (zero-initialized at load time) static local and global variables.

Nr URL Description Date Author OS/Arch Info
1 http://roeehay.blogspot.com/2008/10/grap... Graphviz Buffer Overflow Code Execution 08-10-2008 Roee Hay - N/A

Buffer overflows in general

Nr URL Description Date Author OS/Arch Info
1 https://azeria-labs.com/process-memory-a... PROCESS MEMORY AND MEMORY CORRUPTIONS xx-07-2017 Azeria ARM N/A

Format string vulnerabilities

Nr URL Description Date Author Info
1 https://docs.google.com/viewer?a=v&pid=e... Windows 2000 Format String Vulnerabilities 01-05-2001 David Litchfield N/A
2 http://crypto.stanford.edu/cs155old/cs15... Exploiting Format String Vulnerabilities 01-09-2001 scut / team teso N/A
3 https://web.archive.org/web/201012121658... Format string exploitation on windows 02-02-2009 Abyssec Inc N/A
4 http://infond.blogspot.com/2010/07/tutor... Tutorial exploitation format string 30-07-2010 infond N/A
5 https://docs.google.com/viewer?a=v&pid=e... Format strings, from %x to calc 24-10-2010 mr_me N/A
6 http://www.exploit-monday.com/2011/06/le... Leveraging format string vulnerabilities to interrogate Win32 process memory 20-06-2011 Matt Graeber N/A
7 http://www.viva64.com/en/b/0129/ Wade not in unknown waters. Part two 01-02-2012 Andrey Karpov N/A
8 http://www.vnsecurity.net/research/2012/... Exploiting Sudo format string vulnerability 16-02-2012 longlg CVE-2012-0809
9 https://web.archive.org/web/201211031120... EIP-2012-0001: When wrapping it up goes wrong… 29-08-2012 exodusintel N/A

Integer vulnerabilities

Includes integer overflows, underflows, signedness issues, and truncation errors.

Nr URL Description Date Author OS/Arch Info
1 http://blogs.msdn.com/b/oldnewthing/arch... Integer overflow in the new[] operator 29-01-2004 msdn.com - N/A
2 http://www.fefe.de/intof.html Catching Integer Overflows in C 26-01-2007 fefe - N/A
3 http://dividead.wordpress.com/2009/06/01... glibc timezone integer overflow 01-06-2009 dividead Linux N/A
4 http://roeehay.blogspot.com/2009/06/appl... Apple QuickTime Image Description Atom Sign Extension Memory Corruption 02-06-2009 Roee Hay Windows, x86-32 CVE-2009-0955
5 http://site.pi3.com.pl/adv/xpdf.txt Xpdf - Integer overflow which causes heap overflow and NULL pointer dereference 06-07-2009 Adam Zabrocki - N/A
6 http://roeehay.blogspot.com/2009/08/advi... Advisory: Adobe Flash Player and AIR AVM2 intf_count Integer Overflow 02-08-2009 Roee Hay Windows, x86-32 CVE-2009-1869
7 https://code.google.com/p/em386/download... CVE-2009-3608-explained 01-10-2009 Chris Rohlf - CVE-2009-3608
8 http://site.pi3.com.pl/adv/mod_proxy.txt Mod_proxy from apache 1.3 - Integer overflow which causes heap overflow 27-01-2010 Adam Zabrocki Linux, x86-64 N/A
9 http://projects.webappsec.org/Integer-Ov... Integer Overflows xx-01-2010 Robert Auger - N/A
10 https://web.archive.org/web/201107221137... A delicious, yet slightly cold banquette prepared on the (jump)table xx-03-2010 (?) c0ntex Linux N/A
11 https://www.securecoding.cert.org/conflu... INT32-C. Ensure that operations on signed integers do not result in overflow 09-09-2010 Robert C. Seacord - N/A
12 http://cissrt.blogspot.com/2011/02/cve-2... CVE-2011-0045: MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability 26-02-2011 Nikita Tarakanov Windows CVE-2011-0045
13 http://scarybeastsecurity.blogspot.de/20... libxml vulnerability and interesting integer issues 27-05-2011 Chris Evans - N/A
14 https://bugzilla.mozilla.org/show_bug.cg... Mozilla Firefox 4.0.1 Array.reduceRight() Vulnerability 14-06-2011 Chris Rohlf, Yan Ivnitskiy - CVE-2011-2371
15 https://web.archive.org/web/201201080914... Exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd 13-12-2011 Ramon de C. Valle Linux CVE-2009-5029
16 https://web.archive.org/web/201201080914... More on exploiting glibc __tzfile_read integer overflow to buffer overflow and vsftpd 15-12-2011 Ramon de C. Valle Linux CVE-2009-5029
17 http://kqueue.org/blog/2012/01/10/cve-20... CVE-2012-0038: XFS ACL count integer overflow 10-01-2012 Xi Wang Linux CVE-2012-0038
18 http://www.halfdog.net/Security/2011/Apa... Apache ModSetEnvIf Integer Overflow 11-01-2012 halfdog Linux CVE-2011-3607
19 http://gdtr.wordpress.com/2012/02/22/exp... Exploiting CVE-2011-2371 (FF reduceRight) without non-ASLR modules 22-02-2012 pa_kt - CVE-2011-2371
20 http://kqueue.org/blog/2012/04/12/cve-20... CVE-2012-2100: a fix to fix a fix in ext4 12-04-2012 Xi Wang Linux CVE-2012-2100
21 http://axtaxt.wordpress.com/2012/07/08/a... Analysis of CVE-2011-3545 (ZDI-11-307) 08-07-2012 Peter - CVE-2011-3545
22 http://labs.mwrinfosecurity.com/blog/201... MWR Labs Pwn2Own 2013 Write-up - Webkit Exploit 19-04-2013 MWR Labs Windows CVE-2013-0912
23 http://www.vupen.com/blog/20130522.Advan... Advanced Exploitation of Internet Explorer 10 / Windows 8 Overflow (Pwn2Own 2013) 22-05-2013 Nicolas Joly Windows 8 CVE-2013-2551
24 https://www.corelan.be/index.php/2013/07... Root Cause Analysis – Integer Overflows 02-07-2013 Jason Kratzer Windows, x86-32 N/A
25 http://secunia.com/blog/in-memory-of-a-z... In memory of a zero-day – MS13-051 01-11-2013 Hossein Lotfi Windows CVE-2013-1331
26 http://blog.securitymouse.com/2014/06/ra... Raising Lazarus - The 20 Year Old Bug that Went to Mars 26-06-2014 Don A. Bailey - N/A
27 http://blog.lekkertech.net/blog/2014/07/... LZO, on integer overflows and auditing 02-07-2014 Willem Pinckaers - N/A
28 http://googleprojectzero.blogspot.de/201... Analysis and Exploitation of an ESET Vulnerability 23-06-2015 Tavis Ormandy - N/A
29 http://googleprojectzero.blogspot.fr/201... When ‘int’ is the new ‘short’ 07-07-2015 Mark Brand - N/A
30 http://blogs.flexerasoftware.com/vulnera... Vulnerability in Microsoft's Unicode Scripts Processor allows execution of arbitrary code 11-12-2015 Hossein Lotfi Windows CVE-2015-6130
31 https://blog.coresecurity.com/2016/01/12... Analysis of Adobe Flash Player ID3 Tag Parsing Integer Overflow Vulnerability (CVE-2015-5560) 12-01-2016 Nahuel Riva Flash CVE-2015-5560
32 http://www.antiy.net/p/an-analysis-on-t... An Analysis on the Principle of CVE-2015-8651 26-01-2016 Antiy PTA Team Flash CVE-2015-8651
33 http://blog.trendmicro.com/trendlabs-se... A Root Cause Analysis of the Recent Flash Zero-Day Vulnerability, CVE-2016-1010 06-04-2016 Henry Li Flash CVE-2016-1010

NULL pointer issues

Nr URL Description Date Author OS/Arch Info
1 http://www.theregister.co.uk/2007/06/13/... Embedded problems: exploiting NULL pointer dereferences 13-06-2007 Barnaby Jack ARM, XScale N/A
2 http://searchsecurity.techtarget.com.au/... Q&A: Mark Dowd on NULL pointer dereference bugs 02-05-2008 Mark Dowd - N/A
3 https://web.archive.org/web/200907060213... What You May Have Missed About CVE-2008-0017: A Firefox NULL Dereference Bug 26-11-2008 Article Windows, x86-32 CVE-2008-0017
4 http://j00ru.vexillium.org/?p=932 CVE-2011-1282: User-Mode NULL Pointer Dereference & co. 21-07-2011 Mateusz (j00ru) Jurczyk Windows, x86-32 CVE-2011-1282

Data type confusion

Nr URL Description Date Author OS/Arch Info
1 http://em386.blogspot.com/2010/12/webkit... WebKit CSS Type Confusion 15-12-2010 Chris Rohlf - CVE-2010-4577
2 http://www.vupen.com/blog/20110326.Techn... Technical Analysis and Advanced Exploitation of Adobe Flash 0-Day (CVE-2011-0609) 26-03-2011 Nicolas Joly Windows, x86-32 CVE-2011-0609
3 http://blogs.technet.com/b/mmpc/archive/... Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation 12-04-2011 Marian Radu, Daniel Radu & Jaime Wong Windows, x86-32 CVE-2011-0611
4 http://secunia.com/blog/210 Adobe Flash Player 0-day Exploit Analysis (CVE-2011-0611) 14-04-2011 Secunia Research Windows, x86-32 CVE-2011-0611
5 http://www.offensive-security.com/vulnde... CA ARCserve CVE-2012-2971 30-10-2012 offensive-security.com Windows, x86-32 CVE-2012-2971
6 http://blogs.technet.com/b/srd/archive/2... The story of MS13-002: How incorrectly casting fat pointers can make your code explode 06-08-2013 swiat Windows N/A
7 https://www.sektioneins.de/en/blog/14-08... SPL ArrayObject/SPLObjectStorage Unserialization Type Confusion Vulnerabilities 27-08-2014 Stefan Esser - CVE-2014-3515
8 http://blog.azimuthsecurity.com/2015/01/... Bl8ckPwn: BlackPhone SilentText Type Confusion Vulnerability 27-01-2015 Mark Dowd - N/A
9 http://googleprojectzero.blogspot.de/201... A Tale of Two Exploits 13-04-2015 Natalie Silvanovich - CVE-2015-0336
10 http://blogs.technet.com/b/mmpc/archive/... Understanding type confusion vulnerabilities: CVE-2015-0336 18-06-2015 msft-mmpc Windows CVE-2015-0336
11 http://googleprojectzero.blogspot.com/20... One Perfect Bug: Exploiting Type Confusion in Flash 20-07-2015 Natalie Silvanovich - CVE-2015-3077
12 http://googleprojectzero.blogspot.de/201... Attacking ECMAScript Engines with Redefinition 17-08-2015 Natalie Silvanovich - CVE-2015-3077, CVE-2015-0305, CVE-2015-0327, CVE-2015-3039, CVE-2015-5119, CVE-2015-3120, CVE-2015-3119
13 https://www.coresecurity.com/blog/explo... Exploiting Internet Explorer's MS15-106, Part I: VBScript Filter Type Confusion Vulnerability (CVE-2015-6055) 25-04-2016 Francisco Falcón Windows CVE-2015-6055
14 http://blogs.360.cn/360safe/2016/11/... Three roads lead to Rome 29-11-2016 Luke Viruswalker Windows CVE-2016-7201
15 https://blogs.securiteam.com/index.p... SSD Advisory – Chrome Turbofan Remote Code Execution 16-08-2017 Maor Schwartz - N/A

Object lifetime issues

Use-after-free

Nr URL Description Date Author OS/Arch Info
1 https://www.blackhat.com/presentations/b... Dangling Pointer - Smashing the Pointer for Fun and Profit 02-07-2007 Jonathan Afek, Adi Sharabani Windows, x86-32 CVE-2005-4360
2 http://grey-corner.blogspot.com/2010/01/... Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability 24-01-2010 Stephen Bradshaw Windows, x86-32 CVE-2010-0249
3 http://d0cs4vage.blogspot.com/2011/06/in... Insecticides don't kill bugs, Patch Tuesdays do (use-after-free) 16-06-2011 d0c_s4vage Windows, x86-32 CVE-2011-1260
4 http://www.exploit-monday.com/2011/07/po... Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260) 07-07-2011 Matt Graeber Windows, x86-32 CVE-2011-1260
5 http://blogs.norman.com/2011/malware-det... Drag and Drop Vulnerability in MS11-050 29-07-2011 norman.com Windows, x86-32 CVE-2011-1254
6 http://picturoku.blogspot.com/2011/08/di... Diaries of a vulnerability: Understanding CVE-2011-1260 17-08-2011 picturoku Windows, x86-32 CVE-2011-1260
7 http://picturoku.blogspot.com/2011/09/di... Diaries of a vulnerability - take 2: Stage 1 exploit - Controlling EIP 01-09-2011 picturoku Windows, x86-32 CVE-2011-1260
8 http://picturoku.blogspot.com/2011/11/di... Diaries of a vulnerability - take 3: Pray after free and use after pray 02-11-2011 picturoku Windows, x86-32 CVE-2011-1260
9 https://community.qualys.com/blogs/secur... MS11-077: From Patch to Proof-of-Concept 02-12-2011 Bharat Jogi Windows, x86-32 CVE-2011-1985
10 http://www.vupen.com/blog/20120110.Techn... Technical Analysis of ProFTPD Response Pool Remote Use-after-free (CVE-2011-4130) - Part I 10-01-2012 Jordan Gruskovnjak Linux, x86-32 CVE-2011-4130
11 http://www.vupen.com/blog/20120116.Advan... Advanced Exploitation of ProFTPD Response Pool Use-after-free (CVE-2011-4130) - Part II 16-01-2012 Jordan Gruskovnjak Linux, x86-32 CVE-2011-4130
12 http://ifsec.blogspot.com/2012/02/reliab..., PoC Reliable Windows 7 Exploitation: A Case Study 28-02-2012 Ivan Fratric Windows, x86-32 CVE-2011-1999
13 http://dvlabs.tippingpoint.com/blog/2012... Pwn2Own Challenges: Heapsprays are for the 99% 15-03-2012 Peter Vreugdenhil Windows, x86-32 CVE-2010-0248
14 http://www.vupen.com/blog/20120625.Advan... Advanced Exploitation of Mozilla Firefox Use-after-free Vulnerability (MFSA 2012-22) 25-06-2012 Jordan Gruskovnjak Windows, x86-32 CVE-2012-0469
15 http://blog.exodusintel.com/2013/01/02/h... Happy New Year Analysis of CVE-2012-4792 02-01-2013 Peter Vreugdenhil Windows, x86-32 CVE-2012-4792
16 http://scarybeastsecurity.blogspot.de/20... Exploiting 64-bit Linux like a boss 03-02-2013 Chris Evans Linux, x86-64 N/A
17 http://securityintelligence.com/use-afte... Use-after-frees: That pointer may be pointing to something bad 01-04-2013 Mark Yason Windows, x86-32 CVE-2012-4969, CVE-2012-4792
18 http://blog.trailofbits.com/2013/05/20/w... Writing Exploits with the Elderwood Kit (Part 2) 20-05-2013 Dan Guido Windows N/A
19 https://securityintelligence.com/cve-201... CVE-2013-1347: Microsoft Internet Explorer CGenericElement object Use-After-Free Vulnerability 22-05-2013 Yong Chuan Koh Windows x86-32 CVE-2013-1347
20 http://blogs.technet.com/b/srd/archive/2... The story of MS13-002: How incorrectly casting fat pointers can make your code explode 06-08-2013 swiat - N/A
21 http://h30499.www3.hp.com/t5/blogs/bloga... CVE-2013-3112: From NULL to Control - Persistence pays off with crashes 26-09-2013 Brian Gorenc Windows, x86-32 CVE-2013-3112
22 http://cyvera.com/cve-2013-3893-analysis... CVE-2013-3893 – ANALYSIS OF THE NEW IE 0-DAY 07-10-2013 Gal Badishi Windows, x86-32 CVE-2013-3893
23 http://cyvera.com/cve-2013-3897-analysis... CVE-2013-3897 – ANALYSIS OF YET ANOTHER IE 0-DAY 08-10-2013 Gal Badishi Windows, x86-32 CVE-2013-3897
24 http://blog.spiderlabs.com/2013/10/anoth... Another Day, SpiderLabs Discovers Another IE Zero-Day xx-08-2013 Daniel Chechki Windows, x86-32 CVE-2013-3897
25 http://blog.spiderlabs.com/2013/10/ie-ze... The Technical Aspects of Exploiting IE Zero-Day CVE-2013-3897 xx-10-2013 SpiderLabs Research Windows, x86-32 CVE-2013-3897
26 http://nakedsecurity.sophos.com/2013/10/... Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1 11-10-2013 Paul Ducklin Windows, x86-32 CVE-2013-3893
27 http://nakedsecurity.sophos.com/2013/10/... Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2 25-10-2013 Paul Ducklin Windows, x86-32 CVE-2013-3893
28 http://blog.exodusintel.com/2013/11/26/b... A browser is only as strong as its weakest byte 26-11-2013 Peter Vreugdenhil Windows CVE-2013-3147
29 http://www.fireeye.com/blog/technical/cy... CVE-2013-3346/5065 Technical Analysis 06-12-2013 Xiaobo Chen, Dan Caselden Windows CVE-2013-3346, CVE-2013-5065
30 http://blog.exodusintel.com/2013/12/09/a... A browser is only as strong as its weakest byte - Part 2 09-12-2013 Peter Vreugdenhil Windows CVE-2013-3147
31 http://carterjones.logdown.com/posts/201... CVE-2014-0301 Analysis 14-03-2014 Carter Jones Windows CVE-2014-0301
32 http://vrt-blog.snort.org/2014/05/anatom... Anatomy of an exploit: CVE 2014-1776 02-05-2014 Alex McDonnell, Brandon Stultz, Joel Esler, Patrick Mullen, Armin Pelkmann, Craig Williams Windows CVE-2014-1776
33 http://www.cyphort.com/blog/dig-deeper-i... Dig deeper into the IE Vulnerability (CVE-2014-1776) exploit 06-05-2014 Marion Marschalek Windows CVE-2014-1776
34 http://h30499.www3.hp.com/t5/HP-Security... Double-Dip: Using the latest IE 0-day to get RCE and an ASLR Bypass 06-05-2014 Abdul Hariri Windows N/A
35 http://h30499.www3.hp.com/t5/HP-Security... The mechanism behind Internet Explorer CVE-2014-1776 exploits 14-05-2014 Matt Oh Windows CVE-2014-1776
36 http://www.vupen.com/blog/20140520.Advan... Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) 20-05-2014 Arno Windows CVE-2014-1512
37 http://blog.trendmicro.com/trendlabs-sec... “Gifts” From Hacking Team Continue, IE Zero-Day Added to Mix 14-07-2014 Peter Pi Windows CVE-2015-2425
38 http://blog.trendmicro.com/trendlabs-sec... Root Cause Analysis of CVE-2014-1772 – An Internet Explorer Use After Free Vulnerability 05-11-2014 Jack Tang Windows CVE-2014-1772
39 http://googleprojectzero.blogspot.de/201... Exploiting NVMAP to escape the Chrome sandbox - CVE-2014-5332 22-01-2015 Lee Campbell Android CVE-2014-5332
40 https://www.trustwave.com/Resources/Spid... A New Zero-Day of Adobe Flash CVE-2015-0313 Exploited in the Wild 03-02-2015 Ben Hayak Windows CVE-2015-0313
41 http://blog.trendmicro.com/trendlabs-sec... Analyzing CVE-2015-0313: The New Flash Player Zero Day 04-02-2015 Peter Pi Windows CVE-2015-0313
42 https://blog.coresecurity.com/2015/04/13... Analysis of Adobe Flash Player shared ByteArray Use-After-Free Vulnerability 13-04-2015 Nahuel Riva Windows N/A
43 http://labs.bromium.com/2015/07/07/adobe... Adobe Flash Zero Day Vulnerability Exposed to Public 07-07-2015 Nick Cano Windows CVE-2015-0322
44 http://blog.vectranetworks.com/blog/micr... Microsoft Internet Explorer 11 Zero-day 14-07-2015 Vectra Threat Labs Windows CVE-2015-2425
45 http://blog.ropchain.com/2015/07/27/anal... Analyzing VUPEN’s CVE-2012-1856 27-07-2015 Niels Windows CVE-2012-1856
46 http://www.securityfocus.com/archive/1/5... BFS-SA-2015-001: Internet Explorer CTreeNode::GetCascadedLang Use-After-Free Vulnerability 12-08-2015 BlueFrost Security Windows CVE-2015-2444
47 https://cxsecurity.com/issue/WLB-2015080... OpenSSH 6.9p1 Authentication Bypass / Use-After-Free 15-08-2015 BlueFrost Security - N/A
48 https://labs.portcullis.co.uk/blog/cve-2... CVE-2015-5119 Flash ByteArray UaF: A beginner’s walkthrough 24-09-2015 MTB - CVE-2015-5119
49 https://www.nccgroup.trust/uk/our-resear... Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability 30-10-2015 Dominic Wang Windows CVE-2015-1642
50 https://www.nccgroup.trust/uk/our-resear... Exploiting CVE-2014-0282 16-12-2015 Katy Winterborn Windows CVE-2014-0282
51 https://www.fireeye.com/blog/threat-rese..., https://www.fireeye.com/content/dam/... The EPS Awakens 16-12-2015 Genwei Jiang, Dan Caselden, Ryann Winters Windows PostScript; CVE-2015-2545
52 http://sourceincite.com/2015/12/15/analy... ANALYSIS OF CVE-2016-0035, A REMOTE CODE EXECUTION IN MICROSOFT OFFICE EXCEL 15-12-2015 steven Windows CVE-2016-0035
53 https://webkit.org/blog/6411/javascriptc... JavaScriptCore CSI: A Crash Site Investigation Story 01-06-2016 Mark Lam Mac N/A
54 http://theori.io/research/jscript9_typed... PATCH ANALYSIS OF MS16-063 (JSCRIPT9.DLL) 27-06-2016 Theori Windows N/A
55 https://www.purehacking.com/blog/lloyd-s... An Introduction to Use After Free Vulnerabilities 05-08-2016 Lloyd Simon Windows N/A
56 http://blog.quarkslab.com/exploiting-ms1... Exploiting MS16-145: MS Edge TypedArray.sort Use-After-Free (CVE-2016-7288) 02-05-2017 Francisco Falcon Windows CVE-2016-7288
57 https://phoenhex.re/2017-05-04/pwn2own17... Pwn2Own 2017: UAF in JSC::CachedCall (WebKit) 04-05-2017 niklasb, saelo Mac CVE-2017-2491
58 https://scarybeastsecurity.blogspot.de/... Ode to the use-after-free: one vulnerable function, a thousand possibilities 05-05-2017 Chris Evans Linux CVE-2012-3748
59 https://phoenhex.re/2017-06-21/firefox-s... Share with care: Exploiting a Firefox UAF with shared array buffers 21-06-2017 bkth, eboda Linux N/A
60 https://0x00sec.org/t/heap-exploitation-... Heap Exploitation ~ Abusing Use-After-Free 13-09-2017 0xpye Linux N/A

Double-free

Nr URL Description Date Author OS/Arch Info
1 http://www.symantec.com/connect/blogs/do..., http://www.symantec.com/connect/blogs/do... Double Free Vulnerabilities 19/22-01-2007 Article Windows XP SP2, x86-32 N/A
2 http://blog.spiderlabs.com/2014/03/deep-... Deep Analysis of CVE-2014-0502 – A Double Free Story 12-03-2014 Ben Hayak Windows CVE-2014-0502
3 http://www.libnex.org/blog/doublefreeins... Double Free in Standard PHP Library Double Link List [CVE-2016-3132] 13-04-2016 Emmanuel Law - CVE-2016-3132

Other

Nr URL Description Date Author OS/Arch Info
1 https://community.rapid7.com/communi... 12 Days of HaXmas: A Fireside Foray into a Firefox Fracas 29-12-2016 William Webb - N/A

Race conditions

Nr URL Description Date Author OS/Arch Info
1 http://cecs.wright.edu/~pmateti/Internet... Race Condition Exploits xx-xx-2012 Prabhaker Mateti - N/A
2 https://googleprojectzero.blogspot.de/20... Racing MIDI messages in Chrome 04-02-2016 Oliver Chang - N/A

Non-memory-corruption issues

Access control and permission problems

Nr URL Description Date Author OS/Arch Info
1 http://blog.zx2c4.com/749 Linux Local Privilege Escalation via SUID /proc/pid/mem Write 21-01-2012 Jason A. Donenfeld Linux CVE-2012-0056
2 http://googleprojectzero.blogspot.de/201... Did the “Man With No Name” Feel Insecure? 20-08-2014 James Forshaw Windows CVE-2014-3196
3 http://googleprojectzero.blogspot.de/201... Internet Explorer EPM Sandbox Escape CVE-2014-6350 01-12-2014 James Forshaw Windows CVE-2014-6350
4 http://blog.trendmicro.com/trendlabs-sec... Escaping the Internet Explorer Sandbox: Analyzing CVE-2014-6349 03-12-2014 Jack Tang Windows CVE-2014-6349
5 http://blog.trendmicro.com/trendlabs-sec... CVE-2015-0016: Escaping the Internet Explorer Sandbox 27-01-2015 Henry Li Windows CVE-2015-0016
6 https://truesecdev.wordpress.com/2015/07... Exploiting rootpipe again 01-07-2015 Emil Kvarnhammar Mac rootpipe; CVE-2015-3673
7 https://www.sektioneins.de/en/blog/15-07... OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation Vulnerability 07-07-2015 Stefan Esser Mac N/A
8 http://h30499.www3.hp.com/t5/HP-Security... Adobe's CVE-2015-5090 - Updating the Updater to become the bossman 16-07-2015 Abdul Hariri Windows CVE-2015-5090
9 http://warchest.fusionx.com/cve-2015-509... CVE-2015-5090 – Adobe Reader/Acrobat Pro Privilege Escalation 19-01-2016 Bryan Alexander Windows CVE-2015-5090
10 https://www.zerodayinitiative.com/blog/2... BUSTING MYTHS IN FOXIT READER 17-08-2017 Abdul-Aziz Hariri Windows CVE-2017-10951, CVE-2017-10952

Implementation Errors

Nr URL Description Date Author OS/Arch Info
1 http://www.saurik.com/id/17 Exploit (& Fix) Android "Master Key" xx-07-2013 Jay Freeman (saurik) Android CVE-2013-4787
2 http://www.contextis.com/resources/blog/... EXPRESSING YOURSELF: ANALYSIS OF A DOT NET ELEVATION OF PRIVILEGE VULNERABILITY 17-12-2013 James Forshaw Windows CVE-2013-3133
3 http://security.coverity.com/blog/2014/N... Eric Lippert Dissects CVE-2014-6332, a 19 year-old Microsoft bug 14-11-2014 Eric Lippert Windows CVE-2014-6332
4 http://researchcenter.paloaltonetworks.c... Addressing CVE-2014-6332 SWF Exploit 26-11-2014 Alon Livne Windows CVE-2014-6332
5 https://community.rapid7.com/community/me... R7-2015-04 Disclosure: Mozilla Firefox Proxy Prototype RCE (CVE-2014-8636) 23-03-2015 Tod Beardsley - CVE-2014-8636
6 https://securityintelligence.com/one-clas... One Class to Rule Them All: New Android Serialization Vulnerability Gives Underprivileged Apps Super Status 10-08-2015 Or Peles, Roee Hay Android CVE-2015-3825, CVE-2015-2000/1/2/3/4/20
7 http://rotlogix.com/2015/08/22/remote-cod... Remote Code Execution in Dolphin Browser for Android 22-08-2015 rotlogix Android N/A
8 http://googleprojectzero.blogspot.de/2015... FireEye Exploitation: Project Zero’s Vulnerability of the Beast 15-12-2015 Tavis Ormandy FireEye appliance N/A
9 https://blog.coresecurity.com/2015/12/09/... Exploiting Windows Media Center 09-12-2015 Francisco Falcón Windows CVE-2015-2509
10 https://www.nccgroup.trust/uk/about-us/n... Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers 05-01-2016 Richard Warren * MS15-132
11 https://googleprojectzero.blogspot.de/20... Raising the Dead 12-01-2016 James Forshaw Windows N/A

Information leakage

Nr URL Description Date Author OS/Arch Info
1 http://blog.binamuse.com/2014/09/coregra... CoreGraphics Information Disclosure - CVE-2014-4378 18-09-2014 binamuse.com iOS 7.1 CVE-2014-4378
2 http://googleprojectzero.blogspot.de/201... Enabling QR codes in Internet Explorer, or a story of a cross-platform memory disclosure 14-09-2015 Mateusz (j00ru) Jurczyk Windows CVE-2015-0089, CVE-2015-3049, CVE-2015-1670, CVE-2015-2169

Uninitialized memory

Nr URL Description Date Author OS/Arch Info
1 http://www.vupen.com/blog/20120717.Advan... Advanced Exploitation of IE MSXML Remote Uninitialized Memory (MS12-043 / CVE-2012-1889) 17-07-2012 Nicolas Joly Windows, x86-32 CVE-2012-1889
2 http://immunityproducts.blogspot.de/2013... Adobe XFA exploits for all! First Part: The Info-leak 24-06-2013 Nico Waisman Windows 7 CVE-2013-0640
3 http://labs.portcullis.co.uk/blog/cve-20... CVE-2013-0640: Adobe Reader XFA oneOfChild Un-initialized memory vulnerability (part 1) 26-09-2013 MTB Windows CVE-2013-0640
4 http://labs.portcullis.co.uk/blog/cve-20... CVE-2013-0640: Adobe Reader XFA oneOfChild Un-initialized memory vulnerability (part 2) 15-10-2013 MTB Windows CVE-2013-0640
5 http://ifsec.blogspot.de/2013/11/exploit... Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview 06-11-2013 Ivan Fratric Windows 8, x86-64 N/A
6 https://labs.mwrinfosecurity.com/system... Microsoft Office Uninitialised Memory Use Vulnerability 25-06-2015 Yong Chuan, Koh Windows CVE-2015-1770
7 http://sourceincite.com/2015/11/16/ms15-... MS15-116 – PARSE THE [POINT]ER OF NO RETURN 16-11-2015 Steven Windows CVE-2015-6038
8 https://www.blackhat.com/docs/eu-15/mate... Hey Man, Have You Forgotten to Initialize Your Memory? xx-xx-2015 Qihoo 360 Vulcan Team Windows CVE-2015-1745

Logic errors

Nr URL Description Date Author OS/Arch Info
1 https://code.google.com/p/google-securit... Flash logic error in bytecode verifier 15-09-2014 Ian Beer - CVE-2014-0590
2 http://h30499.www3.hp.com/t5/HP-Security... Technical analysis of the SandWorm Vulnerability (CVE-2014-4114) 20-10-2014 Matt Oh Windows Sandworm; CVE-2014-4114
3 https://blogs.mcafee.com/mcafee-labs/byp... Bypassing Microsoft’s Patch for the Sandworm Zero Day: a Detailed Look at the Root Cause 11-11-2014 Haifei Li Windows Sandworm; N/A
4 https://blogs.mcafee.com/mcafee-labs/byp... Bypassing Microsoft’s Patch for the Sandworm Zero Day: Even ‘Editing’ Can Cause Harm 12-11-2014 Haifei Li Windows Sandworm; N/A
5 https://www.fireeye.com/blog/threat-rese... CVE-2015-0097 Exploited in the Wild 30-07-2015 Sudeep Singh, Kenneth Hsu Windows CVE-2015-0097
6 https://github.com/QubesOS/qubes-secpack... Critical Xen bug in PV memory virtualization code (XSA 148) 29-10-2015 The Qubes Security Team XEN XSA 148

Chained and multiple bugs

Chained bugs

Nr URL Description Date Author OS/Arch Info
1 http://blog.chromium.org/2012/05/tale-of... A Tale of Two Pwnies (Part 1) 22-05-2012 Jorge Lucangeli Obes, Justin Schuh - CVE-2011-3047, CVE-2011-3063, CVE-2011-3055
2 http://blog.chromium.org/2012/06/tale-of... A Tale Of Two Pwnies (Part 2) 11-06-2012 Ken Buchanan, Chris Evans, Charlie Reis, Tom Sepez - Pwnium; CVE-2011-3063, CVE-2011-3054, CVE-2011-3072, CVE-2011-3084
3 https://web.archive.org/web/201408191742... Postpwnium Writeup 11-06-2013 Ralf-Philipp Weinmann Chrome OS N/A
4 https://web.archive.org/web/201502091121... How I met Firefox: A tale about chained vulnerabilities 02-10-2013 Sebastian Android N/A
5 http://blog.trendmicro.com/trendlabs-sec... A Killer Combo: Critical Vulnerability and ‘Godmode’ Exploitation on CVE-2014-6332 13-11-2014 Weimin Wu Windows CVE-2014-6332
6 http://researchcenter.paloaltonetworks.c... Google Chrome Exploitation – A Case Study 14-12-2014 Alon Livne Windows CVE-2014-1705
7 http://newosxbook.com/articles/28DaysLat... 28 Days Later - TaiG 2 (Part the 1st) 23-07-2015 Jonathan Levin iOS TaiG; N/A

Multiple bugs

Nr URL Description Date Author OS/Arch Info
1 http://www.cis.syr.edu/~wedu/Teaching/Co... Buffer-Overflow Vulnerabilities and Attacks ??? Kevin Du - N/A
2 https://lock.cmpxchg8b.com/sophailv2.pdf Sophail: Applied attacks against Sophos Antivirus xx-10-2012 Tavis Ormandy - N/A
3 http://kqueue.org/blog/2012/03/05/memory... Memory allocator security revisited 05-03-2012 Xi Wang - N/A
4 http://antid0te.com/syscan_2013/SyScan20... Mountain Lion/iOS Vulnerabilities Garage Sale 24-04-2013 Stefan Esser Mac / iOS N/A
5 http://blog.azimuthsecurity.com/2013/06/... Attacking Crypto Phones: Weaknesses in ZRTPCPP 27-06-2013 Mark Dowd - N/A
6 http://seclists.org/fulldisclosure/2014/... Information on recently-fixed Oracle VM VirtualBox vulnerabilities 07-02-2014 Matthew Daley - CVE-2013-5892, CVE-2014-0407, CVE-2014-0405, CVE-2014-0406, CVE-2014-0404
7 http://googleprojectzero.blogspot.de/201... Finding and exploiting ntpd vulnerabilities 02-01-2015 Stephen Röttger Mac CVE-2014-9295
8 http://www.coresecurity.com/advisories/s... SAP LZC LZH Compression Multiple Vulnerabilities 12-05-2015 coresecurity - CVE-2015-2282, CVE-2015-2278
9 http://googleprojectzero.blogspot.de/201... Owning Internet Printing - A Case Study in Modern Software Exploitation 19-06-2015 Neel Mehta Linux CVE-2015-1158, CVE-2015-1159
10 https://docs.google.com/document/d/1sIYg... Escaping VMware Workstation through COM1 07-09-2015 Kostya Kortchinsky Windows CVE-2015-2336, CVE-2015-2337, CVE-2015-2338, CVE-2015-2339, CVE-2015-2340
11 http://bits-please.blogspot.de/2016/01... Android privilege escalation to mediaserver from zero permissions (CVE-2014-7920 + CVE-2014-7921) 24-01-2016 laginimaineb Android CVE-2014-7920, CVE-2014-7921
12 https://googleprojectzero.blogspot.de/... Life After the Isolated Heap 28-03-2016 Natalie Silvanovich - CVE-2016-0998, CVE-2016-0984

Arbitrary data manipulation

Nr URL Description Date Author OS/Arch Info
1 http://dvlabs.tippingpoint.com/blog/2009... Exploiting MS Advisory 971778: QuickTime DirectShow 28-05-2009 Aaron Portnoy Windows, x86-32 CVE-2009-1537
2 http://www.offensive-security.com/vulnde... MS11-080 – A Voyage into Ring Zero 06-12-2011 offensive-security.com Windows, x86-32 CVE-2011-2005
3 http://blog.azimuthsecurity.com/2013/02/... Re-visiting the Exynos Memory Mapping Bug 14-02-2013 Dan Rosenberg Android 4.0 N/A
4 https://www.sektioneins.de/advisories/ad... Advisory 01/2013: PHP openssl_x509_parse() Memory Corruption Vulnerability 13-12-2013 Stefan Esser - CVE-2013-6420
5 http://h30499.www3.hp.com/t5/HP-Security... Technical Analysis of CVE-2014-0515 Adobe Flash Player Exploit 21-05-2014 Matt Oh Windows CVE-2014-0515
6 http://googleprojectzero.blogspot.de/201... One font vulnerability to rule them all #1: Introducing the BLEND vulnerability 31-07-2015 Mateusz (j00ru) Jurczyk Windows BLEND; CVE-2015-0093, CVE-2015-3052
7 http://googleprojectzero.blogspot.de/201... One font vulnerability to rule them all #2: Adobe Reader RCE exploitation 06-08-2015 Mateusz (j00ru) Jurczyk Windows BLEND; CVE-2015-0093, CVE-2015-3052

General

Articles, blogs and comments on vulnerabilities and their exploitation for which it is hard to find a category.

Nr URL Description Date Author OS/Arch Info
1 https://www.sans.org/reading-room/whitep... Buffer Overflows for Dummies 01-05-2002 Josef Nelißen - N/A
2 http://www.viva64.com/en/a/0046/ Safety of 64-bit code 06-08-2009 Andrey Karpov - N/A
3 http://www.matasano.com/research/NaCl_Su... NaCl Contest - Summary of findings xx-xx-2009 Team CJETM - N/A
4 http://www.exploit-db.com/wp-content/the... Exploiting ARM Linux Systems 31-01-2011 Emanuele Acri ARM N/A
5 https://www.virusbtn.com/virusbulletin/a... VB2014 paper: Ubiquitous Flash, ubiquitous exploits, ubiquitous mitigation 01-01-2015 Chun Feng, Elia Florio Windows CVE-2013-5330, CVE-2014-0497
6 http://www.ma.rhul.ac.uk/static/techrep/20... Buffer Overflows in the Microsoft Windows® Environment 16-02-2015 Parvez Anwar Windows N/A
7 http://matthias.vallentin.net/course-work/... On the Evolution of Buffer Overflows 20-05-2015 Matthias Vallentin - N/A
8 http://googleprojectzero.blogspot.de/201... What is a "good" memory corruption vulnerability? (Part 1/4) 26-06-2015 Chris Evans - N/A
9 https://cturt.github.io/ps4.html Hacking the PS4, part 1: Introduction to PS4's security, and userland ROP xx-xx-2015 CTurt PS4 CVE-2012-3748
10 https://cturt.github.io/ps4-2.html Hacking the PS4, part 2: Userland code execution xx-xx-2015 CTurt PS4 CVE-2012-3748
11 http://blogs.technet.com/b/srd/archive/20... Triaging the exploitability of IE/EDGE crashes 12-01-2016 swiat Windows N/A
12 http://xlab.tencent.com/en/2016/04/19/exc... Exceptions in Exceptions – Abusing Special Cases in System Exception Handling to Achieve Unbelievable Vulnerability Exploitation 19-04-2016 tombkeeper Windows N/A
