Browser Exploitation

This page contains all information related to the browser exploitation. Links also do appear in other sections, this page was made to highlight research per vendor though.

Google Chrome, Google Chrome OS, V8

Nr URL Description Date Author OS/Arch Info
1 https://blog.chromium.org/2012/05/tal... A Tale of Two Pwnies (Part 1) 22-05-2012 Jorge Lucangeli Obes, Justin Schuh - N/A
2 https://blog.chromium.org/2012/06/tal... A Tale of Two Pwnies (Part 2) 11-06-2012 Ken Buchanan, Chris Evans, Charlie Reis, Tom Sepez - N/A
3 https://scarybeastsecurity.blogspot.d... 03-02-2013 Exploiting 64-bit Linux like a boss Linux Chris Evans N/A
4 https://labs.mwrinfosecurity.com... MWR Labs Pwn2Own 2013 Write-up - Webkit Exploit 19-04-2013 MWR - N/A
5 https://docs.google.com/document... Mobile Pwn2Own Autumn 2013 - Chrome on Android - Exploit Writeup Autumn 2013 Ian Beer Android N/A
6 https://bugs.chromium.org/p/chromium... Chrome exploit: V8 properties + P2PHostMsg_Send 22-09-2014 Jüri Aedla - CVE-2014-3188
7 http://researchcenter.paloaltonetwor... Google Chrome Exploitation – A Case Study 14-12-2014 Palo Alto Networks - CVE-2014-1705
8 https://bugs.chromium.org/p/chromium... Advanced Exploitation of Chrome 42 64bit on Windows 8.1 + EMET 5.2 19-03-2015 JungHoon (lokihardt) Lee Windows 8.1 N/A
9 https://googleprojectzero.blogspot.d... Racing MIDI messages in Chrome 04-02-2016 Oliver Chang *nix N/A
10 https://bugs.chromium.org/p/chromium... Advanced Exploitation of Chrome 64-bit on Windows 10 17-03-2016 JungHoon (lokihardt) Lee Windows 10 N/A
11 https://bugs.chromium.org/p/chromium... Pwn2Own V8 OOB Bug writeup 26-10-2016 ? Android N/A
12 https://googleprojectzero.blogspot.d... Chrome OS exploit: one byte overflow and symlinks 14-12-2016 ? Chrome OS N/A
13 https://halbecaf.com/2017/05/24/expl... Exploiting a V8 OOB write 24-05-2017 halbecaf Linux N/A
14 https://blogs.securiteam.com/index.p... SSD Advisory – Chrome Turbofan Remote Code Execution 16-08-2017 Maor Schwartz - N/A

Microsoft Edge, Chakra

Nr URL Description Date Author OS/Arch Info
1 http://blogs.360.cn/360safe/2016/11/... Three roads lead to Rome 29-11-2016 Luke Viruswalker Windows CVE-2016-7201
2 http://theori.io/research/chakra-jit-cfg... CHAKRA JIT CFG BYPASS 14-12-2016 Theori Windows MS16-119
3 http://blog.quarkslab.com/exploiting-ms1... Exploiting MS16-145: MS Edge TypedArray.sort Use-After-Free (CVE-2016-7288) 02-05-2017 Francisco Falcon Windows CVE-2016-7288
4 https://www.zerodayinitiative.com/blog/2... CHECK IT OUT: ENFORCEMENT OF BOUNDS CHECKS IN NATIVE JIT CODE 05-10-2017 Simon Zuckerbraun Windows CVE-2017-0234

Microsoft Internet Explorer

Nr URL Description Date Author OS/Arch Info
1 http://vreugdenhilresearch.nl/Pwn2Ow... Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit xx-xx-2010 Peter Vreugdenhil Windows N/A
2 https://ifsec.blogspot.de/2011/06/me... Memory disclosure technique for Internet Explorer 09-06-2011 Ivan Fratric Windows N/A
3 https://d0cs4vage.blogspot.de/2011/0... Insecticides don't kill bugs, Patch Tuesdays do 16-06-2011 d0c_s4vage Windows CVE-2011-1260
4 http://www.exploit-monday.com/2011/0... Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260) 07-07-2011 Matt Graeber Windows CVE-2011-1260
5 https://ifsec.blogspot.de/2012/02/re... Reliable Windows 7 Exploitation: A Case Study 28-02-2012 Ivan Fratric Windows CVE-2011-1999
6 https://nakedsecurity.sophos.com/201... Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day 11-10-2013 Paul Ducklin Windows CVE-2013-3893
7 https://ifsec.blogspot.de/2013/11/ex... Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview 06-11-2013 Ivan Fratric Windows N/A
8 https://blog.exodusintel.com/2013/11... A BROWSER IS ONLY AS STRONG AS ITS WEAKEST BYTE 26-11-2013 Peter Vreugdenhil Windows CVE-2013-3147
9 https://blog.exodusintel.com/2013/12... A BROWSER IS ONLY AS STRONG AS ITS WEAKEST BYTE – PART 2 09-12-2013 Peter Vreugdenhil Windows CVE-2013-3147
10 https://googleprojectzero.blogspot.d... Internet Explorer EPM Sandbox Escape CVE-2014-6350 01-12-2014 James Forshaw Windows CVE-2014-6350
11 https://ifsec.blogspot.de/2015/06/du... Dude, where’s my heap? 16-06-2015 Ivan Fratric Windows N/A
12 https://www.blackhat.com/docs/us-15/... Abusing Silent Mitigations: Understanding weaknesses within Internet Explorer’s Isolated Heap and MemoryProtection 19-06-2015 Abdul-Aziz Hariri, Simon Zuckerbraun, Brian Gorenc Windows N/A
13 https://www.nccgroup.trust/uk/our-re... Exploiting CVE-2014-0282 16-12-2015 Katy Winterborn Windows CVE-2014-0282
14 http://gsec.hitb.org/materials/sg2016... Look Mom, I don’t use Shellcode: Browser Exploitation Case Study for Internet Explorer 11 xx-xx-2016 Moritz Jodeit Windows N/A
15 http://payatu.com/from-crash-to-expl... FROM CRASH TO EXPLOIT: CVE-2015-6086 – OUT OF BOUND READ/ASLR BYPASS 18-01-2016 payatu Windows CVE-2015-6086
16 https://www.coresecurity.com/blog/ex... Exploiting Internet Explorer's MS15-106, Part I: VBScript Filter Type Confusion Vulnerability (CVE-2015-6055) 25-04-2016 Francisco Falcón Windows CVE-2015-6055
17 https://www.coresecurity.com/blog/ex... Exploiting Internet Explorer’s MS15-106, Part II: JScript ArrayBuffer.slice Memory Disclosure (CVE-2015-6053) 14-06-2016 Francisco Falcón Windows CVE-2015-6053
18 http://theori.io/research/cve-2016-0... PATCH ANALYSIS OF CVE-2016-0189 22-06-216 Theori Windows CVE-2016-0189
19 https://www.purehacking.com/blog/lloyd-s... An Introduction to Use After Free Vulnerabilities 05-08-2016 Lloyd Simon Windows N/A

Mozilla Firefox, Spidermonkey

Nr URL Description Date Author OS/Arch Info
1 https://gdtr.wordpress.com/2012/02/2... Exploiting CVE-2011-2371 (FF reduceRight) without non-ASLR modules 22-02-2012 pakt - CVE-2011-2371
2 https://community.rapid7.com/communi... Here's that FBI Firefox Exploit for You (CVE-2013-1690) 07-08-2013 sinn3r - CVE-2013-1690
3 https://bug1145255.bmoattachments.or... Pwn2Own 2015 Firefox exploit xx-xx-2015 ilxu1a - CVE-2015-0817
4 https://community.rapid7.com/communi... R7-2015-04 Disclosure: Mozilla Firefox Proxy Prototype RCE (CVE-2014-8636) 23-03-2015 Joe Vennix - CVE-2014-8636
5 http://www.phrack.org/issues/69/14..... OR'LYEH? The Shadow over Firefox xx-xx-2016 argp - N/A
6 https://community.rapid7.com/communi... 12 Days of HaXmas: A Fireside Foray into a Firefox Fracas 29-12-2016 William Webb - N/A
7 https://saelo.github.io/posts/firefo... Exploiting a Cross-mmap Overflow in Firefox 10-03-2017 saelo macOS CVE-2016-9066
8 https://phoenhex.re/2017-06-21/firef... Share with care: Exploiting a Firefox UAF with shared array buffers 21-06-2017 bkth, eboda Linux N/A
9 https://rh0dev.github.io/blog/2017/the-r... The Return of the JIT (Part 1) 13-07-2017 Rh0 - CVE-2017-5375, CVE-2017-5400
10 https://rh0dev.github.io/blog/2017/the-r... The Return of the JIT (Part 2) 17-07-2017 Rh0 - CVE-2017-5375, CVE-2017-5400

Apple Safari (and other WebKit-based browsers), JavaScriptCore

Nr URL Description Date Author OS/Arch Info
1 https://securityevaluators.com/knowl... Engineering Heap Overflow Exploits with JavaScript xx-xx-2008 Mark Daniel, Jake Honoroff, Charlie Miller Mac N/A
2 https://cturt.github.io/ps4-2.html Hacking the PS4, part 2: Userland code execution xx-xx-xxxx CTurt PS N/A
3 https://em386.blogspot.de/2010/12/we... WebKit CSS Type Confusion 15-12-2010 Chris Rohlf - N/A
4 https://googleprojectzero.blogspot.d... pwn4fun Spring 2014 - Safari - Part I 24-07-2014 Ian Beer Mac N/A
5 https://webkit.org/blog/6411/javascr... JavaScriptCore CSI: A Crash Site Investigation Story 01-06-2016 Mark Lam Mac N/A
6 https://info.lookout.com/rs/051-ESQ-... Section 1: Pegasus Exploitation of Safari (CVE-2016-4657) xx-xx-2016 Max Bazaliy, Cris Neckar, Greg Sinclair, in7egral iOS CVE-2016-4657
7 https://blog.xyz.is/2016/webkit-360.... Exploiting WebKit on Vita 3.60 18-08-2016 ? PS N/A
8 http://www.phrack.org/papers/attacki... Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622 (2016-10-27) 27-10-2016 saelo Mac CVE-2016-4622
9 https://phoenhex.re/2017-05-04/pwn2o... Pwn2Own 2017: UAF in JSC::CachedCall (WebKit) 04-05-2017 niklasb, saelo Mac CVE-2017-2491
10 https://scarybeastsecurity.blogspot.... Ode to the use-after-free: one vulnerable function, a thousand possibilities 05-05-2017 Chris Evans Linux CVE-2012-3748
11 https://phoenhex.re/2017-06-02/array... Exploiting an integer overflow with array spreading (WebKit) 02-06-2017 niklasb, saelo Mac CVE-2017-2536
12 https://www.zerodayinitiative.com/bl... DECONSTRUCTING A WINNING WEBKIT PWN2OWN ENTRY 24-08-2017 Jasiel Spelman Mac CVE-2017-2547

Other browsers

Plugins

Nr URL Description Date Author OS/Arch Info
1 https://googleprojectzero.blogspot.d... Exploiting CVE-2014-0556 in Flash 23-09-2014 Chris Evans - CVE-2014-0556
2 https://googleprojectzero.blogspot.d... (^Exploiting)\s(CVE-2015-0318)\s(in)\s*(Flash$) 12-02-2015 Mark Brand - CVE-2015-0318
3 https://googleprojectzero.blogspot.d... A Tale of Two Exploits 13-04-2015 Natalie Silvanovich - CVE-2015-0336
4 https://googleprojectzero.blogspot.d... One Perfect Bug: Exploiting Type Confusion in Flash 20-06-2015 Natalie Silvanovich - CVE-2015-3077
5 https://googleprojectzero.blogspot.d... Life After the Isolated Heap 28-03-2016 Natalie Silvanovich - CVE-2016-0998, CVE-2016-0984
6 https://blog.bjornweb.nl/2017/08/fla... Playing in the Remote Sandbox: Adobe Flash Windows User Credentials Disclosure Vulnerability (CVE-2017-3085) 08-08-2017 Björn Ruytenberg - CVE-2017-3085

Vulnerability research in general

Nr URL Description Date Author OS/Arch Info
1 https://media.blackhat.com/bh-us-12/... DIGGING DEEP INTO THE FLASH SANDBOXES xx-xx-2012 Paul Sabanal, Mark Vincent Yason - N/A
2 http://documents.trendmicro.com/asse... $hell on Earth: From Browser to System Compromise xx-xx- 2016 Matt Molinyawe, Abdul-Aziz Hariri, Jasiel Spelman - N/A
3 https://expdev-kiuhnm.rhcloud.com/20... Internet Explorer 10/11 Exploitation - Massimiliano Tomassoli Windows N/A
4 https://www.blackhat.com/docs/us-16/... The art of reverse-engineering Flash exploits xx-07-2016 Jeong Wook Oh - CVE-2015-5122, CVE-2015-8651, CVE-2016-1010, CVE-2015-0336, CVE-2015-8446, CVE-2015-8651
5 https://browser-security.x41-dsec.de... Browser Security White Paper 19-09-2017 Markus Vervier, Michele Orrù, Berend-Jan Wever, Eric Sesterhenn N/A -
6 https://cure53.de/#browser-security-... Cure53 Browser Security White Paper 20-09-2017 Mario Heiderich, Alex Inführ, Fabian Fäßler, Nikolai Krein, Masato Kinugawa, Filedescriptor, Dario Weißer N/A -

Misc.

Nr URL Description
1 https://github.com/tunz/js-vuln-db A collection of JavaScript engine CVEs with PoCs
2 https://docs.google.com/document/d/19dspgrz35VoJwdWOboENZvccTSGudjQ_p8J4OPsYztM/ List of Browser Mitigations

results matching ""

    No results matching ""