Tag: ROP

Heap spraying browsers using Adobe Flash’s ActionScript

It’s been a while since my last post so I thought I’d post this article on heap spraying using Adobe Flash which I have been working on to get a better understanding of the ActionScript language, hopefully it will benefit some readers to test their security layers in their own environment. After analysing some actual…


Bypassing Windows ASLR using “skype4COM” protocol handler

While investigating an unrelated issue using SysInternals Autoruns tool I spotted a couple of protocol handlers installed on the system by Skype. Knowing that protocol handlers can be loaded by Internet Explorer without any prompts I decided to check if these libraries have there dynamic base bits set. It turns out that the “skype4com.dll” library…


Bypassing Microsoft Windows ASLR with a little help by MS-Help

Exploiting vulnerabilities on Windows 7 is not as easy as it used to be on Windows XP. Writing an exploit to bypass ASLR and DEP on Windows 7 was still relatively easy if Java 6 was installed as it got shipped with non aslr msvcr71.dll library. Now that Java 7 has been out for a…


Heap spraying in Internet Explorer with rop nops

Lately I have been learning to write some exploits for some of my old discovered vulnerabilities to get it working on Windows 7 with IE9. Previously when exploiting vulnerabilities my POCs had always been on Windows XP IE6 just to make sure it worked and not having to worry about all the mitigations in later…


RemoteExec Computers List Buffer Overflow ROP Exploit

In this post I’ll be writing about a ROP (Return Object Programming) exploit that I had recently developed for a vulnerability I had discovered in an application called “RemoteExec”. The vulnerability is caused when opening a .rec file containing an overly long line triggering a stack-based buffer overflow. It was first published in March 2010…