Browser Exploitation

This page collects write-ups and references related to browser exploitation, grouped by browser and JavaScript engine.

Google Chrome, Google Chrome OS, V8

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://blog.chromium.org/2012/05/tal... | A Tale of Two Pwnies (Part 1) | 22-05-2012 | Jorge Lucangeli Obes, Justin Schuh | - | N/A |
| 2 | https://blog.chromium.org/2012/06/tal... | A Tale of Two Pwnies (Part 2) | 11-06-2012 | Ken Buchanan, Chris Evans, Charlie Reis, Tom Sepez | - | N/A |
| 3 | https://scarybeastsecurity.blogspot.d... | Exploiting 64-bit Linux like a boss | 03-02-2013 | Chris Evans | Linux | N/A |
| 4 | https://labs.mwrinfosecurity.com... | MWR Labs Pwn2Own 2013 Write-up - Webkit Exploit | 19-04-2013 | MWR | - | N/A |
| 5 | https://docs.google.com/document... | Mobile Pwn2Own Autumn 2013 - Chrome on Android - Exploit Writeup | Autumn 2013 | Ian Beer | Android | N/A |
| 6 | https://bugs.chromium.org/p/chromium... | Chrome exploit: V8 properties + P2PHostMsg_Send | 22-09-2014 | Jüri Aedla | - | CVE-2014-3188 |
| 7 | http://researchcenter.paloaltonetwor... | Google Chrome Exploitation – A Case Study | 14-12-2014 | Palo Alto Networks | - | CVE-2014-1705 |
| 8 | https://bugs.chromium.org/p/chromium... | Advanced Exploitation of Chrome 42 64bit on Windows 8.1 + EMET 5.2 | 19-03-2015 | JungHoon (lokihardt) Lee | Windows 8.1 | N/A |
| 9 | https://googleprojectzero.blogspot.d... | Racing MIDI messages in Chrome | 04-02-2016 | Oliver Chang | *nix | N/A |
| 10 | https://bugs.chromium.org/p/chromium... | Advanced Exploitation of Chrome 64-bit on Windows 10 | 17-03-2016 | JungHoon (lokihardt) Lee | Windows 10 | N/A |
| 11 | https://bugs.chromium.org/p/chromium... | Pwn2Own V8 OOB Bug writeup | 26-10-2016 | ? | Android | N/A |
| 12 | https://googleprojectzero.blogspot.d... | Chrome OS exploit: one byte overflow and symlinks | 14-12-2016 | ? | Chrome OS | N/A |
| 13 | https://halbecaf.com/2017/05/24/expl... | Exploiting a V8 OOB write | 24-05-2017 | halbecaf | Linux | N/A |
| 14 | https://blogs.securiteam.com/index.p... | SSD Advisory – Chrome Turbofan Remote Code Execution | 16-08-2017 | Maor Schwartz | - | N/A |

Microsoft Edge, ChakraCore

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://blogs.360.cn/360safe/2016/11/... | Three roads lead to Rome | 29-11-2016 | Luke Viruswalker | Windows | CVE-2016-7201 |
| 2 | http://theori.io/research/chakra-jit-cfg... | CHAKRA JIT CFG BYPASS | 14-12-2016 | Theori | Windows | MS16-119 |
| 3 | http://blog.quarkslab.com/exploiting-ms1... | Exploiting MS16-145: MS Edge TypedArray.sort Use-After-Free (CVE-2016-7288) | 02-05-2017 | Francisco Falcón | Windows | CVE-2016-7288 |
| 4 | https://www.zerodayinitiative.com/blog/2... | CHECK IT OUT: ENFORCEMENT OF BOUNDS CHECKS IN NATIVE JIT CODE | 05-10-2017 | Simon Zuckerbraun | Windows | CVE-2017-0234 |

Microsoft Internet Explorer, jscript, ChakraCore

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://vreugdenhilresearch.nl/Pwn2Ow... | Pwn2Own 2010 Windows 7 Internet Explorer 8 exploit | xx-xx-2010 | Peter Vreugdenhil | Windows | N/A |
| 2 | https://ifsec.blogspot.de/2011/06/me... | Memory disclosure technique for Internet Explorer | 09-06-2011 | Ivan Fratric | Windows | N/A |
| 3 | https://d0cs4vage.blogspot.de/2011/0... | Insecticides don't kill bugs, Patch Tuesdays do | 16-06-2011 | d0c_s4vage | Windows | CVE-2011-1260 |
| 4 | http://www.exploit-monday.com/2011/0... | Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260) | 07-07-2011 | Matt Graeber | Windows | CVE-2011-1260 |
| 5 | https://ifsec.blogspot.de/2012/02/re... | Reliable Windows 7 Exploitation: A Case Study | 28-02-2012 | Ivan Fratric | Windows | CVE-2011-1999 |
| 6 | https://nakedsecurity.sophos.com/201... | Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day | 11-10-2013 | Paul Ducklin | Windows | CVE-2013-3893 |
| 7 | https://ifsec.blogspot.de/2013/11/ex... | Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview | 06-11-2013 | Ivan Fratric | Windows | N/A |
| 8 | https://blog.exodusintel.com/2013/11... | A BROWSER IS ONLY AS STRONG AS ITS WEAKEST BYTE | 26-11-2013 | Peter Vreugdenhil | Windows | CVE-2013-3147 |
| 9 | https://blog.exodusintel.com/2013/12... | A BROWSER IS ONLY AS STRONG AS ITS WEAKEST BYTE – PART 2 | 09-12-2013 | Peter Vreugdenhil | Windows | CVE-2013-3147 |
| 10 | https://googleprojectzero.blogspot.d... | Internet Explorer EPM Sandbox Escape CVE-2014-6350 | 01-12-2014 | James Forshaw | Windows | CVE-2014-6350 |
| 11 | https://ifsec.blogspot.de/2015/06/du... | Dude, where’s my heap? | 16-06-2015 | Ivan Fratric | Windows | N/A |
| 12 | https://www.blackhat.com/docs/us-15/... | Abusing Silent Mitigations: Understanding weaknesses within Internet Explorer’s Isolated Heap and MemoryProtection | 19-06-2015 | Abdul-Aziz Hariri, Simon Zuckerbraun, Brian Gorenc | Windows | N/A |
| 13 | https://www.nccgroup.trust/uk/our-re... | Exploiting CVE-2014-0282 | 16-12-2015 | Katy Winterborn | Windows | CVE-2014-0282 |
| 14 | http://gsec.hitb.org/materials/sg2016... | Look Mom, I don’t use Shellcode: Browser Exploitation Case Study for Internet Explorer 11 | xx-xx-2016 | Moritz Jodeit | Windows | N/A |
| 15 | http://payatu.com/from-crash-to-expl... | FROM CRASH TO EXPLOIT: CVE-2015-6086 – OUT OF BOUND READ/ASLR BYPASS | 18-01-2016 | payatu | Windows | CVE-2015-6086 |
| 16 | https://www.coresecurity.com/blog/ex... | Exploiting Internet Explorer's MS15-106, Part I: VBScript Filter Type Confusion Vulnerability (CVE-2015-6055) | 25-04-2016 | Francisco Falcón | Windows | CVE-2015-6055 |
| 17 | https://www.coresecurity.com/blog/ex... | Exploiting Internet Explorer’s MS15-106, Part II: JScript ArrayBuffer.slice Memory Disclosure (CVE-2015-6053) | 14-06-2016 | Francisco Falcón | Windows | CVE-2015-6053 |
| 18 | http://theori.io/research/cve-2016-0... | PATCH ANALYSIS OF CVE-2016-0189 | 22-06-2016 | Theori | Windows | CVE-2016-0189 |
| 19 | https://www.purehacking.com/blog/lloyd-s... | An Introduction to Use After Free Vulnerabilities | 05-08-2016 | Lloyd Simon | Windows | N/A |

Mozilla Firefox, Spidermonkey

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://gdtr.wordpress.com/2012/02/2... | Exploiting CVE-2011-2371 (FF reduceRight) without non-ASLR modules | 22-02-2012 | pakt | - | CVE-2011-2371 |
| 2 | https://community.rapid7.com/communi... | Here's that FBI Firefox Exploit for You (CVE-2013-1690) | 07-08-2013 | sinn3r | - | CVE-2013-1690 |
| 3 | https://bug1145255.bmoattachments.or... | Pwn2Own 2015 Firefox exploit | xx-xx-2015 | ilxu1a | - | CVE-2015-0817 |
| 4 | https://community.rapid7.com/communi... | R7-2015-04 Disclosure: Mozilla Firefox Proxy Prototype RCE (CVE-2014-8636) | 23-03-2015 | Joe Vennix | - | CVE-2014-8636 |
| 5 | http://www.phrack.org/issues/69/14..... | OR'LYEH? The Shadow over Firefox | xx-xx-2016 | argp | - | N/A |
| 6 | https://community.rapid7.com/communi... | 12 Days of HaXmas: A Fireside Foray into a Firefox Fracas | 29-12-2016 | William Webb | - | N/A |
| 7 | https://saelo.github.io/posts/firefo... | Exploiting a Cross-mmap Overflow in Firefox | 10-03-2017 | saelo | macOS | CVE-2016-9066 |
| 8 | https://phoenhex.re/2017-06-21/firef... | Share with care: Exploiting a Firefox UAF with shared array buffers | 21-06-2017 | bkth, eboda | Linux | N/A |
| 9 | https://rh0dev.github.io/blog/2017/the-r... | The Return of the JIT (Part 1) | 13-07-2017 | Rh0 | - | CVE-2017-5375, CVE-2017-5400 |
| 10 | https://rh0dev.github.io/blog/2017/the-r... | The Return of the JIT (Part 2) | 17-07-2017 | Rh0 | - | CVE-2017-5375, CVE-2017-5400 |

Apple Safari (and other WebKit-based browsers), JavaScriptCore

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://securityevaluators.com/knowl... | Engineering Heap Overflow Exploits with JavaScript | xx-xx-2008 | Mark Daniel, Jake Honoroff, Charlie Miller | Mac | N/A |
| 2 | https://cturt.github.io/ps4-2.html | Hacking the PS4, part 2: Userland code execution | xx-xx-xxxx | CTurt | PS | N/A |
| 3 | https://em386.blogspot.de/2010/12/we... | WebKit CSS Type Confusion | 15-12-2010 | Chris Rohlf | - | N/A |
| 4 | https://googleprojectzero.blogspot.d... | pwn4fun Spring 2014 - Safari - Part I | 24-07-2014 | Ian Beer | Mac | N/A |
| 5 | https://webkit.org/blog/6411/javascr... | JavaScriptCore CSI: A Crash Site Investigation Story | 01-06-2016 | Mark Lam | Mac | N/A |
| 6 | https://info.lookout.com/rs/051-ESQ-... | Section 1: Pegasus Exploitation of Safari (CVE-2016-4657) | xx-xx-2016 | Max Bazaliy, Cris Neckar, Greg Sinclair, in7egral | iOS | CVE-2016-4657 |
| 7 | https://blog.xyz.is/2016/webkit-360.... | Exploiting WebKit on Vita 3.60 | 18-08-2016 | ? | PS | N/A |
| 8 | http://www.phrack.org/papers/attacki... | Attacking JavaScript Engines: A case study of JavaScriptCore and CVE-2016-4622 (2016-10-27) | 27-10-2016 | saelo | Mac | CVE-2016-4622 |
| 9 | https://phoenhex.re/2017-05-04/pwn2o... | Pwn2Own 2017: UAF in JSC::CachedCall (WebKit) | 04-05-2017 | niklasb, saelo | Mac | CVE-2017-2491 |
| 10 | https://scarybeastsecurity.blogspot.... | Ode to the use-after-free: one vulnerable function, a thousand possibilities | 05-05-2017 | Chris Evans | Linux | CVE-2012-3748 |
| 11 | https://phoenhex.re/2017-06-02/array... | Exploiting an integer overflow with array spreading (WebKit) | 02-06-2017 | niklasb, saelo | Mac | CVE-2017-2536 |
| 12 | https://www.zerodayinitiative.com/bl... | DECONSTRUCTING A WINNING WEBKIT PWN2OWN ENTRY | 24-08-2017 | Jasiel Spelman | Mac | CVE-2017-2547 |

Other browsers

Plugins

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://googleprojectzero.blogspot.d... | Exploiting CVE-2014-0556 in Flash | 23-09-2014 | Chris Evans | - | CVE-2014-0556 |
| 2 | https://googleprojectzero.blogspot.d... | `(^Exploiting)\s(CVE-2015-0318)\s(in)\s*(Flash$)` | 12-02-2015 | Mark Brand | - | CVE-2015-0318 |
| 3 | https://googleprojectzero.blogspot.d... | A Tale of Two Exploits | 13-04-2015 | Natalie Silvanovich | - | CVE-2015-0336 |
| 4 | https://googleprojectzero.blogspot.d... | One Perfect Bug: Exploiting Type Confusion in Flash | 20-06-2015 | Natalie Silvanovich | - | CVE-2015-3077 |
| 5 | https://googleprojectzero.blogspot.d... | Life After the Isolated Heap | 28-03-2016 | Natalie Silvanovich | - | CVE-2016-0998, CVE-2016-0984 |
| 6 | https://blog.bjornweb.nl/2017/08/fla... | Playing in the Remote Sandbox: Adobe Flash Windows User Credentials Disclosure Vulnerability (CVE-2017-3085) | 08-08-2017 | Björn Ruytenberg | - | CVE-2017-3085 |

Vulnerability research in general

| Nr | URL | Description | Date | Author | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | https://media.blackhat.com/bh-us-12/... | DIGGING DEEP INTO THE FLASH SANDBOXES | xx-xx-2012 | Paul Sabanal, Mark Vincent Yason | - | N/A |
| 2 | http://documents.trendmicro.com/asse... | $hell on Earth: From Browser to System Compromise | xx-xx-2016 | Matt Molinyawe, Abdul-Aziz Hariri, Jasiel Spelman | - | N/A |
| 3 | https://expdev-kiuhnm.rhcloud.com/20... | Internet Explorer 10/11 Exploitation | - | Massimiliano Tomassoli | Windows | N/A |
| 4 | https://www.blackhat.com/docs/us-16/... | The art of reverse-engineering Flash exploits | xx-07-2016 | Jeong Wook Oh | - | CVE-2015-5122, CVE-2015-8651, CVE-2016-1010, CVE-2015-0336, CVE-2015-8446, CVE-2015-8651 |
| 5 | https://browser-security.x41-dsec.de... | Browser Security White Paper | 19-09-2017 | Markus Vervier, Michele Orrù, Berend-Jan Wever, Eric Sesterhenn | N/A | - |
| 6 | https://cure53.de/#browser-security-... | Cure53 Browser Security White Paper | 20-09-2017 | Mario Heiderich, Alex Inführ, Fabian Fäßler, Nikolai Krein, Masato Kinugawa, Filedescriptor, Dario Weißer | N/A | - |

Misc

| Nr | URL | Description |
|---|---|---|
| 1 | https://github.com/tunz/js-vuln-db | A collection of JavaScript engine CVEs with PoCs |
| 2 | https://docs.google.com/document/d/19dspgrz35VoJwdWOboENZvccTSGudjQ_p8J4OPsYztM/ | List of Browser Mitigations |
