Friday, March 31, 2006

Exploits, Exploits, Exploits

A new, faster createTextRange exploit was released on milw0rm.com. The header comment from the exploit reads:

/**
 * This one is faster than all released createTextRange exploits
 * because it uses the latest version of SkyLined's heap spraying code,
 * special 10x goes to him.
 **/
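For readers who have not seen heap spraying before, here is a small added illustration of the layout the technique relies on. It is not the milw0rm exploit and not SkyLined's code; it only models the idea that drives it: fill the heap with many identical blocks, each consisting of a long sled followed by the payload, so that a guessed address (the classic 0x0c0c0c0c) lands inside a sled and slides into the payload. The block size, the target address, the heap base and the inert placeholder "shellcode" bytes are all assumptions chosen for the demo, not values taken from any real exploit.

```javascript
// Generic heap-spray layout model (added example, not code from the page).
// All constants below are illustrative assumptions.
const BLOCK_BYTES = 0x100000;   // 1 MiB per sprayed block (assumed)
const TARGET_ADDR = 0x0c0c0c0c; // classic guessed address (assumed)
const HEAP_BASE   = 0x0a000000; // where the spray is assumed to start

// Inert placeholder standing in for real shellcode (constructed bytes).
const SHELLCODE_BYTES = new Uint8Array([0x90, 0x90, 0xcc, 0xcc]);

// Build one block: a sled of 0x0c bytes, then the payload, exactly
// blockBytes long. 0x0c0c0c0c is chosen because on x86 the bytes 0c 0c
// decode to a harmless OR AL,0x0c, so execution slides down the sled.
function buildBlock(blockBytes = BLOCK_BYTES, shellcode = SHELLCODE_BYTES) {
  const sledLen = blockBytes - shellcode.length;
  const block = new Uint8Array(blockBytes);
  block.fill(0x0c, 0, sledLen);
  block.set(shellcode, sledLen);
  return { block, sledLen };
}

// Allocate `count` identical blocks back to back (the "spray").
function spray(count, blockBytes = BLOCK_BYTES) {
  const blocks = [];
  for (let i = 0; i < count; i++) blocks.push(buildBlock(blockBytes).block);
  return blocks;
}

// Given a guessed address, find which sprayed block it falls in and the
// offset within that block. Returns null if the guess misses the spray.
function locate(addr, base, count, blockBytes = BLOCK_BYTES) {
  const diff = addr - base;
  if (diff < 0 || diff >= count * blockBytes) return null;
  return { index: Math.floor(diff / blockBytes), offset: diff % blockBytes };
}

// Starting at `offset` inside a block, walk the sled until the payload is
// reached. Returns true when the walk reaches the shellcode start, which is
// what makes a guessed address "good enough" after spraying.
function slidesIntoPayload(block, offset, sledLen) {
  let i = offset;
  while (i < sledLen && block[i] === 0x0c) i++;
  return i === sledLen;
}

// Probability that a uniformly random hit on a block lands in the sled;
// this is why the sled is made as large as the block allows.
function sledHitRate(blockBytes = BLOCK_BYTES, shellcode = SHELLCODE_BYTES) {
  return (blockBytes - shellcode.length) / blockBytes;
}

// End-to-end check for the assumed numbers: does 0x0c0c0c0c land in a sled?
function demo(count = 64) {
  const blocks = spray(count);
  const { sledLen } = buildBlock();
  const hit = locate(TARGET_ADDR, HEAP_BASE, count);
  if (hit === null) return false;
  return slidesIntoPayload(blocks[hit.index], hit.offset, sledLen);
}
```

The key observation the demo exposes is in `locate`: the offset of 0x0c0c0c0c within its block is 0x0c0c0c, well inside a sled that covers almost the whole 1 MiB block, so the exact heap base barely matters once enough blocks are allocated. A real spray is bounded by how much memory the browser will hand out before the guessed address is covered, which is where the speed improvements the exploit's header refers to come in.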

Also, a new, untested Windows Help heap overflow was released by c0ntex on the Full-Disclosure (FD) security list. From the advisory:

There is a heap-based buffer overflow in the rendering engine for .hlp files in winhlp32.exe which allows an attacker the possibility of modifying the internal structure of the process as a means to execute arbitrary and malicious code. By modifying the value of an image embedded within a .hlp file (tested with the ? image and the [] button images), it is possible to trigger this bug and overflow a static buffer that is defined for data sections of the .hlp file. This grants the attacker the ability to overwrite block(n) and the following blocks' control data.

It should be possible to perform this attack remotely by embedding the .hlp file in an HTML page and tricking a user into clicking the link, granting remote access to the system with the permissions of the user who executed the help file.
