2014_EN_BrowserFuzzing_RosarioValotta

Recommendations

Info

SOME RESULTS #2 Registers: EAX = 0x02F7AE34 - RW- EBX = 0x00000000 - ECX = 0x771B179F - R-X - ntdll!vDbgPrintExWithPrefixInternal EDX = 0x02F7ABD1 - RW- ESI = 0x00620000 - RW- EDI = 0x00645478 - RW- EBP = 0x02F7AE9C - RW- ESP = 0x02F7AE24 - RW- EIP = 0x77253873 - R-X - ntdll!RtlReportCriticalFailure IE 11 Type: heap corruption Exploitable: probably Call Stack: 0x772547A3 - ntdll!RtlpReportHeapFailure 0x77254883 - ntdll!RtlpLogHeapFailure 0x77219D8A - ntdll!RtlpCoalesceFreeBlocks 0x771E6287 - ntdll!RtlpFreeHeap 0x771E65A6 - ntdll!RtlFreeHeap 0x761FC3C4 - kernel32!HeapFree 0x020E0034 - 0x03DA9539 - 0x03DA3167 - 0x673FCEAB - jscript9!Js::JavascriptFunction::CallFunction 0x674B46F2 - jscript9!Js::InterpreterStackFrame::Process 0x67552226 - jscript9!Js::InterpreterStackFrame::OP_TryCatch 0x674B4712 - jscript9!Js::InterpreterStackFrame::Process 0x67400AA3 - jscript9!Js::InterpreterStackFrame::InterpreterThunk
SOME RESULTS #3 Registers: EAX = 0x024C4400 - EBX = 0x00000000 - ECX = 0x047C87F8 - RW- EDX = 0x02C40000 - ESI = 0x00000000 - EDI = 0x08A2BDA0 - RW- EBP = 0x08315D50 - RW- ESP = 0x08315D44 - RW- EIP = 0x62ACBE7D - R-X - mshtml!CWindow::SetTimeoutWithPaintController IE 11 Type: r.A. Violation Exploitable: YES Code: 0x62ACBE7D - mov eax, [edx] 0x62ACBE7F - push edx 0x62ACBE80 - call dword ptr [eax+8] 0x62ACBE83 - jmp 62a7f579h 0x62ACBE88 - mov eax, [ecx] 0x62ACBE8A - push ecx 0x62ACBE8B - call dword ptr [eax+8] 0x62ACBE8E - jmp 62a7f58ah Call Stack: 0x62A7F6FD - mshtml!CWindow::SetTimeoutHelper 0x62A7F914 - mshtml!CWindow::SetTimeoutFromScript 0x62A7F9A6 - mshtml!CFastDOM::CWindow::Trampoline_setTimeout
Page 1 and 2: BROWSER FUZZING IN 2014: David vs G
Page 3 and 4: 你好 ! • Hi beijing! I am rosa
Page 5 and 6: Vulnerabilities market Providers Bu
Page 7 and 8: Memory corruption vulns: a primer
Page 9 and 10: Usual Targets for Browser fuzzing R
Page 11 and 12: DOM fuzzing • DOM has a complex d
Page 13 and 14: Stone #1 - Fuzzing/with/TIME
Page 15 and 16: • browsers are event-driven JS ti
Page 17 and 18: • Event objects are dispatched to
Page 19 and 20: Fuzzing with events setTimeout(fn,0
Page 21 and 22: FUZZing with XHR (2/2) Similar cons
Page 23 and 24: …the other side of the party •
Page 25 and 26: Stone #2 - Fuzzing/with/space
Page 27 and 28: Using legacy engines • By default
Page 29 and 30: Cross engines interactions • When
Page 31 and 32: Introducing fileja • A prototype
Page 33: SOME RESULTS #1 Registers: EAX = 0x
Page 37 and 38: Registers: EAX = 0x00454545 - EBX =
Page 39 and 40: SOME RESULTS #7 Caught a Write Acce
Page 41 and 42: SOME RESULTS #9 Caught a Read Acces
Page 43: Thankyou 谢谢

2014_EN_BrowserFuzzing_RosarioValotta

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?