| CVE | Target | Platform | Vulnerability | Exploitation notes |
| --- | --- | --- | --- | --- |
| CVE-2012-1876 | IE8 | Windows | Heap buffer overflow when updating an HTML Col element | Obtain full RCE bypassing DEP and ASLR by using the overflow to get an information leak before writing virtual function tables. |
| CVE-2015-3104 | Adobe Flash on Firefox | Windows | Integer overflow when updating a Shader object via Shader Jobs | Obtain Adobe Flash sandboxed RCE bypassing DEP and ASLR by using the overflow to first build read/write primitives, then using those primitives to write in shellcode and write virtual function tables. This vulnerability should be found across most browsers, and there are Adobe Flash Player sandbox escapes for these specific Adobe Flash versions (17.0.0.188 and prior) running on Internet Explorer. |
| CVE-2017-4905 | VMware Workstation | Windows | OOB read via uninitialized buffers | Obtain an information leak from the vmware-vmx.exe stack. |
| CVE-2017-???? | VMware Workstation | Windows | UaF via Drag-and-Drop RPC commands (dnd) | Obtain full RCE bypassing DEP by creating fake virtual function tables. Chain with CVE-2017-4905 to bypass ASLR. |
| CVE-2018-17463 | Chrome | Windows | Type confusion via TurboFan optimisation | Obtain renderer sandboxed RCE bypassing DEP and ASLR by creating read/write primitives and writing shellcode into WASM/JIT space. If W^X is enabled on JIT space, JIT shellcoding should work too, or just use WASM. |
| CVE-2018-9948 | Foxit PDF Reader | Windows | OOB read via uninitialized buffers | Obtain an information leak from the foxit.exe stack. |
| CVE-2018-9958 | Foxit PDF Reader | Windows | UaF via Foxit PDF Reader text annotations | Obtain full RCE bypassing DEP by creating fake virtual function tables. Chain with CVE-2018-9948 to bypass ASLR. |
| CVE-2019-13764 | Chrome | Windows | Type confusion via TurboFan optimisation | Obtain renderer sandboxed RCE bypassing DEP and ASLR by creating read/write primitives and writing shellcode into WASM/JIT space. If W^X is enabled on JIT space, JIT shellcoding should work too, or just use WASM. |
| CVE-2019-13768 | Chrome | Windows | UaF via the FileWriterImpl API | Obtain full RCE by creating fake structures and fake virtual function tables. Chain with a renderer RCE to enable Mojo communication between renderer and browser, which is disabled by default. |
| CVE-2020-6383 | Chrome | Windows | Type confusion via TurboFan optimisation | Obtain renderer sandboxed RCE bypassing DEP and ASLR by creating read/write primitives and writing shellcode into WASM/JIT space. If W^X is enabled on JIT space, JIT shellcoding should work too, or just use WASM. |
| CVE-2020-16040 | Chrome | Windows | Type confusion via TurboFan optimisation | Obtain renderer sandboxed RCE bypassing DEP and ASLR by creating read/write primitives and writing shellcode into WASM/JIT space. If W^X is enabled on JIT space, JIT shellcoding should work too, or just use WASM. |
| CVE-2021-38003 | Chrome | Windows | OOB read via JSON.stringify() | Obtain renderer sandboxed RCE bypassing DEP and ASLR by first leaking TheHole, then creating read/write primitives and writing shellcode into WASM/JIT space. If W^X is enabled on JIT space, JIT shellcoding should work too, or just use WASM. |
| CVE-2022-1134 | Chrome | Windows | Type confusion via super() property access and inline caching | Obtain renderer sandboxed RCE bypassing DEP and ASLR by leaking Blink objects' addresses and their respective V8 addresses using arbitrary read primitives, before constructing fake objects to obtain compressed r/w and addrOf primitives. We then write shellcode into WASM/JIT space. |
| CVE-2023-33693 | EasyPlayerPro | Windows | SEH overflow via LoadConfig() | Obtain code execution via an SEH overflow when the player runs and attempts to load its configuration file (if available), due to the way strings are parsed from the configuration file into the executable. |