I finally got around to playing with Alexander Sotirov's new heap tricks for attacking browsers. In short: Alexander has reversed the way the heap gets allocated and freed in IE and written some tools in JavaScript that allow you to control heap allocations. Where normal heap spraying is quick and dirty and gets the job done often enough, this gives you the control to make an exploit truly reliable. It does take a very deep understanding of the internals of process heaps and how vulnerabilities are actually exploited to understand how it works, which is good because script kiddies suck.
2007-07-31
2007-04-18
Exterminate - Mandelbrot Fractal Zoom Music Video
Five animated zooms into the Mandelbrot set, morphed into one another and synchronized to music. By slowly increasing the number of iterations as we zoom in, we can see the fractal grow. You can watch it on YouTube. Technical details: max. iterations: 6000, max. zoom: 6.2e+14, total rendered frames: 2310 (at 320x240), time to design and create the complete animation: ~50 hrs., rendering time: ~2 hrs., rendering software: Ultra Fractal 4.03, video software: VirtualDub 1.6.17, music: Snap! - Exterminate, full AVI size: 57.4Mb.
2007-04-14
Ascii Art Mandelbrot Fractal Zoom
As part of my DHTML++ demo, I wrote an ASCII Art Mandelbrot Fractal zoomer. Unfortunately, the current version is waaaay too slow to calculate the frames in real-time. Apparently they did not optimize JavaScript in Internet Explorer for rendering fractals in real time. I am working on a much smarter algorithm, which only calculates the fractal once. I intend to use variable accuracy. This means I can get more detail around the area I zoom in to, so I do not need to recalculate the fractal for every frame. However, this is a bit more complex than it sounds, so don't hold your breath. In the meantime, here's an example of what it will look like.
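The two Mandelbrot posts above describe an ASCII-art zoom whose iteration cap rises as the zoom deepens. The following is an added example, not the DHTML++ demo's code: it is the brute-force approach that recalculates every frame, and the palette, frame size, zoom target and iteration schedule (`maxIterForZoom`) are assumptions chosen for illustration.

```javascript
// Added example, not the author's code. Palette, frame size, zoom target and
// the iteration schedule are assumptions chosen for illustration.
const PALETTE = " .:-=+*#%@";   // last character marks points inside the set

// Escape-time count for c = cx + i*cy, capped at maxIter.
function escapeTime(cx, cy, maxIter) {
  let x = 0, y = 0, i = 0;
  while (i < maxIter && x * x + y * y <= 4) {
    const xt = x * x - y * y + cx;
    y = 2 * x * y + cy;
    x = xt;
    i++;
  }
  return i;
}

// Assumed schedule: raise the iteration cap with the logarithm of the zoom,
// so deeper frames resolve finer detail instead of turning into solid blobs.
function maxIterForZoom(zoom, base = 50, perDecade = 50) {
  return Math.round(base + perDecade * Math.log10(Math.max(zoom, 1)));
}

// Render one frame centred on (cx, cy); zoom 1 shows a 3.5-unit-wide window.
function renderFrame(cx, cy, zoom, cols = 64, rows = 24) {
  const maxIter = maxIterForZoom(zoom);
  const width = 3.5 / zoom;
  const height = width * (rows / cols) * 2;   // text cells are about 2x taller than wide
  const lines = [];
  for (let r = 0; r < rows; r++) {
    let line = "";
    for (let c = 0; c < cols; c++) {
      const px = cx + (c / (cols - 1) - 0.5) * width;
      const py = cy + (r / (rows - 1) - 0.5) * height;
      const n = escapeTime(px, py, maxIter);
      line += n >= maxIter
        ? PALETTE[PALETTE.length - 1]
        : PALETTE[n % (PALETTE.length - 1)];
    }
    lines.push(line);
  }
  return lines;
}

// Three frames of a zoom toward an assumed target near the set's boundary.
for (const zoom of [1, 10, 100]) {
  console.log(`zoom ${zoom}, max iterations ${maxIterForZoom(zoom)}`);
  console.log(renderFrame(-0.743643, 0.131825, zoom).join("\n"));
}
```

Every frame costs up to cols x rows x maxIter loop iterations, which is why recalculating per frame gets slower the deeper the zoom goes.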
2007-04-13
VBScript Functions for JavaScript
To use the script, download it from http://skypher.com/SkyLined/download/vbs.js/vbs.js, put it on your server and add this tag to your HTML file:
<SCRIPT src="vbs.js" type="text/javascript" language="JavaScript"></SCRIPT>
Any script that runs after this script will have access to an object called "vbs", which has a number of properties and methods that can be used to access VBScript features.
Properties: (See MsgBox function documentation at MSDN)
vbOKOnly, vbOKCancel, vbAbortRetryIgnore, vbYesNoCancel, vbYesNo, vbRetryCancel, vbCritical, vbQuestion, vbExclamation, vbInformation, vbDefaultButton1, vbDefaultButton2, vbDefaultButton3, vbDefaultButton4, vbApplicationModal, vbSystemModal
Methods: (see VBScript functions reference at MSDN)
Abs, Array, Asc, Atn, CBool, CByte, CCur, CDate, CDbl, Chr, CInt, CLng, Cos, CreateObject, CSng, CStr, Date, DateAdd, DateDiff, DatePart, DateSerial, DateValue, Day, Escape, Eval, Exp, Filter, Fix, FormatCurrency, FormatDateTime, FormatNumber, FormatPercent, GetLocale, GetObject, GetRef, Hex, Hour, InputBox, InStr, InStrRev, Int, IsArray, IsDate, IsEmpty, IsNull, IsNumeric, IsObject, Join, LBound, LCase, Left, Len, LoadPicture, Log, LTrim, Mid, Minute, Month, MonthName, MsgBox, Now, Oct, Replace, RGB, Right, Rnd, Round, RTrim, ScriptEngine, ScriptEngineBuildVersion, ScriptEngineMajorVersion, ScriptEngineMinorVersion, Second, SetLocale, Sgn, Sin, Space, Split, Sqr, StrComp, String, StrReverse, Tan, Time, Timer, TimeSerial, TimeValue, Trim, TypeName, UBound, UCase, Unescape, VarType, Weekday, WeekDayName, Year
Example:
vbs.MsgBox("Hello, world!", vbs.vbOKOnly | vbs.vbInformation, "JavaScript");