Memory Corruption and Hacker Folklore

Nice work by haroon from Thinkst Applied Research, he is making an interactive timeline of the history of memory corruption vulnerabilities and exploit techniques. You can submit events using this form

Bypassing DEP on Win2003 SP2

David Kennedy “ReL1K” published
Bypassing Hardware based Data Execution Prevention on Windows 2003 Service Pack 2 PDF (497KB)

Good, you can learn from David experience writing an exploit for Windows 2003 SP2. This is the kind of research you have to do to exploit a simple buffer overflow in modern operating systems with protections. What he does manually in this article sometimes is harder or impossible without the help of some automated tool to analyze thousand of different system modules.

Project Shellcode

The first stage of Project Shellcode aims to become the knowledge base for all shellcode related resources, including white papers, tutorials, tools, links, assembly code, and of course shellcode.

http://projectshellcode.com/
Is not clear if the project is active or not.

Return-Oriented Programming: Exploits Without Code Injection

...We describe return-oriented programming, a generalization of return-into-libc that allows an attacker to undertake arbitrary, Turing-complete computation without injecting code.New computations are constructed by linking together code snippets that end with a “ret” instruction. The ret instructions allow an attacker who controls the stack to chain instruction sequences together. Because the executed code is stored in memory marked executable, W^X and DEP will not prevent it from running.
...

PDF

Adventures with a certain Xen vulnerability - Rafal Wojtczuk

  Rafal Wojtczuk paper about the exploitation of a XEN vulnerability 

The Evil Hacker escapes from DomU and gets into Dom0. Using clever
ret-into-libc technique he succeeds with his attack on x86 architecture,
despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8). The Evil
Hacker is also not discouraged by the fact that the target
OS has SELinux protection enabled - he demonstrates how the particular
SELinux policy for Xen, used by default on FC8, can be bypassed.
Ultimately he gets full root access in Dom0. Rafal also discusses
variation of the exploitation on x86_64 architecture - he partially
succeeds, but his x64 exploit doesn't work in certain circumstances.
...

PDF

writing a .NET Security Exploit PoC...mmm?

Let's start out with some convenient types that allow bit twiddeling once we've subverted the type system....

well, not exactly but interesting anyway.

Misplaced Trust: Kerberos 4 Session Keys (1997)

Again, a 10 years old paper in badcoded. Ignore the past, repeat mistakes.

Misplaced Trust: Kerberos 4 Session Keys (1997)

Progress, far from consisting in change, depends on retentiveness. When change is absolute there remains no being to improve and no direction is set for possible improvement: and when experience is not retained, as among savages, infancy is perpetual. Those who cannot remember the past are condemned to repeat it. In the first stage of life the mind is frivolous and easily distracted, it misses progress by failing in consecutiveness and persistence. This is the condition of children and barbarians, in which instinct has learned nothing from experience.

George Santayana, The Life of Reason, Volume 1, 1905

PHRACK #65

April 2008
by The Circle of Lost Hackers

0x01 Introduction                                                      TCLH
0x02 Phrack Prophile of The UNIX Terrorist                             TCLH
0x03 Phrack World News                                                 TCLH
0x04 Stealth Hooking: another way to subvert the Windows kernel     mxatone
                                                                  ivanlefou
0x05 Clawing holes in NAT with UPnP                            felinemenace
0x06 The only laws on Internet are assembly and RFCs                  Julia
0x07 Hacking the System Management Mode       BSDaemon, coideloko, d0nand0n
0x08 Mystifying the debugger for ultimate stealthness              halfdead
0x09 Australian Restricted Defense Networks and FISSO              The Finn
0x0a Phook - The PEB Hooker                                  shearer & dreg
0x0b Hacking the $49 Wifi Finder                                openschemes
0x0c The art of exploitation: Samba WINS stack overflow         max_packetz
0x0d The Underground Myth                                         anonymous
0x0e Hacking your brain: Artificial Conciousness                         -C
0x0f International scenes                                           various

Phrack #65

Download .tgz

Aplication-Specific Attacks - Leveraging the ActionScript Virtual Machine

Memory corruption vulnerabilities are becoming increasingly difficult to exploit, largely due to the protection mechanisms being integrated into most modern operating systems. As general protection mechanisms evolve, attackers are engaging in more specific, low-level application-targeted attacks. In order to refine general countermeasures (or at least raise awareness of their shortcomings), it is important to first understand how memory corruption vulnerabilities are exploited in some unique scenarios.

[...]

Aplication-Specific Attacks - Leveraging the ActionScript Virtual Machine by Mark Dowd PDF

gcc silently discards some wraparound checks...buf+len < buf?

David LeBlanc's Web Log
Vulnerability Note VU#162289

Basically, what it says is that code which looks like this:


char *buf;
int len;

gcc will assume that buf+len >= buf.

As a result, code that performs length checks similar to the following:

len = 1<<30;
[...]
if(buf+len < buf) /* length check */
[...perform some manipulation on len...]

are compiled away by these versions of gcc

User Supplied Format String Vulnerability - everything ever written

2005

Format String Vulnerabilities in Perl Programs
Steve Christey

2002

Advances in format string exploitation
Gerardo Richarte, Ricardo Quesada

Howto remotely and automatically exploit a format bug
Frédéric Raynal

2001

Exploiting Format Strings Vulnerabilities
scut team-teso
v1.1
v1.2

Format String Attack on alpha system
Seunghyun Seo (truefinder)

Format String Technique
sloth@nopninjas.com

Analysis of Format String Bugs
Andreas Thuemmel


Detecting Format String Vulnerabilities with Type Qualifiers
David Wagner

Large-Scale Analysis of Format String Vulnerabilities in Debian Linux
David Wagner

What are format bugs ?
Christophe BLAESS Christophe GRENIER Frédéreric RAYNAL
French

2000

More info on format bugs
Pascal Bouchareine
Español

Format String Attacks
Tim Newsham
TXT

Format Bugs: What are they, Where did they come from,...How to exploit them
Lamagra
Español

Paper sobre format bugs
venomous


Exploiting the Libc Locale Subsystem Format String Vulnerability on Solaris/SPARC
Solar Eclipse

100 Most Influential Books Ever Written


See: scut/teso-team Format String paper

New Microsoft Security Vulnerability Research and Defense blog

New Microsoft technical blog about security vulnerabilities RSS

We are excited to have this outlet to share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities. You can read much more about the goals of the blog and about the SWI teams contributing to the blog in our “About” link: http://blogs.technet.com/swi/about.aspx

Double Free Vulnerabilities on Windows

by Matt Conover 2007

To learn to exploit real heap memory corruption vulnerabilities on Windows one of the things you have to do is to read every Matt Conover's publication. The next are two posts in the Symantec Security Response Blog about double free() bugs. More articles and publications by him will be posted later in this blog.

In light of the recent CSRSS double free bug, I wanted to provide some information on the exploitation of double frees on Windows on XP SP2 and later. Prior to XP SP2, double frees were trivial to exploit, but now the security cookie (in each heap chunk) and safe unlinking checks make it more difficult to exploit. So this blog entry will discuss the exploitability on XP SP2 and later heap implements.

Double Free Vulnerabilities Part 1

Double Free Vulnerabilities Part 2

Smashing The Modern Stack For Fun And Profit

Craig J. Heffner article about the problems he found while reading and following the examples in Smashing The Stack For Fun And Profit using a modern Linux system.

"...the GNU C Compiler (gcc) has evolved since 1998, and as a result, many people are left wondering why they can't get the examples to work for them, or if they do get the code to work, why they had to make the changes that they did. Having these same problems myself, and being unable to find an updated version of Aleph One's document on the web, I set out to identify the source of these variations on my own. ..."
Smashing The Modern Stack For Fun And Profit

Valgrind 3.3.0 released

Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling, to speed up and reduce memory use of your programs.

The Valgrind distribution currently includes four tools: a memory error detector, a cache (time) profiler, a call-graph profiler, and a heap (space) profiler. It runs on the following platforms: X86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux.

The main excitement in 3.3.0 is new and improved tools. Helgrind
works again, Massif has been completely overhauled and much improved,
Cachegrind now does branch-misprediction profiling, and a new category
of experimental tools has been created, containing two new tools:
Omega and DRD. There are many other smaller improvements. [...]