Tuesday, June 1, 2010

Memory Corruption and Hacker Folklore

Nice work by Thinkst Applied Research: they are building an interactive timeline of the history of memory corruption vulnerabilities and exploit techniques. You can submit events using this form.

Thursday, June 11, 2009

Bypassing DEP on Win2003 SP2

David Kennedy “ReL1K” published
Bypassing Hardware based Data Execution Prevention on Windows 2003 Service Pack 2 PDF (497KB)

Good: you can learn from David's experience writing an exploit for Windows 2003 SP2. This is the kind of research you have to do to exploit even a simple buffer overflow on a modern operating system with protections. What he does by hand in this article is sometimes hard or impossible without an automated tool to analyze thousands of different system modules.

Friday, April 17, 2009

Project Shellcode

The first stage of Project Shellcode aims to become the knowledge base for all shellcode related resources, including white papers, tutorials, tools, links, assembly code, and of course shellcode.

It is not clear whether the project is still active.

Friday, January 2, 2009

Return-Oriented Programming: Exploits Without Code Injection

...We describe return-oriented programming, a generalization of return-into-libc that allows an attacker to undertake arbitrary, Turing-complete computation without injecting code. New computations are constructed by linking together code snippets that end with a “ret” instruction. The ret instructions allow an attacker who controls the stack to chain instruction sequences together. Because the executed code is stored in memory marked executable, W^X and DEP will not prevent it from running.
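
The two mechanical steps behind that abstract are finding gadgets (short sequences ending in ret, at any byte offset, even inside another instruction) and laying them out on a stack the attacker controls so that each ret pops the next gadget address. The following C is an added illustration, not code from the paper: the byte array is a constructed x86-64 fragment, the 0x400000 base and 0x401000 target addresses are made up, and the scanner only recognizes the one-byte "pop r64; ret" pairs rather than running a real disassembler.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-64 code bytes (not from any real binary): a prologue,
 * a mov with an immediate, an epilogue, and a "pop r14; ret". */
static const uint8_t text[] = {
    0x55,                           /* push rbp                           */
    0x48, 0x89, 0xe5,               /* mov  rbp, rsp                      */
    0xb8, 0x5f, 0xc3, 0x00, 0x00,   /* mov  eax, 0xc35f (hides "5f c3")   */
    0x5d,                           /* pop  rbp                           */
    0xc3,                           /* ret                                */
    0x41, 0x5e,                     /* pop  r14 (REX.B + 5e)              */
    0xc3,                           /* ret                                */
    0x90, 0x90                      /* nop; nop                           */
};

#define RET 0xc3

/* Register name for a one-byte "pop r64" opcode 0x58..0x5f (no REX prefix). */
const char *pop_reg_name(uint8_t op)
{
    static const char *names[8] = {"rax", "rcx", "rdx", "rbx",
                                   "rsp", "rbp", "rsi", "rdi"};
    return (op >= 0x58 && op <= 0x5f) ? names[op - 0x58] : NULL;
}

/* Scan every byte offset for the two-byte sequence "pop reg; ret".
 * x86 decoding can start at any byte, so a gadget may live inside another
 * instruction's immediate (offset 5 above) or drop a REX prefix (offset 12:
 * entered there, "41 5e c3" reads as "pop rsi; ret").
 * Returns the number of gadgets found; their offsets go to out[]. */
size_t find_pop_ret(const uint8_t *code, size_t len, size_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (code[i + 1] == RET && pop_reg_name(code[i]) != NULL) {
            if (n < max_out) out[n] = i;
            n++;
        }
    }
    return n;
}

/* Lay out the attacker-controlled stack for target(rdi, rsi):
 *   [pop rdi; ret] [arg0] [pop rsi; ret] [arg1] [target]
 * Each ret pops the next slot into rip; that is what chains the gadgets.
 * Returns the number of 8-byte slots written (0 if the buffer is too small). */
size_t build_chain(uint64_t base, size_t pop_rdi_off, size_t pop_rsi_off,
                   uint64_t arg0, uint64_t arg1, uint64_t target,
                   uint64_t *stack, size_t max_slots)
{
    if (max_slots < 5) return 0;
    stack[0] = base + pop_rdi_off;
    stack[1] = arg0;
    stack[2] = base + pop_rsi_off;
    stack[3] = arg1;
    stack[4] = target;
    return 5;
}

int main(void)
{
    size_t offs[8];
    size_t n = find_pop_ret(text, sizeof text, offs, 8);
    for (size_t i = 0; i < n; i++)
        printf("gadget at +%zu: pop %s; ret\n", offs[i], pop_reg_name(text[offs[i]]));

    /* Assumed load address and call target, for illustration only. */
    uint64_t chain[5];
    size_t slots = build_chain(0x400000, offs[0], offs[2], 1, 2, 0x401000, chain, 5);
    for (size_t i = 0; i < slots; i++)
        printf("stack[%zu] = 0x%llx\n", i, (unsigned long long)chain[i]);
    return 0;
}
```

On these bytes the scanner reports three gadgets, at offsets 5, 9 and 12; only the one at 9 is an instruction the compiler actually emitted, which is the point the paper makes about gadget availability in ordinary code.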


Sunday, November 2, 2008

Adventures with a certain Xen vulnerability - Rafal Wojtczuk

Rafal Wojtczuk's paper about the exploitation of a Xen vulnerability:

The Evil Hacker escapes from DomU and gets into Dom0. Using clever
ret-into-libc technique he succeeds with his attack on x86 architecture,
despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8). The Evil
Hacker is also not discouraged by the fact that the target
OS has SELinux protection enabled - he demonstrates how the particular
SELinux policy for Xen, used by default on FC8, can be bypassed.
Ultimately he gets full root access in Dom0. Rafal also discusses
variation of the exploitation on x86_64 architecture - he partially
succeeds, but his x64 exploit doesn't work in certain circumstances.


Monday, September 15, 2008

writing a .NET Security Exploit PoC...mmm?

Let's start out with some convenient types that allow bit twiddeling once we've subverted the type system....

Well, not exactly, but interesting anyway.

Wednesday, May 14, 2008

Misplaced Trust: Kerberos 4 Session Keys (1997)

Again, a ten-year-old paper on badcoded. Ignore the past, repeat mistakes.

Misplaced Trust: Kerberos 4 Session Keys (1997)

Progress, far from consisting in change, depends on retentiveness. When change is absolute there remains no being to improve and no direction is set for possible improvement: and when experience is not retained, as among savages, infancy is perpetual. Those who cannot remember the past are condemned to repeat it. In the first stage of life the mind is frivolous and easily distracted, it misses progress by failing in consecutiveness and persistence. This is the condition of children and barbarians, in which instinct has learned nothing from experience.

George Santayana, The Life of Reason, Volume 1, 1905

Wednesday, April 16, 2008


April 2008
by The Circle of Lost Hackers

0x01 Introduction by TCLH
0x02 Phrack Prophile of The UNIX Terrorist by TCLH
0x03 Phrack World News by TCLH
0x04 Stealth Hooking: another way to subvert the Windows kernel by mxatone
0x05 Clawing holes in NAT with UPnP by felinemenace
0x06 The only laws on Internet are assembly and RFCs by Julia
0x07 Hacking the System Management Mode by BSDaemon, coideloko, d0nand0n
0x08 Mystifying the debugger for ultimate stealthness by halfdead
0x09 Australian Restricted Defense Networks and FISSO by The Finn
0x0a Phook - The PEB Hooker by shearer & dreg
0x0b Hacking the $49 Wifi Finder by openschemes
0x0c The art of exploitation: Samba WINS stack overflow by max_packetz
0x0d The Underground Myth by anonymous
0x0e Hacking your brain: Artificial Conciousness by -C
0x0f International scenes by various

Monday, April 14, 2008

Application-Specific Attacks - Leveraging the ActionScript Virtual Machine

Memory corruption vulnerabilities are becoming increasingly difficult to exploit, largely due to the protection mechanisms being integrated into most modern operating systems. As general protection mechanisms evolve, attackers are engaging in more specific, low-level application-targeted attacks. In order to refine general countermeasures (or at least raise awareness of their shortcomings), it is important to first understand how memory corruption vulnerabilities are exploited in some unique scenarios.


Application-Specific Attacks - Leveraging the ActionScript Virtual Machine by Mark Dowd PDF

Saturday, April 5, 2008

gcc silently discards some wraparound checks...buf+len < buf?

David LeBlanc's Web Log
Vulnerability Note VU#162289

Basically, what it says is that given code like this:

char *buf;
int len;

gcc will assume that buf+len >= buf, because forming a pointer outside the object buf points into is undefined behaviour in C, and the optimizer is allowed to assume that never happens.

As a result, a length check like the following:

len = 1<<30;
if(buf+len < buf) /* length check */
[...perform some manipulation on len...]

is compiled away by the affected versions of gcc: the comparison folds to false and the branch disappears, so the program behaves as if the check had never been written.
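
The fix is not a different compiler flag but a different check: compare lengths, not pointers, and do it in size_t against the space that is actually left. The following C is an added example (not from the vulnerability note or David LeBlanc's post); the function names room_left and bounded_append are mine, and room_left_broken reproduces the condemned pattern for comparison only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The pattern from VU#162289. Forming buf + len past the end of the object
 * is undefined behaviour, so the compiler may treat "buf + len < buf" as
 * always false and delete the branch. On a 64-bit target the test is
 * useless even unoptimized: an int len cannot wrap a 64-bit pointer. */
int room_left_broken(const char *buf, int len)
{
    if (buf + len < buf)            /* may be compiled away */
        return 0;
    return 1;
}

/* Hardened form: never form the out-of-range pointer. Work in size_t and
 * compare the requested length with what remains in the buffer. */
int room_left(size_t bufsize, size_t used, size_t len)
{
    if (used > bufsize)             /* caller is already past the end */
        return 0;
    return len <= bufsize - used;   /* cannot underflow: used <= bufsize */
}

/* Append len bytes of src at offset *used in dst.
 * Returns 0 on success, -1 if the write would not fit. */
int bounded_append(char *dst, size_t dstsize, size_t *used,
                   const char *src, size_t len)
{
    if (!room_left(dstsize, *used, len))
        return -1;
    memcpy(dst + *used, src, len);
    *used += len;
    return 0;
}
```

Note that room_left rejects a huge len (such as an attacker-controlled SIZE_MAX) without ever computing used + len, so there is no integer wraparound to check for either.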

Tuesday, January 1, 2008

User Supplied Format String Vulnerability - everything ever written

Format String Vulnerabilities in Perl Programs
Steve Christey

Advances in format string exploitation

Gerardo Richarte, Ricardo Quesada

Howto remotely and automatically exploit a format bug
Frédéric Raynal

Exploiting Format Strings Vulnerabilities
scut team-teso

Format String Attack on alpha system
Seunghyun Seo (truefinder)

Format String Technique

Analysis of Format String Bugs
Andreas Thuemmel

Detecting Format String Vulnerabilities with Type Qualifiers
David Wagner

Large-Scale Analysis of Format String Vulnerabilities in Debian Linux
David Wagner

What are format bugs ?

Christophe BLAESS, Christophe GRENIER, Frédéric RAYNAL

More info on format bugs
Pascal Bouchareine

Format String Attacks
Tim Newsham

Format Bugs: What are they, Where did they come from,...How to exploit them

Paper on format bugs

Exploiting the Libc Locale Subsystem Format String Vulnerability on Solaris/SPARC

Solar Eclipse

100 Most Influential Books Ever Written

See: scut/teso-team Format String paper
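
All of the papers above start from the same one-line mistake, so here it is next to its fix, plus a small directive scanner of the kind you can put in front of anything that is about to reach a printf-family function. This is an added example, not code from any of the listed papers; log_vuln, log_fixed and scan_format are names I chose. The vulnerable variant is only called with a payload that consumes no arguments, so the demonstration itself stays well-defined.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable: user data is the format string. "%x" reads stack slots that
 * were never passed, "%s" dereferences them, "%n" writes through them. */
void log_vuln(char *out, size_t outsz, const char *user)
{
    snprintf(out, outsz, user);         /* gcc -Wformat-security flags this */
}

/* Fixed: the format is a literal and the user data is an argument. */
void log_fixed(char *out, size_t outsz, const char *user)
{
    snprintf(out, outsz, "%s", user);
}

/* Count the conversion directives in s and report whether any is %n.
 * "%%" is a literal percent sign, not a directive. Flags, width, precision,
 * length modifiers and positional "$" arguments are skipped so that
 * "%08lx" and "%5$s" each count as one directive. */
int scan_format(const char *s, int *has_n)
{
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                   /* "%%" */
            continue;
        if (*p == '\0')
            break;
        while (*p && strchr("-+ #0123456789.*hlLqjzt$", *p))
            p++;
        if (*p == '\0')
            break;
        count++;
        if (*p == 'n')
            *has_n = 1;
    }
    return count;
}
```

With the input "100%%" the vulnerable version produces "100%" (the directive was interpreted) while the fixed one produces "100%%" (the bytes were copied); with "%x %x %n" the scanner reports three directives and flags the %n, which is the case that turns an information leak into a write.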

Friday, December 28, 2007

New Microsoft Security Vulnerability Research and Defense blog

New Microsoft technical blog about security vulnerabilities RSS

We are excited to have this outlet to share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities. You can read much more about the goals of the blog and about the SWI teams contributing to the blog in our “About” link: http://blogs.technet.com/swi/about.aspx

Thursday, December 20, 2007

Double Free Vulnerabilities on Windows

by Matt Conover, 2007

To learn to exploit real heap memory corruption vulnerabilities on Windows, one of the things you have to do is read every one of Matt Conover's publications. Below are two posts from the Symantec Security Response Blog about double free() bugs. More of his articles and publications will be posted later on this blog.

In light of the recent CSRSS double free bug, I wanted to provide some information on the exploitation of double frees on Windows on XP SP2 and later. Prior to XP SP2, double frees were trivial to exploit, but now the security cookie (in each heap chunk) and safe unlinking checks make it more difficult to exploit. So this blog entry will discuss the exploitability on XP SP2 and later heap implementations.

Double Free Vulnerabilities Part 1

Double Free Vulnerabilities Part 2
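
To see why the two checks Conover names change the picture, here is a deliberately simplified free-list model in C. It is an added illustration and not the Windows heap's real chunk layout or code: the cookie is a single byte, the list is a plain doubly linked list, and the "double free" is modelled as the chunk's link fields being overwritten between two unlinks. The unsafe unlink is the pre-SP2 behaviour the post refers to; the safe one adds the cookie comparison and the "do my neighbours point back at me" test.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified free-list chunk (not the real Windows heap layout). */
typedef struct chunk {
    uint8_t cookie;               /* per-chunk security cookie */
    struct chunk *flink, *blink;  /* doubly linked free list   */
} chunk_t;

typedef struct {
    chunk_t head;                 /* list sentinel                      */
    uint8_t cookie;               /* value every freed chunk must carry */
} freelist_t;

void fl_init(freelist_t *fl, uint8_t cookie)
{
    fl->head.flink = fl->head.blink = &fl->head;
    fl->head.cookie = fl->cookie = cookie;
}

/* free(): stamp the cookie and link the chunk at the head of the list. */
void fl_free(freelist_t *fl, chunk_t *c)
{
    c->cookie = fl->cookie;
    c->flink = fl->head.flink;
    c->blink = &fl->head;
    fl->head.flink->blink = c;
    fl->head.flink = c;
}

/* Pre-SP2 style unlink: trusts flink/blink blindly. With attacker-chosen
 * pointers this is a write-what-where: *(flink + offsetof blink) = blink
 * and *(blink + offsetof flink) = flink. */
void fl_unlink_unsafe(chunk_t *c)
{
    c->flink->blink = c->blink;
    c->blink->flink = c->flink;
}

/* SP2+ style unlink: check the cookie, then check that both neighbours
 * point back at this chunk before touching memory through them.
 * Returns 0 on success, -1 on a bad cookie, -2 on a safe-unlinking failure. */
int fl_unlink_safe(freelist_t *fl, chunk_t *c)
{
    if (c->cookie != fl->cookie)
        return -1;
    if (c->flink->blink != c || c->blink->flink != c)
        return -2;
    c->flink->blink = c->blink;
    c->blink->flink = c->flink;
    return 0;
}

/* Chunk a is freed, its link fields are then overwritten with two victim
 * addresses (what a double free followed by a reuse would allow), and the
 * chunk is unlinked again. Returns 1 if both victims were overwritten. */
int demo_unsafe_unlink(void)
{
    freelist_t fl;
    chunk_t a, victim1, victim2;
    fl_init(&fl, 0xA5);
    fl_free(&fl, &a);
    victim1.blink = NULL;
    victim2.flink = NULL;
    a.flink = &victim1;           /* attacker's "where" #1 */
    a.blink = &victim2;           /* attacker's "where" #2 */
    fl_unlink_unsafe(&a);         /* no complaint */
    return victim1.blink == &victim2 && victim2.flink == &victim1;
}

/* Same scenario against the checked unlink: a legitimate unlink succeeds,
 * the forged links are refused, and a wrong cookie is refused earlier. */
int demo_safe_unlink(void)
{
    freelist_t fl;
    chunk_t a, victim1, victim2;
    fl_init(&fl, 0xA5);
    fl_free(&fl, &a);
    int legit = fl_unlink_safe(&fl, &a);       /* 0  */
    fl_free(&fl, &a);
    victim1.blink = NULL;
    victim2.flink = NULL;
    a.flink = &victim1;
    a.blink = &victim2;
    int forged = fl_unlink_safe(&fl, &a);      /* -2 */
    a.cookie ^= 0xFF;
    int badcookie = fl_unlink_safe(&fl, &a);   /* -1 */
    return legit == 0 && forged == -2 && badcookie == -1;
}
```

The "neighbours point back" test is what defeats the classic forged-pointer unlink: the attacker would need both victim locations to already contain the chunk's own address, which a write-what-where primitive was supposed to provide in the first place. That is the hurdle Conover's two posts work around.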

Tuesday, December 18, 2007

Smashing The Modern Stack For Fun And Profit

Craig J. Heffner's article about the problems he ran into while reading and following the examples in Smashing The Stack For Fun And Profit on a modern Linux system.

"...the GNU C Compiler (gcc) has evolved since 1998, and as a result, many people are left wondering why they can't get the examples to work for them, or if they do get the code to work, why they had to make the changes that they did. Having these same problems myself, and being unable to find an updated version of Aleph One's document on the web, I set out to identify the source of these variations on my own. ..."
Smashing The Modern Stack For Fun And Profit

Sunday, December 16, 2007

Valgrind 3.3.0 released

Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling, to speed up and reduce memory use of your programs.

The Valgrind distribution currently includes four tools: a memory error detector, a cache (time) profiler, a call-graph profiler, and a heap (space) profiler. It runs on the following platforms: X86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux.

The main excitement in 3.3.0 is new and improved tools. Helgrind
works again, Massif has been completely overhauled and much improved,
Cachegrind now does branch-misprediction profiling, and a new category
of experimental tools has been created, containing two new tools:
Omega and DRD. There are many other smaller improvements. [...]