Tuesday, June 1, 2010
Thursday, June 11, 2009
David Kennedy “ReL1K” published
Bypassing Hardware based Data Execution Prevention on Windows 2003 Service Pack 2 PDF (497KB)
Good reading: you can learn from David's experience writing an exploit for Windows 2003 SP2. This is the kind of research you have to do to exploit even a simple buffer overflow on a modern operating system with protections such as hardware DEP. What he does by hand in this paper is often hard, or impossible, without an automated tool to search the thousands of loaded system modules for usable code.
Friday, April 17, 2009
The first stage of Project Shellcode aims to become the knowledge base for all shellcode related resources, including white papers, tutorials, tools, links, assembly code, and of course shellcode.
It is not clear whether the project is still active.
Posted by them at 8:42 AM
Friday, January 2, 2009
...We describe return-oriented programming, a generalization of return-into-libc that allows an attacker to undertake arbitrary, Turing-complete computation without injecting code. New computations are constructed by linking together code snippets that end with a “ret” instruction. The ret instructions allow an attacker who controls the stack to chain instruction sequences together. Because the executed code is stored in memory marked executable, W^X and DEP will not prevent it from running.
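What the search for such snippets looks like in practice, as an added example that is not from the paper or from this blog: a toy gadget finder in C that scans a byte image for a few common 32-bit x86 sequences ending in ret. The opcodes are the standard encodings; the sample bytes are constructed for the example (not taken from any real binary), and the three recognised patterns are the example's own choice. A real tool disassembles backwards from every ret and keeps any sequence that decodes cleanly, which is the "thousands of modules" work the David Kennedy post above refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One candidate gadget: where it starts in the scanned image and how long it is. */
typedef struct {
    size_t offset;
    size_t len;
    const char *desc;
} gadget_t;

#define OP_RET      0xC3   /* ret */
#define OP_XCHG_ESP 0x94   /* xchg eax, esp (a classic stack pivot) */

/* 0x58..0x5F encode pop eax/ecx/edx/ebx/esp/ebp/esi/edi */
static int is_pop_r32(uint8_t b) { return b >= 0x58 && b <= 0x5F; }

/* Scan a code image for short 32-bit x86 sequences that end in ret.
 * This toy knows three fixed patterns:
 *   pop r32 ; ret            (58..5F C3)
 *   pop r32 ; pop r32 ; ret  (58..5F 58..5F C3)
 *   xchg eax, esp ; ret      (94 C3)
 * Because x86 is variable length, a byte that decodes as ret may sit inside a
 * longer instruction; that suits an attacker fine, since the CPU will start
 * executing at whatever byte offset the chained return address names.
 * Returns the number of gadgets written to out (at most max). */
size_t find_gadgets(const uint8_t *code, size_t len, gadget_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n < max; i++) {
        if (code[i] != OP_RET)
            continue;
        if (i >= 2 && is_pop_r32(code[i - 2]) && is_pop_r32(code[i - 1]) && n < max)
            out[n++] = (gadget_t){ i - 2, 3, "pop r32; pop r32; ret" };
        if (i >= 1 && is_pop_r32(code[i - 1]) && n < max)
            out[n++] = (gadget_t){ i - 1, 2, "pop r32; ret" };
        if (i >= 1 && code[i - 1] == OP_XCHG_ESP && n < max)
            out[n++] = (gadget_t){ i - 1, 2, "xchg eax, esp; ret" };
    }
    return n;
}

/* Constructed sample "text section" for the demo (not from a real binary). */
static const uint8_t sample_text[] = {
    0x55,                   /*  0: push ebp                              */
    0x89, 0xE5,             /*  1: mov ebp, esp                          */
    0x5D,                   /*  3: pop ebp                               */
    0xC3,                   /*  4: ret         -> "pop ebp; ret" at 3    */
    0x90,                   /*  5: nop                                   */
    0x5E, 0x5F, 0xC3,       /*  6: pop esi; pop edi; ret -> gadgets 6, 7 */
    0x94, 0xC3,             /*  9: xchg eax, esp; ret    -> gadget 9     */
    0x31, 0xC0,             /* 11: xor eax, eax                          */
    0xC3,                   /* 13: ret (no recognised prefix before it)  */
};

/* Convenience wrapper so the sample scan can be called by name. */
size_t scan_sample(gadget_t *out, size_t max)
{
    return find_gadgets(sample_text, sizeof sample_text, out, max);
}

int main(void)
{
    gadget_t g[8];
    size_t n = scan_sample(g, 8);
    for (size_t i = 0; i < n; i++)
        printf("offset %2zu len %zu  %s\n", g[i].offset, g[i].len, g[i].desc);
    return 0;
}
```

Each reported offset is a return address an attacker would place on the stack; the chain is built by laying those addresses (and the values the pops consume) one after another.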
Sunday, November 2, 2008
Rafal Wojtczuk's paper about the exploitation of a Xen vulnerability:
The Evil Hacker escapes from DomU and gets into Dom0. Using a clever ret-into-libc technique he succeeds with his attack on the x86 architecture, despite the NX and ASLR deployed in the Dom0 OS (Fedora Core 8). The Evil Hacker is also not discouraged by the fact that the target OS has SELinux protection enabled: he demonstrates how the particular SELinux policy for Xen, used by default on FC8, can be bypassed. Ultimately he gets full root access in Dom0. Rafal also discusses a variation of the exploitation on the x86_64 architecture; he partially succeeds, but his x64 exploit doesn't work in certain circumstances.
Monday, September 15, 2008
Let's start out with some convenient types that allow bit twiddling once we've subverted the type system....
well, not exactly but interesting anyway.
Wednesday, May 14, 2008
Progress, far from consisting in change, depends on retentiveness. When change is absolute there remains no being to improve and no direction is set for possible improvement: and when experience is not retained, as among savages, infancy is perpetual. Those who cannot remember the past are condemned to repeat it. In the first stage of life the mind is frivolous and easily distracted, it misses progress by failing in consecutiveness and persistence. This is the condition of children and barbarians, in which instinct has learned nothing from experience.
George Santayana, The Life of Reason, Volume 1, 1905
Wednesday, April 16, 2008
0x01 Introduction TCLH
0x02 Phrack Prophile of The UNIX Terrorist TCLH
0x03 Phrack World News TCLH
0x04 Stealth Hooking: another way to subvert the Windows kernel mxatone
0x05 Clawing holes in NAT with UPnP felinemenace
0x06 The only laws on Internet are assembly and RFCs Julia
0x07 Hacking the System Management Mode BSDaemon, coideloko, d0nand0n
0x08 Mystifying the debugger for ultimate stealthness halfdead
0x09 Australian Restricted Defense Networks and FISSO The Finn
0x0a Phook - The PEB Hooker shearer & dreg
0x0b Hacking the $49 Wifi Finder openschemes
0x0c The art of exploitation: Samba WINS stack overflow max_packetz
0x0d The Underground Myth anonymous
0x0e Hacking your brain: Artificial Conciousness -C
0x0f International scenes various
Monday, April 14, 2008
Memory corruption vulnerabilities are becoming increasingly difficult to exploit, largely due to the protection mechanisms being integrated into most modern operating systems. As general protection mechanisms evolve, attackers are engaging in more specific, low-level application-targeted attacks. In order to refine general countermeasures (or at least raise awareness of their shortcomings), it is important to first understand how memory corruption vulnerabilities are exploited in some unique scenarios.
Application-Specific Attacks - Leveraging the ActionScript Virtual Machine by Mark Dowd PDF
Saturday, April 5, 2008
Basically, what it says is that gcc will assume that buf+len >= buf. As a result, code that performs length checks similar to the following:
    len = 1<<30;
    if(buf+len < buf) /* length check */
        [...perform some manipulation on len...]
is compiled away by these versions of gcc.
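The reason is that forming buf+len past the end of the object is undefined behaviour in C, so the compiler may treat the comparison as always false. An added example (not from the advisory or this post) shows the fragile pattern next to a check that stays in the unsigned integer domain and compares the request against the space actually left; the buffer size, the append helper and the input string are this example's own choices.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The pattern the advisory describes. buf + len is only defined when the
 * result points into the same object (or one past its end), so gcc may assume
 * buf + len >= buf and delete the test. Kept here only for contrast; nothing
 * below relies on it. */
static int has_room_ptr_overflow(const char *buf, size_t len)
{
    if (buf + len < buf)     /* "length check" that may be compiled away */
        return 0;
    return 1;
}

/* Correct form: compare the requested length against the remaining space.
 * capacity - used cannot wrap because used > capacity is rejected first, and
 * no out-of-bounds pointer is ever formed. */
int has_room(size_t capacity, size_t used, size_t len)
{
    if (used > capacity)          /* corrupted bookkeeping: refuse */
        return 0;
    return len <= capacity - used;
}

/* Append len bytes from src into a fixed-size buffer, refusing anything that
 * does not fit. Returns 1 on success, 0 when the append was rejected. */
int append_checked(char *buf, size_t capacity, size_t *used,
                   const void *src, size_t len)
{
    if (!has_room(capacity, *used, len))
        return 0;
    memcpy(buf + *used, src, len);
    *used += len;
    return 1;
}

int main(void)
{
    char buf[16];
    size_t used = 0;
    const char *hdr = "GET /";            /* constructed input */
    size_t oversized = (size_t)1 << 30;   /* the len from the advisory */

    printf("pointer-overflow check: %d (compiler dependent)\n",
           has_room_ptr_overflow(buf, oversized));
    printf("append 5 bytes: %d\n", append_checked(buf, sizeof buf, &used, hdr, 5));
    printf("append 1<<30 bytes: %d\n",
           append_checked(buf, sizeof buf, &used, hdr, oversized));
    printf("used = %zu\n", used);
    return 0;
}
```

The first printf may print 1 with or without optimisation, which is exactly the point: the result of the pointer-overflow test is not something a length check can be built on.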
Tuesday, January 1, 2008
Advances in format string exploitation
Gerardo Richarte, Ricardo Quesada
Howto remotely and automatically exploit a format bug
Format String Attack on alpha system
Seunghyun Seo (truefinder)
Format String Technique
Analysis of Format String Bugs
Detecting Format String Vulnerabilities with Type Qualifiers
Large-Scale Analysis of Format String Vulnerabilities in Debian Linux
What are format bugs ?
Christophe BLAESS, Christophe GRENIER, Frédéric RAYNAL
More info on format bugs
Format String Attacks
Format Bugs: What are they, Where did they come from,...How to exploit them
Paper on format bugs
Exploiting the Libc Locale Subsystem Format String Vulnerability on Solaris/SPARC
100 Most Influential Books Ever Written
See: scut/teso-team Format String paper
Friday, December 28, 2007
New Microsoft technical blog about security vulnerabilities
We are excited to have this outlet to share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities. You can read much more about the goals of the blog and about the SWI teams contributing to the blog in our “About” link: http://blogs.technet.com/swi/about.aspx
Thursday, December 20, 2007
by Matt Conover 2007
To learn to exploit real heap memory corruption vulnerabilities on Windows, one of the things you have to do is read every one of Matt Conover's publications. The following are two posts on the Symantec Security Response Blog about double free() bugs. More articles and publications by him will be posted later on this blog.
In light of the recent CSRSS double free bug, I wanted to provide some information on the exploitation of double frees on Windows XP SP2 and later. Prior to XP SP2, double frees were trivial to exploit, but now the security cookie (in each heap chunk) and safe unlinking checks make them more difficult to exploit. So this blog entry will discuss exploitability on XP SP2 and later heap implementations.
Double Free Vulnerabilities Part 1
Double Free Vulnerabilities Part 2
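To make the two checks Matt names concrete, here is an added toy example, not Matt's code and not the Windows heap layout: a doubly linked free list whose unlink routine first validates a per-chunk header cookie and then checks that the neighbours really point back at the chunk (safe unlinking). The chunk structure, the cookie derivation and the heap key are invented for the illustration; in a real heap the cookie is keyed per heap and the header layout differs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy free-list chunk. Models only the two defences the post names. */
typedef struct chunk {
    struct chunk *flink;    /* forward link to the next free chunk */
    struct chunk *blink;    /* backward link to the previous free chunk */
    uint8_t cookie;         /* must equal cookie_for() whenever the chunk is handled */
    uint8_t pad[7];
} chunk_t;

typedef struct {
    chunk_t head;           /* sentinel: empty list has head.flink == head.blink == &head */
    uint8_t key;            /* per-heap secret the cookie is derived from (hypothetical) */
} freelist_t;

/* Hypothetical cookie: mixes the chunk address with the heap key. */
static uint8_t cookie_for(const freelist_t *h, const chunk_t *c)
{
    return (uint8_t)((((uintptr_t)c >> 3) & 0xFF) ^ h->key);
}

void freelist_init(freelist_t *h, uint8_t key)
{
    h->head.flink = h->head.blink = &h->head;
    h->head.cookie = 0;
    h->key = key;
}

/* Insert at the head of the list and stamp the header cookie. */
void freelist_insert(freelist_t *h, chunk_t *c)
{
    c->cookie = cookie_for(h, c);
    c->flink = h->head.flink;
    c->blink = &h->head;
    h->head.flink->blink = c;
    h->head.flink = c;
}

/* Unlink c. Returns 0 and writes nothing if the header fails either check.
 * Without these checks the two pointer writes below are what a heap exploit
 * abuses: an attacker-chosen flink/blink pair turns unlinking into a write of
 * an attacker-controlled pointer to an attacker-chosen address. */
int freelist_safe_unlink(freelist_t *h, chunk_t *c)
{
    if (c->cookie != cookie_for(h, c))                  /* header cookie check */
        return 0;
    if (c->flink->blink != c || c->blink->flink != c)   /* safe unlinking */
        return 0;
    c->flink->blink = c->blink;
    c->blink->flink = c->flink;
    c->flink = c->blink = NULL;
    return 1;
}

/* Number of chunks on the list (only walks a consistent list). */
size_t freelist_len(const freelist_t *h)
{
    size_t n = 0;
    for (const chunk_t *c = h->head.flink; c != &h->head; c = c->flink)
        n++;
    return n;
}

int main(void)
{
    freelist_t h;
    chunk_t a, b, fake;
    memset(&fake, 0, sizeof fake);

    freelist_init(&h, 0x5A);
    freelist_insert(&h, &a);
    freelist_insert(&h, &b);
    printf("free chunks: %zu\n", freelist_len(&h));

    /* Attacker overwrites a's forward link, e.g. through an overflow into the
     * header or by reusing a stale pointer after a double free. */
    a.flink = &fake;
    printf("unlink with corrupted flink: %d\n", freelist_safe_unlink(&h, &a));

    a.flink = &h.head;                      /* restore the real neighbour */
    a.cookie ^= 0xFF;                       /* now corrupt the cookie instead */
    printf("unlink with bad cookie: %d\n", freelist_safe_unlink(&h, &a));

    a.cookie = cookie_for(&h, &a);
    printf("clean unlink: %d, remaining: %zu\n",
           freelist_safe_unlink(&h, &a), freelist_len(&h));
    return 0;
}
```

The order of the checks matters: the cookie is verified before any pointer in the header is dereferenced, so a header the attacker has overwritten wholesale is rejected without touching the attacker's pointers at all.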
Tuesday, December 18, 2007
Craig J. Heffner's article about the problems he ran into while reading and following the examples in Smashing The Stack For Fun And Profit on a modern Linux system.
"...the GNU C Compiler (gcc) has evolved since 1998, and as a result, many people are left wondering why they can't get the examples to work for them, or if they do get the code to work, why they had to make the changes that they did. Having these same problems myself, and being unable to find an updated version of Aleph One's document on the web, I set out to identify the source of these variations on my own. ..."
Smashing The Modern Stack For Fun And Profit
Sunday, December 16, 2007
Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling, to speed up and reduce memory use of your programs.
The Valgrind distribution currently includes four tools: a memory error detector, a cache (time) profiler, a call-graph profiler, and a heap (space) profiler. It runs on the following platforms: X86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux.
The main excitement in 3.3.0 is new and improved tools. Helgrind works again, Massif has been completely overhauled and much improved, Cachegrind now does branch-misprediction profiling, and a new category of experimental tools has been created, containing two new tools: Omega and DRD. There are many other smaller improvements. [...]