Sunday, November 2, 2008

Adventures with a certain Xen vulnerability - Rafal Wojtczuk

Rafal Wojtczuk's paper about the exploitation of a Xen vulnerability


The Evil Hacker escapes from DomU and gets into Dom0. Using clever
ret-into-libc technique he succeeds with his attack on x86 architecture,
despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8). The Evil
Hacker is also not discouraged by the fact that the target
OS has SELinux protection enabled - he demonstrates how the particular
SELinux policy for Xen, used by default on FC8, can be bypassed.
Ultimately he gets full root access in Dom0. Rafal also discusses a
variation of the exploitation on the x86_64 architecture - he partially
succeeds, but his x64 exploit doesn't work in certain circumstances.
...


PDF

Monday, September 15, 2008

writing a .NET Security Exploit PoC...mmm?

Let's start out with some convenient types that allow bit twiddling once we've subverted the type system....

well, not exactly but interesting anyway.

Wednesday, May 14, 2008

Misplaced Trust: Kerberos 4 Session Keys (1997)

Again, a 10-year-old paper on badcoded. Ignore the past, repeat its mistakes.

Misplaced Trust: Kerberos 4 Session Keys (1997)


Progress, far from consisting in change, depends on retentiveness. When change is absolute there remains no being to improve and no direction is set for possible improvement: and when experience is not retained, as among savages, infancy is perpetual. Those who cannot remember the past are condemned to repeat it. In the first stage of life the mind is frivolous and easily distracted, it misses progress by failing in consecutiveness and persistence. This is the condition of children and barbarians, in which instinct has learned nothing from experience.

George Santayana, The Life of Reason, Volume 1, 1905

Wednesday, April 16, 2008

PHRACK #65


April 2008
by The Circle of Lost Hackers


0x01 Introduction TCLH
0x02 Phrack Prophile of The UNIX Terrorist TCLH
0x03 Phrack World News TCLH
0x04 Stealth Hooking: another way to subvert the Windows kernel mxatone & ivanlefou
0x05 Clawing holes in NAT with UPnP felinemenace
0x06 The only laws on Internet are assembly and RFCs Julia
0x07 Hacking the System Management Mode BSDaemon, coideloko, d0nand0n
0x08 Mystifying the debugger for ultimate stealthness halfdead
0x09 Australian Restricted Defense Networks and FISSO The Finn
0x0a Phook - The PEB Hooker shearer & dreg
0x0b Hacking the $49 Wifi Finder openschemes
0x0c The art of exploitation: Samba WINS stack overflow max_packetz
0x0d The Underground Myth anonymous
0x0e Hacking your brain: Artificial Conciousness -C
0x0f International scenes various

Monday, April 14, 2008

Application-Specific Attacks - Leveraging the ActionScript Virtual Machine

Memory corruption vulnerabilities are becoming increasingly difficult to exploit, largely due to the protection mechanisms being integrated into most modern operating systems. As general protection mechanisms evolve, attackers are engaging in more specific, low-level application-targeted attacks. In order to refine general countermeasures (or at least raise awareness of their shortcomings), it is important to first understand how memory corruption vulnerabilities are exploited in some unique scenarios.

[...]

Application-Specific Attacks - Leveraging the ActionScript Virtual Machine by Mark Dowd PDF

Saturday, April 5, 2008

gcc silently discards some wraparound checks...buf+len < buf?

David LeBlanc's Web Log
Vulnerability Note VU#162289

Basically, what it says is that code which looks like this:


char *buf;
int len;

gcc will assume that buf+len >= buf.

As a result, length checks like the following one:

len = 1<<30;
[...]
if(buf+len < buf) /* length check */
[...perform some manipulation on len...]

are compiled away by these versions of gcc.
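The following is an added example (not from the advisory or David LeBlanc's post) that puts the check gcc is entitled to discard next to an equivalent bounds check that never forms an out-of-object pointer; the function names and the buffer sizes are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Form from the page: forming a pointer beyond the object is undefined
 * behaviour, so the compiler may assume buf + len >= buf and delete the
 * comparison outright. Kept only to show what gets optimised away. */
static int wrap_check_unsafe(const char *buf, int len)
{
    return buf + len < buf;         /* may be optimised to a constant 0 */
}

/* Hardened form: validate the offset and length as unsigned integers
 * against the known buffer size. No pointer is ever formed outside
 * [buf, buf + bufsize], and the subtraction is guarded so it cannot wrap. */
static int range_ok(size_t bufsize, size_t off, size_t len)
{
    if (off > bufsize)
        return 0;                   /* offset already past the end */
    return len <= bufsize - off;    /* safe: off <= bufsize here */
}

/* Same idea when the length arrives as a signed int, as in the snippet
 * above: reject negatives first, then reuse the unsigned check. */
static int range_ok_int(size_t bufsize, size_t off, int len)
{
    if (len < 0)
        return 0;                   /* a negative length is never valid */
    return range_ok(bufsize, off, (size_t)len);
}
```

A check written as `off + len <= bufsize` would still be wrong, because the addition itself can wrap; comparing `len` against the remaining space is what avoids both the pointer and the integer overflow.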

Tuesday, January 1, 2008

User Supplied Format String Vulnerability - everything ever written


2005
Format String Vulnerabilities in Perl Programs
Steve Christey
2002

Advances in format string exploitation

Gerardo Richarte, Ricardo Quesada

Howto remotely and automatically exploit a format bug
Frédéric Raynal


2001
Exploiting Format Strings Vulnerabilities
scut team-teso
v1.1
v1.2

Format String Attack on alpha system
Seunghyun Seo (truefinder)

Format String Technique
sloth@nopninjas.com

Analysis of Format String Bugs
Andreas Thuemmel


Detecting Format String Vulnerabilities with Type Qualifiers
David Wagner

Large-Scale Analysis of Format String Vulnerabilities in Debian Linux
David Wagner

What are format bugs?

Christophe Blaess, Christophe Grenier, Frédéric Raynal
French
2000

More info on format bugs
Pascal Bouchareine
Spanish

Format String Attacks
Tim Newsham
TXT

Format Bugs: What are they, Where did they come from,...How to exploit them
Lamagra
Spanish

Paper on format bugs
venomous


Exploiting the Libc Locale Subsystem Format String Vulnerability on Solaris/SPARC

Solar Eclipse


See: scut/teso-team Format String paper