Archive for the ‘Exploit Writing Tutorials’ Category
Exploit notes – win32 eggs-to-omelet
In article 8 of my exploit writing series, I introduced the concept of egg hunters and explained what an omelet hunter is and how it works. Today, I want to share my own eggs-to-omelet implementation, explain how it works, and show how you can use it in a standalone exploit or in a Metasploit module. In case you missed article 8, I’ll start with a short recap of the basic concepts behind egg hunters and omelets. At the same time, I should mention that you will probably have to read article 8 first before this post makes sense. This post is not a full blown tutorial, …
Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube
About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to teach the basics of exploit development from scratch (targeting people without any prior knowledge of the subject), you have most likely noticed that the more recent tutorials build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s …
Exploiting Ken Ward Zipper : Taking advantage of payload conversion
In the article I wrote on the abysssec.com website, I explained the steps and techniques needed to build a working exploit for Ken Ward’s Zipper. One of the main difficulties I had to overcome when building the exploit was the character set limitation. I could basically only use a subset of the ASCII characters (only the characters that are allowed in a filename) in my payload, because the other characters got converted to something else, which may either break the exploit structure or change the behaviour of the payload inside the application. As a result, I simply tried to avoid using those "bad chars" altogether and found some ways to make it work, using chained jumps, custom ASCII decoders and alpha2-encoded code. Lots of complexity, but nevertheless it works fine. Today, I will …
QuickZip Stack BOF 0day: a box of chocolates
Over the last couple of weeks, ever since I published 2 articles on the Offensive Security blog, I have received many requests from people asking me if they could get a copy of those articles in pdf format. My blog includes a pdf generator, but I obviously didn’t post the articles on my blog, and the Offensive Security blog does not allow visitors to grab a pdf version of the documents. So I decided to combine the 2 articles into one article and re-post them on my own blog, so you can export the article to pdf. Here we go. Part 1: A few weeks ago, one of my friends (mr_me) pointed me to an application that appeared to be acting somewhat “buggy” while processing “specifically” crafted zip files. After playing …
Ken Ward Zipper exploit write-up on abysssec.com
Hi all,
I just wanted to drop a few lines to let you know that, earlier today, my exploit write-up article about this vulnerability was published on www.abysssec.com.
You can find the article here : http://www.abysssec.com/blog/2010/03/ken-ward-zipper-stack-bof-0day-a-not-so-typical-seh-exploit/
Enjoy !
QuickZip exploit article part 2 released on OffSec Blog
Hi all. I just wanted to drop a quick note that I have released part 2 of the QuickZip 0day vulnerability exploit on the Offensive Security Blog just a few moments ago. You can find the article here. Have fun & cheers !
corelanc0d3r featured on Offensive Security Blog
A few moments ago I published a detailed write-up, explaining the steps I took to build a 0day exploit for a zip file handling bug in QuickZip, on the Offensive Security blog. You can read the article here : http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/