Archive for the ‘Exploits’ Category

This page hosts an unofficial list of applications that are said to be vulnerable to the dll hijacking flaw (or feature or whatever you want to call it). Note that I did not test these applications myself. If you have found other applications to be vulnerable and want to add them to the list, send me a mail. Please note that I will not list instances where you have to replace a dll in the application folders. I do not consider those examples to be valid cases of dll hijacking. (After all, if you have to replace a dll, you might as well replace the executable itself.) …

About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to teach the basics of exploit development from scratch (targeting people without any prior knowledge of the subject), you have most likely discovered that the more recent tutorials build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s …

Hi, Over the last 2 days my friends from Corelan Team and I participated in a Hacking Tournament, organized by Offensive Security. The primary goals of the tournament are: be the first one to grab "secret" information from a machine and post it to the Tournament Control Panel, and document your findings and submit them to offsec. A lot of people registered for the tournament, so in order to avoid massive overload and bandwidth issues, all participants were told a few days before the contest would start that they would have to pass a "n00b" filter, an "easy" phase1 challenge …

In the article I wrote on the abysssec.com website, I explained the steps and techniques needed to build a working exploit for Ken Ward’s zipper. One of the main difficulties I had to overcome when building the exploit was the character set limitation. I basically could only use a subset of the ascii characters (only the characters that are allowed in a filename) in my payload, because the other characters got converted to something else, and that may either break the exploit structure or change the behaviour of the payload inside the application. As a result, I simply tried to avoid using those "bad chars" altogether and found some ways to make it work, using chained jumps, custom ascii decoders and alpha2-encoded code. Lots of complexity, but nevertheless it works fine. Today, I will …

Over the last couple of weeks, ever since I published 2 articles on the Offensive Blog, I have received many requests from people asking me if they could get a copy of those articles in pdf format. My blog includes a pdf generator, but I obviously didn’t post the articles on my blog, and the Offensive Security blog does not allow visitors to grab a pdf version of the documents. So I decided to combine the 2 articles into one article and re-post them on my own blog, so you can export the article to pdf. Here we go. Part 1: A few weeks ago, one of my friends (mr_me) pointed me to an application that appeared to be acting somewhat “buggy” while processing “specifically” crafted zip files. After playing …

Hi all,

I just wanted to drop a few lines to let you know that, earlier today, my exploit write-up article about this vulnerability was published on www.abysssec.com.

You can find the article here: http://www.abysssec.com/blog/2010/03/ken-ward-zipper-stack-bof-0day-a-not-so-typical-seh-exploit/

Enjoy!

A few moments ago I published a detailed write-up, explaining the steps I took to build a 0day exploit for a zip file handling bug in QuickZip, on the Offensive Security blog. You can read the article here: http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/
