Comments for Peter Van Eeckhoutte's Blog http://www.corelan.be:8800 :: [Knowledge is not an object, it´s a flow] :: Tue, 07 Sep 2010 09:47:57 +0200 hourly 1 http://wordpress.org/?v=abc Comment on Cheatsheet : Cracking WEP with Backtrack 4 and aircrack-ng by oasis6 PWNED « eXPeri3nc3′s Corner http://www.corelan.be:8800/index.php/2009/02/20/cheatsheet-cracking-wep-with-backtrack-4-and-aircrack-ng/comment-page-1/#comment-339 oasis6 PWNED « eXPeri3nc3′s Corner Tue, 07 Sep 2010 09:47:57 +0000 http://www.corelan.be:8800/index.php/2009/02/20/cheatsheet-cracking-wep-with-backtrack-4-and-aircrack-ng/#comment-339 [...] the IVs flowing like water. This time managed to do it without any clients, and partly referred to Corelan.be, very [...] [...] the IVs flowing like water. This time managed to do it without any clients, and partly referred to Corelan.be, very [...]

]]> Comment on Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development by [0x0027]Exploit writing tutorial part 9 : Introduction to Win32 shellcoding « Eohnik.c http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/comment-page-1/#comment-337 [0x0027]Exploit writing tutorial part 9 : Introduction to Win32 shellcoding « Eohnik.c Sun, 05 Sep 2010 12:28:52 +0000 http://www.corelan.be:8800/?p=2229#comment-337 [...] windbg : byakugan (see exploit writing tutorial part 5) [...] [...] windbg : byakugan (see exploit writing tutorial part 5) [...]

]]> Comment on Exploit writing tutorial part 1 : Stack Based Overflows by Peter Van Eeckhoutte http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/comment-page-1/#comment-336 Peter Van Eeckhoutte Fri, 03 Sep 2010 09:30:18 +0000 http://www.corelan.be:8800/index.php/2009/07/19/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-1/#comment-336 Absolutely correct ! j = look for "jmp" (could be jmp, call, or push + ret) -r = register to look for -n = no null bytes -o = no OS dll's (aslr, but also... just OS dll's -> transportability issue) thanks for the donation - much appreciated and very welcome sir ! Absolutely correct !

j = look for “jmp” (could be jmp, call, or push + ret)
-r = register to look for
-n = no null bytes
-o = no OS dll’s (aslr, but also… just OS dll’s -> transportability issue)

thanks for the donation – much appreciated and very welcome sir !

]]> Comment on Exploit writing tutorial part 1 : Stack Based Overflows by 5M7X http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/comment-page-1/#comment-335 5M7X Fri, 03 Sep 2010 09:18:25 +0000 http://www.corelan.be:8800/index.php/2009/07/19/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-1/#comment-335 THX a lot for your advice peter (hey it even made me donate ;D) !pvefindaddr j -r esp -n -o -o because we dont want windows-dll's in case e.g. ASLR is used on em (vista and so on) right? Found this one which should do the same to me as "jmp esp": Found push esp - ret at 0x1001B058 [msrmfilter03.dll] ** {PAGE_EXECUTE_READ} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\Programme\Easy RM to MP3 Converter\MSRMfilter03.dll That "Fixup:NO" Means that the dll wants to get loaded at its prefered dll-base-address or it will fail the application to load if it cannot load there since it has no "fixup"-rebase-alternative-addresses, is that correct? So thats the reason why it should be reliable because that dll does not like to be put anywhere else? THX a lot for your advice peter (hey it even made me donate ;D)

!pvefindaddr j -r esp -n -o

-o because we dont want windows-dll’s in case e.g. ASLR is used on em (vista and so on) right?

Found this one which should do the same to me as “jmp esp”:

Found push esp – ret at 0x1001B058 [msrmfilter03.dll] ** {PAGE_EXECUTE_READ} [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] – C:\Programme\Easy RM to MP3 Converter\MSRMfilter03.dll

That “Fixup:NO” Means that the dll wants to get loaded at its prefered dll-base-address or it will fail the application to load if it cannot load there since it has no “fixup”-rebase-alternative-addresses, is that correct? So thats the reason why it should be reliable because that dll does not like to be put anywhere else?

]]> Comment on DLL Hijacking (KB 2269637) – the unofficial list by Microsoft DLL Pre-loading ‘Fix-It’ Released « MadMark's Blog http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/comment-page-1/#comment-334 Microsoft DLL Pre-loading ‘Fix-It’ Released « MadMark's Blog Thu, 02 Sep 2010 23:47:59 +0000 http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/#comment-334 [...] product.  Details emerge on new DLL load hijacking Windows attack vector.  According to this unofficial list of affected software, vendors affected includes Microsoft, Adobe, Apple, Cisco, Citrix, Google, Mozilla and [...] [...] product.  Details emerge on new DLL load hijacking Windows attack vector.  According to this unofficial list of affected software, vendors affected includes Microsoft, Adobe, Apple, Cisco, Citrix, Google, Mozilla and [...]

]]> Comment on Exploit writing tutorial part 1 : Stack Based Overflows by Peter Van Eeckhoutte http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/comment-page-1/#comment-333 Peter Van Eeckhoutte Thu, 02 Sep 2010 20:56:12 +0000 http://www.corelan.be:8800/index.php/2009/07/19/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-1/#comment-333 the solution is here : http://www.corelan.be:8800/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/problem-with-jmp-esp-on-tutorial-1/ (basically, use immunity debugger and use "pvefindaddr j -r esp -n -o" - it will get you reliable pointers (in the output j.txt file, you'll see a module table. Look for the Fixup column. If it says "NO", then it will most likely be reliable the solution is here :
http://www.corelan.be:8800/index.php/forum/exploit-writing-win32-stack-bof-direct-ret/problem-with-jmp-esp-on-tutorial-1/

(basically, use immunity debugger and use “pvefindaddr j -r esp -n -o” – it will get you reliable pointers
(in the output j.txt file, you’ll see a module table. Look for the Fixup column. If it says “NO”, then it will most likely be reliable

]]> Comment on Exploit writing tutorial part 1 : Stack Based Overflows by 5M7X http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/comment-page-1/#comment-332 5M7X Thu, 02 Sep 2010 20:50:53 +0000 http://www.corelan.be:8800/index.php/2009/07/19/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-1/#comment-332 The pointer is in the same .dll you used in the tutorial "We’ll look in the area of C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll. This dll is loaded between 01b10000 and 01fd000. Search this area for ff e4 :" I just read about the "dll rebase"-problem: http://www.codeproject.com/KB/DLL/RebaseDll.aspx http://social.msdn.microsoft.com/forums/en-us/windowssdk/thread/E65E5454-A35C-4DFD-9532-9284460310E1 http://www.drdobbs.com/184416272;jsessionid=USKBZ45RJESF3QE1GHOSKHWATMY32JVN And now i am a but confused/scared about what can be done against it. The only idea i can think about is use a "jmp esp" of the windows-core-dll's but if those are compiled with security-compiler-options it may fail too. So whats the best solution then? The pointer is in the same .dll you used in the tutorial
“We’ll look in the area of C:\Program Files\Easy RM to MP3 Converter\MSRMCcodec02.dll. This dll is loaded between 01b10000 and 01fd000. Search this area for ff e4 :”

I just read about the “dll rebase”-problem:
http://www.codeproject.com/KB/DLL/RebaseDll.aspx
http://social.msdn.microsoft.com/forums/en-us/windowssdk/thread/E65E5454-A35C-4DFD-9532-9284460310E1
http://www.drdobbs.com/184416272;jsessionid=USKBZ45RJESF3QE1GHOSKHWATMY32JVN

And now i am a but confused/scared about what can be done against it. The only idea i can think about is use a “jmp esp” of the windows-core-dll’s but if those are compiled with security-compiler-options it may fail too.

So whats the best solution then?

]]> Comment on Exploit writing tutorial part 1 : Stack Based Overflows by Peter Van Eeckhoutte http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/comment-page-1/#comment-331 Peter Van Eeckhoutte Thu, 02 Sep 2010 17:14:51 +0000 http://www.corelan.be:8800/index.php/2009/07/19/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-1/#comment-331 nice work - are you sure your pointer is reliable ? (impact of dll rebase ?) nice work – are you sure your pointer is reliable ? (impact of dll rebase ?)

]]> Comment on Exploit writing tutorial part 1 : Stack Based Overflows by 5M7X http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/comment-page-1/#comment-330 5M7X Thu, 02 Sep 2010 17:04:04 +0000 http://www.corelan.be:8800/index.php/2009/07/19/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-1/#comment-330 also got a version running *nice tuto* :) -> http://pastebin.com/2NgJb33H <-- as you told me it includes ascii and greetings ;D If somebody is interessted you dont need the alpha-encoder the badchars are simply "0x00" "0x09" and "0x0a" so with that as badchars you simply can use shikata_ga_nai \o/ also got a version running *nice tuto* :)
-> http://pastebin.com/2NgJb33H <– as you told me it includes ascii and greetings ;D
If somebody is interessted you dont need the alpha-encoder the badchars are simply "0×00" "0×09" and "0x0a" so with that as badchars you simply can use shikata_ga_nai \o/

]]> Comment on DLL Hijacking (KB 2269637) – the unofficial list by Microsoft ships 'Fix-It' for DLL load hijacking attack vector | ZDNet http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/comment-page-1/#comment-329 Microsoft ships 'Fix-It' for DLL load hijacking attack vector | ZDNet Wed, 01 Sep 2010 19:11:02 +0000 http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/#comment-329 [...] to this unofficial list of affected software, vendors affected includes Microsoft, Adobe, Apple, Cisco, Citrix, Google, Mozilla and [...] [...] to this unofficial list of affected software, vendors affected includes Microsoft, Adobe, Apple, Cisco, Citrix, Google, Mozilla and [...]

]]>