Posts Tagged ‘dep’
Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube
Author: Peter Van Eeckhoutte
Add this post to Your Favorite Posts
About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to learn the basics about exploit development, starting from scratch (targeting people without any knowledge about exploit development) you have most likely discovered that the more recent tutorials continue to build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s …
Posted in 001_Security, Exploit Writing Tutorials, Exploits | 
Tags: 41414141, access violation, add esp, alwaysoff, alwayson, aslr, awe, breakpoint, bypass, C0000005, call, dep, dep policy, egg, egg hunter, exploit, exploit writing, gadget, heapcreate, immunity debugger, memcpy, ntsetinformationprocess, nx, offset, optin, optout, pae, permanent dep, pvefindaddr, register, return oriented programming, rop, rop gadget, setprocessdeppolicy, stack, stack pivot, virtualalloc, virtualprotect, WinExec, writeprocessmemory, xd | 
6 Comments »
Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
Author: Peter Van Eeckhoutte
Add this post to Your Favorite Posts
Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return address or pop/pop/ret address must be found, making the application jump to your shellcode. In all of these cases, we were able to find a more or less reliable address in one of the OS dll’s or application dll’s. Even after a reboot, this address stays the same, making the exploit work reliably. Fortunately for the zillions Windows end-users out there, a number of protection mechanisms have been built-in into the Windows Operating systems. – Stack cookies (/GS Switch cookie) …
Posted in 001_Security, Exploit Writing Tutorials, Exploits |
Tags: !aslrdynamicbase, 2003, 4141414, 8, access violation, add esp, address space layout randomization, adjust ebp, adjust esi, alwaysoff, alwayson, aslr, before function returns, buffer, buffer overflow, bypass, call, compiler, cookie, data execution prevention, dep, dword ptr, exception handler, exploit, gs, hack, handler, immdbg, immunity, jmp, jump, Kifastsystemcallret, ldrpchecknxcompatibility, linker, loaded module, mov al, moveimages, next seh, non exec, nseh, ntsetinformationprocess, nx, ollydbg, optin, optout, partial overwrite, plugin, prevention, processexecute, protection, protectvirtualmemory, pvefindaddr, pycommand, python, ret2libc, safeseh, saved ebp, saved eip, se handler, se structure, sehop, stack, stack overflow, switch, virtual function call, vista, windbg, windows 7, xd, xp |
6 Comments »
Exploit writing tutorial part 3 : SEH Based Exploits
Author: Peter Van Eeckhoutte
Add this post to Your Favorite Posts
In the first 2 parts of the exploit writing tutorial series, I have discussed how a classic stack buffer overflow works and how you can build a reliable exploit by using various techniques to jump to the shellcode. The example we have used allowed us to directly overwrite EIP and we had a pretty large buffer space to host our shellcode. On top of that, we had the ability to use multiple jump techniques to reach our goal. But not all overflows are that easy. Today, we’ll look at another technique to go from vulnerability to exploit, by using exception handlers. What are exception handlers ? An exception handler is a piece of code that is written inside an application, with the purpose of dealing with the fact that the application throws an execption. A typical exception …
Posted in 001_Security, Exploit Writing Tutorials, Exploits |
Tags: !exploitable, buffer, buffer overflow, cygwin, dep, dll modload, exception, exception handler, exploit, exploit laboratory, fs:[0], handler, memdump, msec.dll, msfpescan, next seh, ollydbg, pop pop ret, safeseh, seh, shellcode, stack, stack overflow, teb, tib, windbg |
14 Comments »
- Lincoln on CORELAN-10-061 – Integard Home and Pro v2 Remote HTTP Buffer Overflow Exploit September 7, 2010
- Lincoln on CORELAN-10-060 – 123 Flash Chat ver 7.8 August 16, 2010
- Sud0 on CORELAN-10-059 – Sopcast Unicode BOF Remote Exploit August 10, 2010
- MaRkO T. on CORELAN-10-058 – ActiTime2 0MA CSRF July 11, 2010
- MaRkO T. on CORELAN-10-057 – Oracle BPM Process Administrator 5.7-6.0-10.3 MPs XSS July 11, 2010
- chap0 on CORELAN-10-056 - Hero DVD Remote Buffer Overflow Exploit July 7, 2010
- MaRkO T. on CORELAN-10-055 – MemDb (Multiple Remote Dos) June 28, 2010
- chap0 on CORELAN-10-054 - GSM sms Utility SEH Buffer Overflow June 28, 2010
- TecR0c on CORELAN-10-053 – FieldNotes 32 v5.00 SEH exploit June 25, 2010
- sinn3r on CORELAN-10-052 – NO-IP Domain Update Client (DUC) "Request" Insecure Encoding Algorithm June 24, 2010