Python | Peter Van Eeckhoutte's Blog

Posts Tagged ‘python’

Starting to write Immunity Debugger PyCommands : my cheatsheet

January 26th, 2010 |

Viewed 1,072 time(s) |

Add this post to Your Favorite Posts

When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in windbg has many advantages, it appeared not the best tool to search for good jump addresses, or to list non-safeseh compiled / non-aslr aware modules, etc…. Ok, looking for a simple “jmp esp” is trivial, but what if you are looking for all pop pop ret combinations in non-safeseh compiled modules… Not an easy task. It is perfectly possible to build plugins for Windbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don’t always work the way I want them …

– Read more »

Posted in 001_Security, Development, Exploit Writing Tutorials, Scripts |

Tags: api, assemble, cheatsheet, debugger, disassemble, immlib, immunity, immunity debugger, module, plugin, pycommand, python, readmemory, script |

5 Comments »

Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

September 21st, 2009 |

Author: Peter Van Eeckhoutte

Viewed 6,260 time(s) |

Add this post to Your Favorite Posts

Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return address or pop/pop/ret address must be found, making the application jump to your shellcode. In all of these cases, we were able to find a more or less reliable address in one of the OS dll’s or application dll’s. Even after a reboot, this address stays the same, making the exploit work reliably. Fortunately for the zillions Windows end-users out there, a number of protection mechanisms have been built-in into the Windows Operating systems. – Stack cookies (/GS Switch cookie) …

– Read more »

Posted in 001_Security, Exploit Writing Tutorials, Exploits |

Tags: !aslrdynamicbase, 2003, 4141414, 8, access violation, add esp, address space layout randomization, adjust ebp, adjust esi, alwaysoff, alwayson, aslr, before function returns, buffer, buffer overflow, bypass, call, compiler, cookie, data execution prevention, dep, dword ptr, exception handler, exploit, gs, hack, handler, immdbg, immunity, jmp, jump, Kifastsystemcallret, ldrpchecknxcompatibility, linker, loaded module, mov al, moveimages, next seh, non exec, nseh, ntsetinformationprocess, nx, ollydbg, optin, optout, partial overwrite, plugin, prevention, processexecute, protection, protectvirtualmemory, pvefindaddr, pycommand, python, ret2libc, safeseh, saved ebp, saved eip, se handler, se structure, sehop, stack, stack overflow, switch, virtual function call, vista, windbg, windows 7, xd, xp |

6 Comments »

Peter says:

« All of the info and all tools on this blog are free. Keeping this blog in the air is quite expensive. So if you like what I do and want to show your respect for my work, please consider donating (use the Donate link above)

»     ...     « If you have enjoyed a certain post or like one of my tools, don't forget to vote/rate it !

»     ...     « If you have questions about certain posts, content or tools published on this website, then please use the forums to post questions. Don't write your questions in the Comments section.

»     ...     « If you want to be the first to know about new posts/tools/tutorials on this blog, then subscribe to the mailinglist. Use the 'Subscribe to updates via email' link below (in the Stay posted section)

»