windbg (18)

BlackHat EU 2012 - Day 3

Good morning,

Since doing live-blogging seemed to work out pretty well yesterday, I'll do the same thing again today. Β Please join in for day 3 at BlackHat Europe 2012, in a cloudy and rainy Amsterdam.

The first talk Read more

Read More

Exploit writing tutorial part 11 : Heap Spraying Demystified

A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions. Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail. Of course, you can probably derive how it works by looking at those public exploits. With this tutorial, I'm going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms. I'll start with some "ancient" techniques (or classic techniques if you will) that can be used on IE6 and IE7. We'll also look at heap spraying for non-browser applications. Next, we'll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8. I'll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9. Read more
Read More

Many roads to IAT

A few days ago a friend approached me and asked how he could see the import address table under immunity debugger and if this could be done using the command line. I figured this would be a good time to take a look at what the IAT is, how we can list the IAT and what common reversing hurdles could be with regards to the IAT. Read more
Read More

Metasploit Bounty - the Good, the Bad and the Ugly

On June 14, 2011 HD Moore announced the Metasploit Bounty contest, offering a cash incentive for specific vulnerabilities to be submitted as modules in the Metasploit Framework. Titled "30 exploits, $5000 in 5 weeks", a post on the Rapid7 blog lists the 30 "bounties" selected by the MSF team, waiting for someone to claim and submit a working exploit module. Read more
Read More

QuickZip Stack BOF 0day: a box of chocolates

Over the last couple of weeks, ever since I published 2 articles on the Offensive Blog, I have received many requests from people asking me if they could get a copy of those articles in pdf format.  My blog Read more

Read More

Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

Introduction

In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server.

The success of all of these exploits (whether they are based on direct Read more

Read More

Exploit writing tutorial part 3b : SEH Based Exploits - just another example

In the previous tutorial post, I have explained the basics of SEH based exploits. I have mentioned that in the most simple case of an SEH based exploit, the payload is structured like this :

[Junk][next SEH][SEH][Shellcode]

I Read more

Read More

Exploit writing tutorial part 3 : SEH Based Exploits

In the first 2 parts of the exploit writing tutorial series, I have discussed how a classic stack buffer overflow works and how you can build a reliable exploit by using various techniques to jump to the shellcode.  The Read more

Read More