2012-02-12 03:45
Last Friday I presented at Ruxmon on Windows exploitation under newer platforms, bypassing arguably the two most painful mitigations at the moment, DEP & ASLR. For those who don't know, Ruxmon is a monthly security meeting based upon the security conference, Ruxcon. It was great to get up, overcome some fears and gain some constructive feedback and in |
2012-02-12 03:44
The other day I had an interview with myne-us over at securabit discussing a quick and dirty revamp I did of the Aurora exploit. It was nice to meet myne-us and I have since become a regular podcast listener of securabit! Thanks guys. You can view the blog entry here, enjoy! |
2012-02-12 03:43
We have talked previously about stack based buffer overflows and format string vulnerabilities. Now it is time to take it a step further and play with the Windows heap manager! Unlink() to execute a write 4 primitive
Previously, with stack overflows, we gained control of the instruction pointer (EIP) somehow, whether that be through the exception handler or directly. Today we are going to discuss a se |
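The "write 4" that the unlink primitive gives an attacker, shown as an added example that is not the post's own code and runs in portable C rather than against the real Windows heap: a free-list chunk with Flink/Blink links is unlinked without integrity checks, so an attacker who overflows into a fake chunk header chooses both the value written (Flink, the "what") and the address it lands on (Blink, the "where"). The chunk layout, the victim buffer with its code-pointer slot and "shellcode" region, and the offsets are all constructed for the demonstration; the safe-unlinking check at the end is the mitigation later heap managers added against exactly this.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A free-list chunk header as the pre-safe-unlinking heaps kept it:
 * a forward link (Flink) followed by a back link (Blink). */
typedef struct chunk {
    struct chunk *flink;
    struct chunk *blink;
} chunk_t;

/* The classic unlink: take p off its list, trusting both links. */
static void unlink_chunk(chunk_t *p) {
    p->blink->flink = p->flink;   /* store 1: *(blink + 0)             = flink  ("what" -> "where") */
    p->flink->blink = p->blink;   /* store 2: *(flink + sizeof(void*)) = blink  (side effect)       */
}

/* Safe unlinking, the check later heap managers added: refuse unless both
 * neighbours really point back at p. Returns 1 if unlinked, 0 if refused. */
static int safe_unlink_chunk(chunk_t *p) {
    if (p->flink->blink != p || p->blink->flink != p)
        return 0;
    unlink_chunk(p);
    return 1;
}

/* Simulated victim memory, constructed for this example: a code-pointer slot
 * at offset 0 (think function pointer or vtable entry) and a writable region
 * at SHELLCODE_OFF standing in for attacker-supplied shellcode. The union
 * keeps the buffer pointer-aligned. */
#define SHELLCODE_OFF (4 * sizeof(void *))
typedef union { unsigned char bytes[64]; void *align; } victim_t;
static victim_t victim;

static void reset_victim(void) {
    memset(victim.bytes, 0, sizeof victim.bytes);
    memset(victim.bytes + SHELLCODE_OFF, 0x90, sizeof victim.bytes - SHELLCODE_OFF); /* NOP sled stand-in */
}

static void *read_ptr(size_t off) {
    void *p;
    memcpy(&p, victim.bytes + off, sizeof p);
    return p;
}

/* The fake chunk an overflow would plant: flink = "what",
 * blink = "where" - offsetof(flink), so that blink->flink aliases the target slot. */
static chunk_t make_fake_chunk(void *what, void *where) {
    chunk_t fake;
    fake.flink = (chunk_t *)what;
    fake.blink = (chunk_t *)((unsigned char *)where - offsetof(chunk_t, flink));
    return fake;
}

static void run_classic_unlink(void) {
    reset_victim();
    chunk_t fake = make_fake_chunk(victim.bytes + SHELLCODE_OFF, victim.bytes);
    unlink_chunk(&fake);
}

/* 1 if the classic unlink made the code-pointer slot point at the shellcode. */
int classic_unlink_hijacks(void) {
    run_classic_unlink();
    return read_ptr(0) == (void *)(victim.bytes + SHELLCODE_OFF);
}

/* 1 if store 2 clobbered sizeof(void*) bytes of the shellcode at +offsetof(blink)
 * while the first bytes survived: real shellcode must open with a short jump over it. */
int shellcode_clobbered(void) {
    run_classic_unlink();
    return read_ptr(SHELLCODE_OFF + offsetof(chunk_t, blink)) == (void *)victim.bytes
        && victim.bytes[SHELLCODE_OFF] == 0x90;
}

/* 1 if safe unlinking refuses the same fake chunk and leaves the slot NULL. */
int safe_unlink_refuses(void) {
    reset_victim();
    chunk_t fake = make_fake_chunk(victim.bytes + SHELLCODE_OFF, victim.bytes);
    int unlinked = safe_unlink_chunk(&fake);
    return !unlinked && read_ptr(0) == NULL;
}

int main(void) {
    printf("classic unlink hijacks slot: %d\n", classic_unlink_hijacks());
    printf("shellcode clobbered at +%zu: %d\n", offsetof(chunk_t, blink), shellcode_clobbered());
    printf("safe unlink refuses fake chunk: %d\n", safe_unlink_refuses());
    return 0;
}
```

Two things the simulation makes visible that matter in a real exploit: the "what" must itself be a writable address, because the second store dereferences it, and that second store trashes one pointer's worth of bytes just past the start of whatever "what" points at, which is why unlink-based shellcode traditionally begins with a short jump over its own first few bytes.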
2012-02-12 03:42
I have always wondered how code execution can be obtained from a format string bug. I know that in a situation where we can use C style specifiers, we do not directly own the EIP register or the structured exception handler on an x86 platform. Whilst the majority of format string bugs are virtually dead, I still feel like this is a worthwhile concept to understand for any security analyst. So what is the process to achieve cod |
2012-02-12 03:41
More recently I have researched methods of bypassing two security protection mechanisms under Windows that have proven quite difficult. Whilst this is nothing new, I will provide the understanding I have of the techniques and show you a brief demonstration of the approach I took. We will discuss these techniques in relation to stack based buffer overflows only for now. What is interesting is that each protection mechanism individually a |
2011-12-17 23:07
Factors any number up to 2^64-1, and quickly; the code is dead simple, so I have not commented it. Code:

#include <stdio.h>
#include <windows.h>

const unsigned __int64 prime[2] = {2, 3};
const int primeNumTblSize = sizeof(prime) / sizeof(prime[0]);

void PrintFactorization(unsigned __int64 srcNum, unsigned __int64 baseNum)
{
    unsigned __int64 yinzi[64] = {0};   /* yinzi: the prime factors found */
    int mi[64] = {0};                   /* mi: the exponent of each factor */
    int numOfYinzi = 0; |
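The excerpt's function body is cut off, so here is an added example of the approach its prime table of {2, 3} suggests; it is my code, not the post's, and it assumes a 2/3 wheel (strip 2 and 3, then trial-divide only by 6k-1 and 6k+1) in portable C with uint64_t instead of the Windows-only unsigned __int64. The one detail that actually makes "up to 2^64-1" safe is the loop bound: d <= n / d never overflows, whereas the usual d * d <= n silently wraps once d passes 2^32.

```c
#include <stdint.h>
#include <stdio.h>

/* One prime factor and its multiplicity. */
typedef struct { uint64_t p; int e; } factor_t;

/* A 64-bit value has at most 15 distinct prime factors: the product of the
 * first 16 primes already exceeds 2^64. */
#define MAX_FACTORS 15

/* Divide every copy of q out of *n; returns the exponent (0 if q does not divide). */
static int strip_factor(uint64_t *n, uint64_t q) {
    int e = 0;
    while (*n % q == 0) { *n /= q; e++; }
    return e;
}

/* Trial division with a 2/3 wheel (assumed, as the {2,3} prime table suggests):
 * divide out 2 and 3, then test only candidates of the form 6k-1 and 6k+1.
 * Any candidate that divides n is prime, because every smaller prime was
 * already removed. The bound d <= n / d cannot overflow, so inputs all the
 * way up to 2^64-1 are safe. Factors land in out in increasing order;
 * returns the number of distinct primes found (0 for n < 2). */
int factorize(uint64_t n, factor_t out[MAX_FACTORS]) {
    static const uint64_t wheel[2] = {2, 3};
    int count = 0;
    if (n < 2) return 0;
    for (int i = 0; i < 2; i++) {
        int e = strip_factor(&n, wheel[i]);
        if (e) { out[count].p = wheel[i]; out[count].e = e; count++; }
    }
    for (uint64_t d = 5; d <= n / d; d += 6) {
        const uint64_t cand[2] = { d, d + 2 };        /* 6k-1, 6k+1 */
        for (int j = 0; j < 2; j++) {
            int e = strip_factor(&n, cand[j]);
            if (e) { out[count].p = cand[j]; out[count].e = e; count++; }
        }
    }
    if (n > 1) { out[count].p = n; out[count].e = 1; count++; }  /* leftover prime above sqrt */
    return count;
}

/* Multiply a factorization back together, to check a result. */
uint64_t recompose(const factor_t *f, int count) {
    uint64_t n = 1;
    for (int i = 0; i < count; i++)
        for (int k = 0; k < f[i].e; k++) n *= f[i].p;
    return n;
}

/* Small wrappers for checks without juggling arrays. */
int distinct_factor_count(uint64_t n) { factor_t f[MAX_FACTORS]; return factorize(n, f); }
uint64_t nth_factor(uint64_t n, int i) {
    factor_t f[MAX_FACTORS]; int c = factorize(n, f);
    return (i >= 0 && i < c) ? f[i].p : 0;
}
int nth_exponent(uint64_t n, int i) {
    factor_t f[MAX_FACTORS]; int c = factorize(n, f);
    return (i >= 0 && i < c) ? f[i].e : 0;
}
int factorization_roundtrips(uint64_t n) {
    factor_t f[MAX_FACTORS]; int c = factorize(n, f);
    return c > 0 && recompose(f, c) == n;
}

void print_factorization(uint64_t n) {
    factor_t f[MAX_FACTORS];
    int c = factorize(n, f);
    printf("%llu =", (unsigned long long)n);
    for (int i = 0; i < c; i++)
        printf("%s %llu^%d", i ? " *" : "", (unsigned long long)f[i].p, f[i].e);
    printf("\n");
}

int main(void) {
    print_factorization(UINT64_MAX);     /* 3 * 5 * 17 * 257 * 641 * 65537 * 6700417 */
    print_factorization(600851475143ULL);
    return 0;
}
```

"Fast" holds for inputs with small factors or at most one large one, which is most of them; the slow case is a 64-bit prime, where trial division has to walk roughly 2^32 / 3 candidates before giving up, and Pollard's rho is the usual next step if that matters.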
2011-12-12 15:24
Ok so you can exploit EIP and SEH overwrites and you're getting bored of the rather simple process of this... and one day you're fuzzing away and then boom! you see:
I am going to talk briefly about what Unicode is and how you can write customi |
2011-12-12 15:22
A little while ago I found a 0day attack on the Oracle 11g database that has a somewhat high impact (though low likelihood). The vulnerability is within the parsing of the 'file' field inside a parameter file specified on the command line to Oracle's export utility. The export utility is not run as privileged code, however the vulnerability was technically interesting to exploit.
So what is the situation? A specially |
2011-12-12 15:19
From what it appears, we can crash Orbital Viewer using a specially crafted .orb file. Here I am using Immunity Debugger and the pvefindaddr.py tool. First of all we must create a header to trigger the vulnerability and then insert |
2011-08-27 22:20
Vulnerability summary. Defect ID: WooYun-2011-01383. Title: 皮皮播放器 (PiPi Player) ActiveX control PlayURLWithLocalPlayer() function overflow vulnerability. Vendor: 皮皮网. Author: riusksk (http://riusksk.blogbus.com). Submitted: 2011-02-21. Type: arbitrary code execution. Severity: high. Status: awaiting vendor response. Source: http://www |
chinacck
Male, age not given
Guangdong, Guangzhou