Arbitrary Write primitive in Windows kernel (HEVD)

Back again to modern Windows kernel exploitation! After understanding how to build shellcode for 64-bit Windows and applying this knowledge to a trivial kernel stack overflow vulnerability, we are ready to start moving towards more real-life...

First exploit in Windows Kernel (HEVD)

Hi there ✋ This post is the third chapter of this series, where we dive into the Windows kernel. The previous posts introduced, respectively, how to painlessly set up a Windows exploit lab, then how to create a custom shellcode for the kernel to...

A Primer to Windows x64 shellcoding

Continuing on the path to Windows kernel exploitation... Thanks to the previous post, we now have a working lab for easily (and reasonably quickly) debugging the Windows kernel. Let's skip ahead for a minute and assume we control PC using some...

Some Qemu images to play with

TL;DR Ready-to-play Qemu images for under-rated architectures (ARM, MIPS, PowerPC, SPARC, AARCH64), with all the tools built in to understand memory corruption on non-x86 environments, here. Update (2018/05/15) The Mega.NZ repository...

Insomni'Hack CTF 2017: bender_safer

Insomni'Hack CTF 2017 offered a series of 3 challenges (i.e. 3 different flags) on the same binary, called bender_safe: bender_safe was a Reversing challenge (50 pts) to discover the correct validation sequence; bender_safer (this one) was a...

ARMPWN redux: canary reloaded

TL;DR: It is possible to defeat stack canary protection when a binary is vulnerable to an arbitrary file read. Intro First off, Happy New Year 2017 ✌ Recently, I've decided to thoroughly investigate the "Stack Smashing Protection" (SSP) on recent...

ARMPWN challenge write-up

Info A few weeks ago, I came across a GitHub repository created by @5aelo called armpwn for people wanting to have a bit of ARM fun. I had recently spent some time adding new features and perfecting old ones in my exploit helper for GDB, gef...

DEFCON CTF 2016 - heapfun4u

Info The vulnerable file was given with the following instructions: Guess what, it is a heap bug So yes, we'll be dealing with some heap fun. gef➤ !file ./heapfun4u ./heapfun4u: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically...

DEFCON CTF 2016 - feedme

Info The vulnerable file was given with the instructions: Don't forget to feed me http://www.scs.stanford.edu/brop/ Here are some info given by gef: gef➤ !file ./feedme ./feedme: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV),...

ASIS CTF 2016 - feap write-up

Info As usual, the vulnerable file is here gef➤ !file ./feap ./feap: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24,...