Collaborate Disseminate
Assuming the attacker can read all the traffic (he cracked my WPA2 for example), is there still something he can do if i’m only connecting through TLS and similar protocols ?
I used Ropper to generate a 64 bits ropchain to execve a shell.
Unfortunately I get a segmentation fault in the middle of the chain. By inspecting in GDB I noticed the segv happens at a ret and rsp is not 16 bytes aligned so this implies t… Continue reading Why does my rop chain fails ? Is it because of alignment?
I used Ropper to generate a 64 bits ropchain to execve a shell.
Unfortunately I get a segmentation fault in the middle of the chain. By inspecting in GDB I noticed the segv happens at a ret and rsp is not 16 bytes aligned so this implies t… Continue reading Why does my rop chain fails ? Is it because of alignment?
I succesfully tried to exploit an old version of Apache. A shell is spawned with user www-data (id=33), but I can’t "ls" or "cat" anything in /tmp. I can ls the contentns of /bin instead, for example.
I even added a fil… Continue reading Why can’t I access /tmp after my execve(/bin/sh) exploit?
I have written a small shellcode but it is trapped at execve() by the debugger if it is attached. Can this be bypassed? Note that I can add any instructions to my shellcode, but I don’t have root privileges.
Continue reading How do you catch sigtrap so your malware will still run while being debugged?
Assume Alice has physical access to Bob’s Linux machine (but can only use the mouse/keyboard). What is the worst that can happen to Bob’s files? For example could she write in a file owned by Bob even if Bob didn’t give permission to her?
… Continue reading What is the most harm that a non-root logged-in user can do on a Linux machine? [closed]
According to this paper on defeating stackguard, it seems canaries are placed lower in the stack (higher address) than EBP, allowing the attacker to overwrite EBP without being noticed. But when I look at more recent code it seems the cana… Continue reading Is this paper on stack canaries outdated?
I know MD5 is no longer secure, but is there an algorithm running in polynomial time to find preimages of a given hash, or is it just bruteforce?
Continue reading Is there a well-defined algorithm to find preimages in MD5?
I understand that a tls has to be established between the supplicant (end user device) and the auth server but a few things are unclear :
How does the supplicant know the ip adress of the auth server ?
The supplicant is not granted access… Continue reading How does the supplicant connect to the auth server in EAP TTLS?
I understand how this exploits work on the theoretical level, but I can’t find detailed worked tutorials that show for example how to overwrite the return adress in the stack when overflowing a given buffer in a given function etc. Is ther… Continue reading Working code examples for stack or heap buffer overflows?