heap-one (x64) CTF exploit exercise: cannot overwrite GOT entry using arbitrary write (qword) primitive?

I’m currently working on the following CTF exercise (x64 version), where the objective is to overwrite a pointer stored on the heap to control the write address of strcpy():

https://exploit.education/phoenix/heap-one/

struc…

Why isn’t the checksum length increased on macOS to mitigate generic heap exploitation?

I’ve been studying heap exploitation on Linux/macOS for learning purposes.

Many of the generic exploits on macOS rely on brute-forcing the 4-bit checksum derived from the rack’s cookie value. This effectively results in a 2^…

What’s the risk of malvertising and other PUPs on unpatched machines? [on hold]

If a computer has been running with considerably outdated operating systems, web browsers, Java, and Adobe Flash, what is the overall risk from malvertising and other potentially unwanted programs (PUPs)?

Assuming that the m…

Is there something fishy on Kaspersky Internet Security, or am I missing something?

Whenever I turn on my computer, a notification pops up – You need to restart your PC (I have added a screenshot). I did, but it keeps coming. So I went to the notification center and saw which application is causing this; it was my an…

Methods of exploiting a Windows executable protected by "Control Flow Guard" and "Return Flow Guard"?

I understand that obtaining code execution by stack buffer overflows was mitigated by DEP, which in turn led to SEH and ROP exploit techniques etc.

However, I don’t see how to exploit an executable simultaneously protecte…