Collaborate Disseminate
The July Android Security Bulletin patches 11 critical remote-code execution bugs including one dubbed ‘Broadpwn’ that impacts both Android and iOS devices. Continue reading Google Patches Critical ‘Broadpwn’ Bug in July Security Update
I am trying to exploit a small program. The program looks somewhat like this:
int func(void) {
char text[100];
scanf("%s", text);
return 0;
}
int foo(unsigned short rand) {
char RandomBuffer[rand];
return func();
}
int main(int argc, char* args[]) {
srand(time(NULL));
return foo(rand() % 1000);
}
I used ROPgadget to build a ROP chain. The tool finds a gadet which is needed for the attack:
Gadget found: 0x8058fcc pop edx ; ret
My ROP chain starts like this:
p = ‘rnd padding’
p += pack('<I', 0x08058fcc) # pop edx ; ret
However when executing my exploit I get:
Stopped reason: SIGILL
0x08058fcc in _int_memalign ()
The EIP points to the address computed by ROPgadget but somehow it is not the correct command.
EIP: 0x8058fcc (<_int_memalign+108>: lock mov eax,esi)
What am I missing?
Cheers
I’ve made a simple C-program that simply prints the address of main() at execution:
printf(“%08X\n”, &main);
I compile it with Visual C++ 2015 with the parameter /DYNAMICBASE, for x86 (same thing happens when compiling … Continue reading Why doesn’t Windows keep randomizing the base address of my executable? [migrated]
Why is the EternalBlue exploit so successful when ASLR is likely enabled on modern machines? I may be wrong as i’m not familiar with windows internals. I can’t find any explanation on this including this. Any links would be m… Continue reading EternalBlue exploit and ASLR
In an answer to How do ASLR and DEP work? Polynomial says:
In a non-ASLR and non-DEP process, the stack address is the same every time we run the process. We know exactly where it is in memory.
I don’t understand how th… Continue reading Why are stack address the same all the time when not using ASLR? [on hold]
I’ve seen quite a few posts about and am curious how it prevents shell code execution. During a CTF I used shell code to call execve and perform a task. I tried this again on my own machine and it failed. I was told that this… Continue reading How does ASLR prevent shell code execution?
Mike Mimoso and Chris Brook recap the first day of this year’s Security Analyst Summit, including Mark Dowd’s memory corruption bug keynote, the digital archeology around Moonlight Maze, ATM hacking, and the Lazarus APT. Continue reading Security Analyst Summit 2017 Day One Recap
Local only Filesystems (like ntfs or btrfs) consists of many data structures that require very complex code for parsing them.
So, such filesystems if implemented in user space can suffer of buffer overflows vulnerabilities like many parser.
In that case, the attacker leaves a high capacity sd card with crafted data on the car park that will take control of the staff member’s laptop as soon it tries to mount it.
The point is I think there’s nothing to fear from using 512 Gb sd card found on the ground anymore because of aslr :
-fPIE, so user space programs never uses any static address anymore.So as long as the filesystem isn’t nfs or serial attached scsi and does not run in kernel space nor the system contains position dependent executables, nor use executable stack, aslr does not only mitigates, but it completely prevents buffer overflows attacks, isn’t it ?
Or can alsr be bypassed by performing a single buffer overflow that takes control of all variable allocated on heap even if the program doesn’t uses any networking ? (I also noticed with fileystem that the whole heap strucure can be made predictable)
In the case of filesystems, the typical thing that happen is this :
struct boot_sector ef=malloc(sizeof(struct boot_sector));
ef->dev=open("/dev/sdb1");
ef->sb=malloc(sizeof(struct super_block));
pread(ef->dev, ef->sb, sizeof(struct super_block), 0);
ef->first_extend =malloc (user_controlled_value * CLUSTER_SIZE); // get allocated at the begging of the heap.
pread(ef->dev, ef->first_extend, second_controlled_value << CLUSTER_SIZE, 1024); // overwrite every struct * that follow, including ef. Notice since we control file system data we know the value the varying struct * should have.
Though in that kind of case, no structures hold pointer information, thus requiring to corrupt glibc’s dlmalloc data.
The latest version of Firefox expands non-secure HTTP warnings, enables SHA-1 deprecation by default, and removes support for NPAPI. Continue reading Firefox 52 Expands Non-Secure HTTP Warnings, Enables SHA-1 Deprecation
This article tells how to bypass DEP/ASLR at the same time,click here to read.
I have some questions after reading.In this article,when it finds the address of some instruction using ROP,the address of the instruction is har… Continue reading Some question about this article illustrating bypassing ASLR/DEP