Collaborate Disseminate
I have this code for exploiting PsExec that works perfectly fine when I have a TGS for the CIFS SPN on the target, however there are situations where I only have plaintext credentials for the local admin of the target, and so I cannot requ… Continue reading Custom PsExec csharp code with plaintext credentials
Is there a !pvefindaddr p2 (search for all pop/pop/ret combinations in the entire process memory space) equivalent in mona.py?
Alternatively, is there any option to run pvefindaddr in latest versions of Immunity Debugger? Currently, when I… Continue reading pvefindaddr p2 in mona?
I’m trying to understand how to get more information about a vulnerability given a CVE. I noticed that some CVEs, on websites like https://www.cvedetails.com, have got references to articles or to code, for example a reference to https://w… Continue reading Get in depth information about vulnerability from a CVE
I am working with this INE eCXD material and I am working on my basics of buffer overflow on Linux.
In the lab, there is supposed to be a binary that is using the strcpy() function and it SEGFAULTS when it reaches that function.
I loaded t… Continue reading Can’t get this memory addressing
I just installed ASX to MP3 Converter 1.82.50 in order to try this Local Stack Overflow: https://www.exploit-db.com/exploits/38457
I generate a shell code in order to pop a calc.exe:
msfvenom -p windows/exec CMD=calc.exe -f python -b ‘\x00… Continue reading How to fix ASX to MP3 Converter 1.82.50 exploit code
Suppose there is a remote server 203.0.113.123 listening on port 1337 that is running a vulnerable application. I have engineered a sequence of inputs for that application that result in a shell. I can generate that input with a Python scr… Continue reading Use a custom Metasploit exploit
The injection is inside an <input> element for an email address. The injection payload is ";"@site.com. Once submitted, local cookie information appears inside the actual input textbox.
I’m on my journey to binary explotation, and it seems that at the time "Art of Exploitation" was written, things related to stack protection have been changed. Only after using -fno-stack-protector as an argument to gcc, I get th… Continue reading Ways to bypass stack protection
As I have been reading about the Android Keychain API, I have been particularly concerned about whether or not Android provides a way to restrict the keys installed as part of Keychain API to certain trusted apps only. For instance, can Yo… Continue reading Android Keychain: How to restrict the system-wide credentials based on the app developer or manufacturer only?
In rop, often a gadget has an undesired pop or push in the middle.
For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well.
What about a push: What do we do to our chain to handle it? It seems t… Continue reading Rop: Handling a `push` in the middle of a gadget