| |
|
Leaders in Online Information Security Training » Return Oriented Exploitation (ROP) |
|
|
|---|
| Topic: Miscellaneous |
2:35 pm EDT, Apr 14, 2010 |
For all those who registered to AWE in BlackHat Vegas 2010 – we have special surprise for you… We’ve updated our “Bypassing NX” module with the buzzing ROP exploitation method. We took the PHP 6.0 Dev str_transliterate() 0Day Buffer Overflow Exploit and ported it to a Windows 2008 Server environment, with DEP on AlwaysOn mode. The general idea is to use carefully calculated jumps to function tails present in executable memory in order to align the stack for a WriteProcessMemory call. This call will copy our shellcode to an executable place in memory, and then jump to it. You can check out the exploit here.
Leaders in Online Information Security Training » Return Oriented Exploitation (ROP) |
|
Security Research & Defense : MS10-020: SMB Client Update |
|
|
|---|
| Topic: Miscellaneous |
10:36 am EDT, Apr 14, 2010 |
MS10-020: SMB Client Update Today Microsoft released MS10-020, which addresses several vulnerabilities in the Windows SMB client. This blog post provides additional details to help prioritize installation of the update, and understand the attack vectors and mitigations that apply.
Security Research & Defense : MS10-020: SMB Client Update |
|
Malicious PDF file analysis: zynamics style � blog.zynamics.com |
|
|
|---|
| Topic: Miscellaneous |
1:53 pm EDT, Apr 12, 2010 |
Malicious PDF file analysis: zynamics style
By Sebastian Porst If you are interested in PDF file analysis we might soon have something for you. We have developed a nifty little application that can not only parse PDF files but also help you analyze them very quickly. The main features include:
This looks fucking amazing! Malicious PDF file analysis: zynamics style � blog.zynamics.com |
|
|
|---|
| Topic: Miscellaneous |
1:39 pm EDT, Apr 12, 2010 |
Monday 12 April 2010 - A little return oriented exploitation on Windows x86 (Part 1) Overview
This post will take a look at how Return Oriented Programming (ROP) can be used on x86 Windows in order to bypass DEP and gain arbitrary code execution. The example I will use is from an exploit I wrote last year for a stack based buffer overflow I found in the Sun Java Virtual Machine which was recently patched and disclosed by TippingPoint's ZDI. (ZDI-10-061). Part 2 of this blog post will look at an experimental compiler convention that aims to mitigate return oriented attacks such as the one presented here.
Harmony Security : Blog |
|
Microsoft Office 2010 Engineering : Protected View in Office 2010 |
|
|
|---|
| Topic: Miscellaneous |
10:11 am EDT, Apr 7, 2010 |
Protected View in Office 2010 Hello, my name is Vikas and I work in the Office Trustworthy Computing security team. Today I will be telling you more about a feature I have been working on called Protected View. Protected View is one of the new security defense-in-depth features added in Office 2010. If you have not seen Brad’s post yet on this and the other new security improvements, it’s definitely worth taking a few minutes to look it over.
Microsoft Office 2010 Engineering : Protected View in Office 2010 |
|
Hex blog: Environment variable editor |
|
|
|---|
| Topic: Miscellaneous |
10:17 am EDT, Apr 6, 2010 |
Environment variable editor Normally, to change environment variables in a running process, one has to terminate the process, edit the environment variables and re-run the process. In this blog entry we are going to write an IDAPython script that allows us to add, edit or delete environment variables in a running process directly. To achieve this we will use Appcall to manage the variables and a custom viewer that serves as the graphical interface.
Hex blog: Environment variable editor |
|
Challenging conventional wisdom on AV signatures (Part 1 of 2) « blog.zynamics.com |
|
|
|---|
| Topic: Miscellaneous |
12:30 pm EDT, Apr 5, 2010 |
Challenging conventional wisdom on AV signatures (Part 1 of 2)
By Thomas Dullien We have all been taught (and intuitively felt) that traditional antivirus signatures are, for the most part, a waste of time. I think I have myself argued something similar repeatedly. One could say that “byte signatures don’t work” is accepted conventional wisdom in the security industry. Especially in the light of the recent (and much-publicized) Aurora-attacks, this conventional wisdom appears to ring truer than ever.
Challenging conventional wisdom on AV signatures (Part 1 of 2) « blog.zynamics.com |
|
Metasploit: Penetration Testing: Learn Assembly? |
|
|
|---|
| Topic: Miscellaneous |
11:07 am EDT, Apr 5, 2010 |
Sunday, April 4, 2010
Penetration Testing: Learn Assembly?
This afternoon a question came up on the #metasploit IRC channel (irc.freenode.net). The questioner asked: "Should a good penetration tester know assembly?". This lead to some discussion about when and where assembly language skills become important in the scope of a penetration test. My normal response to "Should I learn [something]?" questions is always a resounding YES; it is hard to know too much as a penetration tester or system auditor.
Metasploit: Penetration Testing: Learn Assembly? |
|
