The data, tools, and procedures which, when applied to a specific vulnerability, predictably violate the security design of a system.


3 votes, 0 answers, 30 views

Return-oriented programming: how to find a stack pivot

I have a program with a heap overflow. It contains some code that is not randomized (is not using ASLR). I want to do a return-oriented programming exploit. Since this is a heap overflow, the first ...
-2 votes, 1 answer, 36 views

Trying to replicate request for CSRF exploit

I'm trying to create a CSRF exploit on this application, but I simply can't figure out how the request is made. I've monitored the requests with tamper data, live http headers, fiddler, and burp ...
-1 votes, 0 answers, 21 views

How to exploit a Joomla com_chronocontac vulnerability [on hold]

I have a Joomla 1.5 installation with the module com_chronocontac installed. I've read there's a blind SQL injection attack in this module. How can I make sure that this vulnerability is critical? ...
0 votes, 2 answers, 60 views

Preventing exploits like ROP and Return-to-libc in modern Operating systems

As I was reading about the advanced exploits such as Return Oriented Programming (ROP), Return-to-libc, etc., I came across many defenses to these attacks including techniques like ASLR, kBouncer, ROP ...
0 votes, 1 answer, 89 views

Stack Guard vs Stack Shield

I would like to know why nowadays Stack Guard is used everywhere (example: ProPolice in GCC, /GS in Visual Studio), instead of Stack Shield. Both the approaches (i.e. Stack Guard & Stack Shield) ...
-1 votes, 0 answers, 52 views

Reference to a website that contains all possible Linux Kernel Exploits [closed]

I remember that I have hit a site that contains an index for all Linux local exploits which allows privilege escalation (and has directory indexing enabled); however, I cannot find out where I have ...
1 vote, 1 answer, 91 views

Fuzzer causes crash. Now what?

Can anyone point me in the direction of some good tutorials regarding how to identify the type of vulnerability as reported by !exploitable and where to go from there? Essentially I've got myself a ...
0 votes, 2 answers, 68 views

Can I read/write canary values from %gs register?

I would like to know if it is possible to read (or write) the canary values from %gs register. If "yes", how; and if "no", why? Also, I have been reading somewhere that the canary values are stored ...
3 votes, 1 answer, 51 views

Exploiting memory corruption issues using a DLL file

I was listening to a talk on Return Oriented Exploitation from the Black Hat 2010 conference. The speaker mentioned something about using the DLLs to exploit some of the memory corruption issues. I ...
-1 votes, 2 answers, 81 views

Android OS Security [closed]

I am somewhat confused in terms of how secure Android OS is and how updates work on Android. Are there security fixes on each release? How can I keep track of Android exploits, and what are the most ...
2 votes, 3 answers, 124 views

Insert string to memory with null character

I'm trying to implement return-to-libc, here's the code void func(const char *str) { char buf[4]; strcpy(buf,str); printf("you entered [%s]\n",buf); } int main(int argc, char *argv[]) { ...
0 votes, 1 answer, 267 views

Create netcat listener and execute reverse shell in the same script

I'm coding an exploit in Python that exploits a command injection vulnerability for a CTF, and I'm wondering how I could start a netcat listener and then send the payload to the remote host and once ...
6 votes, 2 answers, 220 views

Continuous Integration for Exploit Development

I have been thinking about this subject a lot. Exploit Development is nearly the same as normal development, you need to test quite a lot of platforms (eg. Windows XP, Windows Vista, x64, x86, ...
-5 votes, 1 answer, 91 views

Reverse shell in gzip

I got a box I am trying to pop (boot and root) that has an upload form on its website for logged-in users that will take a .gzip file and extract it to the user's home directory on the server. I am ...
0 votes, 1 answer, 56 views

Abusing write permission on Apache logs dir to escalate privileges

I have just come across this sentence on apache log files documentation: Anyone who can write to the directory where Apache is writing a log file can almost certainly gain access to the uid that ...
