«
Expand/Collapse
64 items tagged "string"
Related tags:
zero [+],
arbitrary code execution [+],
denial of service [+],
memory corruption [+],
day [+],
squid [+],
service vulnerability [+],
proxy [+],
process [+],
null pointer [+],
string parameter [+],
nedit [+],
hacks [+],
connection string [+],
connection [+],
alonso jose palazon [+],
zero day [+],
vsprintf [+],
version 6 [+],
version [+],
trent micro [+],
toweb [+],
sudo [+],
static program analysis [+],
port 587 [+],
ocx versions [+],
null byte [+],
mov file [+],
micro control [+],
memory addresses [+],
memory [+],
mathias payer [+],
manager. authentication [+],
logging function [+],
escalation [+],
drupal [+],
code attempts [+],
code [+],
chaos communication congress [+],
apple quicktime player [+],
apple quicktime [+],
adobe shockwave player [+],
Programming [+],
video connection [+],
video [+],
ubuntu [+],
tivoli storage manager [+],
terminal emulators [+],
string arguments [+],
space [+],
source code [+],
ruby [+],
pipe character [+],
pellerano [+],
nginx [+],
module [+],
manager fastback [+],
giovanni pellerano [+],
francesco ongaro [+],
format string attacks [+],
disclosure [+],
database web [+],
buffer overflow [+],
audioop [+],
attacker [+],
arduino [+],
application crash [+],
alessandro tanasi [+],
format [+],
vmrc [+],
u.s. [+],
threat [+],
text buffer [+],
string set [+],
string musical instrument [+],
string copy [+],
string constant [+],
stepper motors [+],
stack data [+],
slides [+],
servo [+],
server authentication [+],
samba [+],
quot [+],
plotter [+],
paul haas [+],
parameter [+],
paper [+],
pango pango [+],
pango [+],
org version [+],
nmea data [+],
music mike [+],
mono filament thread [+],
mike baxter [+],
midi file [+],
microsoft excel [+],
microsoft [+],
matt bell [+],
light painting [+],
light [+],
jon sowman [+],
integer overflow vulnerability [+],
instrument [+],
high altitude balloon [+],
helix server [+],
hdd [+],
hash [+],
hardware package [+],
guitar [+],
googling [+],
glyph [+],
generator [+],
format string attack [+],
format specifiers [+],
fedora [+],
exploits [+],
excel [+],
digital [+],
cyber attacks [+],
cyber [+],
cve [+],
containing [+],
code execution [+],
cnc [+],
christopher mitchell [+],
buffer overflow vulnerability [+],
bidirectional [+],
balloon [+],
authentication [+],
audio [+],
attack [+],
arpd [+],
apple appkit [+],
apple [+],
advanced [+],
adam greig [+],
Newbie [+],
Area [+],
vulnerability [+],
format string [+]
-
-
![Permalink for '[Video] String Oriented Programming'](/themes/lilina/web//media/mark_off.gif)
21:34
»
SecDocs
Authors:
Mathias Payer Tags:
exploiting Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application that contains a format string exploit as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.
-
21:34
»
SecDocs
Authors:
Mathias Payer Tags:
exploiting Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application that contains a format string exploit as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.
-
21:34
»
SecDocs
Authors:
Mathias Payer Tags:
exploiting Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: The protection landscape is changing and exploits are getting more and more sophisticated. Exploit generation toolkits can be used to construct exploits for specific applications using well-defined algorithms. We present such an algorithm for leveraging format strings and introduce string oriented programming. String oriented programming takes format string exploits to the next level and turns an intrusion vector that needs hand-crafted exploits into arbitrary code execution. Similar to return oriented programming or jump oriented programming string oriented programming does not rely on existing code but concatenates gadgets in the application using static program analysis. This talk presents an algorithm and a technique that takes a vulnerable application that contains a format string exploit as a parameter and constructs a format string exploit that can be used to inject a dynamic jump oriented programming dispatcher into the running application. String oriented programming circumvents ASLR, DEP, and ProPolice.
-
-
6:01
»
Hack a Day
[Matt Bell] sends a shout-out to Hackaday by creating a light-painting of our logo with his string plotter. He starts off by setting up a pair of stepper motors which each have a spool to wind and unwind a string. The plotter is made by suspending a stylus between these two strings. In this case, [...]
-
-
7:58
»
Packet Storm Security Exploits
Drupal version 6.20 with String Overrides version 6.x-1.8 and Drupal version 5.21 with String Overrides version 5.x-1.8 suffer from a cross site scripting vulnerability.
-
7:58
»
Packet Storm Security Recent Files
Drupal version 6.20 with String Overrides version 6.x-1.8 and Drupal version 5.21 with String Overrides version 5.x-1.8 suffer from a cross site scripting vulnerability.
-
7:58
»
Packet Storm Security Misc. Files
Drupal version 6.20 with String Overrides version 6.x-1.8 and Drupal version 5.21 with String Overrides version 5.x-1.8 suffer from a cross site scripting vulnerability.
-
-
15:04
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 11-311 - This vulnerability allows remote attackers to potentially disclose memory addresses on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within how QuickTime.qts parses a data handler in specific atom within a .mov file. The application will utilize a string length to copy data into an heap buffer, if the string is of zero-length, the application will fail to copy anything and then proceed to use the uninitialized buffer as a string.
-
15:04
»
Packet Storm Security Recent Files
Zero Day Initiative Advisory 11-311 - This vulnerability allows remote attackers to potentially disclose memory addresses on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within how QuickTime.qts parses a data handler in specific atom within a .mov file. The application will utilize a string length to copy data into an heap buffer, if the string is of zero-length, the application will fail to copy anything and then proceed to use the uninitialized buffer as a string.
-
15:04
»
Packet Storm Security Misc. Files
Zero Day Initiative Advisory 11-311 - This vulnerability allows remote attackers to potentially disclose memory addresses on vulnerable installations of Apple QuickTime Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within how QuickTime.qts parses a data handler in specific atom within a .mov file. The application will utilize a string length to copy data into an heap buffer, if the string is of zero-length, the application will fail to copy anything and then proceed to use the uninitialized buffer as a string.
-
-
14:45
»
Packet Storm Security Exploits
BroadWin WebAccess Client with bwocxrun.ocx versions 1.0.0.10 and below suffer from format string and memory corruption vulnerabilities. The OcxSpool function is affected by a format string vulnerability caused by the usage of the Msg string provided by the attacker directly with vsprintf() without the required format argument. WriteTextData and CloseFile allow to corrupt arbitrary zones of the memory through a fully controllable stream identifier in fclose() and fwrite().
-
14:45
»
Packet Storm Security Recent Files
BroadWin WebAccess Client with bwocxrun.ocx versions 1.0.0.10 and below suffer from format string and memory corruption vulnerabilities. The OcxSpool function is affected by a format string vulnerability caused by the usage of the Msg string provided by the attacker directly with vsprintf() without the required format argument. WriteTextData and CloseFile allow to corrupt arbitrary zones of the memory through a fully controllable stream identifier in fclose() and fwrite().
-
14:45
»
Packet Storm Security Misc. Files
BroadWin WebAccess Client with bwocxrun.ocx versions 1.0.0.10 and below suffer from format string and memory corruption vulnerabilities. The OcxSpool function is affected by a format string vulnerability caused by the usage of the Msg string provided by the attacker directly with vsprintf() without the required format argument. WriteTextData and CloseFile allow to corrupt arbitrary zones of the memory through a fully controllable stream identifier in fclose() and fwrite().
-
-
16:02
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 11-207 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the support for embedding various file types within the RIFF-based Director file format. Several of the asset modules distributed with Shockwave do not properly extract string values from within embedded media objects. The code attempts to null-terminate such strings using a 32-bit size value specified prior to the string value. By crafting an embedded media object with a large string size an attacker can write a NULL byte to a controlled offset from the buffer containing the string. This can be leveraged to execute arbitrary code under the context of the user running the browser.
-
16:02
»
Packet Storm Security Recent Files
Zero Day Initiative Advisory 11-207 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the support for embedding various file types within the RIFF-based Director file format. Several of the asset modules distributed with Shockwave do not properly extract string values from within embedded media objects. The code attempts to null-terminate such strings using a 32-bit size value specified prior to the string value. By crafting an embedded media object with a large string size an attacker can write a NULL byte to a controlled offset from the buffer containing the string. This can be leveraged to execute arbitrary code under the context of the user running the browser.
-
16:02
»
Packet Storm Security Misc. Files
Zero Day Initiative Advisory 11-207 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the Adobe Shockwave Player. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the support for embedding various file types within the RIFF-based Director file format. Several of the asset modules distributed with Shockwave do not properly extract string values from within embedded media objects. The code attempts to null-terminate such strings using a 32-bit size value specified prior to the string value. By crafting an embedded media object with a large string size an attacker can write a NULL byte to a controlled offset from the buffer containing the string. This can be leveraged to execute arbitrary code under the context of the user running the browser.
-
-
20:31
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 11-171 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sybase OneBridge Mobile Data Suite. Authentication is not required to exploit this vulnerability. The specific flaw exists within the iMailGatewayService server process (ECTrace.dll) which listens for encrypted requests by default on TCP port 993 (IMAP) and port 587 (SMTP). The process fails to properly sanitize malformed user string inputs before passing to the authentication logging function. By providing a specially crafted string with format specifiers this can be leveraged to trigger a format string vulnerability which can lead to arbitrary code execution in the context of the server process.
-
20:31
»
Packet Storm Security Recent Files
Zero Day Initiative Advisory 11-171 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sybase OneBridge Mobile Data Suite. Authentication is not required to exploit this vulnerability. The specific flaw exists within the iMailGatewayService server process (ECTrace.dll) which listens for encrypted requests by default on TCP port 993 (IMAP) and port 587 (SMTP). The process fails to properly sanitize malformed user string inputs before passing to the authentication logging function. By providing a specially crafted string with format specifiers this can be leveraged to trigger a format string vulnerability which can lead to arbitrary code execution in the context of the server process.
-
20:31
»
Packet Storm Security Misc. Files
Zero Day Initiative Advisory 11-171 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sybase OneBridge Mobile Data Suite. Authentication is not required to exploit this vulnerability. The specific flaw exists within the iMailGatewayService server process (ECTrace.dll) which listens for encrypted requests by default on TCP port 993 (IMAP) and port 587 (SMTP). The process fails to properly sanitize malformed user string inputs before passing to the authentication logging function. By providing a specially crafted string with format specifiers this can be leveraged to trigger a format string vulnerability which can lead to arbitrary code execution in the context of the server process.
-
-
13:41
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 10-301 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trent Micro Control Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within how the mrf.exe component composes a string used to display an error message. The application will build the string using a buffer located on the stack using a sprintf call. As attacker controlled data is used to construct the string, this can lead to code execution under the context of the application.
-
13:41
»
Packet Storm Security Recent Files
Zero Day Initiative Advisory 10-301 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trent Micro Control Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within how the mrf.exe component composes a string used to display an error message. The application will build the string using a buffer located on the stack using a sprintf call. As attacker controlled data is used to construct the string, this can lead to code execution under the context of the application.
-
13:41
»
Packet Storm Security Misc. Files
Zero Day Initiative Advisory 10-301 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Trent Micro Control Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within how the mrf.exe component composes a string used to display an error message. The application will build the string using a buffer located on the stack using a sprintf call. As attacker controlled data is used to construct the string, this can lead to code execution under the context of the application.
-
-
20:01
»
Packet Storm Security Recent Files
Zero Day Initiative Advisory 10-185 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager Fastback. Authentication is not required to exploit this vulnerability. The specific flaw exists within the FastBack server process (FastBackServer.exe) which listens by default on TCP port 11406. The process searches received packet data for a pipe character (0x7c) and then sends the remaining portion of the string to the event log without sanitization. By providing a specially crafted string with format specifiers this can be leveraged to trigger a format string vulnerability which can lead to arbitrary code execution in the context of the server process.
-
20:00
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 10-185 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Tivoli Storage Manager Fastback. Authentication is not required to exploit this vulnerability. The specific flaw exists within the FastBack server process (FastBackServer.exe) which listens by default on TCP port 11406. The process searches received packet data for a pipe character (0x7c) and then sends the remaining portion of the string to the event log without sanitization. By providing a specially crafted string with format specifiers this can be leveraged to trigger a format string vulnerability which can lead to arbitrary code execution in the context of the server process.
-
-
8:00
»
Hack a Day
Ah, we love musical hacks that actually play music. [Mike Baxter] is back again with a new servo electric guitar. This one, called the physical string synthesizer, and has only one string. He’s using two Arduinos to control the unit. One to change the midi file to a note within the string’s limits and the [...]
-
-
19:00
»
Packet Storm Security Exploits
This Metasploit module exploits a format string vulnerability within version 10.0.4.x and 10.5.1 of the SonicWALL Aventail SSL-VPN Endpoint Interrogator/Installer ActiveX control (epi.dll). By calling the 'AuthCredential' method with a specially crafted Unicode format string, an attacker can cause memory corruption and execute arbitrary code. Unfortunately, it does not appear to be possible to indirectly re-use existing stack data for more reliable exploitation. This is due to several particulars about this vulnerability. First, the format string must be a Unicode string, which uses two bytes per character. Second, the buffer is allocated on the stack using the 'alloca' function. As such, each additional format specifier (%x) will add four more bytes to the size allocated. This results in the inability to move the read pointer outside of the buffer. Further testing showed that using specifiers that pop more than four bytes does not help. Any number of format specifiers will result in accessing the same value within the buffer. NOTE: It may be possible to leverage the vulnerability to leak memory contents. However, that has not been fully investigated at this time.
-
-
19:03
»
Packet Storm Security Recent Files
Mandriva Linux Security Advisory 2010-132 - Multiple integer overflows in audioop.c in the audioop module in Ptthon allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. The audioop module in Python does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
-
19:01
»
Packet Storm Security Advisories
Mandriva Linux Security Advisory 2010-132 - Multiple integer overflows in audioop.c in the audioop module in Ptthon allow context-dependent attackers to cause a denial of service (application crash) via a large fragment, as demonstrated by a call to audioop.lin2lin with a long string in the first argument, leading to a buffer overflow. The audioop module in Python does not verify the relationships between size arguments and byte string lengths, which allows context-dependent attackers to cause a denial of service (memory corruption and application crash) via crafted arguments, as demonstrated by a call to audioop.reverse with a one-byte string, a different vulnerability than CVE-2010-1634.
-
-
21:52
»
SecuriTeam
VMrc is vulnerable to format string attacks. Exploitation of this issue may lead to arbitrary code execution on the system where VMrc is installed.
-
Make your website safer. Use external penetration testing service. First report ready in one hour!
-
-
13:58
»
Packet Storm Security Advisories
Zero Day Initiative Advisory 10-079 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of RealNetworks Helix Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the authentication provided by the administrative web interface and is only present if it is configured to use NTLM. The vulnerability can be triggered by specifying invalid Base64 string within the Authorization header. If the string is not proper Base64 the vulnerable function returns -1 which is not verified and is later used as a length to a string copy routine.
-
-
4:20
»
remote-exploit & backtrack
Hello,
I am studying Honeypots so I am trying to setup honeyd in BT4.
honeyd could be installed easily by using apt-get install
The problem is arpd :confused:
BT4 has arpd installed but it doesn't look the same like honeyd.org version
I tried to install arpd-0.2 but I couldn't install it. when I try to "make" I got the following errors:
arpd.c:268 error: expected ')' before string constant
arpd.c:285 error: expected ')' before string constant
arpd.c:294 error: expected ')' before string constant
After googling i found that starting from gcc 3.4 the compiler treats the "__FUNCTION__" as variable while previous compilers treat it as string?
I also found the following link:
http://aaaleonardo.blogspot.com/2009...os-52-via.html
but the step:
./configure --with-libdnet=/usr/local/libdnet --with-libevent=/usr/local/libevent
is not working even after installing the libdnet and libevent and changing the path to /usr/local/lib/...
there is something wrong with libevent and libpcap
how to solve this problem ?
does BT4 have a different tool with the same functionality ?
-
-
11:42
»
Hack a Day
The Ferret is a high-altitude balloon tracking hardware package. Created by [Adam Greig] and [Jon Sowman], it uses an Arduino to gather NMEA data from a GPS unit, format the data into a string, and transmit that string on narrow-band FM. The project, built in one afternoon, is a tribute to the prototyping simplicity the [...]
-
-
15:00
»
Packet Storm Security Recent Files
Ubuntu Security Notice 900-1 - Emmanouel Kellinis discovered that Ruby did not properly handle certain string operations. An attacker could exploit this issue and possibly execute arbitrary code with application privileges. Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that Ruby did not properly sanitize data written to log files. An attacker could insert specially-crafted data into log files which could affect certain terminal emulators and cause arbitrary files to be overwritten, or even possibly execute arbitrary commands. It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service. This issue only affected Ubuntu 9.10.
-
15:00
»
Packet Storm Security Advisories
Ubuntu Security Notice 900-1 - Emmanouel Kellinis discovered that Ruby did not properly handle certain string operations. An attacker could exploit this issue and possibly execute arbitrary code with application privileges. Giovanni Pellerano, Alessandro Tanasi, and Francesco Ongaro discovered that Ruby did not properly sanitize data written to log files. An attacker could insert specially-crafted data into log files which could affect certain terminal emulators and cause arbitrary files to be overwritten, or even possibly execute arbitrary commands. It was discovered that Ruby did not properly handle string arguments that represent large numbers. An attacker could exploit this and cause a denial of service. This issue only affected Ubuntu 9.10.
-
-
9:00
»
Hack a Day
This is the multichord, a one-string musical instrument built by [Christopher Mitchell]. The string is a 20 pound mono-filament thread stretched between a wooden bridge and the read/write head of a hard drive. The idea is that the vibrations of the string are picked up and amplified acoustically by the sounding box that serves as [...]
