«
Expand/Collapse
104 items tagged "exploitation"
Related tags:
discovery protocol [+],
cisco unified [+],
vulnerabilities [+],
chaos communication congress [+],
Skype [+],
denial [+],
remote [+],
post [+],
overflow [+],
malaysia [+],
hitb [+],
day [+],
buffer [+],
usa [+],
router [+],
memory corruption [+],
kernel [+],
injection [+],
code [+],
black hat [+],
ARM [+],
xss [+],
slides [+],
metasploit [+],
memory [+],
jboss [+],
felix [+],
dos vulnerability [+],
buffer overflow [+],
vsr [+],
sql injection [+],
software vulnerabilities [+],
security [+],
process [+],
presence protocol [+],
paper [+],
network drivers [+],
mysql [+],
memory exhaustion [+],
local [+],
lindner [+],
jonathan brossard [+],
jon oberheide [+],
itzhak avraham tags [+],
itzhak [+],
execution [+],
defense mechanisms [+],
corruption bug [+],
cisco sql [+],
cisco sales [+],
audio [+],
attacker [+],
advanced [+],
Software [+],
zero day [+],
zero [+],
workgroups [+],
voice over ip software [+],
video [+],
val smith [+],
uma [+],
terminator 3 [+],
technique [+],
tactical [+],
symbianos [+],
sql servers [+],
shell [+],
servers [+],
ruby [+],
remote monitoring system [+],
railgun [+],
proper exploitation [+],
presentation [+],
posix api [+],
pool [+],
pivot [+],
phone [+],
penetration test [+],
overflows [+],
open source tools [+],
ms sql [+],
meterpreter [+],
memory allocator [+],
marc eisenbarth [+],
linux [+],
kernel stack [+],
juniper [+],
introduction [+],
injection bug [+],
heap [+],
h.d. moore val [+],
google [+],
freebsd [+],
forensics [+],
external stimuli [+],
exploits [+],
exploitation technique [+],
daytona [+],
david d. rude [+],
d moore [+],
cross site scripting [+],
covert [+],
consoles [+],
command [+],
collin mulliner [+],
cisco event [+],
cisco [+],
christiane ruetten [+],
chef [+],
buffer overflows [+],
bremen [+],
blackhat [+],
arbitrary code execution [+],
arabic [+],
antique [+],
aleph one [+],
aed [+],
yuriy bulygin [+],
windows [+],
video router [+],
unix servers [+],
txt [+],
stefan esser [+],
sql [+],
service [+],
seh [+],
researchers release [+],
researchers [+],
reliable [+],
rdp [+],
poison [+],
point and click [+],
persistent [+],
password [+],
online [+],
nightmare [+],
nicolas waisman [+],
new [+],
memory accesses [+],
linker [+],
kernel internals [+],
iphone [+],
ios [+],
internet explorer 8 [+],
hp network printers [+],
hacks [+],
ghost [+],
exploitation techniques [+],
exception handler [+],
exception [+],
domain names [+],
document viewers [+],
directory traversal vulnerability [+],
dino dai zovi [+],
design [+],
denial of service [+],
david litchfield [+],
data execution prevention [+],
corruption [+],
cisco router [+],
cisco ios [+],
case study [+],
case [+],
cain [+],
bugtraq [+],
brief [+],
boston [+],
authors [+],
aurora [+],
ast [+],
arp [+],
aleatory [+],
Release [+],
cisco security advisory [+],
cisco security [+],
whitepaper [+],
free software updates [+],
cisco telepresence [+],
cisco discovery [+],
advisory [+],
vulnerability [+]
-
-
15:44
»
Packet Storm Security Recent Files
This is a presentation called Router Exploitation. It was given at BlackHat 2009. It discusses various vendors such as Cisco, Juniper, Huawei, and more.
-
15:44
»
Packet Storm Security Misc. Files
This is a presentation called Router Exploitation. It was given at BlackHat 2009. It discusses various vendors such as Cisco, Juniper, Huawei, and more.
-
-
12:58
»
SecDocs
-
-
21:30
»
SecDocs
Authors:
Felix 'FX' Lindner Tags:
embedded Event:
Chaos Communication Congress 19th (19C3) 2002 Abstract: The speech covers design issues and software vulnerabilities in embedded systems. The exploitation of design failures will be presented using HP network printers as an example - including getting access up to the point where the printer becomes an attack platform itself. Additionally, exploitation of software vulnerabilities will be covered by presenting a tutorial to write exploits for Cisco IOS. Methods and source code for Cisco Router exploits will be shown.
-
-
21:25
»
SecDocs
Authors:
Marc Eisenbarth Tags:
data mining Event:
Black Hat DC 2011 Abstract: Security professionals have a massive number of acronyms at their disposal: IPS, VA, VM, SIEM, NBAD, and more. This talk is about a tool that resists classification by these acronyms. The goal of Active Exploitation Detection (AED) is to actively monitor and identify compromise of arbitrary, remote systems with the express intent to discover novel exploitation methods, track down elusive zero-day details, compile a list of known-compromised hosts, and most importantly get into the mind of today’s cyber criminals. Simplistically, AED correlates changes visible to the remote monitoring system with external stimuli such as software patch schedules and security media sources in order to gain unique insight into the security threat landscape on an Internet scale. AED is a framework which is driven by arbitrary pluggable modules that must provide four high level implementations, namely port scanning, application identification via static and dynamic methods, and a data mining engine. The primary goal of this talk is to both present findings that trend the threat landscape of the Internet as a whole, and the tool itself, which is a means to introduce the audience to a number of best-of-breed open-source tools which have been integrated into this project.
-
21:25
»
SecDocs
Authors:
Marc Eisenbarth Tags:
data mining Event:
Black Hat DC 2011 Abstract: Security professionals have a massive number of acronyms at their disposal: IPS, VA, VM, SIEM, NBAD, and more. This talk is about a tool that resists classification by these acronyms. The goal of Active Exploitation Detection (AED) is to actively monitor and identify compromise of arbitrary, remote systems with the express intent to discover novel exploitation methods, track down elusive zero-day details, compile a list of known-compromised hosts, and most importantly get into the mind of today’s cyber criminals. Simplistically, AED correlates changes visible to the remote monitoring system with external stimuli such as software patch schedules and security media sources in order to gain unique insight into the security threat landscape on an Internet scale. AED is a framework which is driven by arbitrary pluggable modules that must provide four high level implementations, namely port scanning, application identification via static and dynamic methods, and a data mining engine. The primary goal of this talk is to both present findings that trend the threat landscape of the Internet as a whole, and the tool itself, which is a means to introduce the audience to a number of best-of-breed open-source tools which have been integrated into this project.
-
-
19:38
»
Packet Storm Security Advisories
Cisco Security Advisory - A denial of service (DoS) vulnerability exists in Cisco Unified Presence and Jabber Extensible Communications Platform (Jabber XCP). An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) stream header to an affected server. Successful exploitation of this vulnerability could cause the Connection Manager process to crash. Repeated exploitation could result in a sustained DoS condition. There are no workarounds available to mitigate exploitation of this vulnerability. Cisco has released free software updates that address this vulnerability.
-
19:38
»
Packet Storm Security Recent Files
Cisco Security Advisory - A denial of service (DoS) vulnerability exists in Cisco Unified Presence and Jabber Extensible Communications Platform (Jabber XCP). An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) stream header to an affected server. Successful exploitation of this vulnerability could cause the Connection Manager process to crash. Repeated exploitation could result in a sustained DoS condition. There are no workarounds available to mitigate exploitation of this vulnerability. Cisco has released free software updates that address this vulnerability.
-
19:38
»
Packet Storm Security Misc. Files
Cisco Security Advisory - A denial of service (DoS) vulnerability exists in Cisco Unified Presence and Jabber Extensible Communications Platform (Jabber XCP). An unauthenticated, remote attacker could exploit this vulnerability by sending a specially crafted Extensible Messaging and Presence Protocol (XMPP) stream header to an affected server. Successful exploitation of this vulnerability could cause the Connection Manager process to crash. Repeated exploitation could result in a sustained DoS condition. There are no workarounds available to mitigate exploitation of this vulnerability. Cisco has released free software updates that address this vulnerability.
-
20:39
»
Packet Storm Security Misc. Files
This is a brief whitepaper that discusses ARM exploitation and is based on work the author performed against Windows Mobile. Written in Turkish.
-
-
21:41
»
SecDocs
Authors:
Christiane Ruetten Tags:
buffer overflow Event:
Chaos Communication Congress 22th (22C3) 2005 Abstract: Everything started with Aleph One's paper "Smashing the Stack for Fun and Profit". These techniques are still the basis for modern exploitation of buffer, heap and format string vulnerabilities. We will give a swift overview about C functions, stack usage, assembler, gcc, gdb and how these few tools can be used to understand and write shell-code to turn simple buffer overflows into backdoors that open whole systems to potential attackers. Sure you want to know how to defend against that. We also will tell you about that! This course essentially was held at Informatica Feminale in Bremen in September 2005. Not by accident, there is a strong alignment to Aleph1's popular paper on this topic. We will start by looking at the i386 architecture, the linux memory model, typical C functions, how function parameters are pushed onto the stack according to standard C calling convetions and how space is allocated on the stack for local variables. We will take a closer look at the steps neccessary to open a shell and exit cleanly and how to find out how to implement these functions in assembler to build a shellcode, which yields a pretty universal howto of shellcode writing on nearly any architecture, just using gcc and gdb. Finally, we will see how the vital stack space of some vulnerable programs gets overwritten and and how to cleverly do that to force even unknown programs into doing what WE want them to do. The conclusion of this course will put buffer overflows into a wider perspective. How are they related to those other vulnerabilities, like heap overflows and format string vulnerabilities and what can we do to prevent them?
-
21:41
»
SecDocs
Authors:
Christiane Ruetten Tags:
buffer overflow Event:
Chaos Communication Congress 22th (22C3) 2005 Abstract: Everything started with Aleph One's paper "Smashing the Stack for Fun and Profit". These techniques are still the basis for modern exploitation of buffer, heap and format string vulnerabilities. We will give a swift overview about C functions, stack usage, assembler, gcc, gdb and how these few tools can be used to understand and write shell-code to turn simple buffer overflows into backdoors that open whole systems to potential attackers. Sure you want to know how to defend against that. We also will tell you about that! This course essentially was held at Informatica Feminale in Bremen in September 2005. Not by accident, there is a strong alignment to Aleph1's popular paper on this topic. We will start by looking at the i386 architecture, the linux memory model, typical C functions, how function parameters are pushed onto the stack according to standard C calling convetions and how space is allocated on the stack for local variables. We will take a closer look at the steps neccessary to open a shell and exit cleanly and how to find out how to implement these functions in assembler to build a shellcode, which yields a pretty universal howto of shellcode writing on nearly any architecture, just using gcc and gdb. Finally, we will see how the vital stack space of some vulnerable programs gets overwritten and and how to cleverly do that to force even unknown programs into doing what WE want them to do. The conclusion of this course will put buffer overflows into a wider perspective. How are they related to those other vulnerabilities, like heap overflows and format string vulnerabilities and what can we do to prevent them?
-
-
19:08
»
Packet Storm Security Advisories
Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow an unauthenticated, remote attacker to create a denial of service (DoS) condition, causing the product to become unresponsive to new connection requests and potentially leading to termination services and processes. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
-
19:08
»
Packet Storm Security Recent Files
Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow an unauthenticated, remote attacker to create a denial of service (DoS) condition, causing the product to become unresponsive to new connection requests and potentially leading to termination services and processes. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
-
19:08
»
Packet Storm Security Misc. Files
Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow an unauthenticated, remote attacker to create a denial of service (DoS) condition, causing the product to become unresponsive to new connection requests and potentially leading to termination services and processes. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
-
19:07
»
Packet Storm Security Advisories
Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow an unauthenticated, remote attacker to create a denial of service (DoS) condition, causing the product to become unresponsive to new connection requests and potentially leading to termination services and processes. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
-
19:07
»
Packet Storm Security Recent Files
Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow an unauthenticated, remote attacker to create a denial of service (DoS) condition, causing the product to become unresponsive to new connection requests and potentially leading to termination services and processes. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
-
19:07
»
Packet Storm Security Misc. Files
Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow an unauthenticated, remote attacker to create a denial of service (DoS) condition, causing the product to become unresponsive to new connection requests and potentially leading to termination services and processes. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
-
18:59
»
Packet Storm Security Advisories
Cisco Security Advisory - Cisco TelePresence Endpoint devices contain multiple vulnerabilities. Exploitation of the API Remote Command Execution vulnerability could allow an unauthenticated, adjacent attacker to inject commands into API requests. The injected commands will be executed by the underlying operating system in an elevated context. Exploitation of the Remote Command Execution vulnerability could allow an authenticated, remote attacker to inject commands into requests made to the Administrative Web interface. The injected commands will be executed by the underlying operating system in an elevated context. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
-
18:59
»
Packet Storm Security Recent Files
Cisco Security Advisory - Cisco TelePresence Endpoint devices contain multiple vulnerabilities. Exploitation of the API Remote Command Execution vulnerability could allow an unauthenticated, adjacent attacker to inject commands into API requests. The injected commands will be executed by the underlying operating system in an elevated context. Exploitation of the Remote Command Execution vulnerability could allow an authenticated, remote attacker to inject commands into requests made to the Administrative Web interface. The injected commands will be executed by the underlying operating system in an elevated context. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
-
18:59
»
Packet Storm Security Misc. Files
Cisco Security Advisory - Cisco TelePresence Endpoint devices contain multiple vulnerabilities. Exploitation of the API Remote Command Execution vulnerability could allow an unauthenticated, adjacent attacker to inject commands into API requests. The injected commands will be executed by the underlying operating system in an elevated context. Exploitation of the Remote Command Execution vulnerability could allow an authenticated, remote attacker to inject commands into requests made to the Administrative Web interface. The injected commands will be executed by the underlying operating system in an elevated context. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released free software updates that address these vulnerabilities. There are no workarounds that mitigate these vulnerabilities.
-
18:57
»
Packet Storm Security Advisories
Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to create a denial of service condition, preventing the product from responding to new connection requests and potentially causing some services and processes to crash. Exploitation of the Cisco TelePresence Web Interface Command Injection may allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released updated software that resolves the command and code execution vulnerabilities. There are currently no plans to resolve the malformed IP packets denial of service vulnerability, as this product is no longer being actively supported. There are no workarounds that mitigate these vulnerabilities. Customers should contact their Cisco Sales Representative to determine the Business Unit responsible for their Cisco TelePresence Recording Server.
-
18:57
»
Packet Storm Security Recent Files
Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to create a denial of service condition, preventing the product from responding to new connection requests and potentially causing some services and processes to crash. Exploitation of the Cisco TelePresence Web Interface Command Injection may allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released updated software that resolves the command and code execution vulnerabilities. There are currently no plans to resolve the malformed IP packets denial of service vulnerability, as this product is no longer being actively supported. There are no workarounds that mitigate these vulnerabilities. Customers should contact their Cisco Sales Representative to determine the Business Unit responsible for their Cisco TelePresence Recording Server.
-
18:57
»
Packet Storm Security Misc. Files
Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to create a denial of service condition, preventing the product from responding to new connection requests and potentially causing some services and processes to crash. Exploitation of the Cisco TelePresence Web Interface Command Injection may allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released updated software that resolves the command and code execution vulnerabilities. There are currently no plans to resolve the malformed IP packets denial of service vulnerability, as this product is no longer being actively supported. There are no workarounds that mitigate these vulnerabilities. Customers should contact their Cisco Sales Representative to determine the Business Unit responsible for their Cisco TelePresence Recording Server.
-
-
21:37
»
SecDocs
Authors:
Collin Mulliner Tags:
exploiting phone Event:
Chaos Communication Congress 25th (25C3) 2008 Abstract: SymbianOS is one of the major smart phone operating system and has been around for many years still exploitation has not been researched yet. The lack of proper exploitation techniques is mostly due to the fact that until the recent introduction of PIPS/OpenC (a POSIX API port) SymbianOS did not have the means for programmers to EASILY write insecure code.
-
21:37
»
SecDocs
Authors:
Collin Mulliner Tags:
exploiting phone Event:
Chaos Communication Congress 25th (25C3) 2008 Abstract: SymbianOS is one of the major smart phone operating system and has been around for many years still exploitation has not been researched yet. The lack of proper exploitation techniques is mostly due to the fact that until the recent introduction of PIPS/OpenC (a POSIX API port) SymbianOS did not have the means for programmers to EASILY write insecure code.
-
-
22:38
»
SecDocs
Authors:
Jonathan Brossard Tags:
memory Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: Pmcma is a tool aimed at automating the most time consuming taskes of exploitation. It for instance determine why an application is triggering a segmentention fault, evaluate if the faulting instruction can be used to write to memory or execute arbitrary code, and list all the function pointers potentially called from a given point in time by an application. Pmcma is a totally new kind of debugger, which allows for easy experimentation with a process in memory by forcing it to fork. The exact replicas of the process created in memory can then be intrumented while keeping the properties (eg: state of variables, ASLR, permissions...) of the original process. Pmcma is an easily extensible framework available under the Apache 2.0 license from http://www.pmcma.org/ . In this presentation, we introduce a new exploitation methodology of invalid memory reads and writes, based on dataflow analysis after a memory corruption bug has occured inside a running process. We will expose a methodology which shall help writting a reliable exploit out of a PoC triggering an invalid memory write, in presence of security defense mechanisme such as compiler enchancements (full RELRO, SSP...), or kernel anti exploitation features (ASLR, NX...). We will demonstrate how to:find all the function pointers inside a running process, how to determine which ones would have been dereferenced after the crash, which ones are truncable (in particular with 0x00000000). In case all of the above fail, how to test for specific locations overwrites in order to indirectly trigger a second vulnerability allowing greater control and eventually control flow hijacking. All of the above without source code, indeed ;) In the case of invalid memory reads, we will exemplify how indirectly influence the control flow of execution by reading arbitary values, how to trace all the unaligned memory access and how to test if an invalid read can be turned into an invalid write or used to infere the mapping of the binary. We will also introduce a new debugging technique which allows for very effective testing of all of the above by forcing the debugged process to fork(). Automatically. And with a rating of the best read/write location based on probabilities of mapping addresses (because of ASLR). Finally, since overwriting function pointers doesn't allow direct shellcode execution because of W^X mappings, we introduce a new exploitation technique which works even in the most hardcore kernels such as grsecurity. IT is called "stack desynchronization" and allows frame faking inside the stack itself. Those techniques are implemented in the form of a proof of concept tool available under the Apache 2.0 license at : http://www.pmcma.org/ .
-
22:38
»
SecDocs
Authors:
Jonathan Brossard Tags:
memory Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: Pmcma is a tool aimed at automating the most time consuming taskes of exploitation. It for instance determine why an application is triggering a segmentention fault, evaluate if the faulting instruction can be used to write to memory or execute arbitrary code, and list all the function pointers potentially called from a given point in time by an application. Pmcma is a totally new kind of debugger, which allows for easy experimentation with a process in memory by forcing it to fork. The exact replicas of the process created in memory can then be intrumented while keeping the properties (eg: state of variables, ASLR, permissions...) of the original process. Pmcma is an easily extensible framework available under the Apache 2.0 license from http://www.pmcma.org/ . In this presentation, we introduce a new exploitation methodology of invalid memory reads and writes, based on dataflow analysis after a memory corruption bug has occured inside a running process. We will expose a methodology which shall help writting a reliable exploit out of a PoC triggering an invalid memory write, in presence of security defense mechanisme such as compiler enchancements (full RELRO, SSP...), or kernel anti exploitation features (ASLR, NX...). We will demonstrate how to:find all the function pointers inside a running process, how to determine which ones would have been dereferenced after the crash, which ones are truncable (in particular with 0x00000000). In case all of the above fail, how to test for specific locations overwrites in order to indirectly trigger a second vulnerability allowing greater control and eventually control flow hijacking. All of the above without source code, indeed ;) In the case of invalid memory reads, we will exemplify how indirectly influence the control flow of execution by reading arbitary values, how to trace all the unaligned memory access and how to test if an invalid read can be turned into an invalid write or used to infere the mapping of the binary. We will also introduce a new debugging technique which allows for very effective testing of all of the above by forcing the debugged process to fork(). Automatically. And with a rating of the best read/write location based on probabilities of mapping addresses (because of ASLR). Finally, since overwriting function pointers doesn't allow direct shellcode execution because of W^X mappings, we introduce a new exploitation technique which works even in the most hardcore kernels such as grsecurity. IT is called "stack desynchronization" and allows frame faking inside the stack itself. Those techniques are implemented in the form of a proof of concept tool available under the Apache 2.0 license at : http://www.pmcma.org/ .
-
22:38
»
SecDocs
Authors:
Jonathan Brossard Tags:
memory Event:
Chaos Communication Congress 28th (28C3) 2011 Abstract: Pmcma is a tool aimed at automating the most time consuming taskes of exploitation. It for instance determine why an application is triggering a segmentention fault, evaluate if the faulting instruction can be used to write to memory or execute arbitrary code, and list all the function pointers potentially called from a given point in time by an application. Pmcma is a totally new kind of debugger, which allows for easy experimentation with a process in memory by forcing it to fork. The exact replicas of the process created in memory can then be intrumented while keeping the properties (eg: state of variables, ASLR, permissions...) of the original process. Pmcma is an easily extensible framework available under the Apache 2.0 license from http://www.pmcma.org/ . In this presentation, we introduce a new exploitation methodology of invalid memory reads and writes, based on dataflow analysis after a memory corruption bug has occured inside a running process. We will expose a methodology which shall help writting a reliable exploit out of a PoC triggering an invalid memory write, in presence of security defense mechanisme such as compiler enchancements (full RELRO, SSP...), or kernel anti exploitation features (ASLR, NX...). We will demonstrate how to:find all the function pointers inside a running process, how to determine which ones would have been dereferenced after the crash, which ones are truncable (in particular with 0x00000000). In case all of the above fail, how to test for specific locations overwrites in order to indirectly trigger a second vulnerability allowing greater control and eventually control flow hijacking. All of the above without source code, indeed ;) In the case of invalid memory reads, we will exemplify how indirectly influence the control flow of execution by reading arbitary values, how to trace all the unaligned memory access and how to test if an invalid read can be turned into an invalid write or used to infere the mapping of the binary. We will also introduce a new debugging technique which allows for very effective testing of all of the above by forcing the debugged process to fork(). Automatically. And with a rating of the best read/write location based on probabilities of mapping addresses (because of ASLR). Finally, since overwriting function pointers doesn't allow direct shellcode execution because of W^X mappings, we introduce a new exploitation technique which works even in the most hardcore kernels such as grsecurity. IT is called "stack desynchronization" and allows frame faking inside the stack itself. Those techniques are implemented in the form of a proof of concept tool available under the Apache 2.0 license at : http://www.pmcma.org/ .
-
-
22:26
»
Packet Storm Security Recent Files
This is the full Daytona package that houses three remote JBoss exploits with authentication bypass. They are ported from Metasploit and beefed up with two scanners.
-
22:26
»
Packet Storm Security Misc. Files
This is the full Daytona package that houses three remote JBoss exploits with authentication bypass. They are ported from Metasploit and beefed up with two scanners.
-
-
14:52
»
Packet Storm Security Advisories
Cisco Security Advisory - A denial of service (DoS) vulnerability exists in Jabber Extensible Communications Platform (Jabber XCP) and Cisco Unified Presence. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious XML to an affected server. Successful exploitation of this vulnerability could cause elevated memory and CPU utilization, resulting in memory exhaustion and process crashes. Repeated exploitation could result in a sustained DoS condition. There are no workarounds available to mitigate exploitation of this vulnerability.
-
14:52
»
Packet Storm Security Recent Files
Cisco Security Advisory - A denial of service (DoS) vulnerability exists in Jabber Extensible Communications Platform (Jabber XCP) and Cisco Unified Presence. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious XML to an affected server. Successful exploitation of this vulnerability could cause elevated memory and CPU utilization, resulting in memory exhaustion and process crashes. Repeated exploitation could result in a sustained DoS condition. There are no workarounds available to mitigate exploitation of this vulnerability.
-
14:52
»
Packet Storm Security Misc. Files
Cisco Security Advisory - A denial of service (DoS) vulnerability exists in Jabber Extensible Communications Platform (Jabber XCP) and Cisco Unified Presence. An unauthenticated, remote attacker could exploit this vulnerability by sending malicious XML to an affected server. Successful exploitation of this vulnerability could cause elevated memory and CPU utilization, resulting in memory exhaustion and process crashes. Repeated exploitation could result in a sustained DoS condition. There are no workarounds available to mitigate exploitation of this vulnerability.
-
-
13:12
»
SecDocs
Authors:
Nicolas Waisman Tags:
exploiting Event:
Black Hat USA 2010 Abstract: Over the years, exploitation objectives have changed alongside the associated efforts by vendors to protect their software. Exploitation has moved from remote exploits on Unix servers to the community focusing on client-side targets, such as document viewers and browsers. Some prime examples of these are the Aurora and IE peers zero-days actively exploited in the wild. These bugs answer many questions related to what the new breed of attacker is focusing on, yet all hype aside the real lesson is: botnet authors are learning how to fuzz for these vulnerabilities but are not able to write reliable exploits to accompany them. With that premise in mind, this presentation intends to explore the techniques used to exploit the "use-after-free" bug class on Internet Explorer 8, diving into the API internals, reviewing the art of heap crafting and presenting new techniques to improve it.
-
-
10:37
»
SecDocs
Authors:
Dino Dai Zovi Tags:
exploiting Event:
Black Hat USA 2010 Abstract: The latest advances in exploitation of memory corruption vulnerabilities revolve around applying return-oriented exploitation techniques to evade non-executable memory protections such as Microsoft's Data Execution Prevention (DEP), CPU-supported non-executable memory (NX/XD), and mandatory code-signing such as on iPhone OS. Although the ideas behind these exploitation techniques can be traced quite far back, they are receiving more attention as non-executable memory protections become more prevalent. This presentation will cover the current state of memory corruption exploitation and exploit mitigation as well as an in-depth discussion of a variety of return-oriented exploitation techniques. Finally, the presentation will discuss what ramifications return-oriented exploitation techniques have for exploit developers, software vendors, malware analysts, and enterprise IT security professionals.
-
-
7:51
»
Packet Storm Security Recent Files
Whitepaper called Structured Exception Handler Exploitation. The SEH exploitation technique was publicly documented by David Litchfield September, 2003. At a high-level, the SEH overwrite technique uses a software vulnerability to execute arbitrary code by abusing the 32-bit exception dispatching facilities provided by Windows. At a functional level, an SEH overwrite is generally accomplished by using a stack-based buffer. This document explains SEH details while exploiting a real case.
-
-
0:52
»
Packet Storm Security Recent Files
Whitepaper called Post Exploitation using Metasploit pivot and port forward. A very nice feature in Metasploit is the ability to pivot through a meterpreter session to the network on the other side. This tutorial walks you through how this is done once you have a meterpreter session on a foreign box.
-
0:52
»
Packet Storm Security Misc. Files
Whitepaper called Post Exploitation using Metasploit pivot and port forward. A very nice feature in Metasploit is the ability to pivot through a meterpreter session to the network on the other side. This tutorial walks you through how this is done once you have a meterpreter session on a foreign box.
-
-
17:17
»
Packet Storm Security Recent Files
Whitepaper called Exploitation of "Self-Only" Cross Site Scripting in Google Code. The author discusses how leveraging the use of clickjacking has enabled them to properly exploit a priorly non-exploitable cross site scripting issue in Google Code.
-
17:17
»
Packet Storm Security Misc. Files
Whitepaper called Exploitation of "Self-Only" Cross Site Scripting in Google Code. The author discusses how leveraging the use of clickjacking has enabled them to properly exploit a priorly non-exploitable cross site scripting issue in Google Code.
-
-
8:00
»
Hack a Day
Irongeek.com is hosting an online class on password exploitation. The event was a fundraiser called ShoeCon, but they are hosting the entire series for everyone to share. Not only are the videos there, but you can download the powerpoint slides as well. There is a massive amount of information here on various topics like Hashcat, [...]
-
-
2:02
»
SecDocs
Authors:
Patroklos Argyroudis Tags:
buffer overflow kernel exploiting FreeBSD Event:
Black Hat EU 2010 Abstract: FreeBSD (http://www.freebsd.org/) is widely accepted as one of the most reliable and performance-driven operating systems currently available in both the open source and proprietary worlds. While the exploitation of kernel vulnerabilities has been researched in the context of the Windows and Linux operating systems, FreeBSD, and BSD systems in general, have not received the same attention. This presentation will initially examine the exploitation of kernel stack overflow vulnerabilities on FreeBSD. The development process of a privilege escalation kernel stack smashing exploit will be documented for vulnerability CVE-2008-3531. The second part of the presentation will present a detailed security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We will examine how UMA overflows can lead to arbitrary code execution in the context of the latest stable FreeBSD kernel (8.0-RELEASE), and we will develop an exploitation methodology for privilege escalation and kernel continuation.
-
2:02
»
SecDocs
Authors:
Patroklos Argyroudis Tags:
buffer overflow kernel exploiting FreeBSD Event:
Black Hat EU 2010 Abstract: FreeBSD (http://www.freebsd.org/) is widely accepted as one of the most reliable and performance-driven operating systems currently available in both the open source and proprietary worlds. While the exploitation of kernel vulnerabilities has been researched in the context of the Windows and Linux operating systems, FreeBSD, and BSD systems in general, have not received the same attention. This presentation will initially examine the exploitation of kernel stack overflow vulnerabilities on FreeBSD. The development process of a privilege escalation kernel stack smashing exploit will be documented for vulnerability CVE-2008-3531. The second part of the presentation will present a detailed security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We will examine how UMA overflows can lead to arbitrary code execution in the context of the latest stable FreeBSD kernel (8.0-RELEASE), and we will develop an exploitation methodology for privilege escalation and kernel continuation.
-
-
21:03
»
SecDocs
Authors:
Jon Oberheide Tags:
vulnerability kernel exploiting Event:
Source Conference Boston 2010 Abstract: As userspace applications and services become increasingly hardened against traditional memory corruption exploits, operating system kernels have become a source for abundant exploitation opportunities. In particular, the Linux kernel has recently suffered a bout of severe and high-profile vulnerabilities and drawn ire from the security community for it's mishandling of bugs with known security impact, resulting in a Pwnie award for "Lamest Vendor Response". Given the importance the Linux operating system plays in many enterprise environments, it is necessary to understand the strengths and weaknesses of its kernel's security. In this presentation, we'll explore these strengths and weaknesses by diving deep into the exploitation of vulnerabilities in the Linux kernel. Using real-world vulnerabilities and exploits, we'll detail the traditional classes of kernel vulnerabilities such as control flow hijacking (via stack smashing and SLAB/SLUB/SLOB allocator corruption), invalid userland memory accesses (including NULL pointer dereferences), and information leakage. In addition to traditional bug classes, we'll cover the semantic vulnerabilities inherent in complex operating systems that require deep knowledge of kernel internals to identify and exploit subtle conditions (e.g. desynchronization in the VM subsystem), some of which have previously thought to be unexploitable. We'll also explore the attack surface of the Linux kernel and enumerate the most common vulnerability entry points using historical data. Lastly, we'll release several tools assisting vulndev/auditing and discuss the effectiveness of deployed countermeasures and best current practices for securing the Linux kernel.
-
-
3:18
»
SecDocs
Authors:
David D. Rude Tags:
Metasploit exploiting Event:
Black Hat DC 2010 Abstract: Command injection vulnerabilities have always been a neglected vulnerability class when it comes to exploitation. Many researchers simply view command injection bugs as a direct interface with a shell. While this is true, much more complex tasks can be achieved rather than just executing commands. The purpose of this talk is to discuss the advanced techniques to exploit command injection bugs to leverage more out of these types of vulnerabilities than just a shell. The techniques covered in this talk will show examples of taking a command injection bug and turning it into full native payload execution.
-
3:18
»
SecDocs
Authors:
David D. Rude Tags:
Metasploit exploiting Event:
Black Hat DC 2010 Abstract: Command injection vulnerabilities have always been a neglected vulnerability class when it comes to exploitation. Many researchers simply view command injection bugs as a direct interface with a shell. While this is true, much more complex tasks can be achieved rather than just executing commands. The purpose of this talk is to discuss the advanced techniques to exploit command injection bugs to leverage more out of these types of vulnerabilities than just a shell. The techniques covered in this talk will show examples of taking a command injection bug and turning it into full native payload execution.
-
-
19:00
»
Packet Storm Security Advisories
Cisco Security Advisory - The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability and a SQL injection vulnerability. Successful exploitation of the directory traversal vulnerability may allow an authenticated attacker to view and download arbitrary files from the server hosting the Management Center. Successful exploitation of the SQL injection vulnerability may allow an authenticated attacker to execute SQL statements that can cause instability of the product or changes in the configuration. Additionally, the Cisco Security Agent is affected by a denial of service (DoS) vulnerability. Successful exploitation of the Cisco Security Agent agent DoS vulnerability may cause the affected system to crash. Repeated exploitation could result in a sustained DoS condition. These vulnerabilities are independent of each other.
0day.today (was: 1337day, Inj3ct0r, 1337db)
OSVDB Vulnerabilities
Exploit-DB
SecurityFocus Vulnerabilities
Bugtraq
XSSed
Sophos security news
Penetration Testing
SecuriTeam
BackTrack Linux Forums
Threatpost
carnal0wnage.attackresearch.com
Carnal0wnage
Darknet
The Exploitant
Wirevolution