windows A case of DLL Side Loading from UNC via Windows environmental variable About a month ago I decided to take a look at JetBrains TeamCity, as I wanted to learn more about CVE-2022-25263 (an authenticated OS Command Injection in the Agent Push functionality). Initially I just wanted to find the affected feature and test the mitigation put in place, eventually I ended
windows Improving the write-what-where HEVD PoC (x86, Win7) Introduction This one is about another HEVD exercise (look here to see the my previous HEVD post); the arbitrary write (https://github.com/hacksysteam/HackSysExtremeVulnerableDriver/blob/master/Driver/HEVD/Windows/ArbitraryWrite.c). The main reason I decided to write up my experience with it is the fact that it instantly
windows HEVD StackOverflowGS x86 Win7 - exploitation analysis Introduction This post is about kernel mode exploitation basics under Windows. It operates on assumptions that the reader is familiar with terms such as process, thread, user and kernel mode and the difference between user and kernel mode virtual address range. One could use this post as an introduction to
hijacking Cmd Hijack - a command/argument confusion with path traversal in cmd.exe This one is about an interesting behavior π€ I identified in cmd.exe in result of many weeks of intermittent (private time, every now and then) research in pursuit of some new OS Command Injection attack vectors. So I was mostly trying to: * find an encoding missmatch between some command check/
windows PE Import Table hijacking as a way of achieving persistence - or exploiting DLL side loading Preface In this post I describe a simple trick I came up with recently - something which is definitely nothing new, but as I found it useful and haven't seen it elsewhere, I decided to write it up. What we want to achieve So - let's consider backdooring a Windows
linux Stack-canary (ROP), format string leak plus how I learned that nullbyte is not a badchar to scanf("%s",buf) - while socat ignores read on STDIN - MBE LAB8A This time we are having some fun with a standard null-armored stack canary, as well as Β an additional custom one (we will extensively cover both scenarios, as there's plenty of subject matter here), plus some peculiarities regarding scanf() and read(). The relevant MBE lecture can be found here http://security.
linux Out-of-bound read-write without integer sign flipping - MBE LAB8B walkthrough - the bonus version without using thisIsASecret() function Introduction This is the continuation of https://hackingiscool.pl/out-of-bounds-write-with-some-integer-sign-flipping-mbe-lab8b-walkthrough-the-basic-version/ - the bonus version not utilizing the thisIsASecret() function to get the shell. So, the basic version was in fact very simple after figuring out how to control EIP. We just overwrote it with a pointer to this function: Now,
linux Out-of-bounds read-write with some integer sign flipping - MBE LAB8B walkthrough - the basic version I decided to skip the LAB8C (https://github.com/RPISEC/MBE/blob/master/src/lab08/lab8C.c) writeup, as solving it did not even require running gdb - so I was like "muh". Instead, let's look at LAB8B. The target app As usual, here's the source code: https://github.com/
linux Heap overflow with stack-pivoting, format string mem leaking and first-stage ROP-ing to shellcode after making it executable on the heap - on a statically linked binary (MBE LAB7A) This is was one of the most painstaking ones (which is reflected in the length of this write up). While finding the vulnerability was trivial, building a working exploit was quite of a challenge here. The target app The target app https://github.com/RPISEC/MBE/blob/master/src/lab07/
vulndev Exploiting the same Use after Free twice to leak the mem layout and execute code - MBE LAB7C walkthrough The target app This time we are dealing with a very plain and simple UaF vulnerability. The source code can be found here: https://github.com/RPISEC/MBE/blob/master/src/lab07/lab7C.c Right away we can see two data structure definitions, which more-less suggest what we are going
vulndev MBE is fun - lab6A walkthrough I'll try to keep this one short. What we are going to cover We are not going to overwrite the saved RET on the stack (we're gonna have a different pointer available, without touching the stack protector). We are Β also going to: * beat ASLR with an initial tiny little taste
vulndev The XOR madness of MBE's tricky lab6B - a walkthrough This post is a continuation of my MBE (Modern Binary Exploitation) walkthrough series. In order to get some introduction, please see the previous post: https://hackingiscool.pl/mbe-lab6c-walkthrough/. A look at the target app So let's get right to it. The source code of the target application can be found
vulndev MBE lab6C walkthrough About MBE Some time ago I came across RPISEC's free Modern Binary Exploitation course (https://github.com/RPISEC/MBE) which I can't recommend enough. You get lectures, challenges and a ready out-of-the-box operational Ubuntu VM to play with. Yup, this course is Linux-focused, which made it a great extension to
vulndev Vulnserver - my KSTET exploit (delivering the final stage shellcode through an active server socket) The purpose of writing this up was only to present a little trick I came up with while playing with vulnserver's (http://www.thegreycorner.com/2010/12/introducing-vulnserver.html) KSTET command (one of many protocol commands vulnerable to some sort of memory corruption bug). In spite of the hardcoded addresses,
