Julian Horoszkiewicz

Living on the edge; fast CPUs, dangerous commands, unpredictable fuckups.
Computer-obsessed global electronic ghetto

Stack-canary (ROP), format string leak plus how I learned that nullbyte is not a badchar to scanf("%s",buf) - while socat ignores read on STDIN - MBE LAB8A

This time we are having some fun with a standard null-armored stack canary, as well as an additional custom one (we will extensively cover both scenarios, as there's plenty of subject matter here), plus some peculiarities regarding scanf() and read(). The relevant MBE lecture can be found here http://security.
— 14 min read

Out-of-bound read-write without integer sign flipping - MBE LAB8B walkthrough - the bonus version without using thisIsASecret() function

Introduction This is the continuation of https://hackingiscool.pl/out-of-bounds-write-with-some-integer-sign-flipping-mbe-lab8b-walkthrough-the-basic-version/ - the bonus version not utilizing the thisIsASecret() function to get the shell. So, the basic version was in fact very simple after figuring out how to control EIP. We just overwrote it with a pointer to this function: Now,
— 11 min read

Heap overflow with stack-pivoting, format string mem leaking and first-stage ROP-ing to shellcode after making it executable on the heap - on a statically linked binary (MBE LAB7A)

This was one of the most painstaking ones (which is reflected in the length of this write-up). While finding the vulnerability was trivial, building a working exploit was quite a challenge here. The target app: https://github.com/RPISEC/MBE/blob/master/src/lab07/
— 18 min read