linux Out-of-bound read-write without integer sign flipping - MBE LAB8B walkthrough - the bonus version without using thisIsASecret() function Introduction This is the continuation of https://hackingiscool.pl/out-of-bounds-write-with-some-integer-sign-flipping-mbe-lab8b-walkthrough-the-basic-version/ - the bonus version not utilizing the thisIsASecret() function to get the shell. So, the basic version was in fact very simple after figuring out how to control EIP. We just overwrote it with a pointer to this function: Now,
linux Out-of-bounds read-write with some integer sign flipping - MBE LAB8B walkthrough - the basic version I decided to skip the LAB8C (https://github.com/RPISEC/MBE/blob/master/src/lab08/lab8C.c) writeup, as solving it did not even require running gdb - so I was like "muh". Instead, let's look at LAB8B. The target app As usual, here's
linux Heap overflow with stack-pivoting, format string mem leaking and first-stage ROP-ing to shellcode after making it executable on the heap - on a statically linked binary (MBE LAB7A) This was one of the most painstaking ones (which is reflected in the length of this write-up). While finding the vulnerability was trivial, building a working exploit was quite a challenge here. The target app The target app https://github.com/RPISEC/MBE/blob/master/src/lab07/
vulndev Exploiting the same Use after Free twice to leak the mem layout and execute code - MBE LAB7C walkthrough The target app This time we are dealing with a very plain and simple UaF vulnerability. The source code can be found here: https://github.com/RPISEC/MBE/blob/master/src/lab07/lab7C.c Right away we can see two data structure definitions, which more or less suggest what we are going
vulndev MBE is fun - lab6A walkthrough I'll try to keep this one short. What we are going to cover We are not going to overwrite the saved RET on the stack (we're gonna have a different pointer available, without touching the stack protector). We are also going to: * beat ASLR with an
vulndev The XOR madness of MBE's tricky lab6B - a walkthrough This post is a continuation of my MBE (Modern Binary Exploitation) walkthrough series. In order to get some introduction, please see the previous post: https://hackingiscool.pl/mbe-lab6c-walkthrough/. A look at the target app So let's get right to it. The source code of the target application can
vulndev MBE lab6C walkthrough About MBE Some time ago I came across RPISEC's free Modern Binary Exploitation course (https://github.com/RPISEC/MBE) which I can't recommend enough. You get lectures, challenges and a ready out-of-the-box operational Ubuntu VM to play with. Yup, this course is Linux-focused, which made it
vulndev Vulnserver - my KSTET exploit (delivering the final stage shellcode through an active server socket) The purpose of writing this up was only to present a little trick I came up with while playing with vulnserver's (http://www.thegreycorner.com/2010/12/introducing-vulnserver.html) KSTET command (one of many protocol commands vulnerable to some sort of memory corruption bug). In spite of the