Latest Articles

The sexy side of information security, welcome to PornoSecurity!

Use the source, Luke!

Posted on 2009-06-17 17:58:10 in PornoSecurity

Hi there, as proof that I'm alive and kicking I wanna show you this.

This is the same as Apple iTunes 8.1.1.10 (itms/itcp) Remote Buffer Overflow Exploit (win), but not the same :)
It's just... somewhat easier. I wrote it in a couple of hours while watching HD porn (I can prove that! I have a witness :).

It is a little tricky but not hard at all.

As you may or may not know, metasploit can produce alphanumeric shellcode with one exception: it can't do an alphanumeric getpc(). What I mean is that it is not able to emit alphanumeric opcodes that find the shellcode's own location in memory, so if you try to build alphanumeric shellcode with msfencode you'll always get a few non-alphanumeric characters: the instructions used to calculate the absolute position of the shellcode in memory.

It turns out that msfencode has an undocumented option (it was undocumented for a while; it may be written down somewhere by now, I didn't check) that tells it there's no need to calculate anything because the location of the shellcode is already held in a register: the BufferRegister=REG32 option. With that specified you'll get pure alphanumeric shellcode.

It's funny to know how many people are not aware of this option. It's funny to know how many people don't even try to understand *why* they don't get what they want when they see those non-alphanumeric chars.
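The check the post says people skip, as an added example that is not part of the original post or of Metasploit: audit an encoded buffer against the [A-Za-z0-9] set and report where the offending bytes sit. The sample blobs are constructed, not real encoder output; a single offending run at offset 0 followed by a clean body is the shape the post describes.

```python
import string

# Byte values an alphanumeric encoder is allowed to emit: [A-Za-z0-9].
ALNUM = frozenset((string.ascii_letters + string.digits).encode())


def audit_charset(payload: bytes, allowed=ALNUM):
    """Return (offset, byte) pairs for every byte outside the allowed set."""
    return [(i, b) for i, b in enumerate(payload) if b not in allowed]


def offending_runs(payload: bytes, allowed=ALNUM):
    """Group offending bytes into contiguous (start, length) runs."""
    runs = []
    for off, _ in audit_charset(payload, allowed):
        if runs and runs[-1][0] + runs[-1][1] == off:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)  # extend current run
        else:
            runs.append((off, 1))                       # start a new run
    return runs


def describe(payload: bytes, allowed=ALNUM) -> str:
    """One-line verdict: clean, leading stub only, or scattered bad bytes."""
    runs = offending_runs(payload, allowed)
    if not runs:
        return "clean: every byte is in the allowed set"
    if len(runs) == 1 and runs[0][0] == 0:
        return f"leading non-alphanumeric stub of {runs[0][1]} bytes, rest clean"
    return f"{len(runs)} non-alphanumeric run(s) at offsets {[r[0] for r in runs]}"


# Constructed sample inputs (hypothetical, not produced by any encoder):
# an arbitrary 7-byte opaque prefix in front of an alphanumeric body,
# and the same body on its own.
BODY = b"VTX30VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOMNKL"
SAMPLE_WITH_STUB = b"\x8b\x0c\xd9\xe8\x90\x80\x04" + BODY
SAMPLE_CLEAN = BODY

if __name__ == "__main__":
    for name, blob in (("with_stub", SAMPLE_WITH_STUB), ("clean", SAMPLE_CLEAN)):
        print(f"{name}: {describe(blob)}")
```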

Sleeping

Posted on 2009-06-15 10:54:49 in PornoSecurity

No, I'm not sleeping. I'm working hard, on different things. I got some very interesting bugs but some said: "no more free bugs"... I'm wondering if that's the Right Thing To Do (tm) but in the meantime...
I'm also working hard on reverse engineering since I suck at it: reversing patches, malware, unpacking and the likes. I hope I can share some of my work with you soon.

Oracle WebLogic Connector JSESSIONID BoF exploit

Posted on 2009-04-01 17:30:43 in PornoSecurity

So, I wrote this some time ago and there's no reason to keep it private anymore. You can find it here as usual (submitted now, it could take a couple of hours to be published).

This is CVE-2008-5457 and it was an "unspecified vulnerability", so I had to reverse engineer the patch provided by Oracle.
I wrote a nice post with technical info at http://www.securitydate.it