Recent Posts
- Scary monsters (and super creeps)
- Happy exploit wednesday!
- All you can spray
- Update: PDF sploits in the wild
- PDF sploits in the wild
- MPEG2TuneRequest 0-day
- Bad guys and sexy sploits: CVE-2009-1537
- Use the source, Luke!
- Vuln: Microsoft Excel Object Type Confusion Remote ..
-
Microsoft Excel Object Type Confusion Remote Code Execut..
- Vuln: Microsoft Excel MDXSET Record Remote Heap Buf..
-
Microsoft Excel MDXSET Record Remote Heap Buffer Overflo..
- Vuln: RETIRED: Microsoft March 2010 Advance Notific..
-
RETIRED: Microsoft March 2010 Advance Notification Multi..
Categories
Comments
- abhi:Hi, I go
- k`sOSe:sorry for that,
- ftk:can you reuploa
- Vincent:Yup, 403.
- DG:403 Forbidden f
- k`sOSe:yep, exactly. t
- Thierry :"assuming
- h4x0r:Yeahhh ! i,m w
- snip:All work and no
- testonly:hi, i tried thi
- k`sOSe:hello w0lf, tha
- w0lf:hello frist of
- k`sOSe:Hi send9, feel
- k`sOSe:heya snip, than
- send9:Nice. I don
- snip:Guido, questa m
- fXsTar:Infernet eXplod
- k`sOSe:yeah indeed, my
- nopper:w00ting club :)
- k`sOSe:well said patri
- k`sOSe:thx
- sweet :cool shit you g
- k`sOSe:Fossi in te ci
- devon:Appena fixano r
Having Fun With Windogs
Posted on 2008-08-11 14:21:03 in PornoSecurity
Oh yes, it's definitely true, i'm actually approaching the wild word of windogs. I started with some simple stack-based buffer overflows, and let me say a thing: they seems to be very very easy to exploit, kernel32.dll(which is guaranteed to be loaded in every single windozze app) and his friends are full of very usefull opcodes.
Heap-based buffer overflows are a bit more tricky, but it's just a matter of playing around for a while with your favourite debugger. At least for windozze <= sp1, actually sp2 introduces a bit more security in the way he manage chunk's coalescence, they call it safe-unlink and is more or less what glibc adds around version 2.3.5, it basically checks that the prev->next pointer equals the next->prev one before triggering RtlpCoalesceFreeBlocks(). So, i dunnno how to defeat it (yet), but if we speak about all of those browser-based vulnerabilities, i mean like ActiveX, the good news is that is possibile to adjust the Infernet eXploder heap by playing with javascript, and this is very very helpful!
2008-10-22 22:34:42
fXsTar: Infernet eXploder :)))) nice one.respect