badcoded

Memory Corruption and Hacker Folklore

2010-06-01T13:07:00.000-07:00

Nice work by haroon from Thinkst Applied Research, he is making an interactive timeline of the history of memory corruption vulnerabilities and exploit techniques. You can submit events using this form

Bypassing DEP on Win2003 SP2

2009-06-11T00:11:00.000-07:00

David Kennedy “ReL1K” published
Bypassing Hardware based Data Execution Prevention on Windows 2003 Service Pack 2 PDF (497KB)

Good, you can learn from David experience writing an exploit for Windows 2003 SP2. This is the kind of research you have to do to exploit a simple buffer overflow in modern operating systems with protections. What he does manually in this article sometimes is harder or impossible without the help of some automated tool to analyze thousand of different system modules.

Project Shellcode

2009-04-17T08:42:00.000-07:00

The first stage of Project Shellcode aims to become the knowledge base for all shellcode related resources, including white papers, tutorials, tools, links, assembly code, and of course shellcode.

http://projectshellcode.com/
Is not clear if the project is active or not.

Return-Oriented Programming: Exploits Without Code Injection

2009-01-02T08:50:00.000-08:00

...We describe return-oriented programming, a generalization of return-into-libc that allows an attacker to undertake arbitrary, Turing-complete computation without injecting code.New computations are constructed by linking together code snippets that end with a “ret” instruction. The ret instructions allow an attacker who controls the stack to chain instruction sequences together. Because the executed code is stored in memory marked executable, W^X and DEP will not prevent it from running.
...

PDF

Adventures with a certain Xen vulnerability - Rafal Wojtczuk

2008-11-02T08:08:00.000-08:00

  Rafal Wojtczuk paper about the exploitation of a XEN vulnerability

The Evil Hacker escapes from DomU and gets into Dom0. Using clever
ret-into-libc technique he succeeds with his attack on x86 architecture,
despite the NX and ASLR deployed in Dom0 OS (Fedora Core 8). The Evil
Hacker is also not discouraged by the fact that the target
OS has SELinux protection enabled - he demonstrates how the particular
SELinux policy for Xen, used by default on FC8, can be bypassed.
Ultimately he gets full root access in Dom0. Rafal also discusses
variation of the exploitation on x86_64 architecture - he partially
succeeds, but his x64 exploit doesn't work in certain circumstances.
...

PDF

writing a .NET Security Exploit PoC...mmm?

2008-09-15T17:03:00.000-07:00

Let's start out with some convenient types that allow bit twiddeling once we've subverted the type system....

well, not exactly but interesting anyway.

Misplaced Trust: Kerberos 4 Session Keys (1997)

2008-05-14T22:45:00.000-07:00

Again, a 10 years old paper in badcoded. Ignore the past, repeat mistakes.

Misplaced Trust: Kerberos 4 Session Keys (1997)

Progress, far from consisting in change, depends on retentiveness. When change is absolute there remains no being to improve and no direction is set for possible improvement: and when experience is not retained, as among savages, infancy is perpetual. Those who cannot remember the past are condemned to repeat it. In the first stage of life the mind is frivolous and easily distracted, it misses progress by failing in consecutiveness and persistence. This is the condition of children and barbarians, in which instinct has learned nothing from experience.

George Santayana, The Life of Reason, Volume 1, 1905

PHRACK #65

2008-04-16T22:08:00.000-07:00

April 2008
by The Circle of Lost Hackers


0x01 Introduction                                                      TCLH
0x02 Phrack Prophile of The UNIX Terrorist                             TCLH
0x03 Phrack World News                                                 TCLH
0x04 Stealth Hooking: another way to subvert the Windows kernel     mxatone
                                                                  ivanlefou
0x05 Clawing holes in NAT with UPnP                            felinemenace
0x06 The only laws on Internet are assembly and RFCs                  Julia
0x07 Hacking the System Management Mode       BSDaemon, coideloko, d0nand0n
0x08 Mystifying the debugger for ultimate stealthness              halfdead
0x09 Australian Restricted Defense Networks and FISSO              The Finn
0x0a Phook - The PEB Hooker                                  shearer & dreg
0x0b Hacking the $49 Wifi Finder                                openschemes
0x0c The art of exploitation: Samba WINS stack overflow         max_packetz
0x0d The Underground Myth                                         anonymous
0x0e Hacking your brain: Artificial Conciousness                         -C
0x0f International scenes                                           various

Phrack #65

Download .tgz

Aplication-Specific Attacks - Leveraging the ActionScript Virtual Machine

2008-04-14T15:10:00.000-07:00

Memory corruption vulnerabilities are becoming increasingly difficult to exploit, largely due to the protection mechanisms being integrated into most modern operating systems. As general protection mechanisms evolve, attackers are engaging in more specific, low-level application-targeted attacks. In order to refine general countermeasures (or at least raise awareness of their shortcomings), it is important to first understand how memory corruption vulnerabilities are exploited in some unique scenarios.

[...]

Aplication-Specific Attacks - Leveraging the ActionScript Virtual Machine by Mark Dowd PDF

gcc silently discards some wraparound checks...buf+len < buf?

2008-04-05T21:58:00.000-07:00

David LeBlanc's Web Log
Vulnerability Note VU#162289

Basically, what it says is that code which looks like this:

char *buf;
int len;

gcc will assume that buf+len >= buf.

As a result, code that performs length checks similar to the following:

len = 1<<30;
[...]
if(buf+len < buf) /* length check */
[...perform some manipulation on len...]

are compiled away by these versions of gcc

User Supplied Format String Vulnerability - everything ever written

2008-01-01T18:06:00.000-08:00

2005

Format String Vulnerabilities in Perl Programs
Steve Christey

2002

Advances in format string exploitation
Gerardo Richarte, Ricardo Quesada

Howto remotely and automatically exploit a format bug
Frédéric Raynal

2001

Exploiting Format Strings Vulnerabilities
scut team-teso
v1.1
v1.2

Format String Attack on alpha system
Seunghyun Seo (truefinder)

Format String Technique
sloth@nopninjas.com

Analysis of Format String Bugs
Andreas Thuemmel

Detecting Format String Vulnerabilities with Type Qualifiers
David Wagner

Large-Scale Analysis of Format String Vulnerabilities in Debian Linux
David Wagner

What are format bugs ?
Christophe BLAESS Christophe GRENIER Frédéreric RAYNAL
French

2000

More info on format bugs
Pascal Bouchareine
Español

Format String Attacks
Tim Newsham
TXT

Format Bugs: What are they, Where did they come from,...How to exploit them
Lamagra
Español

Paper sobre format bugs
venomous

Exploiting the Libc Locale Subsystem Format String Vulnerability on Solaris/SPARC
Solar Eclipse

100 Most Influential Books Ever Written

See: scut/teso-team Format String paper

New Microsoft Security Vulnerability Research and Defense blog

2007-12-28T11:01:00.000-08:00

New Microsoft technical blog about security vulnerabilities RSS

We are excited to have this outlet to share more in-depth technical information about vulnerabilities serviced by MSRC security updates and ways you can protect your organization from security vulnerabilities. You can read much more about the goals of the blog and about the SWI teams contributing to the blog in our “About” link: http://blogs.technet.com/swi/about.aspx

Double Free Vulnerabilities on Windows

2007-12-20T14:23:00.000-08:00

by Matt Conover 2007

To learn to exploit real heap memory corruption vulnerabilities on Windows one of the things you have to do is to read every Matt Conover's publication. The next are two posts in the Symantec Security Response Blog about double free() bugs. More articles and publications by him will be posted later in this blog.

In light of the recent CSRSS double free bug, I wanted to provide some information on the exploitation of double frees on Windows on XP SP2 and later. Prior to XP SP2, double frees were trivial to exploit, but now the security cookie (in each heap chunk) and safe unlinking checks make it more difficult to exploit. So this blog entry will discuss the exploitability on XP SP2 and later heap implements.

Double Free Vulnerabilities Part 1

Double Free Vulnerabilities Part 2

Smashing The Modern Stack For Fun And Profit

2007-12-18T18:06:00.000-08:00

Craig J. Heffner article about the problems he found while reading and following the examples in Smashing The Stack For Fun And Profit using a modern Linux system.

"...the GNU C Compiler (gcc) has evolved since 1998, and as a result, many people are left wondering why they can't get the examples to work for them, or if they do get the code to work, why they had to make the changes that they did. Having these same problems myself, and being unable to find an updated version of Aleph One's document on the web, I set out to identify the source of these variations on my own. ..."
Smashing The Modern Stack For Fun And Profit

Valgrind 3.3.0 released

2007-12-16T17:14:00.000-08:00

Valgrind is an award-winning suite of tools for debugging and profiling Linux programs. With the tools that come with Valgrind, you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling, to speed up and reduce memory use of your programs.

The Valgrind distribution currently includes four tools: a memory error detector, a cache (time) profiler, a call-graph profiler, and a heap (space) profiler. It runs on the following platforms: X86/Linux, AMD64/Linux, PPC32/Linux, PPC64/Linux.

The main excitement in 3.3.0 is new and improved tools. Helgrind
works again, Massif has been completely overhauled and much improved,
Cachegrind now does branch-misprediction profiling, and a new category
of experimental tools has been created, containing two new tools:
Omega and DRD. There are many other smaller improvements. [...]

Phrack Magazine #64

2007-12-16T16:03:00.001-08:00

May 2007
by The Circle of Lost Hackers


0x01 Introduction                                 The Circle of Lost Hackers
0x02 Phrack Prophile of the new editors           The Circle of Lost Hackers
0x03 Phrack World News                            The Circle of Lost Hackers
0x04 A brief history of the Underground scene     The Circle of Lost Hackers
0x05 Hijacking RDS TMC traffic information signal                      lcars
                                                                  danbia
0x06 Attacking the Core: Kernel Exploitation Notes                      twiz
                                                                sgrakkyu
0x07 The revolution will be on YouTube                                gladio
0x08 Automated vulnerability auditing in machine code           Tyler Durden
0x09 The use of set_head to defeat the wilderness                       g463
0x0a Cryptanalysis of DPA-128                                           sysk
0x0b Mac OS X Wars - A XNU Hope                                         nemo
0x0c Hacking deeper in the system                                   scythale
0x0d The art of exploitation: Autopsy of cvsxpl                  Ac1dB1tch3z
0x0e Know your enemy: Facing the cops                                  Lance
0x0f Blind TCP/IP hijacking is still alive                               Lkm
0x10 Hacking your brain: The projection of consciousness             keptune
0x11 International scenes                                            Various

Phrack #64

Download .tgz

Putting risk in perspective: Do people make better decisions when they understand average risk?

2007-12-16T15:25:00.000-08:00

Putting risk in perspective: Do people make better decisions when they understand average risk? from PhysOrg.com

If there were a pill that would cut your risk of breast cancer in half, would you take it? What if you were told your risk of breast cancer was already below average?

[...]

Defend Your Code with Top Ten Security Tips Every Developer Must Know

2007-12-16T11:41:00.001-08:00

MSDN Magazine, September 2002
Michael Howard and Keith Brown

Content

English

CERT Secure Coding Projects

2007-12-14T21:36:00.000-08:00

http://www.cert.org/secure-coding/

CERT Secure Coding Standards
A collaborative site that provides rules and recommendations for secure coding practices in the C and C++ programming languages

Managed string library
The managed string library provides a more secure alternative to standard null-terminated byte strings in C. Managed string functions dynamically allocate memory as required, eliminating the possibility of buffer overflows, string truncation, and other common programming errors.

Secure integer library
This library includes functions for safe integer conversions and arithmetic operations.

Publications Podcast RSS

Automatic Discovery of API-Level Exploits

2007-12-14T19:10:00.000-08:00

Not very interesting besides the title and abstract. It could be included it in the "everything ever written about format strings vulnerabilities" section.

PDF
By Vinod Ganapathy, Sanjit A. Seshia, Somesh Jha, Thomas W. Reps, Randal E. Bryant

Abstract
We argue that finding vulnerabilities in software components is different from finding exploits against them. Exploits that compromise security often use several low-level details of the component, such as layouts of stack frames. Existing software analysis tools, while effective at identifying vulnerabilities, fail to model low-level details, and are hence unsuitable for exploit-finding. We study the issues involved in exploit-finding by considering application programming interface (API) level exploits. A software component is vulnerable to an API-level exploit if its security can be compromised by invoking a sequence of API operations allowed by the component. We present a framework to model low-level details of APIs, and develop an automatic technique based on bounded, infinite-state model checking to discover API-level exploits. We present two instantiations of this framework. We show that format-string exploits can be modeled as API-level exploits, and demonstrate our technique by finding exploits against vulnerabilities in widely-used software. We also use the framework to model a cryptographic-key management API (the IBM CCA) and demonstrate a tool that identifies a previously known exploit.

Blended Attacks: Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses

2007-12-14T18:41:00.000-08:00

Blended Attacks: Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses
by Peter Szor and Eric Chien / Virus Bulletin Conference September 2002
PDF

Peter Szor is the author of the excellent T he Art of Computer Virus Research and Defense.

The Script Mapping Project

2007-12-13T17:16:00.000-08:00

The purpose of the WASC Script Mapping Project is to come up with an exhaustive list of vectors to execute script within a web page without the use of [script] tags. This data can be useful when testing poorly implemented Cross-site Scripting blacklist filters, for those wishing to build an html white list system, as well as other uses.

The Script Mapping Project

Hacking Windows CE

2007-12-13T16:01:00.000-08:00

HITBSecConf2005
talk by San

Analyzing Code for Security Defects

2007-12-13T15:54:00.000-08:00

HITBSecConf2005
talk by Nish Bhalla

Java 2 Micro Edition (J2ME) Security Vulnerabilities

2007-12-13T15:27:00.000-08:00

badcoded is web 2.0?

HITBSecConf2004
talk by Adam Gowdiak

Once upon a time badcoded was about ASCII text files.