Appendum to “How Safe is your Link ?” – how to fool LFH

Heap overflow bug can potentionaly lead to alter heap in that way, that you can rule on its allocation / deallocation mechanism. Nowdays it is litle bit harder, because you need to fullfill some subset of prerequisities for choosen technique, and it is in more than less case not possible.

This post will describe how to break even LFH trough plugin, custom PoC for IE10 on win8 CP, vulnerable to winXP-8CP backend attack.

DBI framework for fuzzing on the board, part I.

I started a bit researching around fuzzers, fuzzing techniques and practices. As i study materials about fuzzing, code (node / edge) coverage approach quickly impressed me. But for this method is essential to have a good dbi. Pin or valgrind are good solutions, but will i try to make it in lightweight way – specificated for further fuzzing needs.

Already implemented features :

  • BTF – Hypervisor based
  • PageTable walker
  • VAD walker
  • full Process control [images, threads, memory]
  • Syscall monitoring – implemented process virtual memory monitor

Uint8Array pwn them all!

This week I take a look at the research blog post by @vupen Advanced Exploitation of Mozilla Firefox Use-after-free CVE-2012-0469 . It is one year old vulnerability, but thanks to it, simple idea come into my mind…

Exploitation of this vulnerability presented at vupen’s blogs, was not easy, because it have into arsenal just controlled OR for certain location, and it uses nothing more – which is quite interesting ! Because of that, exploitation grows complexity, and the first step was logical expanding length of string object, for memory leak. As the next move was performed OR at one tag-object targeting its VTable, which ends to arbitrary code execution.

but … in generation of HTML5 and its new features, more easier and more general method could be used for this exploitation


Follow

Get every new post delivered to your Inbox

Join other followers: