Return Oriented Exploitation (ROP)

For all those who registered to AWE in BlackHat Vegas 2010 – we have special surprise for you… We’ve updated our “Bypassing NX” module with the buzzing ROP exploitation method.

Read More

QuickZip Stack BOF 0day: a box of chocolates

A few days ago, one of my friends (mr_me) pointed me to an application that appeared to be acting somewhat “buggy” while processing “specifically” crafted zip files.  After playing with the zip file structure for a while (thanks again, mr_me, for documenting the zip file structure), I found a way to make the application crash and overwrite a exception handler structure.

In this article, I will explain the steps I took to build an exploit for this bug. 

… Read more »

Read More

Multiple Media Player HTTP DataHandler Overflow

We recieved an interesting submission today at exploit-db from Dr_IDE. We have verified that both Quicktime and Itunes crash on Windows and OSX. The description reads:

“There is a widespread failure in the way that (.MOV) files are handled by the Quicktime Library. I have attempted to compound my findings on this issue.

Nearly every (.MOV) enabled application that I tested fell victim to this exploit. This is a local memory corruption vulnerability in the way these programs process a malformed file.

… Read more »

Read More

Microsoft IIS FTP 5.0 Remote SYSTEM Exploit

A remote Microsoft FTP server exploit was released today by Kingcope, and can be found at http://milw0rm.com/exploits/9541, https://www.exploit-db.com/exploits/9541/

A quick examination of the exploit showed some fancy manipulations in a highly restrictive environment that lead to a”useradd” type payload. The main issue was the relatively small payload size allowed by the SITE command, which was limited to around 500 bytes.

After a bit of tinkering around,

… Read more »

Read More

ITunes Exploitation Case Study

When masochism just isn’t enough

Our new AWE course is about to go live for the first time, in BlackHat Vegas. We chose the most interesting exploitation cases we’ve encountered, and dove really deep into them. We had many exploits to choose from, some were too easy, and believe it or not, some were just too hard. This blog post is going to be a multipart post, describing our exploitation process of the recent iTunes overflow described here.

… Read more »

Read More