Archive for November, 2010

Bypassing UAC with User Privilege under Windows Vista/7 – Mirror

26th November 2010

Introduction

I would like to present an exploit of an ambiguous parameter in a Windows kernel API that leads to buffer overflows under nearly every version of Microsoft Windows, and in particular one that can be used as a backdoor to the Windows user privilege system as well as to User Access Control.

Fuzzing vs Reversing – Round #2 (Reversing)

22nd November 2010

After a few days of fuzzing, I noticed that I had covered a large part of the format (at least the part I found interesting), so I began reverse engineering the format more thoroughly. I started by mapping out the tag types and reviewing the functions that parse them.

Fuzzing vs Reversing – Round #1 (Fuzzing)

22nd November 2010

I have recently been doing some fuzzing on the Adobe Flash Player. I started by implementing a simple format fuzzer for Flash based on a homegrown framework that I have been developing for a while. I implemented and executed tests and progressively covered more and more of the format. After a few days, I noticed one of the SWF files causing strange crashes: the "Just-in-time" debugger is triggered, but the process is terminated.

vBulletin – A Journey Into 0day Exploitation

16th November 2010

The popular vBulletin software is generally a quite secure forum application if you exclude the small number of vulnerable add-ons. However, when new features are occasionally added, such as Profile Customization, a new vulnerability might be born.

Foxit Reader Stack Overflow Exploit – Egghunter Edition

14th November 2010

Some time ago, when Adobe Reader 0days were dropping left, right, and centre, Foxit Reader was frequently mentioned as a safer alternative to Adobe. While it may be true that there are not as many exploits available for Foxit, that does not mean it is invincible.

Google Hacking Database Reborn

9th November 2010

The incredible amount of information continuously leaked onto the Internet, and therefore accessible through Google, is of great use to penetration testers around the world. Johnny Long of Hackers for Charity started the Google Hacking Database (GHDB) to serve as a repository for search terms, called Google Dorks, that expose sensitive information, vulnerabilities, passwords, and much more.

Finding 0days in Web Applications

5th November 2010

Zero-day exploits in web applications are usually easier to find, study, and attack than those in actual services such as a web server, because the attacker does not need to create shellcode, debug the service over and over, or even know the memory layout of the target machine. Furthermore, there are no opcodes to worry about, although there are usually some other security mechanisms in place instead.

Exploit Database, New Features!

4th November 2010

New Search Features!

We are constantly improving the Exploit Database and adding more functionality to it. Our latest upgrade brings some exciting features, such as searching security articles by language, and a new "Free Text Exploit Search" feature.

Winamp 5.58 from Denial of Service to Code Execution Part 2

2nd November 2010

Understanding the Winamp Memory Layout

This post is a continuation of part 1 of Winamp 5.58 from Denial of Service to Code Execution.

The solution we used in the first Winamp in_mod_plugin exploit was not as elegant as we would have liked. First, it used a lot of code, and second, the work required to change the shellcode was not a trivial undertaking. So in this post we present a way to address the second shortcoming and make this script-kiddie friendly.