itzikkotler: So, I have decided to pack
Writing kernel exploits
Just tagged libo 0.1, a library for fast integer overflow detection. The major interface change in this version is that instead of writing smulo32(...) for detecting signed 32-bit multiplication overflow, you just call overflow_mul(...), and it will figure out the type for you (using black magic). I have also added a unit test using Google Test. It would be great if you can help generate and test ARM/PowerPC implementations. libo 0.1 released - Xi Wang
Heap Overflows For Humans 104 Created by mr_me on Sunday the 11 of March, 2012 Tags: heap, exploitation Welcome to the sixth installment of the Heap Overflow For Humans series, I hope the journey has been as interesting to you as it has for me. At this point, I can tell you that there are a few more series yet to come as we progress into windows 8.
Heap Overflows For Humans 103 Created by mr_me on Thu Jan 05 03:17:43 +1100 2012 Tags: bitmap attacks, bitmap flip, eip, exploit development, FreeListInUse, heap determinism, heaper, management structures, reversing, RtlCommitRoutine Hi guys! Once again I'm back and here to discuss yet another important technique for heap exploitation that I do not want to see get buried in the sands of time. Lucky for me I have some time off over Christmas/New years so I can cover more of this topic. Lets review what we have covered so far just in-case you missed some if it:
Embedded in Academia : Integer Overflow Paper My coauthors and I just finished the final version of our paper about integer overflows in C/C++ programs that’s going to appear at ICSE 2012, a software engineering conference. Basically we made a tool for dynamically finding integer overflows (and related integer undefined behaviors) and used it to look at a lot of software. As you might expect, lots of overflows occur. Our analysis is based on dividing overflows into four kinds: Intentional, well-defined overflows, such as letting an unsigned integer wrap around in a PRNG. These are not a problem.Unintentional, well-defined overflows, such as an unsigned multiplication wrapping around when this was not expected to happen.
sandpile.org -- The world's leading source for technical x86 processor information.
Vulnerability analysis, Security Papers, Exploit Tutorials
[ Shell-Storm.org ] | Project | ROPgadget tool v3.3 by Jonathan Salwan - 2011-03-12 Description This tool lets you search your gadgets on your binaries (ELF format) to facilitate your ROP exploitation. Since version 3.0, ROPgadget has a auto-roper for build your payload automatically with the gadgets found. GitHub (Stable v4.0.3) https://github.com/JonathanSalwan/ROPgadget/ Authors
Introduction to Writing Shellcode
BinDiff zynamics BinDiff uses a unique graph-theoretical approach to compare executables by identifying identical and similar functions Description BinDiff is a comparison tool for binary files, that assists vulnerability researchers and engineers to quickly find differences and similarities in disassembled code. With BinDiff you can identify and isolate fixes for vulnerabilities in vendor-supplied patches. You can also port symbols and comments between disassemblies of multiple versions of the same binary or use BinDiff to gather evidence for code theft or patent infringement.
DarunGrim: A Patch Analysis and Binary Diffing Tool DarunGrim is a binary diffing tool. DarunGrim is a free diffing tool which provides binary diffing functionality. Binary diffing is a powerful technique to reverse-engineer patches released by software vendors like Microsoft.
darun-grim-script -- scriptable version of DarunGrim3.
This article aims to provide you with the different steps needed to develop shellcode obfuscation techniques, and their respective deobfuscator assembly stubs. This should help you to learn a bit more about IDS and Anti-Virus evasion techniques, and more than that, to give you a useful template to create more advanced obfuscations stuffs. Don’t be confused, we are not talking about shellcode “encoders” since we do neither modify the opcodes nor remove any bad characters. We will just hide the shellcode and – hopefully – break common shellcode patterns. Simple shellcode obfuscation | Fun Over IP
/_/ v0.01 Copyright (C) 2011 Steven Seeley This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. heaper.py at master from mrmee/heaper - GitHub
si - Visualizing entropy in binary files Last week, I wrote about visualizing binary files using space-filling curves, a technique I use when I need to get a quick overview of the broad structure of a file. Today, I'll show you an elaboration of the same basic idea - still based on space-filling curves, but this time using a colour function that measures local entropy. Before I get to the details, let's quickly talk about the motivation for a visualization like this.
Most people know that ASLR randomizes the base address of the binary when loaded, but how does the loader know that a binary is ASLR capable? This is a fairly easy question to answer but from what I can tell is rarely documented as a detection method and the subject of this post. I created a little ruby script to give you access to these values over your whole file system, directories, or a file. There are many tools like cff explorer you can use to view these per a file but this one will give you the ability to crawl a file system to find multiple files with ASLR disabled, DEP disabled and more. git dllcharacteristics Question: How does loader know ASLR is enabled for a binary?
spray / mem patterns visualizer Heappie! is an exploit-writing-oriented memory analysis tool. It assists vulnerability researchers in tracking heap sprays (as well as other memory patterns) by providing visualization of the memory state.
hellman/libformatstr - GitHub README.md libformatstr.py Small script to simplify format string exploitation.
Intel Instruction Set 80x86 instruction set I have started to update this site which will cover all new processors. I have also changed the mirroring policy.
geek edition | X86 Opcode and Instruction Reference 1.11 General notes: POP CSIntel iAPX 86/88, 186/188 User's manual: When the opcode 0FH is encountered, the 8086,88 will execute a POP CS; the 80186,188 will execute an illegal instruction exception.Branch PrefixesBranch hints have effect only on NetBurst microarchitecture: A Detailed Look Inside the Intel NetBurst Micro-Architecture of the Intel Pentium 4 Processor: Branch hints are interpreted by the translation engine, and are used to assist branch prediction and trace construction hardware. They are only used at trace build time, and have no effect within already-built traces.Alternating branch prefix: The microarchitecture of Intel and AMD CPU's, By Agner Fog, Copyright © 1996 - 2006.90 NOP90 NOP is not really aliased to XCHG eAX, eAX instruction.
System Call Table