
OWASP

Writing Buffer Overflow Exploits - a Tutorial for Beginners

1. Memory

Note: memory for a process is organized the way we describe it here on most computers, but the details depend on the processor architecture. This example is for x86 and roughly applies to SPARC.

The principle of exploiting a buffer overflow is to use arbitrary input to overwrite parts of memory that were never meant to be writable from that input, and thereby make the process execute code of the attacker's choosing. To see how and where an overflow takes place, let us look at how memory is organized.

- Code segment: the data in this segment are the assembler instructions that the processor executes.
- Data segment: space for variables and dynamic buffers.
- Stack segment: used to pass data (arguments) to functions and as space for the local variables of functions.

2.

    memory address        code
    0x8054321 <main+x>    pushl $0x0
    0x8054322             call  $0x80543a0 <function>
    0x8054327             ret
    0x8054328             leave
    ...
    0x80543a0 <function>  popl %eax
    0x80543a1             addl $0x1337,%eax
    0x80543a4             ret

What happens here? main pushes an argument and calls function. The call instruction pushes the address of the instruction that follows it onto the stack, so that the ret at the end of function knows where execution should continue. In this case, our return address is 0x8054327.

3.
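The listing above shows where the return address lives; the question an exploit writer asks next is how far past a local buffer that slot sits, and what to put there. The following is an added example, not code from the tutorial: it models an x86 stack frame as a byte array (buffer, then saved frame pointer, then return address), copies an overlong input into it the way an unchecked strcpy() would, and reads back the return-address slot. The buffer size of 16, the saved ebp value and the target address are assumptions chosen for the demonstration; the frame model has no padding or stack canary, which is the textbook case the tutorial describes.

```python
import struct

# Constructed model of an x86 stack frame after the function prologue,
# lowest address first: the local buffer, then the saved frame pointer
# pushed by "pushl %ebp", then the return address pushed by "call".
# Real frames may also hold padding or a stack canary; this model has
# neither, which is the classic textbook case.
BUF_SIZE = 16                # assumed size of the local buffer
WORD = 4                     # 32-bit x86 word
RET_ORIGINAL = 0x08054327    # return address from the listing above


def make_frame(buf_size=BUF_SIZE, saved_ebp=0xBFFFF8E0, ret=RET_ORIGINAL):
    """Frame as a bytearray: zeroed buffer | saved ebp | return address."""
    return bytearray(buf_size) + struct.pack("<II", saved_ebp, ret)


def ret_offset(buf_size=BUF_SIZE):
    """Bytes from the start of the buffer to the return-address slot."""
    return buf_size + WORD


def read_ret(frame):
    """Return-address slot, decoded as the little-endian word x86 stores."""
    return struct.unpack_from("<I", frame, len(frame) - WORD)[0]


def unsafe_copy(frame, data):
    """Model of strcpy() into the buffer: no bounds check, so bytes beyond
    the buffer land in the saved ebp and return-address slots.  Writes
    stop at the end of the modelled frame only to keep the demo bounded."""
    n = min(len(data), len(frame))
    frame[:n] = data[:n]
    return frame


def safe_copy(frame, data, buf_size=BUF_SIZE):
    """Bounds-checked copy: refuse anything that does not fit the buffer.
    Returns True if copied, False if rejected (frame left untouched)."""
    if len(data) > buf_size:
        return False
    frame[:len(data)] = data
    return True


def build_payload(target, buf_size=BUF_SIZE):
    """Filler up to the return slot, then the address we want "ret" to
    pop, packed little-endian.  The four filler bytes just before it
    overwrite the saved ebp, which is why a naive overflow also corrupts
    the caller's frame pointer."""
    return b"A" * ret_offset(buf_size) + struct.pack("<I", target)


def ret_after_overflow(target, buf_size=BUF_SIZE):
    """Return address left in the frame after an unchecked copy."""
    frame = unsafe_copy(make_frame(buf_size), build_payload(target, buf_size))
    return read_ret(frame)


if __name__ == "__main__":
    print("return slot at offset", ret_offset())
    print("after overflow, ret = 0x%08x" % ret_after_overflow(0xBFFFF900))
    f = make_frame()
    print("bounds-checked copy accepted payload:",
          safe_copy(f, build_payload(0xBFFFF900)))
    print("ret still 0x%08x" % read_ret(f))
```

The offset (buffer size plus one word for the saved ebp) is the number a real exploit has to get exactly right; the model takes buf_size as a parameter so the same calculation can be repeated for any buffer size. The bounds-checked copy is the fix the tutorial's vulnerable code lacks: it never writes past the buffer, so the return address stays 0x8054327.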

BLADE - Block All Drive-by Download Exploits

SELinux and UML

Web Services Security Checklist

I am a big fan of checklists. In any relatively complex system that has to be delivered under a time crunch, like, say, Web Services, a checklist can save your bacon. If you hired me to work on your project I would use this Web Services Security Checklist to verify standards, mechanisms, and implementation throughout the SDL. My partner Pat Christiansen likes to say that architecture artifacts are for communication as much as for engineering. A checklist is a simple artifact that helps ensure consistency throughout architecture, threat modeling, security design requirements, and the security implementation itself.

.:[ d4 n3wS ]:.

Are you familiar with white hat hacking? If you aren't, you should be. White hat hacking is a planned, authorized attack that checks your systems for vulnerabilities. After the hacker successfully (and harmlessly) compromises your environment, they tell you what to do to fix it. Even though most security loopholes are well documented, I'm surprised how many open exploits are in the applications that we security scan here at INetU. So stand by for a little White Hat Hacking 101, where I'll teach you how to hack into your own site.

Hack One: Injection Attacks

I'll start with injection exploits because most IT professionals, even though they have a cursory understanding of the dangers, leave too many sites open to the vulnerability, according to the Open Web Application Security Project (OWASP). Find a page on your application that accepts user-supplied information and uses it to access a database: a login form, signup form, or "forgot password" form is a good start.

Hack Two: PHP Remote File Includes
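For Hack One above, here is what the login-form injection looks like end to end, as an added example that is not part of the original post: a constructed SQLite user table, a login check that pastes the form fields into the SQL text, the two classic bypass strings, and the parameterized version of the same query that is immune to them. The table, the user "alice" and the password are made up for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the site database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting, so quotes typed into the
    form fields become part of the SQL.  Returns the matched username or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver passes the values
    separately from the SQL text, so they can never change its structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic login-bypass inputs, one per form field.
BYPASS_PASSWORD = "' OR '1'='1"   # turns the WHERE clause into a tautology
BYPASS_USERNAME = "' OR 1=1 --"   # comments out the password check entirely


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass in password field:",
          login_vulnerable(db, "nobody", BYPASS_PASSWORD))
    print("vulnerable, bypass in username field:",
          login_vulnerable(db, BYPASS_USERNAME, "x"))
    print("parameterized, same inputs:",
          login_parameterized(db, "nobody", BYPASS_PASSWORD),
          login_parameterized(db, BYPASS_USERNAME, "x"))
```

Typing BYPASS_PASSWORD into the vulnerable form logs you in as the first user in the table without knowing any password, which is the test to run against your own login, signup and "forgot password" pages. The parameterized query returns nothing for the same inputs because the quote and the comment marker are compared as literal characters, never parsed as SQL.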

Scanning Web Applications That Require Authentication

Web applications that manage sensitive data are usually protected with either basic or form-based authentication. Nessus can be configured with the appropriate credentials for these authentication schemes as they relate to web application testing. This post covers these authentication schemes in depth, and explores some of the potential problems you may experience when scanning with credentials and how to overcome them.

Basic Authentication

For web applications, or sections of web applications, that require basic authentication, you can enter one username and password pair that Nessus will use each time it is prompted for credentials. It is important to note that basic authentication sends the username and password in the Authorization header merely Base64-encoded; that is an encoding, not encryption, so anyone who can observe the request can recover the password. The only protection for the credentials in transit is TLS on the connection, so scan over HTTPS or on a network where the traffic cannot be observed. Without successful authentication, none of the protected pages and CGI programs would be tested for vulnerabilities.

Form Based Authentication
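To make the basic-authentication point above concrete, the following added example (not code from the original post or from Nessus) builds the Authorization header a client sends and then recovers the credentials from it exactly as an observer on the wire would; the username "scanner" and password "s3cret" are made up.

```python
import base64


def basic_auth_header(username, password):
    """Authorization header value for HTTP Basic auth: "user:pass"
    Base64-encoded, nothing more (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def recover_credentials(header_value):
    """What anyone who observes the header (a proxy, a log file, a sniffer
    on a plain-HTTP link) gets back: the username and password in clear."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authentication header")
    decoded = base64.b64decode(token).decode("utf-8")
    # Split on the first colon only: the user name cannot contain one,
    # but the password may.
    username, _, password = decoded.partition(":")
    return username, password


if __name__ == "__main__":
    header = basic_auth_header("scanner", "s3cret")
    print("Authorization:", header)
    print("recovered:", recover_credentials(header))
```

Every request the scanner makes to a basic-auth-protected page carries this header, so a scan of a plain-HTTP site replays the scanning account's password across the network on each request.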

Plone releases fixes for 24 vulnerabilities

Using SQL Trusted Connections with ASP.NET

Hard-coding passwords into your application or your web site is a bad thing. Microsoft SQL Server can use "trusted connections" (Windows authentication) to authenticate your database connection against the Windows login your code runs as, so no password is ever sent to SQL Server, just your login name and an authentication token. But once you come to use this feature in ASP.NET you run into problems, because of how ASP.NET works and the user it runs as. In a default configuration ASP.NET runs as (or rather, in the context of) the ASPNET user on the local machine (on IIS 6 and later the worker process runs as NETWORK SERVICE or the application pool's identity instead). If your SQL Server is on the same machine as your ASP.NET pages then trusted connections are easy: simply grant that account a login and the appropriate permissions within SQL Server and change your connection string to use Integrated Security=SSPI or Trusted_Connection=true, depending on your connection string style. The problem arises when your SQL Server and your IIS/ASP.NET server are on separate machines, which is a typical setup: a local machine account is not recognized by a remote SQL Server, so you need either a domain account for the worker process or impersonation of an authenticated user.

Impersonation

<system.web> ...

grimwepa - Project Hosting on Google Code

GRIM WEPA was written in Java and is intended for use with the Linux operating system (specifically the BackTrack 4 distribution). GrimWepa 1.1 has been translated for Português-Brasil users; it is available in the downloads section.

GRIM WEPA is no longer being supported. GRIM WEPA is on an indefinite hiatus while I work on other projects. Please use Wifite instead of GRIM WEPA, and update your bookmarks and links accordingly. This project will remain open so that I may eventually update GrimWepa.

GRIM WEPA is a password cracker for both WEP- and WPA-encrypted access points (routers). Note: the settings and configuration file for Grim Wepa is saved to /etc/grimwepa.conf. GRIM WEPA's cracking methods are archaic and have been around for years. The BackTrack 4 Linux distribution has a default WEP/WPA cracker, but it does not work properly for me; also, the Spoon series does not run properly for me on BT4, so I created GRIM WEPA for myself and as an homage to shamanvirtuel. Run GRIM WEPA as root!
