Saturday, August 6, 2011

Universal DEP/ASLR bypass with msvcr71.dll

     Days after Corelan shared their generic/universal ROP chain, I decided to give it a try and see whether I could build my own.
     The trip inside the DLL was very fun and instructive; I had the opportunity to meet many gadgets ;-)
     A commercial ROP chain from White Phosphorus can be found here: http://www.whitephosphorus.org/sayonara.txt

     OK, let's get back to the ROP chain:
  In order to use it, you have to be able to load msvcr71.dll.
  The ROP chain size (22 dwords) is the same as the commercial one.
  It works on XP and Windows 7 (I didn't test on Vista, 2003 or 2008 Server).
  The chain is null-byte free.
  The chain works without any particular setup in terms of preparing registers.

Feel free to use the chain in your exploits and don’t forget to credit me ;-)


Monday, May 16, 2011

Exploit Development Made Easy with pvefindaddr

    Hi all,
    This tutorial aims to show the utility of the Immunity Debugger pycommand pvefindaddr.
    In this tutorial I’ll use a vulnerability in Chasys Media Player.
    To download the application: http://www.chachaslab.com/chasys_media.php
    For more information: Bypassing SafeSeh

    Triggering the vulnerability:
    When opening a malformed playlist (.m3u), the application crashes.
    We’ll use the following simple Perl script to create the .m3u file:





Friday, April 1, 2011

Word List Builder Buffer Overflow Write-Up

     Hi All,
     This is just a write-up about the Word List Builder buffer overflow.
     If you’re not familiar with buffer overflows, please read these tutorials:
     Exploit writing tutorial part 1 : Stack Based Overflows
     Exploit writing tutorial part 3 : SEH Based Exploits

     Triggering the vulnerability:

     Well, opening an invalid (.dic) file will cause the overflow.
     Now we have to find the “next SEH” & “SEH” offsets.
     Run: !pvefindaddr suggest

Friday, February 18, 2011

SQL Injection Tutorial

I. Introduction:
In the following article I'm not trying to introduce anything new.
As a pentester and a web developer, I can say that more than 90% of today's web applications seem to be vulnerable to SQL injection and many other kinds of vulnerabilities,

II. What is SQL Injection?
SQL Injection is composed of two words; let's start with the second one:
- Injection: if we look in the dictionary, we'll find that injection means the act of putting one thing into another.
- SQL: Structured Query Language.

According to Wikipedia, SQL Injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL Injection attacks are also known as SQL insertion attacks.
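
As an added illustration of the definition above (example code written for this page, not part of the original post), here is a login check in Python/sqlite3 with the string-spliced query beside its parameterized form; the table, user name and password are constructed test data, and the password is stored as a plain string only to keep the example short.

```python
import sqlite3


def setup_db():
    # Constructed in-memory table with one test user (not a real credential).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def build_vulnerable_sql(name, password):
    # The string literal escape character (') in user input is not filtered,
    # so the input becomes part of the statement's structure, not its data.
    return "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)


def login_vulnerable(conn, name, password):
    return conn.execute(build_vulnerable_sql(name, password)).fetchone() is not None


def login_safe(conn, name, password):
    # Parameters are sent separately from the statement text; the driver binds
    # them as values, so a quote inside the input can never alter the query.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"
    print(build_vulnerable_sql("alice", tautology))
    print("vulnerable:", login_vulnerable(db, "alice", tautology))  # True
    print("safe:      ", login_safe(db, "alice", tautology))        # False
```

Printing the built statement is the quickest way to see why the first version accepts the tautology: the closing quote ends the password literal and the rest is evaluated as SQL.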

III. SQL Injection Example:

Tuesday, January 11, 2011

WordList Creator

We all know that brute forcing and password cracking rely on the quality of the wordlist.

So, I decided to share a tool I developed in my free time.
I named it WordList Creator.

The WordList Creator enables you to collect words from web pages, the result can be saved in a new WordList or appended to an existing WordList, with no duplicates.

How it works:
The WordList Creator has two modes of operation:
  1. The first one consists of querying Google to collect all links, and then collect all the words found in those links.
  2. The second one is similar to the first, except that the links are gathered from a text file.
The rar file contains the source & the jar file.
Download WordList Creator


** If you encounter a bug, please report it.

Wednesday, December 15, 2010

Google Hacking Database


    If you do not already know, Google can be used by malicious persons to hack websites, servers, credit cards, and so on.

Ohhh yes, Google is the best friend of hackers: using what are called GOOGLE DORKS, a hacker can easily find exploitable vulnerabilities and mount attacks that will allow access to the vulnerable target.

   Google dorks are combinations of words used as search keywords.

   The Google Hacking Database (GHDB) is a project started by Johnny Long, and located at: http://www.hackersforcharity.org/ghdb/
For more information follow the link: http://www.exploit-db.com/google-hacking-database-reborn/ 

   Now time to demonstrate the power of the Google Hacking Database,