Posted by SkyLined on March 8th, 2010 in Browsers, Internet Explorer, Repro and Security ·
Quoting http://msdn.microsoft.com/en-us/library/aa930622.aspx:
typedef struct tagBITMAPINFOHEADER {
    DWORD biSize;
    LONG  biWidth;
    LONG  biHeight;
    WORD  biPlanes;
    WORD  biBitCount;
    DWORD biCompression;
    DWORD biSizeImage;
    LONG  biXPelsPerMeter;
    LONG  biYPelsPerMeter;
    DWORD biClrUsed;
    DWORD biClrImportant;
} BITMAPINFOHEADER;
“If the bitmap is a packed bitmap (a bitmap in which the bitmap array immediately follows the BITMAPINFO header and is referenced by a single pointer), the biClrUsed member must be either zero or the actual size of the color table.”
ANI files store each frame of the animated cursor as a packed bitmap inside the ANI file…
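The quoted rule matters because in a packed bitmap there is no separate pointer to the pixel data: a consumer finds the pixel array by adding the header size and the color table size, and the color table size is derived from biClrUsed and biBitCount. As an added example (written for this page, not SkyLined's code and not Microsoft's), the C program below parses a packed, uncompressed DIB the way a careful consumer should: it bounds biClrUsed by what the bit depth allows, treats zero as "full table", and checks that both the table and the pixel array fit inside the buffer before reporting where they are. The struct, enum and function names other than BITMAPINFOHEADER are this example's own, the sample buffers are constructed inline, a little-endian host is assumed, and only the packed DIB itself is handled, not any surrounding ANI/RIFF structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BITMAPINFOHEADER as quoted above; packed so that sizeof == 40. */
#pragma pack(push, 1)
typedef struct {
    uint32_t biSize;
    int32_t  biWidth;
    int32_t  biHeight;
    uint16_t biPlanes;
    uint16_t biBitCount;
    uint32_t biCompression;
    uint32_t biSizeImage;
    int32_t  biXPelsPerMeter;
    int32_t  biYPelsPerMeter;
    uint32_t biClrUsed;
    uint32_t biClrImportant;
} BITMAPINFOHEADER;
#pragma pack(pop)
#define BI_RGB 0

/* Where the parts of a packed DIB sit in the buffer (this example's own struct). */
typedef struct {
    size_t color_table_entries;  /* RGBQUAD entries that follow the header */
    size_t pixel_offset;         /* offset of the pixel array from buffer start */
    size_t pixel_bytes;          /* bytes the pixel array occupies */
} packed_dib_layout;

/* Error codes are this example's own convention. */
enum { DIB_OK = 0, DIB_ERR_SHORT = -1, DIB_ERR_BISIZE = -2, DIB_ERR_PLANES = -3,
       DIB_ERR_COMPRESSION = -4, DIB_ERR_DIMENSIONS = -5, DIB_ERR_CLRUSED = -6,
       DIB_ERR_BITCOUNT = -7, DIB_ERR_TRUNCATED = -8 };

/* Locate the color table and pixel array of a packed BI_RGB DIB without
   trusting any header field that has not been checked against len. */
int parse_packed_dib(const uint8_t *buf, size_t len, packed_dib_layout *out)
{
    BITMAPINFOHEADER hdr;
    if (len < sizeof hdr) return DIB_ERR_SHORT;
    memcpy(&hdr, buf, sizeof hdr);                 /* little-endian host assumed */
    if (hdr.biSize < sizeof hdr || hdr.biSize > len) return DIB_ERR_BISIZE;
    if (hdr.biPlanes != 1) return DIB_ERR_PLANES;
    if (hdr.biCompression != BI_RGB) return DIB_ERR_COMPRESSION;
    if (hdr.biWidth <= 0 || hdr.biHeight == 0) return DIB_ERR_DIMENSIONS;

    /* biClrUsed sets the color table size and therefore where the pixel array
       starts; bound it by what the bit depth allows instead of trusting it. */
    size_t entries;
    switch (hdr.biBitCount) {
    case 1: case 4: case 8: {
        size_t max_entries = (size_t)1 << hdr.biBitCount;
        if (hdr.biClrUsed > max_entries) return DIB_ERR_CLRUSED;
        entries = hdr.biClrUsed ? hdr.biClrUsed : max_entries;   /* 0 = full table */
        break;
    }
    case 16: case 24: case 32:        /* no palette required; optional table allowed */
        if (hdr.biClrUsed > 256) return DIB_ERR_CLRUSED;
        entries = hdr.biClrUsed;
        break;
    default:
        return DIB_ERR_BITCOUNT;
    }
    uint64_t pixel_offset = (uint64_t)hdr.biSize + (uint64_t)entries * 4;
    if (pixel_offset > len) return DIB_ERR_TRUNCATED;

    /* Rows are padded to 32-bit boundaries; a negative biHeight means top-down. */
    uint64_t stride = (((uint64_t)hdr.biWidth * hdr.biBitCount + 31) / 32) * 4;
    uint64_t rows = hdr.biHeight < 0 ? (uint64_t)(-(int64_t)hdr.biHeight)
                                     : (uint64_t)hdr.biHeight;
    if (rows > (len - pixel_offset) / stride) return DIB_ERR_TRUNCATED;

    out->color_table_entries = entries;
    out->pixel_offset = (size_t)pixel_offset;
    out->pixel_bytes = (size_t)(stride * rows);
    return DIB_OK;
}

/* Constructed sample input: a zeroed packed DIB sized exactly as its header
   claims, the way a writer that trusts biClrUsed would lay it out.
   Returns the length written, or 0 if it does not fit in cap. */
size_t build_sample_packed_dib(uint8_t *buf, size_t cap, uint16_t bpp,
                               int32_t w, int32_t h, uint32_t clr_used)
{
    BITMAPINFOHEADER hdr = {0};
    hdr.biSize = sizeof hdr;  hdr.biWidth = w;  hdr.biHeight = h;  hdr.biPlanes = 1;
    hdr.biBitCount = bpp;  hdr.biCompression = BI_RGB;  hdr.biClrUsed = clr_used;
    size_t entries = (bpp <= 8 && clr_used == 0) ? ((size_t)1 << bpp) : clr_used;
    size_t stride = (((size_t)w * bpp + 31) / 32) * 4;
    size_t total = sizeof hdr + entries * 4 + stride * (size_t)(h < 0 ? -h : h);
    if (total > cap) return 0;
    memset(buf, 0, total);
    memcpy(buf, &hdr, sizeof hdr);
    return total;
}

int main(void)
{
    uint8_t buf[4096];
    packed_dib_layout lay;
    size_t n = build_sample_packed_dib(buf, sizeof buf, 8, 2, 2, 0);
    int rc = parse_packed_dib(buf, n, &lay);
    printf("8bpp, biClrUsed=0: rc=%d entries=%zu pixels@%zu\n", rc, lay.color_table_entries, lay.pixel_offset);
    n = build_sample_packed_dib(buf, sizeof buf, 4, 2, 2, 300);
    printf("4bpp, biClrUsed=300 (more than a 4-bit palette can hold): rc=%d\n", parse_packed_dib(buf, n, &lay));
    n = build_sample_packed_dib(buf, sizeof buf, 8, 2, 2, 16);
    printf("8bpp, biClrUsed=16, one byte short: rc=%d\n", parse_packed_dib(buf, n - 1, &lay));
    return 0;
}
```

The second and third cases are the ones a parser that takes biClrUsed at face value gets wrong: an oversized table pushes the computed pixel offset past where the writer actually put the pixels (or past the end of the buffer), and a buffer that is even one byte shorter than stride times rows means the last row is read from whatever follows the bitmap in memory.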
Posted by SkyLined on March 1st, 2010 in Browsers, HTML, Internet Explorer, JavaScript, PoC, Programming Languages and Security ·
In 2005 I released Internet Exploiter 2, which helped make heap spraying popular in browser exploits…
Posted by SkyLined on January 20th, 2010 in Browsers, Internet Explorer, JavaScript, Programming Languages, Repro and Security ·
Two crashes caused by NULL pointer dereferences have been discovered in MSIE 6.0/7.0. These issues do not affect MSIE 8.0…
Posted by SkyLined on January 11th, 2010 in Assembler, Programming Languages, Security and Shellcode ·
Everyone and their dog seems to want to use download-and-execute shellcode in their exploits, even though it has some drawbacks:
You need to create an .exe file on the system, which will very likely draw unwanted attention…
Posted by SkyLined on January 11th, 2010 in Assembler, C/C++, Programming Languages, Security, Shellcode and Tools ·
During shellcode development, it makes sense to have a program that can easily load your shellcode at a controllable location, set registers and memory to chosen values, and execute the shellcode by setting EIP through a RET or CALL instruction.
The Testival project aims to do all those things and more: it also lets you test ret-into-libc attacks, choose the type of memory allocation you want (RWE flags, etc…), report exceptions in your code to stdout, and load DLLs to test shellcode in DllMain.
Testival is used by ALPHA3 for automatically testing if all the en-/decoders work.
Testival requires SkyBuild to automatically build all files.
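As an added illustration of what such a harness has to do (this is example code written for this page, not Testival, and it targets POSIX/Linux rather than Windows), the C program below maps a payload near a caller-chosen address, applies the protection flags to test under (RWX, RX, or read-only), enters the payload with a CALL so that its RET comes back into the harness, and reports any fault (signal number and faulting address) instead of letting the process die. Function and struct names are this example's own; the two payloads are hand-assembled x86/x86-64 byte strings constructed for the demo, so the demo only makes sense on those architectures.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* sigaction/siginfo_t and MAP_ANONYMOUS on glibc */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Outcome of one run (this example's own struct). */
typedef struct {
    void *where;       /* address the payload was actually mapped at */
    int   faulted;     /* 1 if a signal interrupted the payload */
    int   signo;       /* which signal, when faulted */
    void *fault_addr;  /* si_addr, when faulted */
    long  ret;         /* value left in EAX/RAX when the payload returned */
} run_result;

static sigjmp_buf recover;
static volatile sig_atomic_t g_signo;
static void *volatile g_fault_addr;

static void on_fault(int signo, siginfo_t *si, void *ctx)
{
    (void)ctx;
    g_signo = signo;
    g_fault_addr = si->si_addr;
    siglongjmp(recover, 1);             /* unwind back into run_payload */
}

/* Map len bytes near hint (mmap may pick another address; the real one is
   reported in res->where), copy the payload in, apply the PROT_* mask the
   caller wants to test under, and enter the payload with a CALL.  A RET brings
   control back here; a fault is reported instead of killing the process. */
int run_payload(const uint8_t *code, size_t len, void *hint, int prot, run_result *res)
{
    memset(res, 0, sizeof *res);
    uint8_t *mem = mmap(hint, len, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, code, len);
    if (mprotect(mem, len, prot) != 0) { munmap(mem, len); return -1; }
    res->where = mem;

    struct sigaction sa, old[3];
    const int sigs[3] = { SIGSEGV, SIGBUS, SIGILL };
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    for (int i = 0; i < 3; i++) sigaction(sigs[i], &sa, &old[i]);

    if (sigsetjmp(recover, 1) == 0) {    /* 1: restore the signal mask on longjmp */
        long (*entry)(void) = (long (*)(void))mem;
        res->ret = entry();              /* CALL into the payload */
    } else {
        res->faulted = 1;
        res->signo = g_signo;
        res->fault_addr = g_fault_addr;
    }

    for (int i = 0; i < 3; i++) sigaction(sigs[i], &old[i], NULL);
    munmap(mem, len);
    return 0;
}

/* Constructed x86/x86-64 payloads, assembled by hand for this example. */
static const uint8_t sc_ret_1337[]   = { 0xB8, 0x37, 0x13, 0x00, 0x00, 0xC3 }; /* mov eax,0x1337; ret */
static const uint8_t sc_null_deref[] = { 0x31, 0xC0, 0x8B, 0x00, 0xC3 };       /* xor eax,eax; mov eax,[eax]; ret */

int main(void)
{
    run_result r;
    run_payload(sc_ret_1337, sizeof sc_ret_1337, NULL, PROT_READ | PROT_EXEC, &r);
    printf("RX:   faulted=%d ret=0x%lx mapped at %p\n", r.faulted, r.ret, r.where);
    run_payload(sc_ret_1337, sizeof sc_ret_1337, NULL, PROT_READ, &r);
    printf("R--:  faulted=%d signo=%d addr=%p (NX fetch at the payload itself)\n",
           r.faulted, r.signo, r.fault_addr);
    run_payload(sc_null_deref, sizeof sc_null_deref, NULL, PROT_READ | PROT_EXEC, &r);
    printf("NULL deref: faulted=%d signo=%d addr=%p\n", r.faulted, r.signo, r.fault_addr);
    return 0;
}
```

The second run is the case a selectable allocation type exists for: with NX enforced, the fault address equals the payload's own first byte, which tells you immediately that the memory, not the shellcode, is the problem. The third run shows the exception report a decoder bug would produce, with the faulting address pointing at the bad dereference rather than at a crash somewhere after the process has already died.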
Posted by SkyLined on January 10th, 2010 in Assembler, PoC, Programming Languages, Python, Security and Tools ·
I realized that if I would wait until I had fully documented everything in ALPHA3, it would probably never get released…
Posted by SkyLined on January 2nd, 2010 in Assembler, Programming Languages, Security and Shellcode ·
One limitation of most alphanumeric shellcode decoders, including those in ALPHA2 and the soon-to-be-released ALPHA3, is that they need to know where they are located in memory in order to decode themselves and run correctly…
Posted by SkyLined on January 2nd, 2010 in Assembler, Programming Languages, Security and Shellcode ·
w32-bind-ngs-shellcode is a small, null-free 32-bit Windows port-binding shellcode. The total shellcode is currently 214 bytes and supports Windows 5.0-7.0 all service packs…
Posted by SkyLined on January 2nd, 2010 in Programming Languages, Python, Security and Tools ·
As part of my New Year’s resolutions, I am releasing BETA3, the follow up to BETA2. BETA3 is a multi-format shellcode encoding tool that can be used to turn binary shellcode into text for use in exploits…