Testival released

During shellcode development, it makes sense to have a program that can easily load your shellcode at a controllable location, allows you to set registers and memory to certain values, and executes the shellcode by setting EIP through a RET or CALL instruction.

The Testival project aims to do all those things and more: it also allows you to test ret-into-libc attacks, set the type of memory allocation you want (RWE flags, etc…), report exceptions in your code to stdout as well as load DLLs to test shellcode in DllMain.

Testival is used by ALPHA3 for automatically testing if all the en-/decoders work.

Testival requires SkyBuild to automatically build all files.

ALPHA3 released

I realized that if I would wait until I had fully documented everything in ALPHA3, it would probably never get released…

Countslide alphanumeric GetPC

One limitation of most alphanumeric shellcode decoders, including those in ALPHA2 and the soon-to-be-released ALPHA3 is that they need to know where they are located in memory in order to decode themselves and run correctly…

w32-bind-ngs-shellcode released

w32-bind-ngs-shellcode is a small, null-free 32-bit Windows port-binding shellcode. The total shellcode is currently 214 bytes and supports Windows 5.0-7.0 all service packs…

BETA3 released

As part of my New Year’s resolutions, I am releasing BETA3, the follow-up to BETA2. BETA3 is a multi-format shellcode encoding tool that can be used to turn binary shellcode into text for use in exploits…

Memory corruption when loading/unloading Adobe objects through EMBED tag in Firefox

(a.k.a. CVE-2009-2983)

Adobe fixed a bug in various COM objects. Loading and unloading these objects in a webpage in Firefox allows memory corruption, which can be exploited to execute arbitrary code…

MSIE Content-Encoding: deflate memory corruption vulnerability

(a.k.a. MSRC 8769, MS09-054, CVE-2009-1547, “Data Stream Header Corruption Vulnerability”)

Microsoft fixed a bug in Internet Explorer’s “Content-Encoding:deflate” implementation…

Shellcode: finding the base address of kernel32 in Windows 7

If you’ve coded shellcode before, you know that the code often needs to find out the base address where kernel32.dll is loaded in memory. Most publicly available code expects the second entry in the “InitializationOrder” list to be kernel32…

MS09-014: EMBED element memory corruption

Microsoft has just released a fix for an issue I reported to them on December 4th, 2008. A simple repro can be found here

MSIE screen[""] NULL ptr DoS details

MSIE can be made to crash with a NULL ptr Read AV by executing a very small piece of JavaScript. This affects MSIE 6.0, 7.0 and 8.0 beta2…