‘Advances in Format String Exploits’

‘Format string bugs are a method of abusing incorrect usage of the format functions like printf, sprintf, snprintf, fprintf, vfprintf and the likes. When these functions are called they require that a version specifier is used to display the data stored in one or more directives. The following paper will illustrate more advance methods of exploiting format string vulnerability, whenever complex cases present themselves.’

Read More »

‘XSS Virus Whitepaper’

The following paper explores the new threat of cross-site scripting (XSS) viruses. To date, cross site scripting has never been utilised to generate viruses. These viruses are a new species which are platform independent and not affected by common firewall configurations. XSS viruses could have a significant impact for Internet continuity, including distributed denial of service (DDOS) attacks, SPAM and dissemination of browser exploits. This is particularly relevant with the increasing sophistication of web browsers and the growing popularity of web based applications such as Wikis and Blogs.’

Read More »

‘Smack the Stack – Advanced Buffer Overflow Methods (Virtual Address)’

From time to time, a new patch or security feature is integrated to raise the bar on buffer overflow exploiting. The paper linked here includes five creative methods to overcome various stack protection patches, but in practice focus on the VA (Virtual Address) space randomization patch that have been integrated to Linux 2.6 kernel. These methods are not limited to this patch or another, but rather provide a different approach to the buffer overflow exploiting scheme.’

Read More »

‘Linux Virtual Addresses Exploitation’

Linux kernel recently incorporated a protection which randomizes the stack making exploitation of stack based overflows more difficult. Micheal presents here an attack which works on exploiting static addresses in Linux. You should be familiar with standard stack smashing before attempting this paper.’

Read More »

‘Exploring Windows CE Shellcode’

The linked paper discusses the problems involved in writing shellcode for Windows CE/ARM and goes on to develop an exploit. The full source for the exploit and related utilities is included.’

Read More »

‘Exploiting kmalloc Based Buffer Overflows’

‘kmalloc – ‘Linux Kernel memory allocation routine, kmalloc() ensures physical address contiguity’. Qobaiashi has published a paper that introduces a technique that would allow attackers to exploit kmalloc based overflows in Linux kernel modules.’

Read More »

‘Exploiting The XmlHttpRequest Object In IE’

‘XmlHttpRequest is a Javascript object that allows a client side Javascript code to send almost raw HTTP requests to the origin host and to access the response’s body in raw form. As such, XmlHttpRequest is a core component of AJAX.

XmlHttpRequest implementation in IE can be exploited to perform Referer spoofing, HTTP Request Smuggling and web-scanning.

Read More »

‘Writing Small Shellcode In Windows’

This paper describes an attempt to write Win32 shellcode that is as small as possible, to perform a common task subject to reasonable constraints. The solution presented implements a bindshell in 191 bytes of null-free code, and outlines some general ideas for writing small shellcode.’

Read More »

‘Understanding and Preventing DNS-related Attacks by Phishers’

‘Exploiting well known flaws in DNS services and the way in which host names are resolved to IP addresses, Phishers have upped the ante in the cyber war for control of a customer’s online identity for financial gain.

A grouping of attack vectors now referred to as ‘Pharming’, affects the fundamental way in which a customer’s computer locates and connects to an organisations online offering. Enabling the Pharmer to reach wider audiences with less probability of detection than their Phishing counterparts, pharming attacks are capable of defeating many of the latest defensive strategies used customer and online retailer alike.

This paper, extending the original material of ‘The Phishing Guide’, examines in depth the workings of the name services of which Internet-based customers are dependent upon, and how they can be exploited by Pharmers to conduct identity theft and financial fraud on a massive scale.’

Read More »

‘Bypassing Windows Heap Protections’

Nicolas Falliere posted an article explaining how to bypass Windows heap protections and to perform heap overflow in general. In this article Nicolas presents a new way to exploit heap-based buffer overflows..’

Read More »

‘ICMP Attacks Against TCP’

It is possible to attack TCP connections by forging ICMP packets and sending them to the server. The whitepaper linked below discusses the problem and means to solve it, as well as attack tools to exploit the vulnerabilities.’

Read More »

‘NTLM HTTP Authentication is Insecure By Design’

‘In ‘Meanwhile on the other side of the webserver’ Amit surveyed some possible attacks against a scenario wherein a proxy server is positioned in front of a web server, and that proxy server shares a single TCP connection to the server among several clients. In that write-up, Amit mentioned several problems related to HTTP Request Smuggling ( and HTTP Response Splitting (

These are attacks that make use of non-RFC HTTP requests (HTTP Request Smuggling) or inject unexpected data (CRLF) through the application into the HTTP response stream (HTTP Response Splitting). In contrast, this write-up discusses a completely different problem, one which is inherent to the situation of a connection-oriented authentication/authorization protocol (e.g. NTLM authentication) used with a proxy server that shares TCP connections among several clients. Exploiting this vulnerability can be performed with 100% RFC compliant HTTP requests, and without attacking the application (i.e. without sending malicious data to the application).’

Read More »

‘DOM Based Cross Site Scripting’

‘We all know what Cross Site Scripting (XSS) is, right? It’s that vulnerability wherein one sends malicious data (typically HTML stuff with Javascript code in it) that is echoed back later by the application in an HTML context of some sort, and the Javascript code gets executed.

Well, wrong. There is a kind of XSS that does not match this description, at least not in some of its fundamental properties. The XSS attacks described above are either non-persistent / reflected (i.e. the malicious data is embedded in the page that is returned to the browser immediately following the request) or persistent / stored (in which case the malicious data is returned at some later time).

But there s also a third kind of XSS attacks – the ones that do not rely on sending the malicious data to the server in the first place! While this seems almost contradictory to the definition or to common sense, there are, in fact, two well described examples for such attacks.

This technical note discusses the third kind of XSS, dubbed ‘DOM Based XSS’. No claim is made to novelty in the attacks themselves, of course, but rather, the innovation in this write-up is about noticing that these belong to a different flavor, and that flavor is interesting and important.’

Read More »

‘Analysis of a win32 Userland Rootkit’

‘A rootkit is a program designed to control the behavior of a given machine. This is often used to hide the illegitimate presence of a backdoor and others such tools. It acts by denying the listing of certain elements when requested by the user, affecting thereby the confidence that the machine has not been compromised. Presented here an analysis of a Userland rootkit for Microsoft Windows.

Read More »

‘Second-Order Symlink Vulnerabilities’

Recently, Eric Romang of ZATAZ Audits reported several symlink issues that are different than the usual symlink vulnerabilities [1] [2]. There are probably a large number of applications that are safe with respect to traditional symlink problems, but vulnerable to this particular variant.

Specifically, the problem arises when one program, ‘PARENT,’ invokes another program, ‘CHILD,’ in which:
 – The CHILD has a ‘standalone’ design, i.e. its normal mode of operation is to be run by an interactive user, or a script on behalf of the user

 – The CHILD does not run with more privileges than the user that invokes it, e.g. it is not setuid

 – The CHILD program assumes that the user calling the program has control over all files that are specified as arguments, i.e. the specified filenames are trusted

 – The CHILD program follows symlinks

 – The PARENT uses filenames that are passed as arguments to the CHILD

 – The filenames as used by the PARENT are:
  – Controllable, or predictable, by the attacker, and
  – In a directory that’s writable by the attacker;

The attacker could then use a symlink attack on the filename arguments that the PARENT passes to the CHILD.
This variant might be referred to as a ‘Second Order Symlink Vulnerability’.’

Read More »