Continuing from Java Dynamic Instrumentation #1, this post will cover some more advanced features of the Javassist API. In the previous post, we went over the ClassPool, CtClass, and CtMethod classes and how to add code to the beginning and end of a method. In this post, we will cover
Instrumentation is the process of injecting code into a compiled program. In Java, this can be done statically and dynamically. Using static intrumentation, a class' bytecode is modified and saved to disk; permanently modifying the class. With dynamic instrumentation, the class' bytecode is modified in memory right before
This exercise is compiled on Debian 2.6.32 with NX and ASLR enabled. However, those protections do not effect the difficulty of the exercise. Exploiting this challenge could have been performed with or without those protections. ABO #3 source code: {% highlight c %} /* abo3.c * * specially crafted to feed your
After my last post, I decided to go straight into the Advance Buffer Overflow (ABO) section and practice more ROP. The first ABO exercise was a straight-forward buffer overflow. ABO #1 source code: {% highlight c %} /* abo1.c * * specially crafted to feed your brain by gera */ /* Dumb example to let you
A lot of programming languages, like C, C++, Java, Python, Ruby, etc, have exception support. In the event of an exception, the program searches back through the stack of function calls until an exception handler is found. Actually, the pointers to the exception handler are stored in the stack frame
While doing a JavaScript exploit I encountered that there isn’t a convenient function in JavaScript to set specific code to a specific offset in a given string. For example: Given the string “1234567890” If you want to change the substring “567” to “756” for it to become “1234765890” you
I started gera's exercises on format strings vulnerabilities. I am going to start on the stack next. This post will be my first ROP practice and it was fun :). The main purpose of "warming up the stack" exercises is to just bypass the canary. However, I
Web200 For this challenge, credentials were provided. We see the following page upon logging in: Clearly, this site doesn't get many visitors Nothing particularly stands out. To the source! <iframe src="content/news.php?type=1"></iframe> It seems the news content
This challenge provided a pcap file and the question ''What am I searching for?". A hint dropped in the irc channel by hockeyinjune helped us to look in the right place. All this challenge required was to look at the http traffic in wireshark and analyze some
Web 400 Upon visiting the site we are greeted with a login page. My, that person certainly is TALL. No credentials were provided as a hint for this challenge, so we'll have to brute force them. Some common combinations to try are administrator:123456, user:qwerty, admin:password,
For Web Challenge 300, you were presented with a news website, BluesNews. Although we're not told what we need to do, we probably want administrator access. Let's take a look at all the possible attack vectors to help us get the access we want. Clicking one
This past weekend, the ISIS lab held CSAW CTF quals. For more information about the event see: csawctf.poly.edu Here is the description for bin2 Bin2 - 300 Points ssh csawctf.poly.edu:30002 binary: bin2 Environment: ASLR, Ubuntu 11.04 {% highlight bash %} user21000@ubuntu:~$ uname -a Linux ubuntu
