Here's a simple program to illustrate a stack smash. {% highlight bash %} $ date Wed Sep 14 11:36:21 EDT 2011 $ uname -a FreeBSD fbsd.local 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Feb 18 02:24:46 UTC 2011 root@almeida.cse.buffalo.edu:/usr/obj/usr/src/
This post is long overdue. I decided to step it up from FreeBSD to Debian. The last format string challenge from gera is a vanilla format string. You can find this challenge here. {% highlight c %} /* fs5.c * * specially crafted to feed your brain by gera */ /* go, go, go! */ int main(
This is a summary of [Iwaniuk 2011] PHP 5.3.6 (source) uses two slightly different datastructures to handle metadata on a file upload/multifile upload [RFC 1867]. PHP gates which of these codepaths and datastructures to use based on user controlled input, and it is possible to mangle the
One more completed challenge is needed before we can declare format strings dead. This challenge from the format string section of Gera's Insecure Programming is basically solvable using the same approach as challenge #3. I am going to keep this post brief. If you want a more detail
This article discusses a new bug class that was introduced in XMLHttpRequest Level 2, how the bug manifests and some solutions to different problems. HTML5 is a hot topic in web security today. Mostly because of how expansive it is in relation to older web specifications, but also because it
This gera's insecure programming challenge is solvable (pwnable) in a similar fashion as my previous post. The challenge's source is posted. The challenge can be found at gera's format string 3 {% highlight c%} /* fs3.c * * specially crafted to feed your brain by riq */ /* Not
Here is the write-up for the DEFCON 19 quals challenge b100 run by DDTEK. This one is somewhat funny. Description Category: Binary L33tness Your journey begins: Download jtd@hackbox:~/DEFCONquals2011/bl100$ ./b100_6817e51fa3b60f176b56 ./b100_6817e51fa3b60f176b56 [1-11|all] jtd@hackbox:~/DEFCONquals2011/bl100$ ./b100_6817e51fa3b60f176b56 ./b100_6817e51fa3b60f176b56 [1-11|all] 1 Running this
This article describes ELF relocation sections, how to abuse them for arbitrary code execution, and how to protect them at runtime. ELF Relocation Sections A dynamically linked ELF binary uses a look-up table called Global Offset Table (GOT) to dynamically resolve functions that are located in shared libraries. When you
Now that this semester is completed, I can continue going through gera's execises =). For reference, the program is below: {% highlight c%} /* fs2.c * * specially crafted to feed your brain by gera */ /* Can you tell me what's above the edge? */ int main(int argv,char **argc) { char
The basic database QUERY expression for a simple login is: [sql] SELECT * FROM users WHERE username = 'phillip' AND password = 'taco' [/sql] Which boils down to: "Login if T ∧ T" where in this case the first T is the result the database returns when username
A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of
Evidence of recent attacks on major political and financial systems suggests that large-scale attacks on critical infrastructures are still a focus of attackers, despite recent reports that cyber attackers are focusing on smaller targets. In an article titled “Are We Ready for a Financial Cyber Attack” the Wall Street Journal
