0xCC'd
We spend a lot of time preparing for Blackhat, and as part of putting together content for the show, one of our best, Lurene Grenier, submitted an unexpected piece of content: a poem. Now this poem isn't our regular security research or a shiny piece of corporate corresponden
Defenders of the Faith
Quite recently, Tavis Ormandy released a 0-day vulnerability in a prominent piece of software. For this transgression, both he and his employer received a good deal of bad press. Sadly, very few in the professional security researcher crowd made enough noise about this, and to th
DEP and Heap Sprays
Usually when you need to use a heap spray, you're SOL when it comes to DEP. The reason for this has to do with why you used the heap spray in the first place. In the case of a vtable overwrite you need a chain of pointers to get the job done. A neat way to deal with this is t
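Added example, not code from the original post: a minimal C model of the dereference chain a vtable overwrite has to satisfy. A virtual call resolves object -> vtable pointer -> slot -> code, so corrupting only the vtable pointer is not enough; the memory it is redirected into must itself hold a pointer to the code you want, which is what a spray of repeated pointers provides. Under DEP that last hop still has to land in executable memory, so the spray can hold pointers but not the payload. The struct names, the `spray` array and the `hijacked()` target are all assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the original post). One virtual slot is enough to
 * show the chain: obj.vt -> vtable -> say -> code. */
typedef void (*method_t)(void *self);

struct vtable { method_t say; };
struct widget { struct vtable *vt; int id; };

static int last_callee;                 /* 1 = legit(), 2 = hijacked() */
static void legit(void *self)    { (void)self; last_callee = 1; }
static void hijacked(void *self) { (void)self; last_callee = 2; }

/* Stand-in for the sprayed heap (assumed): every slot holds the address of
 * hijacked(), so any landing point inside the region yields a usable "vtable".
 * The slot values are pointers to code in .text; the spray itself is data. */
#define SPRAY_SLOTS 4096
static method_t spray[SPRAY_SLOTS];

static void fill_spray(method_t target) {
    for (size_t i = 0; i < SPRAY_SLOTS; i++) spray[i] = target;
}

/* Intact object: the call goes through the real vtable to legit(). */
int dispatch_intact(void) {
    struct vtable real = { legit };
    struct widget w = { &real, 7 };
    w.vt->say(&w);
    return last_callee;
}

/* Overwritten object: vt is redirected to an arbitrary slot in the spray.
 * *vt is then a "vtable" whose first entry is hijacked(), so the same call
 * site now runs hijacked(). Returns -1 if the landing slot is out of range. */
int dispatch_overwritten(size_t landing_slot) {
    struct vtable real = { legit };
    struct widget w = { &real, 7 };
    if (landing_slot >= SPRAY_SLOTS) return -1;
    fill_spray(hijacked);
    w.vt = (struct vtable *)&spray[landing_slot];   /* the vtable pointer overwrite */
    w.vt->say(&w);
    return last_callee;
}

int main(void) {
    printf("intact: %d, overwritten: %d\n",
           dispatch_intact(), dispatch_overwritten(1234));
    return 0;
}
```

The two-level indirection is why a spray of raw shellcode is useless here: the first hop reads a pointer out of the spray, and only the second hop transfers control, so whatever sits at that second pointer is what has to be executable.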
Adobe Reader media.newPlayer() Analysis (CVE-2009-4324)
First off, it's not Friday, and hopefully you'll have a better weekend. The reason for that is that you are set with rules and clam sigs. Now, what the heck am I talking about? Last night Adobe released an advisory detailing an in-the-wild exploit for Adobe Acrobat that is current
Actual Conversation - botnets explained
[11:04] <[?] someone > Pusscat: basically I'm trying to walk a non-technical person through a simple IRC bot [11:04] <[?] someone > my goal was for my mom to be able to accurately describe a botnet [11:04] <[?] someone > like code chunk - this is the c&c inte
Bamboo -> angel tongue
#include <stdio.h>
struct newClass {
    char type;
    int size;
    char *data;
    void (*printer)(char*);
};
void painter(char *input) {
    char buf[4096];
    memcpy(buf, input, sizeof(buf)<strlen(input)?sizeof(buf):strlen(input));
    r
SMBv2 <air quotes> DoS </air quotes>
Here's the dirty dirty dirt dirt. (All addresses SP2) If you send an SMBv2 packet off to Vista SP1 or SP2 that specifies the NEGOTIATE command, and the ProcessIDHigh word is not set to 0x0000, you do not in fact get a DoS. What happens, is this: (Note that we control eax, a
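Added example, not code from the original post: an encoder and a checker for the 32-byte SMB header, so the two fields the post names (the Command byte set to NEGOTIATE and the ProcessIDHigh word) can be located and the "NEGOTIATE with ProcessIDHigh != 0x0000" condition flagged on the wire. The field layout used here is the classic SMB header (magic, Command, Status, Flags, Flags2, PIDHigh, SecuritySignature, Reserved, TID, PIDLow, UID, MID, little-endian), which is my assumption about what carries the ProcessIDHigh word; the function names, offsets as named constants, and the sample packets are constructed for this example and say nothing about what the server does with the value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not from the original post). Offsets into the 32-byte SMB
 * header; assumed layout, see the lead-in. */
#define SMB_HDR_LEN        32
#define SMB_COM_NEGOTIATE  0x72
#define OFF_COMMAND        4
#define OFF_PID_HIGH       12
#define OFF_PID_LOW        26

static void put_le16(uint8_t *p, uint16_t v) {
    p[0] = (uint8_t)v;
    p[1] = (uint8_t)(v >> 8);
}

static uint16_t get_le16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Writes a NEGOTIATE header into out (SMB_HDR_LEN bytes). Every field other
 * than Command, PIDHigh and PIDLow is left zero; this is a constructed header
 * for the example, not a capture. Returns the number of bytes written. */
size_t build_negotiate_header(uint8_t *out, uint16_t pid_high, uint16_t pid_low) {
    memset(out, 0, SMB_HDR_LEN);
    out[0] = 0xFF; out[1] = 'S'; out[2] = 'M'; out[3] = 'B';
    out[OFF_COMMAND] = SMB_COM_NEGOTIATE;
    put_le16(out + OFF_PID_HIGH, pid_high);
    put_le16(out + OFF_PID_LOW, pid_low);
    return SMB_HDR_LEN;
}

/* Returns 1 when pkt is an SMB NEGOTIATE whose ProcessIDHigh word is not
 * 0x0000, the condition the post singles out; 0 for anything else, including
 * short input or a non-SMB magic. */
int negotiate_has_pid_high(const uint8_t *pkt, size_t len) {
    static const uint8_t magic[4] = { 0xFF, 'S', 'M', 'B' };
    if (pkt == NULL || len < SMB_HDR_LEN) return 0;
    if (memcmp(pkt, magic, sizeof magic) != 0) return 0;
    if (pkt[OFF_COMMAND] != SMB_COM_NEGOTIATE) return 0;
    return get_le16(pkt + OFF_PID_HIGH) != 0;
}

/* Convenience: build a NEGOTIATE with the given PIDHigh and run the check. */
int check_built_negotiate(uint16_t pid_high) {
    uint8_t pkt[SMB_HDR_LEN];
    build_negotiate_header(pkt, pid_high, 0xFEFF);
    return negotiate_has_pid_high(pkt, sizeof pkt);
}

/* Convenience: the raw byte at offset off of a built NEGOTIATE, or -1. */
int built_byte_at(uint16_t pid_high, size_t off) {
    uint8_t pkt[SMB_HDR_LEN];
    if (off >= SMB_HDR_LEN) return -1;
    build_negotiate_header(pkt, pid_high, 0xFEFF);
    return pkt[off];
}
```

Two points a detection rule should keep in mind: the word is little-endian, so a PIDHigh of 0x1234 is the byte pair 34 12 at offsets 12 and 13, and the check has to bail out on anything shorter than the full header rather than read past the buffer.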
New Byakugan functionality - !jutsu searchVtptr
With heap metadata exploits going out of favor (hzon's fine work notwithstanding), I've recently gone after a number of vtable overwrites. This can be no fun at all to do by hand, so I've added some helpful code to byakugan to let you search for the pointers to point
Only whitehat journalists need Metasploit to hack oracle
I'm astounded at the number of crazy articles concerning the release of Oracle exploits for PATCHED vulnerabilities. How is it that Oracle in particular gets this kind of response, when Metasploit has been doing this with other vendors for years and years? Never mind the fact