Clik here to view.
Exploitme5 (Heap spraying & UAF)
If you haven’t already, read the previous articles (I, II, III, IV) before proceeding. For this example you’ll need to disable DEP. In VS 2013, go to Project→properties, and modify the configuration...
View ArticleClik here to view.
EMET 5.2
The acronym EMET stands for Enhanced Mitigation Experience Toolkit. As of this writing, the latest version of EMET is 5.2 (download). As always, we’ll be working on Windows 7 SP1 64-bit. Warning EMET...
View ArticleClik here to view.
IE10: Reverse Engineering IE
For this exploit I’m using a VirtualBox VM with Windows 7 64-bit SP1 and the version of Internet Explorer 10 downloaded from here. To successfully exploit IE 10 we need to defeat both ASLR and DEP....
View ArticleClik here to view.
IE10: From one-byte-write to full process space read/write
As we said before, if we can modify a single byte at an arbitrary address, we can get read/write access to the entire process address space. The trick is to modify the length field of an array (or...
View ArticleClik here to view.
IE10: God Mode (1)
When an html page tries to load and run an ActiveX object in IE, the user is alerted with a dialog box. For instance, create an html file with the following code:<html> <head> <script...
View ArticleClik here to view.
IE10: God Mode (2)
Fixing the God Mode Before doing something radical, let’s try to find out where the crash is. To do this, let’s add a few alerts:function createExe(fname, data) { alert("3"); //...
View ArticleClik here to view.
IE10: Use-After-Free bug
Until now, we have depended on WinDbg for modifying the length of an Int32Array to acquire full read/write access to the space address of the IE process. It’s high time we found a UAF to complete our...
View ArticleClik here to view.
IE11: Part 1
For this exploit I’m using a VirtualBox VM with Windows 7 64-bit SP1 and the version of Internet Explorer 11 downloaded from here: http://filehippo.com/download_internet_explorer_windows_7_64/tech/...
View ArticleClik here to view.
IE11: Part 2
Completing the exploit As we saw, the POC uses window.onload because it requires that the javascript code is executed after the page has fully loaded. We must do the same in our exploit. We also need...
View ArticleClik here to view.
More space on the stack
If you can’t get an exploit to work because you get a weird crash inside fread or some other access violation, the space on the stack might be insufficient for the payload. The easiest solution is to...
View Article