Channel: Exploit Development Community

Exploitme5 (Heap spraying & UAF)

If you haven’t already, read the previous articles (I, II, III, IV) before proceeding. For this example you’ll need to disable DEP. In VS 2013, go to Project→properties, and modify the configuration...

EMET 5.2

The acronym EMET stands for Enhanced Mitigation Experience Toolkit. As of this writing, the latest version of EMET is 5.2 (download). As always, we’ll be working on Windows 7 SP1 64-bit. Warning EMET...

IE10: Reverse Engineering IE

For this exploit I’m using a VirtualBox VM with Windows 7 64-bit SP1 and the version of Internet Explorer 10 downloaded from here. To successfully exploit IE 10 we need to defeat both ASLR and DEP....

IE10: From one-byte-write to full process space read/write

As we said before, if we can modify a single byte at an arbitrary address, we can get read/write access to the entire process address space. The trick is to modify the length field of an array (or...

IE10: God Mode (1)

When an HTML page tries to load and run an ActiveX object in IE, the user is alerted with a dialog box. For instance, create an HTML file with the following code:
<html> <head> <script...

IE10: God Mode (2)

Fixing the God Mode
Before doing something radical, let’s try to find out where the crash is. To do this, let’s add a few alerts:
function createExe(fname, data) { alert("3"); //...

IE10: Use-After-Free bug

Until now, we have depended on WinDbg for modifying the length of an Int32Array to acquire full read/write access to the address space of the IE process. It’s high time we found a UAF to complete our...

IE11: Part 1

For this exploit I’m using a VirtualBox VM with Windows 7 64-bit SP1 and the version of Internet Explorer 11 downloaded from here: http://filehippo.com/download_internet_explorer_windows_7_64/tech/...

IE11: Part 2

Completing the exploit
As we saw, the POC uses window.onload because it requires that the JavaScript code is executed after the page has fully loaded. We must do the same in our exploit. We also need...

More space on the stack

If you can’t get an exploit to work because you get a weird crash inside fread or some other access violation, the space on the stack might be insufficient for the payload. The easiest solution is to...
