Archive for October, 2006

MS-06-040 Exploit In Action!
October 28, 2006
Once again reader Didier Stevens has put together some tasty security goodness in the form of a video that shows the Microsoft MS-06-040 exploit in action! Pay attention to the tools that he’s using, and experience just how amazing the Metasploit Toolkit is.
Source : ittoolbox

return-into-libc Papers
October 27, 2006
return-into-libc is a very useful method for exploitation. Returning to libc is a method of exploiting a buffer overflow on a system that has a non-executable stack. It is very similar to a standard buffer overflow, in that the return address is changed to point at a new location that we can control. However, since no executable code is allowed on the stack, we can’t just place shellcode there.
The advanced return-into-lib(c) exploits
Exploitation – returning into libc
c0ntex – return to libc
Advances in Windows Shellcode
October 26, 2006
This paper will start with a dissection of a standard Win32 shellcode as an introduction. We will then explore the techniques used by proof-of-concept codes to allow an attacker to control the target, and their limitations. Then we will introduce a few alternative techniques, which we call “One-way shellcode”, and show how they may bypass firewall rules. Finally, we also discuss a possible way to transfer a file from the command line without breaking the firewall rule.
Source : Phrack
Bypassing windows BOF Protection
October 26, 2006
Bypassing 3rd Party Windows Buffer Overflow Protection
Recently, a number of commercial security systems started to offer protection against buffer overflows. This paper analyzes the protection claims and describes several techniques to bypass the buffer overflow protection. Existing commercial systems implement a number of techniques to protect against buffer overflows. Currently, stack backtracing is the most popular one. It is also the easiest to implement and the easiest to bypass. Several commercial products such as Entercept (now NAI Entercept) and Okena (now Cisco Security Agent) implement this technique.
Source : phrack
Nubuntu – security distribution
October 24, 2006
The main goal of nUbuntu is to create a distribution which is derived from the Ubuntu distribution, add packages related to security testing, and remove unneeded packages, such as Gnome, Openoffice.org, and Evolution. nUbuntu is the result of an idea two people had to create a new distribution for the learning experience.
more information : nubuntu.org ( & Installed Applications )
A Memory Allocator
October 24, 2006
Memory allocators form interesting case studies in the engineering of infrastructure software. I started writing one in 1987, and have maintained and evolved it (with the help of many volunteer contributors) ever since. This allocator provides implementations of the standard C routines malloc(), free(), and realloc(), as well as a few auxiliary utility routines. The allocator has never been given a specific name. Most people just call it Doug Lea’s Malloc, or dlmalloc for short.
Source : oswego.edu
Bypassing PatchGuard
October 23, 2006
The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard’s inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested.
Source : uninformed.org
Application Denial of Service Attacks
October 22, 2006
In order to achieve business goals, organisations frequently have to develop bespoke application solutions or customise commercial off-the-shelf (COTS) packages. These range from complex back-office database applications, CRMs and asset management systems to customer-facing fat and thin applications. Corporate web-applications offer anything from a simple brochure request to a full e-business implementation.
Source : infosecwriters
Open/NetBSD Local Root Bug !!
October 21, 2006
Finally I saw a bug like a local root in *BSD (does not work on FreeBSD) this year.
systrace is a technology which allows supervision and allow / deny of syscalls made by a supervised process. There is an integer overflow condition in the kernel component of systrace which can be triggered by specifying large integer values in a systrace ioctl(). The integer overflow condition allows the sidestepping of a sanity check, and a subsequent out-of-bounds write of a NULL byte to a fairly arbitrary kernel address. Reading of chunks of kernel memory may also be possible.
Advisory : beasts.org
Analysis of brute force attacks
October 21, 2006
A lot of discussion has taken place for a long time on password cracking techniques. In this paper we will analyze the two most commonly used techniques, the first one being “Brute Force Attacks” and the second “Dictionary Attacks”. We will start from the hardest and most effective one, brute force. After that, dictionary attacks will look like a piece of cake.
I hope that you will find the paper interesting and enlightening.
Source : Milw0rm.com