Re: SEH and overwrite EIP
2007-12-01 opexoc gmail com
maybe I have formulated badly this question. I mean that if we can overwrite return address of the function properly ( without access violation ) then we can overwrite SEH properly ( without access violation ) and if we can overwrite SEH properly then we can overwrite return address properly. So it ...

SEH and overwrite EIP
2007-11-30 opexoc gmail com (1 replies)

Re: IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
2007-11-13 MiKa mailinator org (1 replies)
Not quite sure what to think about this, is this a hoax? No details are given, the captures of the "hack" show clearly a router command "gdb kernel" which (according to cisco's IOS command lookup tool on cisco.com) doesn't exist and which my own IOS device doesn't recognize. So let's not hype th ...

RE: IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
2007-11-13 Holtz,Robert (Robert Holtz edwardjones com)

Oracle 0-day to get SYSDBA access to the database
2007-11-12 pete petefinnigan com
Tanel Poder has found a way to get SYSDBA access to the Oracle database by utilising a user who has the BECOME USER system privilege, execute privileges on KUPP$PROC.CHANGE_USER and CREATE SESSION. He shows how a user with these privileges can become SYS (but not SYSDBA) and then use an immediate de ...

CanSecWest 2008 CFP (deadline Nov 30, conf Mar 26-28) and PacSec Dojo's
2007-11-09 Dragos Ruiu (dr kyx net)
I'd like to congratulate Adam Laurie for winning the second Powerbook from the Pwn_to_Own contest as the prize for the best speaker rated by the audience for his presentation on RFID at CanSecWest 2007. We will have a similar prize for the best speaker at CanSecWest 2008, prize TBD (but we promise i ...

Browser Heaps
2007-11-05 John Paterson (john9434 gmail com)
I've been experimenting with Browser heaps and have some questions. In Internet Explorer I see two large heaps, one with the base at 0x00030000 and the other with the base at 0x00150000. From what I understood, the heap at 0x00150000 is the process default heap and can be manipulated by allocating an ...

Re: Re: understanding buffer overflows
2007-11-02 secacc7 hotmail com
thx.. this was a great example. yesterday i posted a reply with a different email address so i think, it was not accepted. i edited your example as followed (maybe it was a bit different, im now at work..) vuln.cpp: #include <stdio.h> #include <string.h> int foo(char *a) { char buffe ...

understanding buffer overflows
2007-10-31 secacc7 hotmail com (3 replies)

In Memoriam: Jun-ichiro Hagino
2007-10-30 Dragos Ruiu (dr kyx net)
With great sadness, I regret to inform you that Itojun will not be presenting his great knowledge of IPv6 at PacSec. I have been informed by several sources that he passed away yesterday. Funeral services will be held on Nov 7th at Rinkai-Saijo in Tokyo. There aren't many details of his passing, ...

DeepSec 2007 Registration: hurry up, seats are filling fast
2007-10-30 Stefano Zanero (zanero elet polimi it)
Hallo list members, and sorry if you receive multiple copies of this message. This is just a friendly reminder that registration for the DeepSec Security Conference 2007 is available at the URL http://deepsec.net/register/ The conference is taking place in less than 3 weeks in the awesome city of V ...

Re: Help needed in TFTP32v1.3 BO
2007-10-19 wong yu liang (yuliang11 yahoo com)
Thanks patrick, looks like the script is in metasploit but it didn't work on my win xp sp1. my issue is here that my shellcode is 4 bytes off the ESP pointer. if anyone could point me a method to directly align the shellcode to ESP that would be great. regards --- Patrick Webster <patrick@m ...

Cracking the iPhone (5 article series)
2007-10-22 H D Moore (sflist digitaloffense net)
The last part of my iPhone-related blog entries was posted last night. The first article discusses the architecture and provides some useful shellcode for already-modified phones. http://blog.metasploit.com/2007/09/root-shell-in-my-pocket-and-maybe-yours.html The second article discusses the l ...

CFP for HITBSecConf2008 - Dubai now open
2007-10-23 Praburaajan (prabu hackinthebox org)
The CFP for HITBSecConf2008 - Dubai is now open. Our 2008 event is expected to attract over 300 attendees from around the EMEA region and will see keynote speakers Bruce Schneier (Founder and CTO, BT Counterpane) and Jeremiah Grossman (Founder and CTO, White Hat Security). The event is supported an ...

Help needed in TFTP32v1.3 BO
2007-10-17 wong yu liang (yuliang11 yahoo com)
hi all, i'm new to bufferoverflow. i've gone thru some basic examples in bufferover now i'm trying to write my own exploit based on this software. basically i found this perl script somewhere on the net. it takes 264 bytes to overflow with 4 byte extra for the EIP. i'm using call esp , #0x ...

IRM Demonstrates Multiple Cisco IOS Exploitation Techniques
2007-10-10 Andy Davis (andy davis irmplc com)
In August 2005 at Black Hat Las Vegas, Michael Lynn delivered his infamous presentation entitled "Cisco IOS Shellcode and Exploitation Techniques". For the first time ever, remote exploitation of Cisco IOS was publicly demonstrated using shellcode that spawned a connect-back or "reverse" shell. His ...

Black Hat Tokyo + DC and Europe CfPs now open.
2007-10-09 Jeff Moss (jmoss blackhat com)
We've finalized the speaker lineup for Black Hat Japan 2007, and we're looking forward to a great show. Attendees will be treated to a roster with more variety and depth than ever. The schedule and speaker bios are available on-line at: http://www.blackhat.com/html/bh-japan-07/bh-jp-07-en-schedu ...

Oracle 11g password algorithm revealed
2007-09-22 pete petefinnigan com
Hi All, I have been posting a few entries to my blog over the last few weeks on Oracle 11g Security and have been looking at the new SHA-1 password algorithm used in Oracle 11g. The password algorithm is simple and very easy to guess once you realise that the sha1 verifier stored in the datab ...

ToorCon Final Lineup Announcement
2007-09-20 David Hulton (h1kari toorcon org)
Hey guys, Just thought I'd shoot out a quick shameless plug for ToorCon and mention that we've published our full speaker lineup and have finalized our Seminars and Workshops schedule. We will be increasing the registration prices on Sunday, September 23rd so if you're interested in coming out, mak ...

Uninformed Journal Release Announcement: Volume 8
2007-09-18 Uninformed Staff (sflist digitaloffense net)
Uninformed is pleased to announce the release of its eighth volume. This volume includes 6 articles on a variety of topics:
- Covert Communications: Real-time Steganography with RTP Author: I)ruid
- Engineering in Reverse: PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3 ...

RE: Re[2]: [Full-disclosure] Next generation malware: Windows Vista's gadget API
2007-09-18 Ed Patterson (epatterson DirectApps com)
Sirs, The lack of a defense vector doesn't translate magically to a new attack vector. The absence of common security mitigating controls is referred to as a vulnerability. Really all old attack vectors apply. The secure design model for this type of application should be a sandboxed by zone. The v ...
available for download! The files were created in Quicktime, however if
you're having trouble playing them on your platform, please ensure you
have the latest 3IVX codec installed.
Time to fire up your favorite Bit Torrent