It has been over a month since my last post. It has been a really busy time. When they say the most important resource is time, they are not kidding. Anyway, in that time I have been continuing to go to exploitdb to practice. I was able to get some basic stack overflows going on two FTP server programs, easyftp and war-ftpd. I have been using a test OS of Windows XP SP3. Most of the exploits seem to center around Win XP SP2. It would be better to try different service packs, I guess. Next, I want to find more SEH exploits. This was fun, trying to figure out how to jump around in the stack. Again, go to http://www.corelan.be/ for information about buffer overflows and infosec in general. Great stuff. With easyftp, I was only able to fit the "net user add" payload. Mannnn, it was a small buffer space. However, in war-ftpd, the buffer was much larger and I was able to fit a Windows reverse shell. I have to say, a reverse shell is the best. Just a side note: I have noticed that I have had a lot of success when the payload is encoded with "ShikataGaNai". It might help someone else, so I figured I would mention it.
Just in case you thought I let it go, nope. The paper is still on. Of course, the new hacker groups that have come out have made this an excellent paper to write. ;-) I mean, I thought of this before two groups even came out in the media. Not that they were not there the whole time. I just needed more time to get the thoughts together and more anecdotal evidence to make it more credible. With everything that is going on, I should probably just post it by the end of the year so I can get all the probable hacks that will come recorded.