|The Apocalypse of the Heap - Shizo edit.|
💥Painless intro to the Linux userland heap
The heap is hard to maintain, especially in this implementation, which is multi-threaded. Hopefully this article helps you understand how a chunk goes from allocated to free, and which structures take part in freeing chunks.
💥Understanding glibc malloc
💾How is heap memory obtained from the kernel?
💾How efficiently is memory managed?
💾Is it managed by the kernel, by the library, or by the application itself?
💾Can heap memory be exploited?
💥ptmalloc fanzine episodes (a collection of resources on glibc heap metadata corruption):
💾episode 01: munmap madness
💾episode 02: fastbin fever
💾episode 03: scraps of notes on ptmalloc metadata corruptions
💾episode 04: once upon a realloc()
💾episode 05: thread local caching in glibc malloc
💥Heap exploitation for Dummies.
This short book is written for people who want to understand the internals of 'heap memory', particularly the implementation of glibc's 'malloc' and 'free' procedures, and also for security researchers who want to get started in the field of heap exploitation.
🔖github repo
💥Educational Heap Exploitation (how2heap) is for learning various heap exploitation techniques. We use Ubuntu's libc releases as the gold standard. Each technique is verified to work on the corresponding Ubuntu releases.
💥GlibC Malloc for Exploiters presentation
💥Linux Heap Exploitation Intro Series:
💾printf might be leaking!
💾Used and Abused – Use After Free
💾The magicians cape – 1 Byte Overflow
💾Riding free on the heap – Double free attacks!
💾Set you free() – part 1
💾Set you free() – part 2
💥How to exploit a double free vulnerability in 2021 (exploiting an ARM-only race condition)
You will learn how to exploit a double free vulnerability or a use-after-free (UAF) vulnerability.
💥Linux kernel heap feng shui in 2022
In this article we discuss changes in the Linux kernel slab allocator implementation and exploitation challenges associated with kernel heap-related vulnerabilities. We focus on the SLUB (unqueued slab allocator) implementation in this article since it is the most common allocator enabled by default on most Linux distributions and Android devices.
💥Overview of GLIBC heap exploitation techniques
Overview of current GLIBC heap exploitation techniques up to GLIBC 2.34, including their ideas and introduced mitigations along the way.
💥Perfect Spray: A Journey From Finding a New Type of Logical Flaw at Linux Kernel To Developing a New Heap Exploitation Technique
In this talk, we will present Pspray, a new memory exploitation technique for the Linux kernel, dramatically improving the exploitation reliability. In particular, we designed a heap exploitation technique effective for most memory vulnerabilities, including heap OOB, UAF, and double-free. The key idea behind this new attack is in developing timing side-channels in Linux's SLUB allocator. Then using this timing side-channel, we carefully redesigned the traditional exploitation technique to precisely predict the runtime behavior of SLUB, allowing Pspray to avoid unexpected exploitation failure. We used Pspray's exploitation technique for 10 real-world Linux kernel vulnerabilities, which significantly improved the attack success probability from 56.1% to 97.92%.
🔥🔥🔥AD manager Plus full RCE PoC
At that time, Log4j was already widespread on the internet. ManageEngine had already patched ADManager Plus to prevent it from being affected by the Log4j vulnerability. They had stated that ADManager Plus was not affected by Log4j. However, we determined that ADManager Plus was running on our target and managed to exploit the Log4j vulnerability.
When we initially reported this vulnerability to Synack, we only managed to get a DNS callback, and our report was marked as LDAP injection. We attempted to gain full RCE on the host but were not successful. Later, we discovered that ADManager Plus was running on another target, so we tried to get full RCE on that target. We realized that there was a firewall and an anti-virus running on the machine, so most of our payloads wouldn't work. After spending a considerable amount of time, we eventually managed to bypass the firewall and anti-virus and achieve full RCE.
💥Introduction to the Windows Filtering Platform
The Windows Filtering Platform (WFP) provides flexible ways to control network filtering. It exposes user-mode and kernel-mode APIs that interact with several layers of the networking stack. Some configuration and control is available directly from user mode, without requiring any kernel-mode code (although it does require administrator-level access). WFP replaces older network filtering technologies, such as Transport Driver Interface (TDI) filters and some types of NDIS filters.
🔥🔥🔥KITCTFCTF 2022 V8 Heap SBX
(V8 exploitation challenge)
In this writeup, I'll go over the intended solution in detail, which leads to a V8 (heap) sandbox escape without using the JIT technique that is currently very popular.
🔥🔥🔥rp++ or rp is a C++ ROP gadget finder for PE/ELF/Mach-O executables and x86/x64/ARM/ARM64 architectures.
hexacon2022_AppleAVD.pdf
🔥🔥🔥Cinema time!
Agenda:
💾Video decoding subsystem overview
💾AppleAVD internals
💾AppleAVD attack surface
💾Fuzzing approach and code analysis
💾Results
💾Previously disclosed vulnerabilities and exploitation
💾Discussion
💾Q&A
Forwarded from Hackershop
DSTIKE WiFI Deauther MiNi
Deauther MiNi is still an ESP8266 development board. It comes with the latest ESP8266 Deauther software installed. With this software, you can perform different attacks to test WiFi networks.
Please note that the ESP8266 only supports 2.4 GHz. You can also use it to develop your own software. It is simple to use, just like any other ESP8266 development board.
Function:
▫️ Deauther Attack: Disconnect 2.4G WiFi
▫️ Deauther Beacon: Create fake networks
▫️ Deauther Probe: Confuse WiFi trackers
▫️ Packet Monitor: Display WiFi traffic
Deauther or Jammer: What's the difference?
Buy online:
🛒 https://ali.ski/PItT3
#wifi #dstike #esp8266
Forwarded from 卩ro 爪Cracker
Spice up your persistence: loading PHP extensions from memory
https://ift.tt/EoF3gDj
Submitted December 28, 2022 at 03:25AM by gid0rah
via reddit https://ift.tt/gA8Zb91
Spice up your persistence: loading PHP extensions from memory | AdeptsOf0xCC
Load shared object (PHP extension) from memory
Forwarded from 卩ro 爪Cracker
New AMSI Bypass Using CLR Hooking
https://ift.tt/FyPlmOA
Submitted December 28, 2022 at 04:44AM by pracsec
via reddit https://ift.tt/pcHKbWq
Practical Security Analytics LLC
New AMSI Bypass Using CLR Hooking
Introduction In this article, I will present a new technique to bypass Microsoft’s Anti-Malware Scan Interface (AMSI) using API Call Hooking of CLR methods. When executed on a Windows system,…
Forwarded from 卩ro 爪Cracker
Certificate Ripper v2 released - tool to extract server certificates
https://ift.tt/1Yr83Px
Submitted December 28, 2022 at 06:24AM by Hakky54
via reddit https://ift.tt/S8YAlmQ
GitHub
GitHub - Hakky54/certificate-ripper: 🔐 A CLI tool to extract server certificates
🔐 A CLI tool to extract server certificates. Contribute to Hakky54/certificate-ripper development by creating an account on GitHub.
Forwarded from 卩ro 爪Cracker
Video game save file Trojan personified
https://ift.tt/xfrDS4s
Submitted December 28, 2022 at 08:36AM by bemodtwz
via reddit https://ift.tt/oljIPvB
GitHub
GitHub - swoops/video-game-save-file-trojans: Demonstrates why it's not safe to download random save files from the Internet
Demonstrates why it's not safe to download random save files from the Internet - swoops/video-game-save-file-trojans