Security Basics mailing list archives
RE: locating exploits in open source
From: Vincent Verloop <vverloop () live nl>
Date: Wed, 23 May 2012 00:14:39 +0200
Search for Metasploitable. It's a virtual machine (Linux). Also look for Nessus.

-----Original message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Bob Bobson
Sent: Tuesday, 22 May 2012 23:45
To: security-basics () securityfocus com
Subject: Re: locating exploits in open source

Alternatively you can attempt to locate a version of Damn Vulnerable Linux. Although it has been discontinued and most torrents have died by now (there are still a few seeds here and there), it remains one of my personal favorites when it comes to learning about vulnerabilities.

On 22/05/12 20:29, AK wrote:

ASLR is not your only problem under Linux. If you are using a modern distribution (e.g. your homebox) there are loads of other protections enabled. Your best bet is to download an older one, turn off protections where needed (via proc and via linker options) and start from there.

Userland exploitation is not beginner material with all the mitigations enabled.

On 5/22/12 7:00 PM, Littlefield, Tyler wrote:

Thanks all for the info. I really appreciated it. Luckily I have some experience with asm, though it is limited. The videos are nice, though I am going to have to supplement them with extra materials more than usual, since I am blind and it's hard to tell what he is doing all the time. Anyway, again I appreciate the help.

I do have a question. If I am going to use a buffer overflow, I want to make sure I understand this right. If I have a function like:

    void foo(char* x);

that means that I'd need to push an argument and call foo.

    push eax
    call foo

Now that I've called foo, it's going to set up the stack: gcc's disasm does something like:

    push ebp
    mov ebp, esp

so now we have:

    ebp+8 >> x
    ebp+4 >> return
    ebp   >> old ebp (?)

So let's say that I declare a static buffer (you would sub ebp, 4) for that extra variable and it was a buffer. So if it was ebp-4, I could store an int there. Now if I wanted to overflow that, I would have to fill ebp-4, which is the variable, ebp which is the pointer to the old frame (explanation there would be cool--I am kind of confused on what the "old frame" is); is it just the point on the stack (esp) where the previous frame's locals and that are stored? and then ebp+4. So I would have to feed that buffer 12 bytes to overwrite the return.

So, this leads me to two final questions. First, is there a way perhaps to return backwards? So if I could manage to squeeze shellcode into those first 8 bytes (is that a possibility?) I could return to that and execute that? If I return to a function, how do I make that function do what I want? Being able to run any function in the code seems nice, but calling printf for example doesn't really do much for me. It would also require that I somehow get my arguments on the stack. Finally, let's say I found a function with GDB. With ASLR, is that not guaranteed to change when I execute the program again?

Hopefully this is the right place for these questions--if not, I would appreciate other resources where this could be asked.

Thanks,
Ty

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
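The two mechanics Tyler asks about, where the saved frame pointer and return address sit relative to a function's locals, and whether the addresses seen in one run survive ASLR into the next, can be observed directly from a small program. The following is an added example written for this archive page; it is not code from any poster in the thread. It assumes gcc or clang on Linux (the `__builtin_frame_address` and `__builtin_return_address` builtins are compiler extensions) and reports the layout for the build machine's pointer size, so the 32-bit `ebp+4` of the question becomes `rbp+8` on x86-64. The local-below-frame check reflects the classic x86 prologue; ABIs such as AArch64 lay frames out differently.

```c
/* Added example (not from the thread): shows the stack frame layout
 * Tyler describes, generalized from 32-bit ebp offsets to the pointer size
 * of the build machine, and checks whether the kernel has ASLR enabled.
 * Assumes gcc or clang on Linux. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Offset, in bytes, of the return-address slot above this function's frame
 * base. With the classic prologue ("push ebp; mov ebp, esp") the saved
 * caller frame pointer is at [ebp] and the return address at [ebp + 4] on
 * 32-bit, [rbp + 8] on 64-bit. The first few slots are scanned instead of
 * hardcoded so the result is measured, not assumed. Returns -1 if not found. */
__attribute__((noinline))
long return_slot_offset(void)
{
    void **frame = (void **)__builtin_frame_address(0); /* forces a frame pointer */
    void *ret = __builtin_return_address(0);
    for (int i = 0; i < 4; i++) {
        if (frame[i] == ret)
            return (long)(i * sizeof(void *));
    }
    return -1;
}

/* A local buffer lives below the frame base (negative offset from ebp/rbp),
 * which is why writing past its end walks upward into the saved frame
 * pointer and then the return address. Returns 1 when the local is below
 * the frame base (the x86 layout), 0 otherwise. */
__attribute__((noinline))
int local_is_below_frame(void)
{
    volatile char buf[16];
    buf[0] = 0;
    uintptr_t frame = (uintptr_t)__builtin_frame_address(0);
    return (uintptr_t)buf < frame;
}

/* ASLR setting reported by the kernel: 0 = off, 1 = stack/mmap/vdso
 * randomized, 2 = heap (brk) randomized as well. Returns -1 if /proc is
 * not available (e.g. a non-Linux or sandboxed build). */
int aslr_setting(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (!f)
        return -1;
    int value = -1;
    if (fscanf(f, "%d", &value) != 1)
        value = -1;
    fclose(f);
    return value;
}

int main(void)
{
    int local = 0;
    void *heap = malloc(1);

    printf("return address slot is at frame base + %ld bytes\n",
           return_slot_offset());
    printf("local buffer sits below the frame base: %s\n",
           local_is_below_frame() ? "yes" : "no");
    printf("randomize_va_space = %d\n", aslr_setting());

    /* Run the program twice: with ASLR on, all three addresses change
     * between runs, which is why an address noted in gdb during one run
     * cannot be relied on in the next. */
    printf("stack %p  heap %p  code %p\n", (void *)&local, heap, (void *)main);

    free(heap);
    return 0;
}
```

Building the same program with `-fstack-protector` inserts a canary between the locals and the saved frame pointer; the compiler checks it before the function returns, which is the mitigation AK refers to when saying userland exploitation on a modern distribution is not beginner material.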
Current thread:
- locating exploits in open source Littlefield, Tyler (May 22)
- Re: locating exploits in open source haZard0us (May 22)
- RE: locating exploits in open source Mike Vella (May 22)
- Message not available
- Re: locating exploits in open source Littlefield, Tyler (May 22)
- Re: locating exploits in open source AK (May 22)
- Re: locating exploits in open source Bob Bobson (May 22)
- Re: locating exploits in open source Robert Musser (May 22)
- RE: locating exploits in open source Vincent Verloop (May 22)
- Re: locating exploits in open source Littlefield, Tyler (May 22)