Pwning stuffs
buffer overflow (7)
Exploit notes - Basic overflow but not exploitable

This is the first tutorial of exercise solutions for Ricardo Narvaja's Spanish course (ignore the Google dangerous-site warning). The binary is named Vulnerable_No_vulnerable.exe and belongs to lesson 21. When we run the binary it asks us to enter an input, and we also see a string printed, so we already have a starting point: the references to that string in the .text section. We see the first comparison, where it is checked..

Windows Exploiting 2019. 3. 12. 19:15
SEIG Modbus Driver v3.34 CVE-2013-0662

Introduction The Modbus Serial Driver creates a listener on port 27700/TCP. When a connection is made, the Modbus Application Header is first read into a buffer. If a large buffer size is specified in this header, a stack-based buffer overflow results. The final idea of this article is to reproduce and detail the process by which the vulnerability can be detected and exploited, including why ..
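The bug class the Modbus post describes, as an added example written for this page (it is not code from the post or from the SEIG driver): a handler that sizes a stack copy from the MBAP length field, beside a version that validates that field before any copy. The 256-byte buffer, the function names, the memory-backed connection and both frames are assumptions constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not code from this blog or from the SEIG Modbus driver).
 * It shows the bug class the CVE-2013-0662 post describes: the length
 * field of the Modbus/TCP (MBAP) header decides how many bytes are read
 * into a fixed-size stack buffer. Buffer sizes, function names and the
 * frames below are assumptions constructed for the demo. */

#define PDU_MAX 256           /* assumed size of the handler's stack buffer */
#define MBAP_LEN 7            /* tid(2) pid(2) length(2) unit id(1) */

/* Memory-backed stand-in for a TCP connection, so the demo runs offline. */
typedef struct { const uint8_t *data; size_t len, pos; } conn_t;

static size_t conn_read(conn_t *c, uint8_t *dst, size_t n) {
    size_t avail = c->len - c->pos;
    if (n > avail) n = avail;            /* short read, like recv() on EOF */
    memcpy(dst, c->data + c->pos, n);
    c->pos += n;
    return n;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable shape: the header's length field is trusted as the byte count
 * for the next read. A length above PDU_MAX writes past pdu[] and over the
 * saved frame pointer and return address. Returns bytes copied. */
int handle_frame_unchecked(conn_t *c) {
    uint8_t hdr[MBAP_LEN];
    uint8_t pdu[PDU_MAX];
    if (conn_read(c, hdr, MBAP_LEN) != MBAP_LEN) return -1;
    uint16_t len = be16(hdr + 4);        /* attacker-controlled, 0..65535 */
    return (int)conn_read(c, pdu, len);  /* no bound against sizeof pdu */
}

/* Hardened shape: validate the header before the length is used as a size.
 * MBAP length counts the unit id plus the PDU, so PDU bytes = length - 1.
 * Returns PDU bytes copied into out, or a negative error code. */
int handle_frame_checked(conn_t *c, uint8_t *out, size_t out_cap) {
    uint8_t hdr[MBAP_LEN];
    if (conn_read(c, hdr, MBAP_LEN) != MBAP_LEN) return -1;
    if (be16(hdr + 2) != 0) return -2;   /* protocol id is 0 for Modbus */
    uint16_t len = be16(hdr + 4);
    if (len < 1 || (size_t)(len - 1) > out_cap) return -3;  /* reject before copy */
    size_t pdu_len = (size_t)(len - 1);
    if (conn_read(c, out, pdu_len) != pdu_len) return -4;   /* truncated frame */
    return (int)pdu_len;
}

/* Constructed benign request: Read Holding Registers (fc 0x03), 5 PDU bytes. */
static const uint8_t benign_frame[] = {
    0x00, 0x01,  0x00, 0x00,  0x00, 0x06,  0x01,   /* tid=1 pid=0 len=6 uid=1 */
    0x03,  0x00, 0x00,  0x00, 0x0a                 /* fc=3 addr=0 qty=10 */
};

/* Constructed malicious request: the header claims 1024 bytes follow, and
 * they really are sent, so the unchecked handler would copy 1024 bytes into
 * a 256-byte stack buffer. Returns the total frame length. */
static uint8_t evil_frame[MBAP_LEN + 1024];
size_t build_evil_frame(void) {
    memset(evil_frame, 0x41, sizeof evil_frame);
    evil_frame[0] = 0x00; evil_frame[1] = 0x02;   /* tid=2 */
    evil_frame[2] = 0x00; evil_frame[3] = 0x00;   /* pid=0 */
    evil_frame[4] = 0x04; evil_frame[5] = 0x00;   /* len=0x0400 */
    evil_frame[6] = 0x01;                         /* uid=1 */
    return sizeof evil_frame;
}

int main(void) {
    uint8_t out[PDU_MAX];
    conn_t c = { benign_frame, sizeof benign_frame, 0 };
    printf("benign, checked: %d PDU bytes\n", handle_frame_checked(&c, out, sizeof out));

    size_t n = build_evil_frame();
    conn_t e = { evil_frame, n, 0 };
    printf("oversize, checked: rc=%d (rejected before copy)\n",
           handle_frame_checked(&e, out, sizeof out));
    /* handle_frame_unchecked(&e) is deliberately not called: it would smash
     * this process's stack exactly as the post describes for the driver. */
    return 0;
}
```

The check that matters is the one on len before conn_read: the hardened handler compares the header-supplied count against the destination capacity, and it also rejects a non-zero protocol id and a short frame, so a malformed header is refused before a single PDU byte lands on the stack.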

Windows Exploiting 2019. 3. 11. 03:33
Armoury - Pragyan CTF 19

Writeup - From Format String to Buffer Overflow PKTeam Recon First of all we look at the protections of the binary. We have several problems. We cannot execute code on the stack, such as a shellcode, because of NX; we cannot overflow without a canary leak; and because of PIE we need a code-base leak before we can set breakpoints in gdb or build a ROP (Return-Oriented Programming) chain. We also need a leak of a function t..

Pwning in Linux 2019. 3. 10. 21:40
SysGauge Server v3.6.18 CVE-2018-5359

Introduction The description of the vulnerability reads as follows: The server in Flexense SysGauge 3.6.18 operating on port 9221 can be exploited remotely with the attacker gaining system-level access to a Buffer Overflow. The final idea of this article is to reproduce and detail the process by which the vulnerability can be detected and exploited, including why it occurs. To study the vulner..

Windows Exploiting 2019. 3. 8. 06:28
CoDeSys 3.4 CVE-2011-5007

Introduction The vulnerability description reads as follows: Stack-based buffer overflow in the CmpWebServer component in 3S CoDeSys 3.4 SP4 Patch 2 and earlier, as used on the ABB AC500 PLC and other products, allows remote attackers to execute arbitrary code via a long URI to TCP port 8080. The final idea of this article is to reproduce and detail the process by which the vulnerability can be detected a..

Windows Exploiting 2019. 3. 7. 08:15
Writeup - echo1

Writeup - pwnable.kr Knowing that we have an overflow and the return address on the stack, we can write into the buffer that holds the first 4 bytes of the name we enter. First, when it asks for our name, we must write the opcodes of jmp rsp into that buffer. Second, we will use the overflow to write into the return address exactly the address o..

Pwning in Linux 2019. 3. 1. 08:17
Basics Return-oriented programming

Horcruxes Date: 05/01/2019-08/01/2019 @naivenom 3.1 Deep Reversing Analysis First we look at the protections: NX is enabled, which marks data areas as non-executable. gdb-peda$ checksec CANARY: disabled FORTIFY: disabled NX: ENABLED PIE: disabled RELRO: Partial We look at the functions the binary uses, Non-debugging symbols: 0x0809fbec _init 0x0809fc20 seccomp_init@plt 0x0809fc30 read@plt 0x0809fc40 p..

Pwning in Linux 2019. 2. 28. 17:41