"Like Ryszard Siwiec, I burn so that you would think."


PAPER: Security Mitigations for Return-Oriented Programming Attacks

ABSTRACT

With the discovery of new exploit techniques, new protection mechanisms are needed as well. Mitigations like DEP (Data Execution Prevention) or ASLR (Address Space Layout Randomization) created a significantly more difficult environment for vulnerability exploitation. Attackers, however, have recently developed new exploitation methods which are capable of bypassing the operating system’s security protection mechanisms. In this paper we present a short summary of novel and known mitigation techniques against return-oriented programming (ROP) attacks. The techniques described in this article are related mostly to x86-32 processors and Microsoft Windows operating systems.

PAPER LINK: DOWNLOAD HERE

RELEASE: SMB2 REMOTE EXPLOIT (VISTA SP1/SP2) + HACKTRO

Today I'm releasing a ~1 year old (almost) remote exploit for the MS09-050 SMB2 negotiation vulnerability. Since users had almost a year to patch up their machines, and some other remote exploits for this vulnerability have been flying around the internet for a long time already, I have decided to release my own.

This exploit uses the trampoline technique that I described in my previous blog post [1], and it is also a fantastic example of how not^H^H^H to write exploits. Additionally, to make this one more miserable and yet still funky, I have attached a brand new 3D HACKTRO (yay!). As always, greetings to all of the hidden demosceners spending more time bouncing to cracktros than to the original games.


Here comes the video capture of the pure-awesome hacktro (low-quality):
http://vimeo.com/14138182


And here is the list of mirrors where you can find the exploit src + hacktro bin:
http://www.piotrbania.com/all/smb2_exploit_mirrors.txt

Thank you and have a nice winter!

Using MATLAB and Mathcad for solving (mesh current) equations.

There are times when you need to do something simple from the logic point of view but a bit exhausting when it comes to the sum of calculations you need to perform. I'm referring here to past times (like 3-4 years ago) when I was forced to do all my circuit calculations manually, without using anything except paper, a pen and a calculator (without the solve function :-)). Hopefully now, when I need to do some circuit calculations (which happens very rarely - thank God!), I'm allowed to use some computer software like MATLAB, Mathcad etc. However, every single piece of software has its own environment and something like its own programming language. So the question is how to use it properly, to speed up your work and limit it to writing the logic and forcing the computer to do the calculations.

So our task is to calculate all the unknown currents (I1, I2, I3, I4, I6) and the voltage value of Uj. To compute the logic equations I'm using the mesh analysis method (loop analysis) [1], which relies on Kirchhoff's circuit laws [2] (this little article is not a circuit theory tutorial, so I hope the reader is familiar with those laws).


TV set, furniture, a little Fiat

There has been relatively much noise about the latest paper about exploiting the SMB2 bug that I had written. Some people, I believe, can't understand the unconditional love of doing security research. In other words, this paper and the entire technique were developed just for fun, in my spare time. It was not sponsored research, and in fact I haven't earned a single penny from it. I must confess I'm really happy I was able to meet guys that feel the same way and keep releasing things just for pure fun and for the purpose of information exchange (hey spender! :-)). A couple of people asked me how much time I spent on this vulnerability; some actually haven't asked, but have posted their own conclusions, which were pretty entertaining but far away from the truth. The fact is I spent about a week on the entire research - I mean overall.

Thanks to open European borders I got infected with the flu, no idea whether it was swine flu or not, but it took me about two weeks to recover. While having the flu and feeling like dehydrated shit I found it hard to focus on the SMB2 research, so I switched to developing a 3D engine of mine. Well, the initial idea here was to create an engine which would be able to read some internal scene formats like the ones used by 3D Studio Max, Maya, Lightwave3D or Cinema4D and be able to render them on the fly. Of course such things exist already and are pretty common in the demoscene community - like Plastic's PICO engine. I bet this will take me some years to complete :(

Anyway, returning to the SMB stuff, it is an undeniable fact that Immunity created the first reliable SMB exploit and I don't deny that. At the same time, I believe it's important to notice that a single guy in his spare time can bring you similar results, and I don't speak only about myself here. I bet there are a couple of underground people that have exploited this vulnerability too :-) Overall it was fun, and that's how I consider it.

As you probably know it is October already, and it is surely the most "beloved" month for most of the students. I have decided to spend one more year at the university and finish my master's degree, even though I had thought about quitting after I obtained my BSc degree. This means I doubt there will be new posts here soon :(

Ok, that's all. Below you can see some initial renders and a Plastic demo (+PICO):

One of my initial renders (thank god for tutorials):

Linger In Shadows trailer (HD):

Slimy Maya Trickery (making of "Linger In Shadows"):