Friday, March 13, 2015

nspr4!PR_Write

The right way to #hook the #PR_Write function in #Firefox. Summary: instead of constantly re-patching the function prologue (mprotect / memcpy), which leads to frequent crashes, one can patch PR_Write once and mock its behaviour: the original function is just an interface that calls the implementation of the method, and it is stable, with the same code used from FF 1.0 up to the latest release.

Thursday, August 30, 2012

How I made $740 in ten minutes for reporting a vulnerability

Two months ago I read in a popular blog that the bank (where I have my account) is extending its vulnerability reward program. "Why not?" I thought, and started googling the bank's sites to find a target for the attack. In ten minutes I found that one of the sites was leaking customers' data. Probing specially crafted URLs with sequential IDs and an omitted security token allowed me to download large portions of the database with sensitive data. No further actions were needed, so I just filed the report. The bank's employee mailed me back and told me that they needed time to confirm it. Today I got the mail notifying me that the vuln was confirmed, patched and evaluated at $740 (the max bounty in this program is $1k). I think it's worth ten minutes of googling, right? :-)

Thursday, March 15, 2012

Valhalla 2

The second issue of the Valhalla zine is out! I like it! :-) There is an article by me too. At the last moment I decided to throw out the technical details, stop theorizing and switch to the code. :-)

Thursday, October 20, 2011

LDE based on exceptions

Recently Indy (from rootkits.su) proposed a new design for a length disassembler. Rather than comparing the bytes against opcode tables, it places the instruction on the boundary between an RWE page and a NOACCESS page. First, one byte is copied; if that is not enough, the CPU tries to fetch the next byte from the inaccessible page and triggers an exception. The engine catches the exception, copies the next byte, and so on until the instruction executes. Here you can download his code. I also wrote a sketch of this idea for Linux (it needs a lot of improvements, but works in simple cases):
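To make the mechanism concrete, here is an added sketch of the exception-based length disassembler for x86-64 Linux. It is example code written for this page, not Indy's engine and not the Linux sketch mentioned above. It assumes glibc (for REG_RIP in the ucontext), a kernel that allows an RX anonymous mapping, and a process that may run the candidate instruction: the technique executes the bytes, so it belongs in a throwaway analysis process, and the sample byte strings below are constructed register-only instructions. The two decisions a practitioner needs are made explicit: a SIGSEGV whose fault address lies in the guard page while RIP is still at the instruction start means "not enough bytes yet"; any other signal (falling off the end with RIP at the boundary, an int3 filler hit by a stray branch, a fault raised while executing) means the instruction was fully decoded and its length is the number of bytes copied so far. One known limitation is kept as a comment: a data access that happens to touch the guard page is indistinguishable from an incomplete fetch.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

/* Layout (assumption of this sketch): [ exec page R+X ][ guard page PROT_NONE ]
 * Candidate bytes are copied so that they END exactly at the page boundary. */
static uint8_t *g_exec_page, *g_guard_page, *g_insn_start;
static long g_page_size;
static sigjmp_buf g_jb;

enum { R_RUN = 0, R_NEED_MORE = 1, R_DONE = 2 };

static void on_signal(int sig, siginfo_t *si, void *uctx)
{
    ucontext_t *uc = (ucontext_t *)uctx;
    uint8_t *rip = (uint8_t *)uc->uc_mcontext.gregs[REG_RIP];
    uint8_t *addr = (uint8_t *)si->si_addr;

    /* Fetch crossed into the guard page before the instruction ran: feed another byte.
     * Caveat: a data read of the guard page from the instruction start looks the same. */
    if (sig == SIGSEGV && rip == g_insn_start &&
        addr >= g_guard_page && addr < g_guard_page + g_page_size)
        siglongjmp(g_jb, R_NEED_MORE);

    /* Fell through into the guard page (RIP == boundary), hit the int3 filler,
     * or faulted while executing: decoding completed, so the length is known. */
    siglongjmp(g_jb, R_DONE);
}

static int lde_init(void)
{
    if (g_exec_page)
        return 1;
    g_page_size = sysconf(_SC_PAGESIZE);
    uint8_t *p = mmap(NULL, 2 * g_page_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    g_exec_page = p;
    g_guard_page = p + g_page_size;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_signal;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    const int sigs[] = { SIGSEGV, SIGBUS, SIGILL, SIGTRAP, SIGFPE };
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        sigaction(sigs[i], &sa, NULL);
    return 1;
}

/* Length of the instruction at `bytes`, or -1 if it does not decode within max_len (<= 15). */
int insn_length(const uint8_t *bytes, size_t max_len)
{
    if (!lde_init())
        return -1;
    if (max_len > 15)
        max_len = 15;
    for (volatile size_t n = 1; n <= max_len; n++) {
        uint8_t *insn = g_guard_page - n;
        mprotect(g_exec_page, g_page_size, PROT_READ | PROT_WRITE);
        memset(g_exec_page, 0xCC, g_page_size);   /* int3 filler: stray branches trap */
        memcpy(insn, bytes, n);
        mprotect(g_exec_page, g_page_size, PROT_READ | PROT_EXEC);
        g_insn_start = insn;

        int r = sigsetjmp(g_jb, 1);
        if (r == R_RUN) {
            __asm__ volatile("jmp *%0" : : "r"(insn) : "memory");  /* never returns */
            __builtin_unreachable();
        }
        if (r == R_DONE)
            return (int)n;
        /* R_NEED_MORE: loop copies one more byte and retries. */
    }
    return -1;
}

/* Walk a code stream instruction by instruction; returns how many were decoded. */
int decode_stream(const uint8_t *code, size_t len, int *lens, int cap)
{
    int count = 0;
    size_t off = 0;
    while (off < len && count < cap) {
        int l = insn_length(code + off, len - off);
        if (l < 0)
            break;
        lens[count++] = l;
        off += (size_t)l;
    }
    return count;
}

/* Constructed sample: mov eax,imm32 (5) ; xor eax,eax (2) ; lea eax,[rsp+8] (4) ;
 * mov rax,imm64 (10) ; nop (1). All register-only, so safe to execute here. */
static const uint8_t SAMPLE_CODE[] = {
    0xB8, 0x78, 0x56, 0x34, 0x12,  0x31, 0xC0,  0x8D, 0x44, 0x24, 0x08,
    0x48, 0xB8, 1, 2, 3, 4, 5, 6, 7, 8,  0x90
};

int sample_count(void)
{
    int lens[8];
    return decode_stream(SAMPLE_CODE, sizeof SAMPLE_CODE, lens, 8);
}

int sample_length(int i)
{
    int lens[8];
    int n = decode_stream(SAMPLE_CODE, sizeof SAMPLE_CODE, lens, 8);
    return (i >= 0 && i < n) ? lens[i] : -1;
}

int main(void)
{
    int lens[8];
    int n = decode_stream(SAMPLE_CODE, sizeof SAMPLE_CODE, lens, 8);
    for (int i = 0; i < n; i++)
        printf("insn %d: %d bytes\n", i, lens[i]);
    return 0;
}
```

The write/execute split (RW for copying, RX for running) rather than a single RWE page keeps the sketch working under W^X policies; the int3 fill means a relative branch that lands inside the exec page still ends the probe with a SIGTRAP instead of running leftover bytes.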

Wednesday, September 21, 2011

Hardware breakpoints

In addition to. Spent some time trying to recollect how to set hardware breakpoints.