herm1t LIVE!ng room
Friday, March 13, 2015
nspr4!PR_Write
The right way to #hook the #PR_Write f-n in #Firefox
Summary: instead of repeatedly re-patching the function prologue (mprotect / memcpy), which leads to frequent crashes, one could patch PR_Write once and mimic its behaviour (the original function is just a thin wrapper that calls the method's implementation, and it is stable: the same code has been used from Firefox 1.0 up to the latest release).
Friday, April 5, 2013
CVE-2010-4347 CVE-2012-0056 small fixes
Labels: ac vs lid, acpi, american-russian-slang, cve-2010-4347, cve-2012-0056, ELF, exploit, fix, mempodipper, objdump, x64
Thursday, August 30, 2012
How I made $740 in ten minutes for reporting a vulnerability
Two months ago I read in a popular blog that the bank (where I have my account) is extending their vulnerability reward program. "Why not?" - I thought and started to google the bank's sites to find the target for the attack. In ten minutes I found that one of the sites is leaking customers' data. Probing specially crafted URLs with sequential IDs and an omitted security token allowed me to download large portions of the database with sensitive data. No further actions were needed, so I just filed the report. The bank's employee mailed me back and told me that they need time to confirm it. Today I got the mail notifying me that the vuln was confirmed, patched and evaluated at $740 (the max bounty in this program is $1k). I think it's worth ten minutes of googling, right? :-)
Thursday, March 15, 2012
Valhalla 2
The second issue of the Valhalla zine is out! I like it! :-) There is an article by me too. At the last moment I decided to throw out the technical details, stop theorizing and switch to the code. :-)
Thursday, February 16, 2012
Thursday, October 20, 2011
LDE based on exceptions
Recently Indy (from rootkits.su) proposed a new design for the length disassembler. Rather than comparing the bytes against patterns, it puts the instruction on the boundary between RWE and NOACCESS pages. First, one byte is copied; if it's not enough, the CPU will try to fetch the next one and trigger an exception. The engine catches the exception, copies the next byte, and so on. Here you can download his code. I also wrote a sketch of this idea for Linux (it needs a lot of improvements, but works in simple cases):
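The boundary trick described above, as an added sketch for x86-64 Linux (my own example, not Indy's engine or the sketch linked from the post). It assumes the SIGSEGV handler can read the fault RIP from the signal context to tell an incomplete fetch (fault reported at the instruction itself) from a completed instruction that fell into the NOACCESS page (fault reported at the page boundary), and it only handles instructions that can actually run without touching memory or branching, which is the "simple cases" the post mentions.

```c
/* Exception-driven LDE sketch for x86-64 Linux (added example, not the post's code). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE                 /* for REG_RIP in <ucontext.h> */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>
#ifndef REG_RIP
#define REG_RIP 16                  /* gregs[] index of RIP on x86-64 glibc/musl */
#endif
static sigjmp_buf g_jmp;
static volatile uintptr_t g_fault_rip;
/* SIGSEGV handler: remember where the CPU was when it faulted, then unwind. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)si;
    g_fault_rip = (uintptr_t)((ucontext_t *)ctx)->uc_mcontext.gregs[REG_RIP];
    siglongjmp(g_jmp, 1);
}
/* Length of the first instruction in code[0..avail), or -1 if undetermined.
 * Only for instructions that execute without touching memory or jumping. */
int lde_len(const uint8_t *code, size_t avail) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *buf = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    mprotect(buf + pg, pg, PROT_NONE);   /* page 2 is NOACCESS: any fetch into it faults */
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGSEGV, &sa, &old);
    int len = -1;
    for (size_t n = 1; n <= avail && n <= 15; n++) {
        uint8_t *insn = buf + pg - n;     /* the n bytes end exactly at the boundary */
        mprotect(buf, pg, PROT_READ | PROT_WRITE);
        memcpy(insn, code, n);
        mprotect(buf, pg, PROT_READ | PROT_EXEC);
        if (sigsetjmp(g_jmp, 1) == 0)
            ((void (*)(void))insn)();     /* never returns: ends in SIGSEGV either way */
        /* Fault at the boundary: the instruction ran and fell into page 2, length is n.
         * Fault at insn itself: the fetch was incomplete, copy one more byte and retry. */
        if (g_fault_rip == (uintptr_t)(buf + pg)) { len = (int)n; break; }
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(buf, 2 * pg);
    return len;
}
```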
Wednesday, September 21, 2011
Hardware breakpoints
In addition to. Spent some time trying to recall how to set hardware breakpoints.