Posts

In MSDN we trust? - CreateRemoteThread Shenanigans

Thanks to @Intel80x86 and @whtaguy for reviewing!

Disclaimer
The following by no means presents any security issue or highly complex stuff. It’s merely the story of a short journey stretching from a driver debugging session to discovering just how wrong MSDN’s documentation can be.

Motivation
As part of exercising writing different drivers, I wanted to see how removing the PROCESS_CREATE_THREAD access right from process handles would affect the system, and just how effective this “aggressive” approach is at blocking thread injections.

No Access Rights Required
Why would it affect thread injection? Well, apart from the self-describing name of the access right, MSDN claims you need to pass a handle that has this access right when using CreateRemoteThread.

Figure 1: MSDN CreateRemoteThread handle parameter

Yet, my stupid simple thread injection PoC still worked after my driver removed that access right. Weird. Maybe my driver has a bug? Registering a post c
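As an added example (this is not code from the post or from the author's driver), the harness below reproduces the experiment described above from user mode: it opens a target process once with the full set of rights MSDN lists for CreateRemoteThread's hProcess parameter (PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_VM_READ) and once with PROCESS_CREATE_THREAD removed, the way the post's driver strips it, and reports whether CreateRemoteThread succeeds in each case. The target PID comes from argv, the start routine is kernel32!ExitThread so nothing beyond a thread that immediately exits runs in the target, and the mask helpers also compile off Windows (with the winnt.h values reproduced) so the documented requirement can be checked anywhere; the outcome of the two CreateRemoteThread calls is whatever your machine shows, the code does not assume the post's result.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Off Windows, reproduce the winnt.h process access-right values so the
 * mask helpers still compile and run; the injection harness is Windows-only. */
#define PROCESS_CREATE_THREAD     0x0002
#define PROCESS_VM_OPERATION      0x0008
#define PROCESS_VM_READ           0x0010
#define PROCESS_VM_WRITE          0x0020
#define PROCESS_QUERY_INFORMATION 0x0400
#endif

/* The access rights MSDN lists for CreateRemoteThread's hProcess parameter. */
uint32_t documented_remote_thread_rights(void)
{
    return PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
           PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ;
}

/* Does a handle granted `mask` satisfy the documented requirement? */
int handle_meets_msdn(uint32_t mask)
{
    uint32_t need = documented_remote_thread_rights();
    return (mask & need) == need;
}

/* Models what the post's driver does to every process handle (assumption:
 * it drops PROCESS_CREATE_THREAD and leaves every other right alone). */
uint32_t strip_create_thread(uint32_t mask)
{
    return mask & ~(uint32_t)PROCESS_CREATE_THREAD;
}

#ifdef _WIN32
/* Open `pid` with exactly `mask` and try CreateRemoteThread on that handle.
 * kernel32!ExitThread is the start routine: kernel32 is mapped at the same
 * base in every process of a boot session, and ExitThread(0) just ends the
 * new thread. Returns 1 on success; on failure *err holds GetLastError(). */
int try_remote_thread(DWORD pid, DWORD mask, DWORD *err)
{
    HANDLE proc = OpenProcess(mask, FALSE, pid);
    if (proc == NULL) {
        *err = GetLastError();
        return 0;
    }
    LPTHREAD_START_ROUTINE start = (LPTHREAD_START_ROUTINE)GetProcAddress(
        GetModuleHandleA("kernel32.dll"), "ExitThread");
    HANDLE thread = CreateRemoteThread(proc, NULL, 0, start, NULL, 0, NULL);
    *err = thread ? 0 : GetLastError();
    if (thread) CloseHandle(thread);
    CloseHandle(proc);
    return thread != NULL;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <target pid>\n", argv[0]);
        return 2;
    }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);
    DWORD full = (DWORD)documented_remote_thread_rights();
    DWORD stripped = (DWORD)strip_create_thread(full);
    DWORD err;
    int ok = try_remote_thread(pid, full, &err);
    printf("documented mask 0x%04lX: %s (error %lu)\n",
           full, ok ? "thread created" : "failed", err);
    ok = try_remote_thread(pid, stripped, &err);
    printf("without PROCESS_CREATE_THREAD 0x%04lX: %s (error %lu)\n",
           stripped, ok ? "thread created" : "failed", err);
    return 0;
}
#else
int main(void)
{
    uint32_t full = documented_remote_thread_rights();
    uint32_t stripped = strip_create_thread(full);
    printf("documented mask: 0x%04X, meets MSDN: %d\n", full, handle_meets_msdn(full));
    printf("after stripping: 0x%04X, meets MSDN: %d\n", stripped, handle_meets_msdn(stripped));
    return 0;
}
#endif
```

Run it against a throwaway target (for example a notepad.exe you started yourself) rather than a system process. Requesting the reduced mask from user mode yields a handle that lacks PROCESS_CREATE_THREAD just as the author's driver produced, so the second call isolates the question the post raises: whether CreateRemoteThread actually refuses such a handle, as the documentation says it should.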

Revising Vulnerabilities - FTPShell 6.7 Client (Buffer Overflow)

Big thx to @va_start for shaping up the writeup (;

Short disclaimer
The following writeup is a basic self-exercise in exploiting a known, already disclosed vulnerability; there isn’t anything new here (:

Goal
While we know for sure there is a vulnerability from one of the most basic bug classes (buffer overflow), the goal of this exercise is to find the overflow and exploit it ourselves. Our vulnerable target is an FTP client, which we’ll exploit from the server side. The exploit scenario is unlikely, as it would require a victim to connect to an attacker-controlled FTP server. Nonetheless, it’s a great exercise.

Intro
Before diving into the client application and attempting to map its logic, we should start by making sure we’re familiar with the typical FTP protocol flow. We won’t go over the details here, but you’re more than welcome to cover it quickly :) What’s important in our case are the following: The USER, PA