
Uninformed

Administrator: eZine
Created 28 Dec 2019
56 Articles

uninformed 10 04

Published 28 Dec 2019 by eZine lover (@eZine)
Exploiting Tomorrow's Internet Today: Penetration testing with IPv6 (10/2008), H D Moore, hdm@metasploit.com
Abstract: This paper illustrates how IPv6-enabled systems with link-local and auto-configured addresses can be compromised using existing security tools. While most of the techniques described can apply to "real" IPv6 networks, the focus of this paper is to target IPv6-enabled systems on the local network.
Acknowledgments: The author would like to thank Van Hauser of THC for his excellent presentation at CanSecWest 2005 and for releasing the IPv6 Attack Toolkit. Much of the background information in this paper is based on notes fr...

uninformed 10 03

Published 28 Dec 2019 by eZine lover (@eZine)
Analyzing local privilege escalations in win32k (10/2008), mxatone, mxatone@gmail.com
Abstract: This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025[1]. The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third ...

uninformed 10 02

Published 28 Dec 2019 by eZine lover (@eZine)
Using dual-mappings to evade automated unpackers (10/2008), skape, mmiller@hick.org
Abstract: Automated unpackers such as Renovo, Saffron, and Pandora's Bochs attempt to dynamically unpack executables by detecting the execution of code from regions of virtual memory that have been written to. While this is an elegant method of detecting dynamic code execution, it is possible to evade these unpackers by dual-mapping physical pages to two distinct virtual address regions where one region is used as an editable mapping and the second region is used as an executable mapping. In this way, the editable mapping is written to during the unpackin...

uninformed 10 01

Published 28 Dec 2019 by eZine lover (@eZine)
Can you find me now? - Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS (10/2008), Skywing, skywing_uninformed@valhallalegends.com
0. Abstract
In August 2008 Verizon Wireless released a firmware upgrade for their xv6800 (rebranded HTC Titan) line of Windows Mobile smartphones that provided a number of new features previously unavailable on the device on the initial release firmware. In particular, support for accessing the device's built-in Qualcomm gpsOne assisted GPS chipset was introduced with this update. However, Verizon Wireless elected to attempt to lock down the GPS hardware on xv6800 such that only applications authorized b...

uninformed 10 00

Published 28 Dec 2019 by eZine lover (@eZine)
Engineering in Reverse: Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS, Skywing
In August 2008 Verizon Wireless released a firmware upgrade for their xv6800 (rebranded HTC Titan) line of Windows Mobile smartphones that provided a number of new features previously unavailable on the device on the initial release firmware. In particular, support for accessing the device's built-in Qualcomm gpsOne assisted GPS chipset was introduced with this update. However, Verizon Wireless elected to attempt to lock down the GPS hardware on xv6800 such that only applications authorized by Verizon Wireless would be able to access...

uninformed 09 04

Published 28 Dec 2019 by eZine lover (@eZine)
Improving Software Security Analysis using Exploitation Properties (12/2007), skape, mmiller@hick.org
Abstract: Reliable exploitation of software vulnerabilities has continued to become more difficult as formidable mitigations have been established and are now included by default with most modern operating systems. Future exploitation of software vulnerabilities will rely on either discovering ways to circumvent these mitigations or uncovering flaws that are not adequately protected. Since the majority of the mitigations that exist today lack universal bypass techniques, it has become more fruitful to take the latter approach. It is in th...

uninformed 09 03

Published 28 Dec 2019 by eZine lover (@eZine)
Context-keyed Payload Encoding: Preventing Payload Disclosure via Context (October, 2007), I)ruid, C²ISSP, druid@caughq.org, http://druid.caughq.org
Abstract: A common goal of payload encoders is to evade a third-party detection mechanism which is actively observing attack traffic somewhere along the route from an attacker to their target, filtering on commonly used payload instructions. The use of a payload encoder may be easily detected and blocked as well as opening up the opportunity for the payload to be decoded for further analysis. Even so-called keyed encoders utilize easily observable, recoverable, or guessable key values in th...

uninformed 09 02

Published 28 Dec 2019 by eZine lover (@eZine)
ActiveX - Active Exploitation (01/2008), warlord, warlord@nologin.org, http://www.nologin.org
Share what I know, learn what I don't
1) Foreword
First of all, I'd like to explain what this paper is all about, and especially, what it is not. A few months ago I got into the technical details of ActiveX for the first time. Prior to this point I only had some vague ideas and a general understanding of what it is and how it works. What I did first is probably quite obvious: I googled. To my surprise though, I could not find a single paper discussing ActiveX and how to exploit it. My next step was to contact some generally smart and know...

uninformed 09 01

Published 28 Dec 2019 by eZine lover (@eZine)
An Objective Analysis of the Lockdown Protection System for Battle.net (12/2007), Skywing, skywing@valhallalegends.com
Abstract: Near the end of 2006, Blizzard deployed the first major update to the version check and client software authentication system used to verify the authenticity of clients connecting to Battle.net using the binary game client protocol. This system had been in use since just after the release of the original Diablo game and the public launch of Battle.net. The new authentication module (Lockdown) introduced a variety of mechanisms designed to raise the bar with respect to spoofing a game client when logging on to Ba...

uninformed 09 00

Published 28 Dec 2019 by eZine lover (@eZine)
Engineering in Reverse: An Objective Analysis of the Lockdown Protection System for Battle.net, Skywing
Near the end of 2006, Blizzard deployed the first major update to the version check and client software authentication system used to verify the authenticity of clients connecting to Battle.net using the binary game client protocol. This system had been in use since just after the release of the original Diablo game and the public launch of Battle.net. The new authentication module (Lockdown) introduced a variety of mechanisms designed to raise the bar with respect to spoofing a game client when logging on to Battle.net. In addition, the...