Skip to main content

Off-By-One Vulnerability And Exploit


Comments

Popular posts from this blog

Intro To Malware Analsys

Hi Folks, here I will analyze a malware which is possible packed with nspack. Details are below: SHA256: 5df0b1b07143c880c76d6e82253a20192981c83c3ea68bf86ffede6b17c01da4 File name: 5df0b1b07143c880c76d6e82253a20192981c83c3ea68bf86ffede6b17c01da4 First, we will do static analysis of the file. Using string utility: we see following things. most of the strings are obfuscated or encrypted content. we saw the strings like. nsp0 .nsp1. .nsp2.if  we google it we can know that it is a packer which based on NS packer. VirusTotal Analysis: Upon analysis using virus Total we saw detection 49 out of 55 which is a malicious in nature so we should unpack the malware because without unpacking the malware looks obfuscated and it is not possible to debug the instruction.it looks like below in IDA As we saw above we saw custom sections like ns0 ns1 ns2 and OEP starts with PUSHF PUSHA which is indication of a packer.we can confirm it

Buffer Overflow Attack on Windows

Generally Exploiting In windows system is very tough,though you have to overcome various protection and bypass.In some cases you have to use Kernel Mode exploits. And also we will show you the target machine which we will perform attack is XP,otherwise if we will try on win7,win8,win10, then we will have to cross the path where all doors are closed.hope you got my point.First we will discuss some of the protection mechanism here. ASLR DEP SEH SAFESEH SEHOP Control Flow Guard(CFG) Stack Compiler Option(/GS cookie option) EMET Heap Isolation and many more coming............. But before starting our exploit development process we should know some theory which is very necessary.Otherwise we are in the middle of way and we don't know the path to go around. Windows Memory Layout   In an X86 system, when a application starts,a process is created and virtual memory assigned.so the address space ranges from 0x00000000 to 0xFFFFFFFF which is called user-land level of OS.If the address range