solareclipse at phreedom dot org
GPG key ID: E36B11B7
2AEE 1C8D 06C6 DEF8 7CEA 6FAE 1F0A 65D4 E36B 11B7
| 12 Dec 2006 : | OpenLDAP kbind vulnerability |
| 6 Nov 2006 : | Tiny PE source code |
| 4 Nov 2006 : | Atom feed for website updates |
| 17 Dec 2005 : | Operator Shell (osh) 1.7 vulnerabilities released |
26 Mar 2004
This is an exploit for a previously undisclosed vulnerability in the bit string decoding routine in the Microsoft ASN.1 library (CVE-2005-1935). This vulnerability is different from the interger overflow vulnerability described in the eEye advisory AD20040210-2. It was silently fixed in the MS04-007 patch along with the publicly disclosed ASN.1 vulnerabilities.
31 October 2003
A presentation about the basics of exploit code development, covering buffer overflows, stack layout and calling convention, format string exploits, heap overflows and the malloc memory allocation. The presentation includes diagrams of the stack and memory during the execution of an exploit.
15 October 2003
This is an exploit for the vulnerability discovered by ISS in September 2003 (CVE-2003-0831). It affects ProFTPD 1.2.7, 1.2.8, 1.2.9rc1 and 1.2.9rc2. The exploit includes a detailed vulnerability description and an interesting exploitation technique.
17 September 2002
Remote exploit for the KEY_ARG overflow in OpenSSL 0.9.6d and older (CVE-2002-0656). Tested against most major Linux distributions. Gives a remote nobody shell on Apache and remote root on other servers. Includes an OpenSSL vulnerability scanner and a detailed vulnerability analysis. Only Linux/x86 targets are supported.
7 August 2002
This is a remote exploit for a buffer overflow in the Kerberos KBIND authentication code in the OpenLDAP slapd server (CVE-2006-6493). The vulnerable code is enabled only when OpenLDAP is compiled with the --enable-kbind option, which has been disabled by default since version 2.0.2 and was removed from the configure script in the 2.1 release. However, the vulnerable code code is still present even in the latest 2.4.3alpha version of OpenLDAP and can be enabled manually.
10 October 2000
Exploit for the locale format string vulnerability in Solaris/SPARC 2.6 and 7 (CVE-2000-0844). Includes information about using the exploit and a description of some implementation details.
7 Feb 2005
The Operator Shell is a setuid root, security enhanced, restricted shell for providing fine-grain discribution of system privileges for a wide range of usages and requirements. Contrary to its stated design goals however, this programs seems to be designed to subvert security and provide unrestricted root access to any unprivileged user. During the course of a few hours, I discovered 11 vulnerabilities, ranging from vanilla strcpy overflows to format string bugs and more esoteric environment variable issues.
7 August 2002
The Kerberos KBIND authentication code in the OpenLDAP slapd server contains a remotely exploitable stack buffer overflow. This vulnerability was found using grep and its presence indicates that the OpenLDAP code has not been audited thoroughtly enough in the past. The buffer overflow is still present in the latest 2.4.3alpha version of OpenLDAP, but the vulnerable code is not enabled by default. The vulnerability was assigned CVE-2006-6493.
31 May 2002
Sometime in 2002 a Honeynet system was compromised, and the binary in question was downloaded, installed, and then ran on the compromised honeypot. Its now your mission -- should you choose to accept it! -- to identify how the tool works, its purpose, and to show your methods for analysis. My solution to the challenge won 4th place in the contest.
26 April 2002
On 08 January, 2002 a default, unpatched installation of Solaris8 Sparc was remotely compromised with the dtspcd exploit. Using the Snort binary capture of the attack, identify the commands executed on the hacked Solaris box, as well as other specific details about the compromise.
16 Jun 2001
In March, 2001 a Solaris system was compromised. A collection of tools, utilities and files were uploaded onto the system by the blackhat. One of the files was encrypted. The goal of this challenge was to identify the encryption algorithm used, decrypt the file and identify the file contents. My solution was in the Top 10 for this month.
6 Nov 2006
This is a tutorial on creating really small PE executables. It describes the techniques used to create a 97 byte PE file that is successfully loaded by Windows and a 133 byte file that downloads and runs another program from the Internet. This work was was inspired by the Tiny PE challenge.
5 Jan 2004
onesixtyone is an efficient SNMP scanner which utilizes a sweep technique to achieve extreme performance. It is possible to scan a class B network (65536 ip addresses) in under 13 minutes with a very high degree of accuracy. onesixtyone can be used to scan a network for devices responding to well-known community names or to mount a dictionary attack against one or more SNMP devices.
4 July 2001
The HTTP server in Cisco IOS 11.3 to 12.2 allows attackers to bypass authentication and execute arbitrary commands (CVE-2001-0537, Cisco Bug ID CSCdt93862). This is a Perl script for scanning a network for vulnerable Cisco devices.
