h0wl's blog - comments feed
Blog author: Pawel Wylecial (http://www.blogger.com/profile/10114474176396848494)
Feed last updated: 2023-08-07T18:58:54+02:00

Yuhong Bao (2015-06-22T23:17:02+02:00):
Also from WinDbg:
jscript9!Js::TempArenaAllocatorWrapper<1>::Dispose:
63781300 8bff            mov     edi,edi
63781302 56              push    esi
63781303 8bf1            mov     esi,ecx
63781305 8d4e04          lea     ecx,[esi+4]
63781308 e8684fe5ff      call    jscript9!ArenaAllocatorBase::Clear (635d6275)
6378130d 8b5634          mov     edx,dword ptr [esi+34h]
63781310 83ea08          sub     edx,8
63781313 52              push    edx
63781314 8b4a04          mov     ecx,dword ptr [edx+4]
63781317 8b02            mov     eax,dword ptr [edx]
63781319 8901            mov     dword ptr [ecx],eax
6378131b 8b0a            mov     ecx,dword ptr [edx]
6378131d 8b4204          mov     eax,dword ptr [edx+4]
63781320 894104          mov     dword ptr [ecx+4],eax
63781323 ff1540619a63    call    dword ptr [jscript9!_imp__free (639a6140)]
63781329 59              pop     ecx
6378132a 5e              pop     esi
6378132b c20400          ret     4
Notice the write to the address obtained.

Pawel Wylecial (2015-06-14T15:08:14+02:00):
I guess you mean enabling PageHeap? Yes, I use it, but it was not required to catch this specific bug.

Pawel Wylecial (2015-06-14T15:04:04+02:00):
Yes, I realize that nowadays UAFs can more often look like a null ptr, but here I wasn't able to come up with anything.
That's why I published it; maybe someone will show that it is actually otherwise : )

michee (2015-06-13T14:27:35+02:00):
Hi mate, did you use any settings on IE11 to fuzz it?
Like for isolated heap and other similar stuff? ... Thanks!

echo (2015-06-08T22:51:00+02:00):
And how do you know that it isn't, for example, a delayed free?
That's a rhetorical question :)
But the fact is that since 2014 even more bugs than before can look like a NULL PTR, at least in IE.
It used to be, among other things, like this: http://www.exploit-monday.com/2011/07/post-mortem-analysis-of-use-after-free_07.html
Today in IE, below the reached pool of 100000B, memory is only marked to be freed in the future and its contents are filled with zeros,
so a dangling pointer pointing to such a region will have the value '0' :|

Anonymous (2013-07-06T23:58:00+02:00):
Thank you very much for the explanation.

Pawel Wylecial (2013-07-05T19:10:57+02:00):
Sure, the echo command is issued insecurely by the system() function; we can alter the environment variable PATH so that when echo is called it will first look in the /home/level01 directory, where our simple program is located (the program I created simply executes bash). So instead of running /bin/echo it will run /home/level01/echo.

Anonymous (2013-07-05T18:55:49+02:00):
I'm sorry to bother you, but could you explain why? How was echo altered?
And what does the program you have created do?

Anonymous (2013-06-21T03:20:27+02:00):
Very good explanation. We made a video tutorial about Tor + Proxychains and even wrote a script called tor-buddy available on our website www.LearnNetSec.com

kp (2013-01-24T18:57:58+01:00):
Hi,

I have issues running the gwtenum.py tool.
When I give in this command in the prompt it says invalid syntax error.
I have tried all possibilities but in vain.

Could you please help me with this.

skak_match (2012-08-31T21:58:06+02:00):
The script just views etc/passwd, but if I want to see another file like database / config.php it is faultString.
Can you tell me a script to view other files?