oddflux

Anyone got any documents on

7 posts in this topic

Been looking through search engines recently for more detailed explanations on null pointer dereference vulnerabilities and their exploitation. I haven't found a lot of reliable documentation which I can learn from, but I do know that it exists. Anyone got anything on them?

Hmm, and anyone got anything on exploiting buffer overflows, in the Python language? Another thing I've been looking for, for a while.


Huh? I don't think there is any such thing as "NULL pointer dereference exploitation" unless you mean somehow causing a program to dereference a NULL pointer and crash. Even then, it's only a DOS vulnerability. NULL pointer dereferences are not often considered security vulnerabilities.

Also, the language the exploit is written in is completely irrelevant. Assuming the exploit functions over a network socket, anything that can open a socket (and even ones that can't, with the help of a program like netcat) can write an exploit. Writing the exploit is usually the easiest part, finding the bug and figuring out how to exploit it is the hard part. So you can write them in Python, there's no reason you can't. They're traditionally written in C for one big reason: it's the lingua franca of the hacker world. That's not as true today as it once was though.


Is this what you're talking about? I just breezed through it.. looks like it might be interesting. Bet they are a bitch to find though.

http://documents.iss.net/whitepapers/IBM_X...ce_WP_final.pdf

Found it here:

http://blogs.zdnet.com/security/?p=1030

Lingua Franca... That's a new phrase to me. Fortunately (for me) there is a big wiki on it.

Huh? I don't think there is any such thing as "NULL pointer dereference exploitation" unless you mean somehow causing a program to dereference a NULL pointer and crash. Even then, it's only a DOS vulnerability. NULL pointer dereferences are not often considered security vulnerabilities.

Yes, aliens do exist! Any signal/exception that the program receives is going to change the control flow which can sometimes lead to arbitrary code execution. Check out this paper from uninformed.org: exploiting the otherwise non-exploitable on windows

That paper was written a few years before Mark Dowd's ActionScript escapade. Matasano had a really good blog post about Dowd's exploit.

If you’re not an exploit writer, think of it this way: you know that crazy version of Super Mario Brothers that Japan refused to ship to the US markets because they thought the difficulty would upset and provoke us? This is the exploit equivalent of that guy who played the perfect game of it on YouTube.

roflollerz :warrior:

Most of the time it is just a DoS, but before you draw any final conclusions you might want to look a bit more closely. ;)

Huh? I don't think there is any such thing as "NULL pointer dereference exploitation" unless you mean somehow causing a program to dereference a NULL pointer and crash. Even then, it's only a DOS vulnerability. NULL pointer dereferences are not often considered security vulnerabilities.

Also, the language the exploit is written in is completely irrelevant. Assuming the exploit functions over a network socket, anything that can open a socket (and even ones that can't, with the help of a program like netcat) can write an exploit. Writing the exploit is usually the easiest part, finding the bug and figuring out how to exploit it is the hard part. So you can write them in Python, there's no reason you can't. They're traditionally written in C for one big reason: it's the lingua franca of the hacker world. That's not as true today as it once was though.

That isn't entirely true. NULL pointer dereferences aren't limited to only DOS exploitation; there's a vulnerability in a high-priority OS kernel which is susceptible to NULL pointers, and can be locally exploited to provide the hacker with execution of arbitrary code at the kernel level on 80x86 systems, or a DOS on SPARC systems.

I'm also aware that the language is irrelevant, with or without sockets. I'm asking how to write Python exploits ... I wouldn't know where to start.

That isn't entirely true. NULL pointer dereferences aren't limited to only DOS exploitation; there's a vulnerability in a high-priority OS kernel which is susceptible to NULL pointers, and can be locally exploited to provide the hacker with execution of arbitrary code at the kernel level on 80x86 systems, or a DOS on SPARC systems.

I'm also aware that the language is irrelevant, with or without sockets. I'm asking how to write Python exploits ... I wouldn't know where to start.

oddflux, that just made me remember something.. There was a talk at BlackHat USA (Las Vegas) this summer called "Pointers and Handles: A Story of Unchecked Assumptions in the Windows Kernel" by Alex Ionescu about NULL Pointer exploitation in Vista kernel space.. you might wanna check that out, too! :rules:

The gist of it is that you can use the memory manager function NtAllocateVirtualMemory to allocate memory at address 0x1 (which isn't really the null address, but when 32/64 bits are dereferenced from 0x0, the data at that next location becomes part of the word value).

If you're into writing exploits in .py, then check out Immunity MOSDEF. It's a shellcode generation framework written in Python with support for syscall proxying and remote stack swapping. :ninja:
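As an added illustration of the "unchecked assumption" pattern the thread keeps coming back to (not code from any post, paper or talk mentioned above): a lookup that can return NULL feeds a dispatch through a function pointer stored in the result. Whether the unchecked version is only a crash or something worse depends entirely on what, if anything, is mapped at the low addresses the field read lands on; the hardened version never touches the pointer. The handler table and names are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A record whose second field is a function pointer: a deref through a NULL
 * record reads address 0 + offsetof(struct handler, run) and calls the result. */
struct handler {
    const char *name;
    int (*run)(int arg);
};

static int double_it(int a) { return 2 * a; }
static int negate(int a)    { return -a; }

/* Constructed handler table for the example. */
static const struct handler TABLE[] = {
    { "double", double_it },
    { "negate", negate },
};

/* Returns NULL for an unknown name; the unchecked assumption is that it never does. */
static const struct handler *lookup(const char *name) {
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++)
        if (strcmp(TABLE[i].name, name) == 0)
            return &TABLE[i];
    return NULL;
}

/* Vulnerable pattern: with page 0 unmapped an unknown name is a crash (DoS);
 * if the low page could be mapped and filled, the value read from it would be
 * used as a code address. Only ever reached here with a known name. */
int dispatch_unchecked(const char *name, int arg) {
    const struct handler *h = lookup(name);
    return h->run(arg);
}

/* Hardened: reject the NULL result before any field is read, returning a
 * caller-supplied fallback instead of dereferencing. */
int dispatch_checked(const char *name, int arg, int fallback) {
    const struct handler *h = lookup(name);
    if (h == NULL)
        return fallback;       /* unknown handler: report, do not dereference */
    return h->run(arg);
}

int main(void) {
    printf("double(21)   -> %d\n", dispatch_unchecked("double", 21));
    printf("bogus(1)     -> %d (fallback)\n", dispatch_checked("bogus", 1, -1));
    return 0;
}
```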

