• Apache Tika VS Boredom. Bypassing Arbitrary File Upload Restrictions

As we were preparing some material for one of our clients, they asked us to provide some insight into how to avoid arbitrary file uploads.

Apart from the usual “just use a white-list for the allowed extensions” approach, they wanted us to focus on analyzing the uploaded files to be able to determine whether these should be allowed or not.

  • CheatEngine: Hacking games memory

    Hi all!

At Audea we love reversing and breaking stuff, and video games are probably one of the most fun things to hack. Rules are okay, but what would have happened if Neo had followed the rules?? Exactly: he would have gotten a raise and been happy with a wonderful fake life.

That’s why we’d like to explain a bit about how to start hacking some basic things in a video game, because breaking the rules can be fun too.

The game we chose to analyze and hack is a hilarious one made by ChaosMonger Studio, a Latvian company with 20 years of experience: Clunky Hero!!

  • Heap Funk: Playing with TCache

As I was learning some stuff about TCache and its lack of checks, it became apparent that some already-mitigated attacks were available once again. I was especially concerned about how the TCache bin was managed, and thus decided to go a little deeper. There are many checks being skipped for performance reasons.

What would happen if we issued a free on a pointer obtained via malloc and then modified something inside it? Would it actually disrupt the heap management? >)

Let’s find out.
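As an added example (not code from the post above), here is one concrete answer to that question for glibc’s tcache. It assumes a Linux host with glibc 2.26 or newer (tcache present). After the first free, glibc stores its tcache metadata (`next`, and on 2.29+ a `key`) in the first two words of the freed user area; writing over that `key` through a dangling copy of the pointer defeats the double-free check, so the same chunk can be freed twice and two consecutive mallocs of that size return the same address. The request size `REQ` and the globals `dangling`, `got_a` and `got_b` are my own choices; `REQ` is picked so the chunk still fits the tcache (requests up to 1032 bytes) but is a size class the C runtime itself is unlikely to touch. This deliberately corrupts the heap, so run it in a throwaway process.

```c
/* Added example, not the post's own code. Assumes glibc >= 2.26 (tcache).
 * Demonstrates that a write into a freed chunk (use-after-free) disrupts
 * heap management: clearing the tcache "key" re-enables a double free. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Request size (assumption): fits the tcache, unlikely to be shared with libc's own allocations. */
#define REQ 1000

/* Dangling copy of the freed pointer. volatile keeps the compiler from
 * reasoning about the freed block or the pointer comparison below. */
static void *volatile dangling;
static void *volatile got_a;
static void *volatile got_b;

/* Returns 1 if, after the use-after-free write and the double free, two
 * consecutive malloc(REQ) calls hand out the same chunk; 0 otherwise. */
int tcache_double_free_after_uaf_write(void)
{
    char *p = malloc(REQ);
    if (p == NULL)
        return 0;
    memset(p, 'A', REQ);         /* user data, about to be overwritten by glibc */
    dangling = p;

    free(p);                     /* chunk goes to the tcache bin for this size;
                                    glibc writes {next, key} over "AAAA..." */

    /* Use-after-free write. tcache_entry { next; key } lives in the user
     * area, so meta[1] is the key (glibc 2.29+: the value the double-free
     * check compares against; 2.26-2.28 have no key and no check at all). */
    volatile uintptr_t *meta = (volatile uintptr_t *)dangling;
    meta[1] = 0;

    free(dangling);              /* double free. Without the write above,
                                    glibc 2.29+ aborts here with
                                    "free(): double free detected in tcache 2" */

    /* The bin now holds the same chunk twice (its next pointer loops back
     * to itself), so the allocator hands it out twice. */
    got_a = malloc(REQ);
    got_b = malloc(REQ);
    return got_a == got_b;
}

int main(void)
{
    int same = tcache_double_free_after_uaf_write();
    printf("two consecutive mallocs returned the same chunk: %s\n", same ? "yes" : "no");
    return 0;
}
```

The point is the one the question above hints at: the freed chunk’s user area is heap metadata, and it is only protected by whatever checks the tcache code runs on free and malloc. The key check catches a naive double free, but a single attacker-controlled write into the freed chunk (or, on 2.26–2.28, nothing at all) is enough to get the same address twice, which is the starting point for the classic tcache poisoning primitives.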

  • Exploiting HackSys Kernel driver

    Hi all!

Exploiting drivers offers tons of possibilities we can’t find in userland, so it’s important to learn kernel internals, as they will become more and more important for Windows security.

Kernel exploitation is a very complex subject, and the more I learn about it, the more I realize I must do the basic things first. And that’s what I will explain today: a basic stack buffer overflow in a driver on Windows 7 32-bit. The chosen driver is the famous HEVD (HackSys Extreme Vulnerable Driver), a Windows kernel driver with intentional vulnerabilities. This vulnerable driver is the main reference for learning kernel exploitation, so if you are interested you can find it here. Special thanks to them!

  • Heap Series: References

I can’t wrap up this small series without saying thank you.

Thank you all for providing for the community. And most of all, thank you for sharing, and for taking the time and the effort to provide such good content.

  • Heap Series: 5/5 Heap basics from a practical perspective

In the previous part, we talked about the TCache and FastBin freelists, making use of a couple of code samples that performed some memory allocations and allowed us to see how the heap manager was taking care of the mallocs and frees.

    In this part, we will talk about the unsorted, small and large bins. We’ll go through some samples to verify our assumptions and make sure that everything is understood :)

  • Heap Series: 4/5 Heap basics from a practical perspective

In the previous part of this series we had a look at the structures used by the heap manager to keep track of allocated/freed chunks. As we learned in the second part, chunks can be in one of two states (in use or not), and we peeked at just the tip of that iceberg using GDB and a couple of plugins.

Let’s dig into those structures we mentioned before: the Bins, or FreeLists, used by the heap manager.

  • Heap Series: 3/5 Heap basics from a practical perspective

In the second part of this series, we had a look at the internals of GLIBC to learn how heap management was implemented, making use of two basic structures:

    • Allocated chunks (currently in use)
    • Free chunks (free was called on the pointer returned by malloc)

I know the title reads “… from a practical perspective” and the previous post was almost all theory, but that’s only because this one was supposed to be part of the second. As I was writing it, it became so long that it turned out to be impractical to read.

So here it is: a whole practical post about heap internals.

  • Heap Series: 2/5 Heap basics from a practical perspective

In the first part of this series, we talked about some basic functionality the heap manager provides, and by running some demos we were able to learn simple malloc/free usage and its effects on memory.

  • Heap Series: 1/5 Heap basics from a practical perspective

I’ve tried a few times to learn some heap stuff; however, I usually ended up reading about something else on my to-do list, or something brand new…

    For sure I’m not the only one :)

This time I wanted to change the way I approach this particular dragon. I promised myself I would write about what I learnt and the findings I made during this rather long process.

    So let’s give it a try.