Phrack 64 article
Back in 2006 I found a flaw in the file(1) utility, found on many UNIX systems. It took me a while to successfully exploit this software, and while doing it, I found a new way to take advantage of a top chunk overflow. I wrote a paper about it, and it got published in Phrack 64!
p64_0x09_The_use_of_set_head_to_defeat_the_wilderness.txt
Multiple vendors ZOO file decompression infinite loop DoS
Here is the advisory for this security vulnerability:
Barracuda Convert-UUlib library buffer overflow leads to remote compromise
Here is the advisory for the security vulnerability:
barracuda-advisory-convert-uulib.txt
DrWeb LHA long directory name exploit and advisory
I found a security vulnerability in DrWeb's antivirus. After a couple of months, I finally took the time to learn how to write an exploit for it. Malloc overflows can be complicated :-) Some versions of libc implement integrity checks in the malloc library, which makes writing a working exploit a lot harder.
Here is the advisory and the exploit for the security vulnerability:
Two security advisories for the Barracuda Antispam Firewall
I have published two security advisories for the Barracuda. You can find them here:
barracuda-advisory-LHA.txt
barracuda-advisory-ZOO.txt
SMTP content filter security and PIRANA
PIRANA is an exploitation framework that tests the security of an email content filter. By means of a vulnerability database, the content filter to be tested is bombarded with various emails containing a malicious payload intended to compromise the computing platform. PIRANA's goal is to test whether or not any vulnerability exists on the content filtering platform. This tool uses the excellent shellcode generator from the Metasploit framework!
Download PIRANA here:
pirana-0.3.3.tar.gz
I wrote a paper that explains the vulnerabilities of an SMTP content filter. It also presents the techniques used in PIRANA to improve reliability and stealthiness.
You can download the paper in English or in French.
Freeing the ZOO!
Lately, I have been doing a lot of vulnerability research. I have discovered a flaw in the ZOO archiver, distributed with many UNIX systems.
Read the advisory here!
My experience with format string attacks
This is a little article that I published after playing with format string attacks. I also developed a little library that lets you do weird things with format string attacks.
You can view the article by clicking here (in French).
Exploiting the sniffer
This was one of my first experiences with auditing source code... I was very happy to find a bug in the popular sniffer "sniffit", but I found out a while later that it had already been patched. Well, too bad! ;)
Click here for the exploit code!