
Slides & notes for “Uncovering Zero-Days and advanced fuzzing” at AthCon 2012:
Uncovering ZeroDays and advanced fuzzing
the full version as a PDF file
Uncovering ZeroDays and advanced fuzzing SCRIPT
the full script (my notes) as a PDF file
Thank you, very nice!
You are welcome, I hope people like it and can actually make use of the information inside.
Excellent stuff! The demo of slowly testing using Perl (how you found the Apache bug) is especially inspiring, shows a more methodical and better way than just firing $(public_fuzzer) at something and looking for a crash…
I wish I had been able to go to Athcon to see this…
Thanks again! The slides and notes show some insight on how to improve your auditing skills and I just want to deliver knowledge to the people that I collected over the years, of course not everything. I love to hear posts like the one you wrote, drunkode, as it shows me that it is worth doing what I do ..
Enjoy!
Wonderful!!
Hello, dear kincope …
Thanks .. by the way, are you going to put the class online as well?
King, yesterday I saw your materials. How can I speak with you more privately?
you can mail me at isowarez.isowarez.isowarez@googlemail.com
Why can’t you use memcpy to copy the shellcode to the mmap-allocated area? Because the stack is randomized? I guess so…….then what do the copied gadgets do so special in order to copy the shellcode from the stack area? They work like an egghunter or what? Thanks.
It is much more straightforward to use the read PLT entry in order to read in the shellcode from the TCP connection. If the read PLT entry is not available (because of no dynamic linkage, for example) you can use the presented shellcode copier. It copies the shellcode from the ESP register to the new mmapped area (0x10000200) right after the shellcode copier. Yes, it’s because stack addresses are unknown.
Right, read is also an option.
Aha, ok, thanks for clearing that up, mate!