Comments for SkullSecurity

Comment on ropasaurusrex: a primer on return-oriented programming by Newlog

Newlog — Sat, 11 May 2013 19:33:38 +0000

man, this writeup is Amazing. What a wonderful ROP explanation. great.

Comment on ANDX... and what? by ISMAIL

ISMAIL — Thu, 09 May 2013 20:04:01 +0000

You just confused me more! :)

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by Ron Bowes

Ron Bowes — Mon, 06 May 2013 21:43:38 +0000

@tudalex - sadly, Isuldur isn't public. It was developed by one of the guys who organized PlaidCTF as a school project.

Comment on ropasaurusrex: a primer on return-oriented programming by Ron Bowes

Ron Bowes — Mon, 06 May 2013 21:43:11 +0000

Thanks douglas!

Comment on ropasaurusrex: a primer on return-oriented programming by douglas

douglas — Mon, 06 May 2013 18:36:43 +0000

this is the best ROP tutorial I ever seen.
Thank you a lot for write this, maybe now I can really learn this subject.

Comment on ropasaurusrex: a primer on return-oriented programming by Scotty

Scotty — Mon, 06 May 2013 04:57:22 +0000

I had a hard time following how you manipulated the read() call yourself... I think you should point out ( not in code comments) that you overflowed the return address to that of reads with it's expected parameters sitting in the buffer.

Otherwise beautiful tutorial

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by tudalex

tudalex — Sun, 05 May 2013 19:52:35 +0000

What is isildur? And where can I find it?

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by shuffle2

shuffle2 — Sun, 05 May 2013 00:38:45 +0000

Nice job. The phrase appears to come from http://oneweirdkerneltrick.com/swaggr.pdf "Figure 5" (check the other pdfs on the site too..). What is the connection? (or: wtf is that page in the first place?)

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by Dominic Wang

Dominic Wang — Sat, 04 May 2013 22:44:14 +0000

That was amazing! I've been working on this for at least 24 hours.

Comment on ropasaurusrex: a primer on return-oriented programming by luc

luc — Fri, 03 May 2013 11:21:20 +0000

Thanks so much!! really useful!!! i like how you explain complex concepts in an easy and clear way.
REGARDS

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by danny

danny — Fri, 26 Apr 2013 08:07:54 +0000

Thanks for the write-up!
I figured till 24 chars, 4 check-sums, 4 check-routines and then got lost in the routines, dumped this one and moved to 'cone' and solved it :)

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by Ron Bowes

Ron Bowes — Thu, 25 Apr 2013 18:36:25 +0000

Thanks! "Brute-force persistence" was the best description I could come up with, and I think it's quite apt. :)

If you figured out any shortcuts/techniques that I missed, I'd love to hear it!

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by Gynvael Coldwind

Gynvael Coldwind — Thu, 25 Apr 2013 18:32:53 +0000

Great work and great writeup!
I also had a chance to play (and after countless battles solve) this task, and uh, I totally agree with ur conclusions on "brute-force persistence".
Good task eating quite a lot of time ;)

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by Ron Bowes

Ron Bowes — Thu, 25 Apr 2013 17:09:08 +0000

Thanks, guys! It was a lot of fun!

I actually had trouble patching the binary, I kept winding up with an infinite loop. I'm not sure if I was running afoul of some kind of protection, or if I was just screwing something up (likely the latter :) )

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by Rajat

Rajat — Thu, 25 Apr 2013 17:06:57 +0000

Hats off! You should be proud of solving this one! I went until the point where I was fixing the IDA assembly statically. I was stuck on the dynamic piece: the gdbinit LD_PRELOAD trick was awesome. I'll keep that in my arsenal for future reference! :-)

Comment on Epic "cnot" Writeup (highest value level from PlaidCTF) by Gilgamesh

Gilgamesh — Thu, 25 Apr 2013 17:01:13 +0000

Pretty impressive! I have been working on this problem for the past 2 days during my free time and I got to the point where I figured out where the messages 'Wrong!' and 'Correct!' were being printed as well as the logic that the flag to determine which one to print was in the -0x58(%ebp) address. After that I was getting really lost with all the shit code (I didn't have the same idea as you to remove the useless parts). Only I thing I did different was to patch the binary for the ptrace call so that the check would always pass (simply xor eax,eax before the check).
Congrats on this write-up, it is pretty awesome! Thanks for it :)

Comment on Padding oracle attacks: in depth by mehdim

mehdim — Mon, 15 Apr 2013 09:00:14 +0000

how we use your tool in url's like http://www.example.com/ScriptResource.axd?...

Thank you

Comment on A padding oracle example by oplbhw

oplbhw — Sun, 14 Apr 2013 10:06:18 +0000

http://www.hack-ware.com/content/padding-oracle-exploit-tool-vs-apache-myfaces

Comment on Padding oracle attacks: in depth by Anonymous

Anonymous — Sun, 31 Mar 2013 23:32:18 +0000

Hi. Could you write a blog post about null IVs? I'm very interested and I appreciate your crypto posts.

Comment on How big is the ideal dick...tionary? by Piotr

Piotr — Thu, 14 Mar 2013 17:20:19 +0000

Great article! having password ordered by
frequencies makes things much more clear...
You know if is possible to finding databases like that in other languages
(spanish, french, german, dutch) in order to draw a similar probability distribution?
I just found huge dictionary with no frequencies in languages other than english