libtalloc: A GDB plugin for analysing the talloc heap

tl;dr This post is about a GDB plugin I wrote while researching the Samba exploitation earlier in 2015. There is a python script available. See the README for usage examples. Note that the plugin was thrown together while hacking on bugs. Introduction The Samba project developed a custom heap dubbed the “trivial allocator” aka talloc. A … Continue reading libtalloc: A GDB plugin for analysing the talloc heap

Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit

tl;dr Earlier this year I worked on an exploit for an interesting use-after-free vulnerability in win32k.sys (CVE-2015-0057) and was able to develop a reliable exploit on both 32-bit and 64-bit, affecting XP through Windows 8.1 (with a few exceptions). This writeup describes in detail how I approached exploitation on both architectures, which ended up being … Continue reading Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit

Some Notes About the Xen XSA-122 Bug

tl;dr; This is a summary of a vulnerability in Xen I found earlier in 2015, and why it’s not very useful in practice. Basically you can leak small amounts of memory from the hypervisor stack, but due to the way the associated hypercall is compiled, it turns out you can’t reliably leak very useful information. … Continue reading Some Notes About the Xen XSA-122 Bug

Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit

tl;dr It was found that Ubuntu 12.04 32-bit and Debian 7 Samba binaries contained a stack layout that was suitable for exploiting the recent _netr_ServerPasswordSet bug. I was able to develop a reliable exploit that grants pre-authenticated remote root against both systems. Introduction On March 2, 2015 I posted a blog entry [1] discussing the … Continue reading Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit