

ASLRdynamicbase.py | 1 KB | Aug 11 2007
This Immunity Debugger 'PyCommand' script walks every loaded module and reports whether its PE header opts in to Vista's ASLR, i.e. whether the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag (0x0040) is set in the optional header's DllCharacteristics field. A module without the flag is loaded at its preferred ImageBase and so remains a source of fixed addresses (trampolines, gadgets) even on an ASLR-enabled system; a module that sets the flag but has had its relocations stripped cannot be rebased either.
Install by copying this file into the PyCommands\ folder, and from within the running debugger issue the !ASLRdynamicbase command.

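The check the PyCommand performs, written out as a stand-alone Python example (added here; it is not the script's code and does not use Immunity's API). It parses the DOS, COFF and optional headers of an in-memory PE image, reads DllCharacteristics, and also flags the relocations-stripped case in which DYNAMICBASE cannot take effect. The sample modules and their names are constructed for the example.

```python
import struct

# PE header bits (from winnt.h) relevant to Vista ASLR opt-in.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # /NXCOMPAT, reported for context
IMAGE_FILE_RELOCS_STRIPPED = 0x0001              # COFF Characteristics: no .reloc, cannot be rebased


def inspect_module(image):
    """Parse the DOS/COFF/optional headers of an in-memory PE image and
    report its ASLR-relevant flags. Works for PE32 and PE32+ because
    DllCharacteristics sits at offset 70 of the optional header in both."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")

    coff = e_lfanew + 4
    file_chars = struct.unpack_from("<H", image, coff + 18)[0]   # COFF Characteristics
    opt = coff + 20                                              # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", image, opt + 70)[0]

    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    if dynamic_base and not relocs_stripped:
        verdict = "ASLR"
    elif dynamic_base:
        verdict = "DYNAMICBASE set but relocations stripped; loads at preferred base"
    else:
        verdict = "no DYNAMICBASE; fixed at preferred ImageBase"
    return {
        "format": "PE32+" if magic == 0x20B else "PE32",
        "dynamic_base": dynamic_base,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        "verdict": verdict,
    }


def build_image(dll_chars, file_chars=0, pe32plus=False):
    """Constructed minimal PE header (no sections) for testing: only the
    fields the check reads are populated."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_chars)                     # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed sample "modules"; the names are invented for the report.
SAMPLE_MODULES = {
    "aslr_ok.dll":  build_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                | IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    "legacy.dll":   build_image(0),
    "stripped.dll": build_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE,
                                IMAGE_FILE_RELOCS_STRIPPED),
    "x64.dll":      build_image(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, pe32plus=True),
}


def report(modules):
    """One line per module, in the spirit of the PyCommand's table."""
    lines = []
    for name, image in sorted(modules.items()):
        r = inspect_module(image)
        lines.append("%-14s %-5s DYNAMICBASE=%d NXCOMPAT=%d  %s"
                     % (name, r["format"], r["dynamic_base"], r["nx_compat"], r["verdict"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_MODULES)))
```

To run this against a real module rather than the constructed headers, read the file (or the mapped image) into `bytes` and pass it to `inspect_module`; only the headers are touched, so a partial read covering them is enough.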
findtrampoline.py | 1 KB | Aug 11 2007
This is a simple Immunity Debugger 'PyCommand' script. It finds suitable trampolines to the chosen register: addresses that can be written over the saved return address when exploiting a classic stack overflow, so that execution is redirected through a register which points to our shellcode.
Install by copying this file into the PyCommands\ folder, and from within the running debugger issue the !findtrampoline <register> command. It searches for the basic jmp <reg>, call <reg> and push <reg> / ret sequences. Prefer hits in modules that do not opt in to ASLR (ASLRdynamicbase.py above reports which ones), otherwise the address is only valid for the current run.

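The search the PyCommand performs, as an added stand-alone Python example (not the script's own code, and not using Immunity's API). It derives the opcode bytes for jmp reg, call reg and push reg / ret from the x86 register number, scans a byte buffer as if it were a module mapped at a given base, and drops addresses containing bad characters that would not survive the overflow. The module bytes and base address are constructed for the example.

```python
import struct

# x86 register numbers as used in the ModRM and opcode+rd encodings.
REGS = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
        "esp": 4, "ebp": 5, "esi": 6, "edi": 7}


def trampoline_patterns(reg):
    """Byte sequences that redirect execution into <reg>:
    FF /4 (jmp r/m32) and FF /2 (call r/m32) with mod=11 register-direct,
    plus 50+rd (push r32) followed by C3 (ret)."""
    r = REGS[reg.lower()]
    return {
        "jmp %s" % reg:        bytes([0xFF, 0xE0 | r]),
        "call %s" % reg:       bytes([0xFF, 0xD0 | r]),
        "push %s ; ret" % reg: bytes([0x50 | r, 0xC3]),
    }


def find_trampolines(data, base, reg, badchars=b""):
    """Return (address, mnemonic) for every occurrence of a trampoline
    pattern in `data`, treated as a module image mapped at `base`.
    Addresses whose little-endian encoding contains a byte in `badchars`
    are dropped. The bytes need not be an intended instruction: any
    position where they occur is a usable trampoline."""
    hits = []
    for mnemonic, pattern in trampoline_patterns(reg).items():
        pos = data.find(pattern)
        while pos != -1:
            addr = base + pos
            if not any(b in badchars for b in struct.pack("<I", addr)):
                hits.append((addr, mnemonic))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)


# Constructed module image: NOP filler with a few trampolines planted at
# known offsets. The base address is an assumption, not a real module's.
SAMPLE_BASE = 0x10000000
SAMPLE_MODULE = (
    b"\x90" * 0x10
    + b"\xff\xe4" + b"\x90" * 0x0E    # 0x10: jmp esp
    + b"\x54\xc3" + b"\x90" * 0x0E    # 0x20: push esp ; ret
    + b"\xff\xd4" + b"\x90" * 0x0E    # 0x30: call esp
    + b"\xff\xe0" + b"\x90" * 0x0E    # 0x40: jmp eax (not a hit when searching for esp)
)


if __name__ == "__main__":
    for addr, mnemonic in find_trampolines(SAMPLE_MODULE, SAMPLE_BASE, "esp"):
        print("0x%08x  %s" % (addr, mnemonic))
```

In a debugger the same logic would be run over each loaded module's mapped range with that module's real base; pairing the result with the ASLR report tells you which of the hits will still be there next time the process starts.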
funcdump.py | 694 B | Aug 9 2007
This is a very basic Immunity Debugger 'PyCommand' script. It lists all the functions found within the loaded module and displays them cleanly in a table. From there it is simple to focus on the relevant function: highlight the line and press Enter.
Install by copying this file into the PyCommands\ folder, and from within the running debugger issue the !funcdump command. There are undoubtedly other ways to produce the same result, but it's a nice, useful example of the flexibility of the Python API.

itunes7_antiantidebug.py | 2 KB | Sep 7 2007
Ever wanted to impress your friends by playing songs in iTunes while debugging it at the same time?! Now you can!
On a more serious note, this will allow you to bypass iTunes' two SoftICE detection techniques and its IsDebuggerPresent() anti-debugging check. This Immunity Debugger PyScript contains the correct breakpoint for iTunes 7.3.2.6, but others can easily be added (the target function is documented and well explained). Finding and understanding David Thiel's recent iTunes vulnerability should be much easier.
Rather than merely hooking IsDebuggerPresent(), which would still let both SoftICE detection techniques run to completion, this method adjusts the relevant register after the wrapper function Tunes.checkForDebuggers() returns, so the subsequent call to Kernel32.ExitProcess(0) never happens.

itunes7_universal_antiantidebug.py | 2 KB | Sep 7 2007
Same outcome as the previous itunes7_antiantidebug.py PyScript, but this version scans the process address space for the likely location to hook instead of using a hard-coded address.
That means no more horrible static offsets, and it should work 'automagically' against newer and older versions.

JgpStartUp.JPG | 158 KB | Jun 14 2006
This came from my work on MS06-022 patch analysis. It's the .ART image flaw that's present in IE.
Just comparing the old (47.0.0.0) and new (54.0.0.0) versions of jgpl400.dll shows that function calls have been dropped.