From: Dave Aitel (dave immunityinc.com)
Date: Thu Aug 14 2008 - 14:47:27 CDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
It's dark and storming here - not rare for Miami.
For those of you who like to read about heap overflows, Nico's blog has
some information on the work he did to make the Citrix bug CANVASized:
http://eticanicomana.blogspot.com/
Likewise his post on the rollercoaster ride that is writing heap
overflows is a good one. :>
We find that ready-to-use kernel rootkits are a key part of what people
want in an attack platform these days. To this end Daniel Palacio (an
intern at Immunity this summer) wrote a Linux rootkit we hope to release
shortly as part of CANVAS. Bas has since written a loader for it [1]
that uses the debug registers to "hook" things. You may or may not have
seen this technique being used [2] but it's good to have something ready
to go in your toolkit. There are some other cool features in the CANVAS
Linux rootkit but I'll wait till it's ready sometime next week to post
about them.
- -dave
[1] The loader itself is in CANVAS Early Updates for those of you who
want to play with it.
[2] I think a Windows rootkit uses this hooking technique but I can't
remember which one.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIpIvPtehAhL0gheoRAsjMAJ0dV6QtjYeKxTMIXJ3B4lQh6DCMSgCffqqQ
Grzmj+AKSj37bABrA8nANaw=
=oOeE
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave