Events Related

  • CodeGate 2011 YUT Quals –
    The problems consisted of web vulnerabilities, forensics, cryptography, binary reversing, and some problems related to security topics that had been in the news.


  • Stack Based Buffer Overflow Tutorial
    This tutorial, in three parts, will cover the process of writing a simple stack based buffer overflow exploit based on a known vulnerability in the Vulnserver application.


  • WCE v1.1 is out! –
    Windows Credentials Editor (WCE) allows you to list logon sessions and add, change, list and delete associated credentials.
  • Metasploit Framework 3.6.0 Released! –
    In coordination with Metasploit Express and Metasploit Pro, version 3.6 of the Metasploit Framework is now available.
  • Agnitio v1.2 –
    Agnitio is a tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way.
  • AntiSamy 1.4.4 released! –
    The biggest move of this release is to officially change the default parser/serializer from the DOM engine to the SAX engine.
  • BeEF v0.4.2.3-alpha! –
    BeEF, the Browser Exploitation Framework, is a professional security tool provided for lawful research and testing purposes.
  • iAnalizer: An Integrity Analyzer for SAP! –
    Though this tool was talked about last year at the BlackHat security conference, it is only now that the tool is being released for download.
  • Analyzing PDF exploits for finding payloads used –
    In this blog, we will examine yet another in-the-wild PDF exploit which has hidden its malicious code under different objects.
  • This Is Not the Android Market Security Tool You Are Looking For –
    We have been actively following and analyzing the spate of Android malware in the Android Market place.


  • Dumpstrings.1sc –
    I wrote another script for my 010 Editor.
  • Can You Hack Your Own Site –
    We’ve been asked by our client to incorporate into an existing site, a book review system.
  • Flash JavaScript Injection –
    According to the Adobe website, can accept a JavaScript function name as the first argument and a string which would be sent to that JavaScript function.
  • SMBRelay by Oracle –
    Our next target is Oracle. Oracle is one of the most widespread RDBMS and many Enterprises use it as backend.
  • Hacking GDB –
    To see how a function in GDB is implemented, seek calls to the following functions in GDB source tree.
  • At least, I got DoS –
    Due to Wireshark having more than 1,000 different packet dissectors in this directory, I chose a pretty dumb approach to find interesting code parts.
  • Hacking crappy password resets (part 1) –
    For this first part, I’m going to take a closer look at some very common code that I’ve seen on a major “snippit” site and contained in at least 5-6 different applications.
  • How Android/Fake10086 selectively blocks SMS –
    In brief, Android/Fake10086.A!tr looks like a handy hotel reservation application, but in the background it communicates with a remote web server and blocks some incoming SMS messages.
  • BFF 2.0 ImageMagick Fuzz Run Tutorial –
    A walk-through of the Basic Fuzzing Framework’s default ImageMagick fuzz run.

Vendor/Software Patches


  • Oracle padding attacks –
    We can see a valid request (HTTP status code 200) and then a series of 500 requests, as well as a single 403 request.

Other News