This paper is the more or less raw result of the trial-and-error process of hacking a system. As the initial idea was not to make it public, I did not take care of the look and feel; I wrote it as a simple reminder to myself of which attack vectors were tried and their time-line. As the R+D work increased, what were simple annotations began to look interesting, maybe for readers other than me. In the end I got what I was looking for: a way to hack the tested system, but then I realized that what was more interesting –at.

Pentest, telematics security consultants
Check Point Secure Platform Hack
Doc. V1.0 - First release, October 2007
An uncensored real time-line of how I exploited a vulnerability in a kernel-hardened, EAL4-certified firewall
Hugo Vazquez Caramés, hvazquez at pentest dot es, http://www.pentest.es, phone 0034 933962070

Pentest Check Point SecurePlatform Hack

Index

About PenTest ..... 4
Prologue ..... 6
Introduction to the Check Point Firewall ..... 8
The Secure Platform R60 Common Criteria Certification ..... 12
Security Target ..... 14
Validation Report ..... 20
Common Criteria Certificate ..... 23
The Secure Platform ..... 24
Information gathering on the target ..... 27
Fast look at vulnerability candidates ..... 32
Trying out some buffer overflows ..... 40
The monster: EXEC-SHIELD ..... 46
The real exploitation adventure ..... 58
Now let's try with exec-shield turned on ..... 75
How to put the system() argument in a place other than the environment variable ..... 78
System argument sled ..... 81
Summary of the state of the testing process ..... 87
Another way ..... 104
Playing with CPU registers ..... 107
Overflows in the 2nd and 1st arguments of SDSUtil ..... 115
Let's try to delete a file ..... 118
Playing with UNLINK ..... 131
Trying well-known hacking techniques ..... 140
Rename ..... 143
Chroot ..... 145
Frame manipulation ..... 146
Do_System ..... 155
Playing again with CPU registers and execve ..... 158
Back to Do_System ..... 161
libc.so.6 ..... 177
Attacking through the binary image ..... 188
Yet another strange attack vector ..... 190
Cpshell debug ..... 192
1st real scenario attack ..... 195
1st P.o.C. exploit ..... 198
About other overflows and remote exploitation ..... 203
Summary ..... 206
Conclusion ..... 215
F.A.Q. ..... 216
What about responsible disclosure? ..... 217
ANNEX I - SYSCALLS ..... 218