A paper by Immunity describing in technical detail the LLSSRV issue covered by MS05-010. It also describes how this issue affects Windows 2000 AP SP3 and SP4 without authentication, something not described in the MS05-010 bulletin.
9a2d067a18b330af81f10c5e578a7b8b552bacf8da50268824d53fb63f24a752
A good introduction to writing exploits for the Win32 platform. Walks through creation of an exploit for a real vulnerable piece of software, using OllyDbg to help isolate the fault and exploit it.
a1ac7823b06c48cec480ed611ee8b0204d36353a374f2c737339dfa0f6b96491
A bit of a rant about how Microsoft and virus scanners fail to pay proper attention to .txt file extensions, and how attackers can use them to blend into the background.
229dfa0b0c78a9b80ce0ca073eee096c97a84c01ed37e967a28cc0d2f6cc95f2
Small whitepaper describing the obfuscation algorithm used by Windows 2k/NT/XP Syskey and the steps required to remove its encryption from the password hashes. Tools to automate the process included.
f5f9bec45eda579187a441ef744709a51fad7d1713b89e43530fcc7690bca1d3
A simple tutorial on Windows Shellcoding - Shows how to write shellcode in asm that spawns a cmd shell. Includes tools to encode the asm code to avoid NULL bytes, and to generate the typical C shellcode. In Powerpoint and PDF format.
d612a88f1dba4e28d11743cd0d9579d520bc1ffcfcc355aa2d650faad3da1111
Brief research paper that audits and discusses the true scope of how many hosts on the Internet actually have TCP port 139 listening and are susceptible to attack.
244293ebdd2a973beb2961f77348e04047e69687a1efabdac4ab45d5af3cf75b
Paper discussing the use of the Win32 exploit for the DCOM RPC vulnerability.
ac991411216d76522190300a8ee9d05dc9d1eee9a92a9af2f72a6cffa66b6bb9
Paper discussing more shatter attacks that are possible using SEH memory locations to escalate privileges in Windows. Related information available here.
08eeaae0ef4d604d10152e302c4788b1eb3339d71fd9c5a793d9b0e5a67d44e0
An iDEFENSE released security paper reflecting on the Shatter Attacks found against the Windows operating system in 2002. It clarifies what the flaws in the Windows event model are, describes a related vulnerability that continues to exist in many popular software products and suggests ways in which these unfixable flaws might be addressed.
fb0fa8745192613a9bdb181c4d941509343bd2f72a05a7a56786349fd4ee1876
This paper presents a new generation of attacks against Microsoft Windows, and possibly other message-based windowing systems. The flaws presented in this paper are, at the time of writing, unfixable. The only reliable solution to these attacks requires functionality that is not present in Windows, as well as efforts on the part of every single Windows software vendor. This paper documents next-generation Win32 exploits based on fundamental API flaws.
e6db69645f9bab587c9ae93bf6270d1e2f76d72cd700fd1a238cd11736e74682
Security Hardening of Windows 2000 and NT Server Machines - Contains a roundup of good security practices, hardening steps, ways that Windows machines are penetrated, and a roundup of some useful tools. Written in 2001.
e9aaaa0f410f24e9705089083e684c2cd647519dbc5bd929756fc5b6a20e511f
How to hack Windows remotely through file sharing.
ffc2b445833e871c315c998250f6bb60702c9aff78e05256d53c79e26ad64a71
Windows 2000 Format String Vulnerabilities - Includes a detailed discussion of how format string bugs in fprintf(), vprintf() and sprintf() calls are created, discovered, and exploited.
cc470ec4478e27b35f145967b8b7096795122256fa90b4a6e74a53055431fa40
Whitepaper on hardening the Windows 2000 operating system.
3a76a02aea438530ffc18147fa2aa954786034a888c0c029de6f70bd966562db
Windows 2000 machines can reliably be identified remotely because they do not correctly respond to ICMP query messages with a nonstandard Type-of-Service value.
47afc4eb164d7d4d223a0ea4749e7ca0101efeb95f9269d96b699b461e1f7355
Windows 2000 Security - Log of a Windows 2000 hack and an explanation of the dangers of the default security settings in Windows 2000 Professional.
8b2ac853634ad5a826d4954ec9a04f38562ac16e7d8df4b21e6871c90ec05651