Pages: 1 [2] 3
Author Topic: Problem with a shellcode...  (Read 17394 times)
Ketchup
« Reply #15 on: May 14, 2010, 11:01:50 AM »

Sil, could it be SEHOP on Windows 7 stopping you? I believe it is on by default in Windows 7, and needs to be manually enabled in Vista.

~~~~~~~~~~~~~~
Ketchup
sil
« Reply #16 on: May 14, 2010, 12:16:26 PM »

Quote from: Ketchup on May 14, 2010, 11:01:50 AM
Sil, could it be SEHOP on Windows 7 stopping you? I believe it is on by default in Windows 7, and needs to be manually enabled in Vista.

Nah, Win7 you have to enable it as well AFAIK: "By default, SEHOP is disabled in Windows 7 and in Windows Vista. To enable SEHOP manually, follow these steps: Click Start, click Run ... " (http://support.microsoft.com/kb/956607)

Just so you know though (for those who don't): XOR, POP, POP, RET >= SEHOP (http://www.sysdream.com/articles/sehop_en.pdf) Sotirov and a few others have written about this. My guess on my end... My Win7 Ultimate is just polluted with junk constantly running. E.g., just an hour ago I plopped on Oracle's BPM Studio 10.3 to fiddle with it. So it could just be a combination of bloat. I know funny things started after Cenzic's Hailstorm which tried to fiddle with my .net and ESPECIALLY after I started making Klocwork Architect connections to a server. I think my registry is somehow in a double tee eff state.

I will dig into it a little more some other time (tinkering with Win7); however, this is just for my sanity. I envision Win7 in like 4-5 years becoming to attackers what 2000, 2003 and XP are now. So I figured I'd try on my own to learn porting POCs and learning to weaponize them seamlessly before I submit vulns and stuff. Nothing sucks more than having it work on say 2-3 of your own machines but not being repeatable by a vendor.

Ketchup
« Reply #17 on: May 14, 2010, 12:24:24 PM »

I stand corrected. I thought Win7 enabled it out of the box. That's good to know, thanks!

~~~~~~~~~~~~~~
Ketchup
sil
« Reply #18 on: May 14, 2010, 12:44:33 PM »

Quote from: Ketchup on May 14, 2010, 12:24:24 PM
I stand corrected. I thought Win7 enabled it out of the box. That's good to know, thanks!


Couldn't find documentation on win2008. I have it installed on a VMware machine that I barely use :( My theory/thought is, if it works on Win7 it should work on W2k8. What I have noticed intermingling is that for the most part, if I start say fuzzing something on XP and get working control of registers, I can usually mimic it down (2003) and up (Vista) *most* of the time with little work. When I do the same on Vista *sometimes* I can mimic it on XP. When I do *anything* on the 7 side, I almost always get kernelbase errors with no way to find out where (address) this occurs. No matter what debugger I use, no matter how many breakpoints I set... fail :( Should post screenshots... coding failblog or something... "exploit fail" where instead of calc or notepad you get ... nothing :D
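The SEHOP exchange in replies #15 to #18 turns on what the check actually does, so here is an added example (not from the thread, and not Microsoft's code) that models it on the host in C. SEHOP (KB 956607) is a chain-integrity check run when an exception is dispatched: it walks the registration records from fs:[0] and refuses to run any handler unless every record lies on the thread's stack and the chain terminates in a record whose handler is ntdll!FinalExceptionHandler. A classic overwrite (nSEH = short jmp bytes, SEH = pop/pop/ret) leaves nSEH holding 0x909006EB, so the walk steps off the stack and nothing is called. The bypass sil cites from the Sysdream paper rebuilds a well-formed chain instead: nSEH points at an attacker-written fake record on the stack that ends the chain with FinalExceptionHandler, which requires knowing that record's stack address and the handler's address, both randomised by ASLR on Windows 7. The addresses, gadget value and stack layout below are illustrative assumptions, and the chain walk is a model of the rule, not ntdll's implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 _EXCEPTION_REGISTRATION_RECORD as it sits on the stack (fs:[0] points at the first). */
typedef struct seh_record {
    struct seh_record *next;    /* nSEH: next record, 0xFFFFFFFF terminates the chain */
    uintptr_t          handler; /* SEH: handler the dispatcher calls */
} seh_record;

#define END_OF_CHAIN ((seh_record *)(uintptr_t)0xFFFFFFFFu)

/* Illustrative values (assumptions for this example, not real Windows 7 addresses). */
#define FINAL_HANDLER 0x77370000u  /* stands in for ntdll!FinalExceptionHandler */
#define PPR_GADGET    0x10011234u  /* pop/pop/ret in a module built without SafeSEH */
#define JMP_SHORT_06  0x909006EBu  /* "\xEB\x06\x90\x90": nSEH bytes of a classic overwrite */
#define MAX_DEPTH     64

/* Model of the check SEHOP adds to dispatch: walk the chain from fs:[0];
 * every record must lie inside the thread's stack and be aligned, and the
 * record whose nSEH is 0xFFFFFFFF must carry FinalExceptionHandler. */
bool sehop_chain_ok(const seh_record *rec, uintptr_t stack_lo, uintptr_t stack_hi)
{
    for (int depth = 0; depth < MAX_DEPTH; depth++) {
        uintptr_t a = (uintptr_t)rec;
        if (a < stack_lo || a + sizeof *rec > stack_hi || (a & 3))
            return false;                          /* record off the stack: chain corrupted */
        if (rec->next == END_OF_CHAIN)
            return rec->handler == FINAL_HANDLER;  /* well-formed only if it ends here */
        rec = rec->next;
    }
    return false;                                  /* cyclic or absurdly long chain */
}

/* Handler the dispatcher would call first; 0 when SEHOP refuses the chain. */
uintptr_t first_handler(const seh_record *head, uintptr_t lo, uintptr_t hi, bool sehop)
{
    if (sehop && !sehop_chain_ok(head, lo, hi))
        return 0;
    return head->handler;
}

/* Constructed pseudo-stack: two ordinary frames chained to the final record. */
typedef struct {
    unsigned char mem[256];
    seh_record *head;       /* what fs:[0] would point at */
    seh_record *fake_slot;  /* attacker-written bytes just past the overflowed record (assumed layout) */
    uintptr_t lo, hi;
} stack_model;

void build_stack(stack_model *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->lo = (uintptr_t)s->mem;
    s->hi = s->lo + sizeof s->mem;
    seh_record *final = (seh_record *)(s->mem + 200);
    seh_record *app   = (seh_record *)(s->mem + 120);
    seh_record *inner = (seh_record *)(s->mem + 40);
    final->next = END_OF_CHAIN; final->handler = FINAL_HANDLER;
    app->next   = final;        app->handler   = 0x00401000u;  /* an application __try handler (assumed) */
    inner->next = app;          inner->handler = 0x00401500u;
    s->head      = inner;
    s->fake_slot = (seh_record *)(s->mem + 80);
}

/* Classic SEH overwrite: nSEH <- jmp short +6, SEH <- pop/pop/ret. */
void classic_overwrite(stack_model *s)
{
    s->head->next    = (seh_record *)(uintptr_t)JMP_SHORT_06;
    s->head->handler = PPR_GADGET;
}

/* The bypass sil cites: nSEH points at a fake record, inside the stack, that
 * terminates the chain correctly. Needs the fake record's stack address and
 * the address of FinalExceptionHandler. */
void fake_chain_overwrite(stack_model *s)
{
    s->fake_slot->next    = END_OF_CHAIN;
    s->fake_slot->handler = FINAL_HANDLER;
    s->head->next         = s->fake_slot;
    s->head->handler      = PPR_GADGET;
}

int main(void)
{
    stack_model s;
    build_stack(&s);
    printf("clean chain:       ok=%d, first handler %#lx\n", sehop_chain_ok(s.head, s.lo, s.hi),
           (unsigned long)first_handler(s.head, s.lo, s.hi, true));
    classic_overwrite(&s);
    printf("classic overwrite: SEHOP off -> %#lx, SEHOP on -> %#lx\n",
           (unsigned long)first_handler(s.head, s.lo, s.hi, false),
           (unsigned long)first_handler(s.head, s.lo, s.hi, true));
    build_stack(&s);
    fake_chain_overwrite(&s);
    printf("fake final record: SEHOP on -> %#lx\n",
           (unsigned long)first_handler(s.head, s.lo, s.hi, true));
    return 0;
}
```

On the defaults question: KB 956607 states that SEHOP is disabled by default on Windows 7 and Vista and enabled by default on Windows Server 2008, and that it is toggled system-wide by the DisableExceptionChainValidation DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel (0 = enabled, 1 = disabled). To find out whether it is the mitigation eating an exploit, flip that value on a test VM and re-run the same crash; a chain the model above rejects is one the real dispatcher will also not follow.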

H1t M0nk3y
« Reply #19 on: May 14, 2010, 01:52:22 PM »

I am still learning and I obviously can't help you. However, once I am done with the PWB course, I will definitely spend more time playing with these tools. To me, this is the real deal!


OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
sil
« Reply #20 on: May 14, 2010, 03:36:15 PM »

Quote from: H1t M0nk3y on May 14, 2010, 01:52:22 PM
I am still learning and I obviously can't help you. However, once I am done with the PWB course, I will definitely spend more time playing with these tools. To me, this is the real deal!

As of late/mid last year, I began having more fun learning programming and reverse engineering in regards to security. Personally, I find it more challenging than the typical "pentesting" involving scanning, enumerating, social engineering, etc. I can say from experience that it (programming/exploitation) is definitely more nerve-wracking and "intimate" (for lack of better words right now).

When it comes to vanilla (above-mentioned tests) pentesting, I've always found that (in my count) about 60+% is horrible configurations and overlooked items, 30+% social engineering, 10% "extreme exploiting". There have been ONLY two instances this year where I had to escalate privileges on a pentest from a fluff user to root. These occurred on *nix machines. The rest tended to be bad configurations and lack of security awareness. I've performed 3 solid pentests consisting of about 100-125 servers/routers/switches/PBXs.

One client (99.99999% Linux) had ONE Windows machine which sadly was configured safer than their entire Linux infrastructure. They have 1 full /21 and about 3 separate /24's. Their engineers decided to use SSH keys and some genius thought he would save all his engineers time by changing all their UIDs to 0. Fun ;) ... They had an old version of Cacti running on ONE server that got them owned.

Anyway... I like reversing/coding. A lot more thought, to me, is involved. I'm personally at an impasse where security is too repetitive for me. Reversing is like ... "huh!?@!" So don't feel like you can't respond to anyone ever ;) we're all going through learning phases. Heck, I learn from everyone, so I've always been humbled to learn and eager to share... Sometimes though, my wording (perhaps poor choices of phrases) leads people to misconstrue a response as elitist or arrogant. I'm no smarter/leeter than anyone. Security remains a learning game. Don't let anyone tell you different ;) Sure there are plenty who can mop the floor with my coding talent... I could do it with packet-fu (been doing so since circa 97)... Does it make me better? Nah, I likely know something they don't care for and vice versa. We're all learning here, no?
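The engineers-all-UID-0 anecdote in the post above is the kind of thing worth checking mechanically on every *nix host in scope rather than stumbling on. Added example, not from the thread: a small C pass over passwd-format data that reports every account with UID 0 other than root. The sample passwd content is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 64

/* One passwd entry; only the fields the check needs. */
typedef struct {
    char name[NAME_MAX_LEN];
    long uid;
} pw_entry;

/* Parse "name:passwd:uid:gid:gecos:home:shell". Returns false on a malformed line. */
bool parse_passwd_line(const char *line, pw_entry *e)
{
    const char *f1 = strchr(line, ':');                 /* end of the name field */
    if (!f1 || f1 == line || (size_t)(f1 - line) >= sizeof e->name) return false;
    const char *f2 = strchr(f1 + 1, ':');               /* end of the password field */
    if (!f2) return false;
    char *end;
    long uid = strtol(f2 + 1, &end, 10);
    if (end == f2 + 1 || *end != ':') return false;     /* uid must be digits followed by ':' */
    memcpy(e->name, line, (size_t)(f1 - line));
    e->name[f1 - line] = '\0';
    e->uid = uid;
    return true;
}

/* Collect every account with UID 0 whose name is not "root". Returns how many
 * were found (capped at max); their names are written to out[]. */
int find_extra_uid0(const char *passwd, char out[][NAME_MAX_LEN], int max)
{
    int found = 0;
    for (const char *line = passwd; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        pw_entry e;
        if (parse_passwd_line(buf, &e) && e.uid == 0 && strcmp(e.name, "root") != 0 && found < max) {
            strcpy(out[found], e.name);             /* e.name is already bounded by NAME_MAX_LEN */
            found++;
        }
        if (!nl) break;
        line = nl + 1;
    }
    return found;
}

/* Constructed /etc/passwd mirroring the setup described in the post. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "alice:x:0:0:Alice:/home/alice:/bin/bash\n"
    "bob:x:0:0:Bob:/home/bob:/bin/bash\n"
    "carol:x:1001:1001:Carol:/home/carol:/bin/bash\n"
    "\n"
    "toor:x:0:0:backdoor:/:/bin/sh\n";

int main(void)
{
    char names[16][NAME_MAX_LEN];
    int n = find_extra_uid0(SAMPLE_PASSWD, names, 16);
    printf("%d non-root UID 0 account(s)\n", n);
    for (int i = 0; i < n; i++)
        printf("  %s\n", names[i]);
    return n ? 1 : 0;   /* non-zero exit so a scan script can flag the host */
}
```

The one-liner equivalent on a live box is `awk -F: '$3 == 0 && $1 != "root"' /etc/passwd`, but feed `getent passwd` to it as well on hosts that pull accounts from NIS or LDAP, since /etc/passwd alone will miss those. The point of the check goes beyond privilege: once several people share UID 0, per-user SSH keys no longer give any accountability, because every login is root as far as the audit trail is concerned.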

n1p
« Reply #21 on: May 15, 2010, 03:32:27 AM »

What's your fuzzer of choice?
Equix3n-
« Reply #22 on: May 15, 2010, 04:20:43 AM »

This thread has been bugging me continuously. The thing is, I've no experience in exploit development whatsoever and can't participate in the discussion. Although I've started learning a bit about buffer overflow exploit development (n1p's article was a great inspiration), I still have a lot to learn. Would someone link me to some good online resources to learn from? Furthermore, where do I start? Links to books will be helpful too.
I'm thinking about buying 'The Shellcoder's Handbook: Discovering and Exploiting Security Holes'. The table of contents looks impressive and frankly doesn't look too difficult as I have some programming experience.
« Last Edit: May 15, 2010, 08:43:03 AM by Equix3n- »
n1p
« Reply #23 on: May 15, 2010, 08:36:07 AM »

I would certainly echo sil's comments about WinDbg. It is extremely powerful and I would recommend developing the exploit using it to get some experience with it.

Congrats by the way :)

Equix3n, take a look at Hacking: The Art of Exploitation and Dino Dai Zovi's videos on Vimeo, corelan.be, uninformed.org, and the grey-corner blog. They will provide further valuable links.
Equix3n-
« Reply #24 on: May 15, 2010, 08:41:59 AM »

Thanks n1p! I'll certainly check them :)

Edit: I checked the links and found out that I already had two of them bookmarked. Looks like I was on the right path. What about 'The Shellcoder's Handbook'? Should I buy it or not?
« Last Edit: May 15, 2010, 10:39:52 AM by Equix3n- »
sil
« Reply #25 on: May 15, 2010, 10:27:51 AM »

Quote from: n1p on May 15, 2010, 03:32:27 AM
What's your fuzzer of choice?

Depends on what I'm fuzzing ;) Peach is an all-around awesome tool and straightforward. You can't beat COMRaider for ActiveX. Protos is a good framework to edit on your own. Commercially... Klocwork rocks. I've heard the world about Codenomicon but I've yet to purchase a copy or see it demo'd, although I spoke with them about 2 weeks ago.


sil
« Reply #26 on: May 15, 2010, 10:51:45 AM »

Quote from: Equix3n- on May 15, 2010, 04:20:43 AM
I'm thinking about buying 'The Shellcoder's Handbook: Discovering and Exploiting Security Holes'. The table of contents looks impressive and frankly doesn't look too difficult as I have some programming experience.

The Shellcoder's Handbook is great and so is Jack Koziol. I had the opportunity to correspond with Jack a few times here and there and he is a kick-ass cool person. As is Dino, whom I also bug from time to time.

Equix3n: Before you fork out money for the book though: although it looks easy, once you're involved more heavily there is really no *one* book that will give you that "aha! NOW I GET IT". Here is a list Dino Dai Zovi sent me when I had a question pertaining to some Quicktime stuff I was lost on: http://TinyURL.com/bughunters
Just to let you understand how difficult/weird/frustrating it is for most security researchers... (apologies if you stumble on this, Dino): I was fuzzing Quicktime for one of my classes and trying to get a workable (weaponized) exploit for Quicktime (http://www.infiltrated.net/OWNING-QUICKTIME). I was frozen here. All was working as planned with complete control of my registers (EIP, EAX, etc. all were 'ownable') yet I couldn't pop my calc. Frustrated, I sent a quick email to Dino asking what I was doing wrong:

I'd again insist that you should double-check that the surface that you are fuzzing is available via a web page, try and at least trigger a crash from a web page to make sure.  You don't want to take an early victory lap only to discover that it's not an actual security vulnerability (trust me, this happens to me at least a few times a year and it *sucks*).

At the end of it (my fuzzing) I had to completely drop and revamp a working exploit even though I had control in the first place... By the way n1p, ketchup if you guys follow the horrendous output, you'd notice the use of byakugan in there... Mushishi rocks!

Code:
0:004> g
(1518.1918): Unknown exception - code c0000096 (first chance)
CAUGHT A BP
CAUGHT A BP
CAUGHT A BP
eax=7efde000 ebx=0378f604 ecx=0378f654 edx=030fd7e8 esi=00000000 edi=00370000
eip=773744ec esp=0378f5f0 ebp=0378f984 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!RtlDispatchException:
773744ec 8bff            mov     edi,edi
0:005> g
CAUGHT A BP
CAUGHT A BP
CAUGHT A BP
eax=7efde000 ebx=032bf7a4 ecx=032bf7f4 edx=02a0db38 esi=00000000 edi=00370000
eip=773744ec esp=032bf790 ebp=032bfb24 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!RtlDispatchException:
773744ec 8bff            mov     edi,edi
0:004> g
(1518.10c0): Access violation - code c0000005 (!!! second chance !!!)
eax=7efde000 ebx=00000000 ecx=00000001 edx=7741a1b8 esi=00000000 edi=00370000
eip=deadc0de esp=0378f920 ebp=0378f984 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010293
deadc0de ??              ???

Equix3n, it is not always easy; in fact some of your most frustrating days will be getting an exploit working correctly. However (and this is a big however...) simply demonstrating enough control over registers (EIP, etc.) is enough to report. If you follow the "no more free bugs" theme, you aren't doing companies any favors by providing free security research and fixes to them. Sure, there is the potential glory of saying "Found vulnerabilities in X, Y, Z". The truth at the heart of the matter is, time is money. After some time you won't even care about any so-called glory. Ready? Apple, SAP, IBM, VMWare, Microsoft, F5, Oracle... Within the past 8 months I have cases opened with various vendors on bugs I've found. Some with CERT, some with iDefense, some with ZDI... Means nothing at the end of the day, seriously... I've spent countless hours on my own time when I could have been spending it with family or enjoying life. My attitude shifted into the "no more free bugs" mode where I'm learning for dual reasons now: 1) to understand/learn/enjoy security more, 2) to make money. We all have bills to pay.

So here is my link contribution for you:

http://pentest.cryptocity.net/

I'd start with Reverse Engineering, Fuzzing, Exploitation then client side exploitation in that order. I'd go over all the videos and walk throughs over and over until you don't have any questions you would ask if you were in the class.
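Reading the WinDbg transcript in the post above: the two first-chance stops at ntdll!RtlDispatchException (code c0000096, STATUS_PRIVILEGED_INSTRUCTION) are the debugger, with byakugan's breakpoint, seeing the exception before any handler has run, which is why the registers there are the dispatcher's and not the crash site's. The second-chance access violation (c0000005) with eip=deadc0de is the stop that shows the planted value in EIP, which is the "enough control to report" sil describes. Added example, not from the thread: a small triage pass in C over such a transcript that pairs each exception banner with the register dump after it and says whether the final stop has a planted value in EIP. The planted-marker list and the trimmed transcript are constructed for the example; the NTSTATUS meanings above are standard.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum {
    TRIAGE_NO_EXCEPTION,    /* no exception banner in the transcript */
    TRIAGE_FIRST_CHANCE,    /* last stop was first-chance: handlers have not run yet, keep going */
    TRIAGE_EIP_CONTROLLED,  /* second-chance fault with a planted value in EIP */
    TRIAGE_CRASH_OTHER      /* second-chance fault, EIP is not one of ours: look further */
} verdict_t;

typedef struct {
    unsigned  code;          /* NTSTATUS from "(pid.tid): ... - code XXXXXXXX" */
    bool      second_chance; /* "!!! second chance !!!" => nothing handled it */
    unsigned  eip, esp;      /* from the register line following the banner */
    verdict_t verdict;
} triage_t;

/* Values the fuzz case planted where a return address or SEH pointer would land
 * (constructed for the example; sil's case used 0xdeadc0de). */
static const unsigned PLANTED[] = { 0xdeadc0deu, 0x41414141u };

static bool is_planted(unsigned v)
{
    for (size_t i = 0; i < sizeof PLANTED / sizeof PLANTED[0]; i++)
        if (PLANTED[i] == v) return true;
    return false;
}

/* Pair every exception banner with the next "eip=" line; the last pair decides
 * the verdict. Returns the number of banners seen. */
int triage_windbg(const char *log, triage_t *out)
{
    int banners = 0;
    bool want_regs = false;
    memset(out, 0, sizeof *out);
    for (const char *line = log; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        const char *codep = strstr(buf, " - code ");
        if (buf[0] == '(' && codep && sscanf(codep + 8, "%x", &out->code) == 1) {
            out->second_chance = strstr(buf, "second chance") != NULL;
            out->eip = out->esp = 0;
            want_regs = true;
            banners++;
        } else if (want_regs && sscanf(buf, "eip=%x esp=%x", &out->eip, &out->esp) == 2) {
            want_regs = false;   /* register dumps without a preceding banner are ignored */
        }
        if (!nl) break;
        line = nl + 1;
    }
    if (banners == 0)              out->verdict = TRIAGE_NO_EXCEPTION;
    else if (!out->second_chance)  out->verdict = TRIAGE_FIRST_CHANCE;
    else if (is_planted(out->eip)) out->verdict = TRIAGE_EIP_CONTROLLED;
    else                           out->verdict = TRIAGE_CRASH_OTHER;
    return banners;
}

/* Trimmed from the transcript in the post above (constructed test input). */
static const char SAMPLE_LOG[] =
    "0:004> g\n"
    "(1518.1918): Unknown exception - code c0000096 (first chance)\n"
    "CAUGHT A BP\n"
    "eax=7efde000 ebx=0378f604 ecx=0378f654 edx=030fd7e8 esi=00000000 edi=00370000\n"
    "eip=773744ec esp=0378f5f0 ebp=0378f984 iopl=0         nv up ei pl zr na pe nc\n"
    "ntdll!RtlDispatchException:\n"
    "0:004> g\n"
    "(1518.10c0): Access violation - code c0000005 (!!! second chance !!!)\n"
    "eax=7efde000 ebx=00000000 ecx=00000001 edx=7741a1b8 esi=00000000 edi=00370000\n"
    "eip=deadc0de esp=0378f920 ebp=0378f984 iopl=0         nv up ei ng nz ac po cy\n"
    "deadc0de ??              ???\n";

int main(void)
{
    static const char *names[] = { "no exception", "first chance only", "EIP controlled", "crash, EIP not ours" };
    triage_t t;
    int n = triage_windbg(SAMPLE_LOG, &t);
    printf("%d exception(s); last: code %08x, %s chance, eip=%08x esp=%08x -> %s\n",
           n, t.code, t.second_chance ? "second" : "first", t.eip, t.esp, names[t.verdict]);
    return 0;
}
```

A controlled EIP is the reporting threshold, but it is not the whole story: Dino's caveat quoted above still applies, because a planted value in EIP on a file opened from disk proves nothing unless the same crash triggers from the surface an attacker actually reaches (for Quicktime, a web page), so the triage result should be paired with a reproduction from that surface before anything is filed.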

Equix3n-
« Reply #27 on: May 15, 2010, 11:13:42 AM »

That's some list, sil! Thanks for the response. I haven't thought about the "free bugs" or "money for bugs" approach, nor do I want to do it for glory. I just have a desire to learn it. I think it'll make me a better security professional. Furthermore, as I already stated in a previous post, I was very much inspired by n1p's exploitation article. One other article I would like to mention is Past, Present, Future of Windows Exploitation. It's an excellent read and will help to understand how exploits have evolved over time. Also, exploit development is one area of security I haven't really touched, so learning anything about it, even if not up to an expert level, will satiate my desire.
« Last Edit: May 15, 2010, 11:19:03 AM by Equix3n- »
zeroflaw
« Reply #28 on: May 15, 2010, 11:15:05 AM »

This topic is becoming really really interesting. Now I have tons of additional resources..where am I going to find the time lol?

ZF
Equix3n-
« Reply #29 on: May 15, 2010, 11:24:40 AM »

Quote from: zeroflaw on May 15, 2010, 11:15:05 AM
This topic is becoming really really interesting.
All credit goes to sil. I wonder why I didn't meet him before :D