Archive for the ‘Exploit Writing Tutorials’ Category

In article 8 of my exploit writing series, I have introduced the concept of egg hunters, and explained what an omelet hunter is and how it works. Today, I want to share with you my own eggs-to-omelet implementation, explain how it works, and how you can use it in a standalone exploit or in a metasploit module. In case you missed article 8, I’ll start with a short recap and explain the basic concepts of egg hunters and omelet. At the same time, I would like to mention that you might have to read article 8 first before you will understand this post.  This post is not a full blown tutorial, …

About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to learn the basics about exploit development, starting from scratch (targeting people without any knowledge about exploit development) you have most likely discovered that the more recent tutorials continue to build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s …

In the article I wrote on the abysssec.com website, I explained the steps and techniques needed to build a working exploit for Ken Ward’s zipper. One of the main difficulties I had to overcome when building the exploit, was the character set limitation.  I basically could only use a subset of the ascii characters (only the characters that are allowed in a filename) in my payload, because the other characters got converted to something else. And that may either break the exploit structure or change the behaviour of the payload inside the application. As a result of that, I simply tried to avoid using those "bad chars" altogether and found some ways to make it work, using chained jumps, custom ascii decoders and alpha2-encoded code. Lot’s of complexity, but nevertheless it works fine. Today, I will …

Over the last couple of weeks, ever since I published 2 articles on the Offensive Blog, I have received many requests from people asking me if they could get a copy of those articles in pdf format.  My blog includes a pdf generator, but I obviously didn’t post the articles on my blog.. and the Offensive Security blog does not allow visitors to grab a pdf version of the documents. So I decided to combine the 2 articles into one article, and re-post them on my own blog, so you can export the article to pdf. Here we go. Part 1 A few weeks ago, one of my friends (mr_me) pointed me to an application that appeared to be acting somewhat “buggy” while processing “specifically” crafted zip files.  After playing …

Hi all,

I just wanted to drop a few lines to let you know that, earlier today, my exploit write-up article about this vulnerability was published on www.abysssec.com.

You can find the article here : http://www.abysssec.com/blog/2010/03/ken-ward-zipper-stack-bof-0day-a-not-so-typical-seh-exploit/

Enjoy ! Read more »

Hi all.   I just wanted to drop a quick note that I have released part 2 of the QuickZip 0day vulnerability exploit on the Offensive Security Blog just a few moments ago.   You can find the article here. Have fun & cheers ! Read more »

A few moments ago I published a detailed write-up, explaining the steps I took to build a 0day exploit for a zip file handling bug in QuickZip, on the Offensive Security blog. You can read the article here : http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/ Read more »


Meet me at Brucon 2010
Meet me at Brucon 2010 !

Corelan Team Merchandise
You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Peter says:
« All of the info and all tools on this blog are free. Keeping this blog in the air is quite expensive.
So if you like what I do and want to show your respect for my work, please consider donating (use the Donate link above)

There is no way I can keep this site up and running without your help.


»     ...     « If you have enjoyed a certain post or like one of my tools, don't forget to vote/rate it !

»     ...     « If you have questions about certain posts, content or tools published on this website, then please use the forums to post questions. Don't write your questions in the Comments section.

»     ...     « If you want to be the first to know about new posts/tools/tutorials on this blog, then subscribe to the mailinglist. Use the 'Subscribe to updates via email' link below (in the Stay posted section)

»
Categories