Blog > Archive by tag 'immunity'

Posts Tagged ‘immunity’

Starting to write Immunity Debugger PyCommands : my cheatsheet

January 26th, 2010 | Author: Peter Van Eeckhoutte
Viewed 2,985 time(s) | LoadingAdd this post to Your Favorite Posts

When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in windbg has many advantages, it appeared not the best tool to search for good jump addresses, or to list non-safeseh compiled / non-aslr aware modules, etc….  Ok, looking for a simple “jmp esp” is trivial, but what if you are looking for all pop pop ret combinations in non-safeseh compiled modules…   Not an easy task. It is perfectly possible to build plugins for Windbg, but the ones that I have found (MSEC, byakugan (Metasploit)) don’t always work the way I want them …

Read more »
Posted in 001_Security, Development, Exploit Writing Tutorials, Scripts | Tags: , , , , , , , , , , , , , | 5 Comments »

Exploit writing tutorial part 8 : Win32 Egg Hunting

January 9th, 2010 | Author: Peter Van Eeckhoutte
Viewed 5,038 time(s) | LoadingAdd this post to Your Favorite Posts

Introduction Easter is still far away, so this is probably the right time to talk about ways to hunting for eggs (so you would be prepared when the easter bunny brings you another 0day vulnerability) In the first parts of this exploit writing tutorial series, we have talked about stack based overflows and how they can lead to arbitrary code execution. In all of the exploits that we have built so far, the location of where the shellcode is placed is more or less static and/or could be referenced by using a register (instead of a hardcoded stack address), taking care of stability and reliability. In some parts of the series, I have talked about various techniques to jump to shellcode, including techniques that would use one or more trampolines to get to the shellcode.  In …

Read more »
Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | 7 Comments »

Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

September 21st, 2009 | Author: Peter Van Eeckhoutte
Viewed 11,348 time(s) | LoadingAdd this post to Your Favorite Posts

Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return address or pop/pop/ret address must be found, making the application jump to your shellcode. In all of these cases, we were able to find a more or less reliable address in one of the OS dll’s or application dll’s. Even after a reboot, this address stays the same, making the exploit work reliably. Fortunately for the zillions Windows end-users out there, a number of protection mechanisms have been built-in into the Windows Operating systems. – Stack cookies (/GS Switch cookie) …

Read more »
Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | 6 Comments »

Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development

September 5th, 2009 | Author: Peter Van Eeckhoutte
Viewed 7,751 time(s) | LoadingAdd this post to Your Favorite Posts

In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch registers and stack contents while evaluating crashes and building exploits. Today, I will discuss some other debuggers and debugger plugins that will help you speed up this process. A typical exploit writing toolkit arsenal should at least contain the following tools : windbg (for a list of Windbg commands, click here) ollydbg immunity debugger (requires python) metasploit pyDbg (if you are using python and want to build your own custom debugger, as explained in the awesome Gray Hay Python book scripting tools such as perl / python, etc In the previous chapters, we have already played with windbg, and I have briefly discussed a …

Read more »
Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , | 12 Comments »

Meet me at Brucon 2010
Meet me at Brucon 2010 !

Corelan Team Merchandise
You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Peter says:
« All of the info and all tools on this blog are free. Keeping this blog in the air is quite expensive.
So if you like what I do and want to show your respect for my work, please consider donating (use the Donate link above)

There is no way I can keep this site up and running without your help.


»     ...     « If you have enjoyed a certain post or like one of my tools, don't forget to vote/rate it !

»     ...     « If you have questions about certain posts, content or tools published on this website, then please use the forums to post questions. Don't write your questions in the Comments section.

»     ...     « If you want to be the first to know about new posts/tools/tutorials on this blog, then subscribe to the mailinglist. Use the 'Subscribe to updates via email' link below (in the Stay posted section)

»
Your profile
Stay posted
Categories


Terms of Use | Copyright © 2008-2010 Peter Van Eeckhoutte´s Blog. All Rights Reserved.
Your IP address : 38.107.191.114 | 67 queries. 1.745 seconds | www.corelan.be - artemis.corelan.be | Uptime Report