Monthly Archives: July 2009

Exploit writing tutorial part 3b : SEH Based Exploits – just another example

In the previous tutorial post, I have explained the basics of SEH based exploits. I have mentioned that in the most simple case of an SEH based exploit, the payload is structured like this : [Junk][next SEH][SEH][Shellcode] I have indicated that SEH needs to be overwritten by a pointer to “pop pop ret” and that […]

Exploit writing tutorial part 3 : SEH Based Exploits

In the first 2 parts of the exploit writing tutorial series, I have discussed how a classic stack buffer overflow works and how you can build a reliable exploit by using various techniques to jump to the shellcode.  The example we have used allowed us to directly overwrite EIP and we had a pretty large […]

Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode

Where do you want to jmp today ? In one of my previous posts (part 1 of writing stack based buffer overflow exploits), I have explained the basisc about discovering a vulnerability and using that information to build a working exploit. In the example I have used in that post, we have seen that ESP […]

Exploit writing tutorial part 1 : Stack Based Overflows

Last friday (july 17th 2009), somebody (nick)named ‘Crazy_Hacker’ has reported a vulnerability in Easy RM to MP3 Conversion Utility (on XP SP2 En), via packetstormsecurity.org. (see http://packetstormsecurity.org/0907-exploits/). The vulnerability report included a proof of concept exploit (which, by the way,  failed to work on my MS Virtual PC based XP SP3 En). Another exploit was […]

Spread the word ! nmap 5 released

Insecure.org has released a new major version of the free, open source “nmap” security scanner. (Don’t just call nmap a port scanner – Thanks to many improvements over the last years, nmap has become an excellent security scanner). Visit http://nmap.org/5/ for more information about this new version. Although there are roughly 600 updates in this […]

One for the money, second one for the show…

While I was going through the archive of some ‘funny’ pictures at http://failblog.org/, I suddenly realised that I had encountered something funny a couple of years ago myself, when I was attending Blackhat in Amsterdam. When trying to get some money out of the ATM downtown Amsterdam, I noticed this on the screen of the […]

Free tool : Find out where your AD Users are logged on into

Hi, I decided to release another free utility I wrote a while ago. This small command-line utility can be used to find out where Active Directory users are logged on into, and/or to find out who is logged on on specific machines.  This should include local users, users that are logged in via RDP, user […]

Juniper ScreenOS : Active/Passive clustering

Introduction In this blog post, I’ll show the easy steps to set up a screenOS based active/passive cluster. I’m not going to discuss the configuration of active/active clusters because, in my opinion, this configuration is only needed in rare circumstances and may introduce some weird behaviour issues.  Furthermore, active/passive clusters have been working quite well […]

Backtrack 4 cheat sheet

Download backtrack from http://www.remote-exploit.org/backtrack_download.html. Current version at the time of writing is BT4 Pre-Final.This document is based on BT4 pre-final. Ergo, some of the instructions below may not work with other versions of BT. FYI : An excellent guide about Backtrack4 can be found at BackTrack 4 – The Definitive Guide    1. Installing Backtrack […]

Demand Global Change

The world needs your help !

Please take a few moments to read the "Demand Global Change Call For Action" document at
http://bit.ly/demandglobalchange
Read the full document at
http://bit.ly/demandglobalchange_full and share the message with as many people as possible.

Like the Facebook page, and SHARE it with everyone you know.



Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Protected by Copyscape Web Plagiarism Tool

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Corelan Live training

Since 2011, Corelan GCV has been teaching live win32 exploit dev classes at various security cons and private companies & organizations.

You can read more about the training and schedules here

Corelan on IRC

You can chat with us and our friends on #corelan (freenode IRC)

Categories