Peter Van Eeckhoutte (corelanc0d3r)

mona.py – the manual

Published July 14, 2011 |

This document describes the various commands, functionality and behaviour of mona.py.

Released on june 16, this pycommand for Immunity Debugger replaces pvefindaddr, solving performance issues and offering numerous new features. pvefindaddr will still be available for download until all of its functionality has been ported over to mona.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged automation, corelan, corelanc0d3r, documentation, exploit, exploit development, immunity, immunity debugger, metasploit, mona, mona.py, pattern, plugin, pycommand, python, rapid7, rop, rop automation, rop gadget, suggest

ROP your way into B-Sides Las Vegas 2011

Published July 12, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Ahh.. Vegas.. What happens in Vegas, stays in Vegas right ?

With a variety of cons ahead (BlackHat, Defcon, B-Sides, …) there is plenty of things that can and will happen at Vegas. Will you be there to witness & enjoy it ?

Getting to Vegas is just one part of the story. Getting access to one of the cons is the second part, but in case of B-Sides, there are no tickets left anymore.
So, in case you were not able to get one of the free tickets to B-Sides LV, there’s good news !

We have 2 tickets for B-Sides LV (august 3 & 4, 2011)… and we’re giving them away…but not without a little ‘battle’…
Continue reading →

Posted in Cons and Seminars | Tagged b-sides, bsides, bsides-las-vegas, chain, gadget, game, intitlelas-vegas-php-web-development-wordpress-development, las vegas, las-vegas-regional-occupational-program, metasploit-return-oriented-programming, programming-for-metasploit, regional-occupational-program-in-las-vegas, regional-occupational-program-las-vegas, return oriented programming, rop, rop-las-vegas, ropdb, vegas, what-happens-in-vegas-stays-in-vegas, what-u-do-in-vegas-stay-in-vegas-wallpaper

Universal DEP/ASLR bypass with msvcr71.dll and mona.py

Published July 3, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Over the last few weeks, there has been some commotion about a universal DEP/ASLR bypass routine using ROP gadgets from msvcr71.dll (written by Immunity Inc) and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty.

I’m not going to make any statements about this, but the ROP routine itself looks pretty slick.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged aslr, bounty, bypass, chain, corelan, dep, exploit, finding-universal-offsets-immunity, gadget, httpswww-corelan-beindex-php20110703universal-depaslr-bypass-with-msvcr71-dll-and-mona-py, immunity, metasploit, mona.py, mscvr-dll, msvcr71, return oriented programming, rop, rop-mona-py, universal-rop-bypass, white phosphorus

Mona 1.0 released !

Published June 16, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

FINALLY !
After spending almost 6 months of designing, developing and testing, and after ‘surviving’ 2 presentations (at AthCon and Hack In Paris), I am extremely excited and proud to present, on behalf of the entire Corelan Team, the general availability of mona.py.

With this announcement, we also declare pvefindaddr officially dead from this point forward. (This doesn’t mean pvefindaddr is now entirely worthless, because not all functions have been ported into mona yet, but we won’t be releasing any updates to pvefindaddr anymore and the entire project page/download page will eventually disappear)
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits, Uncategorized | Tagged eip, exploit, gadget, immunity, immunity debugger, immunitydbg-mona-example, immunitydbg-search-for-rop, mona, mona-corelan, mona-corelan-bad-characters, mona-download, mona-py-search-for-pointers, mona-py-youku, mona.py, monapy, pvefindaddr, pycommand, return oriented programming, rop, rop automation

Hack Notes : Ropping eggs for breakfast

Published May 12, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction I think we all agree that bypassing DEP (and ASLR) is no longer a luxury today. As operating systems (such as Windows 7) continue to gain popularity, exploit developers are forced to deal with increasingly more memory protection mechanisms, including DEP and ASLR. From a defense perspective, this is a good thing. But we […]

Posted in Exploit Writing Tutorials, Exploits | Tagged code reuse, corelan-rop, egg, egghunter, how-to-hack-notes, how-to-hack-windows-7-note, hunter, memcpy, memmove, metasploit, payload, return oriented programming, rop, rop-chain-what-is, shellcode, shellcode-virtualalloc-pastebins, strcpy, strncpy, virtualalloc, virtualprotect

BlackHat Europe 2011 / Day 02

Published March 18, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Having missed the IOActive party last night, I woke up fresh and sharp and ready for some kick-ass debugger stuff so I decided to start my second day at BlackHat Europe 2011 with attending the Cisco IOS fuzzing & debugging talk.
Continue reading →

Posted in 001_Security, Cons and Seminars | Tagged 2011, alfredo ortega, barcelona, blackhat, blackhat europe, cisco ios, denial of service mitigation, DoS, floodgates, fuzzing, graph, loic, malware, pie chart, roboo, sebastian muniz, stuxnet, tom parker, visualize, wim remes

BlackHat Europe 2011 / Day 01

Published March 17, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

After having breakfast, chatting with ping and hanging out with @kokanin, @xme and @wimremes, it was time to start attending the various talks.
So, as promised in yesterdays preview, what follows is the report of my first day at Black Hat Europe 2011.
Continue reading →

Posted in 001_Security, Cons and Seminars | Tagged 2011, andres riancho, barcelona, blackhat, blackhat europe, briefings, chris valasek, conference, exploit, fixation, hacking, ID, metasploit, nitesh dhanjani, rapid7, Raul Siles, ryan smith, seminar, session, tom keetch, w3af

BlackHat Europe 2011 / Preview

Published March 16, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Things change.
11 months have passed since a lot of people found themselves trapped all over Europe (including Barcelona) because of a little volcano ash cloud thingy.

This is 2011.

This time BlackHat anticipated and outsmarted nature by rescheduling the Europe briefings to march (instead of april).
Continue reading →

Posted in 001_Security, Cons and Seminars | Tagged 2011, april-blackhat, barcelona, blackhat, blackhat-bag, blackhat-barcelona-2011-volcano, blackhat-exporting-non-exportabe, briefings, c-debugging-contest-banners, corelanwallpaper, europe, export-non-exportable-certificate, export-non-exportable-certificates, httpwww-corelan-be8800index-phpcategorysecurityexploit-writing-tutor, jason-geffner, jason-geffner-exporting-non-exportable-certificate-source-code, knowledge-is-not-an-object-its-a-flow, knowledge-is-not-object-is-flow, seminar, vegas-entry-door

Cheat sheet : Installing Snorby 2.2 with Apache2 and Suricata with Barnyard2 on Ubuntu 10.x

Published February 27, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

After spending a few hours fighting a battle against Snorby and Apache2 + Passenger, I finally managed to get it to run properly on my Ubunty 10.x box (32bit). Looking back, I figured I might not be the only one who is having issues with this.

So I decided to publish the notes I took while setting everything up, and as a little bonus, explain how to install and configure Suricata as well (configured in combination with barnyard2 which will pick up local logs and send them to the remote MySQL server).
Continue reading →

Posted in 001_Security, Linux and Unix, Networking, Papers | Tagged a2enmod, apache2, apt-get, barnyard, bind-address, bundle install, cheat sheet, cheatsheet, configuration, daily cache, database.yml, emerging, emerging-threats, ezprint, gem, HOME_NET, ids, installation, ips, libhtp-0.2.so.1, my.cnf, mysql, passenger, passenger-install-apache2-module, passenger.conf, passenger.load, PassengerRoot, PassengerRuby, procedure, qt patch, rails, ruby, sensor cache, setup, snorby, snorby_config.yml, snort, step by step, suricata, ubuntu, unified2.alert, waldo, wkhtmltopdf, www.testmyids.com

The Honeypot Incident – How strong is your UF (Reversing FU)

Published January 31, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Interested in capturing, documenting and analyzing scans and malicious activity, Corelan Team decided to set up a honeypot and put it online. In the first week of december 2010, Obzy built a machine (default Windows XP SP3 installation, no patches, firewall turned off), named it “EGYPTS-AIRWAYS”, set up a honeypot + some other monitoring tools, and connected it to the internet.
Continue reading →

Posted in 001_Security, Exploits, Malware and Reversing | Tagged analysis, anti, challenge, compromise, conficker, corelan, debugger, debugging, engineer, game, honeypot, how strong is you uf, iat, isdebuggerpresent, malware, ms08-067, netapi, peb, reverse, reversing, svchost.ee, worm

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

mona.py – the manual

ROP your way into B-Sides Las Vegas 2011

Universal DEP/ASLR bypass with msvcr71.dll and mona.py

Mona 1.0 released !

Hack Notes : Ropping eggs for breakfast

BlackHat Europe 2011 / Day 02

BlackHat Europe 2011 / Day 01

BlackHat Europe 2011 / Preview

Cheat sheet : Installing Snorby 2.2 with Apache2 and Suricata with Barnyard2 on Ubuntu 10.x

The Honeypot Incident – How strong is your UF (Reversing FU)

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!