001_Security

Death of an ftp client / Birth of Metasploit modules

Published October 12, 2010 |

Over the past few weeks, Corelan Team has given its undivided attention to fuzzing ftp client applications.

Using a custom built ftp client fuzzer, now part of the Metasploit framework, the team has audited several ftp clients and applications that use an embedded client ftp component. One example of such an application is a tool that would synchronize / backup data from a computer to a remote ftp server.

The 3 main audit/attack vectors that were used during the “project” were

send back overly long responses to ftp commands / requests sent by the ftp client to the server
send back a file/directory listing that contains overly long file/folder names
try to download a file that has an overly long filename.
Continue reading →

Posted in 001_Security, Exploits | Tagged client, egg hunter, exploit, Exploits, file, ftp, ftp client, ftp server, fuzzer, metasploit, mixin, module, msf, msf exploit, omelet, payload, payloag-egghunter-metasploit, reply, server, svn

BruCON 2010 : Day 0x2

Published September 25, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

[WORKSHOP] – Malicious PDF Analysis I started the second day at BruCON with attending the workshop about analyzing malicious pdf files. Didier Stevens spared no expense and prepared an impressive lab, offering all sorts of pdf exercise files. Trying to squeeze in weeks and months of research into a 2 hour workshop, he managed to […]

Posted in 001_Security, Cons and Seminars | Tagged 2010, ascure, backdoor, brucon, code, dale, didier, files, hacking, hex, hex factor, lightning, malicious, malicious code, matias, might, might help, nlp, pdf, stevens, talk, target, techniques

BruCON 2010 : Day 0x1

Published September 23, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

After hearing a lot of great things about the first edition of BruCON (in 2009), I decided to attend the con this year. The fact that BruCON is gaining popularity and established a lot of recognition in the industry already, combined with the fact that it takes place in Brussels, Belgium (my home country), it […]

Posted in 001_Security, Cons and Seminars | Tagged 001_Security, attack, brucon, brussels, code, cybercrime, cyberwar, gsm, hex factor, iftach, ips, malicious, mitm, mobile, network, pentester, phone, session key, systems, virus, viruses, waf

DLL Hijacking (KB 2269637) – the unofficial list

Published August 25, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

This page hosts an unofficial list of applications that are said to be vulnerable to the dll hijacking flaw (or feature or whatever you want to call it). Note that I did not test these applications myself. If you have found other applications to be vulnerable and want to add them to the list, send […]

Posted in 001_Security, Exploits | Tagged 2269637, 3-0-csl-2264107, applications, camtasia-studio-res-dll, corel-draw-wow64-official-site, corelan-be, corelean-buffer-overflow, dll, dll hijack, dll hijacking, download-kb-2269637, hijack, hijack-dll-guid, j2k-dll-dll, kb2269637, lotus-notes-address-book-hijacked, metasploit-windows-7-home-premium-6-1, pvefindaduser-exe, vulnerable, windows-7-home-premium-metasploit

Exploit notes – win32 eggs-to-omelet

Published August 22, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

In article 8 of my exploit writing series, I have introduced the concept of egg hunters, and explained what an omelet hunter is and how it works. Today, I want to share with you my own eggs-to-omelet implementation, explain how it works, and how you can use it in a standalone exploit or in a […]

Posted in 001_Security, Exploit Writing Tutorials | Tagged assemble, egg, egg hunter, eggs omelet, eggs-to-omelet, find, hunter, metasploit, nasm, omelet, omelet-egghunter, omelette-sitecorelan-be, payload, pvefindaddr, recombine, search, sequence-of-imagesegg, shellcode, skylined, xc3-code

Cisco VoIP Phones – A Hackers Perspective

Published July 27, 2010 |

By chap0

Introduction In the world of VoIP phones, each person may look at them differently. For some, an annoyance that sit on their desk, or maybe for some it is simply a part of their job either deploying them or as a help desk position taking phone calls all day. This could even go as far […]

Posted in 001_Security, Cisco, Papers | Tagged Cisco, cisco voip, cisco-voip-cheatsheet, hackers perspective, people-on-cisco-phones, phones hackers, target ending, ucsniff voip, understand vulnerabilities, using voip, utilizing ucsniff, voip, voip network, voip phones, voip security, voip-cheat-sheet, vulnerabilities may, waiting malicious, world voip, write intro

WATOBO – the unofficial manual

Published July 23, 2010 |

By Corelan Team (fancy)

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. I am convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities. WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only. It works […]

Posted in 001_Security, Papers, Web Application Security | Tagged 001_Security, active, active checks, audit, base64, decode, encode, filter, filter functions, functions, fuzzer, interceptor, login, passive, passive checks, proxy, regex, requests, scan, scanner, semi, semi automated, session, vulnerability, watobo, watobo supports, web application

How strong is your fu 2 – the report

Published June 23, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

For anyone interested, this is _sinn3r’s and tecr0c’s writeup of the steps they took to own 4 out of the 5 machines in last weekend’s HSIYF – Hacking for Charity cyber hacking challenge …
Continue reading →

Posted in 001_Security | Tagged -hack, challenge, corelan-how-srong-if-your-fu, ctf, cyber, cyber-hacker, hacking, hacking-challenge, hacking-ninja, how-strong-is-you-fu, how-strong-is-your-foo, how-strong-is-your-fu, how-strong-is-your-fu-offensive-security, how-strong-is-your-fu2, hsiyf, hsiyf-report, offensive, offensive security, offsec, report

How strong is your fu : Hacking for charity

Published June 22, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Last weekend, Offensive Security hosted their second cyber hacking challenge, called “HSIYF For Charity”. The goal of this challenge was to raise money for Johnny Long’s “Hackers for Charity” project, a charity organization that tries to feed children, build computer labs etc in East Africa. Each challenger had to donate $49 to be able to […]

Posted in 001_Security | Tagged corelan-hacking, corelan-how-strong-is-your-foo, corelan-strong, ctf, cyber-hackers, hacking, hfc, how-strong-is-my-foo-corelan, how-strong-you-fu-pdf, hsiyf, june-22-2010-hacked, offensive security, offensive-security-wallpaper, offsec, pastie-sh-hackers-for-charity, pentesting-training-class-online-private, successfullyowned, tournament, try-harder-offensive-security, vpn-hacking

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Published June 16, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to learn the basics about exploit development, starting from scratch (targeting people without any knowledge about exploit development) you have most likely discovered that the more recent tutorials continue to build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s tutorial is no different. I will continue to build upon everything we have seen and learned in the previous tutorials. Today I will talk about ROP and how it can be used to bypass DEP (and ASLR)…
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 41414141, access violation, add esp, alwaysoff, alwayson, aslr, awe, breakpoint, bypass, C0000005, call, code reuse, dep, dep policy, egg, egg hunter, exploit, exploit writing, gadget, heapcreate, immunity debugger, jop, jump oriented programming, memcpy, ntsetinformationprocess, nx, offset, optin, optout, pae, permanent dep, pvefindaddr, register, return oriented programming, rop, rop gadget, setprocessdeppolicy, stack, stack pivot, time-line, virtualalloc, virtualprotect, WinExec, writeprocessmemory, xd

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Death of an ftp client / Birth of Metasploit modules

BruCON 2010 : Day 0x2

BruCON 2010 : Day 0x1

DLL Hijacking (KB 2269637) – the unofficial list

Exploit notes – win32 eggs-to-omelet

Cisco VoIP Phones – A Hackers Perspective

How strong is your fu 2 – the report

How strong is your fu : Hacking for charity

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!