Search Results for: exploit writing tutorial

Happy 5th Birthday Corelan Team

Published March 3, 2014 | By Peter Van Eeckhoutte (corelanc0d3r)

Table of ContentsIntroductionDiscounts (in alphabetical order):Hak5Hex-RaysMalformity LabsNetsparkerNo Starch PressPatervaRapid7SANSSecurity RootsSyngressYour name here ? Introduction Corelan Team was founded in September of 2009. Over the last few years, the team has written and published numerous tutorials on exploit development.  We have created a series of tools and scripts,  and worked with vendors/developers across the globe to […]

Posted in 001_Security | Tagged , , , , , , , , , , , , , , , , , , , ,

Corelan Team reply to false allegation made by Kaspersky

Published February 5, 2014 | By Peter Van Eeckhoutte (corelanc0d3r)

Hi, A few moments ago, I was informed about an article on www.securelist.com and the fact that Corelan Team was mentioned in that post.  Apparently a researcher at Kaspersky Labs found a piece of text (“You have been owned by CorelanX”) inside a malware sample and concluded that, due to the mere presence of that […]

Posted in Legal | Tagged , , , , , , , ,

Root Cause Analysis – Integer Overflows

Published July 2, 2013 | By Corelan Team (Jason Kratzer)

Table of ContentsForewordIntroductionAnalyzing the Crash DataIdentifying the Cause of ExceptionPage heapInitial analysisReversing the Faulty FunctionDetermining ExploitabilityChallengesPrerequisitesHeap BasicsLookaside ListsFreelistsPreventative Security MeasuresSafe-UnlinkingHeap CookiesApplication Specific ExploitationThoughts on This AttackGeneric Exploitation MethodsLookaside List OverwriteOverviewApplication Specific TechniqueWhy Not?Brett Moore: Wrecking Freelist[0] Since 2005Freelist[0] Insert AttackOverviewApplication Specific TechniqueWhy Not?Freelist[0] Searching AttackOverviewApplication Specific TechniqueWhy Not?ConclusionRecommended Reading Foreword Over the past few years, […]

Posted in Exploit Writing Tutorials, Root Cause Analysis | Tagged , , , , , , , , , , , , , , , , , , , , ,

DEPS – Precise Heap Spray on Firefox and IE10

Published February 19, 2013 | By Peter Van Eeckhoutte (corelanc0d3r)

Introduction Last week, while doing my bi-weekly courseware review and update, I discovered that my heap spray script for Firefox 9 no longer works on recent versions.  Looking back at the type of tricks I had to use to make a precise spray work under Firefox 9 and IE 9, and realizing that these changes […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits, Tools | Tagged , , , , , , , , , , , , , , , , , , , , , ,

About Corelan Team

Published April 5, 2012 | By Peter Van Eeckhoutte (corelanc0d3r)

The Team Corelan Team is a group of IT Security researchers/enthusiasts/professionals/hobbyists who share the same interests, mainly focused on 3 things : Research : We like to work together to perform all kinds of security research, ranging from finding vulnerabilities and working with vendors/developers to get them fixed, over developing and documenting  exploitation techniques to […]

Tagged , , , , , , , , , , , , , , , , , , ,

Many roads to IAT

Published December 1, 2011 | By Dinos

A few days ago a friend approached me and asked how he could see the import address table under immunity debugger and if this could be done using the command line.

I figured this would be a good time to take a look at what the IAT is, how we can list the IAT and what common reversing hurdles could be with regards to the IAT.
Continue reading

Posted in Malware and Reversing | Tagged , , , , , , , , , , , , , , , , , , ,

WoW64 Egghunter

Published November 18, 2011 | By Corelan Team (Lincoln)

Traditional Egghunter An Egghunter is nothing more than an assembly routine to find shellcode somewhere in memory. We typically deploy an Egghunter when there is no more room in our buffer that we can use to initially redirect EIP to. If we are able to load our shellcode elsewhere in process memory, the Egghunter will […]

Posted in 001_Security, Exploit Writing Tutorials, Uncategorized | Tagged , , , , , , , , , , , , , , , , , , , , , , , ,

Metasploit Bounty – the Good, the Bad and the Ugly

Published July 27, 2011 | By Corelan Team (Lincoln)

On June 14, 2011 HD Moore announced the Metasploit Bounty contest, offering a cash incentive for specific vulnerabilities to be submitted as modules in the Metasploit Framework. Titled “30 exploits, $5000 in 5 weeks”, a post on the Rapid7 blog lists the 30 “bounties” selected by the MSF team, waiting for someone to claim and submit a working exploit module.
Continue reading

Posted in 001_Security, Exploits | Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Universal DEP/ASLR bypass with msvcr71.dll and mona.py

Published July 3, 2011 | By Peter Van Eeckhoutte (corelanc0d3r)

Over the last few weeks, there has been some commotion about a universal DEP/ASLR bypass routine using ROP gadgets from msvcr71.dll (written by Immunity Inc) and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty.

I’m not going to make any statements about this, but the ROP routine itself looks pretty slick.
Continue reading

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged , , , , , , , , , , , , , , , , , , ,

Hack Notes : Ropping eggs for breakfast

Published May 12, 2011 | By Peter Van Eeckhoutte (corelanc0d3r)

Introduction I think we all agree that bypassing DEP (and ASLR) is no longer a luxury today. As operating systems (such as Windows 7) continue to gain popularity, exploit developers are forced to deal with increasingly more memory protection mechanisms, including DEP and ASLR. From a defense perspective, this is a good thing. But we […]

Posted in Exploit Writing Tutorials, Exploits | Tagged , , , , , , , , , , , , , , , , , , ,

Corelan Training

We have been teaching our win32 exploit dev classes at various security cons and private companies & organizations since 2011

Check out our schedules page here and sign up for one of our classes now!

Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Protected by Copyscape Web Plagiarism Tool

Corelan on Slack

You can chat with us and our friends on our Slack workspace:

  • Go to our facebook page
  • Browse through the posts and find the invite to Slack
  • Use the invite to access our Slack workspace

    • Categories

    Mastodon: @corelanc0d3r | @corelan


    Copyright Peter Van Eeckhoutte © 2007 - 2024 | All Rights Reserved | Terms of use