Search Results for: SEH Based Exploits
Root Cause Analysis – Integer Overflows
Table of ContentsForewordIntroductionAnalyzing the Crash DataIdentifying the Cause of ExceptionPage heapInitial analysisReversing the Faulty FunctionDetermining ExploitabilityChallengesPrerequisitesHeap BasicsLookaside ListsFreelistsPreventative Security MeasuresSafe-UnlinkingHeap CookiesApplication Specific ExploitationThoughts on This AttackGeneric Exploitation MethodsLookaside List OverwriteOverviewApplication Specific TechniqueWhy Not?Brett Moore: Wrecking Freelist[0] Since 2005Freelist[0] Insert AttackOverviewApplication Specific TechniqueWhy Not?Freelist[0] Searching AttackOverviewApplication Specific TechniqueWhy Not?ConclusionRecommended Reading Foreword Over the past few years, […]
Exploit writing tutorial part 11 : Heap Spraying Demystified
A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions.
Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail.
Of course, you can probably derive how it works by looking at those public exploits.
With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms.
I’ll start with some “ancient” techniques (or classic techniques if you will) that can be used on IE6 and IE7.
We’ll also look at heap spraying for non-browser applications.
Next, we’ll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9.
Continue reading
Metasploit Bounty – the Good, the Bad and the Ugly
On June 14, 2011 HD Moore announced the Metasploit Bounty contest, offering a cash incentive for specific vulnerabilities to be submitted as modules in the Metasploit Framework. Titled “30 exploits, $5000 in 5 weeks”, a post on the Rapid7 blog lists the 30 “bounties” selected by the MSF team, waiting for someone to claim and submit a working exploit module.
Continue reading
mona.py – the manual
This document describes the various commands, functionality and behaviour of mona.py.
Released on june 16, this pycommand for Immunity Debugger replaces pvefindaddr, solving performance issues and offering numerous new features. pvefindaddr will still be available for download until all of its functionality has been ported over to mona.
Continue reading
Corelan ROPdb
This page gathers generic/universal ROP chains that are solely based on gadgets taken from a single dll. The main requirements for a ROP chain to be listed here are: it must work on XP, Vista, Windows 7, 2003 and 2008 server. (the dll should not rebase and should not be ASLR enabled). If your ROP […]
BlackHat Europe 2011 / Day 01
After having breakfast, chatting with ping and hanging out with @kokanin, @xme and @wimremes, it was time to start attending the various talks.
So, as promised in yesterdays preview, what follows is the report of my first day at Black Hat Europe 2011.
Continue reading
Corelan Training "Corelan Live – Win32 Exploit Development Bootcamp"
Introduction Starting this year, Corelan will be teaching live Win32 exploit development classes at various security conferences. Titled “Corelan Live – Win32 Exploit Development Bootcamp“, this 2-day instructor-led course will teach everything you need to know about writing exploits for a Win32 environment and exploiting stack based vulnerabilities. During the first day, all basics about […]
The Honeypot Incident – How strong is your UF (Reversing FU)
Interested in capturing, documenting and analyzing scans and malicious activity, Corelan Team decided to set up a honeypot and put it online. In the first week of december 2010, Obzy built a machine (default Windows XP SP3 installation, no patches, firewall turned off), named it “EGYPTS-AIRWAYS”, set up a honeypot + some other monitoring tools, and connected it to the internet.
Continue reading
Offensive Security Exploit Weekend
Introduction I’m excited and honored to be able to announce that Sud0, one of our Corelan Team members, has won the Offensive Security Exploit weekend, an exploiting exercise only available to Offensive Security certified alumni. The challenge was built around a vulnerability in Foxit Reader. Each participant was pointed to a Proof of Concept exploit, […]
Death of an ftp client / Birth of Metasploit modules
Over the past few weeks, Corelan Team has given its undivided attention to fuzzing ftp client applications.
Using a custom built ftp client fuzzer, now part of the Metasploit framework, the team has audited several ftp clients and applications that use an embedded client ftp component. One example of such an application is a tool that would synchronize / backup data from a computer to a remote ftp server.
The 3 main audit/attack vectors that were used during the “project” were
send back overly long responses to ftp commands / requests sent by the ftp client to the server
send back a file/directory listing that contains overly long file/folder names
try to download a file that has an overly long filename.
Continue reading
Donate
Your donation will help funding server hosting.
