Needles in heaps, allocator primitives, posts, tutorials, papers, research notes ...

Your search for

resolved the following candidate gadgets:

Exploit writing tutorial part 11 : Heap Spraying Demystified

corelanc0d3r December 31, 2011
A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions. Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail. Of course, you can probably derive how it works by looking at those public exploits. With this tutorial, I'm going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms. I'll start with some "ancient" techniques (or classic techniques if you will) that can be used on IE6 and IE7. We'll also look at heap spraying for non-browser applications. Next, we'll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8. I'll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9. Read more

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

corelanc0d3r June 16, 2010
About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article. In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode. While the first tutorials were really written to learn the basics about exploit development, starting from scratch (targeting people without any knowledge about exploit development) you have most likely discovered that the more recent tutorials continue to build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general. Today's tutorial is no different. I will continue to build upon everything we have seen and learned in the previous tutorials. Today I will talk about ROP and how it can be used to bypass DEP (and ASLR)... Read more

Exploit writing tutorial part 1 : Stack Based Overflows

corelanc0d3r July 19, 2009

Last friday (july 17th 2009), somebody (nick)named ‘Crazy_Hacker’ has reported a vulnerability in Easy RM to MP3 Conversion Utility (on XP SP2 En), via packetstormsecurity.org. (see http://packetstormsecurity.org/0907-exploits/). The vulnerability report included a proof of concept exploit (which, by Read more

Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc

corelanc0d3r November 6, 2009

Finally … after spending a couple of weeks working on unicode and unicode exploits, I’m glad and happy to be able to release this next article in my basic exploit writing series : writing exploits for stack based unicode Read more

Windows 10 egghunter (wow64) and more

corelanc0d3r April 23, 2019

Introduction

Ok, I have a confession to make, I have always been somewhat intrigued by egghunters. That doesn’t mean that I like to use (or abuse) an egghunter just because I fancy what it does. In fact, I Read more

DEPS – Precise Heap Spray on Firefox and IE10

corelanc0d3r February 19, 2013

Introduction

Last week, while doing my bi-weekly courseware review and update, I discovered that my heap spray script for Firefox 9 no longer works on recent versions.  Looking back at the type of tricks I had to use to Read more

Universal DEP/ASLR bypass with msvcr71.dll and mona.py

corelanc0d3r July 3, 2011
Over the last few weeks, there has been some commotion about a universal DEP/ASLR bypass routine using ROP gadgets from msvcr71.dll (written by Immunity Inc) and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty. I'm not going to make any statements about this, but the ROP routine itself looks pretty slick. Read more

Offensive Security Exploit Weekend

Corelan Team (Sud0) November 13, 2010

Introduction

I’m excited and honored to be able to announce that Sud0, one of our Corelan Team members, has won the Offensive Security Exploit weekend, an exploiting exercise only available to Offensive Security certified alumni.

The challenge Read more

Exploit notes – win32 eggs-to-omelet

corelanc0d3r August 22, 2010

In article 8 of my exploit writing series, I have introduced the concept of egg hunters, and explained what an omelet hunter is and how it works.

Today, I want to share with you my own eggs-to-omelet implementation, explain Read more

Blackhat Europe 2010 Barcelona – Day 01

corelanc0d3r April 14, 2010

As some of you might know, I am currently attending Blackhat Europe (hosted in Barcelona this year). So I wanted to take the opportunity to fill you in on the details of this first day of briefings, and provide Read more