Needles in heaps, allocator primitives, posts, tutorials, papers, research notes ...

Your search for

resolved the following candidate gadgets:

Metasploit Bounty - the Good, the Bad and the Ugly

Corelan Team (Lincoln) July 27, 2011
On June 14, 2011 HD Moore announced the Metasploit Bounty contest, offering a cash incentive for specific vulnerabilities to be submitted as modules in the Metasploit Framework. Titled "30 exploits, $5000 in 5 weeks", a post on the Rapid7 blog lists the 30 "bounties" selected by the MSF team, waiting for someone to claim and submit a working exploit module. Read more

Universal DEP/ASLR bypass with msvcr71.dll and mona.py

corelanc0d3r July 3, 2011
Over the last few weeks, there has been some commotion about a universal DEP/ASLR bypass routine using ROP gadgets from msvcr71.dll (written by Immunity Inc) and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty. I'm not going to make any statements about this, but the ROP routine itself looks pretty slick. Read more

Hack Notes : Ropping eggs for breakfast

corelanc0d3r May 12, 2011

Introduction

I think we all agree that bypassing DEP (and ASLR) is no longer a luxury today. As operating systems (such as Windows 7) continue to gain popularity, exploit developers are forced to deal with increasingly more memory protection Read more

Hack Notes : ROP retn+offset and impact on stack setup

corelanc0d3r January 30, 2011

Yesterday, sickn3ss (one of the frequent visitors of the #corelan channel on freenode IRC) posted a really interesting question.

The question

While testing ROP gadgets, as part of the process of building a DEP bypass exploit for WM Downloader, Read more

Death of an ftp client / Birth of Metasploit modules

corelanc0d3r October 12, 2010
Over the past few weeks, Corelan Team has given its undivided attention to fuzzing ftp client applications. Using a custom built ftp client fuzzer, now part of the Metasploit framework, the team has audited several ftp clients and applications that use an embedded client ftp component. One example of such an application is a tool that would synchronize / backup data from a computer to a remote ftp server. The 3 main audit/attack vectors that were used during the "project" were send back overly long responses to ftp commands / requests sent by the ftp client to the server send back a file/directory listing that contains overly long file/folder names try to download a file that has an overly long filename. Read more

Blackhat Europe 2010 Barcelona - Day 01

corelanc0d3r April 14, 2010

As some of you might know, I am currently attending Blackhat Europe (hosted in Barcelona this year). So I wanted to take the opportunity to fill you in on the details of this first day of briefings, and provide Read more

QuickZip Stack BOF 0day: a box of chocolates

corelanc0d3r March 27, 2010

Over the last couple of weeks, ever since I published 2 articles on the Offensive Blog, I have received many requests from people asking me if they could get a copy of those articles in pdf format.  My blog Read more

Backtrack 4 cheat sheet

corelanc0d3r July 4, 2009

Download backtrack from http://www.remote-exploit.org/backtrack_download.html. Current version at the time of writing is BT4 Pre-Final.This document is based on BT4 pre-final. Ergo, some of the instructions below may not work with other versions of BT.

FYI : An excellent guide Read more