exploiting writing | Corelan Cybersecurity ResearchCorelan Cybersecurity Research

Search Results for: exploiting writing

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Published June 16, 2010 |

About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to learn the basics about exploit development, starting from scratch (targeting people without any knowledge about exploit development) you have most likely discovered that the more recent tutorials continue to build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s tutorial is no different. I will continue to build upon everything we have seen and learned in the previous tutorials. Today I will talk about ROP and how it can be used to bypass DEP (and ASLR)…
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 41414141, access violation, add esp, alwaysoff, alwayson, aslr, awe, breakpoint, bypass, C0000005, call, code reuse, dep, dep policy, egg, egg hunter, exploit, exploit writing, gadget, heapcreate, immunity debugger, jop, jump oriented programming, memcpy, ntsetinformationprocess, nx, offset, optin, optout, pae, permanent dep, pvefindaddr, register, return oriented programming, rop, rop gadget, setprocessdeppolicy, stack, stack pivot, time-line, virtualalloc, virtualprotect, WinExec, writeprocessmemory, xd

Exploiting Ken Ward Zipper : Taking advantage of payload conversion

Published March 27, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the article I wrote on the abysssec.com website, I explained the steps and techniques needed to build a working exploit for Ken Ward’s zipper. One of the main difficulties I had to overcome when building the exploit, was the character set limitation. I basically could only use a subset of the ascii characters (only […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged align, alpha getpc, alpha2, alphanumeric, compare, conversion, corelanc0d3r-blog, document, egg hunter, encoder, executable-zip-file-zip, getpc, getpc-routine-corelan, jump, ken ward, ken-wards, kenwards-zipper-corelan, ppr, seh, zip

Exploit writing tutorial part 9 : Introduction to Win32 shellcoding

Published February 25, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Over the last couple of months, I have written a set of tutorials about building exploits that target the Windows stack. One of the primary goals of anyone writing an exploit is to modify the normal execution flow of the application and trigger the application to run arbitrary code… code that is injected by the […]

Posted in 001_Security, Exploit Writing Tutorials | Tagged asm, assembly, bad chars, beta3, bits 32, bytecode, calc, charset limitation, decoder, encoder, ExitFunc, ExitProcess, ExitThread, exploit, exploit writing, find function, fstenv, fstenv_mov, GetProcess, hash, intel, introduction win, kernel32, loadlibraryA, loopd, MessageBoxA, metasploit, nasm, null bytes, opcode, part introduction, peb, pvefindaddr, pvereadbin.pl, pvewritebin.pl, seh, shellcode, shikata_ga_nai, skylined, topstack, tutorial part, user32, w32-testival, win shellcoding, win32, WinExec, writing, writing tutorial, x86

Exploit writing tutorial part 8 : Win32 Egg Hunting

Published January 9, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction Easter is still far away, so this is probably the right time to talk about ways to hunting for eggs (so you would be prepared when the easter bunny brings you another 0day vulnerability) In the first parts of this exploit writing tutorial series, we have talked about stack based overflows and how they […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged alpha2, alpha3, alphanumeric, asm, bad char, custom encoder, direct ret, egg, eip, encode, exploit, exploit writing, find shellcode, hunter, hunting, immunity, inject, isbadreadptr, marker, memory, metasploit, nasm, nop, ntdisplaystring, omelet, pvefindaddr, search, seh, shellcode, skape, skylined, small buffer, staged, tag, trampoline, tutorial, unicode, venetian, win32, win32_seh_omelet

Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

Published September 21, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !aslrdynamicbase, 2003, 4141414, 8, access violation, add esp, address space layout randomization, adjust ebp, adjust esi, alwaysoff, alwayson, aslr, before function returns, buffer, buffer overflow, bypass, call, compiler, cookie, data execution prevention, dep, dword ptr, exception handler, exploit, gs, hack, handler, immdbg, immunity, jmp, jump, Kifastsystemcallret, ldrpchecknxcompatibility, linker, loaded module, mov al, moveimages, next seh, non exec, nseh, ntsetinformationprocess, nx, ollydbg, optin, optout, partial overwrite, plugin, prevention, processexecute, protection, protectvirtualmemory, pvefindaddr, pycommand, python, ret2libc, safeseh, saved ebp, saved eip, se handler, se structure, sehop, stack, stack overflow, switch, virtual function call, vista, windbg, windows 7, xd, xp

Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development

Published September 5, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch registers and stack contents while evaluating crashes and building exploits. Today, I will discuss some other debuggers and debugger plugins that will help you speed up this process. A typical exploit writing toolkit arsenal should at […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !aslrdynamicbase, !findtrampoline, address call, address jmp, aslr, buffer, byakugan, call esp, eip, esp, esp found, findreturn, found valid, hunt, identbuf, immdbg, immunity, jmp, jmp esp, jutsu, listbuf, memdiff, metasploit, msec, pattern_create, pattern_offset, pop, pycommand, ret, return address, rmbuf, safeseh, searchopcode, shellcode, valid return, vista

Exploit writing tutorial part 3 : SEH Based Exploits

Published July 25, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the first 2 parts of the exploit writing tutorial series, I have discussed how a classic stack buffer overflow works and how you can build a reliable exploit by using various techniques to jump to the shellcode. The example we have used allowed us to directly overwrite EIP and we had a pretty large […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !exploitable, buffer, buffer overflow, cygwin, dep, dll modload, exception, exception handler, exploit, exploit laboratory, fs:[0], handler, memdump, msec.dll, msfpescan, next seh, ollydbg, pop pop ret, safeseh, seh, shellcode, stack, stack overflow, teb, tib, windbg

Exploit writing tutorial part 1 : Stack Based Overflows

Published July 19, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Last friday (july 17th 2009), somebody (nick)named ‘Crazy_Hacker’ has reported a vulnerability in Easy RM to MP3 Conversion Utility (on XP SP2 En), via packetstormsecurity.org. (see http://packetstormsecurity.org/0907-exploits/). The vulnerability report included a proof of concept exploit (which, by the way, failed to work on my MS Virtual PC based XP SP3 En). Another exploit was […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 41414141, buffer, buffer overflow, buffersize, bytes, discover, ebp, eip, esp, exploit, exploit laboratory, exploit writing tutorial, hack, learn, metasploit, nop, nop sled, nop slide, overflow, pattern_create, pattern_offset, pop, push, register, saumil shah, shellcode, sk chong, stack, stack overflow, write

How to become a pentester

Published October 13, 2015 |

By Peter Van Eeckhoutte (corelanc0d3r)

Intro I receive a lot of emails. (Please don’t make it worse, thanks!) Unfortunately I don’t have as much spare time as I used to, or would like to, so I often have no other choice than to redirect questions to our forums or our IRC channel (#corelan on freenode), hoping that other members […]

Posted in 001_Security, Penetration testing, Web Application Security | Tagged asking questions, carreer, efforts, ethical hacker, free-list-of-email-addresses, goal, how to become, how-do-i-become-a-pentester, httpswww-corelan-beindex-php20151013how-to-become-a-pentester, httpswww-corelan-beindex-php20151013how-to-become-a-pentesterutm_contentbufferc2731, industry, infosec, internship, junior, penetration tester, pentester, security assessment, security audit, vulnerability assessment, where to start

Root Cause Analysis – Integer Overflows

Published July 2, 2013 |

By Corelan Team (Jason Kratzer)

Table of ContentsForewordIntroductionAnalyzing the Crash DataIdentifying the Cause of ExceptionPage heapInitial analysisReversing the Faulty FunctionDetermining ExploitabilityChallengesPrerequisitesHeap BasicsLookaside ListsFreelistsPreventative Security MeasuresSafe-UnlinkingHeap CookiesApplication Specific ExploitationThoughts on This AttackGeneric Exploitation MethodsLookaside List OverwriteOverviewApplication Specific TechniqueWhy Not?Brett Moore: Wrecking Freelist[0] Since 2005Freelist[0] Insert AttackOverviewApplication Specific TechniqueWhy Not?Freelist[0] Searching AttackOverviewApplication Specific TechniqueWhy Not?ConclusionRecommended Reading Foreword Over the past few years, […]

Posted in Exploit Writing Tutorials, Root Cause Analysis | Tagged !exploitable, determine exploitability, fake chunk, freelist, freelist[0] insert atttack, freelist[0] search atttack, fuzzing, fwptr, gom player, heap, heap overflow, heapbase, integer overflow, lal head, lookasidelist, mona.py, mp4, msec.dll, peach, qt, root cause analysis, windbg

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Search Results for: exploiting writing

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Exploiting Ken Ward Zipper : Taking advantage of payload conversion

Exploit writing tutorial part 9 : Introduction to Win32 shellcoding

Exploit writing tutorial part 8 : Win32 Egg Hunting

Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development

Exploit writing tutorial part 3 : SEH Based Exploits

Exploit writing tutorial part 1 : Stack Based Overflows

How to become a pentester

Root Cause Analysis – Integer Overflows

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!