metasploit | Corelan Cybersecurity Research - Part 2Corelan Cybersecurity Research

Search Results for: metasploit

Happy 5th Birthday Corelan Team

Published March 3, 2014 |

Table of ContentsIntroductionDiscounts (in alphabetical order):Hak5Hex-RaysMalformity LabsNetsparkerNo Starch PressPatervaRapid7SANSSecurity RootsSyngressYour name here ? Introduction Corelan Team was founded in September of 2009. Over the last few years, the team has written and published numerous tutorials on exploit development. We have created a series of tools and scripts, and worked with vendors/developers across the globe to […]

Posted in 001_Security | Tagged 2014, 5 years, community, corelan, coupon, discount, hak5, happy birthday, hex-rays, infosec, malformity labs, metasploit, netsparker, no starch press, party, paterva, rapid7, sansinstitute, securityroots, stephen sims, syngress

Zabbix SQL Injection/RCE – CVE-2013-5743

Published October 4, 2013 |

By Corelan Team (Lincoln)

Table of ContentsIntroductionDisclosure Timeline:Vendor DetailsVulnerability DetailsThe patch Leveraging SQL InjectionCool! We got Admin, now what?Code Execution Further Exploitation? Introduction First off, please do not throw a tomato at me since this is not the typical Windows binary exploit article that is posted on Corelan! During a recent a penetration test, I encountered a host running Zabbix, an […]

Posted in Pentesting, SQL Injection, Web Application Security | Tagged 3, 5743, 5743-views, burp, corelan-be-zabbix-2-0-8, cve-2013-5743, exploit-sql-injection-2013, facebook-sql-injection-2013, got-a-deauthentication, metasploit, pentest, putting-injuction-in-bobs-video-for-free-download, putting-injuction-on-bobs-video-for-download, python-sql-injection-pastebin, single-url-sqli-scanner-php-pastebin, sql injection, web application, zabbix, zabbix-2-0-8-code-execution, zabbix-sql-injector-gratis-download

DEPS – Precise Heap Spray on Firefox and IE10

Published February 19, 2013 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction Last week, while doing my bi-weekly courseware review and update, I discovered that my heap spray script for Firefox 9 no longer works on recent versions. Looking back at the type of tricks I had to use to make a precise spray work under Firefox 9 and IE 9, and realizing that these changes […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits, Tools | Tagged button, chrome, corelan, createelement, deps, div, dom, dom element property spray, element, emet, firefox, fontfamily, heap, html5, ie10, internet explorer, property, rop, spray, title, trident, webkit, windbg

Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2 !!

Published December 31, 2012 |

By Peter Van Eeckhoutte (corelanc0d3r)

Ho Ho Ho friends, It has been a while since we posted something on the Corelan Team blog, I guess we all have been busy doing … stuff and things, here and there. Nevertheless, as the year is close to filling up 100%, it’s probably a good time to start thinking about finding some convincing […]

Posted in Development, Exploit Writing Tutorials, Exploits, My Free Tools, Scripts | Tagged debugger, exploit, extension, immunity, immunity debugger, jingle-bofs, mona, mona-albertini, mona-py-2-windbg, mona-windbg, mona.py, new year, plugin, present, pycommand, pykd, python, windbg, windbg-mona-py, www-corelan-be

HITB2012AMS Day 2 – Attacking XML Processing

Published May 25, 2012 |

By Peter Van Eeckhoutte (corelanc0d3r)

Attacking XML Processing Dressed in a classy Corelan Team T-Shirt, Nicolas Grégoire kicks off his presentation by introducing himself. Nicolas has been asked by a customer to audit some XML-DSig applications 18 months ago and found a number of bugs. This triggered him to do more research on this topic. This technology is present in […]

Posted in Cons and Seminars | Tagged adobe, agarri, common-xml-vulnerabilities, dtd, embed, firefox, java, meterpreter, nicolas grégoire, oracle, parser, php, processing, rest, restlet-xml-external-entity-gregoire, winrt-xml-parsing, xml, xslt, xxe, xxe-attack-execution

HITB2012AMS Day 1 – Intro and Keynote

Published May 24, 2012 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction Good morning everyone, After spending a couple of hours on the train, picking up my HITB badge, meeting with some of the organizers and having a great evening hanging out with Steven Seeley, Roberto Suggi Liverani, Nicolas Grégoire, Andy Ellis, Didier Stevens, and some other folks, conference time has arrived. With the conference taking place […]

Posted in Cons and Seminars | Tagged adiosphpid, akamai, amsterdam, andy ellis, capabilities, corelan, download-immunity-debugger-exe-ollydbg, hack in the box, hack-in-the-box-amsterdam-2012-keynote, hack-in-the-box-amsterdam-2012-ppt, hitb, hitb-2012-keynote, hitb2012-merchandise, hitb2012ams, keynote, okura, poverty line, resources, security awareness, steven-seeley

About Corelan Team

Published April 5, 2012 |

By Peter Van Eeckhoutte (corelanc0d3r)

The Team Corelan Team is a group of IT Security researchers/enthusiasts/professionals/hobbyists who share the same interests, mainly focused on 3 things : Research : We like to work together to perform all kinds of security research, ranging from finding vulnerabilities and working with vendors/developers to get them fixed, over developing and documenting exploitation techniques to […]

Tagged corelan, corelan team, corelan-be, corelan-live-training-exchange, corelan-rop-exploit-writing, corelan-team-about, corelan-team-course, corelan-teams, corelan-tutorial-3, corelanteam, easychat-exploit-mona-py, exploitbypass-sandbox-and-rop, hobbyist-security-researchers, inurlindex-phpabout-us-inurlteam-hack, is-not-an-object-it-s-a, sitewww-corelan-be-intitleexploit-writing-tutorial, what-is-a-exploit-developer-and-corelan-team-member, working-at-stratsec-good-bad, writing-an-exploit, www-corelan-be

Debugging Fun – Putting a process to sleep()

Published February 29, 2012 |

By Corelan Team (Lincoln)

Recently I played with an older CVE (CVE-2008-0532, http://www.securityfocus.com/archive/1/489463, by FX) and I was having trouble debugging the CGI executable where the vulnerable function was located.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Malware and Reversing, Uncategorized | Tagged cgi, corelan, corelan team, cve-2008-0532, debugger, entrypoint, f, function, fx, hook, immunity, isdebuggerpresent, jit, just in time, loop, pefile, python, rva, sleep, www-corelan-be

Exploit writing tutorial part 11 : Heap Spraying Demystified

Published December 31, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions.
Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail.
Of course, you can probably derive how it works by looking at those public exploits.

With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms.
I’ll start with some “ancient” techniques (or classic techniques if you will) that can be used on IE6 and IE7.
We’ll also look at heap spraying for non-browser applications.
Next, we’ll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged 0c0c0c0c, actionscript, adobe, bmp, bstr, corelan, debugger, dep, exploit, exploit writing tutorial, firefox, freelists, gadget, gzip, heap, heapcreate, heaplib, image, immunity, internet explorer, javascript, lookasidelist, low fragmentation heap, metasploit, mona.py, moshe ben abu, pdf, pivot, return oriented programming, rop, ruby, sotirov, spray, string, substring, trancer, virtualalloc, vtable, windbg

WoW64 Egghunter

Published November 18, 2011 |

By Corelan Team (Lincoln)

Traditional Egghunter An Egghunter is nothing more than an assembly routine to find shellcode somewhere in memory. We typically deploy an Egghunter when there is no more room in our buffer that we can use to initially redirect EIP to. If we are able to load our shellcode elsewhere in process memory, the Egghunter will […]

Posted in 001_Security, Exploit Writing Tutorials, Uncategorized | Tagged 32bit, 64bit, access violation, dep, egg, egghunter, fs, hunter, int2, interrupt, matt miller, metasploit, nasm, ntaccesscheckandauditalarm, omelet, shellcode, skape, syscall, sysenter, tag, teb, virtualalloc, virtualprotect, w00t, wow64

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Search Results for: metasploit

Happy 5th Birthday Corelan Team

Zabbix SQL Injection/RCE – CVE-2013-5743

DEPS – Precise Heap Spray on Firefox and IE10

Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2 !!

HITB2012AMS Day 2 – Attacking XML Processing

HITB2012AMS Day 1 – Intro and Keynote

About Corelan Team

Debugging Fun – Putting a process to sleep()

Exploit writing tutorial part 11 : Heap Spraying Demystified

WoW64 Egghunter

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!