metasploit | Corelan Cybersecurity Research - Part 4Corelan Cybersecurity Research

Search Results for: metasploit

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Published June 16, 2010 |

About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to learn the basics about exploit development, starting from scratch (targeting people without any knowledge about exploit development) you have most likely discovered that the more recent tutorials continue to build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s tutorial is no different. I will continue to build upon everything we have seen and learned in the previous tutorials. Today I will talk about ROP and how it can be used to bypass DEP (and ASLR)…
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 41414141, access violation, add esp, alwaysoff, alwayson, aslr, awe, breakpoint, bypass, C0000005, call, code reuse, dep, dep policy, egg, egg hunter, exploit, exploit writing, gadget, heapcreate, immunity debugger, jop, jump oriented programming, memcpy, ntsetinformationprocess, nx, offset, optin, optout, pae, permanent dep, pvefindaddr, register, return oriented programming, rop, rop gadget, setprocessdeppolicy, stack, stack pivot, time-line, virtualalloc, virtualprotect, WinExec, writeprocessmemory, xd

Offensive Security Hacking Tournament – How strong was my fu ?

Published May 10, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Hi, Over the last 2 days my friends from Corelan Team and I participated in a Hacking Tournament, organized by Offensive Security. The primary goals of the tournament are : be the first one to grab “secret” information from a machine and post it to the Tournament Control Panel. document your findings and submit them […]

Posted in 001_Security, Exploits | Tagged --, 001_Security, 192-168-6-66, capture, ctf, flag, hacking, hacklab-vpn, n00bfilter, nc-backshell-invalid-connection, nox-of-xr-offensive-security-team, offensive security, offensive-security-labs-exercises, offsec-lab, offsec-lab-firewall, pentestexploitsexploitdbplatformslinuxremote340-c-imap, screenos-import-pfx, smtx-video-ghost-challenge-write-up, surgemail-3-8k4-4-d-download, tournament

QuickZip Stack BOF 0day: a box of chocolates

Published March 27, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Over the last couple of weeks, ever since I published 2 articles on the Offensive Blog, I have received many requests from people asking me if they could get a copy of those articles in pdf format. My blog does not include a pdf generator, but it has a “print” button, so you can get […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 0day, 0day-cisco, character set, corelan-quickzip, corelan-safeseh, corelanc0d3r, decoder, encoder, esp-ebp, filename, limitation, memory-heap-stack-esp-ebp, metasploit-cyclic-pattern, Peter Van Eeckhoutte, quickzip, seh, stack-esp-ebp, try harder, windbg-wscr-scripts, zip

Exploit writing tutorial part 9 : Introduction to Win32 shellcoding

Published February 25, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Over the last couple of months, I have written a set of tutorials about building exploits that target the Windows stack. One of the primary goals of anyone writing an exploit is to modify the normal execution flow of the application and trigger the application to run arbitrary code… code that is injected by the […]

Posted in 001_Security, Exploit Writing Tutorials | Tagged asm, assembly, bad chars, beta3, bits 32, bytecode, calc, charset limitation, decoder, encoder, ExitFunc, ExitProcess, ExitThread, exploit, exploit writing, find function, fstenv, fstenv_mov, GetProcess, hash, intel, introduction win, kernel32, loadlibraryA, loopd, MessageBoxA, metasploit, nasm, null bytes, opcode, part introduction, peb, pvefindaddr, pvereadbin.pl, pvewritebin.pl, seh, shellcode, shikata_ga_nai, skylined, topstack, tutorial part, user32, w32-testival, win shellcoding, win32, WinExec, writing, writing tutorial, x86

Starting to write Immunity Debugger PyCommands : my cheatsheet

Published January 26, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in windbg […]

Posted in 001_Security, Development, Exploit Writing Tutorials, Scripts | Tagged api, assemble, cheatsheet, debugger, disassemble, hoe-to-use-mona-at-immunity-debugger, immlib, immunity, immunity debugger, immunity-cheatsheet, immunity-debugger-strcat, module, plugin, pycommand, python, readmemory, script, softice-debuger, tuto-immunity-debugger-python, tutorial-debugging-using-immunity

Exploit writing tutorial part 8 : Win32 Egg Hunting

Published January 9, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction Easter is still far away, so this is probably the right time to talk about ways to hunting for eggs (so you would be prepared when the easter bunny brings you another 0day vulnerability) In the first parts of this exploit writing tutorial series, we have talked about stack based overflows and how they […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged alpha2, alpha3, alphanumeric, asm, bad char, custom encoder, direct ret, egg, eip, encode, exploit, exploit writing, find shellcode, hunter, hunting, immunity, inject, isbadreadptr, marker, memory, metasploit, nasm, nop, ntdisplaystring, omelet, pvefindaddr, search, seh, shellcode, skape, skylined, small buffer, staged, tag, trampoline, tutorial, unicode, venetian, win32, win32_seh_omelet

Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc

Published November 6, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Finally … after spending a couple of weeks working on unicode and unicode exploits, I’m glad and happy to be able to release this next article in my basic exploit writing series : writing exploits for stack based unicode buffer overflows (wow – that’s a mouthful). You may (or may not) have encountered a situation […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 00410041, 0x00410041, 0x06, 0xeb, alpha2, BufferRegister, Building IA32 'Unicode-Proof' Shellcodes, chris anley, code page, Creating Arbitrary Shellcode in Unicode Expanded string, dave aitel, decoder, eax, eip, exploit, fx, msfencode, MultiByteToWideChar, nseh, null bytes, ollyuni, prepend, pvefindaddr, seh, shellcode, skylined, unicode, unicode jump seh, utf-16, utf-7, utf-8, venetian, vense.pl

About me

Published October 20, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Hi, My name is Peter Van Eeckhoutte. I was born in 1975 and spent my childhood in a small town called Vichte, Belgium. 14 years later, I got my first computer and about 5 years later I started working in a computer shop where I was responsible for the technical department, servers/network installations, etc… I […]

Tagged aslr-eip-partial-overwrite, cisco-debug-ios-fuzz, corelan, corelan-be-overflow-lesson-1, corelan-exploit-development-torrent, corelan-exploit-writing-tutorial-part-3a, corelan-peter, corelan-team-torrent, exploit-db-com-qarnode, ftp-fuzz, how-to-become-a-ciso-of-a-big-company, immdbg, Peter Van Eeckhoutte, peter-van-eeckhoutte-training, r-of-corelan-security, ruby-ftp-fuzz, sitecorelan-be-immdbg, thesprawl-org-sitethesprawl-org, torrent-offensive-security-exploit-development, win32-exploit-development-bootcamp-torrent

Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

Published September 21, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !aslrdynamicbase, 2003, 4141414, 8, access violation, add esp, address space layout randomization, adjust ebp, adjust esi, alwaysoff, alwayson, aslr, before function returns, buffer, buffer overflow, bypass, call, compiler, cookie, data execution prevention, dep, dword ptr, exception handler, exploit, gs, hack, handler, immdbg, immunity, jmp, jump, Kifastsystemcallret, ldrpchecknxcompatibility, linker, loaded module, mov al, moveimages, next seh, non exec, nseh, ntsetinformationprocess, nx, ollydbg, optin, optout, partial overwrite, plugin, prevention, processexecute, protection, protectvirtualmemory, pvefindaddr, pycommand, python, ret2libc, safeseh, saved ebp, saved eip, se handler, se structure, sehop, stack, stack overflow, switch, virtual function call, vista, windbg, windows 7, xd, xp

Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development

Published September 5, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the first parts of this exploit writing tutorial, I have mainly used Windbg as a tool to watch registers and stack contents while evaluating crashes and building exploits. Today, I will discuss some other debuggers and debugger plugins that will help you speed up this process. A typical exploit writing toolkit arsenal should at […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !aslrdynamicbase, !findtrampoline, address call, address jmp, aslr, buffer, byakugan, call esp, eip, esp, esp found, findreturn, found valid, hunt, identbuf, immdbg, immunity, jmp, jmp esp, jutsu, listbuf, memdiff, metasploit, msec, pattern_create, pattern_offset, pop, pycommand, ret, return address, rmbuf, safeseh, searchopcode, shellcode, valid return, vista

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Search Results for: metasploit

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Offensive Security Hacking Tournament – How strong was my fu ?

QuickZip Stack BOF 0day: a box of chocolates

Exploit writing tutorial part 9 : Introduction to Win32 shellcoding

Starting to write Immunity Debugger PyCommands : my cheatsheet

Exploit writing tutorial part 8 : Win32 Egg Hunting

Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc

About me

Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!