Search Results for: pat
Metasploit module : HTTP Form field fuzzer
Introduction About a month after releasing an ftp client fuzzer module for Metasploit, I decided to release yet another fuzzer module I have been working on over the last few weeks. This new module can be used to audit web servers/web server plugins/components/filters, by fuzzing form fields and optionally fuzz some header fields. While this […]
In Memory Fuzzing
Introduction In memory fuzzing is a technique that allows the analyst to bypass parsers; network-related limitations such as max connections, buit-in IDS or flooding protection; encrypted or unknown (poorly documented) protocol in order to fuzz the actual underlying assembly routines that are potentially vulnerable. Prior to the development of my fuzzing toolset, I was unsatisfied […]
Death of an ftp client / Birth of Metasploit modules
Over the past few weeks, Corelan Team has given its undivided attention to fuzzing ftp client applications.
Using a custom built ftp client fuzzer, now part of the Metasploit framework, the team has audited several ftp clients and applications that use an embedded client ftp component. One example of such an application is a tool that would synchronize / backup data from a computer to a remote ftp server.
The 3 main audit/attack vectors that were used during the “project” were
send back overly long responses to ftp commands / requests sent by the ftp client to the server
send back a file/directory listing that contains overly long file/folder names
try to download a file that has an overly long filename.
Continue reading
BruCON 2010 : Day 0x2
[WORKSHOP] – Malicious PDF Analysis I started the second day at BruCON with attending the workshop about analyzing malicious pdf files. Didier Stevens spared no expense and prepared an impressive lab, offering all sorts of pdf exercise files. Trying to squeeze in weeks and months of research into a 2 hour workshop, he managed to […]
BruCON 2010 : Day 0x1
After hearing a lot of great things about the first edition of BruCON (in 2009), I decided to attend the con this year. The fact that BruCON is gaining popularity and established a lot of recognition in the industry already, combined with the fact that it takes place in Brussels, Belgium (my home country), it […]
DLL Hijacking (KB 2269637) – the unofficial list
This page hosts an unofficial list of applications that are said to be vulnerable to the dll hijacking flaw (or feature or whatever you want to call it). Note that I did not test these applications myself. If you have found other applications to be vulnerable and want to add them to the list, send […]
Exploit notes – win32 eggs-to-omelet
In article 8 of my exploit writing series, I have introduced the concept of egg hunters, and explained what an omelet hunter is and how it works. Today, I want to share with you my own eggs-to-omelet implementation, explain how it works, and how you can use it in a standalone exploit or in a […]
ROP Gadgets
This page contains a collection of rop gadgets that can be found in commonly used Windows OS dll’s and common applications. All gadget text files were generated with pvefindaddr. If you are building a rop based exploit and want to use rop gadgets from one of those dll’s, you can simply download the text files […]
How strong is your fu : Hacking for charity
Last weekend, Offensive Security hosted their second cyber hacking challenge, called “HSIYF For Charity”. The goal of this challenge was to raise money for Johnny Long’s “Hackers for Charity” project, a charity organization that tries to feed children, build computer labs etc in East Africa. Each challenger had to donate $49 to be able to […]
Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube
About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to learn the basics about exploit development, starting from scratch (targeting people without any knowledge about exploit development) you have most likely discovered that the more recent tutorials continue to build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s tutorial is no different. I will continue to build upon everything we have seen and learned in the previous tutorials. Today I will talk about ROP and how it can be used to bypass DEP (and ASLR)…
Continue reading
Donate
Your donation will help funding server hosting.
