pdf | Corelan Cybersecurity Research - Part 2Corelan Cybersecurity Research

Search Results for: pdf

Exploit writing tutorial part 11 : Heap Spraying Demystified

Published December 31, 2011 |

A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions.
Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail.
Of course, you can probably derive how it works by looking at those public exploits.

With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms.
I’ll start with some “ancient” techniques (or classic techniques if you will) that can be used on IE6 and IE7.
We’ll also look at heap spraying for non-browser applications.
Next, we’ll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged 0c0c0c0c, actionscript, adobe, bmp, bstr, corelan, debugger, dep, exploit, exploit writing tutorial, firefox, freelists, gadget, gzip, heap, heapcreate, heaplib, image, immunity, internet explorer, javascript, lookasidelist, low fragmentation heap, metasploit, mona.py, moshe ben abu, pdf, pivot, return oriented programming, rop, ruby, sotirov, spray, string, substring, trancer, virtualalloc, vtable, windbg

Many roads to IAT

Published December 1, 2011 |

By Dinos

A few days ago a friend approached me and asked how he could see the import address table under immunity debugger and if this could be done using the command line.

I figured this would be a good time to take a look at what the IAT is, how we can list the IAT and what common reversing hurdles could be with regards to the IAT.
Continue reading →

Posted in Malware and Reversing | Tagged corelan, iat, ida, immunity, import address directory, import address table, impre, lordpe, monaida-plugin, ollydbg, python, rebuild iat, reconstruct, resetsearchinindex-ps1, restore, reverse, reverse engineering, reversing, view names, windbg

WoW64 Egghunter

Published November 18, 2011 |

By Corelan Team (Lincoln)

Traditional Egghunter An Egghunter is nothing more than an assembly routine to find shellcode somewhere in memory. We typically deploy an Egghunter when there is no more room in our buffer that we can use to initially redirect EIP to. If we are able to load our shellcode elsewhere in process memory, the Egghunter will […]

Posted in 001_Security, Exploit Writing Tutorials, Uncategorized | Tagged 32bit, 64bit, access violation, dep, egg, egghunter, fs, hunter, int2, interrupt, matt miller, metasploit, nasm, ntaccesscheckandauditalarm, omelet, shellcode, skape, syscall, sysenter, tag, teb, virtualalloc, virtualprotect, w00t, wow64

Mona 1.0 released !

Published June 16, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

FINALLY !
After spending almost 6 months of designing, developing and testing, and after ‘surviving’ 2 presentations (at AthCon and Hack In Paris), I am extremely excited and proud to present, on behalf of the entire Corelan Team, the general availability of mona.py.

With this announcement, we also declare pvefindaddr officially dead from this point forward. (This doesn’t mean pvefindaddr is now entirely worthless, because not all functions have been ported into mona yet, but we won’t be releasing any updates to pvefindaddr anymore and the entire project page/download page will eventually disappear)
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits, Uncategorized | Tagged eip, exploit, gadget, immunity, immunity debugger, immunitydbg-mona-example, immunitydbg-search-for-rop, mona, mona-corelan, mona-corelan-bad-characters, mona-download, mona-py-search-for-pointers, mona-py-youku, mona.py, monapy, pvefindaddr, pycommand, return oriented programming, rop, rop automation

Cheat sheet : Installing Snorby 2.2 with Apache2 and Suricata with Barnyard2 on Ubuntu 10.x

Published February 27, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

After spending a few hours fighting a battle against Snorby and Apache2 + Passenger, I finally managed to get it to run properly on my Ubunty 10.x box (32bit). Looking back, I figured I might not be the only one who is having issues with this.

So I decided to publish the notes I took while setting everything up, and as a little bonus, explain how to install and configure Suricata as well (configured in combination with barnyard2 which will pick up local logs and send them to the remote MySQL server).
Continue reading →

Posted in 001_Security, Linux and Unix, Networking, Papers | Tagged a2enmod, apache2, apt-get, barnyard, bind-address, bundle install, cheat sheet, cheatsheet, configuration, daily cache, database.yml, emerging, emerging-threats, ezprint, gem, HOME_NET, ids, installation, ips, libhtp-0.2.so.1, my.cnf, mysql, passenger, passenger-install-apache2-module, passenger.conf, passenger.load, PassengerRoot, PassengerRuby, procedure, qt patch, rails, ruby, sensor cache, setup, snorby, snorby_config.yml, snort, step by step, suricata, ubuntu, unified2.alert, waldo, wkhtmltopdf, www.testmyids.com

The Honeypot Incident – How strong is your UF (Reversing FU)

Published January 31, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Interested in capturing, documenting and analyzing scans and malicious activity, Corelan Team decided to set up a honeypot and put it online. In the first week of december 2010, Obzy built a machine (default Windows XP SP3 installation, no patches, firewall turned off), named it “EGYPTS-AIRWAYS”, set up a honeypot + some other monitoring tools, and connected it to the internet.
Continue reading →

Posted in 001_Security, Exploits, Malware and Reversing | Tagged analysis, anti, challenge, compromise, conficker, corelan, debugger, debugging, engineer, game, honeypot, how strong is you uf, iat, isdebuggerpresent, malware, ms08-067, netapi, peb, reverse, reversing, svchost.ee, worm

Offensive Security Exploit Weekend

Published November 13, 2010 |

By Sud0

Introduction I’m excited and honored to be able to announce that Sud0, one of our Corelan Team members, has won the Offensive Security Exploit weekend, an exploiting exercise only available to Offensive Security certified alumni. The challenge was built around a vulnerability in Foxit Reader. Each participant was pointed to a Proof of Concept exploit, […]

Posted in 001_Security, Exploits | Tagged alpha2, corelan, ecx, esp, exploit, foxit, metasploit, msfpayload, nseh, offensive security, offsec, payload, pdf, pointer, seh, shellcode, skylined, stub, sud0, unicode, venetian, weekend, writeable, writeable location

BruCON 2010 : Day 0x2

Published September 25, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

[WORKSHOP] – Malicious PDF Analysis I started the second day at BruCON with attending the workshop about analyzing malicious pdf files. Didier Stevens spared no expense and prepared an impressive lab, offering all sorts of pdf exercise files. Trying to squeeze in weeks and months of research into a 2 hour workshop, he managed to […]

Posted in 001_Security, Cons and Seminars | Tagged 2010, ascure, backdoor, brucon, code, dale, didier, files, hacking, hex, hex factor, lightning, malicious, malicious code, matias, might, might help, nlp, pdf, stevens, talk, target, techniques

BruCON 2010 : Day 0x1

Published September 23, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

After hearing a lot of great things about the first edition of BruCON (in 2009), I decided to attend the con this year. The fact that BruCON is gaining popularity and established a lot of recognition in the industry already, combined with the fact that it takes place in Brussels, Belgium (my home country), it […]

Posted in 001_Security, Cons and Seminars | Tagged 001_Security, attack, brucon, brussels, code, cybercrime, cyberwar, gsm, hex factor, iftach, ips, malicious, mitm, mobile, network, pentester, phone, session key, systems, virus, viruses, waf

DLL Hijacking (KB 2269637) – the unofficial list

Published August 25, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

This page hosts an unofficial list of applications that are said to be vulnerable to the dll hijacking flaw (or feature or whatever you want to call it). Note that I did not test these applications myself. If you have found other applications to be vulnerable and want to add them to the list, send […]

Posted in 001_Security, Exploits | Tagged 2269637, 3-0-csl-2264107, applications, camtasia-studio-res-dll, corel-draw-wow64-official-site, corelan-be, corelean-buffer-overflow, dll, dll hijack, dll hijacking, download-kb-2269637, hijack, hijack-dll-guid, j2k-dll-dll, kb2269637, lotus-notes-address-book-hijacked, metasploit-windows-7-home-premium-6-1, pvefindaduser-exe, vulnerable, windows-7-home-premium-metasploit

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Search Results for: pdf

Exploit writing tutorial part 11 : Heap Spraying Demystified

Many roads to IAT

WoW64 Egghunter

Mona 1.0 released !

Cheat sheet : Installing Snorby 2.2 with Apache2 and Suricata with Barnyard2 on Ubuntu 10.x

The Honeypot Incident – How strong is your UF (Reversing FU)

Offensive Security Exploit Weekend

BruCON 2010 : Day 0x2

BruCON 2010 : Day 0x1

DLL Hijacking (KB 2269637) – the unofficial list

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!