exploit

BlackHat Europe 2011 / Day 01

Published March 17, 2011 |

After having breakfast, chatting with ping and hanging out with @kokanin, @xme and @wimremes, it was time to start attending the various talks.
So, as promised in yesterdays preview, what follows is the report of my first day at Black Hat Europe 2011.
Continue reading →

Posted in 001_Security, Cons and Seminars | Tagged 2011, andres riancho, barcelona, blackhat, blackhat europe, briefings, chris valasek, conference, exploit, fixation, hacking, ID, metasploit, nitesh dhanjani, rapid7, Raul Siles, ryan smith, seminar, session, tom keetch, w3af

Hack Notes : ROP retn+offset and impact on stack setup

Published January 30, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Yesterday, sickn3ss (one of the frequent visitors of the #corelan channel on freenode IRC) posted a really interesting question. The question While testing ROP gadgets, as part of the process of building a DEP bypass exploit for WM Downloader, he wanted to know if there is a way to predict the required padding needed to […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged align-padding, align-padding-exploit-tutorial, esp, exploit, gadget, gadget pointer, mona-pop-pop-ret, next pointer, offset, pop-ebp-retn, retn, retn+offset, return oriented programming, rop, rop-hack, rop-stack, sickn3ss, stack, stack-alignment-for-exploitation, stack-padding-exploit

Case Study: SolarWinds Orion (video)

Published December 14, 2010 |

By Corelan Team (Lincoln)

Special Thanks: To my wife for putting up with my crap. Also SolarWinds for keeping an open communication while fixing the issue. And of course… Corelan Team :P Audio: Many thanks to DJ Great Scott for supplying me with the music. Definitely check out some of his work! http://soundcloud.com/greatscott http://glitch.fm/ Music in Video: Defcon (Samples […]

Posted in 001_Security, Exploits, Private | Tagged activex, bug, execute, exploit, great scott, lincoln, link track, memcpy, orion-solarwinds-video-tutorials, payload, remix, remix link, solarwinds, solarwinds orion, track video, variables developing, video, video based, video defcon, work soundcloud

Offensive Security Exploit Weekend

Published November 13, 2010 |

By Sud0

Introduction I’m excited and honored to be able to announce that Sud0, one of our Corelan Team members, has won the Offensive Security Exploit weekend, an exploiting exercise only available to Offensive Security certified alumni. The challenge was built around a vulnerability in Foxit Reader. Each participant was pointed to a Proof of Concept exploit, […]

Posted in 001_Security, Exploits | Tagged alpha2, corelan, ecx, esp, exploit, foxit, metasploit, msfpayload, nseh, offensive security, offsec, payload, pdf, pointer, seh, shellcode, skylined, stub, sud0, unicode, venetian, weekend, writeable, writeable location

Death of an ftp client / Birth of Metasploit modules

Published October 12, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Over the past few weeks, Corelan Team has given its undivided attention to fuzzing ftp client applications.

Using a custom built ftp client fuzzer, now part of the Metasploit framework, the team has audited several ftp clients and applications that use an embedded client ftp component. One example of such an application is a tool that would synchronize / backup data from a computer to a remote ftp server.

The 3 main audit/attack vectors that were used during the “project” were

send back overly long responses to ftp commands / requests sent by the ftp client to the server
send back a file/directory listing that contains overly long file/folder names
try to download a file that has an overly long filename.
Continue reading →

Posted in 001_Security, Exploits | Tagged client, egg hunter, exploit, Exploits, file, ftp, ftp client, ftp server, fuzzer, metasploit, mixin, module, msf, msf exploit, omelet, payload, payloag-egghunter-metasploit, reply, server, svn

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Published June 16, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to learn the basics about exploit development, starting from scratch (targeting people without any knowledge about exploit development) you have most likely discovered that the more recent tutorials continue to build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s tutorial is no different. I will continue to build upon everything we have seen and learned in the previous tutorials. Today I will talk about ROP and how it can be used to bypass DEP (and ASLR)…
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 41414141, access violation, add esp, alwaysoff, alwayson, aslr, awe, breakpoint, bypass, C0000005, call, code reuse, dep, dep policy, egg, egg hunter, exploit, exploit writing, gadget, heapcreate, immunity debugger, jop, jump oriented programming, memcpy, ntsetinformationprocess, nx, offset, optin, optout, pae, permanent dep, pvefindaddr, register, return oriented programming, rop, rop gadget, setprocessdeppolicy, stack, stack pivot, time-line, virtualalloc, virtualprotect, WinExec, writeprocessmemory, xd

Ken Ward Zipper exploit write-up on abysssec.com

Published March 22, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Hi all, I just wanted to drop a few lines to let you know that, earlier today, my exploit write-up article about this vulnerability was published on www.abysssec.com. You can find the article here : http://www.abysssec.com/blog/2010/03/ken-ward-zipper-stack-bof-0day-a-not-so-typical-seh-exploit/ Enjoy !

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged abyssec-com, abyssec-exploit, abysssec, abysssec-com-exploit-devalopment, abysssec-security, bof, exploit, httpabysssec-com, httpabysssec-comblogtagsafeseh, inurlexploit1intextmysql, ken ward, ken-ward-zipper-exploit, ken-ward-zipper-exploit-write-up-on-abysssec-com, ken-ward-zipper-offensive-security, seh, stack, wahtis-zipper, zip, zipper, zipper exploit

QuickZip exploit article part 2 released on OffSec Blog

Published March 15, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Hi all. I just wanted to drop a quick note that I have released part 2 of the QuickZip 0day vulnerability exploit on the Offensive Security Blog just a few moments ago. You can find the article here. Have fun & cheers !

Posted in 001_Security, Exploit Writing Tutorials | Tagged corelan-heap-spray, exploit, exploit article, exploit offensive, fun cheers, note released, offensive, offensive security, offsec blog, part quickzip, part released, quickzip, quickzip day, quickzip exploit, quickzip stack, released offsec, security blog, stack bof, vulndev, vulndev quickzip

corelanc0d3r featured on Offensive Security Blog

Published March 7, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

A few moments ago I published a detailed write-up, explaining the steps I took to build a 0day exploit for a zip file handling bug in QuickZip, on the Offensive Security blog. You can read the article here : http://www.offensive-security.com/blog/vulndev/quickzip-stack-bof-0day-a-box-of-chocolates/

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 0day, corelanc0d3r, corelanc0d3r-exploit, corelanc0d3r-exploit-writing-tutorial, corelanc0d3r-tutorial, corelanc0d3rs-exploit-dev-cheat-sheet, corelanc0d3rs-exploit-dev-cheatsheet, corlanc0d3r, exploit, how-strong-is-your-fu-writeup-corelan, offensive security, offensive-security-article, offensive-security-seh, offensive-security-tutorial, offensive-security-tutorials, offsec, offsec-blogspot, quickzip, seh, tutorial-offensive-security-forum

Exploit writing tutorial part 9 : Introduction to Win32 shellcoding

Published February 25, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Over the last couple of months, I have written a set of tutorials about building exploits that target the Windows stack. One of the primary goals of anyone writing an exploit is to modify the normal execution flow of the application and trigger the application to run arbitrary code… code that is injected by the […]

Posted in 001_Security, Exploit Writing Tutorials | Tagged asm, assembly, bad chars, beta3, bits 32, bytecode, calc, charset limitation, decoder, encoder, ExitFunc, ExitProcess, ExitThread, exploit, exploit writing, find function, fstenv, fstenv_mov, GetProcess, hash, intel, introduction win, kernel32, loadlibraryA, loopd, MessageBoxA, metasploit, nasm, null bytes, opcode, part introduction, peb, pvefindaddr, pvereadbin.pl, pvewritebin.pl, seh, shellcode, shikata_ga_nai, skylined, topstack, tutorial part, user32, w32-testival, win shellcoding, win32, WinExec, writing, writing tutorial, x86

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

BlackHat Europe 2011 / Day 01

Hack Notes : ROP retn+offset and impact on stack setup

Case Study: SolarWinds Orion (video)

Offensive Security Exploit Weekend

Death of an ftp client / Birth of Metasploit modules

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Ken Ward Zipper exploit write-up on abysssec.com

QuickZip exploit article part 2 released on OffSec Blog

corelanc0d3r featured on Offensive Security Blog

Exploit writing tutorial part 9 : Introduction to Win32 shellcoding

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!