exploit

Exploit writing tutorial part 8 : Win32 Egg Hunting

Published January 9, 2010 |

Introduction Easter is still far away, so this is probably the right time to talk about ways to hunting for eggs (so you would be prepared when the easter bunny brings you another 0day vulnerability) In the first parts of this exploit writing tutorial series, we have talked about stack based overflows and how they […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged alpha2, alpha3, alphanumeric, asm, bad char, custom encoder, direct ret, egg, eip, encode, exploit, exploit writing, find shellcode, hunter, hunting, immunity, inject, isbadreadptr, marker, memory, metasploit, nasm, nop, ntdisplaystring, omelet, pvefindaddr, search, seh, shellcode, skape, skylined, small buffer, staged, tag, trampoline, tutorial, unicode, venetian, win32, win32_seh_omelet

Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc

Published November 6, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Finally … after spending a couple of weeks working on unicode and unicode exploits, I’m glad and happy to be able to release this next article in my basic exploit writing series : writing exploits for stack based unicode buffer overflows (wow – that’s a mouthful). You may (or may not) have encountered a situation […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 00410041, 0x00410041, 0x06, 0xeb, alpha2, BufferRegister, Building IA32 'Unicode-Proof' Shellcodes, chris anley, code page, Creating Arbitrary Shellcode in Unicode Expanded string, dave aitel, decoder, eax, eip, exploit, fx, msfencode, MultiByteToWideChar, nseh, null bytes, ollyuni, prepend, pvefindaddr, seh, shellcode, skylined, unicode, unicode jump seh, utf-16, utf-7, utf-8, venetian, vense.pl

Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

Published September 21, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !aslrdynamicbase, 2003, 4141414, 8, access violation, add esp, address space layout randomization, adjust ebp, adjust esi, alwaysoff, alwayson, aslr, before function returns, buffer, buffer overflow, bypass, call, compiler, cookie, data execution prevention, dep, dword ptr, exception handler, exploit, gs, hack, handler, immdbg, immunity, jmp, jump, Kifastsystemcallret, ldrpchecknxcompatibility, linker, loaded module, mov al, moveimages, next seh, non exec, nseh, ntsetinformationprocess, nx, ollydbg, optin, optout, partial overwrite, plugin, prevention, processexecute, protection, protectvirtualmemory, pvefindaddr, pycommand, python, ret2libc, safeseh, saved ebp, saved eip, se handler, se structure, sehop, stack, stack overflow, switch, virtual function call, vista, windbg, windows 7, xd, xp

Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics

Published August 12, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the first parts of the exploit writing tutorial, I have discussed some common vulnerabilities that can lead to 2 types of exploits : stack based buffer overflows (with direct EIP overwrite), and stack based buffer overflows that take advantage of SEH chains. In my examples, I have used perl to demonstrate how to build […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged buffer, check, custom vulnserver, encoder, exe, exe windows, exploit, exploit custom, Exploits, include, initialize, metasploit, meterpreter, module, msf, msf exploit, msf/core, offset, payload, port, print, rb, require, ruby, shellcode, socket, vulnserver, windows, windows system

Exploit writing tutorial part 3b : SEH Based Exploits – just another example

Published July 28, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the previous tutorial post, I have explained the basics of SEH based exploits. I have mentioned that in the most simple case of an SEH based exploit, the payload is structured like this : [Junk][next SEH][SEH][Shellcode] I have indicated that SEH needs to be overwritten by a pointer to “pop pop ret” and that […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged bof, buffer, corelan-be-seh, corelan-seh-tutorial, edx, eip, exploit, junk nseh, milw0rm, nseh, ollydbg, overflow, payload, perl, safeseh, seh, shellcode, stack, windbg, xcc

Exploit writing tutorial part 3 : SEH Based Exploits

Published July 25, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the first 2 parts of the exploit writing tutorial series, I have discussed how a classic stack buffer overflow works and how you can build a reliable exploit by using various techniques to jump to the shellcode. The example we have used allowed us to directly overwrite EIP and we had a pretty large […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !exploitable, buffer, buffer overflow, cygwin, dep, dll modload, exception, exception handler, exploit, exploit laboratory, fs:[0], handler, memdump, msec.dll, msfpescan, next seh, ollydbg, pop pop ret, safeseh, seh, shellcode, stack, stack overflow, teb, tib, windbg

Exploit writing tutorial part 1 : Stack Based Overflows

Published July 19, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Last friday (july 17th 2009), somebody (nick)named ‘Crazy_Hacker’ has reported a vulnerability in Easy RM to MP3 Conversion Utility (on XP SP2 En), via packetstormsecurity.org. (see http://packetstormsecurity.org/0907-exploits/). The vulnerability report included a proof of concept exploit (which, by the way, failed to work on my MS Virtual PC based XP SP3 En). Another exploit was […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 41414141, buffer, buffer overflow, buffersize, bytes, discover, ebp, eip, esp, exploit, exploit laboratory, exploit writing tutorial, hack, learn, metasploit, nop, nop sled, nop slide, overflow, pattern_create, pattern_offset, pop, push, register, saumil shah, shellcode, sk chong, stack, stack overflow, write

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Exploit writing tutorial part 8 : Win32 Egg Hunting

Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc

Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics

Exploit writing tutorial part 3b : SEH Based Exploits – just another example

Exploit writing tutorial part 3 : SEH Based Exploits

Exploit writing tutorial part 1 : Stack Based Overflows

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!