Posts:

Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2 !!

Ho Ho Ho friends,

It has been a while since we posted something on the Corelan Team blog, I guess we all have been busy doing … stuff and things, here and there.  Nevertheless, as the year is close Read more

Read More

HITB2012AMS Day 1 – One Flew Over The Cuckoos Nest

One Flew Over The Cuckoos Nest – Automated Malware Analysis

Claudio Guarnieri, senior researcher at iSight Partner, and part of the Shadowserver Foundation and the HoneyPot project.  He works with malware on a daily basis, maintains malwr.com Read more

Read More

Debugging Fun – Putting a process to sleep()

Recently I played with an older CVE (CVE-2008-0532, http://www.securityfocus.com/archive/1/489463, by FX) and I was having trouble debugging the CGI executable where the vulnerable function was located. Read more
Read More

Many roads to IAT

A few days ago a friend approached me and asked how he could see the import address table under immunity debugger and if this could be done using the command line. I figured this would be a good time to take a look at what the IAT is, how we can list the IAT and what common reversing hurdles could be with regards to the IAT. Read more
Read More

mona.py – the manual

This document describes the various commands, functionality and behaviour of mona.py. Released on june 16, this pycommand for Immunity Debugger replaces pvefindaddr, solving performance issues and offering numerous new features. pvefindaddr will still be available for download until all of its functionality has been ported over to mona. Read more
Read More

Honeynet Workshop 2011

March 21th I was in Paris for the annual Honeynet Workshop. For the first time this year there was a conference day accessible to the general public. Moreover, I didn't have to pay the registration fee since I successfully completed one of the Honeynet Forensics challenges. The day was split in 4 sessions and had talks covering the Honeynet projects, malware, and ethical and legal considerations of tracking botnets and eventual take-downs. Read more
Read More

In Memory Fuzzing

Introduction

In memory fuzzing is a technique that allows the analyst to bypass parsers; network-related limitations such as max connections, buit-in IDS or flooding protection; encrypted or unknown (poorly documented) protocol in order to fuzz the actual underlying assembly Read more

Read More

Starting to write Immunity Debugger PyCommands : my cheatsheet

When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to Read more

Read More

Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

Introduction

In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server.

The success of all of these exploits (whether they are based on direct Read more

Read More