{"id":9215,"date":"2012-05-25T11:30:20","date_gmt":"2012-05-25T09:30:20","guid":{"rendered":"https:\/\/www.corelan.be\/?p=9215"},"modified":"2012-05-25T11:30:20","modified_gmt":"2012-05-25T09:30:20","slug":"hitb2012ams-day-2-postscript-danger-ahead","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/","title":{"rendered":"HITB2012AMS Day 2 - PostScript - Danger Ahead"},"content":{"rendered":"<p>Good morning everyone, welcome back to Hack In The Box 2012 Amsterdam!<\/p>\n<p>Before looking at the first talk that I attended today, I would like to mention that you can find copies of the talks and materials on the hitb.org website. \u00a0 Files are made available right after a talk or lab finishes; you can find them at: \u00a0<a href=\"http:\/\/conference.hitb.org\/hitbsecconf2012ams\/materials\/\">http:\/\/conference.hitb.org\/hitbsecconf2012ams\/materials\/<\/a><\/p>\n<p>In addition to that, make sure to check out the following sites for more coverage on Hack In The Box:<\/p>\n<ul>\n<li><a href=\"http:\/\/blog.rootshell.be\/2012\/05\/24\/hitb-amsterdam-wrap-up-day-1\/\">http:\/\/blog.rootshell.be\/2012\/05\/24\/hitb-amsterdam-wrap-up-day-1\/<\/a><\/li>\n<li>http:\/\/www.cupfighter.net\/index.php\/category\/conferences\/hitb2012ams\/<\/li>\n<\/ul>\n<h3>PostScript - Danger Ahead - Hacking MFPs, PCs and beyond<\/h3>\n<p>Born and raised in Moldova, Andrei is a Computer Science graduate of the Polytechnic University of Bucharest where he did his thesis work in Biometrics and Image Processing. He is the author of the MiFare Classic Universal toolKit (MFCUK), the first publicly available (FOSS) card-only key cracking tool for the MiFare Classic RFID card family. \u00a0You can find some of his previous work at http:\/\/andreicostin.com\/papers.<\/p>\n<h4>Introduction<\/h4>\n<p>Multifunctional Printers (MFPs) carry large abuse potential. 
\u00a0People send confidential data to these devices. \u00a0They are part of the internal network, a trusted resource, often have LDAP integration with Active Directory, and usually don't have patch\/vulnerability management. \u00a0In some cases, some of these devices are even directly accessible from the internet. \u00a0 The history of hacking MFPs goes back to the 1960s, Andrei continues. \u00a0Back then, hacking was more focused on the electro-mechanical aspect of the device. \u00a0 After doing a quick scan on the internet in 2010, Andrei was able to find and map out a huge number of devices on the internet.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_104555_303.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_104555_303.jpg\" alt=\"Rps20120525 104555 303\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>Some printer drivers integrate with, for example, office applications, and other (management) apps allow you to interact with the printer. In other words, there must be some API that accepts certain streams sent to the printer, and those streams could be malicious. \u00a0Payloads can get delivered via Java\u2026 in short, Andrei mentions that you should think twice before printing in certain scenarios.<\/p>\n<h4>What about PostScript?<\/h4>\n<p>PostScript was introduced by Adobe in 1985. \u00a0It is one of the first languages to interact with the printer. \u00a0It's built to handle complex processing tasks. \u00a0It's a programming language. \u00a0You can run all kinds of things against\/on a printer. \u00a0 PostScript started out with graphics &amp; patterns, but its use later extended to include web servers, XML parsers, ray-tracing, milling machines and so on.<\/p>\n<p>PostScript is not just a static data stream, text or image. 
\u00a0It's a<\/p>\n<ul>\n<li>dynamically typed<\/li>\n<li>stack-based<\/li>\n<li><strong>Turing-complete!<\/strong><\/li>\n<li>programming language<\/li>\n<\/ul>\n<p>Usually, when a user wants to print a document, he\u00a0writes the doc and hits \"Print\". \u00a0The PS printer driver transforms it into a PS stream for a specific device and the PS data stream is sent to the printer.<\/p>\n<p>When the user opens a PS file (email\/harddrive), the PC-based PS interpreter processes it (renders it, in a sandboxed environment), and the PS data stream gets executed on the PC. \u00a0 \u00a0In both cases, the PS data stream IS a PS program, Andrei emphasizes. \u00a0It's not static data. \u00a0On top of that, a lot of applications might have an interpreter\/renderer for PostScript, even if you don't know it. \u00a0Office, for example, has an embedded interpreter.<\/p>\n<p>Andrei shows a simple demo, using a simple infinite loop to demonstrate a Denial of Service condition.\u00a0Because it's a program, IDS\/IPS solutions won't work. You actually need an execution sandbox to determine if a PostScript file is fine or not. \u00a0 To demonstrate PostScript's dynamic statement construction and execution abilities, he used another simple PS script:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"20120525_105005.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/20120525_105005.jpg\" alt=\"20120525 105005\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>If you save this file as an EPS file and try to insert it into MS Word as a picture, Word hangs. \u00a0In some cases, you can even make the application crash.<\/p>\n<p>As part of his academic work, Andrei is currently working on building a dynamic execution sandbox for PostScript, which might get released in the weeks to come.<\/p>\n<p>By opening a .ps file, using some custom extensions, you might even be able to directly communicate with the printer. 
\u00a0 PostScript is a language, so you are even able to detect the environment where the code is running, whether it's an application or directly on a printer. \u00a0This way, the PS script can include functionality that uses some kind of social engineering trick (showing an image or so) to try to lure the user into printing the document directly on the printer instead (using the printer web GUI: upload the file, print).<\/p>\n<p>Usually, when a user opens a document and prints it, he expects the printout to be the same. Not a lot of people actually verify and confirm that the printed document is exactly the same. If you're printing a contract that contains figures\/numbers, and the numbers get changed on the printer, you might get into trouble.<\/p>\n<h4>Where can we find PostScript?<\/h4>\n<p>We can find PostScript in a lot of applications, including CUPS, GIMP, TeX, MS Office, Adobe, printers. \u00a0 The engines used are GhostScript, Access Softek (MS), Adobe, and some other vendors. \u00a0GhostScript\/MS Office and Adobe apps are typically found on client devices. \u00a0We can also find components on print servers, and of course printers also include PS support.<\/p>\n<h4>PostScript Web 2.0<\/h4>\n<p>PostScript made it to the web. \u00a0Around 20+ services were found to be vulnerable to varying degrees (including Google). \u00a0 These services are effective for host exploitation and information gathering. \u00a0Some of the vulnerable services, Andrei continues, had GhostScript running as root. \u00a0Some ran GS without -dSAFER. \u00a0All of them ran vulnerable GS versions, containing heap and stack buffer overflows.<\/p>\n<h4>What else was found?<\/h4>\n<p>As part of his printer research, he found ways to send things to printers. \u00a0Once you know how to send things to printers, you need a payload. \u00a0PCL and PS are the 2 obvious choices. PCL is not a language, so PS is the preferred choice. 
\u00a0He discovered that some XEROX printers support PS-based firmware. \u00a0He looked for the PS firmware files, discovered that they are not really obfuscated, and was able to reverse some of their functionality.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_110646_239.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_110646_239.jpg\" alt=\"Rps20120525 110646 239\" width=\"600\" height=\"413\" border=\"0\" \/><\/p>\n<p>If you can get access to RAM, you get everything. \u00a0 Andrei goes on to mention that he discovered that the admin restriction fails to prevent memory dumping. \u00a0 Imagine the admin logs on to the device. \u00a0If the authentication GET URL contains the password, it will be stored in memory somewhere. In other words, you might be able to \"sniff\" the admin password by dumping internal memory. \u00a0The same thing applies if the password is simply base64 encoded. \u00a0 In other words, even if access to the admin page is protected with HTTPS, you might be able to get the password. Andrei shows an example where he could even find the private key for HTTPS in memory.<\/p>\n<p>Regardless of how well the network between the user and the printer is protected, or even if the printer supports encrypted documents, the document needs to be decrypted inside the printer, becoming clear text again. \u00a0This certainly provides you with a false sense of security.<\/p>\n<p>Andrei continues by showing a demo against a XEROX printer (issue not fixed yet).\u00a0To communicate with a printer, the printer driver will set up a TCP connection to port 9100 on the printer, and exchange data. \u00a0To protect printing of confidential documents, lots of printers support the use of passwords. \u00a0The user needs to walk over to the printer and enter the password to get the document. \u00a0 This password is usually stored in the generated PS file and sent to the printer. 
\u00a0Once the document is sent, the attacker could connect to the same TCP port, and run a memory dumper to get all data, the passwords, and information about the document, and so on.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_111912.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_111912.jpg\" alt=\"Rps20120525 111912\" width=\"600\" height=\"282\" border=\"0\" \/><\/p>\n<p>Besides getting document information, an attacker can use the printer as a hop point, and use built-in SDP\/UPnP functionality to further map the network, as demonstrated by Andrei. \u00a0You might even be able to send malicious documents from one printer to another, and create a self-spreading worm.<\/p>\n<p>Summing things up, there's a lot of work that needs to be done to protect against this kind of attack:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_112410_402.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_112410_402.jpg\" alt=\"Rps20120525 112410 402\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>A large number of Xerox printers share the affected PS firmware update mechanism. Xerox is still struggling to fix the issues.<\/p>\n<p>From an attack perspective, these are just a couple of possible scenarios:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" title=\"rps20120525_112603_544.jpg\" src=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_112603_544.jpg\" alt=\"Rps20120525 112603 544\" width=\"600\" height=\"450\" border=\"0\" \/><\/p>\n<p>One of the ways to prevent issues, as mentioned earlier, is to build a\u00a0Secure PostScript Execution\/Interpreter Sandbox (Andrei is working on this),\u00a0containing a set of online\/offline tools for analysis &amp; reporting,\u00a0Wepawet-like, but for PostScript-related data.<\/p>\n<h3>Takeaways<\/h3>\n<p>In general, MFPs are badly secured computing platforms with large abuse potential. 
\u00a0Upcoming MFP attacks could include viruses in MS Office files and PS documents that extract organization data. \u00a0Securing the MFP infrastructure requires better segmentation, strong credentials and continuous vulnerability patching.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Good morning everyone, welcome back at Hack In The Box 2012 Amsterdam ! Before looking at the first talk that I attended today, I would like to mention that you can find copies of the talks and materials on the hitb.org website. \u00a0 Files are made available right after a talk or lab finishes, you &hellip; <a href=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"HITB2012AMS Day 2 - PostScript - Danger Ahead\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[2250],"tags":[2775,204],"class_list":["post-9215","post","type-post","status-publish","format-standard","hentry","category-cons-seminars","tag-hitb","tag-backtrack"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>HITB2012AMS Day 2 - PostScript - Danger Ahead - Corelan | Exploit Development &amp; Vulnerability 
Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"HITB2012AMS Day 2 - PostScript - Danger Ahead - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Good morning everyone, welcome back at Hack In The Box 2012 Amsterdam ! Before looking at the first talk that I attended today, I would like to mention that you can find copies of the talks and materials on the hitb.org website. \u00a0 Files are made available right after a talk or lab finishes, you &hellip; Continue reading &quot;HITB2012AMS Day 2 - PostScript - Danger Ahead&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2012-05-25T09:30:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_104555_303.jpg\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"HITB2012AMS Day 2 - PostScript - Danger Ahead\",\"datePublished\":\"2012-05-25T09:30:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/\"},\"wordCount\":1486,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/rps20120525_104555_303.jpg\",\"keywords\":[\"hitb\",\"backtrack\"],\"articleSection\":[\"Cons and Seminars\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/\",\"name\":\"HITB2012AMS Day 2 - PostScript - Danger Ahead - Corelan | Exploit Development &amp; Vulnerability 
Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/rps20120525_104555_303.jpg\",\"datePublished\":\"2012-05-25T09:30:20+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/rps20120525_104555_303.jpg\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2012\\\/05\\\/rps20120525_104555_303.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2012\\\/05\\\/25\\\/hitb2012ams-day-2-postscript-danger-ahead\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"HITB2012AMS Day 2 &#8211; PostScript &#8211; Danger Ahead\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, 
vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity 
Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"HITB2012AMS Day 2 - PostScript - Danger Ahead - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/","og_locale":"en_US","og_type":"article","og_title":"HITB2012AMS Day 2 - PostScript - Danger Ahead - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"Good morning everyone, welcome back at Hack In The Box 2012 Amsterdam ! Before looking at the first talk that I attended today, I would like to mention that you can find copies of the talks and materials on the hitb.org website. \u00a0 Files are made available right after a talk or lab finishes, you &hellip; Continue reading \"HITB2012AMS Day 2 - PostScript - Danger Ahead\"","og_url":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2012-05-25T09:30:20+00:00","og_image":[{"url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_104555_303.jpg","type":"","width":"","height":""}],"author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"HITB2012AMS Day 2 - 
PostScript - Danger Ahead","datePublished":"2012-05-25T09:30:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/"},"wordCount":1486,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_104555_303.jpg","keywords":["hitb","backtrack"],"articleSection":["Cons and Seminars"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/","url":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/","name":"HITB2012AMS Day 2 - PostScript - Danger Ahead - Corelan | Exploit Development &amp; Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/#primaryimage"},"image":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/#primaryimage"},"thumbnailUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_104555_303.jpg","datePublished":"2012-05-25T09:30:20+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/#primaryimage","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2012\/05\/rps20120525_104555_303.jpg","contentUrl":"https:\/\/www.corelan.be\/wp-co
ntent\/uploads\/2012\/05\/rps20120525_104555_303.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2012\/05\/25\/hitb2012ams-day-2-postscript-danger-ahead\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"HITB2012AMS Day 2 &#8211; PostScript &#8211; Danger Ahead"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity 
Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. 
Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":2511,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9215","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=9215"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/9215\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=9215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=9215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=9215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}