001_Security

BlackHat EU 2012 – Day 1

Published March 14, 2012 |

Introduction – Back in Amsterdam ! After a 2 year detour in Barcelona, BlackHat Europe has returned to Amsterdam again this year. After spending a few hours on the train, checking in at The Grand Hotel Krasnapolsky, getting my ‘media’ badge (thank you BlackHat) & grabbing a delegate bag, and finally working my way […]

Posted in Cons and Seminars | Tagged amsterdam, blackhat, blackhat europe, briefings, exist-db, injection, interception, jeff jarmoc, krasnapolsky, lfi, mac framework, mac osx, php, proxy, rfi, sandbox, streams, trustedBSD, vincenzo, xpath, xquery

Debugging Fun – Putting a process to sleep()

Published February 29, 2012 |

By Corelan Team (Lincoln)

Recently I played with an older CVE (CVE-2008-0532, http://www.securityfocus.com/archive/1/489463, by FX) and I was having trouble debugging the CGI executable where the vulnerable function was located.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Malware and Reversing, Uncategorized | Tagged cgi, corelan, corelan team, cve-2008-0532, debugger, entrypoint, f, function, fx, hook, immunity, isdebuggerpresent, jit, just in time, loop, pefile, python, rva, sleep, www-corelan-be

Exploit writing tutorial part 11 : Heap Spraying Demystified

Published December 31, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions.
Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail.
Of course, you can probably derive how it works by looking at those public exploits.

With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms.
I’ll start with some “ancient” techniques (or classic techniques if you will) that can be used on IE6 and IE7.
We’ll also look at heap spraying for non-browser applications.
Next, we’ll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged 0c0c0c0c, actionscript, adobe, bmp, bstr, corelan, debugger, dep, exploit, exploit writing tutorial, firefox, freelists, gadget, gzip, heap, heapcreate, heaplib, image, immunity, internet explorer, javascript, lookasidelist, low fragmentation heap, metasploit, mona.py, moshe ben abu, pdf, pivot, return oriented programming, rop, ruby, sotirov, spray, string, substring, trancer, virtualalloc, vtable, windbg

Many roads to IAT

Published December 1, 2011 |

By Dinos

A few days ago a friend approached me and asked how he could see the import address table under immunity debugger and if this could be done using the command line.

I figured this would be a good time to take a look at what the IAT is, how we can list the IAT and what common reversing hurdles could be with regards to the IAT.
Continue reading →

Posted in Malware and Reversing | Tagged corelan, iat, ida, immunity, import address directory, import address table, impre, lordpe, monaida-plugin, ollydbg, python, rebuild iat, reconstruct, resetsearchinindex-ps1, restore, reverse, reverse engineering, reversing, view names, windbg

WoW64 Egghunter

Published November 18, 2011 |

By Corelan Team (Lincoln)

Traditional Egghunter An Egghunter is nothing more than an assembly routine to find shellcode somewhere in memory. We typically deploy an Egghunter when there is no more room in our buffer that we can use to initially redirect EIP to. If we are able to load our shellcode elsewhere in process memory, the Egghunter will […]

Posted in 001_Security, Exploit Writing Tutorials, Uncategorized | Tagged 32bit, 64bit, access violation, dep, egg, egghunter, fs, hunter, int2, interrupt, matt miller, metasploit, nasm, ntaccesscheckandauditalarm, omelet, shellcode, skape, syscall, sysenter, tag, teb, virtualalloc, virtualprotect, w00t, wow64

Corelan T-Shirt Contest – Derbycon 2011

Published September 14, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

September is going to be a busy month.

With Brucon approaching very fast and Derbycon on its way as well, it looks like I will be spending more time at cons than at work :)

I’ll have the pleasure to teach the Corelan Live Exploit Development Bootcamp trainings at Brucon and Derbycon. If you are a student, make sure to check the prerequisites so we’re all set to make the training a success for everyone.
Continue reading →

Posted in Cons and Seminars | Tagged brucon, corelan live, corelan-tshirt, course, derbycon, derbycon-corlean-team-exploit-writing-tutorials, exploit, mona-return-oriented-programming-attack, new-t-shirt-designs-2011, Peter Van Eeckhoutte, return-oriented-programming-in-net, return-oriented-programming-live, rop-exploit, rop-exploit-training, t-shirt, team-briefings, team-briefings-cons, training, what-is-an-rop-exploit, win32-exploit-dev-training

Metasploit Bounty – the Good, the Bad and the Ugly

Published July 27, 2011 |

By Corelan Team (Lincoln)

On June 14, 2011 HD Moore announced the Metasploit Bounty contest, offering a cash incentive for specific vulnerabilities to be submitted as modules in the Metasploit Framework. Titled “30 exploits, $5000 in 5 weeks”, a post on the Rapid7 blog lists the 30 “bounties” selected by the MSF team, waiting for someone to claim and submit a working exploit module.
Continue reading →

Posted in 001_Security, Exploits | Tagged advapi32.dll, aslr, asm, auriemma, bounty, carchive, cash, challenge, contest, debugger, dep, egg, egghunter, exploit, fix, genbroker, genclient, genesis, hd moore, heap, hmi, iat, iconics, immunity, incentive, integer, luigi, malloc, metasploit, meterpreter, mfc71u.dll, migrate, mona.py, ntsetinformationprocess, opcode, overflow, payload, peb, rop, rop.txt, ropfunc, scada, serialization, spray, stage, unicode, venetian, vtable, w00tw00t, windbg

Installing Watobo on BackTrack 5

Published July 23, 2011 |

By Corelan Team (fancy)

Watobo author Andy Schmidt made 2 great videos about installing Watobo on Windows and on BackTrack 5.
I created a rather simple and short shell script to install Watobo on BT5. Nothing new, nothing sensational, just to alleviate the installation process.
Continue reading →

Posted in 001_Security, Pentesting, Web Application Security | Tagged andy schmidt, back-track-5-scripts, backtrack, backtrack-5, backtrack-5-gem1-8-install, backtrack-5-script, backtrack-5-scripts, backtrack-5-scripts-download, backtrack-scripts, backtrack-shell-scripts, blacktrack-team-sharing, install, install-ciso-di-backtrack-5, install-watobo-in-backtrck, jak-zainstalowac-ssh-c-ubiquity-backtrack, script, watobo, watobo-backtrack-install, watobo-was-created-by, www-remote-exploit-orgbacktrack_download-html

mona.py – the manual

Published July 14, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

This document describes the various commands, functionality and behaviour of mona.py.

Released on june 16, this pycommand for Immunity Debugger replaces pvefindaddr, solving performance issues and offering numerous new features. pvefindaddr will still be available for download until all of its functionality has been ported over to mona.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged automation, corelan, corelanc0d3r, documentation, exploit, exploit development, immunity, immunity debugger, metasploit, mona, mona.py, pattern, plugin, pycommand, python, rapid7, rop, rop automation, rop gadget, suggest

ROP your way into B-Sides Las Vegas 2011

Published July 12, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Ahh.. Vegas.. What happens in Vegas, stays in Vegas right ?

With a variety of cons ahead (BlackHat, Defcon, B-Sides, …) there is plenty of things that can and will happen at Vegas. Will you be there to witness & enjoy it ?

Getting to Vegas is just one part of the story. Getting access to one of the cons is the second part, but in case of B-Sides, there are no tickets left anymore.
So, in case you were not able to get one of the free tickets to B-Sides LV, there’s good news !

We have 2 tickets for B-Sides LV (august 3 & 4, 2011)… and we’re giving them away…but not without a little ‘battle’…
Continue reading →

Posted in Cons and Seminars | Tagged b-sides, bsides, bsides-las-vegas, chain, gadget, game, intitlelas-vegas-php-web-development-wordpress-development, las vegas, las-vegas-regional-occupational-program, metasploit-return-oriented-programming, programming-for-metasploit, regional-occupational-program-in-las-vegas, regional-occupational-program-las-vegas, return oriented programming, rop, rop-las-vegas, ropdb, vegas, what-happens-in-vegas-stays-in-vegas, what-u-do-in-vegas-stay-in-vegas-wallpaper

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

BlackHat EU 2012 – Day 1

Debugging Fun – Putting a process to sleep()

Exploit writing tutorial part 11 : Heap Spraying Demystified

Many roads to IAT

WoW64 Egghunter

Corelan T-Shirt Contest – Derbycon 2011

Metasploit Bounty – the Good, the Bad and the Ugly

mona.py – the manual

ROP your way into B-Sides Las Vegas 2011

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!