..:: Corelan Cybersecurity Research ::.. - Part 10Corelan Cybersecurity Research

WATOBO – the unofficial manual

Published July 23, 2010 |

WATOBO is intended to enable security professionals to perform highly efficient (semi-automated) web application security audits. I am convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities. WATOBO has no attack capabilities and is provided for legal vulnerability audit purposes only. It works […]

Posted in 001_Security, Papers, Web Application Security | Tagged 001_Security, active, active checks, audit, base64, decode, encode, filter, filter functions, functions, fuzzer, interceptor, login, passive, passive checks, proxy, regex, requests, scan, scanner, semi, semi automated, session, vulnerability, watobo, watobo supports, web application

How strong is your fu 2 – the report

Published June 23, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

For anyone interested, this is _sinn3r’s and tecr0c’s writeup of the steps they took to own 4 out of the 5 machines in last weekend’s HSIYF – Hacking for Charity cyber hacking challenge …
Continue reading →

Posted in 001_Security | Tagged -hack, challenge, corelan-how-srong-if-your-fu, ctf, cyber, cyber-hacker, hacking, hacking-challenge, hacking-ninja, how-strong-is-you-fu, how-strong-is-your-foo, how-strong-is-your-fu, how-strong-is-your-fu-offensive-security, how-strong-is-your-fu2, hsiyf, hsiyf-report, offensive, offensive security, offsec, report

How strong is your fu : Hacking for charity

Published June 22, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Last weekend, Offensive Security hosted their second cyber hacking challenge, called “HSIYF For Charity”. The goal of this challenge was to raise money for Johnny Long’s “Hackers for Charity” project, a charity organization that tries to feed children, build computer labs etc in East Africa. Each challenger had to donate $49 to be able to […]

Posted in 001_Security | Tagged corelan-hacking, corelan-how-strong-is-your-foo, corelan-strong, ctf, cyber-hackers, hacking, hfc, how-strong-is-my-foo-corelan, how-strong-you-fu-pdf, hsiyf, june-22-2010-hacked, offensive security, offensive-security-wallpaper, offsec, pastie-sh-hackers-for-charity, pentesting-training-class-online-private, successfullyowned, tournament, try-harder-offensive-security, vpn-hacking

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Published June 16, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

About 3 months after finishing my previous exploit writing related tutorial, I finally found some time and fresh energy to start writing a new article.
In the previous tutorials, I have explained the basics of stack based overflows and how they can lead to arbitrary code execution. I discussed direct RET overflows, SEH based exploits, Unicode and other character restrictions, the use of debugger plugins to speed up exploit development, how to bypass common memory protection mechanisms and how to write your own shellcode.
While the first tutorials were really written to learn the basics about exploit development, starting from scratch (targeting people without any knowledge about exploit development) you have most likely discovered that the more recent tutorials continue to build on those basics and require solid knowledge of asm, creative thinking, and some experience with exploit writing in general.
Today’s tutorial is no different. I will continue to build upon everything we have seen and learned in the previous tutorials. Today I will talk about ROP and how it can be used to bypass DEP (and ASLR)…
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged 41414141, access violation, add esp, alwaysoff, alwayson, aslr, awe, breakpoint, bypass, C0000005, call, code reuse, dep, dep policy, egg, egg hunter, exploit, exploit writing, gadget, heapcreate, immunity debugger, jop, jump oriented programming, memcpy, ntsetinformationprocess, nx, offset, optin, optout, pae, permanent dep, pvefindaddr, register, return oriented programming, rop, rop gadget, setprocessdeppolicy, stack, stack pivot, time-line, virtualalloc, virtualprotect, WinExec, writeprocessmemory, xd

Offensive Security Hacking Tournament – How strong was my fu ?

Published May 10, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Hi, Over the last 2 days my friends from Corelan Team and I participated in a Hacking Tournament, organized by Offensive Security. The primary goals of the tournament are : be the first one to grab “secret” information from a machine and post it to the Tournament Control Panel. document your findings and submit them […]

Posted in 001_Security, Exploits | Tagged --, 001_Security, 192-168-6-66, capture, ctf, flag, hacking, hacklab-vpn, n00bfilter, nc-backshell-invalid-connection, nox-of-xr-offensive-security-team, offensive security, offensive-security-labs-exercises, offsec-lab, offsec-lab-firewall, pentestexploitsexploitdbplatformslinuxremote340-c-imap, screenos-import-pfx, smtx-video-ghost-challenge-write-up, surgemail-3-8k4-4-d-download, tournament

corelanc0d3r interviewed by Slo-Tech

Published May 10, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction: We continue our series of interviews with a slightly »unusual« talk this time: Peter Van Eeckhoutte may be unknown to readers who don’t follow the InfoSec scene on a daily basis. But he is well known to the international security community and his name is climbing fast on the list of top security researchers. He’s […]

Posted in 001_Security, Private | Tagged corelanc0d3r, interview, mona-switcher-slo-tech, Peter Van Eeckhoutte, slo-tech, slotech-international

corelanc0d3r interviewed by CubilFelino Security Research Labs

Published April 20, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Hi all, Just wanted to drop a few words about that fact that I have been interview by chr1x (, the maintainer of CubilFelino Security Research Labs (sectester.net). You can read the entire interview here : http://chr1x.sectester.net/corelanc0d3r.php If you have any questions, want to share your thoughts or comments, please use the comments form at […]

Posted in Private | Tagged chr1x, corelan-heap-spray, corelan-labs, corelanc0d3r, corelanc0d3r-interview, cubilfelino, cubilfelino-security-research, cubilfelino-security-research-lab, interview, odf-peter-van-eeckhoutte-from-the-corelan-team-on-the-first-half-of-his-presentation, ssh-key-with-pin

Forum restore

Published April 20, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

Hi all, Due to a server crash this afternoon, I had to restore the forum database from this morning. I have been able to recover some posts from this afternoon, but if you posted questions after 10:00 GMT+1, please check if your posts are still there… If not, please post them again I apologize for […]

Posted in Private | Tagged 0waitfor-delay0020, 237ca2a8bf9663af87, 40107716-or-35973597, 40107716-or-35973598, 40107716-or-35983598, 83bdd00711, 9661d-ab-54a73, alert1, and-37483748, and-37483749, and-37493749, and-benchmark20000000sha11, benchmark20000000sha11, confirm1, d89aeb9d2d, dbec3ab0177d, document-location1, document-title1, prompt1, waitfor-delay0020

Blackhat Europe 2010 Barcelona – Day 10

Published April 16, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

I got up early this morning, trying to be sharp and well prepared for day 2 of the BlackHat briefings. As some of you may know, I’m not really a morning person, so I usually need some time to wake up and wait until all components in my body start functioning again. After one day […]

Posted in 001_Security, Cons and Seminars | Tagged 002 - Tools, 2010, adobe, ashcloud, barcelona, Cons and Seminars, data, europe, function, functions, fuzzing, heap, heap management, input, memory, mitm, oracle, presentation, session, sessions, tcp, volcano

Blackhat Europe 2010 Barcelona – Day 01

Published April 14, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

As some of you might know, I am currently attending Blackhat Europe (hosted in Barcelona this year). So I wanted to take the opportunity to fill you in on the details of this first day of briefings, and provide you with a short overview of the presentations I have attended today. I am most certainly […]

Posted in 001_Security, Cons and Seminars | Tagged 001_Security, backdoors, blackhat europe, bugs, chris-john-riley, conf-x-frame-options, Cons and Seminars, database, facebook, httpd-conf-location-header-set-x-frame-options, httpd-conf-set-header-frames, maltego, oracle, presentation, sample-httpd-conf-with-x-frame, sap, secure-badge-exchange-system, sitewww-corelan-be-facebook, swf, vulnerabilities

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

How strong is your fu 2 – the report

How strong is your fu : Hacking for charity

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube

Offensive Security Hacking Tournament – How strong was my fu ?

corelanc0d3r interviewed by Slo-Tech

corelanc0d3r interviewed by CubilFelino Security Research Labs

Forum restore

Blackhat Europe 2010 Barcelona – Day 10

Blackhat Europe 2010 Barcelona – Day 01

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!