adobe

HITB2012AMS Day 2 – Attacking XML Processing

Published May 25, 2012 |

Attacking XML Processing Dressed in a classy Corelan Team T-Shirt, Nicolas Grégoire kicks off his presentation by introducing himself. Nicolas has been asked by a customer to audit some XML-DSig applications 18 months ago and found a number of bugs. This triggered him to do more research on this topic. This technology is present in […]

Posted in Cons and Seminars | Tagged adobe, agarri, common-xml-vulnerabilities, dtd, embed, firefox, java, meterpreter, nicolas grégoire, oracle, parser, php, processing, rest, restlet-xml-external-entity-gregoire, winrt-xml-parsing, xml, xslt, xxe, xxe-attack-execution

HITB2012AMS Day 2 – PostScript – Danger Ahead

Published May 25, 2012 |

By Peter Van Eeckhoutte (corelanc0d3r)

Good morning everyone, welcome back at Hack In The Box 2012 Amsterdam ! Before looking at the first talk that I attended today, I would like to mention that you can find copies of the talks and materials on the hitb.org website. Files are made available right after a talk or lab finishes, you […]

Posted in Cons and Seminars | Tagged adobe, amsterdam, corelan-backtrack-5-wep-hack, corelanbe, dump-mifare-card-windows, eps, ghostscript, hitb, memory dump, mfcuk-authentication-tries, mifare, multifunctional, not-display-text-in-forum-corelan, office, postscript, postscript-danger-ahead, printer, ps, word, xerox

Exploit writing tutorial part 11 : Heap Spraying Demystified

Published December 31, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions.
Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail.
Of course, you can probably derive how it works by looking at those public exploits.

With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms.
I’ll start with some “ancient” techniques (or classic techniques if you will) that can be used on IE6 and IE7.
We’ll also look at heap spraying for non-browser applications.
Next, we’ll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged 0c0c0c0c, actionscript, adobe, bmp, bstr, corelan, debugger, dep, exploit, exploit writing tutorial, firefox, freelists, gadget, gzip, heap, heapcreate, heaplib, image, immunity, internet explorer, javascript, lookasidelist, low fragmentation heap, metasploit, mona.py, moshe ben abu, pdf, pivot, return oriented programming, rop, ruby, sotirov, spray, string, substring, trancer, virtualalloc, vtable, windbg

Blackhat Europe 2010 Barcelona – Day 10

Published April 16, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

I got up early this morning, trying to be sharp and well prepared for day 2 of the BlackHat briefings. As some of you may know, I’m not really a morning person, so I usually need some time to wake up and wait until all components in my body start functioning again. After one day […]

Posted in 001_Security, Cons and Seminars | Tagged 002 - Tools, 2010, adobe, ashcloud, barcelona, Cons and Seminars, data, europe, function, functions, fuzzing, heap, heap management, input, memory, mitm, oracle, presentation, session, sessions, tcp, volcano

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

HITB2012AMS Day 2 – Attacking XML Processing

HITB2012AMS Day 2 – PostScript – Danger Ahead

Exploit writing tutorial part 11 : Heap Spraying Demystified

Blackhat Europe 2010 Barcelona – Day 10

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!