immunity

Using DBI for solving Reverse Engineering 101 – Newbie Contest from eLearnSecurity

Published December 10, 2013 |

Introduction Last weekend I had some time so I wanted to have a look at a reversing challenge which you can find here: https://www.ethicalhacker.net/features/special-events/reverse-engineering-101-newbie-contest-webcast-elearnsecurity Reverse Engineering 101 Contest Steps Get the exe to be hacked Break it open and start exploring. The only rule for the challenge is that it has to be solved by […]

Posted in Malware and Reversing | Tagged C#, challenge, corelan, corelan-be-facebook, corelan-coder, corelancoder, crack, dbi, dynamic binary instrumentation, elearnsecurity, elearnsecurity-reverse-engineering, hexedit, ida pro, immunity, m0n0sapiens, patching, Peter Van Eeckhoutte, pin, reverse engineering, reversing

Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2 !!

Published December 31, 2012 |

By Peter Van Eeckhoutte (corelanc0d3r)

Ho Ho Ho friends, It has been a while since we posted something on the Corelan Team blog, I guess we all have been busy doing … stuff and things, here and there. Nevertheless, as the year is close to filling up 100%, it’s probably a good time to start thinking about finding some convincing […]

Posted in Development, Exploit Writing Tutorials, Exploits, My Free Tools, Scripts | Tagged debugger, exploit, extension, immunity, immunity debugger, jingle-bofs, mona, mona-albertini, mona-py-2-windbg, mona-windbg, mona.py, new year, plugin, present, pycommand, pykd, python, windbg, windbg-mona-py, www-corelan-be

Debugging Fun – Putting a process to sleep()

Published February 29, 2012 |

By Corelan Team (Lincoln)

Recently I played with an older CVE (CVE-2008-0532, http://www.securityfocus.com/archive/1/489463, by FX) and I was having trouble debugging the CGI executable where the vulnerable function was located.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Malware and Reversing, Uncategorized | Tagged cgi, corelan, corelan team, cve-2008-0532, debugger, entrypoint, f, function, fx, hook, immunity, isdebuggerpresent, jit, just in time, loop, pefile, python, rva, sleep, www-corelan-be

Exploit writing tutorial part 11 : Heap Spraying Demystified

Published December 31, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions.
Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail.
Of course, you can probably derive how it works by looking at those public exploits.

With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms.
I’ll start with some “ancient” techniques (or classic techniques if you will) that can be used on IE6 and IE7.
We’ll also look at heap spraying for non-browser applications.
Next, we’ll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged 0c0c0c0c, actionscript, adobe, bmp, bstr, corelan, debugger, dep, exploit, exploit writing tutorial, firefox, freelists, gadget, gzip, heap, heapcreate, heaplib, image, immunity, internet explorer, javascript, lookasidelist, low fragmentation heap, metasploit, mona.py, moshe ben abu, pdf, pivot, return oriented programming, rop, ruby, sotirov, spray, string, substring, trancer, virtualalloc, vtable, windbg

Many roads to IAT

Published December 1, 2011 |

By Dinos

A few days ago a friend approached me and asked how he could see the import address table under immunity debugger and if this could be done using the command line.

I figured this would be a good time to take a look at what the IAT is, how we can list the IAT and what common reversing hurdles could be with regards to the IAT.
Continue reading →

Posted in Malware and Reversing | Tagged corelan, iat, ida, immunity, import address directory, import address table, impre, lordpe, monaida-plugin, ollydbg, python, rebuild iat, reconstruct, resetsearchinindex-ps1, restore, reverse, reverse engineering, reversing, view names, windbg

Metasploit Bounty – the Good, the Bad and the Ugly

Published July 27, 2011 |

By Corelan Team (Lincoln)

On June 14, 2011 HD Moore announced the Metasploit Bounty contest, offering a cash incentive for specific vulnerabilities to be submitted as modules in the Metasploit Framework. Titled “30 exploits, $5000 in 5 weeks”, a post on the Rapid7 blog lists the 30 “bounties” selected by the MSF team, waiting for someone to claim and submit a working exploit module.
Continue reading →

Posted in 001_Security, Exploits | Tagged advapi32.dll, aslr, asm, auriemma, bounty, carchive, cash, challenge, contest, debugger, dep, egg, egghunter, exploit, fix, genbroker, genclient, genesis, hd moore, heap, hmi, iat, iconics, immunity, incentive, integer, luigi, malloc, metasploit, meterpreter, mfc71u.dll, migrate, mona.py, ntsetinformationprocess, opcode, overflow, payload, peb, rop, rop.txt, ropfunc, scada, serialization, spray, stage, unicode, venetian, vtable, w00tw00t, windbg

mona.py – the manual

Published July 14, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

This document describes the various commands, functionality and behaviour of mona.py.

Released on june 16, this pycommand for Immunity Debugger replaces pvefindaddr, solving performance issues and offering numerous new features. pvefindaddr will still be available for download until all of its functionality has been ported over to mona.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged automation, corelan, corelanc0d3r, documentation, exploit, exploit development, immunity, immunity debugger, metasploit, mona, mona.py, pattern, plugin, pycommand, python, rapid7, rop, rop automation, rop gadget, suggest

Universal DEP/ASLR bypass with msvcr71.dll and mona.py

Published July 3, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Over the last few weeks, there has been some commotion about a universal DEP/ASLR bypass routine using ROP gadgets from msvcr71.dll (written by Immunity Inc) and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty.

I’m not going to make any statements about this, but the ROP routine itself looks pretty slick.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged aslr, bounty, bypass, chain, corelan, dep, exploit, finding-universal-offsets-immunity, gadget, httpswww-corelan-beindex-php20110703universal-depaslr-bypass-with-msvcr71-dll-and-mona-py, immunity, metasploit, mona.py, mscvr-dll, msvcr71, return oriented programming, rop, rop-mona-py, universal-rop-bypass, white phosphorus

Mona 1.0 released !

Published June 16, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

FINALLY !
After spending almost 6 months of designing, developing and testing, and after ‘surviving’ 2 presentations (at AthCon and Hack In Paris), I am extremely excited and proud to present, on behalf of the entire Corelan Team, the general availability of mona.py.

With this announcement, we also declare pvefindaddr officially dead from this point forward. (This doesn’t mean pvefindaddr is now entirely worthless, because not all functions have been ported into mona yet, but we won’t be releasing any updates to pvefindaddr anymore and the entire project page/download page will eventually disappear)
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits, Uncategorized | Tagged eip, exploit, gadget, immunity, immunity debugger, immunitydbg-mona-example, immunitydbg-search-for-rop, mona, mona-corelan, mona-corelan-bad-characters, mona-download, mona-py-search-for-pointers, mona-py-youku, mona.py, monapy, pvefindaddr, pycommand, return oriented programming, rop, rop automation

Starting to write Immunity Debugger PyCommands : my cheatsheet

Published January 26, 2010 |

By Peter Van Eeckhoutte (corelanc0d3r)

When I started Win32 exploit development many years ago, my preferred debugger at the time was WinDbg (and some Olly). While Windbg is a great and fast debugger, I quickly figured out that some additional/external tools were required to improve my exploit development experience. Despite the fact that the command line oriented approach in windbg […]

Posted in 001_Security, Development, Exploit Writing Tutorials, Scripts | Tagged api, assemble, cheatsheet, debugger, disassemble, hoe-to-use-mona-at-immunity-debugger, immlib, immunity, immunity debugger, immunity-cheatsheet, immunity-debugger-strcat, module, plugin, pycommand, python, readmemory, script, softice-debuger, tuto-immunity-debugger-python, tutorial-debugging-using-immunity

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Using DBI for solving Reverse Engineering 101 – Newbie Contest from eLearnSecurity

Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2 !!

Debugging Fun – Putting a process to sleep()

Exploit writing tutorial part 11 : Heap Spraying Demystified

Many roads to IAT

Metasploit Bounty – the Good, the Bad and the Ugly

mona.py – the manual

Universal DEP/ASLR bypass with msvcr71.dll and mona.py

Mona 1.0 released !

Starting to write Immunity Debugger PyCommands : my cheatsheet

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!