metasploit

Happy 5th Birthday Corelan Team

Published March 3, 2014 |

Table of ContentsIntroductionDiscounts (in alphabetical order):Hak5Hex-RaysMalformity LabsNetsparkerNo Starch PressPatervaRapid7SANSSecurity RootsSyngressYour name here ? Introduction Corelan Team was founded in September of 2009. Over the last few years, the team has written and published numerous tutorials on exploit development. We have created a series of tools and scripts, and worked with vendors/developers across the globe to […]

Posted in 001_Security | Tagged 2014, 5 years, community, corelan, coupon, discount, hak5, happy birthday, hex-rays, infosec, malformity labs, metasploit, netsparker, no starch press, party, paterva, rapid7, sansinstitute, securityroots, stephen sims, syngress

Metasploit Meterpreter and NAT

Published January 4, 2014 |

By Peter Van Eeckhoutte (corelanc0d3r)

Professional pentesters typically use a host that is connected directly to the internet, has a public IP address, and is not hindered by any firewalls or NAT devices to perform their audit. Hacking “naked” is considered to be the easiest way to perform a penetration test that involves getting shells back. Not everyone has the […]

Posted in Metasploit, Pentesting | Tagged how-to-hack-nat-metasploit, how-to-use-metasploit-over-internet, httpswww-corelan-beindex-php20140104metasploit-meterpreter-and-nat, kali-metasploit-bind-with-pdf, metasploit, metasploit-behind-nat, metasploit-exploits-xp-sp3, metasploit-over-the-internet-kali, metasploit-targets-my-router, meterpreter, meterpreter-workings, nat, pentesting, port forwarding, reverse connection, reverse nat, reverse_http, reverse_https, reverse_tcp, value-of-lhost-in-metasploit-from-behind-firewall

Zabbix SQL Injection/RCE – CVE-2013-5743

Published October 4, 2013 |

By Corelan Team (Lincoln)

Table of ContentsIntroductionDisclosure Timeline:Vendor DetailsVulnerability DetailsThe patch Leveraging SQL InjectionCool! We got Admin, now what?Code Execution Further Exploitation? Introduction First off, please do not throw a tomato at me since this is not the typical Windows binary exploit article that is posted on Corelan! During a recent a penetration test, I encountered a host running Zabbix, an […]

Posted in Pentesting, SQL Injection, Web Application Security | Tagged 3, 5743, 5743-views, burp, corelan-be-zabbix-2-0-8, cve-2013-5743, exploit-sql-injection-2013, facebook-sql-injection-2013, got-a-deauthentication, metasploit, pentest, putting-injuction-in-bobs-video-for-free-download, putting-injuction-on-bobs-video-for-download, python-sql-injection-pastebin, single-url-sqli-scanner-php-pastebin, sql injection, web application, zabbix, zabbix-2-0-8-code-execution, zabbix-sql-injector-gratis-download

Exploit writing tutorial part 11 : Heap Spraying Demystified

Published December 31, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions.
Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail.
Of course, you can probably derive how it works by looking at those public exploits.

With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms.
I’ll start with some “ancient” techniques (or classic techniques if you will) that can be used on IE6 and IE7.
We’ll also look at heap spraying for non-browser applications.
Next, we’ll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged 0c0c0c0c, actionscript, adobe, bmp, bstr, corelan, debugger, dep, exploit, exploit writing tutorial, firefox, freelists, gadget, gzip, heap, heapcreate, heaplib, image, immunity, internet explorer, javascript, lookasidelist, low fragmentation heap, metasploit, mona.py, moshe ben abu, pdf, pivot, return oriented programming, rop, ruby, sotirov, spray, string, substring, trancer, virtualalloc, vtable, windbg

WoW64 Egghunter

Published November 18, 2011 |

By Corelan Team (Lincoln)

Traditional Egghunter An Egghunter is nothing more than an assembly routine to find shellcode somewhere in memory. We typically deploy an Egghunter when there is no more room in our buffer that we can use to initially redirect EIP to. If we are able to load our shellcode elsewhere in process memory, the Egghunter will […]

Posted in 001_Security, Exploit Writing Tutorials, Uncategorized | Tagged 32bit, 64bit, access violation, dep, egg, egghunter, fs, hunter, int2, interrupt, matt miller, metasploit, nasm, ntaccesscheckandauditalarm, omelet, shellcode, skape, syscall, sysenter, tag, teb, virtualalloc, virtualprotect, w00t, wow64

Metasploit Bounty – the Good, the Bad and the Ugly

Published July 27, 2011 |

By Corelan Team (Lincoln)

On June 14, 2011 HD Moore announced the Metasploit Bounty contest, offering a cash incentive for specific vulnerabilities to be submitted as modules in the Metasploit Framework. Titled “30 exploits, $5000 in 5 weeks”, a post on the Rapid7 blog lists the 30 “bounties” selected by the MSF team, waiting for someone to claim and submit a working exploit module.
Continue reading →

Posted in 001_Security, Exploits | Tagged advapi32.dll, aslr, asm, auriemma, bounty, carchive, cash, challenge, contest, debugger, dep, egg, egghunter, exploit, fix, genbroker, genclient, genesis, hd moore, heap, hmi, iat, iconics, immunity, incentive, integer, luigi, malloc, metasploit, meterpreter, mfc71u.dll, migrate, mona.py, ntsetinformationprocess, opcode, overflow, payload, peb, rop, rop.txt, ropfunc, scada, serialization, spray, stage, unicode, venetian, vtable, w00tw00t, windbg

mona.py – the manual

Published July 14, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

This document describes the various commands, functionality and behaviour of mona.py.

Released on june 16, this pycommand for Immunity Debugger replaces pvefindaddr, solving performance issues and offering numerous new features. pvefindaddr will still be available for download until all of its functionality has been ported over to mona.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged automation, corelan, corelanc0d3r, documentation, exploit, exploit development, immunity, immunity debugger, metasploit, mona, mona.py, pattern, plugin, pycommand, python, rapid7, rop, rop automation, rop gadget, suggest

Universal DEP/ASLR bypass with msvcr71.dll and mona.py

Published July 3, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Over the last few weeks, there has been some commotion about a universal DEP/ASLR bypass routine using ROP gadgets from msvcr71.dll (written by Immunity Inc) and the fact that it might have been copied into an exploit submitted to Metasploit as part of the Metasploit bounty.

I’m not going to make any statements about this, but the ROP routine itself looks pretty slick.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged aslr, bounty, bypass, chain, corelan, dep, exploit, finding-universal-offsets-immunity, gadget, httpswww-corelan-beindex-php20110703universal-depaslr-bypass-with-msvcr71-dll-and-mona-py, immunity, metasploit, mona.py, mscvr-dll, msvcr71, return oriented programming, rop, rop-mona-py, universal-rop-bypass, white phosphorus

Hack Notes : Ropping eggs for breakfast

Published May 12, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction I think we all agree that bypassing DEP (and ASLR) is no longer a luxury today. As operating systems (such as Windows 7) continue to gain popularity, exploit developers are forced to deal with increasingly more memory protection mechanisms, including DEP and ASLR. From a defense perspective, this is a good thing. But we […]

Posted in Exploit Writing Tutorials, Exploits | Tagged code reuse, corelan-rop, egg, egghunter, how-to-hack-notes, how-to-hack-windows-7-note, hunter, memcpy, memmove, metasploit, payload, return oriented programming, rop, rop-chain-what-is, shellcode, shellcode-virtualalloc-pastebins, strcpy, strncpy, virtualalloc, virtualprotect

BlackHat Europe 2011 / Day 01

Published March 17, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

After having breakfast, chatting with ping and hanging out with @kokanin, @xme and @wimremes, it was time to start attending the various talks.
So, as promised in yesterdays preview, what follows is the report of my first day at Black Hat Europe 2011.
Continue reading →

Posted in 001_Security, Cons and Seminars | Tagged 2011, andres riancho, barcelona, blackhat, blackhat europe, briefings, chris valasek, conference, exploit, fixation, hacking, ID, metasploit, nitesh dhanjani, rapid7, Raul Siles, ryan smith, seminar, session, tom keetch, w3af

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Happy 5th Birthday Corelan Team

Metasploit Meterpreter and NAT

Zabbix SQL Injection/RCE – CVE-2013-5743

Exploit writing tutorial part 11 : Heap Spraying Demystified

WoW64 Egghunter

Metasploit Bounty – the Good, the Bad and the Ugly

mona.py – the manual

Universal DEP/ASLR bypass with msvcr71.dll and mona.py

Hack Notes : Ropping eggs for breakfast

BlackHat Europe 2011 / Day 01

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!