Metasploit Bounty – the Good, the Bad and the Ugly
On June 14, 2011 HD Moore announced the Metasploit Bounty contest, offering a cash incentive for specific vulnerabilities to be submitted as modules in the Metasploit Framework. Titled “30 exploits, $5000 in 5 weeks”, a post on the Rapid7 blog lists the 30 “bounties” selected by the MSF team, waiting for someone to claim and submit a working exploit module.
Continue reading
Hack Notes : Ropping eggs for breakfast
Introduction I think we all agree that bypassing DEP (and ASLR) is no longer a luxury today. As operating systems (such as Windows 7) continue to gain popularity, exploit developers are forced to deal with increasingly more memory protection mechanisms, including DEP and ASLR. From a defense perspective, this is a good thing. But we […]
Case Study: SolarWinds Orion (video)
Special Thanks: To my wife for putting up with my crap. Also SolarWinds for keeping an open communication while fixing the issue. And of course… Corelan Team :P Audio: Many thanks to DJ Great Scott for supplying me with the music. Definitely check out some of his work! http://soundcloud.com/greatscott http://glitch.fm/ Music in Video: Defcon (Samples […]
Malicious pdf analysis : from price.zip to flashplayer.exe
This morning, my generic attachment filter for MS Exchange reported that about 100 emails were put in quarantine because they contained a small zip file.
When looking inside the zip file, I found a small pdf file… I immediately figured this file was up to no good, so it was time to get my hands dirty :)
Continue reading
Offensive Security Exploit Weekend
Introduction I’m excited and honored to be able to announce that Sud0, one of our Corelan Team members, has won the Offensive Security Exploit weekend, an exploiting exercise only available to Offensive Security certified alumni. The challenge was built around a vulnerability in Foxit Reader. Each participant was pointed to a Proof of Concept exploit, […]
Death of an ftp client / Birth of Metasploit modules
Over the past few weeks, Corelan Team has given its undivided attention to fuzzing ftp client applications.
Using a custom built ftp client fuzzer, now part of the Metasploit framework, the team has audited several ftp clients and applications that use an embedded client ftp component. One example of such an application is a tool that would synchronize / backup data from a computer to a remote ftp server.
The 3 main audit/attack vectors that were used during the “project” were
send back overly long responses to ftp commands / requests sent by the ftp client to the server
send back a file/directory listing that contains overly long file/folder names
try to download a file that has an overly long filename.
Continue reading
Exploit notes – win32 eggs-to-omelet
In article 8 of my exploit writing series, I have introduced the concept of egg hunters, and explained what an omelet hunter is and how it works. Today, I want to share with you my own eggs-to-omelet implementation, explain how it works, and how you can use it in a standalone exploit or in a […]
Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
In the first parts of the exploit writing tutorial, I have discussed some common vulnerabilities that can lead to 2 types of exploits : stack based buffer overflows (with direct EIP overwrite), and stack based buffer overflows that take advantage of SEH chains. In my examples, I have used perl to demonstrate how to build […]
Exploit writing tutorial part 3b : SEH Based Exploits – just another example
In the previous tutorial post, I have explained the basics of SEH based exploits. I have mentioned that in the most simple case of an SEH based exploit, the payload is structured like this : [Junk][next SEH][SEH][Shellcode] I have indicated that SEH needs to be overwritten by a pointer to “pop pop ret” and that […]
Donate
Your donation will help funding server hosting.
