ruby

Exploit writing tutorial part 11 : Heap Spraying Demystified

Published December 31, 2011 |

A lot has been said and written already about heap spraying, but most of the existing documentation and whitepapers focus on IE7 or older versions.
Although there are a number of public exploits available that target IE8, the exact technique to do so has not been really documented in detail.
Of course, you can probably derive how it works by looking at those public exploits.

With this tutorial, I’m going to provide you with a full and detailed overview on what heap spraying is, and how to use it on old and newer platforms.
I’ll start with some “ancient” techniques (or classic techniques if you will) that can be used on IE6 and IE7.
We’ll also look at heap spraying for non-browser applications.
Next, we’ll talk about precision heap spraying, which is a requirement to make DEP bypass exploits work on IE8.
I’ll finish this tutorial with sharing some of my own research on getting reliable heap spraying to work on IE9.
Continue reading →

Posted in 001_Security, Exploit Writing Tutorials | Tagged 0c0c0c0c, actionscript, adobe, bmp, bstr, corelan, debugger, dep, exploit, exploit writing tutorial, firefox, freelists, gadget, gzip, heap, heapcreate, heaplib, image, immunity, internet explorer, javascript, lookasidelist, low fragmentation heap, metasploit, mona.py, moshe ben abu, pdf, pivot, return oriented programming, rop, ruby, sotirov, spray, string, substring, trancer, virtualalloc, vtable, windbg

Pastenum – Pastebin/pastie enumeration tool

Published March 22, 2011 |

By Elliott Cutright

When conducting a pen-test, the process typically starts with the reconnaissance phase, the process of gathering information about your target(s) system, organization or person.
Today, we want to present a tool that can be added to your reconnaissance toolkit.
Continue reading →

Posted in 001_Security, Pentesting, Scripts | Tagged backtrack-3-free-download, backtrack3-free-download, colored, enumerate, gem, gscraper, json, mechanize, nokogiri, nullthreat, pastebin, pastenum, pastie, pentest, query, reconnaissance, ruby, rvm, scrape, uri-query_params

Cheat sheet : Installing Snorby 2.2 with Apache2 and Suricata with Barnyard2 on Ubuntu 10.x

Published February 27, 2011 |

By Peter Van Eeckhoutte (corelanc0d3r)

After spending a few hours fighting a battle against Snorby and Apache2 + Passenger, I finally managed to get it to run properly on my Ubunty 10.x box (32bit). Looking back, I figured I might not be the only one who is having issues with this.

So I decided to publish the notes I took while setting everything up, and as a little bonus, explain how to install and configure Suricata as well (configured in combination with barnyard2 which will pick up local logs and send them to the remote MySQL server).
Continue reading →

Posted in 001_Security, Linux and Unix, Networking, Papers | Tagged a2enmod, apache2, apt-get, barnyard, bind-address, bundle install, cheat sheet, cheatsheet, configuration, daily cache, database.yml, emerging, emerging-threats, ezprint, gem, HOME_NET, ids, installation, ips, libhtp-0.2.so.1, my.cnf, mysql, passenger, passenger-install-apache2-module, passenger.conf, passenger.load, PassengerRoot, PassengerRuby, procedure, qt patch, rails, ruby, sensor cache, setup, snorby, snorby_config.yml, snort, step by step, suricata, ubuntu, unified2.alert, waldo, wkhtmltopdf, www.testmyids.com

Fuzzing with Metasploit : Simple FTP fuzzer

Published October 19, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Just wanted to drop a quick note about the release of another free script. This time I’ve written a simple FTP fuzzer (with a little help from HDMoore) in Metasploit. You can read more about it (and download the script) at http://www.corelan.be:8800/index.php/my-free-tools/security/metasploit/simple-ftp-fuzzer-metasploit-module/ This is why I like Metasploit so much… :-) Update : after running […]

Posted in 001_Security, Exploits, My Free Tools, Scripts | Tagged free, ftp fuzzer, fuzzer, fuzzer-metasploit, fuzzing, fuzzing-con-metasploit, fuzz_ftp.rb, good-ftp-fuzzer, hdmoore, metasploit, metasploit-fuzzer, metasploit-fuzzers, metasploit-fuzzing, metasploit-ike, ruby, script, security metasploit, server, simple ftp, simple-ftp-fuzzer

Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics

Published August 12, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the first parts of the exploit writing tutorial, I have discussed some common vulnerabilities that can lead to 2 types of exploits : stack based buffer overflows (with direct EIP overwrite), and stack based buffer overflows that take advantage of SEH chains. In my examples, I have used perl to demonstrate how to build […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged buffer, check, custom vulnserver, encoder, exe, exe windows, exploit, exploit custom, Exploits, include, initialize, metasploit, meterpreter, module, msf, msf exploit, msf/core, offset, payload, port, print, rb, require, ruby, shellcode, socket, vulnserver, windows, windows system

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Exploit writing tutorial part 11 : Heap Spraying Demystified

Pastenum – Pastebin/pastie enumeration tool

Cheat sheet : Installing Snorby 2.2 with Apache2 and Suricata with Barnyard2 on Ubuntu 10.x

Fuzzing with Metasploit : Simple FTP fuzzer

Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!