Lmst

🇧🇪 Belgian Roots. Global Impact. 🌍

Corelan is more than just 🍟, 🍺 & 👶🏼🚿.

We offer world-class Exploit Development Training for Windows:
🔹 Stack-based Exploit Dev
🔹 Heap Exploit Development Masterclass

Crafted in 🇪🇺, respected worldwide 🌐.

Built by a researcher, for researchers 🧠.

Support European excellence in cybersecurity!

🎯 Sign up here → https://bit.ly/corelan-training

#CyberSecurity #ExploitDevelopment #Corelan #InfoSec #InvestInEurope #MadeInBelgium #Heap #Stack #Windows

I wrote a blog post about the basics of ROP chain.
https://enetolabs.medium.com/rop-chains-78e8f028eaef

#ReverseEngineering #ExploitDevelopment #ROPChain

Already enjoying the https://exploits.club/ newsletter. Don't let the "coming soon..." website fool you, the content is high quality.

#exploitdev #ExploitDevelopment

Ready to navigate the treacherous waters of buffer overflows?

Check my latest blog post: "Wherein We Study A Buffer Overflow And Ready Our Aim: testing the waters"

We'll now be ready to actually exploit the return address and use it for our own means.

Consider this the first step before shellcoding gallore.

🦶 Dip your toe here: https://dreaming-of-dragons.blogspot.com/2024/10/wherein-we-study-buffer-overflow.html

#Shellcode #CyberSecurity #ReverseEngineering #LowLevelProgramming #TechBlog #ExploitDevelopment

Ready for the troubled waters of shellcode? I'm not. Not just yet, at least. But I'm by the shore and telling you about it in my latest blog post: "Wherein We Wade Through A Shellcode Shore: before the dive

"

Spoiler alert: shellcode remains relevant (and fun).

👉 Check out: https://dreaming-of-dragons.blogspot.com/2024/10/wherein-we-wade-through-shellcode-shore.html

#Shellcode #CyberSecurity #ReverseEngineering #LowLevelProgramming #TechBlog #ExploitDevelopment

We’ve just published the third and final part in our new series on Windows kernel driver vulnerability research and exploitation.

Exploiting AMD atdcm64a.sys arbitrary pointer dereference - Part 3:
https://security.humanativaspa.it/exploiting-amd-atdcm64a-sys-arbitrary-pointer-dereference-part-3/

In the previous articles, we covered the discovery of an arbitrary MSR read and an arbitrary pointer dereference vulnerability, and successfully confirmed them by putting together two PoCs. This time, we will craft a full exploit that chains both vulnerabilities to enable all privileges on Windows. Happy hacking!

#HumanativaGroup #HNSecurity #VulnerabilityResearch #ExploitDevelopment #Windows

Here’s a collection of the #SecurityAdvisories that I’ve published over the years:

https://github.com/0xdea/advisories

If you’re interested in #VulnerabilityResearch and #ExploitDevelopment, on @github and on the @hnsec blog you can also find a trilogy of talks on these topics that I delivered between 2019 and 2021:

https://github.com/0xdea/raptor_infiltrate19

https://github.com/0xdea/raptor_infiltrate20

https://github.com/0xdea/raptor_romhack21

I hope you’ll enjoy them!

Sometimes you write a quick, dirty & fugly thing and immediately feel disgusted by it. But it works, so does it matter in the end?

#hacking #exploitdevelopment #python

Python code that loads .dll/.so/.dylib and executes a function from it. Don't try this at home, kids.

How common is RC4 vs. RC5 in the wild? I assume there's still plenty of vulnerable legacy software out there that's still using RC4. Would still supporting RC4 be useful for writing exploits or diminishing returns?
#exploitdev #ExploitDevelopment

I want to share my thoughts on something I find discomforting. When I decided to work at cybersecurity field, I wanted to become a vulnerability researcher and exploit developer, because I found these fields mentally challenging. BUT, when I found out, working for law enforcement/military and intelligence services is a norm in these fields (individually or with VR firms), I was like "lol WHAT??". If I hadn't found out this truth, I would blindly educate myself to become competent in these fields, and I would waste a LOT of my time. How is this not being mentioned when talking about these fields? Is it normal to assume everybody potentially is ok about working for these organizations? Also, punk hacker image which a lot of people enjoy became a joke to me after this truth. 💔 #cybersecurity #vulnerabilityresearch #exploitdevelopment #infosec #cyberpunk

I implemented Ken Thompson’s Reflections on Trusting Trust (1984 Turing Award Lecture) compiler #backdoor for the GNU Compiler Collection (GCC). The backdoor maintains persistence by re-injecting itself to any new versions of the compiler built. The secondary payload modifies a test application by adding a backdoor password to allow authentication bypass:

$ cat testapp.c
#include <string.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
if (argc == 2 && !strcmp(argv[1], "secret"))
{
printf("access granted!\n");
return EXIT_SUCCESS;
}
else
{
printf("access denied!\n");
return EXIT_FAILURE;
}
}
$ gcc -Wall -O2 -o testapp.c -o testapp
$ ./testapp kensentme
access granted!
$

I spent most time (around two hours) writing the generalized tooling that produces the final quine version of the malicious payload. Now that this is done, the actual code can be adjusted trivially to exploit more target code without any need to adjust the self-reproducing section of the code. This method of exploitation could be extended to target various binaries: SSH Server, Linux Kernel, Setuid binaries and similar. While itself written in C, the secondary payloads can target any programming languages supported by GCC.

It should be noted that GCC build checks for malicious compiler changes such as this. This check can – of course – also be bypassed. However, most serious projects have measures in place to avoid hacks of this nature.

Some links:
- Ken Thompson's "Reflections on Trusting Trust" paper: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf
- David A. Wheeler: "Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) - Countering Trojan Horse attacks on Compilers" https://dwheeler.com/trusting-trust/

#hacking #exploitdevelopment #kenthompson #infosec #cybersecurity @vegard

Backdoored GCC compiler quietly modifying the logic of a simple test app. Normally the application only allows "secret" as password, but the backdoored compiler modifies it to allow "kensentme" as valid password as well.

@FrankGevaerts In this case I opted for replacing a root executed binary with a script that injects ssh pubkey to /root/.ssh/authorized_keys and then executes the real binary - this should be quite self-explanatory as the attacker can now just ssh as root. I also wanted to keep this as simple as possible to avoid 4th day of explaining basic concepts to #hackerone analyst. #exploit #ExploitDevelopment

Screenshot of displaying last step in exploiting ability to replace any file on a system as non-root user.

SonicWall next-gen firewall (NGFW) series 6 and 7 devices are affected by 2 DoS #vulnerabilities that can lead to remote code execution (RCE): #CVE-2022-22274 and CVE-2023-0656. Bishop Fox research revealed that these issues are fundamentally the same, but exploitable at different HTTP URI paths. Read more & download our test script at our blog.

https://bfx.social/47Hcdzj

#SonicWall #infosec #exploitdevelopment

I have an #exploit that takes 4 hours to trigger, with no obvious way to speed it up. Oh well, at least it should still give me #privesc to local SYSTEM. #infosec #hacking #exploitdevelopment

I once had a dilemma: I had found a stack buffer overflow from a system I could only access in highly restricted environment. Yet I wanted to develop a proper #exploit for it.

Reversing revealed that the #vulnerability itself was a really simple string copy buffer overflow. It was trivial to reproduce it in my own stand-in program with a function that would strcpy a command line argument string to fixed size char array. This would lead to the identical crash at the function epilogue.

At this stage I was just missing the gadgets. Analyzing the loaded DLLs revealed multiple libraries without ASLR, a prime candidate for the gadgets. But there was a problem: I would not have access to these DLLs: Even though the files were from a common software package, they were some really old and obscure version and I would not have access to them outside of the target environment. I then had a bright idea of actually calculating hashes of these files. I could then hunt the files from Virustotal and similar sources. I did find the DLLs (from some dubious FTP, as you do) and I adjusted the stand-in program to load the DLL libraries. I could then use normal tooling to hunt the necessary gadgets to produce the classic VirtualProtect + jmp to esp ropchain to execute arbitrary shellcode.

TL;DR; I created a working 0-day #RCE exploit without ever executing the attack against the actual target environment.

#exploitdevelopment #hacking #infosec