Channel: Exploit Monday
Browsing all 78 articles

Leveraging format string vulnerabilities to interrogate Win32 process memory

Although format string vulnerabilities aren't seen as much in the wild these days since they are so easy to spot in source code, I'd like to use this class of vulnerability to demonstrate what...


Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260)

Recently, I've been looking into the exploitation of use-after-free vulnerabilities. This class of bug is very application specific, but armed with just the right amount of knowledge these...


Cool kids pop a programmer's calc in their demos

Over time, I've heard several well-respected security professionals mention that you're not really cool unless you can pop a scientific/programmer's calculator when demoing your exploits. I mean, what...


Integrating WinDbg and IDA for Improved Code Flow Analysis

IDA is hands down the best tool for static analysis. Its debugger, on the other hand, is certainly lacking when compared to the power of WinDbg, IMHO. As such, I find myself wasting too much time...


Targeted Heap Spraying – 0x0c0c0c0c is a Thing of the Past

Traditionally, heap spraying has relied upon filling the heap with blocks of 0x0C0C0C0C followed by shellcode, where the 0x0C0C0C0C value does double duty as both a heap address to land on and a series of NOP-like instructions. This, however, is not extremely reliable....


Dropping Executables with Powershell

Scenario: You find yourself in a limited Windows user environment without the ability to transfer binary files over the network for one reason or another. So this rules out using a browser, ftp.exe,...
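The scenario above is a text-only channel problem: the bytes of the executable have to ride over something that carries printable characters (a pasted console session, a chat window, the clipboard) rather than a binary transfer. Below is an added example of one way to do that, written for this page rather than taken from the original post, and not necessarily the method the post goes on to describe. It assumes only that the channel preserves printable ASCII and line breaks, uses base64 for the encoding, and carries a SHA-256 of the original alongside the blob so a mangled paste is caught before anything is written to disk. The sample "executable" is a constructed buffer of pseudo-random bytes.

```powershell
# Added example (not code from the original post). Assumes the text channel
# passes printable ASCII and newlines but cannot carry raw bytes.

function ConvertTo-TextBlob {
    # Read a binary file and emit a pasteable text blob: a SHA-256 header line
    # followed by base64, wrapped at 76 columns so long lines don't get truncated
    # or re-flowed by whatever console or chat client carries the text.
    param([Parameter(Mandatory = $true)][string]$Path)

    $Bytes = [System.IO.File]::ReadAllBytes($Path)
    $Sha   = [System.Security.Cryptography.SHA256]::Create()
    $Hash  = ([System.BitConverter]::ToString($Sha.ComputeHash($Bytes))) -replace '-', ''

    # Base64 inflates the payload by roughly a third but survives any printable-text channel.
    $B64 = [System.Convert]::ToBase64String($Bytes)

    "SHA256:$Hash"
    for ($i = 0; $i -lt $B64.Length; $i += 76) {
        $B64.Substring($i, [Math]::Min(76, $B64.Length - $i))
    }
}

function ConvertFrom-TextBlob {
    # Reassemble the pasted lines, verify the digest, and only then write the file.
    param(
        [Parameter(Mandatory = $true)][string[]]$Blob,
        [Parameter(Mandatory = $true)][string]$OutPath
    )

    $Expected = ($Blob | Where-Object { $_ -like 'SHA256:*' } | Select-Object -First 1) -replace '^SHA256:', ''
    # Drop the header and any blank lines a paste may have introduced, then re-join.
    $B64   = -join ($Blob | Where-Object { ($_ -notlike 'SHA256:*') -and ($_.Trim().Length -gt 0) })
    $Bytes = [System.Convert]::FromBase64String($B64)

    $Sha    = [System.Security.Cryptography.SHA256]::Create()
    $Actual = ([System.BitConverter]::ToString($Sha.ComputeHash($Bytes))) -replace '-', ''
    if ($Actual -ne $Expected) {
        throw "Integrity check failed: expected $Expected but got $Actual. Refusing to write $OutPath."
    }

    [System.IO.File]::WriteAllBytes($OutPath, $Bytes)
}

# Constructed sample standing in for an executable: 1000 pseudo-random bytes (fixed seed).
$Src = Join-Path $env:TEMP 'sample.bin'
$Dst = Join-Path $env:TEMP 'sample-restored.bin'
$Sample = New-Object byte[] 1000
(New-Object System.Random 42).NextBytes($Sample)
[System.IO.File]::WriteAllBytes($Src, $Sample)

# On the sending side: this array of strings is what gets pasted across the channel.
$Blob = ConvertTo-TextBlob -Path $Src

# On the receiving side: rebuild the file and confirm it matches byte for byte.
ConvertFrom-TextBlob -Blob $Blob -OutPath $Dst
$Restored = [System.IO.File]::ReadAllBytes($Dst)
if ([System.BitConverter]::ToString($Sample) -ne [System.BitConverter]::ToString($Restored)) {
    throw 'Round trip corrupted the sample'
}
"Round trip OK: $($Blob.Count) lines of text carried $($Restored.Length) bytes"
```

The digest line is the part worth keeping even if you change the encoding: base64 has no internal integrity check, and a single dropped character in a paste silently shifts every byte after it.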


Stealth Alternate Data Streams and Other ADS Weirdness

I was reading an article on MSDN regarding the naming of files, paths, and namespaces[1] and I discovered some interesting peculiarities regarding the naming and creation of certain files containing...


Exploiting Powershell's Features (Not Flaws)

tl;dr version: Using the features built into Microsoft PowerShell, one can execute arbitrary shellcode. The method described in this post is both 32- and 64-bit compatible. Because we are exploiting the...


Man vs. ROP - Overcoming Adversity One Gadget at a Time

Introduction: I recently discovered a rather simple stack-based buffer overflow in a legacy application that shall remain unnamed. With DEP disabled, exploiting the vulnerability was trivial. It's no...


PowerSyringe - PowerShell-based Code/DLL Injection Utility

Download Link: PowerSyringe.ps1

So I decided to expand upon my previous post and create a slightly more full-featured PowerShell-based code/DLL injection utility. Behold, PowerSyringe. As the name...


Powershell Live-Memory Analysis Tools: Dump-Memory, Dump-Strings,...

I'm releasing three new tools for PowerShell that may be of use to those performing live-memory forensics or to penetration testers trying to pull sensitive information from memory. Dump-Memory will...


64-bit Process Replacement in Powershell

Download here: Replace-x64-Process.ps1

For those of you who follow me on Twitter, you may have noticed that I posted a few teasers related to replacing processes in PowerShell. Without further ado, I am...


Architecture Independent Windows Shellcode

What's this? A non-PowerShell-related blog post??? Unheard of! Today's post is more of a novelty, but perhaps someone might benefit from it. There may be times when you'd like to execute shellcode but...


Extracting hard-coded credentials using managed code debugging techniques in...

tl;dr version: Using some simple managed code debugging techniques, you can easily pull hard-coded credentials out of a binary that claims to protect them. A friend of mine (@Obscuresec) referred me to a...


Accessing the Windows API in PowerShell via internal .NET methods and reflection

tl;dr version: It is possible to invoke Windows API functions via internal .NET native method wrappers in PowerShell without requiring P/Invoke or C# compilation. How is this useful for an attacker?...


PowerSploit - A PowerShell Post-Exploitation Framework

PowerSploit Repo

After recently reviewing my code for PowerSyringe, I realized it was total crap. Although it worked and got the job done in most cases, it was ugly. Also, upon discovering how to...


PowerSploit - New Feature: Inject-Shellcode now supports Metasploit HTTP[S]...

PowerSploit Repo

The Inject-Shellcode script, which is part of the PowerSploit project, now supports windows/meterpreter/reverse_http and windows/meterpreter/reverse_https payloads. Now you don't have...


Get-ILDisassembly - A Scriptable MSIL Disassembler Added to PowerSploit

PowerSploit Repo

I just added Get-ILDisassembly to the PowerSploit project. This tool takes any MethodInfo object and returns the disassembly for that method, assuming it's not a native method or...


Finding PowerShell's Missing Binary Operator - Rotate Right

One of my complaints about PowerShell is its lack of binary operators. As of version 2, it had the -bor, -band, and -bxor operators. Also, thankfully, version 3 will include shift left and shift right...
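Rotate-right is easy to build once shifts exist, but there is a trap: on a signed [int], -shr is an arithmetic shift and drags the sign bit in, so the bits you fold back around come out wrong for any value with the top bit set. The example below is added here and is not the construction the original post settles on. It assumes PowerShell 3.0 or later (where -shl and -shr exist), works on a [uint32] so the shift is logical, and, going a step beyond the post's teaser, adds the matching rotate-left by expressing it as a rotate-right of the complementary count.

```powershell
# Added example, not code from the original post. Assumes PowerShell 3.0+ for -shl/-shr.

function Rotate-Right {
    # 32-bit rotate right (x86 ROR) built from -shr, -shl and -bor.
    [CmdletBinding()]
    [OutputType([uint32])]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [uint32]$Value,

        [Parameter(Mandatory = $true, Position = 1)]
        [int]$Count
    )

    # Rotating by a multiple of the width is a no-op, so reduce the count mod 32.
    # -band 31 also handles negative counts via two's complement.
    $Count = $Count -band 31
    if ($Count -eq 0) { return $Value }

    # Because $Value is [uint32], -shr is a logical shift (zero fill). On a signed
    # [int] it would be arithmetic and sign-extend, corrupting the rotated bits.
    $Low  = $Value -shr $Count
    # The shift stays within 32 bits; bits pushed past the top are discarded,
    # leaving exactly the bits that wrapped around.
    $High = $Value -shl (32 - $Count)

    [uint32]($Low -bor $High)
}

function Rotate-Left {
    # 32-bit rotate left (x86 ROL): ROL n == ROR (32 - n) on the same width.
    [CmdletBinding()]
    [OutputType([uint32])]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [uint32]$Value,

        [Parameter(Mandatory = $true, Position = 1)]
        [int]$Count
    )

    Rotate-Right -Value $Value -Count ((32 - ($Count -band 31)) -band 31)
}

# Self-checks with hand-worked values. Decimal literals are used for the inputs
# because a hex literal such as 0xDEADBEEF parses as a negative [int] and will
# not convert to [uint32].
$Ror = Rotate-Right -Value 3735928559 -Count 8      # 0xDEADBEEF ror 8
if ($Ror -ne 4024348094) { throw ('Rotate-Right mismatch: 0x{0:X8}' -f $Ror) }   # 0xEFDEADBE

$Rol = Rotate-Left -Value $Ror -Count 8             # rotating back must restore the input
if ($Rol -ne 3735928559) { throw ('Rotate-Left mismatch: 0x{0:X8}' -f $Rol) }

$Wrap = Rotate-Right -Value 1 -Count 1              # the low bit must land in bit 31
if ($Wrap -ne 2147483648) { throw ('Rotate-Right lost the wrapped bit: 0x{0:X8}' -f $Wrap) }

'ROR 0xDEADBEEF,8 = 0x{0:X8}; ROL back = 0x{1:X8}' -f $Ror, $Rol
```

If you need 8- or 16-bit rotates (common when reimplementing a hash or a simple string obfuscator in script), widen to [uint32] first, rotate, and mask the result with 0xFF or 0xFFFF; the width constant in the two functions is the only other thing that changes.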


Get-PEHeader - A Scriptable In-memory and On-disk PE Parsing Utility

Download: 'PETools' PowerShell module

Introducing yet another PE parsing utility! Where Get-PEHeader differentiates itself, though, is that it will parse 32- and 64-bit executables both on disk and loaded...
