The Grey Corner

Restricted Character Set Buffer Overflow Tutorial for Vulnserver

2011-12-03T10:45:00.001+11:00

The title says it all. You can find the tutorial here.

Egghunter based exploit for Vulnserver

2011-10-20T17:27:00.000+11:00

A link to the most recent entry in the Vulnserver series is provided below. Its at the InfoSec Institute site once more. Link Hopefully the next part in the series will be coming up soon, keep watching this space.

SEH Based Buffer Overflow Tutorial for Vulnserver

2011-06-25T13:39:00.000+10:00

I wrote this tutorial on exploiting an SEH based vulnerability in Vulnserver a while back and am just getting around to posting a link for it here now that some formatting issues have been sorted. Its at the InfoSec Institute site once more. Link Hopefully the next part in the series will be coming up soon, keep watching this space.

Running Dradis in Apache on Ubuntu

2011-05-21T22:34:00.004+10:00

Ever been running Dradis and noticed dreadful, unworkable performance problems? I have, and to fix these I have often resorted to running Dradis on Apache, which seems to get things working nicely once more. The problem with doing this however, is that I cant find an online guide that actually works for getting this setup. The existing ones get you partway there, but still result in a broken

High Level Windows Shellcode Development Methods

2011-04-25T00:10:00.001+10:00

Heres a super quick entry covering some high level methods you can use when developing Windows shellcode. The methods are: Using the memory editing features of a debugger Using a c compiler Using an assembler Using a debugger Writing shellcode using the code editing features of a debugger like OllyDbg is best suited to really simple (approximately <20 byte) shellcode, or for making small edits

Simple Stack Based Buffer Overflow Tutorial for Vulnserver

2011-03-11T17:29:00.000+11:00

I have just written a tutorial for writing an exploit for the first and simplest exploitable vulnerability in Vulnserver. As with previous Vulnserver related articles, you can read it at the InfoSec Institute site. Links below: Part 1 Part 2 Part 3 Enjoy!

Exploit Writers Debugging Tutorial

2011-03-02T17:26:00.000+11:00

I have written a debugging tutorial specifically for exploit writers, which you can read at the InfoSec Institute resources site. It covers all of the debugging skills needed to use OllyDbg for the development of Basic to Intermediate exploits, and is intended as a lead in to the tutorials I am planning on how to exploit each of the vulnerabilities in Vulnserver. Links below: Part 1 Part 2

An Introduction to Fuzzing: Using SPIKE to find vulnerabilities in Vulnserver

2010-12-25T12:33:00.002+11:00

I have written an article on how to use the SPIKE fuzzer to find vulnerabilities in Vulnserver, which you can read at the InfoSec Institute site. Links are below. Part 1: Introduction to Fuzzing Part 2: Fuzzer Automation with SPIKE You can download some of the scripts used in the article below: fuzzer.pl trun.pl gmon.pl Enjoy!

Introducing Vulnserver

2010-12-15T11:29:00.000+11:00

Vulnserver I have just released a program named Vulnserver - a Windows based threaded TCP server application that is designed to be exploited. Why did I write this? I am (slowly, and when not occupied with other things) teaching myself to program in C, and this seemed like a good way to further develop my C programming skills. This gave me an opportunity to see how software is exploited

Version 0.4 of SSL Testing Tool ssltest.pl

2010-11-10T18:09:00.000+11:00

New version, fixing a bug with the list command and resolving an issue from Skoyern relating to SSLv2 compliance with PCI DSS. Download below - this link will always point to the latest version: ssltest.pl

Version 0.3 of SSL Testing Tool ssltest.pl

2010-11-09T20:43:00.000+11:00

I have released a new version of ssltest.pl - version 0.3. This new version has two changes from version 0.2: The tool now checks to see that it can make a connection to the provided host and port before it performs all of its SSL tests. This will allow you to differentiate a non listening socket or non working network connection from an SSL service that supports no ciphers (mostly there to

Download and Execute Script Shellcode on Windows 7

2010-10-21T18:20:00.001+11:00

I have just released a new version of my Download and Execute Script shellcode which now works on Windows 7. Essentially, the previous method I was using to find the base address of kernel32 was not Windows 7 compatible, so I have now started using this method discovered by SkyLined. Taking into account some other "efficient-ising" I did while I was making this change, this comes in at only (

Bypassing Restrictive Proxies Part 2, Modified Windows Shell via Metasploit PassiveX

2010-08-22T13:50:00.003+10:00

Introduction When I first posted my Download and Execute Script shellcode a few months back, I mentioned that I had used it to obtain a shell in a restrictive proxy environment, and that I would discuss the process in a future blog entry. Well this blog entry has been a long time coming, mostly because I couldn't think of the right way to present the code that I used. Since use of this method

Version 0.2 of SSL Testing Tool ssltest.pl

2010-08-12T21:02:00.000+10:00

I have just released a new version (0.2) of ssltest.pl. This newest set of changes to the tool still don't include some of the things on my future wishlist, as mentioned in the previous post, but instead came about when I attempted to use the tool from a Windows system and found it didn't work so well. The changes in version 0.2 were essentially focused on getting the same functionality from

SSL Testing Tool ssltest.pl

2010-07-27T21:18:00.005+10:00

Update: I have just updated this tool to version 0.1.1 to resolve a minor bug (thanks Gitsnik) and a few cosmetic issues. I have used a number of different tools to check cipher support on SSL Servers, including SSLDigger, sslthing, Cryptonark, Openssl and even a few web based solutions. Each tool has its good and bad points, but recently when trying to confirm that a particular badly behaved

Bypassing Restrictive Proxies Part 1, Encoded Executables and DNS Tunneling

2010-06-19T00:43:00.001+10:00

Uses for Download and Execute Script Shellcode A little while back I posted my Download and Execute Script shellcode and mentioned that it could be used in bypassing restrictive proxy servers. In this post I will give some quick examples of how you can actually do that. The example scenarios I will describe are as follows, and involve having the script that is downloaded and executed: write

Bypassing AntiVirus Detection for Malicious PDFs

2010-06-13T02:12:00.010+10:00

Introduction Recently I had to get a malicious PDF file past a virus scanner as part of a penetration test, and I thought I would share the process I used to do it. But before I do so, lets get the standard disclaimer out of the way... Warning! Please note that this tutorial is intended for educational purposes only, and you should NOT use the skills you gain here to attack any system for

Download and Execute Script Shellcode

2010-05-22T21:14:00.009+10:00

Introduction Something I have been working on lately is shellcode to download and execute a script on a Windows system. "What?" you may be thinking, "Why the hell would you want to do that when there already exists shellcode to download and execute proper Windows executables?" The short answer to that question is "To bypass restrictive proxy servers"... ... Need more detail than that?

Running Regripper on Linux

2010-04-25T15:57:00.007+10:00

I have been using Harlan Carvey's excellent RegRipper tool for a while now to analyse Windows registry hive files as part of incident investigations, and since I do the majority of my investigations from Linux systems I thought I'd share here the process I use to run RegRipper from Linux. I am aware that a Linux version of RegRipper has been created but at the time that I checked it was not

Random Links

2010-04-09T17:35:00.001+10:00

Just adding a couple of random links I found interesting over the past few days First of all - the nmap survey! Used as input for updates to nmap and to the sectools.org list. If you havent already get in there and vote!http://nmap.org/survey/ More on malicious pdf analysis at the ISC Diary. This one analyses a pdf that is using some interesting new Javascript obfuscation methods. http://

Bypassing Antivirus Detection: Netcat

2010-04-03T21:19:00.001+11:00

Introduction The subject of bypassing AV detection is one that comes up quite frequently in discussions in pentesting circles, and I was most recently reminded of it once again when it came up on one of the mailing lists I subscribed to. In this particular case, the executable in question that people wanted to sneak by those evil AV scanners was the Windows version of netcat (nc.exe). Since

Links and trojans and zipsploits, oh my!

2010-03-31T21:25:00.002+11:00

A bit of a housekeeping post here, where I am just going to provide some links for cool stuff I have seen recently and provide some updates on some things mentioned in other blog posts. First of all... the trojan. Im still planning to write a malware detection and analysis style post using it as an example, but when I actually started writing the thing it started to grow out of all proportion

The Difference Between Heap Overflow and Use After Free Vulnerabilities

2010-03-31T20:35:00.000+11:00

A little while back I received a question from a blog reader asking about the difference between heap overflows and use after free vulnerabilities, and I thought it would make a good topic for a blog post, so here goes. Now, to answer this question I am first going to have to explain something about memory management, so prepare yourself for reams of dry theory... There are two main types of

Uh oh! Trojan!

2010-03-19T10:51:00.002+11:00

Apparently you cant trust anyone these days. Including me it seems ;). In my second exploit tutorial I talked about how to exploit a vulnerability in BigAnt Server 2.52, and I provided a link to the vulnerable application from the Exploit-DB. On the 27th of February, I noticed that the Exploit-DB download link for the vulnerable application had been removed, with no explanation as to why, so

Do the Exploit Tutorials Work Under XP SP3?

2010-02-28T13:14:00.001+11:00

I have received a couple of questions from blog readers recently about whether the various exploits I have written in my various exploit tutorials will work under XP SP3, so I thought I would write a quick blog post on the subject here in case other readers were interested. As mentioned in each of my tutorials, the platform I have been using for my victim machine is XP SP2. There was no real

Creating an Unprivileged (Non Root) User in BackTrack

2010-02-27T20:33:00.006+11:00

Introduction This tutorial will cover the steps for adding a new, unprivileged user for day to day use of BackTrack. It will also discuss the reasons for and against running as root, as well covering off on as potential problems that may arise from running as a user other than root and how to solve these problems. This is essentially just a repost of a tutorial I posted over at the BackTrack

Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump

2010-02-13T21:46:00.003+11:00

Introduction This is entry number five in my series of buffer overflow tutorials. These tutorials have been written so that the later tutorials build upon skills taught in the earlier ones, so if you haven't already read parts one, two, three and four Id recommend you do that first before you attempt this entry. This particular entry will exploit a vulnerability in Savant Web Server 3.1

Installing and Running the MinGW Windows C Compiler on Linux

2010-02-13T14:35:00.001+11:00

Having a working Windows c compiler on your Linux system can be very handy for penetration testing and incident response activities, as it allows you to create executables from Windows shellcode to aid in analysis or to compile Windows c based exploits so you can run them on your Linux box using wine. In this post I will briefly cover the steps required to install the MinGW C compiler on a Linux

Linkfest

2010-02-09T18:20:00.002+11:00

To tide everyone over while I finish up writing part 5 of my exploit tutorials (which will hopefully be done by the end of this week), I have a number of interesting links that I have collected recently. Didier Stevens has been up to some very interesting things recently with getting dlls loaded from memory (so a copy of the DLL does NOT have to be stored on the hard disk). This has very

Introduction to Vulnerability Discovery: Guest Post

2010-01-28T18:12:00.000+11:00

When I wrote my second buffer overflow tutorial I mentioned that I was discussing with Lincoln the possibility of him writing a complementary blog post on how the vulnerability in BigAnt Server 2.52 was discovered. Well here is the post in its entirety, written by the man himself and posted as a guest entry on my blog: Finding 0day for BigAnt The process of finding a buffer overflow is

Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability

2010-01-24T22:27:00.007+11:00

Introduction This is the fourth entry in my series of exploit tutorials. Part one is here, part two is here, and part three is here. The tutorials are written to be done in order, so ensure you have the required knowledge from parts one through three before you attempt number four. In this entry, we will be reproducing the "aurora" Internet Explorer exploit using heap spraying. This exploit

Windows Buffer Overflow Tutorial: Dealing with Character Translation

2010-01-17T19:44:00.001+11:00

Introduction This is the third entry in my series of buffer overflow tutorials. In case you missed them, here are entries one and two. These tutorials are designed to build upon skills taught in each of the preceding tutorials, so I recommend that you complete the first two before you attempt this one. In this entry we will be doing another SEH Stack based overflow, however in this case our

BackTrack 4 Final First Impressions

2010-01-13T00:24:00.000+11:00

I just finished installing BackTrack 4 Final and I thought I would list some of my initial impressions of it here. I performed a fresh install of BackTrack 4 Final, over the top of my old BackTrack 4 PreFinal install. Apparently an upgrade is possible (according to this) but it sounds like it might cause some small niggles so I decided to go with the fresh install option. Theres a few things

BackTrack 4 Final Released!

2010-01-12T13:13:00.000+11:00

BackTrack 4 Final has finally been released! Along with the new BackTrack version there is also a new website including various installation, customisation and usage HowTo documents, a new blog, and a new forum. I am currently downloading BT4 Final from the official torrent (the official downloads are here, dont forget to check the MD5 hash!) , and I will post here again with my first

Analysing a Malicious PDF Document

2010-01-10T00:25:00.008+11:00

Introduction On a number of occasions I have had to analyse PDF documents to determine whether they were malicious, and in this post I am going to share the process I follow in performing this analysis. For demonstration purposes, I will generate an example malicious PDF document using Metasploit, featuring the "use-after-free" media.newPlayer vulnerability. This is the very same exploit that

SEH Stack Based Windows Buffer Overflow Tutorial

2010-01-07T20:17:00.025+11:00

Introduction This is the second in my series of buffer overflow tutorials, which focuses on how to use an overwrite of the SEH handler address on the stack to gain control of code execution in a vulnerable program. The intent of this series of tutorials is to educate the reader on how they can write buffer overflow exploits. This will enable you to have a better understanding of the use of

Stack Based Windows Buffer Overflow Tutorial

2010-01-07T13:44:00.005+11:00

Introduction One thing I have always maintained is that aspiring or practicing penetration testers who use an exploitation product (such as CANVAS, Core Impact, Metasploit) should know how buffer overflows actually work. Having this knowledge will help you understand the circumstances under which these products can work, will help you troubleshoot when things don't work and will correct