I receive a lot of emails. (Please don’t make it worse, thanks!) Unfortunately I don’t have as much spare time as I used to, or would like to, so I often have no other choice than to redirect questions to our forums or our IRC channel (#corelan on freenode), hoping that other members of the community will jump in and help me answer those questions. One of the most frequently asked questions is “how do I become a penetration tester”. Depending on whom you ask this question, you may get different results or may be told to take a specific approach. With this post, I am trying to formulate my views on this question (with a focus on the process and not so much on the technical aspect), in an attempt to hopefully provide a good starting point for those that find themselves in a similar situation. For the record, I am not a penetration tester… but I try to apply common sense (seasoned with a touch of plain logic) to challenges and pretty much all situations in life. Don’t hesitate to provide feedback, suggest changes or tell me to STFU and GTFO. Any motivated additions or changes to this post are more than welcome, and I’ll update this page as needed.
Tuesday October 13th
Monday October 12th
In my previous post about this browser, I have already covered how you can abuse the insecure parsing of the Intent URI scheme into invoking the private WiFi Manager feature. I also described how you can exploit a path traversal vulnerability in the custom web server used by the WiFi Manager feature, in order to arbitrarily read files from the browser's data directory. Now we are going to cover how to achieve a fatality over the Mercury Browser for Android by gaining code execution.
For over forty years the computer industry has been engaged in a cat and mouse game of defensive and offensive techniques and countermeasures. Traditionally, the offensive side almost always has a technological and time advantage. Exploits are among the primary tools of the offensive side. An exploit is typically a piece of software, or some logic used by an attacker, which takes advantage of a bug or behaviour in the targeted software or hardware. Use of the exploit allows the target to be manipulated in ways unintended by the designer. This manipulation can in turn allow security bypasses, such as executing arbitrary code when only strict program interaction was intended or extracting sensitive data without authentication.
Monday September 28th
In the aftermath of the recent Android stagefright vulnerabilities, efficient fuzz testing techniques and tools for the Android ecosystem are again in the spotlight. In this post we would like to share some of the fuzz testing experience we have gained through our projects and show how it can be applied in the Android world. Additionally, we’ll list some of the public contributions we’ve made to open source tools, aiming to help the community focus more on the target and less on the tooling.
Not long ago I came across a certain font related vulnerability; it was a 0day being exploited in the wild. The vulnerability was in a driver I was somewhat familiar with, ATFMD.SYS. But what caught my eye this time was how the exploit was getting System privileges in a very elegant and clean way. The mechanics of this technique involve patching the kernel structure representing a bitmap (SURFOBJ), turning it into a powerful arbitrary read/write primitive. Alex Ionescu touched on the subject of Win32k shared memory regions in his excellent 2013 talk. But he didn’t mention this one; in fact the only previous mention of this technique I could find was by Keen Team in June 2015.
This talk will have two primary focus points, with the goal of providing useful information for both penetration testers and vulnerability developers looking to get into Windows kernel exploitation. Attendees will leave with an understanding of common kernel exploit techniques. The first half will be an overview of Windows kernel vulnerabilities with a focus on exploitability. The talk will explore the common classes of vulnerabilities and reveal what they mean from an exploitability perspective. The factors that make some vulnerabilities easier and more reliable to exploit than others will be revealed. The second half of the talk will contain techniques useful for creating (semi-)reliable exploits. Techniques that will be covered include gaining code execution, and notes for implementing exploits for the Metasploit framework.
Windows Management Instrumentation (WMI) is a remote management framework that enables the collection of host information, execution of code, and provides an eventing system that can respond to operating system events in real time. FireEye has recently seen a surge in attacker use of WMI to carry out objectives such as system reconnaissance, remote code execution, persistence, lateral movement, covert data storage, and VM detection. Defenders and forensic analysts have largely remained unaware of the value of WMI due to its relative obscurity and completely undocumented file format. After extensive reverse engineering, our team has documented the WMI repository file format in detail, developed libraries to parse it, and formed a methodology for finding evil in the repository.
Thursday September 24th
Adobe Flash is no stranger to security issues, but this post isn’t about stack overflows, bypassing ASLR, or sandbox escaping – it’s about building practical exploits against poor use of crossdomain.xml. For those unfamiliar with cross-domain policies in Flash, check out my previous post here. I’ve also built a nice tool for testing cross-domain requests in Flash which can be found here. Say a site has done the unspeakable and set their cross-domain policy to a wildcard. They’re completely compromised but now you have to write ActionScript to get a practical exploit going. Gross. Have you ever written AS3?
Wednesday September 23rd
Lately I have been spending some time digging into PHP, especially focusing on issues which could be used in Object Injection contexts; more specifically, for my research, I chose to target the SoapClient built-in class since it already had a past in terms of interesting findings. For the TL;DR guys: I ended up finding an RCE+info leak, a couple of NULL pointer dereferences, a memory exfiltration and sort of a trick to extend its attack surface; all the issues have been fixed with the PHP 5.6.12/5.5.28/5.4.44 releases.
Tuesday September 22nd
In the previous series of posts (parts #1 #2 #3 #4), we discussed the exploitation process of a serious “blend” vulnerability (CVE-2015-0093 / CVE-2015-3052), which was special in that it provided the attacker with an extremely powerful primitive (arbitrary out-of-bounds stack operations) allowing a fully reliable arbitrary remote code execution, and affected both a client-side application – Adobe Reader – and the Microsoft Windows kernel. While that bug was definitely the most severe and technically challenging issue discovered during my Type 1 / OpenType Charstring research conducted several months ago, it was not the only one affecting multiple platforms and certainly not the only interesting one.
Saturday September 19th
Warning: The repository associated with this post contains malicious binaries (core, core_packed, soldier, soldier_packed) for educational purposes. Don't go around toying with them if you don't know what you're doing. A couple of days ago I came across this post detailing a joint project between Ethan Heilman and Will Cummings discussing Hacking Team's crypter named 'core-packer'. The crypter's source was leaked online after the Hacking Team compromise of July 2015. As Heilman notes, despite the name, 'core-packer' is a crypter as it doesn't perform compression but rather uses anti-analysis functionality (including encryption) to obfuscate malicious PEs in order to evade anti-virus products. Taking a look at 'core-packer' provides an interesting glimpse at the quality (or lack thereof) of 'government-grade' commercial malware products.
Sunday August 23rd
So with the release of Windows 10 I (like many before me) decided to look into what new syscalls have been added. Syscalls are the means by which code running in the context of a user can request the functionality provided by the kernel be executed. This includes many basic operations such as opening and reading from files. Collecting this information will allow us to identify new functionality provided by the Windows 10 kernel.