Exploit Development | OffSec

Exploit Development

Everything related to vulnerability and exploit development, including OffSec course updates and live training.
Exploit Development

Bypassing Intel CET with Counterfeit Objects

In this blog, we’ll briefly cover how CFI mitigations work, including CET, and how we can leverage COOP (counterfeit object-oriented programming) to bypass Intel CET on the latest Windows releases.

Aug 25, 2022

13 min read

Exploit Development

AWAE Exam for OSWE Certification now Available with Online Course

In March we released the online version of Advanced Web Attacks and Exploitations (AWAE) to amazing customer response. Thank you to everyone that has taken the course! We really appreciate the kind words and reviews. Today, we are very pleased to announce the availability of the Offensive Security Web Expert (OSWE) certification.

May 13, 2019

3 min read

Exploit Development

Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)

by Morten Schenk

Windows 10 1809 Kernel ASLR Bypass Evolution

When it is well-implemented, Kernel Address Space Layout Randomization (KASLR) makes Windows kernel exploitation extremely difficult by making it impractical to obtain the base address of a kernel driver directly. In an attempt to bypass this, researchers have historically focused on kernel address leaks to…

Mar 19, 2019

10 min read

Exploit Development

AWAE Now Available Anywhere, Anytime

Our Advanced Web Attacks and Exploitation (AWAE) live training course has been one of the fastest-selling classes at various industry events for years. The Black Hat classes perennially sell out in a matter of minutes, and every year we’re snowed under by demand from security professionals wondering when we’ll offer it online. For this reason, today we’re excited to announce AWAE is now available online…

Mar 18, 2019

2 min read

Exploit Development

Fldbg, a Pykd script to debug FlashPlayer

A few months ago, we decided to make a new module for our Advanced Windows Exploitation class. After evaluating a few options we chose to work with an Adobe Flash 1day vulnerability originally discovered by the Google Project Zero team. Since we did not have any previous experience with Flash internals, we expected a pretty steep learning curve.

Nov 29, 2016

19 min read

Exploit Development

Disarming and Bypassing EMET 5.1

Last week Microsoft released EMET 5.1 to address some compatibility issues and strengthen its mitigations to make them more resilient to attacks and bypasses. We, of course, were curious to see whether our EMET 5.0 disarming technique had been addressed by the latest version of the toolkit.

Nov 18, 2014

5 min read

Exploit Development

Disarming EMET v5.0

In our previous Disarming EMET 4.x blog post, we demonstrated how to disarm the ROP mitigations introduced in EMET 4.x by abusing a global variable in the .data section located at a static offset. A general overview of the EMET 5 technical preview has recently been published here.

Sep 29, 2014

10 min read

Exploit Development

Symantec Endpoint Protection 0day

In a recent engagement, we had the opportunity to audit a leading Antivirus Endpoint Protection solution, where we found a multitude of vulnerabilities. Some of these made it to CERT, while others have been scheduled for review during our upcoming AWE course at Black Hat 2014, Las Vegas. Ironically, the same software that was meant to protect the organization under review was the reason for its compromise.

Jul 29, 2014

1 min read

Exploit Development

Disarming Enhanced Mitigation Experience Toolkit (EMET)

With the emergence of recent Internet Explorer vulnerabilities, we’ve been seeing a trend of EMET recommendations as a path to increasing application security. A layered defense is always helpful, as it increases the obstacles in the path of an attacker. However, we wondered how much it really helps: how much harder does an attacker have to work to bypass these additional protections? With that in mind, we started a deep dive into EMET.

Jul 1, 2014

5 min read

Exploit Development

NDPROXY Local SYSTEM exploit CVE-2013-5065

In the past few days there has been some online chatter about a new Windows XP/2k3 privilege escalation, well documented by FireEye. Googling around, we came across a Twitter message which contained a link to a Chinese vulnerability analysis and PoC.

Dec 4, 2013

1 min read

Exploit Development

Fun with AIX Shellcode and Metasploit

In one of our recent pentests, we discovered an 0day for a custom C application server running on the AIX Operating System. After debugging the crash, we discovered that the bug could lead to remote code execution and since we don’t deal very often with AIX exploitation, we decided to write an exploit for it. The first steps were accomplished pretty quickly and we successfully diverted the execution flow by jumping to a controlled buffer. At this point, we thought we could easily generate some shellcode from MSF and enjoy our remote shell.

Nov 20, 2012

6 min read

Exploit Development

CA ARCserve – CVE-2012-2971

On a recent penetration test, we encountered an installation of CA ARCserve Backup on one of the target systems that piqued our interest. Like most “good” enterprise applications, ARCserve has processes that are running as SYSTEM so naturally, we went straight to work looking for vulnerabilities.

Oct 30, 2012

11 min read

Exploit Development

MS11-080 Exploit – A Voyage into Ring Zero

Every patch Tuesday, we, like many in the security industry, love to analyze the released patches and see if any of them can lead to the development of a working exploit. Recently, the MS11-080 advisory caught our attention as it afforded us the opportunity to play in the kernel and try to get a working privilege escalation exploit out of it.

Dec 6, 2011

6 min read

Showing 1 - 13 of 24 entries