Archive for category Exploits

Exploiting Ammyy Admin – developing an 0day

Background For the past few years, a number of groups of scammers have been cold-calling thousands if not millions of people in what’s been referred to as the “Ammyy Scam” or the “Microsoft Tech Support Scam” among other names. The scammers pretend to be from Microsoft or another official group and claim to have detected […]


Shellcode sizes in Metasploit

When working on DNS tunneling shellcode, I was wondering how small the shellcode needed to be to work with most exploits. In case you have the same question, this is how you find out how much space, for example, all Windows exploits have, or see how many exploits a given payload will work with, although […]

No Comments

Malicious VM to Host Attacks

In The Hacker Games, a hostile VM is used as the target. It employs a few counterattacks among the included CTF-style challenges, so if you don’t want any spoilers, don’t keep reading!

No Comments

The Hacker Games

Welcome, welcome! The time has come to select one courageous young hacker for the honor of representing District 12 in the 74th annual Hacker Games! And congratulations, for you have been selected as tribute! … Depending on your skill level, you could pwn (or be pwned) in just a few minutes or in a few hours. So hack it before it hacks you …


Direct shellcode execution in MS Office macros

Metasploit has for years supported encoding payloads into VBA code. (VBA, or Visual Basic for Applications, is the language that Microsoft Office macros are written in.) Macros are great for pentesters, since they don’t rely on a specific version, and they are a supported method of code execution that most people don’t realize and are […]


Network Nightmare – PXE talk at Defcon

Hope you were able to see my talk at Defcon 19, Network Nightmare – Ruling the Nightlife Between Shutdown and Boot with PXEsploit. If not, you can see the slides here and watch the demos below. As a quick summary, the Preboot Execution Environment, available on almost all motherboards as “Network Boot,” provides a way […]

, ,


Bypassing DEP/ASLR in browser exploits with McAfee and Symantec

[Also found this lingering on my hard drive from earlier this year, the recent exploits using Java to do the same thing reminded me of this. But I think it’s still valid, so here you go. Useful if the target doesn’t have Java I guess.] Vanilla Firefox doesn’t seem to be missing ASLR/DEP protection; the […]


Firefox Exploit Analyzed

[I found some old posts lurking around my hard drive from a few months ago. This is no longer the newest or best Firefox exploit, but you might find it interesting] To learn a little bit more about exploit development and RE I took a look at the latest Firefox exploit in exploit-db (; […]

, , , , , , , , , , , ,

No Comments

Java_signed_applet with RJB

I just wasted a lot of time trying to get the java_signed_applet exploit module working in Metasploit. Not that it doesn’t work by default, but you will get the warning [-] [-] The JDK failed to initialized: no such file to load — rjb [-] In order to dynamically sign the applet, you must install […]

, , , , , ,

No Comments

Finding non-ASLR or DEP modules

As the recent exploits for IE using the .NET 2.0 DLL demonstrate, sometimes a non-ASLR DLL to enable an exploit is just a LoadLibrary away. So if pvefindaddr won’t give you any ASLR-free DLL’s in memory, look for other DLL’s which the process will load, given the right input. Or from a system-hardening or development […]

, , , , , , ,

1 Comment