CoreLabs Articles

Read articles from CoreLabs, the research division of Core Security. CoreLabs prides itself on taking a holistic view of information security with a focus on developing solutions to complex, real-world security problems that affect our customers.


May 11, 2022
The F5 BIG-IP iControl REST vulnerability, a critical authentication bypass vulnerability that leads to unauthenticated remote code execution, is quite simple to exploit and provides an attacker with a method to execute arbitrary system commands as root.
Apr 11, 2022
In this blogpost, we’ll briefly describe how we developed a DoS module for CVE-2022-21907. Instead of viewing it in a result-oriented way, we’ll approach it from a research standpoint, describing the process of developing this module for Core Impact.
Apr 7, 2022
In part 12, we completed the ROP bypass of the DEP in 64 bits. In this part, we’ll analyze and adapt the RESOLVER for 64 bits.  Resolution of the 64-Bit Exercise As a quick point of clarification, the shellcode is not mine. However, it is quite public, so it was simply adapted for this example.
Mar 15, 2022
I wanted to write this blog to show the analysis I did in the context of developing the Core Impact exploit “Win32k Window Object Type Confusion” that abuses the CVE-2022-21882 vulnerability. It’s based on the existing Proof of Concept (POC), which is both interesting and quite complex.
Jan 28, 2022
In part 11, we completed the ROP bypass of the DEP. In this part, we’ll begin our first exercise compiled in 64 bits. Before beginning, we’ll go over a few concepts in detail, because this exercise requires a new frame of reference. While the base is the same, it’s important to know the differences between 32 and 64 bits in order to be successful in reversing.
Dec 16, 2021
This post focuses on creating Cobalt Strike Beacon Object Files using the MinGW compiler on Linux. We will discuss several ideas and best practices that will increase the quality of your BOFs. Flexibility Compiling to Both Object Files and Executables While writing a BOF is great, it’s always worth making the code compile to both BOF and EXE.
Dec 13, 2021
The Log4Shell vulnerability, a serious remote code execution vulnerability in the Apache Log4j2 library, is one of the best candidates for winning several Pwnie awards in 2022.
Oct 20, 2021
In part 10, we started exploring different protections and mitigations that we may find. In this part, we’ll continue this exercise, completing the ROP bypass of the DEP. Roping Step by Step Typically, there are tools that, in simple cases can automatically build a ROP. However, in difficult cases, these tools generally can’t fully build one, or can only partially do so, leaving one to complete by hand the work that the tool could not do.
Sep 8, 2021
In the previous parts of this series, we went through some basic examples of exploitation and reversing. Now we’ll take a step forward, gradually adding different protections and mitigations that we will find.
Jun 17, 2021
In part 8, we solved ABO3 using IDA FREE. In this part, we’ll use Radare to solve ABO4. Updating Radare and Cutter First, we’ll need to update to the new version of Cutter, the Radare GUI. A pop-up will prompt us to update whenever there is a new version:
May 18, 2021
CVE-2021-26897 is a DNS server RCE vulnerability, and is triggered when many consecutive Signature RRs Dynamic Updates are sent. This vulnerability is an OOB write on the heap when combining the many consecutive Signature RR Dynamic Updates into base64-encoded strings before writing to the Zone file.
Apr 29, 2021
In part 7, we solved ABO2 in GHIDRA. In this part, we’ll use IDA FREE to solve ABO3. As is the case with all of the ABOS, the goal is to run the calculator or some other executable that we want. 
Mar 30, 2021
The new format of Microsoft monthly updates have proven challenging to reverse engineer. We’ve figured out a workaround that we hope will be helpful. In the original format, the Microsoft updates have always included the full files to patch, and from there it’s relatively straightforward to work on reversing and diffing through only extracting, without installing the patch.
Mar 18, 2021
Ransomware, as an active variant of current malware, has undoubtedly undergone a series of changes that have allowed cyber criminals to expand the horizons of clandestine business. In order to try to understand the different "forms" ransomware has presented over time, this article will show the evolutionary line of this latent threat in a compact and concrete way.
Mar 10, 2021
Authored by: Ernesto Alvarez, Senior Security Consultant, Security Consulting Services This article describes techniques used for creating UDP redirectors for protecting Cobalt Strike team servers. This is one of the recommended mechanisms for hiding Cobalt Strike team servers and involves adding different points which a Beacon can contact for instructions when using the HTTP channel.
Mar 4, 2021
The pen testing world is constantly changing and threat actors are continually finding new ways to exploit organizations of all industries and sizes. In order for pen testers to safely and efficiently test and expose security weaknesses, they enlist the help of different tools. This article series from cybersecurity expert Ricardo Narvaja provides tips and tricks on reversing and exploiting Windows using free and easy to get tools.
Feb 25, 2021
In part 6, we learned how to understand a shellcode and its resolver. Now, we will continue with the analysis and resolution of abo2 in GHIDRA. Download ABO2 executable. The latest version is on Google drive.
Feb 17, 2021
As you may already know, when a penetration test or Red Team exercise in being executed, it is important to define the objective of the project. Sometimes it is not enough to get Domain Admin privileges, so the objective may instead be defined as access to a particular network segment or a user’s workstation where credentials and sensitive information could be stored. For the purposes of this example, we’ll make the latter our main objective. With this in mind, let’s discuss the role DPAPI keys can play in such an attack. 
Feb 15, 2021
Authored by: Marcos Accossatto On August 5th, ethical hacker and cybersecurity professional Antoine Goichot posted on twitter that three vulnerabilities he had discovered on Cisco AnyConnect (CVE-2020-3433, CVE-2020-3434, and CVE-2020-3435) were now public. The next day, he published a follow-up blogpost on github.
Dec 18, 2020
Authored by: Ramiro Molina
Dec 15, 2020
In part 5, we completed our analysis of Stack4 using IDA Free. In this next part, we’ll be solving ABO1, using RADARE. The first thing we need to do is to find the binary information located in ABO1_VS_2017.exe. Go to the folder where the executable is and extract it using rabin2. Using RABIN2 rabin2 -l ABO1_VS_2017.exe
Oct 2, 2020
Authored by: Ricardo Narvaja Note: This work was originally done by Cristian Rubio and Ricardo Narvaja of Core Labs on Windows Server 2008 SP1 32 and 64-bit. There are not many differences in other versions of Windows. While the basis of the SIGred bug is quite simple, it’s critical to explore exactly how this vulnerability can exploited.
Sep 17, 2020
What You Need to Know About Netlogon and Zerologon On September 11th, 2020, researchers at Secura published information on a critical vulnerability in Microsoft’s Netlogon authentication process which they dubbed “Zerologon." It is a cryptographic flaw that has a clear path to full takeover of an Active Directory domain.
Jun 8, 2020
In part four, we performed an analysis of stacks three and four with exercises on testing bad characters. In this next part, we will complete our analysis of Stack4 using IDA Free. In subsequent parts, we’ll complete ABOS exercises that delve deeper into the use of the different tools.