Latest from CoreLabs

Read blog posts from CoreLabs, the research division of Core Security. CoreLabs prides itself on taking a holistic view of information security with a focus on developing solutions to complex, real-world security problems that affect our customers.

In part one of this series, we focused on installing several tools that will be useful for reversing and exploiting security weaknesses on Windows. These tools are free to access, so anyone can use them to learn and try out the useful exercises…

Pen testing is a dynamic process that requires practitioners to exploit an environment to expose security weaknesses. In order to do this safely and efficiently, pen testers enlist the help of different tools. This article series will focus on reversing and exploiting Windows…

In the first part of this introduction to Linux and flash, we began with a basic lesson on flash memory. In part two, we can begin to tackle how Linux interacts with it. From this point forward, we’ll focus on NAND flash, with the…

During hardware-oriented engagements, we are sometimes faced with a hardware device's firmware image. This may happen because we downloaded a firmware upgrade image to try to understand a device with a view of finding security flaws, or we may find an unknown device…

The latest and greatest in Linux-MTD is UBI and UBIfs. It is important to keep in mind that UBI is not the same as UBIfs. These two are actually two layers in a stack. UBI (unsorted block images) is an abstraction layer that rides…

This work was originally done on Windows 7 Ultimate SP1 64-bit. The versions of the libraries used in the tutorial are: termdd.sys version 6.1.7601.17514, rdpwsx.dll version 6.1.7601.17828, rdpwd.sys version 6.1.7601.17830, icaapi.dll version 6.1.7600.16385, and rdpcorekmts.dll version 6.1.7601.17828. The Svchost.exe process: in the Windows NT operating system family, svchost.exe ('Service Host') is a system process that serves or…

As an exploit writer, one of my tasks consists of gathering common vulnerabilities and exposures (CVE) and all of the information related to them in order to design an exploit for Core Impact. As part of this process I stumbled across CVE-2018-15422: A…

In a previous blog post, I described how I bypassed the patch for the first fix for CVE-2018-15422. That bypass was also discovered by other researchers. You can check that out in Cisco’s updated advisory. Now, WebExec was the name given to…

While working on the NVIDIA DxgDdiEscape Handler exploit, it became obvious that the GDI primitives approach discussed over the last couple of years would be of no help in reliably exploiting this vulnerability. So we came up with another solution: we could map some specially chosen virtual addresses,…

As part of my daily work as an Exploit Writer, I decided to take a look at CVE-2017-7308. It is a Linux Kernel vulnerability related to packet sockets. I will not go into details about the bug itself or its exploitation because there is an…