Our Blog

Linux Heap Exploitation Intro Series: Riding free on the heap – Double free attacks!

Reading time: ~15 min
Intro Hello again and welcome to the third of our series. In today’s blog post we are going to see...

building the bsidescpt17 rfchallenge

Reading time: ~24 min
In this post I want to talk a little about the BSides Cape Town 17 RFCat challenge and how I...

gowitness – a new tool for an old idea

Reading time: ~4 min
On a recent assessment I had an incredibly large IP space that was in scope. Almost an entire /8 to...

A distinguisher for SHA256 using Bitcoin (mining faster along the way)

Reading time: ~5 min
This post assumes a passing familiarity with what a Distinguishing Attack on a cryptographic hash is, as well as the...

Outlook Home Page – Another Ruler Vector

Reading time: ~12 min
Ruler has become a go-to tool for us on external engagements, easily turning compromised mailbox credentials into shells. This...

Macro-less Code Exec in MSWord

Reading time: ~5 min
Authors: Etienne Stalmans, Saif El-Sherei What if we told you that there is a way to get command execution on...

Recreating certificates using Apostille

Reading time: ~3 min
Sometimes on an engagement, you’d like to construct a believable certificate chain that you have the matching private keys for...

NotRuler – Turning Offence into Defence

Reading time: ~7 min
We’ve spent a lot of time creating Ruler and turning it into, what we think, is a useful attack tool....

Linux Heap Exploitation Intro Series: The magician's cape – 1 Byte Overflow

Reading time: ~21 min
Intro Hello again! It’s been a while since the last blog post. This is due to not having as much...

DEEP INSERT – Card Skimmer Research

Reading time: ~17 min
So I get a phone call from Daniel on a Wednesday night, Stu, can you bring your hardware stuff with...

Abusing GDI Objects for ring0 Primitives Revolution

Reading time: ~21 min
Exploiting MS17-017 EoP Using Color Palettes This post is an accompaniment to the Defcon 25 talk given by Saif. One...

Linux Heap Exploitation Intro Series: Used and Abused – Use After Free

Reading time: ~9 min
Intro After analysing the implementation of ptmalloc2, which is a must read if you don’t know anything about the Linux userland...

A new colour scheme

Reading time: ~2 min
SensePost has been hacking for 17 years and the time has come for a branding change. The change in logo...

objection – mobile runtime exploration

Reading time: ~4 min
introduction In this post, I want to introduce you to a toolkit that I have been working on, called objection....

SensePost at BlackHat & Defcon 2017

Reading time: ~2 min
July is our favourite time of year, when thousands descend on Las Vegas for Blackhat/Defcon, or more commonly referred to...

Fuzzing Apache httpd server with American Fuzzy Lop + persistent mode

Reading time: ~10 min
Intro Recently, I reported CVE-2017-7668 (Apache Server buffer-over-read). This is a cross-post from my personal blog where I explain how...

Linux Heap Exploitation Intro Series – (BONUS) printf might be leaking!

Reading time: ~11 min
Intro Hi there (again)! This series is coming to an end, as the next feasible step is the widely...

Pentesting Enterprise Infrastructure – Journeyman Level

Reading time: ~2 min
Sophisticated attacks aim to hide from endpoint solutions. Advanced hacking. Expert approaches. We are inundated by advanced this, expert that,...

Women's Training Scholarship

Reading time: ~1 min
SensePost and BlackHat are proud to announce a new scholarship initiative for a woman in the information security field. The...

Sending AM-OOK using Metasploit and rftransceiver

Reading time: ~7 min
Introduction Towards the end of last year, I found myself playing around with some basic amplitude modulation (AM)/On-off keying (OOK)...

Painless intro to the Linux userland heap

Reading time: ~25 min
-1 – Pre-Intro When looking at heap exploit tutorials, most of the time I found myself lacking knowledge on the...

Outlook Forms and Shells

Reading time: ~16 min
Using MS Exchange and Outlook to get a foothold in an organisation, or to maintain persistence, has been a go...

The TRITON Won’t Protect You From Our Punches

Reading time: ~10 min
Whilst on a Red Team assessment back in 2015, we were faced with a tough Data Leak Protection (DLP) and...

Liniaal – Empire through Exchange

Reading time: ~7 min
Getting access to an internal network is always great, but keeping this access can be a whole other challenge. At times we...

USaBUSe Linux updates

Reading time: ~6 min
(If you’re new to this project, read the intro first) For the past few months, I’ve been working on porting...

Pass the Hash with Ruler

Reading time: ~5 min
Ruler at Troopers17 We are taking Ruler and the abuse of Exchange on a road trip to Germany in March....

Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects

Reading time: ~39 min
Starting from the beginning with no experience whatsoever in kernel land let alone exploiting it, I was always intrigued and...