Exploit Mitigation Killchain
Link to Lab Writeup
*Need to sort into actual order
Methods of finding opcodes:
metasploit opcode DB
pvefindaddr - mona.py
Corelan Exploit Series: https://www.corelan.be/index.php/articles/
- I have just released a program named Vulnserver - a Windows based threaded TCP server application that is designed to be exploited.
HackSys Extreme Vulnerable Driver
- HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level.
- HackSys Extreme Vulnerable Driver caters wide range of vulnerabilities ranging from simple Buffer Overflows to complex Use After Frees and Pool Overflows. This allows the researchers to explore the exploitation techniques for all the implemented vulnerabilities.z6z
This will allow you to transfer EIP control to a specified offset within a file containing shellcode and then pause to support a malware analysis investigation The file will be mapped to memory and maintain a handle, allowing shellcode to egghunt for second stage payload as would have happened in original loader Patches / self modifications are dynamically written to jmp2it-flypaper.out
- Miscellaneous tools written in Python, mostly centered around shellcodes.
..* bin2py: Embed binary files into Python source code.
..* shellcode2exe: Convert shellcodes into executable files for multiple platforms.
Writing Manual Shellcode by Hand
###General Videos/Presentations(that aren't
Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15
###General Techniques/ Tricks
Shellcode Debugging with OllyDbg
Walking Heap using Pydbg
- This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
Using ARM Inline Assembly and Naked Functions to fool Disassemblers
Easy Ways To Bypass Anti-Virus Systems - Attila Marosi -Trooper14
###Acquiring Old/Vulnerable Software
Acquiring VMs of any Windows going back to XP to Windows 10
Compromise-as-a-Service: Our PleAZURE.
- This could be a comprehensive introduction about the ubiquity of virtualization, the essential role of the hypervisor, and how the security posture of the overall environment depends on it. However, we decided otherwise, as this is what everybody is interested in: We will describe the Hyper-V architecture in detail, provide a taxonomy of hypervisor exploits, and demonstrate how we found MS13-092 which had the potential to compromise the whole Azure environment. Live demo included!
[DEP/ASLR bypass without ROP/JIT](https://cansecwest.com/slides/2013/DEP-ASLR bypass without ROP-JIT.pdf)
*rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O x86/x64/ARM binaries. It is open-source and has been tested on several OS: Debian / Windows 8.1 / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible and supports Intel syntax. Standalone executables can also be directly downloaded.
Mechanization of Exploits
Funky File Formats - Advanced Binary Exploitation
Exploit Tips and Techniques(ReCon2014 William Peteroy)
Modern Objective-C Exploitation Techniques
Fuzzing for MS15-010
- This past Patch Tuesday Microsoft released MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution. This patch addressed multiple privately reported vulnerabilities in win32k.sys and one publicly disclosed vulnerability in cng.sys. This post goes through identifying the patched vulnerability.
[Introduction to ROP programming]http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html)
Blind Return Oriented Programming (BROP)
- The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Based on whether a service crashes or not (i.e., connection closes or stays open), the BROP attack is able to construct a full remote exploit that leads to a shell. The BROP attack remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary used is not public (e.g., installed from source setups, Gentoo boxes, etc.).
The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations
BISC: Borrowed Instructions Synthetic Computation
- BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation training course.
#####Originally from a randomly linked Pastebin (if you made this, thank you so much; I've now added onto it and changed it from what it originally was. Original Page I've kept the original creator's note as I feel it is highly relevant and aligns with my goal)
- "My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.
- Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997
*More advanced ret-into-lib(c) techniques, Nergal, 2001
- On the effectiveness of address-space randomization, , 2004
- Gentle introduction to ROP programming
- Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005
- The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007
- Defeating DEP, the Immunity Debugger way, Pablo Sole,2008
- The Case of Return-Oriented Programming and the AVC Advantage, 2009
- Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010
Blind Return Oriented Programming (BROP)
- The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Based on whether a service crashes or not (i.e., connection closes or stays open), the BROP attack is able to construct a full remote exploit that leads to a shell. The BROP attack remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary used is not public (e.g., installed from source setups, Gentoo boxes, etc.). The attack completes within 4,000 requests (within minutes) when tested against a toy proprietary service, and real vulnerabilities in nginx and MySQL.
- Hacking Blind - BROP paper
- w00w00 on heap overflows, Matt Conover, 1999
- Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001
- [Once upon a free(), anonymous author, 2001(http://www.phrack.com/issues.html?issue=57&id=9)
- Advanced Doug Lea's malloc exploits, jp, 2003
- Exploiting the wilderness, Phantasmal Phantasmagoria, 2004
*Malloc Maleficarum, Phantasmal Phantasmagoria, 2005
- Yet another free() exploitation technique, huku, 2009
- Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Aslr Smack and Laugh Reference
- Advanced Buffer Overflow Methods
- Smack the Stack
- Exploiting the random number generator to bypass ASLR
Wikipedia on ASLR
- Bypassing Memory Protections: The Future of Exploitation
- On the Effectiveness of Address-Space Randomization
- Exploiting with linux-gate.so.1
- Circumventing the VA kernel patch For Fun and Profit
- Defeating the Matasano C++ Challenge
- Bypassing PaX ASLR protection
- Thoughts about ASLR, NX Stack and format string attacks
- Return-into-libc without Function Calls
- Linux ASLR Curiosities. Tavis Ormandy. Julien Tinnes
- Fun With Info-Leaks(DEP+ASLR bypass)/
..* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it’s quite nice what can be done with the bug.
- Exploiting Buffer Overflows On Kernels With Aslr Enabled Using Brute Force On The Stack Layer
- Bypassing The Linux Kernel Aslr And Exploiting A Buffer Overflow Vulnerable Application With Ret2esp
- This video tutorial illustrates how to exploit an application vulnerable to buffer overflow under a modern 2.6 Linux kernel with ASLR, bypassing stack layer randomization by search a jmp *%esp inside the executable file and forcing our program to jump there.
- Exploiting A Buffer Overflow Under Linux Kernel 2.6 With Aslr Through Ret2reg
- Linux kernel versions 2.6.x implement ASLR to avoid execution of arbitrary code located in the stack segment of a process. Moreover, kernel versions >= 2.6.18 also made the allocation of ld-linux.so.2 dynamic, and recent compilers also tend to avoid the generation of jmp|call *%esp instructions, so the use of a ret2esp technique to exploit a vulnerable application is becoming harder and harder. A way to turn around the problem is analyzing the registers situations just a while before the vulnerable code is executed: very probably one of them points to the address of the vulnerable buffer. All we have to do is searching inside the executable or a static library a ret2reg instruction, where reg is the register pointing to the vulnerable area, and use that as return address.
- Pwn2Own 2010 Windows 7 I nternet Explorer 8 exploit
*Attacking the Core : Kernel Exploiting Notes
Shellcoding for Linux and Windows Tutorial - Steve Hannah
Phrack Magazine Extraction Utility
- writing ia32 alphanumeric shellcode
Bypassing All the Things
- Handholding through Vuln Discovery and Exploitation
Smashing the Browser - From fuzzing to 0day on IE11
From fuzzing to 0-day
SQL Injection to MIPS Overflows: Part Deux
- This paper is a followup to a paper presented at BlackHat USA 2012, entitled “SQL Injec0ons to MIPS Overflows: Rooting SOHO Routers." That previous paper described how to combine SQL injection vulnerabili0es with MIPS Linux buffer overflows in order to gain root on Netgear SOHO routers. This paper revisits the “MiniDLNA” UPnP server that ships on nearly all Netgear routers in order to explore what has changed in the past two years.
From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)
Smashing The Browser: From Vulnerability Discovery To Exploit
- Goes from introducing a fuzzer to producing an IE11 0day
AVM Fritz!Box root RCE: From Patch to Metasploit Module
###Bypassing Exploit Protections/Mitigations
Exploring Control-Flow-Guard in Windows10
Defeating the Matasano C++ Challenge with ASLR enabled
Fun With Info-Leaks(DEP+ASLR bypass)/
- This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it’s quite nice what can be done with the bug.
Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005
Preventing the Exploitation of SEH Overwrites
- This paper proposes a technique that can be used to prevent the exploitation of SEH overwrites on 32-bit Windows applications without requiring any recompilation. While Microsoft has attempted to address this attack vector through changes to the exception dispatcher and through enhanced compiler support, such as with /SAFESEH and /GS, the majority of benefits they offer are limited to image files that have been compiled to make use of the compiler enhancements. This limitation means that without all image files being compiled with these enhancements, it may still be possible to leverage an SEH overwrite to gain code execution. In particular, many third-party applications are still vulnerable to SEH overwrites even on the latest versions of Windows because they have not been recompiled to incorporate these enhancements. To that point, the technique described in this paper does not rely on any compile time support and instead can be applied at runtime to existing applications without any noticeable performance degradation. This technique is also backward compatible with all versions of Windows NT+, thus making it a viable and proactive solution for legacy installations.
Understanding DEP as a mitigation Technology
Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
Bypassing Windows Hardware-enforced DEP
- This paper describes a technique that can be used to bypass Windows hardware-enforced Data Execution Prevention (DEP) on default installations of Windows XP Service Pack 2 and Windows 2003 Server Service Pack 1. This technique makes it possible to execute code from regions that are typically non-executable when hardware support is present, such as thread stacks and process heaps. While other techniques have been used to accomplish similar feats, such as returning into NtProtectVirtualMemory, this approach requires no direct reprotecting of memory regions, no copying of arbitrary code to other locations, and does not have issues with NULL bytes. The result is a feasible approach that can be used to easily bypass the enhancements offered by hardware-enforced DEP on Windows in a way that requires very minimal modifications to existing exploits.
Exploit Writeup on Flash vuln explaining use of ASLR + DEP bypass
Exploit Mitigation Killchain
Bypassing EMET’s EAF with custom shellcode using kernel pointer
Bypassing EMET 4.1
Disarming and Bypassing EMET 5.1 - OffSec
Bypassing Microsoft EMET 5.1 . Yet again.
Disarming and Bypassing EMET 5.1
Defeating EMET 5.2 Protections - Part 1
Defeating EMET 5.2 Protections - Part 2
Bypassing EMET 5.2 Protection
BYPASSING EMET Export Address Table Access Filtering feature
Subverting PatchGuard Version 2
- Windows Vista x64 and recently hotfixed versions of the Windows Server 2003 x64 kernel contain an updated version of Microsoft's kernel-mode patch prevention technology known as PatchGuard. This new version of PatchGuard improves on the previous version in several ways, primarily dealing with attempts to increase the difficulty of bypassing PatchGuard from the perspective of an independent software vendor (ISV) deploying a driver that patches the kernel. The feature-set of PatchGuard version 2 is otherwise quite similar to PatchGuard version 1; the SSDT, IDT/GDT, various MSRs, and several kernel global function pointer variables (as well as kernel code) are guarded against unauthorized modification. This paper proposes several methods that can be used to bypass PatchGuard version 2 completely. Potential solutions to these bypass techniques are also suggested. Additionally, this paper describes a mechanism by which PatchGuard version 2 can be subverted to run custom code in place of PatchGuard's system integrity checking code, all while leaving no traces of any kernel patching or custom kernel drivers loaded in the system after PatchGuard has been subverted. This is particularly interesting from the perspective of using PatchGuard's defenses to hide kernel mode code, a goal that is (in many respects) completely contrary to what PatchGuard is designed to do.
PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3
- Since the publication of previous bypass or circumvention techniques for Kernel Patch Protection (otherwise known as "PatchGuard"), Microsoft has continued to refine their patch protection system in an attempt to foil known bypass mechanisms. With the release of Windows Server 2008 Beta 3, and later a full-blown distribution of PatchGuard to Windows Vista and Windows Server 2003 via Windows Update, Microsoft has introduced the next generation of PatchGuard to the general public ("PatchGuard 3"). As with previous updates to PatchGuard, version three represents a set of incremental changes that are designed to address perceived weaknesses and known bypass vectors in earlier versions. Additionally, PatchGuard 3 expands the set of kernel variables that are protected from unauthorized modification, eliminating several mechanisms that might be used to circumvent PatchGuard while co-existing (as opposed to disabling) it. This article describes some of the changes that have been made in PatchGuard 3. This article also proposes several new techniques that can be used to circumvent PatchGuard's defenses. Countermeasures for these techniques are also discussed.
Bypassing PatchGuard on Windows x64
- The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested.
- Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team.
Too LeJIT to Quit: Extending JIT Spraying to ARM
Pool Blade: A new approach for kernel pool exploitation
64-bit Linux Return-Oriented Programming - Standford
Linux ASLR integer overflow: Reducing stack entropy by four
- A bug in Linux ASLR implementation for versions prior to 3.19-rc3 has been found. The issue is that the stack for processes is not properly randomized on some 64 bit architectures due to an integer overflow. This is a writeup of the bug and how to fix it.
A Brief History of Exploit Techniques and Mitigations on Windows
Windows DLL-Injection basics
Portable Executable Injection For Beginners
ActiveX - Active Exploitation
- This paper provides a general introduction to the topic of understanding security vulnerabilities that affect ActiveX controls. A brief description of how ActiveX controls are exposed to Internet Explorer is given along with an analysis of three example ActiveX vulnerabilities that have been previously disclosed.
Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
Windows Kernel-mode Payload Fundamentals
- This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the realm of a few, but it is hoped that documents such as this one will encourage a thoughtful progression of the subject matter. To that point, this paper will describe some of the general techniques and algorithms that may be useful when implementing kernel-mode payloads. Furthermore, the anatomy of a kernel-mode payload will be broken down into four distinct units, known as payload components, and explained in detail. In the end, the reader should walk away with a concrete understanding of the way in which kernel-mode payloads operate on Windows.
Exploiting the Otherwise Non-Exploitable on Windows
- This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding, to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer.
[Intro to Anti-Fuzzing](https://www.nccgroup.com/en/blog/2014/01/introduction-to-anti-fuzzing-a-defence-in-depth-aid/]
X86 Instruction Reference
Awesome Reference for Intel x86/64
- This reference is intended to be precise opcode and instruction set reference (including x86-64). Its principal aim is exact definition of instruction parameters and attributes.
Nasm x86 reference
The Ultimate Anti-Debugging Reference(2011)
- Good reference, though old.
Windows Anti-Debug Reference
- Good, but also old, Nov2010
- In this presentation I'll present a series of unusual security bugs. Things that I've ran into at some point and went "There's gotta be some security consequence here". None of these are really a secret, and most of them are even documented somewhere. But apparently most people don't seem to know about them. What you'll see in this presentation is a list of bugs and then some explanation of how these could be exploited somehow. Some of the things I'll be talking about are (recursive) stack overflow, NULL pointer dereferences, regular expressions and more.
Automated vulnerability analysis of zero sized heap allocations
OptiROP: The art of hunting ROP gadgets
- This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver and some creative heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode.
The Wallstreet of Windows Binaries - Marion Marschalek, Joseph Moti
Slides - Weird - Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System
Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)
Check out the 'Reverse Engineering" Section's Tools list for a lot of useful tools that aren't listed here.
Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection.
Equip: python bytecode instrumentation
- equip is a small library that helps with Python bytecode instrumentation. Its API is designed to be small and flexible to enable a wide range of possible instrumentations. The instrumentation is designed around the injection of bytecode inside the bytecode of the program to be instrumented. However, the developer does not need to know anything about the Python bytecode since the injected code is Python source.
!exploitable Crash Analyzer
- rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O (doesn't support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I'm trying to..) and has been tested on several OS: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable ; I will upload static-compiled binaries for each OS.
Pattern-Create/offset as a python function
- Metasploit pattern generator in Python, modified to be used as a function
Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push in a loaded DLL. This version includes search for pop/pop/ret set of instructions that is useful to bypass Windows XP SP2 and Windows 2003 stack protection mechanism.
###Decompilers & Disassemblers
- Bokken is a GUI for the Pyew and Radare projects so it offers almost all the same features that Pyew has and and some of the Radare's ones. It's intended to be a basic disassembler, mainly, to analyze malware and vulnerabilities. Currently Bokken is neither an hexadecimal editor nor a full featured disassembler YET, so it should not be used for deep code analysis or to try to modify files with it.
- IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment.
- Overview & Tutorials
..* Ida Plugins
- Ida Sploiter
- IDA Sploiter is a plugin for Hex-Ray's IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool. Some of the plugin's features include a powerful ROP gadgets search engine, semantic gadget analysis and filtering, interactive ROP chain builder, stack pivot analysis, writable function pointer search, cyclic memory pattern generation and offset analysis, detection of bad characters and memory holes, and many others.
- Ida Pomidor
- IDA Pomidor is a fun and simple plugin for the Hex-Ray's IDA Pro disassembler that will help you retain concentration and productivity during long reversing sessions.
- This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team.
- Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables!
- Reverse engineering for x86 binaries (elf-format). Generate a more readable code (pseudo-C) with colored syntax. Warning, the project is still in development, use it at your own risks. This tool will try to disassemble one function (by default main). The address of the function, or its symbol, can be passed by argument.
The Secret Lives of Debuggers - Lance Buttars - BSides SLC15
- Binaries are files like any text file or a bitmap. They can be modified and changed.With some basic understanding of assembly language anyone can take a binary and modify its execution in a debugger and using a hex editor change how it executes. In this presentation I will cover the basics of binary manipulation and the use of debuggers to change program execution.
- OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
- OllyDbg Tricks for Exploit Development
GDB - GNU Debugger
- GDB, the GNU Project debugger, allows you to see what is going on `inside' another program while it executes -- or what another program was doing at the moment it crashed.
- PEDA - Python Exploit Development Assistance for GDB
GEF - GDB Enhanced Features
- GEF is aimed to be used mostly by exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis or exploit development.
- Why not PEDA?
- Yes!! Why not?! PEDA is a fantastic tool to do the same, but is only to be used for x86-32 or x86-64. On the other hand, GEF supports all the architecture supported by GDB (x86, ARM, MIPS, PowerPC, SPARC, and so on).
*Excellent Resource Site
*Crash Dump Analysis Poster
- The WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment. It uses ctypes to wrap many Win32 API calls related to debugging, and provides a powerful abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows. The intended audience are QA engineers and software security auditors wishing to test or fuzz Windows applications with quickly coded Python scripts. Several ready to use tools are shipped and can be used for this purposes. Current features also include disassembling x86/x64 native code, debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing.
Open Source Windows x86/x64 Debugger
- xnippet is a tool that lets you load code snippets or isolated functions (no matter the operating system they came from), pass parameters to it in several formats (signed decimal, string, unsigned hexadecimal...), hook other functions called by the snippet and analyze the result. The tool is written in a way that will let me improve it in a future, defining new calling conventions and output argument pointers.
- HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need of serial (or USB) cables. For example, HyperDbg allows to single step the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is as powerful.
Bowcaster Exploit Development Framework
- This framework, implemented in Python, is intended to aid those developing exploits by providing useful set of tools and modules, such as payloads, encoders, connect-back servers, etc. Currently the framework is focused on the MIPS CPU architecture, but the design is intended to be modular enough to support arbitrary architectures.
- This is the CTF framework used by Gallopsled in every CTF.
###General Exploit Development Papers
Glibc Adventures: The Forgotten Chunks
x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique
- The x86-64 CPU platform (i.e. AMD64 or Hammer) introduces new features to protect against exploitation of buffer overflows, the so called No Execute(NX) or Advanced Virus Protection (A VP). This non-executable enforcement of data pages and the ELF64 SystemV ABI render common buffer overflow exploitation techniques useless. This paper describes and analyzes the protection mechanisms in depth. Research and tar get platform was a SUSE Linux 9.3 x86-64 system but the results can be expanded to non-Linux systems as well. search engine tag: SET-krahmer-bccet-2005.
ROPs are for the 99% - Yang Yu
Temporal Return Addresses
- Nearly all existing exploitation vectors depend on some knowledge of a process' address space prior to an attack in order to gain meaningful control of execution flow. In cases where this is necessary, exploit authors generally make use of static addresses that may or may not be portable between various operating system and application revisions. This fact can make exploits unreliable depending on how well researched the static addresses were at the time that the exploit was implemented. In some cases, though, it may be possible to predict and make use of certain addresses in memory that do not have static contents. This document introduces the concept of temporal addresses and describes how they can be used, under certain circumstances, to make exploitation more reliable.
Reducing the Effective Entropy of GS Cookies
- This paper describes a technique that can be used to reduce the effective entropy in a given GS cookie by roughly 15 bits. This reduction is made possible because GS uses a number of weak entropy sources that can, with varying degrees of accuracy, be calculated by an attacker. It is important to note, however, that the ability to calculate the values of these sources for an arbitrary cookie currently relies on an attacker having local access to the machine, such as through the local console or through terminal services. This effectively limits the use of this technique to stack-based local privilege escalation vulnerabilities. In addition to the general entropy reduction technique, this paper discusses the amount of effective entropy that exists in services that automatically start during system boot. It is hypothesized that these services may have more predictable states of entropy due to the relative consistency of the boot process. While the techniques described in this paper do not illustrate a complete break of GS, any inherent weakness can have disastrous consequences given that GS is a static, compile-time security solution. It is not possible to simply distribute a patch. Instead, applications must be recompiled to take advantage of any security improvements. In that vein, the paper proposes some solutions that could be applied to address the problems that are outlined.
OS X Kernel-mode Exploitation in a Weekend
- Apple's Mac OS X operating system is attracting more attention from users and security researchers alike. Despite this increased interest, there is still an apparent lack of detailed vulnerability development information for OS X. This paper will attempt to help bridge this gap by walking through the entire vulnerability development process. This process starts with vulnerability discovery and ultimately finished with a remote code execution. To help illustrate this process, a real vulnerability found in the OS X wireless device driver is used.
Getting out of Jail: Escaping Internet Explorer Protected Mode
- With the introduction of Windows Vista, Microsoft has added a new form of mandatory access control to the core operating system. Internally known as "integrity levels", this new addition to the security manager allows security controls to be placed on a per-process basis. This is different from the traditional model of per-user security controls used in all prior versions of Windows NT. In this manner, integrity levels are essentially a bolt-on to the existing Windows NT security architecture. While the idea is theoretically sound, there does exist a great possibility for implementation errors with respect to how integrity levels work in practice. Integrity levels are the core of Internet Explorer Protected Mode, a new "low-rights" mode where Internet Explorer runs without permission to modify most files or registry keys. This places both Internet Explorer and integrity levels as a whole at the forefront of the computer security battle with respect to Windows Vista.
Context-keyed Payload Encoding
- A common goal of payload encoders is to evade a third-party detection mechanism which is actively observing attack traffic somewhere along the route from an attacker to their target, filtering on commonly used payload instructions. The use of a payload encoder may be easily detected and blocked as well as opening up the opportunity for the payload to be decoded for further analysis. Even so-called keyed encoders utilize easily observable, recoverable, or guessable key values in their encoding algorithm, thus making decoding on-the-fly trivial once the encoding algorithm is identified. It is feasible that an active observer may make use of the inherent functionality of the decoder stub to decode the payload of a suspected exploit in order to inspect the contents of that payload and make a control decision about the network traffic. This paper presents a new method of keying an encoder which is based entirely on contextual information that is predictable or known about the target by the attacker and constructible or recoverable by the decoder stub when executed at the target. An active observer of the attack traffic however should be unable to decode the payload due to lack of the contextual keying information.
Automating Mimicry Attacks Using Static Binary Analysis
- Intrusion detection systems that monitor sequences of system calls have recently become more sophisticated in defining legitimate application behavior. In particular, additional information, such as the value of the program counter and the configuration of the program's call stack at each system call, has been used to achieve better characterization of program behavior. While there is common agreement that this additional information complicates the task for the attacker, it is less clear to which extent an intruder is constrained. In this paper, we present a novel technique to evade the extended detection features of state-of-the-art intrusion detection systems and reduce the task of the intruder to a traditional mimicry attack. Given a legitimate sequence of system calls, our technique allows the attacker to execute each system call in the correct execution context by obtaining and relinquishing the control of the application's execution flow through manipulation of code pointers. We have developed a static analysis tool for Intel x86 binaries that uses symbolic execution to automatically identify instructions that can be used to redirect control flow and to compute the necessary modifications to the environment of the process. We used our tool to successfully exploit three vulnerable programs and evade detection by existing state-of-the-art system call monitors. In addition, we analyzed three real-world applications to verify the general applicability of our techniques.
###Miscellaneous Exploit Writeups
MALLOC DES-MALEFICARUM - blackngel
It All Swings Around - Malicious Macros
- Writeup and explanation of random Macro exploits
Smashing the Heap with Vector: Advanced Exploitation T echnique in Recent Flash Zero - day Attack
Adventures in Xen Exploitation
- "This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217)."
Exploiting the DRAM rowhammer bug to gain kernel privileges
- "Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.
When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
- Program for testing for the DRAM "rowhammer" problem
Exploiting CVE-2014-4113 on Win8.1
Shellshock bug writeup by lcamtuf
Linux Kernel < 184.108.40.206 Econet Privilege Escalation Exploit
Coding Malware for Fun and Not for Profit (Because that would be illegal)
Exploiting “BadIRET” vulnerability - CVE-2014-9322, Linux kernel privilege escalation
The Userland Exploits of Pangu 8
Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player
- "The vulnerability was first discovered as a zero-day being actively exploited in the wild as part of the Angler Exploit Kit. Although the exploit code was highly obfuscated using the SecureSWF obfuscation tool, malware samples taking advantage of this vulnerability became publicly available, so I decided to dig into the underlying vulnerability in order to exploit it and write the corresponding module for Core Impact Pro and Core Insight."
A Technical Analysis of CVE 2014-1776
- CENSUS researcher Patroklos Argyroudis has recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 (Moscow, Russia) and BalCCon 2014 (Novi Sad, Serbia). In the talk titled “Project Heapbleed”, Patroklos has collected the experience of exploiting allocators in various different target applications and platforms. He focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort.
A Technical Analysis of CVE 2014-1776
Extreme Privelege Escalataion on Windows8 UEFI Systems
- Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
Fun with info leaks
Smashing the Browser
- Smashing The Browser: From Vulnerability Discovery To Exploit
- Writeup: going from fuzzing to an IE11 0day exploit development
Diving into A Silverlight Exploit and Shellcode - Analysis and Techniques
- Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload’s URL and contents.
- WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.
Analyzing Common Binary Parser Mistakes
- With just about one file format bug being consistently released on a weekly basis over the past six to twelve months, one can only hope developers would look and learn. The reality of it all is unfortunate; no one cares enough. These bugs have been around for some time now, but have only recently gained media attention due to the large number of vulnerabilities being released. Researchers have been finding more elaborate and passive attack vectors for these bugs, some of which can even leverage a remote compromise.
Finding and analyzing Crash dumps
All the Ways to Capture a Crash Dump
Basic Debugging of an Application Crash
Collecting User Mode Dumps
####High Level Searching
#####Searching Github for vulnerable code/credentials
- ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.