GreySec Forums

Full Version: Windows exploitation
Windows exploitation by @Fu11Shade

Just thought I'd share this golden gem here:

Fu11Shade Wrote: This page provides a pathway for learning Windows exploit development. Following the provided blog posts will allow you to learn Windows exploit development from the basics to advanced kernel exploitation on a Windows 10 system with all the mitigations enabled.

Basic exploitation (late 1990's - early 2010's era) is my repository with over 25 exploits written from scratch; these exploits are in scope of the "basic exploitation" category of this series.

Fair warning, some of the following posts are not finished yet… Most everything else is.

Id | Article | Author
0 | Setting up Immunity and WinDBG with FullShade | FullShade
1 | Classic JMP ESP buffer overflow | FullShade
2 | Local SEH buffer overflow | FullShade
3 | Local SEH buffer overflow with a DEP bypass | FullShade
4 | Remote SEH overflow with egghunters | FullShade
5 | Remote SEH overflows & multi-stage jumps | FullShade
6 | SEH overflows, alphanumeric & unicode encoding bypass | FullShade
7 | Bypassing SEH mitigations with DLL injection | FullShade
8 | Code caving and backdooring PEs | FullShade

Windows Internals theory
Id | Article | Author
9 | Understanding Windows security mitigations | FullShade
10 | Understanding Windows memory data structures | FullShade
11 | Understanding the PEB & WinDBG analysis | FullShade
12 | Kernel Opaque data structures & access tokens | FullShade
13 | Windows Kernel memory pool & vulnerabilities | FullShade
14 | Basics of Kernel-mode driver (IRPs) & I/O requests | FullShade
15 | IOCTL's for kernel driver exploit development | FullShade

Windows kernel exploitation (2010 - 2013 era)

POCs and fully completed exploits can be found here; more coming this week.

Id | Article | Author
16 | Writing a Windows Kernel-Mode Driver - Part 1 | FullShade
17 | HEVD - Windows 7 x86 Kernel Stack Overflow | FullShade
18 | HEVD - Windows 7 x86 Kernel NULL Pointer Dereference | FullShade
19 | HEVD - Windows 7 x86 Kernel Type Confusion | FullShade
20 | HEVD - Windows 7 x86 Kernel Arbitrary Write | FullShade
21 | HEVD - Windows 7 x86 Kernel Use-After-Free | FullShade
22 | HEVD - Windows 7 x86 Kernel Integer Overflow | FullShade
23 | HEVD - Windows 7 x86 Kernel Uninitialized Stack Variable | FullShade
24 | HEVD - Windows 7 x86 Kernel Pool Overflow | FullShade
25 | HEVD - Windows 7 x86_64 Kernel Stack Overflow | FullShade
26 | HEVD - Windows 7 x86_64 Kernel Arbitrary Write | FullShade

Advanced Windows kernel exploitation (2016 - 2020 era)
Id | Article | Author
27 | HEVD - Windows 8.1 64-bit Kernel Stack Overflow w/ SMEP | FullShade
28 | Leaking Kernel Addresses on Windows 10 64-bit | FullShade
29 | Abusing GDI Bitmap objects on Windows 10 64-bit | FullShade

Hunting Windows 0days

Once you have enough Windows exploitation knowledge, you can start auditing third-party applications and drivers for 0day vulnerabilities. Below are a few that have been discovered with this level of information.

0days discovered by me can be found littered around my Github profile; more organization will come soon.

Id | Article | Author
30 | Fuzzing drivers for 0days, discover new vulnerabilities | FullShade

See full course:
Also adding this gem to the thread:
Advanced Windows exploit development resources

github Wrote: Some resources, links, books, and papers related mostly to Windows Internals and anything Windows kernel related. Mostly talks and videos.