Windows Internals: Dissecting Secure Image Objects - Part 1
Analysis of NT, Secure Kernel, and SKCI working together to create the initial SECURE_IMAGE object
Posts
posts
Exploit Development: No Code Execution? No Problem! Living The Age of VBS, HVCI, and Kernel CFG
Dealing with Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), and Kernel Control Flow Guard (kCFG).
Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 3)
Porting part 2’s ChakraCore exploit to Microsoft Edge while defeating ASLR, DEP, CFG, ACG, CIG, and other mitigations.
Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 2)
Leveraging ChakraCore to convert our denial-of-service from part 1 into a read/write primtive and functioning exploit.
Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 1)
End-to-end ‘modern’ browser exploitation on Windows beginning with configuring a browser exploitation environment, exploring JavaScript intrinsics, and under...
Exploit Development: ASLR - Coming To A KUSER_SHARED_DATA Structure Near You!
Examining recent changes to a highly-abused static structure, KUSER_SHARED_DATA, and its exploitation impact.
Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits, Part 2
Combining part 1’s information leak vulnerability with a pool overflow vulnerability to obtain code execution via grooming the kLFH
Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits, Part 1
Leveraging the HackSysExtreme Vulnerable Driver to understand the Windows kernel pool, the impacts of kLFH, and bypassing kASLR from low integrity via out-of...
Exploit Development: CVE-2021-21551 - Dell ‘dbutil_2_3.sys’ Kernel Exploit Writeup
Analysis and writeup on weaponizing CVE-2021-21551 without a data-only attack and the importance of Virtualization-Based Security, Hypervisor-Protected Code ...
Exploit Development: Browser Exploitation on Windows - Understanding Use-After-Free Vulnerabilities
Documenting my journey from ground 0 to (hopefully) more modern browser exploitation.
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Utilizing Cobalt Strike’s in-memory C capabilities to inject a Beacon implant into a remote process without spawning a remote thread on 64-bit systems.
Exploit Development: Between a Rock and a (Xtended Flow) Guard Place: Examining XFG
Taking a look at Microsoft’s new forward-edge CFI solution: Xtended Flow Guard
The Current State of Exploit Development, Part 2
In part two, we walk through the many exploit mitigations that Microsoft has put in place - include Page Table Randomization, Arbitrary Code Guard, and CET.
The Current State of Exploit Development, Part 1
This two-part series explores the evolution of exploit development and vulnerability research on Windows - beginning with types and legacy mitigation techniq...
Exploit Development: Playing ROP’em COP’em Robots with WriteProcessMemory()
Gaining code execution with WriteProcessMemory() via ROP and outlining the occasional need for Call-Oriented Programming.
Exploit Development: Leveraging Page Table Entries for Windows Kernel Exploitation
Exploiting page table entries through arbitrary read/write primitives to circumvent SMEP, no-execute (NX) in the kernel, and page table randomization.
Turning the Pages: Introduction to Memory Paging on Windows 10 x64
Brief introduction to memory paging on Windows 10 x64 to help leverage bypassing SMEP via page table entries.
Exploit Development: Rippity ROPpity The Stack Is Our Property - Blue Frost Security eko2019.exe Full ASLR and DEP Bypass on Windows 10 x64
Reverse engineering BFS’s eko2019.exe application and obtaining an ASLR bypass via an arbitrary read primitive.
Exploit Development: Panic! At The Kernel - Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP
Revisiting token stealing payloads on Windows 10 x64 and diving into mitigations such as SMEP.
Exploit Development: Windows Kernel Exploitation - Arbitrary Overwrites (Write-What-Where)
An introduction to exploiting the ability to write data to an arbitrary location.
Exploit Development: Windows Kernel Exploitation - Debugging Environment and Stack Overflow
An introduction to creating a kernel debugging environment with WinDbg and IDA to analyze and exploit a vulnerable kernel driver.
Exploit Development: Hands Up! Give Us the Stack! This Is a ROPpery!
An introduction to utilizing Return Oriented Programming to defeat Data Execution Prevention.
Riding the NOP sled into OSCE: Retrospect on the Cracking The Perimeter course and OSCE exam
My thoughts on the Cracking The Perimeter course/OSCE Exam and how I came to learn that one must learn to walk before learning to run.
Exploit Development: Second Stage Payload - WS_32.recv() Socket Reuse
Reusing an existing socket connection to add a buffer of a user defined length.
Exploit Development: 0day! Admin Express v1.2.5.485 Folder Path Local SEH Alphanumeric Encoded Buffer Overflow
A 0day I found in an application called Admin Express, how to, by hand, alphanumerically encode shellcode, align the stack properly, and explaining the integ...
From Zero to Hero: My Path to OSCP
How I went from a naive college kid, who did not know there was more than one distribution of Linux, to an OSCP in less than a year - and debunking the stigm...