Dealing with Virtualization-Based Security (VBS), Hypervisor-Protected Code Integrity (HVCI), and Kernel Control Flow Guard (kCFG).
Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 3)
Porting part 2’s ChakraCore exploit to Microsoft Edge while defeating ASLR, DEP, CFG, ACG, CIG, and other mitigations.
Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 2)
Leveraging ChakraCore to convert our denial-of-service from part 1 into a read/write primitive and functioning exploit.
Exploit Development: Browser Exploitation on Windows - CVE-2019-0567, A Microsoft Edge Type Confusion Vulnerability (Part 1)
Examining recent changes to a highly-abused static structure, KUSER_SHARED_DATA, and its exploitation impact.
Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits, Part 2
Combining part 1’s information leak vulnerability with a pool overflow vulnerability to obtain code execution via grooming the kLFH.
Exploit Development: Swimming In The (Kernel) Pool - Leveraging Pool Vulnerabilities From Low-Integrity Exploits, Part 1
Leveraging the HackSysExtreme Vulnerable Driver to understand the Windows kernel pool, the impacts of kLFH, and bypassing kASLR from low integrity via out-of...
Analysis and writeup on weaponizing CVE-2021-21551 without a data-only attack and the importance of Virtualization-Based Security, Hypervisor-Protected Code ...
Documenting my journey from ground 0 to (hopefully) more modern browser exploitation.
Malware Development: Leveraging Beacon Object Files for Remote Process Injection via Thread Hijacking
Utilizing Cobalt Strike’s in-memory C capabilities to inject a Beacon implant into a remote process without spawning a remote thread on 64-bit systems.
Taking a look at Microsoft’s new forward-edge CFI solution: Xtended Flow Guard.
In part two, we walk through the many exploit mitigations that Microsoft has put in place - including Page Table Randomization, Arbitrary Code Guard, and CET.
This two-part series explores the evolution of exploit development and vulnerability research on Windows - beginning with types and legacy mitigation techniq...
Gaining code execution with WriteProcessMemory() via ROP and outlining the occasional need for Call-Oriented Programming.
Exploiting page table entries through arbitrary read/write primitives to circumvent SMEP, no-execute (NX) in the kernel, and page table randomization.
Brief introduction to memory paging on Windows 10 x64 to help leverage bypassing SMEP via page table entries.
Exploit Development: Rippity ROPpity The Stack Is Our Property - Blue Frost Security eko2019.exe Full ASLR and DEP Bypass on Windows 10 x64
Reverse engineering BFS’s eko2019.exe application and obtaining an ASLR bypass via an arbitrary read primitive.
Exploit Development: Panic! At The Kernel - Token Stealing Payloads Revisited on Windows 10 x64 and Bypassing SMEP
Revisiting token stealing payloads on Windows 10 x64 and diving into mitigations such as SMEP.
An introduction to exploiting the ability to write data to an arbitrary location.
An introduction to creating a kernel debugging environment with WinDbg and IDA to analyze and exploit a vulnerable kernel driver.
An introduction to utilizing Return Oriented Programming to defeat Data Execution Prevention.
My thoughts on the Cracking The Perimeter course/OSCE Exam and how I came to learn that one must learn to walk before learning to run.
Reusing an existing socket connection to add a buffer of a user defined length.
Exploit Development: 0day! Admin Express v184.108.40.2065 Folder Path Local SEH Alphanumeric Encoded Buffer Overflow
A 0day I found in an application called Admin Express, how to, by hand, alphanumerically encode shellcode, align the stack properly, and explaining the integ...
How I went from a naive college kid, who did not know there was more than one distribution of Linux, to an OSCP in less than a year - and debunking the stigm...