From 37bb96d47ff753e37cd81fbdafcac529799680cd Mon Sep 17 00:00:00 2001 From: lc0des Date: Fri, 10 Sep 2021 12:27:01 +0200 Subject: [PATCH] initial --- README.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..4aa08c7 --- /dev/null +++ b/README.md 
@@ -0,0 +1,71 @@ +# Win32 Exploitation + +This repo is dedicated to my steps in win32 exploitation. The path is strongly paved around the OSCE and [CORELAN.BE](https://www.corelan.be/) documents. + +# Exploits + +## Vulnserver + +pretty neat application to train circumvention of several security features. including classic RET Overwrite, SEH, Egghunting, ASCII Shellcode ... + +## RM2MP3 Converter + +corelan.be Exploitation Tutorials strongly rely on this application in a vulnerable version to explain circumvention of security mechanisms. + +# Anti-Exploitation + +## DEP / ROP + +### OS Specifics + +#### Defaults + +* Windows XP SP2, XP SP3, Vista SP0 : OptIn +* Windows Vista SP1 : OptIn + Permanent DEP +* Windows 7: OptIn + Permanent DEP +* Windows Server 2003 SP1 and up : OptOut +* Windows Server 2008 and up : OptOut + Permanent DEP + +#### boot.ini +* /noexecute=policy + +#### Vista/Windows 2008/Windows 7 +* bcdedit.exe /set nx OptIn +* bcdedit.exe /set nx OptOut +* bcdedit.exe /set nx AlwaysOn +* bcdedit.exe /set nx AlwaysOff + +#### Windows XP SP3 EN +* Control-Center-Advanced-DEP + * OptOut Default (First Button) + * OptIn (2nd Button) + * Exception List Available + +### Techniqx + + +#### VirtualAlloc + +* VirtualAlloc(MEM_COMMIT + PAGE_READWRITE_EXECUTE) + copy memory. This will allow you to create a new executable memory region, copy your shellcode to it, and execute it. This technique may require you to chain 2 API’s into each other. + +#### HeapCreate + +* HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory. In essence, this function will provide a very similar technique as VirtualAlloc(), but may require 3 API’s to be chained together)) + +#### SetProcessDEPPolicy + +* SetProcessDEPPolicy(). 
This allows you to change the DEP policy for the current process (so you can execute the shellcode from the stack) (Vista SP1, XP SP3, Server 2008, and only when DEP Policy is set to OptIn or OptOut) + +#### NtSetInformationProcess +* NtSetInformationProcess(). This function will change the DEP policy for the current process so you can execute your shellcode from the stack. + +#### VirtualProtect +* VirtualProtect(PAGE_READ_WRITE_EXECUTE). This function will change the access protection level of a given memory page, allowing you to mark the location where your shellcode resides as executable. + +#### WriteProcessMemory + +* WriteProcessMemory(). This will allow you to copy your shellcode to another (executable) location, so you can jump to it and execute the shellcode. The target location must be writable and executable. + +# References +* https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ +* https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
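Review bot: the page-protection constants in the VirtualAlloc and VirtualProtect bullets (`VirtualAlloc(MEM_COMMIT + PAGE_READWRITE_EXECUTE)` and `VirtualProtect(PAGE_READ_WRITE_EXECUTE)`) are not the names the Win32 API uses; the real constant is `PAGE_EXECUTE_READWRITE` (0x40), and a reader assembling a ROP chain from these notes will look up the wrong symbol. The other flag names (`MEM_COMMIT`, `HEAP_CREATE_ENABLE_EXECUTE`) are correct. Two smaller points in the same section: the `SetProcessDEPPolicy` bullet qualifies itself with "only when DEP Policy is set to OptIn or OptOut", and the `NtSetInformationProcess` bullet should carry the same caveat, since the defaults list above already flags Vista SP1, Windows 7 and Server 2008 as "Permanent DEP", where neither call will change the policy of a process that has it set permanently; and the heading `### Techniqx` and the stray double parenthesis in "3 API's to be chained together))" look like typos.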