dash/Win32_Exploitation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1 Commit 1 Branch 0 Tags
37bb96d47ff753e37cd81fbdafcac529799680cd
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
lc0des 37bb96d47f initial
2021-09-10 12:27:01 +02:00
README.md
initial
2021-09-10 12:27:01 +02:00

README.md

Win32 Exploitation

This repo is dedicated to my steps in win32 exploitation. The path is strongly paved around the OSCE and CORELAN.BE documents.

Exploits

Vulnserver

pretty neat application to train circumvention of several security features. including classic RET Overwrite, SEH, Egghunting, ASCII Shellcode ...

RM2MP3 Converter

corelan.be Exploitation Tutorials strongly rely on this application in a vulnerable version to explain circumvention of security mechanisms.

Anti-Exploitation

DEP / ROP

OS Specifics

Defaults

  • Windows XP SP2, XP SP3, Vista SP0 : OptIn
  • Windows Vista SP1 : OptIn + Permanent DEP
  • Windows 7: OptIn + Permanent DEP
  • Windows Server 2003 SP1 and up : OptOut
  • Windows Server 2008 and up : OptOut + Permanent DEP

boot.ini

  • /noexecute=policy

Vista/Windows 2008/Windows 7

  • bcdedit.exe /set nx OptIn
  • bcdedit.exe /set nx OptOut
  • bcdedit.exe /set nx AlwaysOn
  • bcdedit.exe /set nx AlwaysOff

Windows XP SP3 EN

  • Control-Center-Advanced-DEP
  • OptOut Default (First Button)
  • OptIn (2nd Button)
  • Exception List Available

Techniqx

VirtualAlloc

  • VirtualAlloc(MEM_COMMIT + PAGE_READWRITE_EXECUTE) + copy memory. This will allow you to create a new executable memory region, copy your shellcode to it, and execute it. This technique may require you to chain 2 APIs into each other.

HeapCreate

  • HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory. In essence, this function will provide a very similar technique as VirtualAlloc(), but may require 3 APIs to be chained together))

SetProcessDEPPolicy

  • SetProcessDEPPolicy(). This allows you to change the DEP policy for the current process (so you can execute the shellcode from the stack) (Vista SP1, XP SP3, Server 2008, and only when DEP Policy is set to OptIn or OptOut)

NtSetInformationProcess

  • NtSetInformationProcess(). This function will change the DEP policy for the current process so you can execute your shellcode from the stack.

VirtualProtect

  • VirtualProtect(PAGE_READ_WRITE_EXECUTE). This function will change the access protection level of a given memory page, allowing you to mark the location where your shellcode resides as executable.

WriteProcessMemory

  • WriteProcessMemory(). This will allow you to copy your shellcode to another (executable) location, so you can jump to it and execute the shellcode. The target location must be writable and executable.

References

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 69 MiB
Languages
Python 95.6%
C++ 4.4%