dash/Win32_Exploitation
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
e00ac3bf107c004348205af1181d15877bb3d9a8
Win32_Exploitation/README.md
lc0des 37bb96d47f initial
2021-09-10 12:27:01 +02:00

72 lines
2.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Win32 Exploitation
This repo is dedicated to my steps in win32 exploitation. The path is strongly paved around the OSCE and [CORELAN.BE](https://www.corelan.be/) documents.
# Exploits
## Vulnserver
pretty neat application to train circumvention of several security features. including classic RET Overwrite, SEH, Egghunting, ASCII Shellcode ...
## RM2MP3 Converter
corelan.be Exploitation Tutorials strongly rely on this application in a vulnerable version to explain circumvention of security mechanisms.
# Anti-Exploitation
## DEP / ROP
### OS Specifics
#### Defaults
* Windows XP SP2, XP SP3, Vista SP0 : OptIn
* Windows Vista SP1 : OptIn + Permanent DEP
* Windows 7: OptIn + Permanent DEP
* Windows Server 2003 SP1 and up : OptOut
* Windows Server 2008 and up : OptOut + Permanent DEP
#### boot.ini
* /noexecute=policy
#### Vista/Windows 2008/Windows 7
* bcdedit.exe /set nx OptIn
* bcdedit.exe /set nx OptOut
* bcdedit.exe /set nx AlwaysOn
* bcdedit.exe /set nx AlwaysOff
#### Windows XP SP3 EN
* Control-Center-Advanced-DEP
* OptOut Default (First Button)
* OptIn (2nd Button)
* Exception List Available
### Techniqx
#### VirtualAlloc
* VirtualAlloc(MEM_COMMIT + PAGE_READWRITE_EXECUTE) + copy memory. This will allow you to create a new executable memory region, copy your shellcode to it, and execute it. This technique may require you to chain 2 APIs into each other.
#### HeapCreate
* HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory. In essence, this function will provide a very similar technique as VirtualAlloc(), but may require 3 APIs to be chained together))
#### SetProcessDEPPolicy
* SetProcessDEPPolicy(). This allows you to change the DEP policy for the current process (so you can execute the shellcode from the stack) (Vista SP1, XP SP3, Server 2008, and only when DEP Policy is set to OptIn or OptOut)
#### NtSetInformationProcess
* NtSetInformationProcess(). This function will change the DEP policy for the current process so you can execute your shellcode from the stack.
#### VirtualProtect
* VirtualProtect(PAGE_READ_WRITE_EXECUTE). This function will change the access protection level of a given memory page, allowing you to mark the location where your shellcode resides as executable.
#### WriteProcessMemory
* WriteProcessMemory(). This will allow you to copy your shellcode to another (executable) location, so you can jump to it and execute the shellcode. The target location must be writable and executable.
# References
* https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
* https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
Reference in New Issue View Git Blame Copy Permalink