Advanced Windows Exploitation Techniques

Matteo Memelli
Jim O'Gorman
Page 1 of 331
Table of Contents

Module 0x00 Introduction ........ 8

Module 0x01 Egghunters ........ 9
  Lab Objectives ........ 9
  Overview ........ 9
  Exercise 1-1 ........ 11
  MS08-067 Vulnerability ........ 12
  MS08-067 Case Study: Crashing the Service ........ 12
  MS08-067 Case Study: Finding the Right Offset ........ 15
  MS08-067 Case Study: From PoC to Exploit ........ 17
  Controlling the Execution Flow ........ 20
  Getting our Remote Shell ........ 30
  Wrapping Up ........ 34

Module 0x02 Bypassing NX ........ 35
  Lab Objectives ........ 35
  A Note from the Authors ........ 35
  Overview ........ 36
  Hardware-Enforcement and the NX Bit ........ 36
  Hardware-Enforced DEP Bypassing Theory Part I ........ 37
  Hardware-Enforced DEP Bypassing Theory Part II ........ 38
  Hardware-Enforced DEP on Windows 2003 Server SP2 ........ 39
  MS08-067 Case Study: Testing NX Protection ........ 40
  Exercise ........ 43
  MS08-067 Case Study: Approaching the NX Problem ........ 44
  MS08-067 Case Study: Memory Space Scanning ........ 46
  MS08-067 Case Study: Defeating NX ........ 49
  Exercise ........ 52
  MS08-067 Case Study: Returning into our Buffer ........ 53
  Exercise ........ 65
  Wrapping Up ........ 65

Module 0x02 (Update) Bypassing DEP AlwaysOn Policy ........ 66
  Lab Objectives ........ 66
  Overview ........ 66
  Ret2Lib Attacks and Their Evolution ........ 67
  Return Oriented Programming Exploitation ........ 67
  Immunity Debugger's API and findrop.py ........ 72
  Exercise ........ 80
  ASLR ........ 80
  PHP 6.0 Dev Case Study: The Crash ........ 81
  PHP 6.0 Dev Case Study: The ROP Approach ........ 85
  PHP 6.0 Dev Case Study: Preparing the Battlefield ........ 86
  Exercise ........ 88
  PHP 6.0 Dev Case Study: Crafting the ROP Payload ........ 89
    Steps 1 and 2 ........ 89
    Steps 3 and 4 ........ 94
    Step 5 ........ 97
  PHP 6.0 Dev Case Study: Getting our Shell ........ 101
  Exercise ........ 104
  Deplib: Gadgets on Steroids ........ 105
    Classification ........ 105
    Searching the Database ........ 107
    Stack Pivoting ........ 111
  Wrapping Up ........ 112

  Lab Objectives ........ 143
  Overview ........ 143
  The Unicode Problem ........ 144
  The Venetian Blinds Method ........ 145
  Exercise ........ 146
  DivX Player 6.6 Case Study: Crashing the Application ........ 147
  Exercise ........ 148
  DivX Player 6.6 Case Study: Controlling the Execution Flow ........ 149
  Exercise ........ 157
  DivX Player 6.6 Case Study: The Unicode Payload Builder ........ 158
  DivX Player 6.6 Case Study: Getting our Shell ........ 162
  Exercise ........ 173

  Lab Objectives ........ 241
  Overview ........ 241
  64-bit Address Space ........ 242
  64-bit Main Enhancements ........ 244
  Windows-On-Windows Emulation ........ 245
  64-bit Exploitation: General Concepts ........ 247
  MS11-080 Case Study: The Bug ........ 249
  MS11-080 Case Study: IOCTL Hunting ........ 251
  MS11-080 Case Study: Triggering the Vulnerable Code ........ 253
  Exercise ........ 261
  MS11-080 Case Study: Mapping your Route ........ 262
  MS11-080 Case Study: BSODing the Box ........ 266
  Exercise ........ 274
  MS11-080 Case Study: Owning RIP ........ 275
  MS11-080 Case Study: You are on your Own. Bring me a SYSTEM Shell! ........ 291