Light

5l1v3r1 / nixawk-awesome-windows-exploitation Goto Github PK

View Code? Open in Web Editor NEW

This project forked from r3p3r/nixawk-awesome-windows-exploitation

0.0 1.0 0.0 2.39 MB

License: Artistic License 2.0

nixawk-awesome-windows-exploitation's Introduction

Awesome Windows Exploitation

A curated list of awesome Windows Exploitation resources, and shiny things.

There is no pre-established order of items in each category, the order is for contribution. If you want to contribute, please read the guide.

Table of Contents

Windows stack overflows
Windows heap overflows
Kernel based Windows overflows
Windows Kernel Memory Corruption
Return Oriented Programming
Windows memory protections
Bypassing filter and protections
Typical windows exploits
Exploit development tutorial series
Tools

Windows stack overflows

Stack Base Overflow Articles.

Win32 Buffer Overflows (Location, Exploitation and Prevention) - by Dark spyrit [1999]
Writing Stack Based Overflows on Windows - by Nish Bhalla’s [2005]
Stack Smashing as of Today - by Hagen Fritsch [2009]
SMASHING C++ VPTRS - by rix [2000]

Windows heap overflows

Heap Base Overflow Articles.

Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002]
Exploiting the MSRPC Heap Overflow Part 1 - by Dave Aitel (MS03-026) [September 2003]
Exploiting the MSRPC Heap Overflow Part 2 - by Dave Aitel (MS03-026) [September 2003]
Windows heap overflow penetration in black hat - by David Litchfield [2004]
Glibc Adventures: The Forgotten Chunk - by François Goichon [2015]
Pseudomonarchia jemallocum - by argp & huku
The House Of Lore: Reloaded - by blackngel [2010]
Malloc Des-Maleficarum - by blackngel [2009]
free() exploitation technique - by huku
Understanding the heap by breaking it - by Justin N. Ferguson [2007]
The use of set_head to defeat the wilderness - by g463
The Malloc Maleficarum - by Phantasmal Phantasmagoria [2005]
Exploiting The Wilderness - by Phantasmal Phantasmagoria [2004]
Advanced Doug lea's malloc exploits - by jp

Kernel based Windows overflows

Kernel Base Exploit Development Articles.

How to attack kernel based vulns on windows was done - by a Polish group called “sec-labs” [2003]
Sec-lab old whitepaper
Sec-lab old exploit
Windows Local Kernel Exploitation (based on sec-lab research) - by S.K Chong [2004]
How to exploit Windows kernel memory pool - by SoBeIt [2005]
Exploiting remote kernel overflows in windows - by Eeye Security
Kernel-mode Payloads on Windows in uninformed - by Matt Miller
Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
BH US 2007 Attacking the Windows Kernel
Remote and Local Exploitation of Network Drivers
Exploiting Comon Flaws In Drivers
I2OMGMT Driver Impersonation Attack
Real World Kernel Pool Exploitation
Exploit for windows 2k3 and 2k8
Alyzing local privilege escalations in win32k
Intro to Windows Kernel Security Development
There’s a party at ring0 and you’re invited
Windows kernel vulnerability exploitation
A New CVE-2015-0057 Exploit Technology - by Yu Wang [2016]
Exploiting CVE-2014-4113 on Windows 8.1 - by Moritz Jodeit [2016]
Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012]
Windows Kernel Exploitation - by Simone Cardona 2016
Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects - by Saif Sherei 2017
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes - by keen team [2015]
Abusing GDI for ring0 exploit primitives - [2016]

Windows Kernel Memory Corruption

Windows Kernel Memory Corruption Exploit Development Articles.

Remote Windows Kernel Exploitation - by Barnaby Jack [2005]
windows kernel-mode payload fundamentals - by Skape [2006]
exploiting 802.11 wireless driver vulnerabilities on windows - by Johnny Cache, H D Moore, skape [2007]
Kernel Pool Exploitation on Windows 7 - by Tarjei Mandt [2011]
Windows Kernel-mode GS Cookies and 1 bit of entropy - [2011]
Subtle information disclosure in WIN32K.SYS syscall return values - [2011]
nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques - [2011]
SMEP: What is it, and how to beat it on Windows - [2011]
Kernel Attacks through User-Mode Callbacks - by Tarjei Mandt [2011]
Windows Security Hardening Through Kernel Address Protection - by Mateusz "j00ru" Jurczyk [2011]
Reversing Windows8: Interesting Features of Kernel Security - by MJ0011 [2012]
Smashing The Atom: Extraordinary String Based Attacks - by Tarjei Mandt [2012]
Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012]
Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement - by MJ0011 [2012]
MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit - [2013]
KASLR Bypass Mitigations in Windows 8.1 - [2013]
First Dip Into the Kernel Pool: MS10-058 - by Jeremy [2014]
Windows 8 Kernel Memory Protections Bypass - [2014]
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - by Weimin Wu [2014]
Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool - [2014]
Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE 2015-0057) bug on both 32-bit and 64-bit - by Aaron Adams [2015]
Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong) - by Dominic Wang [2015]
Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit - by Cedric Halbronn [2015]
Abusing GDI for ring0 exploit primitives - by Diego Juarez [2015]
Duqu 2.0 Win32k exploit analysis - [2015]

Return Oriented Programming

The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls
Blind return-oriented programming
Sigreturn-oriented Programming
Jump-Oriented Programming: A New Class of Code-Reuse Attack
Out of control: Overcoming control-flow integrity
ROP is Still Dangerous: Breaking Modern Defenses
Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
Systematic Analysis of Defenses Against Return-Oriented Programming -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
Return-oriented programming without returns -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
Jump-oriented programming: a new class of code-reuse attack -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]
Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1 - by Marco Mastropaolo [2005]
Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2 - by Marco Mastropaolo [2005]
Practical Rop - by Dino Dai Zovi [2010]
Exploitation with WriteProcessMemory - by Spencer Pratt [2010]
Exploitation techniques and mitigations on Windows - by skape
A little return oriented exploitation on Windows x86 – Part 1 - by Harmony Security and Stephen Fewer [2010]
A little return oriented exploitation on Windows x86 – Part 2 - by Harmony Security and Stephen Fewer [2010]

Windows memory protections

Windows memory protections Introduction Articles.

Bypassing filter and protections

Windows memory protections Bypass Methods Articles.

Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002]
Creating Arbitrary Shellcode In Unicode Expanded Strings - by Chris Anley
Advanced windows exploitation - by Dave Aitel [2003]
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server - by David Litchfield
Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) - by Matt Conover in cansecwest 2004
Safely Searching Process Virtual Address Space - by Matt Miller [2004]
IE exploit and used a technology called Heap Spray
Bypassing hardware-enforced DEP - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
Exploiting Freelist[0] On XP Service Pack 2 - by Brett Moore [2005]
Kernel-mode Payloads on Windows in uninformed
Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
Exploiting Comon Flaws In Drivers
Heap Feng Shui in JavaScript by Alexander sotirov [2007]
Understanding and bypassing Windows Heap Protection - by Nicolas Waisman [2007]
Heaps About Heaps - by Brett moore [2008]
Bypassing browser memory protections in Windows Vista - by Mark Dowd and Alex Sotirov [2008]
Attacking the Vista Heap - by ben hawkes [2008]
Return oriented programming Exploitation without Code Injection - by Hovav Shacham (and others ) [2008]
Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 - by Cesar Cerrudo [2008]
Defeating DEP Immunity Way - by Pablo Sole [2008]
Practical Windows XP2003 Heap Exploitation - by John McDonald and Chris Valasek [2009]
Bypassing SEHOP - by Stefan Le Berre Damien Cauquil [2009]
Interpreter Exploitation : Pointer Inference and JIT Spraying - by Dionysus Blazakis[2010]
Write-up of Pwn2Own 2010 - by Peter Vreugdenhil
All in one 0day presented in rootedCON - by Ruben Santamarta [2010]
DEP/ASLR bypass using 3rd party - by Shahin Ramezany [2013]
Bypassing EMET 5.0 - by René Freingruber [2014]

Typical windows exploits

Real-world HW-DEP bypass Exploit - by Devcode
Bypassing DEP by returning into HeapCreate - by Toto
First public ASLR bypass exploit by using partial overwrite - by Skape
Heap spray and bypassing DEP - by Skylined
First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability
Exploit codes of bypassing browsers memory protections
PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1 - by Cesar Cerrudo
PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2 - by Cesar Cerrudo
An exploit works from win 3.1 to win 7 - by Tavis Ormandy KiTra0d
Old ms08-067 metasploit module multi-target and DEP bypass
PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass
SMBv2 Exploit - by Stephen Fewer
Microsoft IIS 7.5 remote heap buffer overflow - by redpantz
Browser Exploitation Case Study for Internet Explorer 11 - by Moritz Jodeit [2016]

Exploit development tutorial series

Exploid Development Tutorial Series Base on Windows Operation System Articles.

Tools

Disassemblers, debuggers, and other static and dynamic analysis tools.

angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
Binary Ninja - Multiplatform binary analysis IDE supporting various types of binaries and architecturs. Scriptable via Python.
binnavi - Binary analysis IDE for reverse engineering based on graph visualization.
Bokken - GUI for Pyew and Radare.
Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
codebro - Web based code browser using clang to provide basic code analysis.
dnSpy - .NET assembly editor, decompiler and debugger.
Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
GDB - The GNU debugger.
GEF - GDB Enhanced Features, for exploiters and reverse engineers.
hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
IDA Pro - Windows disassembler and debugger, with a free evaluation version.
Immunity Debugger - Debugger for malware analysis and more, with a Python API.
ltrace - Dynamic analysis for Linux executables.
objdump - Part of GNU binutils, for static analysis of Linux binaries.
OllyDbg - An assembly-level debugger for Windows executables.
PANDA - Platform for Architecture-Neutral Dynamic Analysis
PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
pestudio - Perform static analysis of Windows executables.
Process Monitor - Advanced monitoring tool for Windows programs.
Pyew - Python tool for malware analysis.
Radare2 - Reverse engineering framework, with debugger support.
SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
strace - Dynamic analysis for Linux executables.
Udis86 - Disassembler library and tool for x86 and x86_64.
Vivisect - Python tool for malware analysis.
X64dbg - An open-source x64/x32 debugger for windows.

nixawk-awesome-windows-exploitation's People

Contributors

Watchers

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.