ameetsaahu/awesome-windows-exploitation

A curated list of awesome Windows Exploitation resources, and shiny things. Inspired by awesom

Awesome Windows Exploitation

A curated list of awesome Windows Exploitation resources, and shiny things.

Table of Contents

• windows stack overflows
• windows heap overflows
• kernel based Windows overflows
• Windows memory protections
• Bypassing filter and protections
• Typical windows exploits

windows stack overflows

• Win32 Buffer Overflows (Location, Exploitation and Prevention) by dark spyrit in 1999
• S.K Chong Win32 Stack Based Buffer Overflow Walkthrough in july 2002
• Nish Bhalla’s series on Writing Stack Based Overflows on Windows in 2005

windows heap overflows

• Third Generation Exploitation smashing heap on 2k by halvar Flake in 2002
• Exploiting the MSRPC Heap Overflow two part by Dave Aitel (MS03-026) sep 2003
• Exploiting the MSRPC Heap Overflow two part by Dave Aitel (MS03-026) sep 2003
• david litchfield did a great detailed penetration in black hat 2004

kernel based Windows overflows

• how to attack kernel based vulns on windows was done by a Polish group called “sec-labs” around 2003
• sec-lab old whitepaper
• sec-lab old exploit
• Windows Local Kernel Exploitation by S.K Chong in 2004 (based on sec-lab research)
• How to exploit Windows kernel memory pool in 2005 by SoBeIt
• exploiting remote kernel overflows in windows by eeye security
• Kernel-mode Payloads on Windows in uninformed by matt miller
• Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
• BH US 2007 Attacking the Windows Kernel
• Remote and Local Exploitation of Network Drivers
• Exploiting Comon Flaws In Drivers
• I2OMGMT Driver Impersonation Attack
• Real World Kernel Pool Exploitation
• exploit for windows 2k3 and 2k8
• nalyzing local privilege escalations in win32k
• Intro to Windows Kernel Security Development
• There’s a party at ring0 and you’re invited
• Windows kernel vulnerability exploitation

Windows memory protections

• Data Execution Prevention
• /GS (Buffer Security Check)
• /SAFESEH
• ASLR
• SEHOP

Bypassing filter and protections

• Third Generation Exploitation smashing heap on 2k by halvar Flake in 2002
• chris anley wrote Creating Arbitrary Shellcode In Unicode Expanded Strings
• Dave aitel advanced windows exploitation in 2003
• Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by david litchfield
• reliable heap exploits (matt Conover in cansecwest 2004 ) and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)
• later in 2004 matt miller wrote an article Safely Searching Process Virtual Address Space
• IE exploit and used a technology called Heap Spray
• bypassing hardware-enforced DEP skape (matt miller) Skywing (ken johnson) (in October 2005
• Exploiting Freelist[0] On XP Service Pack 2 by brett moore (dec 2005)
• Kernel-mode Payloads on Windows in uninformed
• Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
• Exploiting Comon Flaws In Drivers
• Heap Feng Shui in JavaScript by Alexander sotirov (2007)
• Understanding and bypassing Windows Heap Protection by Nicolas Waisman (2007)
• Heaps About Heaps by brett moore (in 2008)
• Bypassing browser memory protections in Windows Vista by Mark Dowd and Alex Sotirov (in 2008)
• Attacking the Vista Heap by ben hawkes (in 2008)
• Return oriented programming Exploitation without Code Injection by Hovav Shacham (and others ) (in 2008)
• Cesar Cerrudo wrote Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 (2008)
• Defeating DEP Immunity Way by Pablo sole (2008)
• Practical Windows XP2003 Heap Exploitation (bh 2009) by John McDonald and Chris Valasek
• Bypassing SEHOP by Stefan Le Berre Damien Cauquil (in 2009)
• Interpreter Exploitation : Pointer Inference and JIT Spraying by Dionysus Blazakis (2010)
• write-up of Pwn2Own 2010 by Peter Vreugdenhil (2010)
• ruben santamarta all in one 0day presented in rootedCON (2010)

Typical windows exploits

• real-world HW-DEP bypass Exploit by devcode
• bypassing DEP by returning into HeapCreate by toto
• first public ASLR bypass exploit by using partial overwrite by skape
• heap spray and bypassing DEP by skylined
• first public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability
• exploit codes of bypassing browsers memory protections
• Cesar Cerrudo PoC’s on Tokken TokenKidnapping . PoC for 2k3
• Cesar Cerrudo PoC’s on Tokken TokenKidnapping . PoC for 2k8
• Tavis Ormandy KiTra0d an exploit works from win 3.1 to win 7
• old ms08-067 metasploit module multi-target and DEP bypass
• PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass
• Stephen Fewer SMBv2 Exploit