Nytro Posted May 9, 2020

Welcome! I am Fu11shade, I specialize in 0day research and offensive Windows exploitation. This course is to fill in the gap on the internet for Windows exploitation content.

I am rapidly working to finish the last few (newly added) posts; everything should be finished by the end of this week. Currently about 5-6 posts are still missing.

This page provides a pathway for learning Windows exploit development. Following the provided blog posts will allow you to learn Windows exploit development from the basics to advanced kernel exploitation on a Windows 10 system with all the mitigations enabled.

This course can all be downloaded as a polished PDF book format [coming soon!]

Basic exploitation (late 1990's - early 2010's era)

https://github.com/FULLSHADE/OSCE is my repository with over 25 exploits written from scratch; these exploits are in scope of the "basic exploitation" category of this series.

Fair warning, some of the following posts are not finished yet... Most everything else is

Id  Article                                                  Author
0   Setting up Immunity and WinDBG with Mona.py              FullShade
1   Classic JMP ESP buffer overflow                          FullShade
2   Local SEH buffer overflow                                FullShade
3   Local SEH buffer overflow with a DEP bypass              FullShade
4   Remote SEH overflow with egghunters                      FullShade
5   Remote SEH overflows & multi-stage jumps                 FullShade
6   SEH overflows, alphanumeric & unicode encoding bypass    FullShade
7   Bypassing SEH mitigations with DLL injection             FullShade
8   Code caving and backdooring PEs                          FullShade

Windows Internals theory

Id  Article                                                  Author
9   Understanding Windows security mitigations               FullShade
10  Understanding Windows memory data structures             FullShade
11  Understanding the PEB & WinDBG analysis                  FullShade
12  Kernel Opaque data structures & access tokens            FullShade
13  Windows Kernel memory pool & vulnerabilities             FullShade
14  Basics of Kernel-mode driver (IRPs) & I/O requests       FullShade
15  IOCTLs for kernel driver exploit development             FullShade

Windows kernel exploitation (2010 - 2013 era)

POCs and fully completed exploits can be found here: https://github.com/FULLSHADE/HEVD-Exploits, more coming this week.

Id  Article                                                  Author
16  Writing a Windows Kernel-Mode Driver - Part 1            FullShade
17  HEVD - Windows 7 x86 Kernel Stack Overflow               FullShade
18  HEVD - Windows 7 x86 Kernel NULL Pointer Dereference     FullShade
19  HEVD - Windows 7 x86 Kernel Type Confusion               FullShade
20  HEVD - Windows 7 x86 Kernel Arbitrary Write              FullShade
21  HEVD - Windows 7 x86 Kernel Use-After-Free               FullShade
22  HEVD - Windows 7 x86 Kernel Integer Overflow             FullShade
23  HEVD - Windows 7 x86 Kernel Uninitialized Stack Variable FullShade
24  HEVD - Windows 7 x86 Kernel Pool Overflow                FullShade
25  HEVD - Windows 7 x86_64 Kernel Stack Overflow            FullShade
26  HEVD - Windows 7 x86_64 Kernel Arbitrary Write           FullShade

Advanced Windows kernel exploitation (2016 - 2020 era)

Id  Article                                                  Author
27  HEVD - Windows 8.1 64-bit Kernel Stack Overflow w/ SMEP  FullShade
28  Leaking Kernel Addresses on Windows 10 64-bit            FullShade
29  Abusing GDI Bitmap objects on Windows 10 64-bit          FullShade

Hunting Windows 0days

Once you have enough Windows exploitation knowledge, you can start auditing third-party applications and drivers for 0day vulnerabilities; below are a few that have been discovered with this level of information.

https://fullpwnops.com/cves.html

0days discovered by me can be found littered around my Github profile; more organization will come soon.

Id  Article                                                  Author
30  Fuzzing drivers for 0days, discover new vulnerabilities  FullShade

Source: https://fullpwnops.com/windows-exploitation-pathway.html