
Welcome! I am Fu11shade. I specialize in 0day research and offensive Windows exploitation; this course is to fill in the gap on the internet for Windows exploitation content. I am rapidly working to finish the last few (newly added) posts; everything should be finished by the end of this week. Currently about 5-6 posts are still missing.

This page provides a pathway for learning Windows exploit development. Following the provided blog posts in order will take you from the basics to advanced kernel exploitation on a Windows 10 system with all the mitigations enabled.

This course can all be downloaded as a polished PDF book format [coming soon!]

Basic exploitation (late 1990’s - early 2010’s era)

https://github.com/FULLSHADE/OSCE is my repository with over 25 exploits written from scratch; these exploits are in scope for the "basic exploitation" category of this series.

Fair warning: some of the following posts are not finished yet. Most everything else is.

Id Article Author
0 Setting up Immunity and WinDBG with Mona.py FullShade
1 Classic JMP ESP buffer overflow FullShade
2 Local SEH buffer overflow FullShade
3 Local SEH buffer overflow with a DEP bypass FullShade
4 Remote SEH overflow with egghunters FullShade
5 Remote SEH overflows & multi-stage jumps FullShade
6 SEH overflows, alphanumeric & unicode encoding bypass FullShade
7 Bypassing SEH mitigations with DLL injection FullShade
8 Code caving and backdooring PEs FullShade

Windows Internals theory

Id Article Author
9 Understanding Windows security mitigations FullShade
10 Understanding Windows memory data structures FullShade
11 Understanding the PEB & WinDBG analysis FullShade
12 Kernel Opaque data structures & access tokens FullShade
13 Windows Kernel memory pool & vulnerabilities FullShade
14 Basics of kernel-mode drivers, IRPs & I/O requests FullShade
15 IOCTLs for kernel driver exploit development FullShade

Windows kernel exploitation (2010 - 2013 era)

POCs and fully completed exploits can be found here: https://github.com/FULLSHADE/HEVD-Exploits. More are coming this week.

Id Article Author
16 Writing a Windows Kernel-Mode Driver - Part 1 FullShade
17 HEVD - Windows 7 x86 Kernel Stack Overflow FullShade
18 HEVD - Windows 7 x86 Kernel NULL Pointer Dereference FullShade
19 HEVD - Windows 7 x86 Kernel Type Confusion FullShade
20 HEVD - Windows 7 x86 Kernel Arbitrary Write FullShade
21 HEVD - Windows 7 x86 Kernel Use-After-Free FullShade
22 HEVD - Windows 7 x86 Kernel Integer Overflow FullShade
23 HEVD - Windows 7 x86 Kernel Uninitialized Stack Variable FullShade
24 HEVD - Windows 7 x86 Kernel Pool Overflow FullShade
25 HEVD - Windows 7 x86_64 Kernel Stack Overflow FullShade
26 HEVD - Windows 7 x86_64 Kernel Arbitrary Write FullShade

Advanced Windows kernel exploitation (2016 - 2020 era)

Id Article Author
27 HEVD - Windows 8.1 64-bit Kernel Stack Overflow w/ SMEP FullShade
28 Leaking Kernel Addresses on Windows 10 64-bit FullShade
29 Abusing GDI Bitmap objects on Windows 10 64-bit FullShade

Hunting Windows 0days

Once you have enough Windows exploitation knowledge, you can start auditing third-party applications and drivers for 0day vulnerabilities. Below are a few that have been discovered with this level of knowledge.

0days I have discovered can be found scattered around my GitHub profile; more organization will come soon.

Id Article Author
30 Fuzzing drivers for 0days, discover new vulnerabilities

Source: https://fullpwnops.com/windows-exploitation-pathway.html
