Heap Overflow Case Study: CVE-2015-3104 Proof of Concept
Heap Overflow Case Study: A Deeper Look at the Bug
Heap Overflow Case Study: Allocation Control
Heap Overflow Case Study: Gaining Read/Write Access to the Memory Space
Heap Overflow Case Study: Defeating ASLR
Heap Overflow Case Study: Gaining Code Execution
Heap Overflow Case Study: Stack Pivoting
Heap Overflow Case Study: Defeating DEP
Executing Shellcode and Restoring the Execution Flow
Sandbox Escape
Windows Defender Exploit Guard
Testing WDEG Protections on CVE-2015-3104
Disarm vs Bypass
Disarming WDEG: Theory
Disarming WDEG: Practice (CVE-2015-3104)
Exercises
Defeating EAF
Exercises
3 Module 0x02 CFG/ACG Bypass and Sandbox Escape via Microsoft Edge Type Confusion
3.2 64-bit Windows
3.2.1 Main 64-bit Enhancements
3.2.2 JavaScript on 64-bit
3.2.3 Microsoft Edge and WinDbg
3.3 Type Confusion Case Study: CVE-2017-8601 POC
3.3.1 Exercises
3.4 Type Confusion Case Study: Read and Write Primitive
3.4.1 Exercises
3.5 Control Flow Guard Theory
3.5.1 CFG Implementation
3.5.2 CFG History and Limitations
3.5.3 Exercises
3.5.4 CFG Bypass Techniques
3.6 Type Confusion Case Study: Leaking the Stack
3.6.1 Exercises
3.7 Type Confusion Case Study: RIP Control and Stack Pivot
3.7.1 Stack Pivoting
3.7.2 Confuse Me Again
3.7.3 Exercises
3.7.4 ROP Preps
3.7.5 Exercises
3.8 Arbitrary Code Guard Theory
3.9 ACG Bypass Case Study: CVE-2017-8637
3.9.1 ACG Bypass Mechanics
3.9.2 Locating the JIT Process Handle
3.9.3 Duplicating the JIT Process Handle
3.9.4 ACG ROP Chain
3.9.5 Step 1: DuplicateHandle Call
3.9.6 Exercise
3.9.7 Step 2: VirtualAllocEx Call
3.9.8 Exercise
3.9.9 Step 3: WriteProcessMemory Call
3.9.10 Exercise
3.9.11 Step 4: CreateRemoteThread Call
3.9.12 Exercise
3.9.13 Step 5: Thread Leak
3.9.14 Exercise
3.9.15 Step 6: Stack Manipulation
3.9.16 Exercise
3.9.17 Step 7: Remote RIP Hijacking
3.9.18 Exercises
3.9.19 Extra Mile
3.10 Type Confusion Case Study: Process Continuation
3.10.1 Exercises
3.11 AppContainer Sandbox and Code Integrity Guard
3.11.1 AppContainer Protections Overview
3.11.2 AppContainer in the Creators Update
3.12 Sandbox Escape Case Study: CVE-2016-0165
3.13 Sandbox Escape Case Study: Shellcode
3.13.1 Exercises
3.14 Wrapping Up
- Module 0x01 DEP/ASLR Bypass and Sandbox Escape via Flash Heap Overflow
  * Vulnerable Software and Version: `Adobe Flash Player 16.0.0.235 / 17.0.0.188`
  * [Software Link](http://fouladi.persiangig.com/exe/Adobe.Flash.Player.16.0.0.235.Windows_Soft98.iR.zip)
  * Vulnerability Type: `Integer Overflow`
  * Sandbox Escape
    * [CVE-2015-3081 Flash Broker-Based - Sandbox Escape via Timing Attack Against File Moving](https://www.exploit-db.com/exploits/37842)
    * [CVE-2015-3082 Flash Broker-Based - Sandbox Escape via Forward Slash Instead of Backslash](https://www.exploit-db.com/exploits/37840)
- Module 0x02 CFG/ACG Bypass and Sandbox Escape via Microsoft Edge Type Confusion
  * 64-bit Windows
    * Main 64-bit Enhancements
    * JavaScript on 64-bit
    * Microsoft Edge and WinDbg
  * Type Confusion Case Study: CVE-2017-8601 POC
    * Vulnerable Software and Version: [Microsoft Edge in Windows 10 1703](http://windowsiso.net/windows-10-iso/windows-10-creators-update-1703-download-build-15063/free-windows-10-creators-update-1703-iso-download-successful/?windowsiso_id=20)
    * Vulnerability Type: `Incorrect JIT Optimization`
  * [Control Flow Guard Theory](https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard)
    * CFG Implementation
    * CFG History and Limitations
    * Exercises
      * [Bypassing Control Flow Guard in Windows 10](https://improsec.com/tech-blog/bypassing-control-flow-guard-in-windows-10)
      * [Bypassing Control Flow Guard in Windows 10 II](https://improsec.com/tech-blog/bypassing-control-flow-guard-on-windows-10-part-ii)
    * CFG Bypass Techniques
      * [Bypass Control Flow Guard Comprehensively (Black Hat USA 2015 whitepaper)](https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf)
  * [Arbitrary Code Guard Theory](https://windowsadmins.com/tag/arbitrary-code-guard/)
  * ACG Bypass Case Study: CVE-2017-8637
    * OS Software and Version: `Microsoft Edge in Microsoft Windows 10 1703`
    * Software Link: same as the one above
    * Vulnerability Type: `ACG Bypass`
  * [Sandbox Escape Case Study: CVE-2016-0165](http://repwn.com/archives/26/)
    * Vulnerable Software and Version: `Windows 10 1511 / Windows 7 SP1`
    * [OS Link (Windows 10 1511)](http://windowsiso.net/windows-10-iso/windows-10-th2-download-build-10586/free-windows-10-threshold-2-download-successful/?windowsiso_id=21)
    * [OS Link (Windows 7 SP1)](https://softlay.net/operating-system/windows-7-ultimate-iso-download.html)
    * Vulnerability Type: `LPE (Sandbox Escape case)`