@SkyBulk
Last active October 24, 2023 20:02
- Heap Overflow Case Study: CVE-2015-3104 Proof of Concept
- Heap Overflow Case Study: A Deeper Look at the Bug
- Heap Overflow Case Study: Allocation Control
- Heap Overflow Case Study: Gaining Read/Write Access to the Memory Space
- Heap Overflow Case Study: Defeating ASLR
- Heap Overflow Case Study: Gaining Code Execution
- Heap Overflow Case Study: Stack Pivoting
- Heap Overflow Case Study: Defeating DEP
- Executing Shellcode and Restoring the Execution Flow
- Sandbox Escape
- Windows Defender Exploit Guard
  * Testing WDEG Protections on CVE-2015-3104
  * Disarm vs Bypass
  * Disarming WDEG: Theory
  * Disarming WDEG: Practice (CVE-2015-3104)
  * Exercises
- Defeating EAF
  * Exercises
- 3 Module 0x02 CFG/ACG Bypass and Sandbox Escape via Microsoft Edge Type Confusion
  * 3.2 64-bit Windows
    * 3.2.1 Main 64-bit Enhancements
    * 3.2.2 JavaScript on 64-bit
    * 3.2.3 Microsoft Edge and WinDbg
  * 3.3 Type Confusion Case Study: CVE-2017-8601 POC
    * 3.3.1 Exercises
  * 3.4 Type Confusion Case Study: Read and Write Primitive
    * 3.4.1 Exercises
  * 3.5 Control Flow Guard Theory
    * 3.5.1 CFG Implementation
    * 3.5.2 CFG History and Limitations
    * 3.5.3 Exercises
    * 3.5.4 CFG Bypass Techniques
  * 3.6 Type Confusion Case Study: Leaking the Stack
    * 3.6.1 Exercises
  * 3.7 Type Confusion Case Study: RIP Control and Stack Pivot
    * 3.7.1 Stack Pivoting
    * 3.7.2 Confuse Me Again
    * 3.7.3 Exercises
    * 3.7.4 ROP Preps
    * 3.7.5 Exercises
  * 3.8 Arbitrary Code Guard Theory
  * 3.9 ACG Bypass Case Study: CVE-2017-8637
    * 3.9.1 ACG Bypass Mechanics
    * 3.9.2 Locating the JIT Process Handle
    * 3.9.3 Duplicating the JIT Process Handle
    * 3.9.4 ACG ROP Chain
    * 3.9.5 Step 1: DuplicateHandle Call
    * 3.9.6 Exercise
    * 3.9.7 Step 2: VirtualAllocEx Call
    * 3.9.8 Exercise
    * 3.9.9 Step 3: WriteProcessMemory Call
    * 3.9.10 Exercise
    * 3.9.11 Step 4: CreateRemoteThread Call
    * 3.9.12 Exercise
    * 3.9.13 Step 5: Thread Leak
    * 3.9.14 Exercise
    * 3.9.15 Step 6: Stack Manipulation
    * 3.9.16 Exercise
    * 3.9.17 Step 7: Remote RIP Hijacking
    * 3.9.18 Exercises
    * 3.9.19 Extra Mile
  * 3.10 Type Confusion Case Study: Process Continuation
    * 3.10.1 Exercises
  * 3.11 AppContainer Sandbox and Code Integrity Guard
    * 3.11.1 AppContainer Protections Overview
    * 3.11.2 AppContainer in the Creators Update
  * 3.12 Sandbox Escape Case Study: CVE-2016-0165
  * 3.13 Sandbox Escape Case Study: Shellcode
    * 3.13.1 Exercises
  * 3.14 Wrapping Up
- Module 0x01 DEP/ASLR Bypass and Sandbox Escape via Flash Heap Overflow
  * Vulnerable Software and Version: `Adobe Flash Player 16.0.0.235 / 17.0.0.188`
  * [Software Link](http://fouladi.persiangig.com/exe/Adobe.Flash.Player.16.0.0.235.Windows_Soft98.iR.zip)
  * Vulnerability Type: `Integer Overflow`
  * Sandbox Escape
    * [CVE-2015-3081 Flash Broker-Based - Sandbox Escape via Timing Attack Against File Moving](https://www.exploit-db.com/exploits/37842)
    * [CVE-2015-3082 Flash Broker-Based - Sandbox Escape via Forward Slash Instead of Backslash](https://www.exploit-db.com/exploits/37840)
- Module 0x02 CFG/ACG Bypass and Sandbox Escape via Microsoft Edge Type Confusion
  * 64-bit Windows
    * Main 64-bit Enhancements
    * JavaScript on 64-bit
    * Microsoft Edge and WinDbg
  * Type Confusion Case Study: CVE-2017-8601 POC
    * Vulnerable Software and Version: [Microsoft Edge in Windows 10 1703](http://windowsiso.net/windows-10-iso/windows-10-creators-update-1703-download-build-15063/free-windows-10-creators-update-1703-iso-download-successful/?windowsiso_id=20)
    * Vulnerability Type: `Incorrect JIT Optimization`
  * Control Flow Guard Theory: https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard
    * CFG Implementation
    * CFG History and Limitations
    * Exercises
      * [Bypassing Control Flow Guard in Windows 10](https://improsec.com/tech-blog/bypassing-control-flow-guard-in-windows-10)
      * [Bypassing Control Flow Guard in Windows 10 II](https://improsec.com/tech-blog/bypassing-control-flow-guard-on-windows-10-part-ii)
    * CFG Bypass Techniques
      * https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf
  * [Arbitrary Code Guard Theory](https://windowsadmins.com/tag/arbitrary-code-guard/)
  * ACG Bypass Case Study: CVE-2017-8637
    * OS Software and Version: `Microsoft Edge in Microsoft Windows 10 1703`
    * Software Link: Same as the one above
    * Vulnerability Type: `ACG Bypass`
  * [Sandbox Escape Case Study: CVE-2016-0165](http://repwn.com/archives/26/)
    * Vulnerable Software and Version: `Windows 10 1511 / Windows 7 SP1`
    * [OS Link (Windows 10 1511)](http://windowsiso.net/windows-10-iso/windows-10-th2-download-build-10586/free-windows-10-threshold-2-download-successful/?windowsiso_id=21)
    * [OS Link (Windows 7 SP1)](https://softlay.net/operating-system/windows-7-ultimate-iso-download.html)
    * Vulnerability Type: `LPE (Sandbox Escape case)`