Windows-Exploits
Some kernel exploits I used to learn about the topic, mainly for OSEE. These probably contain code snippets from other exploits - if I missed references/authors please send me a message and I'll add them.
Kernel
HEVD
Most exploits are vs. Win10 1909 x64 targeting https://github.com/hacksysteam/HackSysExtremeVulnerableDriver .
- StackOverflow (Medium Integrity)
- StackOverflow Data Only (ROP/PreviousMode Overwrite, Medium Integrity)
- StackOverflow with GS (Medium Integrity)
- TypeConfusion (Medium Integrity)
- TypeConfusion with StackPivot (Medium Integrity)
- Use-After-Free (Medium Integrity)
- Pool Overflow Win7 x64 with ProcessBilled Overwrite (Medium Integrity)
- NullPtr Dereference Win7 x64 (Medium Integrity)
Misc Drivers
All exploits are vs. Win10 1909 x64.
- CVE-2018-19320 (Gigabyte Driver, Medium Integrity)
- CVE-2018-19320 + CVE-2018-19323 (Gigabyte Driver, Low Integrity)
Notes/Misc
- KUSER_SHARED_DATA, at offset 0x800 (0xFFFFF78000000800) in ntoskrnl.exe contains a writable code cave
- Ways to SYSTEM: Steal Token, Overwrite HAL Dispatch (or another pointer with a pointer to shellcode), ACL Editing
- Ways to get Page RW/RX: Flip bit like with U/S, WriteProcessMemory, VirtualProtect
- Bypass SMEP: ROP to 20th bit of CR4, Flip U/S, Write Code to Kernel Mem (using U/S trick to fix memory protections)
- KCFG is only enforced when Hyper-V is enabled (it would prevent pointer overwrites to shellcode)
- Dangerous functions to look for in drivers: MmMapIoSpace, __readmsr/__writemsr, memmove
- Compile Shellcode:
nasm shellcode.asm -o shellcode.bin -f bin
radare2 -b 32 -c 'pc' ./shellcode.bin
Resources
- https://kristal-g.github.io/
- https://h0mbre.github.io
- https://blog.xpnsec.com/
- https://voidsec.com/
- https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/using-the-kernel-debugger-to-find-a-kernel-mode-memory-leak
- https://windows-internals.com/exploiting-a-simple-vulnerability-in-35-easy-steps-or-less/
- https://www.crowdstrike.com/blog/cve-2021-21551-learning-through-exploitation/
- https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pool_overflow_exploitation_since_windows_10_19h1/SSTIC2020-Article-pool_overflow_exploitation_since_windows_10_19h1-bayet_fariello.pdf
- https://github.com/synacktiv/Windows-kernel-SegmentHeap-Aligned-Chunk-Confusion