HEVD Windows Kernel Exploitation 4 – Null Pointer Dereference

So as we exploit the 3rd vulnerability on HEVD, I’ll use this as a tradition and will give history on what we’ve done so far and what’s up next: With Stack Overflow: put your shellcode in userland in an allocated memory and execute in kernelland. With Arbitrary Overwrite: writing the value pointed by what to the… Continue reading HEVD Windows Kernel Exploitation 4 – Null Pointer Dereference

HEVD Windows Kernel Exploitation 3 – Write What Where

Let’s continue with the third blogpost of the Kernel exploitation series. A few notes: With Stack Overflow: we put our shellcode in user-land in an allocated memory and execute in kernel-land. With Arbitrary Overwrite: we’ll be writing the value pointed by “what” to the memory location referenced by “where”. The strategy for this blogpost: Initial Phase: Source… Continue reading HEVD Windows Kernel Exploitation 3 – Write What Where

HEVD Windows Kernel Exploitation 1 – Setup the Environment

There will be a few setup steps we need to follow before we jump into the Kernel Exploitation:
1. Install Windows x86 in a VM; install WinDBG
2. Setup the Debugging Symbols: computer – properties – advanced system settings – environmental variables; create a system variable with Variable Name: _NT_SYMBOL_PATH and Variable Value: SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols
3. Enable Debugging in BCD: Run CMD as… Continue reading HEVD Windows Kernel Exploitation 1 – Setup the Environment

ROP Gadgets: VirtualProtect()

We’ll work on VUPlayer 2.49 (Windows 7) – ‘.m3u’ Local Buffer Overflow (DEP Bypass) for this article. Initial exploit v1: EIP Control
import sys
import struct
import os
crash_file = "test.m3u"
fuzz = "A" * 1012
fuzz += "B" * 4
fuzz += "C" * (3000 - len(fuzz))
file = open(crash_file, "w")
file.write(fuzz)
file.close()
Start the app and attach to Immunity. Drag the m3u file on… Continue reading ROP Gadgets: VirtualProtect()

SLAE64: Assignment 7 – Cryptor

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https://www.pentesteracademy.com/course?id=7 Student-ID: PA-15847 The Objectives for the Assignment: – create a custom crypter – free to use any existing encryption schema – can use any programming language. We’ll use the following encryption script for this assignment: I used the following… Continue reading SLAE64: Assignment 7 – Cryptor

Categorized as SLAE64

SLAE64: Assignment 6 – Polymorphic Shellcode

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https://www.pentesteracademy.com/course?id=7 Student-ID: PA-15847 The Objectives for the Assignment: – Take up 3 shellcodes from shell-storm and create polymorphic versions of them to beat pattern matching – the polymorphic versions cannot be larger than 150% of the existing shellcode – bonus points… Continue reading SLAE64: Assignment 6 – Polymorphic Shellcode

Categorized as SLAE64

SLAE64: Assignment 5 – Shellcode Analysis

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https://www.pentesteracademy.com/course?id=7 Student-ID: PA-15847 The Objectives for the Assignment: – Take up at least 3 shellcode samples created using msfpayload for linux x86 – use gdb to dissect the functionality of the shellcode – document your analysis. I chose the following… Continue reading SLAE64: Assignment 5 – Shellcode Analysis

Categorized as SLAE64

SLAE64: Assignment 4 – Custom Encoder

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https://www.pentesteracademy.com/course?id=7 Student-ID: PA-15847 The Objectives for the Assignment: – create a custom encoding scheme like the Insertion Encoder – PoC with execve stack as the shellcode to encode with your scheme and execute. So we used the following python… Continue reading SLAE64: Assignment 4 – Custom Encoder

Categorized as SLAE64

SLAE64: Assignment 3 – Egghunters

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https://www.pentesteracademy.com/course?id=7 Student-ID: PA-15847 The Objectives for the Assignment: – study about egg hunter shellcode – create a working demo of the egghunter – should be configurable for different payloads. An Egg Hunter is the first stage of a multistage payload. It consists of… Continue reading SLAE64: Assignment 3 – Egghunters

Categorized as SLAE64