README.md

Windows or ARM Exploitation

A collection of awesome software, libraries, learning tutorials, documents and books, awesome resources and cool stuff about ARM and Windows Exploitation.

What are exploits?

Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.

Table of Contents

• Windows stack overflows
• Windows heap overflows
• Kernel based Windows overflows
• Windows Kernel Memory Corruption
• Return Oriented Programming
• Windows memory protections
• Bypassing filter and protections
• Typical windows exploits
• Exploit development tutorial series
  • Corelan Team
  • Fuzzysecurity
  • Securitysift
  • Whitehatters Academy
  • TheSprawl
  • Expdev-Kiuhnm
• Tools
• Miscellaneous
  • Conference Talks / Videos
  • Articles / Papers
  • Resources
  • CTF / Training Binaries
  • Books
  • Other Tools
  • Courses
  • Related Awesome Lists
• Advanced ARM
  • Browser
  • Mitigation Bypass
  • Kernel
  • Misc

Windows stack overflows

Stack Base Overflow Articles.

• Win32 Buffer Overflows (Location, Exploitation and Prevention) - by Dark spyrit [1999]
• Writing Stack Based Overflows on Windows - by Nish Bhalla’s [2005]
• Stack Smashing as of Today - by Hagen Fritsch [2009]
• SMASHING C++ VPTRS - by rix [2000]

Windows heap overflows

Heap Base Overflow Articles.

• Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002]
• Exploiting the MSRPC Heap Overflow Part 1 - by Dave Aitel (MS03-026) [September 2003]
• Exploiting the MSRPC Heap Overflow Part 2 - by Dave Aitel (MS03-026) [September 2003]
• Windows heap overflow penetration in black hat - by David Litchfield [2004]
• Glibc Adventures: The Forgotten Chunk - by François Goichon [2015]
• Pseudomonarchia jemallocum - by argp & huku
• The House Of Lore: Reloaded - by blackngel [2010]
• Malloc Des-Maleficarum - by blackngel [2009]
• free() exploitation technique - by huku
• Understanding the heap by breaking it - by Justin N. Ferguson [2007]
• The use of set_head to defeat the wilderness - by g463
• The Malloc Maleficarum - by Phantasmal Phantasmagoria [2005]
• Exploiting The Wilderness - by Phantasmal Phantasmagoria [2004]
• Advanced Doug lea's malloc exploits - by jp

^ back to top ^

Kernel based Windows overflows

Kernel Base Exploit Development Articles.

• How to attack kernel based vulns on windows was done - by a Polish group called “sec-labs” [2003]
• Sec-lab old whitepaper
• Sec-lab old exploit
• Windows Local Kernel Exploitation (based on sec-lab research) - by S.K Chong [2004]
• How to exploit Windows kernel memory pool - by SoBeIt [2005]
• Exploiting remote kernel overflows in windows - by Eeye Security
• Kernel-mode Payloads on Windows in uninformed - by Matt Miller
• Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
• BH US 2007 Attacking the Windows Kernel
• Remote and Local Exploitation of Network Drivers
• Exploiting Comon Flaws In Drivers
• I2OMGMT Driver Impersonation Attack
• Real World Kernel Pool Exploitation
• Exploit for windows 2k3 and 2k8
• Alyzing local privilege escalations in win32k
• Intro to Windows Kernel Security Development
• There’s a party at ring0 and you’re invited
• Windows kernel vulnerability exploitation
• A New CVE-2015-0057 Exploit Technology - by Yu Wang [2016]
• Exploiting CVE-2014-4113 on Windows 8.1 - by Moritz Jodeit [2016]
• Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012]
• Windows Kernel Exploitation - by Simone Cardona 2016
• Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects - by Saif Sherei 2017
• Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes - by keen team [2015]
• Abusing GDI for ring0 exploit primitives - [2016]

Windows Kernel Memory Corruption

Windows Kernel Memory Corruption Exploit Development Articles.

• Remote Windows Kernel Exploitation - by Barnaby Jack [2005]
• windows kernel-mode payload fundamentals - by Skape [2006]
• exploiting 802.11 wireless driver vulnerabilities on windows - by Johnny Cache, H D Moore, skape [2007]
• Kernel Pool Exploitation on Windows 7 - by Tarjei Mandt [2011]
• Windows Kernel-mode GS Cookies and 1 bit of entropy - [2011]
• Subtle information disclosure in WIN32K.SYS syscall return values - [2011]
• nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques - [2011]
• SMEP: What is it, and how to beat it on Windows - [2011]
• Kernel Attacks through User-Mode Callbacks - by Tarjei Mandt [2011]
• Windows Security Hardening Through Kernel Address Protection - by Mateusz "j00ru" Jurczyk [2011]
• Reversing Windows8: Interesting Features of Kernel Security - by MJ0011 [2012]
• Smashing The Atom: Extraordinary String Based Attacks - by Tarjei Mandt [2012]
• Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012]
• Using a Patched Vulnerability to Bypass Windows 8 x64 Driver Signature Enforcement - by MJ0011 [2012]
• MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit - [2013]
• KASLR Bypass Mitigations in Windows 8.1 - [2013]
• First Dip Into the Kernel Pool: MS10-058 - by Jeremy [2014]
• Windows 8 Kernel Memory Protections Bypass - [2014]
• An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - by Weimin Wu [2014]
• Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool - [2014]
• Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE 2015-0057) bug on both 32-bit and 64-bit - by Aaron Adams [2015]
• Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong) - by Dominic Wang [2015]
• Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit - by Cedric Halbronn [2015]
• Abusing GDI for ring0 exploit primitives - by Diego Juarez [2015]
• Duqu 2.0 Win32k exploit analysis - [2015]

Return Oriented Programming

• The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls
• Blind return-oriented programming
• Sigreturn-oriented Programming
• Jump-Oriented Programming: A New Class of Code-Reuse Attack
• Out of control: Overcoming control-flow integrity
• ROP is Still Dangerous: Breaking Modern Defenses
• Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
• Systematic Analysis of Defenses Against Return-Oriented Programming -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
• Return-oriented programming without returns -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
• Jump-oriented programming: a new class of code-reuse attack -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
• Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
• Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]
• Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1 - by Marco Mastropaolo [2005]
• Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2 - by Marco Mastropaolo [2005]
• Practical Rop - by Dino Dai Zovi [2010]
• Exploitation with WriteProcessMemory - by Spencer Pratt [2010]
• Exploitation techniques and mitigations on Windows - by skape
• A little return oriented exploitation on Windows x86 – Part 1 - by Harmony Security and Stephen Fewer [2010]
• A little return oriented exploitation on Windows x86 – Part 2 - by Harmony Security and Stephen Fewer [2010]

Windows memory protections

Windows memory protections Introduction Articles.

• Data Execution Prevention
• /GS (Buffer Security Check)
• /SAFESEH
• ASLR
• SEHOP

Bypassing filter and protections

Windows memory protections Bypass Methods Articles.

• Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002]
• Creating Arbitrary Shellcode In Unicode Expanded Strings - by Chris Anley
• Advanced windows exploitation - by Dave Aitel [2003]
• Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server - by David Litchfield
• Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) - by Matt Conover in cansecwest 2004
• Safely Searching Process Virtual Address Space - by Matt Miller [2004]
• IE exploit and used a technology called Heap Spray
• Bypassing hardware-enforced DEP - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
• Exploiting Freelist[0] On XP Service Pack 2 - by Brett Moore [2005]
• Kernel-mode Payloads on Windows in uninformed
• Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
• Exploiting Comon Flaws In Drivers
• Heap Feng Shui in JavaScript by Alexander sotirov [2007]
• Understanding and bypassing Windows Heap Protection - by Nicolas Waisman [2007]
• Heaps About Heaps - by Brett moore [2008]
• Bypassing browser memory protections in Windows Vista - by Mark Dowd and Alex Sotirov [2008]
• Attacking the Vista Heap - by ben hawkes [2008]
• Return oriented programming Exploitation without Code Injection - by Hovav Shacham (and others ) [2008]
• Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 - by Cesar Cerrudo [2008]
• Defeating DEP Immunity Way - by Pablo Sole [2008]
• Practical Windows XP2003 Heap Exploitation - by John McDonald and Chris Valasek [2009]
• Bypassing SEHOP - by Stefan Le Berre Damien Cauquil [2009]
• Interpreter Exploitation : Pointer Inference and JIT Spraying - by Dionysus Blazakis[2010]
• Write-up of Pwn2Own 2010 - by Peter Vreugdenhil
• All in one 0day presented in rootedCON - by Ruben Santamarta [2010]
• DEP/ASLR bypass using 3rd party - by Shahin Ramezany [2013]
• Bypassing EMET 5.0 - by René Freingruber [2014]

Typical windows exploits

• Real-world HW-DEP bypass Exploit - by Devcode
• Bypassing DEP by returning into HeapCreate - by Toto
• First public ASLR bypass exploit by using partial overwrite - by Skape
• Heap spray and bypassing DEP - by Skylined
• First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability
• Exploit codes of bypassing browsers memory protections
• PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1 - by Cesar Cerrudo
• PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2 - by Cesar Cerrudo
• An exploit works from win 3.1 to win 7 - by Tavis Ormandy KiTra0d
• Old ms08-067 metasploit module multi-target and DEP bypass
• PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass
• SMBv2 Exploit - by Stephen Fewer
• Microsoft IIS 7.5 remote heap buffer overflow - by redpantz
• Browser Exploitation Case Study for Internet Explorer 11 - by Moritz Jodeit [2016]

Exploit development tutorial series

Exploid Development Tutorial Series Base on Windows Operation System Articles.

• Corelan Team

  • Exploit writing tutorial part 1 : Stack Based Overflows
  • Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
  • Exploit writing tutorial part 3 : SEH Based Exploits
  • Exploit writing tutorial part 3b : SEH Based Exploits – just another example
  • Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
  • Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
  • Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
  • Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc
  • Exploit writing tutorial part 8 : Win32 Egg Hunting
  • Exploit writing tutorial part 9 : Introduction to Win32 shellcoding
  • Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube
  • Exploit writing tutorial part 11 : Heap Spraying Demystified

• Fuzzysecurity

  • Part 1: Introduction to Exploit Development
  • Part 2: Saved Return Pointer Overflows
  • Part 3: Structured Exception Handler (SEH)
  • Part 4: Egg Hunters
  • Part 5: Unicode 0x00410041
  • Part 6: Writing W32 shellcode
  • Part 7: Return Oriented Programming
  • Part 8: Spraying the Heap Chapter 1: Vanilla EIP
  • Part 9: Spraying the Heap Chapter 2: Use-After-Free
  • Part 10: Kernel Exploitation -> Stack Overflow
  • Part 11: Kernel Exploitation -> Write-What-Where
  • Part 12: Kernel Exploitation -> Null Pointer Dereference
  • Part 13: Kernel Exploitation -> Uninitialized Stack Variable
  • Part 14: Kernel Exploitation -> Integer Overflow
  • Part 15: Kernel Exploitation -> UAF
  • Part 16: Kernel Exploitation -> Pool Overflow
  • Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)
  • Heap Overflows For Humans 101
  • Heap Overflows For Humans 102
  • Heap Overflows For Humans 102.5
  • Heap Overflows For Humans 103
  • Heap Overflows For Humans 103.5

• Securitysift

  • Windows Exploit Development – Part 1: The Basics
  • Windows Exploit Development – Part 2: Intro to Stack Based Overflows
  • Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules
  • Windows Exploit Development – Part 4: Locating Shellcode With Jumps
  • Windows Exploit Development – Part 5: Locating Shellcode With Egghunting
  • Windows Exploit Development – Part 6: SEH Exploits
  • Windows Exploit Development – Part 7: Unicode Buffer Overflows

• Whitehatters Academy

  • Intro to Windows kernel exploitation 1/N: Kernel Debugging
  • Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver
  • Intro to Windows kernel exploitation 3/N: My first Driver exploit
  • Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver
  • Backdoor 103: Fully Undetected
  • Backdoor 102
  • Backdoor 101

• TheSprawl

  • corelan - integer overflows - exercise solution
  • heap overflows for humans - 102 - exercise solution
  • exploit exercises - protostar - final levels
  • exploit exercises - protostar - network levels
  • exploit exercises - protostar - heap levels
  • exploit exercises - protostar - format string levels
  • exploit exercises - protostar - stack levels
  • open security training - introduction to software exploits - uninitialized variable overflow
  • open security training - introduction to software exploits - off-by-one
  • open security training - introduction to re - bomb lab secret phase
  • open security training - introductory x86 - buffer overflow mystery box
  • corelan - tutorial 10 - exercise solution
  • corelan - tutorial 9 - exercise solution
  • corelan - tutorial 7 - exercise solution
  • getting from seh to nseh
  • corelan - tutorial 3b - exercise solution

• Expdev-Kiuhnm

  • WinDbg
  • Mona 2
  • Structure Exception Handling (SEH)
  • Heap
  • Windows Basics
  • Shellcode
  • Exploitme1 (ret eip overwrite)
  • Exploitme2 (Stack cookies & SEH)
  • Exploitme3 (DEP)
  • Exploitme4 (ASLR)
  • Exploitme5 (Heap Spraying & UAF)
  • EMET 5.2
  • Internet Explorer 10 - Reverse Engineering IE
  • Internet Explorer 10 - From one-byte-write to full process space read/write
  • Internet Explorer 10 - God Mode (1)
  • Internet Explorer 10 - God Mode (2)
  • Internet Explorer 10 - Use-After-Free bug
  • Internet Explorer 11 - Part 1
  • Internet Explorer 11 - Part 2

Tools

Disassemblers, debuggers, and other static and dynamic analysis tools.

• angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
• BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
• Binary Ninja - Multiplatform binary analysis IDE supporting various types of binaries and architecturs. Scriptable via Python.
• binnavi - Binary analysis IDE for reverse engineering based on graph visualization.
• Bokken - GUI for Pyew and Radare.
• Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
• codebro - Web based code browser using clang to provide basic code analysis.
• dnSpy - .NET assembly editor, decompiler and debugger.
• Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
• GDB - The GNU debugger.
• GEF - GDB Enhanced Features, for exploiters and reverse engineers.
• hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
• IDA Pro - Windows disassembler and debugger, with a free evaluation version.
• Immunity Debugger - Debugger for malware analysis and more, with a Python API.
• ltrace - Dynamic analysis for Linux executables.
• objdump - Part of GNU binutils, for static analysis of Linux binaries.
• OllyDbg - An assembly-level debugger for Windows executables.
• PANDA - Platform for Architecture-Neutral Dynamic Analysis
• PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
• pestudio - Perform static analysis of Windows executables.
• Process Monitor - Advanced monitoring tool for Windows programs.
• Pyew - Python tool for malware analysis.
• Radare2 - Reverse engineering framework, with debugger support.
• SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
• strace - Dynamic analysis for Linux executables.
• Udis86 - Disassembler library and tool for x86 and x86_64.
• Vivisect - Python tool for malware analysis.
• X64dbg - An open-source x64/x32 debugger for windows.

Conference Talks / Videos

• Exploitation on ARM - Itzhak Avraham - Defcon 18 (2010)
• ARM Exploitation ROPMAP - Long Le - Blackhat USA (2011)
• Advanced ARM Exploitation - Stephen Ridley & Stephen Lawler - Blackhat USA (2012)
• ARM Assembly and Shellcode Basics - Saumil Shah - 44CON (2017)
• Heap Overflow Exploits for Beginners (ARM Exploitation Tutorial) - Billy Ellis (2017)
• Introduction to Exploitation on ARM64 - Billy Ellis - Codetalks (2018)
• Make ARM Shellcode Great Again - Saumil Shah - Hack.lu (2018)
• ARM Memory Tagging, how it improves C++ memory safety - Kostya Serebryany - LLVM (2018)
• Breaking Samsung's ARM Trustzone
• Hacker Nightmares: Giving Hackers a Headache with Exploit Mitigations - Azeria - Virtual Arm Research Summit (2020)

Articles / Papers

• ARM Assembly Basics Series - Azeria
• ARM Binary Exploitation Series - Azeria
• Smashing the ARM Stack - Mercked Security
• Introduction to ARMv8 64-bit Architecture - pnuic
• Alphanumeric RISC ARM Shellcode - (Phrack) - Yves Younan, Pieter Philippaerts
• Return-Oriented Programming on a Cortex-M Processor
• 3or ARM Exploitation Series - Dimitrios Slamaris
• Developing StrongARM/Linux Shellcode - (Phrack) - funkysh
• Reversing and Exploiting ARM Binaries - Mathy Vanhoef
• ARM Exploitation for IoT Series - Andrea Sindoni
• Reverse Engineering of ARM Microcontrollers - Rdomanski
• ARM64 Reversing and Exploitation - Part 1: ARM Instruction Set + Simple Heap Overflow - 8ksec
• ARM64 Reversing and Exploitation - Part 2: Use After Free - 8ksec
• ARM64 Reversing and Exploitation - Part 3: A Simple ROP Chain - 8ksec
• ARM64 Reversing and Exploitation - Part 4: Using Mprotect() To Bypass NX Protection - 8ksec
• ARM64 Reversing and Exploitation - Part 5: Writing Shellcode - 8ksec
• ARM64 Reversing and Exploitation - Part 6: Exploiting An Uninitialized Stack Variable Vulnerability - 8ksec
• ARM64 Reversing and Exploitation - Part 7: Bypassing ASLR And NX - 8ksec
• ARM64 Reversing and Exploitation - Part 8: Exploiting An Integer Overflow Vulnerability - 8ksec
• ARM64 Reversing and Exploitation - Part 9 :Exploiting An Off By One Overflow Vulnerability - 8ksec
• ARM64 Reversing and Exploitation - Part 10: Intro To Arm Memory Tagging Extension (MTE) - 8ksec

Resources

• ARM Architecture Reference Manual
• Online ARM Assembler
• ARM TEE Reversing and Exploitation

CTF / Training Binaries

• Exploit Me
• Exploit Challenges
• Azeria ARM Lab

Books

• Practical Reverse Engineering (Chapter 2) - Bruce Dang, Alexandre Gazet and Elias Bachalany
• Beginners Guide to Exploitation on ARM - Volumes 1 & 2 - Billy Ellis
• ARM Assembly Language: Fundamentals & Techniques - William Hohl

Other Tools

• Ropper

Courses

• Azeria ARM Training
• Pentest Academy ARM Assembly
• Pentest Academy Reverse Engineering for ARM Platforms
• IHackArm Offensive ARM Exploitation

Related Awesome Lists

• Cybersecurity Android Security
• Awesome iOS Security
• Awesome IoT Hacks
• Awesome Exploit Development

↑ Browser

• Beginners guide to UAT exploits IE 0day exploit development
• Fuzzy Security - Spraying the Heap [Chapter 1: Vanilla EIP] – Putting Needles in the Haystack
• Fuzzy Security - Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack
• Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1
• Using the JIT Vulnerability to Pwn Microsoft Edge
• Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260)
• Advanced Heapspraying Technique
• HeapSpray Aurora Vulnerability
• Microsoft Edge Chakra JIT Type Confusion CVE-2019-0539
• CVE-2019-0539 Root Cause Analysis
• attacking javascript engines
• Learning browser exploitation via 33C3 CTF feuerfuchs challenge
• A Methodical Approach to Browser Exploitation
• Reducing target scope within JSC, building a JavaScript fuzzer
• Performing root-cause analysis of a JSC vulnerability
• Weaponizing a JSC vulnerability for single-click RCE
• Evaluating the Safari sandbox, and fuzzing WindowServer on MacOS
• Weaponizing a Safari sandbox escape
• Microsoft Edge MemGC Internals
• The ECMA and the Chakra
• Memory Corruption Exploitation In Internet Explorer
• IE 0day Analysis And Exploit
• Write Once, Pwn Anywhere
• The Art of Leaks: The Return of Heap Feng Shui
• IE 11 0day & Windows 8.1 Exploit
• IE11 Sandbox Escapes Presentation
• Spartan 0day & Exploit
• Look Mom, I don't use Shellcode
• Windows 10 x64 edge 0day and exploit
• 1-Day Browser & Kernel Exploitation
• The Secret of ChakraCore: 10 Ways to Go Beyond the Edge
• From Out of Memory to Remote Code Execution
• Attacking WebKit Applications by exploiting memory corruption bugs
• CVE-2018-5129: Out-of-bounds write with malformed IPC messages
• it-sec catalog browser exploitation chapter
• ZDI-18-428: An MsEdge InfoLeak Story
• AsiaSecWest-2018-Chakra-vulnerability-and-exploit-bypass-all-system-mitigation
• IE 0day Analysis And Exploit
• Attacking Client-Side JIT Compilers v2
• The Return of the JIT Part 1
• The Return of the JIT Part 2
• Using the JIT vulnerability to Pwning Microsoft Edge
• From Assembly to JavaScript and Back
• Exploiting CVE-2020-0041 - Part 1: Escaping the Chrome Sandbox
• Exploiting CVE-2020-0041 - Part 2: Escalating to root

↑ Mitigation Bypass

• Disarming EMET v5.0
• Disarming and Bypassing EMET 5.1
• Universal DEP/ASLR bypass with msvcr71.dll and mona.py
• Chaining DEP with ROP – the Rubik’s[TM] Cube
• Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
• Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)
• Disarming Enhanced Mitigation Experience Toolkit (EMET)
• Simple EMET EAF bypass
• Exploit Dev 101: Bypassing ASLR on Windows
• Bypassing Control Flow Guard in Windows 10
• Bypassing Control Flow Guard in Windows 10 - Part II
• BYPASS CONTROL FLOW GUARD COMPREHENSIVELY
• CROSS THE WALL-BYPASS ALL MODERN MITIGATIONS OF MICROSOFT EDGE
• How to find the vulnerability to bypass the Control Flow Guard
• Bypassing Memory Mitigation Using Data-Only Exploitation Technique
• CHAKRA JIT CFG BYPASS
• SMEP: What is it, and how to beat it on Windows
• ROP for SMEP bypass
• Smashing The Browser
• Browser security mitigations against memory corruption vulnerabilities

↑ Kernel

• Windows Kernel Pool Spraying
• Windows Kernel Exploitation Basics - Part 1 : Introduction to DVWDDriver
• Windows Kernel Exploitation Basics - Part 2 : Arbitrary Memory Overwrite exploitation using HalDispatchTable
• Windows Kernel Exploitation Basics - Part 3 : Arbitrary Memory Overwrite exploitation using LDT
• Windows Kernel Exploitation Basics - Part 4 : Stack-based Buffer Overflow exploitation (bypassing cookie)
• Arbitrary Write primitive in Windows kernel (HEVD)
• MS11-080 Exploit – A Voyage into Ring Zero
• Windows kernel pool spraying fun - Part 1 - Determine kernel object size
• Windows kernel pool spraying fun - Part 2 - More objects
• Windows kernel pool spraying fun - Part 3 - Let's make holes
• Fuzzy Security - Kernel Exploitation -> Stack Overflow
• Fuzzy Security - Kernel Exploitation -> Write-What-Where
• Fuzzy Security - Kernel Exploitation -> Null Pointer Dereference
• Fuzzy Security - Kernel Exploitation -> Uninitialized Stack Variable
• Fuzzy Security - Kernel Exploitation -> Integer Overflow
• Fuzzy Security - Kernel Exploitation -> UAF
• Fuzzy Security - Kernel Exploitation -> Pool Overflow
• Fuzzy Security - Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)
• Fuzzy Security - Kernel Exploitation -> RS2 Bitmap Necromancy
• Fuzzy Security - Kernel Exploitation -> Logic bugs in Razer rzpnk.sys
• Intro to Windows kernel exploitation 1/N: Kernel Debugging
• Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver
• Intro to Windows kernel exploitation 3/N: My first Driver exploit
• Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver
• Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool
• Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment
• Windows Kernel Exploitation Tutorial Part 2: Stack Overflow
• Windows Kernel Exploitation Tutorial Part 3: Arbitrary Memory Overwrite (Write-What-Where)
• Windows Kernel Exploitation Tutorial Part 4: Pool Feng-Shui –> Pool Overflow
• Windows Kernel Exploitation Tutorial Part 5: NULL Pointer Dereference
• Windows Kernel Exploitation Tutorial Part 6: Uninitialized Stack Variable
• Windows Kernel Exploitation Tutorial Part 7: Uninitialized Heap Variable
• Windows Kernel Exploitation Tutorial Part 8: Use After Free
• Corelan Team (corelanc0d3r) Heap Spraying Demystified
• abatchy Kernel Exploitation 1: Setting up the environment
• abatchy Kernel Exploitation 2: Payloads
• abatchy Kernel Exploitation 3: Stack Buffer Overflow (Windows 7 x86/x64)
• abatchy Kernel Exploitation 4: Stack Buffer Overflow (SMEP Bypass)
• abatchy Kernel Exploitation 5: Integer Overflow
• abatchy Kernel Exploitation 6: NULL pointer dereference
• abatchy Kernel Exploitation 7: Arbitrary Overwrite (Win7 x86)
• Kernel Hacking With HEVD Part 1 - The Setup
• Kernel Hacking With HEVD Part 2 - The Bug
• Kernel Hacking With HEVD Part 3 - The Shellcode
• Kernel Hacking With HEVD Part 4 - The Exploit
• Kernel Hacking With HEVD Part 5 - The SMEP Version
• The Path to Ring-0 Windows Edition
• DIRECTX TO THE KERNEL
• Windows Kernel Graphics Driver Attack Surface
• Root Cause of the Kernel Privilege Escalation Vulnerabilities CVE-2019-0808
• Kernel Pool Overflow Exploitation In Real World – Windows 10
• Kernel Pool Overflow Exploitation In Real World – Windows 7
• Windows Kernel Exploitation - Exploiting HEVD x64 Use-After-Free using Generic Non-Paged Pool Feng-Shui
• Windows Kernel Exploitation Part 1: Stack Buffer Overflows
• Windows Kernel Exploitation Part 2: Type Confusion
• Windows Kernel Exploitation Part 3: Integer Overflow

↑ Misc

• Root Cause Analysis – Memory Corruption Vulnerabilities
• Windows 10 x86/wow64 Userland heap

^ back to top ^

License

MIT License & cc license

This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work. Just follow the guidelines. Thank you!