Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
nixawk-awesome-windows-exploitation
https://github.com/r3p3r/nixawk-awesome-windows-exploitation
Last synced: 1 day ago
Kernel based Windows overflows
- Windows Local Kernel Exploitation (based on sec-lab research) - by S.K Chong [2004]
- How attacking kernel-based vulnerabilities on Windows was done - by a Polish group called “sec-labs” [2003]
- Sec-lab old whitepaper
- Sec-lab old exploit
- How to exploit Windows kernel memory pool - by SoBeIt [2005]
- Exploiting remote kernel overflows in windows - by Eeye Security
- I2OMGMT Driver Impersonation Attack
- Real World Kernel Pool Exploitation
- Intro to Windows Kernel Security Development
- Windows kernel vulnerability exploitation
- A New CVE-2015-0057 Exploit Technology - by Yu Wang [2016]
- Exploiting CVE-2014-4113 on Windows 8.1 - by Moritz Jodeit [2016]
- Windows Kernel Exploitation - by Simone Cardona 2016
- Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects - by Saif Sherei 2017
- Abusing GDI for ring0 exploit primitives - [2016]
- Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes - by keen team [2015]
Windows stack overflows
- Writing Stack Based Overflows on Windows - by Nish Bhalla [2005]
- Stack Smashing as of Today - by Hagen Fritsch [2009]
- SMASHING C++ VPTRS - by rix [2000]
- Win32 Buffer Overflows (Location, Exploitation and Prevention) - by Dark spyrit [1999]
Typical windows exploits
- PoCs on Token Kidnapping: PoC for 2k8 - part 2 - by Cesar Cerrudo
- Bypassing DEP by returning into HeapCreate - by Toto
- First public ASLR bypass exploit by using partial overwrite - by Skape
- First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability
- PoCs on Token Kidnapping: PoC for 2k3 - part 1 - by Cesar Cerrudo
- An exploit that works from Windows 3.1 to Windows 7 (KiTrap0D) - by Tavis Ormandy
- Old ms08-067 metasploit module multi-target and DEP bypass
- SMBv2 Exploit - by Stephen Fewer
- Microsoft IIS 7.5 remote heap buffer overflow - by redpantz
- Browser Exploitation Case Study for Internet Explorer 11 - by Moritz Jodeit [2016]
- Heap spray and bypassing DEP - by Skylined
Windows heap overflows
- Exploiting the MSRPC Heap Overflow Part 1 - by Dave Aitel (MS03-026) [September 2003]
- Exploiting the MSRPC Heap Overflow Part 2 - by Dave Aitel (MS03-026) [September 2003]
- Windows heap overflow penetration in Black Hat - by David Litchfield [2004]
- Pseudomonarchia jemallocum - by argp & huku
- The House Of Lore: Reloaded - by blackngel [2010]
- Malloc Des-Maleficarum - by blackngel [2009]
- free() exploitation technique - by huku
- Understanding the heap by breaking it - by Justin N. Ferguson [2007]
- The use of set_head to defeat the wilderness - by g463
- The Malloc Maleficarum - by Phantasmal Phantasmagoria [2005]
- Exploiting The Wilderness - by Phantasmal Phantasmagoria [2004]
- Advanced Doug Lea's malloc exploits - by jp
- Glibc Adventures: The Forgotten Chunk - by François Goichon [2015]
Bypassing filter and protections
- Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 - by Cesar Cerrudo [2008]
- Creating Arbitrary Shellcode In Unicode Expanded Strings - by Chris Anley
- Advanced windows exploitation - by Dave Aitel [2003]
- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server - by David Litchfield
- Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) - by Matt Conover at CanSecWest 2004
- Exploiting Freelist[0] - by Brett Moore [2005]
- Understanding and bypassing Windows Heap Protection - by Nicolas Waisman [2007]
- Heaps About Heaps - by Brett Moore [2008]
- Bypassing browser memory protections in Windows Vista - by Mark Dowd and Alex Sotirov [2008]
- Attacking the Vista Heap - by Ben Hawkes [2008]
- Defeating DEP Immunity Way - by Pablo Sole [2008]
- Bypassing SEHOP - by Stefan Le Berre and Damien Cauquil [2009]
- Interpreter Exploitation: Pointer Inference and JIT Spraying - by Dionysus Blazakis [2010]
- Write-up of Pwn2Own 2010 - by Peter Vreugdenhil
- All in one 0day presented in rootedCON - by Ruben Santamarta [2010]
- Exploiting Common Flaws In Drivers
- Bypassing EMET 5.0 - by René Freingruber [2014]
Windows Kernel Memory Corruption
- Remote Windows Kernel Exploitation - by Barnaby Jack [2005]
- Windows Kernel-Mode Payload Fundamentals - by Skape [2006]
- Exploiting 802.11 Wireless Driver Vulnerabilities on Windows - by Johnny Cache, H D Moore, skape [2007]
- Kernel Pool Exploitation on Windows 7 - by Tarjei Mandt [2011]
- Subtle information disclosure in WIN32K.SYS syscall return values - [2011]
- nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques - [2011]
- Kernel Attacks through User-Mode Callbacks - by Tarjei Mandt [2011]
- Windows Security Hardening Through Kernel Address Protection - by Mateusz "j00ru" Jurczyk [2011]
- Reversing Windows 8: Interesting Features of Kernel Security - by MJ0011 [2012]
- MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit - [2013]
- First Dip Into the Kernel Pool: MS10-058 - by Jeremy [2014]
- Windows 8 Kernel Memory Protections Bypass - [2014]
- Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool - [2014]
- Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit - by Aaron Adams [2015]
- Exploiting MS15-061 Microsoft Windows Kernel Use-After-Free (win32k!xxxSetClassLong) - by Dominic Wang [2015]
- Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit - by Cedric Halbronn [2015]
- Abusing GDI for ring0 exploit primitives - by Diego Juarez [2015]
- Duqu 2.0 Win32k exploit analysis - [2015]
- Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012]
- SMEP: What is it, and how to beat it on Windows - [2011]
Return Oriented Programming
- The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls
- Blind return-oriented programming
- Sigreturn-oriented Programming
- Jump-Oriented Programming: A New Class of Code-Reuse Attack
- Out of control: Overcoming control-flow integrity
- ROP is Still Dangerous: Breaking Modern Defenses
- Loop-Oriented Programming (LOP): A New Code Reuse Attack to Bypass Modern Defenses - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
- Systematic Analysis of Defenses Against Return-Oriented Programming - by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
- Return-oriented programming without returns - by S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
- Jump-oriented programming: a new class of code-reuse attack - by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
- Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
- Exploitation with WriteProcessMemory - by Spencer Pratt [2010]
- Exploitation techniques and mitigations on Windows - by skape
- A little return oriented exploitation on Windows x86 – Part 1 - by Harmony Security and Stephen Fewer [2010]
- Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1 - by Marco Mastropaolo [2005]
- Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard - by E. Göktas, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis [2014]
- Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2 - by Marco Mastropaolo [2005]
- Practical ROP - by Dino Dai Zovi [2010]
Windows memory protections
Exploit development tutorial series
- Exploit writing tutorial part 1 : Stack Based Overflows
- Exploit writing tutorial part 3 : SEH Based Exploits
- Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
- Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Exploit writing tutorial part 8 : Win32 Egg Hunting
- Exploit writing tutorial part 9 : Introduction to Win32 shellcoding
- Exploit writing tutorial part 11 : Heap Spraying Demystified
- Heap Overflows For Humans 101
- Heap Overflows For Humans 102
- Heap Overflows For Humans 102.5
- Heap Overflows For Humans 103
- Heap Overflows For Humans 103.5
- Intro to Windows kernel exploitation 1/N: Kernel Debugging
- Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver
- Intro to Windows kernel exploitation 3/N: My first Driver exploit
- Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver
- Backdoor 103: Fully Undetected
- Backdoor 102
- Backdoor 101
- corelan - integer overflows - exercise solution
- heap overflows for humans - 102 - exercise solution
- exploit exercises - protostar - final levels
- exploit exercises - protostar - network levels
- exploit exercises - protostar - heap levels
- exploit exercises - protostar - format string levels
- exploit exercises - protostar - stack levels
- open security training - introduction to software exploits - uninitialized variable overflow
- open security training - introduction to software exploits - off-by-one
- open security training - introduction to re - bomb lab secret phase
- open security training - introductory x86 - buffer overflow mystery box
- corelan - tutorial 10 - exercise solution
- corelan - tutorial 9 - exercise solution
- corelan - tutorial 7 - exercise solution
- getting from seh to nseh
- corelan - tutorial 3b - exercise solution
- WinDbg
- Mona 2
- Structured Exception Handling (SEH)
- Heap
- Windows Basics
- Shellcode
- Exploitme1 (ret eip overwrite)
- Exploitme2 (Stack cookies & SEH)
- Exploitme3 (DEP)
- Exploitme4 (ASLR)
- Exploitme5 (Heap Spraying & UAF)
- EMET 5.2
- Internet Explorer 10 - Reverse Engineering IE
- Internet Explorer 10 - From one-byte-write to full process space read/write
- Internet Explorer 10 - God Mode (1)
- Internet Explorer 10 - God Mode (2)
- Internet Explorer 10 - Use-After-Free bug
- Internet Explorer 11 - Part 1
- Internet Explorer 11 - Part 2
- Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc
- Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube
- Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
- Exploit writing tutorial part 3b : SEH Based Exploits – just another example
- Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
Tools
- Binary Ninja - Multiplatform binary analysis IDE supporting
- Bokken - GUI for Pyew and Radare.
- IDA Pro - Windows
- Immunity Debugger - Debugger for
- ltrace - Dynamic analysis for Linux executables.
- objdump - Part of GNU binutils,
- OllyDbg - An assembly-level debugger for Windows
- Process Monitor