Windows Exploit Development – Part 1: The Basics
Overview: Welcome to Part 1 of a series of posts on Windows Exploit Development. In this first installment I’ll cover just the basics necessary to understand the content of future posts, including some...

Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules
Overview: In Part 2 we constructed a basic stack based overflow exploit for ASX To MP3 Converter. As I indicated in that post, the exploit itself is far from perfect. Successful EIP overwrite is...

Windows Exploit Development – Part 5: Locating Shellcode With Egghunting
Overview: In Part 4 we looked at how to find and execute your shellcode using various jump methods. In Part 5 we’re going to look at another method to find your shellcode called Egghunting. This method...

Windows Exploit Development – Part 6: SEH Exploits
Introduction: The buffer overflow exploits covered so far in this tutorial series have generally involved some form of direct EIP overwrite using a CALL or JMP instruction(s) to reach our shellcode....

Fun With Teensy
Introduction: I’ve been wanting to write about the Teensy and its application in security testing for some time now. It’s extremely useful for executing scripts on a target machine without the need for...

Windows Exploit Development – Part 7: Unicode Buffer Overflows
Introduction: In this seventh installment of the Windows Exploit Development Series, I’ll introduce Unicode Buffer Overflows. We’ll start with a brief introduction to Unicode (what it is and why/how...

Exploiting MS14-066 / CVE-2014-6321 (aka “Winshock”)
Introduction: I think enough time has passed now to provide a little more detail on how to exploit the MS14-066 schannel vulnerability (aka “Winshock”). In this post I won’t be providing a complete PoC...

EggSandwich – An Egghunter with Integrity
Introduction: A while back I introduced the EggSandwich in my tutorial on Egghunting as a means to implement some basic integrity checks into the traditional Egghunter and overcome the problem of...