Windows Kernel Exploitation Tutorial Part 8: Use After Free

Overview In our previous post, we discussed the Uninitialized Heap Variable vulnerability. This post will focus on another vulnerability, Use After Free. As the name might suggest, we’d be exploiting a stale pointer that should’ve been freed, but due to a flaw, the pointer is called through a Callback function, thus executing anything that we can […]

Windows Kernel Exploitation Tutorial Part 7: Uninitialized Heap Variable

Overview In the previous part, we looked into an Uninitialized Stack Variable vulnerability. In this part, we’ll discuss another vulnerability along similar lines, Uninitialized Heap Variable. We’d be grooming the Paged Pool in this one, so as to direct our execution flow to the shellcode. Again, huge thanks to @hacksysteam for the driver. Analysis Let’s […]

Windows Kernel Exploitation Tutorial Part 6: Uninitialized Stack Variable

Overview In the previous part, we looked into a simple NULL Pointer Dereference vulnerability. In this part, we’ll discuss another vulnerability, Uninitialized Stack Variable. This vulnerability arises when the developer declares a variable in the code but doesn’t initialize it. So, at runtime, the variable would hold some value, albeit an unpredictable one. How […]

Windows Kernel Exploitation Tutorial Part 5: NULL Pointer Dereference

Overview First of all, a happy new year. 🙂 After the exhaustive last part in this series, to start off this new year, this post will be about a lighter, more easy to understand vulnerability. A null pointer dereference vulnerability exists when the value of the pointer is NULL, and is used by the application […]

Windows Kernel Exploitation Tutorial Part 4: Pool Feng-Shui –> Pool Overflow

Overview We discussed the Write-What-Where vulnerability in the previous part. This part will deal with another vulnerability, Pool Overflow, which, in simpler terms, is just an Out-of-Bounds write on a pool buffer. This part could be intimidating and goes really in-depth on how to groom the pool in a way to control the flow of […]

Windows Kernel Exploitation Tutorial Part 3: Arbitrary Memory Overwrite (Write-What-Where)

Overview In the previous part, we looked into exploiting a basic kernel stack overflow vulnerability. This part will focus on another vulnerability, Arbitrary Memory Overwrite, also known as the Write-What-Where vulnerability. The basic exploitation concept for this would be to overwrite a pointer in a Kernel Dispatch Table (Where) with the address of our shellcode (What). Again, […]

Windows Kernel Exploitation Tutorial Part 2: Stack Overflow

Overview In part 1, we looked into how to manually set up the environment for Kernel Debugging. If something more straightforward is what you want, you can look into this great writeup by hexblog about setting up VirtualKd for much faster debugging. In this post, we’d dive deep into the kernel space, and look into […]

Windows Kernel Exploitation Tutorial Part 1: Setting up the Environment

Intro Recently, I had the pleasure to attend the training on Windows Kernel Exploitation at nullcon by the HackSysTeam. The training was well executed, and I got an intro into the world of the kernel. But, as you know, nobody can teach you the internals of Kernel Exploitation in a couple of days. So I thought of […]

OSCE & CTP – The dreaded certification by Offensive Security

Overview First of all, I still haven’t had my shot @ OSCP, and most of the online reviews I read about OSCE suggested that it’s better to clear OSCP first, and then take a dig at OSCE. Well, I took my chances and went straight for OSCE, as many of my peers suggested not […]