Skills to hunt some CVEs

I have lately been training myself on Windows exploitation using multiple resources, and I learnt a lot this time on topics such as how to perform buffer overflows, SEH, and multiple ways to jump to a shellcode:

  • call / jmp esp
  • pop ret
  • push ret
  • small buffer
  • SEH

I also learned bypassing DEP using ROP, bypassing ASLR using non-ASLR modules, partial overwrite, bruteforcing the address space, theoretical and practical knowledge about SafeSEH and SEHOP, and the use of egghunters; however, I skipped a bit the module on Unicode shellcoding on Windows/Linux. I could consider myself at level 2 of exploit development, and level 3 I could say is everything related to heap, WinDbg, UAF, etc. What things should I go for right now? My main goal right now is to hunt bugs, especially memory corruption ones, browsers, and cool ones. I know I may not have the level for that right now, but I could. So my question is: where should I go?

Everything you learn is helpful, as long as you put it to work.
I have a really limited knowledge when it comes to Windows, but I’m going to try.

Now, “bypassing randomization using non-protected modules” is not enough, since ASLR is now practically everywhere, but if you find an address and dump it during runtime (in other words: leak it), you can calculate addresses to perform a code-reuse attack or such (ROP, JOP…). And it isn’t the only protection out there; there’s CFG (Control Flow Guard), which attackers found multiple ways around in the past (i.e. data-only attacks or out-of-context calls), Isolated Heap, EMET…
Remember when Site Isolation was used to run an exploit multiple times and increase its reliability?
“Child crashed? Duuuuh, all I know is the parent process is still alive.”
What a comedy, it really is a cat and mouse game.

  • WinDbg will be useful in studying a possible attack vector and its exploitability, so understand the (Windows) Console Debugger, the available commands and scripting.
  • Note that when it comes to real applications, the attacker doesn’t have access to the victim’s machine. He should first use a bug (or most likely a couple of them) to achieve code execution and get over the sandbox (escape it); only then can he think of escalating privileges (EoP, LPE) and guaranteeing persistence (using a rootkit).
  • Looking at all the bug types and their examples wouldn’t hurt, such as OOB R/W, TOCTOU and race conditions, uninitialized buffer, logic bugs, heap and stack overflows, UAF, type confusion…
  • Familiarizing yourself with IDA, WINAPI and reversing C++ code, along with peeking at available documents that study a specific browser’s engine and internals, will be a great help.

In general, searching more is what’ll help you, good luck!
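As an added illustration of two of the bug classes named in the reply above (out-of-bounds read/write and uninitialized buffer), and not code from the thread or from any real project: a parser for a constructed length-prefixed record, shown once trusting the length field and once bounding every access against what was actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed record format for illustration: [1 byte len][len bytes payload].
 * A parser that trusts `len` without comparing it against the number of
 * bytes actually received reads past the input (OOB read) and, when len
 * exceeds the destination, writes past the output buffer (overflow). */

#define MAX_PAYLOAD 64

struct record {
    uint8_t len;
    uint8_t payload[MAX_PAYLOAD];
};

/* Vulnerable form: `buflen` is ignored, so a record claiming more bytes than
 * were received reads beyond `buf`, and len > MAX_PAYLOAD overruns `out`. */
int parse_record_unsafe(const uint8_t *buf, size_t buflen, struct record *out)
{
    (void)buflen;               /* the received length is never consulted */
    out->len = buf[0];
    memcpy(out->payload, buf + 1, out->len);
    return 0;
}

/* Hardened form: the output is zeroed first (no uninitialized bytes escape),
 * and every read and write is bounded by the real sizes on both sides. */
int parse_record_safe(const uint8_t *buf, size_t buflen, struct record *out)
{
    memset(out, 0, sizeof *out);
    if (buf == NULL || buflen < 1)
        return -1;              /* not even a length byte was received */
    uint8_t len = buf[0];
    if (len > MAX_PAYLOAD)
        return -1;              /* would overflow out->payload */
    if ((size_t)len + 1 > buflen)
        return -1;              /* claims more bytes than were received */
    out->len = len;
    memcpy(out->payload, buf + 1, len);
    return 0;
}
```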


Thanks so much for your help. The next step will be 1-3 days more on shellcoding and then moving to advanced heap exploits, or staying 1-4 weeks on reversing.
