Skills to hunt come CVE

I have been lately training myself on windows exploitation using multiples resources , but I learnt a lot this time in topics such as how to perfom buffer overflows , seh , multiples way to jmp a shellcode

call / jmp esp
pop ret
push ret
small buff

I also learn bypasing DEP using ROP , bypassing ASLR using non-ASLR modules, partial overwrite,bruteforce address space , theorical and practical knowlegde about safeSEH and SEHOP . the use of egghunters , but however I skipped a bit the module of unicode for shellcoding on windows / linux . I could consider myself I am at level 2 of exploit development , and level 3 I could say everything related to heap , wingdb , UAF , and etc. what things should I go for right now ? my main goal right now is to hunt bugs specially memory corruption ones , browsers , and cool ones . I know I could not have the level for that right now , but I could . so my question is where should I go ?

Everything you learn is helpful, as long as you put it to work.
I have a really limited knowledge when it comes to Windows, but I’m going to try.

Now, “bypassing randomization using non-protected modules” is not enough, since ASLR is now practically everywhere, but if you find an address and dump it during runtime(other words: Leak it), you can calculate addresses to perform a code-reuse attack or such(ROP, JOP…). and it isn’t the only protection out there, there’s CFG(Control-flow guard) which attackers found multiple ways around in the past (i.e; data-only attacks or out-of-context calls), Isolated Heap, EMET…
Remember when Site Isolation was used to run an exploit multiple times and increase its reliability?
“Child crashed? duuuuh, all I know is the parent process is still alive.”
What a comedy, it really is a cat and mouse game.

  • WinDbg will be useful in studying a possible attack vector and its exploitability, so understand the (Windows) Console Debugger, the available commands and scripting.
  • Note that when it comes to real applications, the attacker doesn’t have access to the victim’s machine. He should first use a bug(or most likely a couple of them) to acheive code execution and get over the sandbox(Escape it), only then can he think of escalating privileges(EoP, LPE) and guarantee persistence(using a rootkit).
  • Looking at all the bug types and their examples wouldn’t hurt, such as OOB R/W, TOCTOU and Race conditions, Uninitialized buffer, Logic bugs, Heap and Stack overflows, UAF, Type confusion…
  • Familiarize with IDA, WINAPI and Reversing C++ code along with peeking at available documents that study a specific browser’s engine and internals will be great help.

In general, searching more is what’ll help you, good luck!

1 Like

thanks for your help so much . the next step it will be the 1-3 days more on shellcoding and move to heap exploits advanced or stay 1-4 weeks on reversing

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.