Advanced Windows Exploitation (AWE) Training

Students should be experienced in developing windows exploits and understand how to operate a debugger. Familiarity with WinDbg, Immunity Debugger, and Python scripting is highly recommended. A willingness to work and put in real effort will greatly help students succeed in this security training course.

• NX/ASLR Bypass – Using different techniques to bypass Data Execution Prevention and Address Space Layout Randomization protection mechanisms on modern operating systems.
• Function pointer overwrites – Overwriting a function pointer in order to get code execution.
• Precision Heap Spraying – Spraying the heap for reliable code execution.
• Disarming EMET Mitigations to gain reliable code execution
• 64 and 32 Bit Windows Kernel Driver Exploitation
• Kernel Pool Exploitation

1 Module 0x00 Introduction

2 Module 0x01 DEP/ASLR Bypass and Sandbox Escape via Flash Heap Overflow

• 2.1 Lab Objectives
• 2.1.1 Overview
• 2.2 DEP and ASLR
• 2.2.1 Ret2Lib Attacks and Their Evolution
• 2.2.2 Return Oriented Programming Exploitation
• 2.2.3 Address Space Layout Randomization
• 2.2.4 Debugger automation: Pykd and findrop.py
• 2.2.5 Exercises
• 2.3 Flash Player Heap Internals Key Points
• 2.4 Heap Spray: The Technique
• 2.4.1 Exercises
• 2.5 Heap Overflow Case Study: CVE-2015-3104 Proof of Concept
• 2.5.1 Exercises
• 2.6 Heap Overflow Case Study: A Deeper Look at the Bug
• 2.6.1 Exercises
• 2.7 Heap Overflow Case Study: Allocation Control
• 2.7.1 Exercises
• 2.8 Heap Overflow Case Study: Gaining Read/Write Access to the Memory Space
• 2.8.1 Exercises
• 2.9 Heap Overflow Case Study: Defeating ASLR
• 2.9.1 Finding our object in memory
• 2.9.2 Exercises
• 2.9.3 Obtaining NPSWF32 base address
• 2.9.4 Exercises
• 2.10 Heap Overflow Case Study: Gaining code execution
• 2.10.1 Exercises
• 2.11 Heap Overflow Case Study: Stack Pivoting
• 2.11.1 Exercises
• 2.12 Heap Overflow Case Study: Defeating DEP
• 2.12.1 GetModuleHandle ROP Chain
• 2.12.2 Exercises
• 2.12.3 GetProcAddress ROP Chain
• 2.12.4 Exercises
• 2.12.5 WriteProcessMemory ROP Chain
• 2.12.6 Exercises
• 2.13 Executing Shellcode and Restoring the execution flow
• 2.13.1 Exercises
• 2.14 Sandbox Escape
• 2.14.1 Exercises
• 2.15 Windows Defender Exploit Guard
• 2.16 Testing WDEG Protections on CVE-2015-3104
• 2.17 Disarm vs Bypass
• 2.17.1 Disarming WDEG: Theory
• 2.17.2 Disarming WDEG: Practice (CVE-2015-3104)
• 2.17.3 Exercises
• 2.17.4 Defeating EAF
• 2.17.5 Exercises
• 2.18 Wrapping Up

3 Module 0x02 CFG/ACG Bypass and Sandbox Escape via Microsoft Edge Type Confusion

• 3.1 Lab Objectives
• 3.1.1 Overview
• 3.2.1 Main 64-bit Enhancements
• 3.2.2 JavaScript on 64-bit
• 3.2.3 Microsoft Edge and WinDbg
• 3.3 Type Confusion Case Study: CVE-2017-8601 POC
• 3.3.1 Exercises
• 3.4 Type Confusion Case Study: Read and Write Primitive
• 3.4.1 Exercises
• 3.5 Control Flow Guard Theory
• 3.5.1 CFG Implementation
• 3.5.2 CFG History and Limitations
• 3.5.3 Exercises
• 3.5.4 CFG Bypass Techniques
• 3.6 Type Confusion Case Study: Leaking the stack
• 3.6.1 Exercises
• 3.7 Type Confusion Case Study: RIP Control and Stack Pivot
• 3.7.1 Stack pivoting
• 3.7.2 Confuse me again
• 3.7.3 Exercises
• 3.7.4 ROP preps
• 3.7.5 Exercises
• 3.8 Arbitary Code Guard Theory
• 3.9 ACG Bypass Case Study: CVE-2017-8637
• 3.9.1 ACG Bypass Mechanics
• 3.9.2 Locating the JIT Process Handle
• 3.9.3 Duplicating the JIT Process handle
• 3.9.4 ACG ROP Chain
• 3.9.5 Step 1: DuplicateHandle Call
• 3.9.6 Exercise
• 3.9.7 Step 2: VirtualAllocEx Call
• 3.9.8 Exercise
• 3.9.9 Step 3: WriteProcessMemory Call
• 3.9.10 Exercise
• 3.9.11 Step 4: CreateRemoteThread Call
• 3.9.12 Exercise
• 3.9.13 Step 5: Thread leak
• 3.9.14 Exercise
• 3.9.15 Step 6: Stack manipulation
• 3.9.16 Exercise
• 3.9.17 Step 7: Remote RIP hijacking
• 3.9.18 Exercises
• 3.9.19 Extramile
• 3.10 Type Confusion Case Study: Process Continuation
• 3.10.1 Exercises
• 3.11 AppContainer Sandbox and Code Integrity Guard
• 3.11.1 AppContainer Protections Overview
• 3.11.2 Appcontainer in the Creators Update
• 3.12 Sandbox Escape Case Study: CVE-2016-0165
• 3.13 Sandbox Escape Case Study: Shellcode
• 3.13.1 Exercises
• 3.14 Wrapping up

4 Module 0x03 64-bit Kernel Driver Exploitation

• 4.1 Lab Objectives
• 4.2 Overview
• 4.3 Windows I/O System and Device Drivers
• 4.4 Communicating with Drivers
• 4.5 I/O Control Codes
• 4.6 Privilege Levels and Ring0 Payloads
• 4.7 Token Stealing Payload
• 4.8 CVE-2015-5736 : Vulnerability Overview
• 4.9 CVE-2015-5736 : Overwriting the callback function
• 4.9.1 Exercises
• 4.10 CVE-2015-5736 : Triggering the Vulnerable Code
• 4.10.1 Exercises
• 4.11 CVE-2015-5736 : SMEP Says Hello
• 4.11.1 Exercise
• 4.12 CVE-2015-5736 : Introduction to Memory Paging and Structures
• 4.12.1 Exercise
• 4.13 CVE-2015-5736 : The PML4 Self-reference Entry
• 4.14 CVE-2015-5736 : ROP Based Attack
• 4.14.1 Restricted Callers
• 4.14.2 PML4 self-reference entry randomization
• 4.15 CVE-2015-4077 : Memory Leak Vulnerability
• 4.15.1 Bypassing Driver Checks
• 4.15.2 Exercises
• 4.15.3 Leak an Arbitrary Address
• 4.15.4 Exercises
• 4.15.5 Leaking The Kernel Base Address
• 4.15.6 Exercises
• 4.15.7 Leaking Additional DLLs Mapped In Kernel Space
• 4.15.8 Exercises
• 4.16 CVE-2015-5736 : Stack Pivoting
• 4.16.1 Exercises
• 4.17 CVE-2015-5736 : Bypassing SMEP
• 4.17.1 Exercises
• 4.18 CVE-2015-5736 : Restoring the Execution Flow
• 4.18.1 Exercises
• 4.19 Wrapping Up