Himanshu Khokhar's Blog

A journey to pwn rip

Author: Himanshu Khokhar

Demystifying Code Injection Techniques: Part 1 – Shellcode Injection

Introduction

Code injection refers to the act of injecting arbitrary external code in an application. There are two types of code injection:

  1. Injection into vulnerable programs.
  2. Injection into non-vulnerable programs.

If code injection is done in vulnerable applications, it is done via exploitation of a bug which occurs when processing invalid data. In this case, the extent of code injection is dependent on the bug in the application, which we also refer to as “vulnerability”. The problem with this scenario is that the application should have a bug that can be leveraged to gain code execution.

Read More

Windows Kernel Exploitation Part 3: Integer Overflow

Introduction

Welcome to the third part of Windows Kernel Exploitation series. In this part, we are going to exploit integer overflow in the HackSysExtremeVulnerableDriver.

What exactly is an integer overflow?

For those who do not know about integer overflows, you might be thinking how an integer can overflow?

Well, the actual integer does not overflow. CPU stores integers in fixed size memory allocations (we are not talking about heap or alike here). If you are familiar with C/C++ programming language or similar languages, you might recall data types and how each data type has specific fixed size.

Read More

Windows Kernel Exploitation Part 2: Type Confusion

Introduction

Welcome to the second part of Windows Kernel Exploitation series. In the second part, we are taking a detour from usual memory corruption vulnerabilities (which are a majority in case of the driver we are exploiting). I was quite confused whether to make it the first part because how easy it is to exploit, but here we are, once we have tasted blood in kernel land.

What is Type Confusion?

Type confusion is a vulnerability where the application doesn’t verify the type of an object (function, data type, etc.) and then processes it as it expects but the passed object is some other object.

Read More

Windows Kernel Exploitation Part 1: Stack Buffer Overflows

Introduction

Welcome to the first part of Windows Kernel Exploitation series. In the first part, we are starting with a vanilla stack buffer overflow in the HackSysExtremeVulnerableDriver.

When a buffer present on stack gets more data than it can store (for e.g. Copying 20 bytes on a 16-byte buffer, which can be a character array or similar object), the remaining data gets written in nearby location, effectively overwriting or corrupting the stack.

The core idea is to control this overflow so that we can overwrite saved return address on the stack and after execution of current (vulnerable) function, it will return to our overwritten value, which contains our shellcode.

Read More

Powered by WordPress & Theme by Anders Norén