# TwistedBytes
## Episode #1
### Introduction to Windows Exploitation in 2019
###### tags: `exploitation`, `windows`, `rop`, `mona`, `corelan`, `tb`, `ep1`
---
## Overview
* Walk through corelan's articles
* https://www.corelan.be/index.php/articles/
* Learn the tools and techniques
* https://github.com/corelan/mona
* Get hands-on skills
* Don't expect too much
---
## Today's plan
* Walk through corelan's articles
* https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
* Learn the tools and techniques
* Get hands-on skills
---
## Win10 demo
---
## Why is it still possible on Win10?
* The vulnerable module has no stack cookie (/GS), so the overflow reaches the saved return address and gives EIP control; DEP is on, so we return into a ROP chain instead of the stack
* Some modules are built without ASLR (no /DYNAMICBASE), so their gadget addresses are fixed and can be hard-coded
---
## Let's dig into the crash
* DEMO: finding the offset at which EIP is overwritten (cyclic pattern)
* DEMO: WinDbg Preview and Time Travel Debugging (TTD)
* https://blahcat.github.io/2018/11/02/some-time-travel-musings/
---
## Let's dig into an exploit
* The original exploit: https://www.exploit-db.com/exploits/39933
* The ROP chain was generated with the help of mona.py, but some additional steps are required to make it work
* DEMO: debugging the ROP chain gadget by gadget
---
## Attack plan
1. We've overflowed the stack; our shellcode is on the stack, but DEP makes the stack non-executable
2. We need to call VirtualAlloc/VirtualProtect to make the shellcode page executable
* Use a ROP chain for it
* Load the parameters for VirtualAlloc/VirtualProtect into the registers, one gadget per register
* The crucial gadget is `pushad # ret`: it pushes all eight registers in one go, so the stack then looks like a ready-made call frame for the API
3. Jump to the shellcode (generated with metasploit)
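---
## Attack plan: what `pushad` leaves on the stack
The plan above relies on one fact: `pushad` pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI in that order, so after it EDI is at the lowest address and the register values read, bottom up, as the frame VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect) expects. The model below is an added example, not code from the slides, corelan or mona; every gadget and stack address in it is hypothetical, and the register assignment mirrors the mona-style VirtualProtect chain (ESI = `jmp [eax]`, EAX = IAT pointer to VirtualProtect, EBP = `jmp esp`, EDI = `retn`).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 (32-bit) general registers. */
struct regs {
    uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi;
};

/* Memory image left by PUSHAD, lowest address first. Each slot name says
 * what the corresponding register must hold for the chain to work. */
struct vp_frame {
    uint32_t first_ret;      /* EDI: eaten by the RETN after PUSHAD -> a ROP NOP (RETN) */
    uint32_t call_target;    /* ESI: eaten by that RETN -> JMP [EAX] gadget */
    uint32_t return_addr;    /* EBP: return address of VirtualProtect -> JMP ESP */
    uint32_t lpAddress;      /* ESP as it was before PUSHAD: start of region to unprotect */
    uint32_t dwSize;         /* EBX: bytes to unprotect, must cover the shellcode */
    uint32_t flNewProtect;   /* EDX: PAGE_EXECUTE_READWRITE */
    uint32_t lpflOldProtect; /* ECX: any writable address */
    uint32_t api_ptr;        /* EAX: IAT slot holding the address of VirtualProtect */
};

#define PAGE_EXECUTE_READWRITE 0x40u

/* PUSHAD pushes EAX, ECX, EDX, EBX, original ESP, EBP, ESI, EDI,
 * so EDI ends up at the new ESP. */
static uint32_t *pushad(const struct regs *r, uint32_t *sp)
{
    uint32_t esp_before = r->esp;
    *--sp = r->eax; *--sp = r->ecx; *--sp = r->edx; *--sp = r->ebx;
    *--sp = esp_before; *--sp = r->ebp; *--sp = r->esi; *--sp = r->edi;
    return sp;
}

/* Stage the registers the way the chain does, then run PUSHAD. */
struct vp_frame build_vp_frame(uint32_t vp_iat, uint32_t jmp_eax, uint32_t jmp_esp,
                               uint32_t retn, uint32_t writable,
                               uint32_t esp_at_pushad, uint32_t size)
{
    struct regs r = { .eax = vp_iat, .ecx = writable, .edx = PAGE_EXECUTE_READWRITE,
                      .ebx = size, .esp = esp_at_pushad, .ebp = jmp_esp,
                      .esi = jmp_eax, .edi = retn };
    uint32_t stack[16] = { 0 };
    uint32_t *sp = pushad(&r, stack + 16);   /* 8 dwords pushed: sp == stack + 8 */
    struct vp_frame f;
    memcpy(&f, sp, sizeof f);
    return f;
}

/* Follow the control flow after PUSHAD # RETN and report whether it reaches
 * VirtualProtect with a region that actually covers the shellcode. */
int frame_reaches_virtualprotect(const struct vp_frame *f, uint32_t retn, uint32_t jmp_eax,
                                 uint32_t shellcode_addr, uint32_t shellcode_len)
{
    if (f->first_ret != retn)                      return 0; /* RETN pops EDI slot */
    if (f->call_target != jmp_eax)                 return 0; /* ROP NOP pops ESI slot */
    if (f->flNewProtect != PAGE_EXECUTE_READWRITE) return 0;
    /* lpAddress is the ESP at PUSHAD time, i.e. the slot right after the
     * PUSHAD gadget in the buffer: the shellcode there must fit in dwSize. */
    if (shellcode_addr < f->lpAddress)                               return 0;
    if (shellcode_addr + shellcode_len > f->lpAddress + f->dwSize)   return 0;
    return 1;
}

/* Hypothetical addresses for the demo (constructed, not from any real binary). */
#define VP_IAT        0x10001000u  /* IAT slot holding &VirtualProtect */
#define JMP_EAX       0x10002000u  /* JMP [EAX] gadget */
#define JMP_ESP       0x10003000u  /* JMP ESP gadget */
#define RETN          0x10004000u  /* ROP NOP */
#define WRITABLE      0x10005000u  /* scratch dword for lpflOldProtect */
#define ESP_AT_PUSHAD 0x0019f3c0u  /* ESP when the PUSHAD gadget ran */

struct vp_frame demo_frame(void)
{
    return build_vp_frame(VP_IAT, JMP_EAX, JMP_ESP, RETN, WRITABLE, ESP_AT_PUSHAD, 0x201u);
}

/* Dword at [ESP + 4*i] (i in 0..7) right after PUSHAD in the demo. */
uint32_t demo_slot(int i)
{
    struct vp_frame f = demo_frame();
    uint32_t w[8];
    memcpy(w, &f, sizeof w);
    return (i >= 0 && i < 8) ? w[i] : 0;
}

int demo_ok(uint32_t shellcode_len)
{
    struct vp_frame f = demo_frame();
    return frame_reaches_virtualprotect(&f, RETN, JMP_EAX, ESP_AT_PUSHAD, shellcode_len);
}

int main(void)
{
    for (int i = 0; i < 8; i++)
        printf("[esp+%02x] 0x%08x\n", i * 4, demo_slot(i));
    printf("reaches VirtualProtect: %d\n", demo_ok(0x150u));
    return 0;
}
```

Because VirtualProtect is `stdcall`, it returns with `ret 0x10`, which pops the four arguments and leaves ESP on the EAX slot; the `jmp esp` in EBP therefore lands just before the bytes that follow the `pushad` gadget in your buffer, which is where the shellcode (or a short hop to it) has to be. That is the kind of "additional step" a generated chain still leaves to you.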
---
## Using metasploit for shellcode

* DEMO: generating the payload with msfvenom, excluding the bad characters found in the crash
---
## The end
<!-- .slide: data-background-opacity="0.5" data-background="https://g77v3827gg2notadhhw9pew7-wpengine.netdna-ssl.com/wp-content/uploads/2017/03/kitten-anxiety_canna-pet-e1490739366728-1024x683.jpg"
-->
* give feedback
* join me on discord https://discord.gg/YSXg2TH
* and here is a kitten