Exploiting Windows 10 Kernel Drivers - Stack Overflow

Following on from my earlier post in which we walked through creating an exploit for the WARBIRD vulnerability, over the next few posts I'm going to be looking at Windows kernel exploitation. If you haven't had chance to read it, I'd recommend that you pause and give it a quick glance as some of this walkthrough will rely on concepts introduced previously. This post will start off by laying the groundwork for future posts, and walking through a simple stack overflow exploit in the Windows kernel. HackSys Extreme Vulnerable Driver If you want to learn about Windows driver exploitation, few reso…

Read more »

Windows Anti-Debug techniques - OpenProcess filtering

Posted on

This week I took a break from SYSTEM chasing to review some anti-debugging techniques. With quite a few Bug Bounty programs available relying on client-side applications, I thought I'd share one of the techniques used by numerous security products (and apparently game anti-cheat engines) to stop you from debugging core components, and just how we can go about bypassing this. Obviously it goes without saying, but the technique shown in this post is not a vulnerability, if an attacker has this level of access to your system... it was already game over and they are likely just finishing up by ins…

Read more »

Alternative methods of becoming SYSTEM

For many pentesters, Meterpreter's getsystem command has become the default method of gaining SYSTEM account privileges, but have you ever have wondered just how this works behind the scenes? In this post I will show the details of how this technique works, and explore a couple of methods which are not quite as popular, but may help evade detection on those tricky redteam engagements. Meterpreter's "getsystem" Most of you will have used the getsystem module in Meterpreter before. For those that haven't, getsystem is a module offered by the Metasploit-Framework which allows an adminis…

Read more »