Open Advanced Windows Exploitation
  • Introduction
    • Welcome
      • Subscribe
      • Contents
      • Intended Audience
      • Required Software and Tools
      • Thank You and Support
  • Custom Shellcode
    • 64-bit Architecture
      • 64-bit Enhancements
      • Calling Conventions
    • Shellcode Workflow
      • Visual Studio Code
      • Netwide Assembler
      • Windbg Preview
      • Workflow
    • Writing Shellcode
      • NULL-Free Position-Independent Shellcode
      • Finding kernel32.dll
      • Resolving Symbols
      • Finding VMAs
      • MessageBox Shellcode
      • Avoiding NULL
      • GetLastError
    • Reverse Shell
      • Exercise
      • Solution
  • Exploit Mitigations
    • Understanding the Battlefield
      • Memory Corruption
      • Vulnerability Primitives
      • Overview of Mitigations
    • Our Old Foes
      • DEP
      • ASLR
  • Memory Management
    • Memory Basics
      • Pages
      • Shared Memory
    • Memory Management
      • The Stack
      • The Heap
        • Heap Grooming and Overflow
        • Virtual Functions in C++
        • The Heap Continued
        • Kernel Mode Heap
      • Managed Memory
  • The Kernel
    • Kernel Basics
      • Kernel Structures
      • Kernel Debugging Options
      • Navigating the Kernel
      • Analysing the Kernel
    • Access Tokens
      • Access Token Basics
      • Token Theft
  • Drivers
    • Driver Basics
      • Implementing a Driver
      • Reversing Our Driver
      • A Basic User Mode Application
  • First Kernel Exploit
    • A Kernel Exploit
      • CVE 2020-17382
      • IDA Free
      • Writing A Basic Fuzzer
      • Controlling RIP
      • Meet SMEP
      • ROP to the Rescue
      • kASLR
      • Priv Esc Shellcode
    • Exploit Code
  • References
    • References
Powered by GitBook
On this page
  1. Exploit Mitigations
  2. Understanding the Battlefield

Memory Corruption

Memory corruption exploits refer to security vulnerabilities and attack techniques where attackers manipulate program memory to gain unauthorised control, enabling execution of arbitrary code.

PreviousUnderstanding the BattlefieldNextVulnerability Primitives

Last updated 1 year ago

When would-be security researchers initially delve into binary exploitation, they often start with stack-based buffer overflows, where excessive data is written into a stack buffer, leading to the overwrite of the saved return address and facilitating unauthorised code execution.

This classic memory corruption technique allows for arbitrary code execution within the system by taking control of the eip register.

It's important to note that we are actually corrupting a portion of memory on the stack that eventually gets loaded into the eip register as the stack winds down after a function.

This may seem a very trivial distinction, but it is an important one to understand.

Achieving arbitrary code execution often involves corrupting memory that subsequently executes as part of the system's regular operations.

We will look at common vulnerability primitives that achieve, or help achieve this goal, shortly. User mode API calls trigger system calls, which trigger the execution of code within the kernel.

If we could somehow corrupt the memory in the kernel to point to our arbitrary shellcode, instead of the intended function, we can execute our shellcode with a simple user mode call to gain privilege escalation.

An example we will look at later is by overwriting the HalDispatchTable, the normal API function flow is shown below:

The intention is that you should never be able to overwrite these pointers in memory, sometimes vulnerable code is written that allows us to do that.

This section is very brief, but it is important to understand that by overwriting function pointers we can take advantage of normal operations to gain arbitrary code execution; whether that be a reverse shell, privilege escalation shellcode or staging malware.

User mode call