Past, Present, Future of Windows Exploitation

hi all

this is v0.1 of this post and in this post i’m going to have a review and brief history on exploitation with focus on windows .

this post will be  done III part :

  • part I     : brief history of buffer overflow
  • part II   : history of windows exploitation from windows 2000 to windows 7
  • part III : feature of exploitation

Part I  : brief history of buffer overflow

Starring : Robert morris , Aleph_one , Solar designer , Matt Conover , Casper Dik

it’s been long time after :

morris worm in 1988 (first known computer worm that used a buffer overflow to attack)

aleph one wrote Smashing The Stack For Fun Profit in phrack 49 in ~1996

so he start taking about detailed strcpy exploitation :

Matt Conover wrote first detailed heap overflow tutorial in 1999 heap tut

and solar designer wrote first generic heap exploit on windows netscape exploit

at that times because of really low OS memory protections and also low application specific protections (can also called CPU and compilers problem !) , a poor input validation and an insecure memory copy was enough to corrupting memory (mostly in stack area) and overwriting a function return address and getting control of instruction pointer (IP , EIP) and then by storing malicious code (called shellcode) and using a pointer (mostly stack pointer (ESP)) execution flow can be change and pointer to attacker malicious (or educational ;) )  code.

so OS developers and security guys had to think about memory protections and casper dik in nov 1996 wrote a kernel run-time patch to implement non-executable-stacks for Solaris 2.4 to 2.5.1

and later solar designer released same thing to remove executable permission for stack on the linux here

and around ~2000 solar designer made return-to-libc attacks to return in executable page and functions in memory for bypassing non-executable memory. the basic idea was  after controlling executing flow return to some function like system() and executing a single command or …. but there was a problem and the attacker was limit in payload selection and can’t use advanced payloads .

so around ~2000 we had :

  • basic / intermediate stack overflows
  • basic heap overflows
  • basic / intermediate format strings (killed so soon !)
  • basic memory protections
  • basic bypass memory protections
  • also some other type of memory corruptions (not so general)


part II  : history of windows exploitation from windows 2000 to windows 7

Starring : Alexander Sotirov , Mark Dowd , John McDonald, Chris Valasek , Chris Anley , Brett Moore , David litchfield , Nicolas Waisman , Dave Aitel , Halvar Flake ,  Cesar Cerrudo , Matt Miller , ken johnson , S.K Chong ,  Dionysus Blazakis  , hd moore , FlashSky , Ruben Santamarta .

welcome to windows world !

i wanna start from windows 2000  final version of NT family because i think older windows are not interesting enough to talk about .

exploit developers golden age : microsoft was is supporting and making money from windows 2k and unfortunately forgot  protect you from buffer overflow attacks . so old and classic attacks works like a charm and just  maybe in some case  we saw very complex  and smart vulnerabilities but exploitation by itself was not that hard (maybe just some application specific filters / protections )

so because of that poor protection we saw great worms like :

blaster worm one of historic worms ever that used a RPC vuln for attack and fixed in

and maybe you can remember : “billy gates why do you make this possible ? Stop making money and fix your software!! “

and this cool picture :

slammer worm a great and fast worm that used an SQL Server buffer overflow for attack. that fixed after 6 month !!! in :

sasser worm another great worm that used lsass remote overflow vulnerability and fixed in:

but there is a question these worms targeted windows XP and 2003 as well too ? yes !

because microsoft did  that great job in windows XP service pack 0 and 1 as well as windows 2003 service pack 0.

also we had lots of great and reliable exploits like :

DCOM RCP Exploit  here by flashsky (xfocus guy)

MS Windows (RPC DCOM) Remote Exploit here by hd moore

Great Kill Bill exploit here (targeting ANS.1) by Alexander Sotirov

MS Windows Plug-and-Play here by sl0ppy and houseofdabus and others .

also some GUI tools for easy exploitation for those even don’t know how they can compile and run an exploit like : RPC GUI v2 – r3L4x.exe

but why we had lots of juicy and clicky – clicky exploits ? there is two main reasons :

1- poor generic OS / application layer  memory protection

2- cool generic public memory exploitation related researches

classic windows stack overflows

lots of great and detailed papers in this area i just wanna link a few of them :

1- Win32 Buffer Overflows (Location, Exploitation and Prevention) by dark spyrit in 1999

2- S.K Chong Win32 Stack Based Buffer Overflow Walkthrough  in july 2002

3- Nish Bhalla’s series on  Writing Stack Based Overflows on Windows in 2005

if i want to have brief description of them they all are talking about finding a reliable return address in  a reliable Dynamic Linked Library (MOST in OS DLL’s kernel32.dll ntdll.dll shell32.dll user32.dll and … ) and then after overwriting a function return address by sending big value to not good checked input variable and getting program execution flow redirect that flow to address in DLL that address is mostly JMP / call /  PUSH ESP (stack pointer)  or EBP (base pointer) because most of time in classic stack overflow attacker store her / his malicious code in the stack and a JMP / CALL / PUSH ESP RET will lead his / her to jump to start of shellcode .thats all!

classic windows heap overflows

1 –  Third Generation Exploitation smashing heap on 2k by halvar Flake in 2002

2- Exploiting the MSRPC Heap Overflow two part by Dave Aitel (MS03-026) sep 2003

3- david litchfield did a great detailed penetration in black hat 2004

if i want to have brief description of them they all are talking about exploiting unlink macro and using write4 (where + what) and actually ability of writing 4byte (32bit ) of selected address in memory by using specific function pointers like :

  • UnhandledExceptionFilter
  • VectoredExceptionHandling
  • RtlEnterCriticalSection
  • TEB Exception Handler
  • Application specific function pointer


kernel based Windows overflows (not so classic)

because of Inexorability of  this type of attacks i want to share all of most notable history in this area here : (note that  i will back to heap and stack with protections after in it)


First noticeable whitepaper that stated how to attack kernel based vulns on

windows was done by a Polish group called “sec-labs” around 2003 .

sec-lab old whitepaper :

sec-lab old exploit :

(thanks Piotr Bania !)

1- Windows Local Kernel Exploitation by S.K Chong in 2004 (based on sec-lab research)

2-Windows interrupt context kernel overflow exploit BY FLASHSKY in 2004

3- How to exploit Windows kernel memory pool in 2005 by SoBeIt

4- in 2005 eeye security published great paper about exploiting remote kernel overflows in windows

5- later in 2005 matt miller published great article called Kernel-mode Payloads on Windows in uninformed

6- in 2006 johny cache hd moore and matt miller released Exploiting 802.11 Wireless Driver Vulnerabilities on Windows

7- in 2007 Jonathan Lindsay published and did a presentation in BH US 2007 called Attacking the Windows Kernel

8- same in  BH US 2007 Yuriy Bulygin did a peresentiation called Remote and Local Exploitation of Network Drivers

9- in 2007 also Ruben Santamarta wrote Exploiting Comon Flaws In Drivers

10- in 2008 Justin Seitz  wrote a paper and called I2OMGMT Driver Impersonation Attack

in that paper Justin  talked about new type of kernel attacks and about i2OMGMT bug that founded by ruben.

11- later in 2008 Kostya Kortchinsky did a presentation called Real World Kernel Pool Exploitation

in that presentation kostya  talked about how he wrote exploit for ms08-001 (Microsoft marked it as not-exploitable !)

12- later in 2008 Cesar Cerrudo wrote Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8

  • artice :
  • poc 2k3:
  • poc 2k8:

13- again later in 2008 mxtone wrote a paper called Analyzing local privilege escalations in win32k

in that paper he analyzed vulnerabilities and exploitation vector of win32k driver .

14- in ucon 2009  Stephen A. Ridley did a presentation called Intro to Windows Kernel Security Development
download it here

15- Tavis Ormandy, Julien Tinnes and great presentation called There’s a party at ring0 and you’re invited

16- in January 2010 Matthew “j00ru” Jurczyk and Gynvael Coldwind, Hispasec wrote a detailed paper called GDT and LDT in Windows kernel vulnerability exploitation.
in that  paper they describes some possible ways of exploiting kernel-mode write-what-where vulnerabilities in a stable manner

17- later  they did a presentation called Case Study of Recent Windows Vulnerabilities in HITB 2010

Windows memory protections !

OK so now we are going back to user-land this time with memory protections !

due to  lots of generic exploitation methods as well as lots of worms  ! Microsoft decided to use of memory protections in hardware and software layer. so from windows XP SP2 (Windows XP Tablet PC Edition 2005) , Windows Server 2003 Service Pack 1 (OS level) and from visual studio 2003 (compiler level) added lots of memory protections functionality.

here i’m going to have brief history of them and then  i will introduce  great researchers and their research against memory protections .

1- Data Execution Prevention (DEP)

DEP is a security feature included in modern Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region. This helps prevent certain exploits that store code via a buffer overflow, for example.

hardware-enforced DEP for CPUs that can mark memory pages as non-executable, and software-enforced DEP with a limited prevention for CPUs that do not have hardware support.

in windows XP SP2 and windows 2003 sp1 and sp2 you can get access on DEP setting by editing boot.ini in noexecute section.

there is four options :

1- OptIn : DEP only will work for all of windows services as well as  necessary programs.

2- OptOut: DEP  will work for all of windows services as well as  all of 3d-party installed program but you can add some process as            exception from controll panel.

3- AlwaysOn : fully protected by DEP no exception is acceptable.

4- AlwaysOff : Go to hell DEP , turns DEP off .

most of CPUs those are made after 2004 (AMD , Intel) can support hardware DEP.

read more on DEP :

/GS (Buffer Security Check)

GS (a.k.a stack cookie) is a compiler option that added from visual studio 2003 and will detects some buffer overruns that overwrite the return address, a common technique for exploiting code that does not enforce buffer size restrictions. This is achieved by injecting security checks into the compiled code.

so by using /GS flag compiler will add __security_init_cookie() function to your program and each time you want to overwrite a function return address you actually overwrite cookie as well and so comparison of cookie will fall so process will be terminate and you can’t use your return address.

for more detail read :


a linked option also system functionality added in visual studio 2005. when a program is linked with /SAFESEH in header of file will be contain of a acceptable Exception Handler Table. so each time an exception occurs and attacker wants overwrite a record from exception handler the ntdll dispatcher will understand this and will terminate program execution.

for more detail read :


Windows Vista, 2008 server, and Windows 7 offer yet another built-int security technique (like PAX), which randomizes the base addresses of executables, dll’s, stack and heap in a process’s address space (in fact, it will load the system images into 1 out of 256 random slots, it will randomize the stack for each thread, and it will randomize the heap as well).
in simple explanation if you want use an address in system in one of system dll’s   after your target system got restart your address is changed and not valid anymore so exploitation will fail again.

for more detail read : here


used in most modern windows operation systems like 2008 and 7 . the idea beyond this new mitigation comes from matt miller article called Preventing the Exploitation of SEH Overwrites. for detailed explanation of this protection just read flowing link :

Heap Protection

Microsoft also introduce to some new heap protections like heap meta cookie , safe unlinking , and in newer systems (after vista) function pointer obfuscation and so on …


Advanced Windows Exploitation (bypassing filter and protections )

after 2005 exploitation getting harder and harder and number of public and “white-hat” hackers who can made a reliable multi platform exploit for modern windows OS was not too much.

in this section i want to have review on most important and noticeable researches against protections.

1- Third Generation Exploitation smashing heap on 2k by halvar Flake in 2002

windows 2k heap exploitation.

2- chris anley wrote Creating Arbitrary Shellcode In Unicode Expanded Strings

this was first public article about unicode based shellcode and is also known as “Venetian” shellcode. the method explained in this paper was good enough to making poor ASCII shellcodes .

3- Dave aitel advanced windows exploitation in 2003

in that talk dave talked about no so typical windows exploitation and start making game more advanced .

4- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server by david litchfield

this paper actually was first detailed paper about abusing SEH (structured exception handler)  and the generic way to bypass /GS  and also write not lots of public exploit are using this method for exploitation so it also can called one of most important research in windows exploitation history.

5- reliable heap exploits  (matt Conover  in cansecwest 2004 ) and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)

i think that was one of most important heap related research in history of windows exploitation a great and gentle introduction to overwrite a chunk on lookaside list for bypassing safe unlinking and also give lots of great information  about windows heap manager internals .

6- later in 2004 matt miller wrote an article Safely Searching Process Virtual Address Space

this article was first great and public article about using egg-hunter shellcode and it’s about when we have limited memory space for our shellcode and we can store our big and main shellcode some-where in memory. this can be also called practical introduction to search shellcodes .

7- later in 2004  skylined wrote on IE exploit and used a technology called Heap Spray

heap spray is one of most important technologies even in modern exploitation and it’s about code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’ heap and fill the bytes in these blocks with the right values. They commonly take advantage from the fact that these heap blocks will roughly be in the same location every time the heap spray is run.

for a few years heap spray was just used in java script and mostly in browsers but today modern attackers are using anything possible to allocate more heap for sparing .  like action script , silver light , bmp files and … and not just in browsers !  from my point of view heap spray is like cheating in modern exploitation !

8- bypassing hardware-enforced DEP skape (matt miller) Skywing (ken johnson) (in October 2005)

yay ! they finally did it . hardware enforced DEP bypassed by using a return to libc style attack . in simple explanation  the problem was in not CPU the problem and weakness was in windows related API that was used for setting DEP for various process. and the API was NtSetInformationProcess. but there was some simple problem in that article like they forget talk about it we need to to have EBP always writable.

9- Exploiting Freelist[0] On XP Service Pack 2 by brett moore (dec 2005)

download here

this is was another great example of bypassing heap protections by using Freelist[0] and really useful is some case .

10 -  later in 2005 matt miller published great article called Kernel-mode Payloads on Windows in uninformed

this article was great article for porting exploits to kernel-land.

11-  in 2006 johny cache hd moore and matt miller released Exploiting 802.11 Wireless Driver Vulnerabilities on Windows

good example of real-world driver exploitation.

12-  in 2007  Ruben Santamarta wrote Exploiting Comon Flaws In Drivers

Read it here

note that before ruben we can find lots of great research about this topic but  ruben makes  it different . he  made a tool that called kartoffel which is a great driver fuzzer for finding IOCTL vulnerabilities  in drivers. but kartoffel was not main reason to make it different.

after he wrote kartofell and published lots of detailed advisories in various vendor drivers , windows driver exploitation got speed and changed to one of focusable area in exploitation .

13- Heap Feng Shui in JavaScript by Alexander sotirov (2007)

notable improvements to skylined heap spray technology . heap spray was good but blind and not so reliable is some case.  Heap Feng Shui is great research about doing advanced FU in heap  (heap manipulation) it will lead you to have more control on heap.

14- Understanding and bypassing Windows Heap Protection by Nicolas Waisman (2007)

nico is one of a few guys that focused on windows heap he also developed immunity debugger heaplib and did lots of great heap related researches. he is one of world leading heap !

15- Heaps About Heaps by brett moore (in 2008)

that was one of most complete researches about heap. yes that is just a few slides but great hint if you want do something on heap !

16- Bypassing browser memory protections in Windows Vista  by Mark Dowd and Alex Sotirov (in 2008)

one of most greatest exploitation related research with a focus on bypassing browsers memory protections in vista .

great  generic .net shellcode trick (loading a .net dll and use shellcode in it),  java spraying , deep into  combined protections  and great ways to bypassing them.

17 – Attacking the Vista Heap by ben hawkes (in 2008)

great research about vista heap internals and some ways to bypassing vista heap protections.

18- Return oriented programming Exploitation without Code Injection by Hovav Shacham  (and others ) (in 2008)

not a so new technology. it’s just our old code reuse ! but with great official introduction he call it  Return-Oriented-Programming (now known as ROP ). this technology is great to bypass permanent DEP (vista / 7 / 2008) (because you can’t use return-to-libc style attack anymore)

19- Cesar Cerrudo wrote Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 (2008)

20- Defeating DEP Immunity Way by Pablo sole (2008)

first automation of ROP . thats it ;)

21- Practical Windows XP2003 Heap Exploitation (bh 2009) by John McDonald and Chris Valasek.

if you want write a heap exploit for modern OS . you should read this one . most complete heap related article .

22- Bypassing SEHOP  by Stefan Le Berre Damien Cauquil (in 2009)

cool and good research ! but ALSR will make it not so useful because SEHOP = SEHOP + ASLR

23- Interpreter Exploitation  : Pointer Inference and JIT Spraying by Dionysus Blazakis (2010)

Great ! exploitation is still alive . generic exploitation method for bypassing DEP and ASLR together . if you read and understand it you can write lots of exploits for windows 7 !

24- write-up of Pwn2Own 2010 by  Peter Vreugdenhil (2010)

a great and short article about how to own DEP+ASLR without any 3rd-party plugin

(used two vulnerability and toke around 4 minutes)

25- ruben santamarta all in one 0day presented in rootedCON (2010)

some great idea for bypassing IE XSS Filter and protected mod not exploitation specific but it’s great for being combined with other exploitation methods .


history of some not so typical windows exploits:

in this section i’m going to archive some of interesting exploits i saw you can learn lots of things from them !

1- one of first real-world HW-DEP bypass Exploit by devcode : here

2- bypassing DEP by returning into HeapCreate by toto : here

3- first public ASLR bypass exploit by using partial overwrite  by skape (matt miller) : here

4- heap spray and bypassing DEP by skylined : here

5- first public exploit that used ROP  for bypassing DEP in adobe lib TIFF vulnerability : here (is this case ASLR bypass is possible !)

6-  exploit codes of bypassing browsers memory protections : here

7-  Cesar Cerrudo PoC’s on Tokken TokenKidnapping .  PoC for  2k3: here , PoC 2k8: here

8- Tavis Ormandy KiTra0d an exploit works from win 3.1 to win 7 . PoC here (metasploit updated module works more interesting !)

9- old ms08-067 metasploit module multi-target and DEP bypass  PoC here

10- PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass (using ROP and Brute Forcing ASLR) PoC here

11- Stephen Fewer SMBv2 Exploit . PoC here

note 1  :there is lots of other interesting exploits in windows platform you can just find them in here and also here .

note 2: i saw lots of other great and advanced exploits in commercial packages . (they are commercial so forget them ;) )


history of related windows exploitation books !

in this section i’m going to archive some books about windows exploitation.

1- Exploiting Software How to Break Code By (Greg Hoglund, Gary McGraw)

2- The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities (By Mark Dowd, John McDonald)

3- Buffer Overflow Attacks: Detect, Exploit, Prevent (by James C. Foster)

4- Windows Internals (by Mark Russinovich , David A. Solomon, Alex Ionescu)

5-  The Shellcoders Handbook Discovering and Exploiting Security

(by Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan Eren, Neel Mehta, and Riley Hassell)

6- Software Vulnerability Guide ( by HERBERT H. THOMPSON , SCOTT G. CHASE)

7- ADVANCED WINDOWS DEBUGGING (by Mario Heward , Daniel Pravat)

8- Reversing: Secrets of Reverse Engineering

9- great step by step exploit writing tutorials by my friend Peter Van Eeckhoutte :

  1. Exploit writting tutorial part 1:Stack Based Overflowshere
  2. Exploit writting tutorial part 2: Stack Based Overflows – jumping to shellcode – here
  3. Exploit writting tutorial part 3: SEH Based Exploits – here
  4. Exploit writting tutorial part 3b: SEH Based Exploits - just another example  - here
  5. Exploit writting tutorial part 4: From Exploit to Metasploit – here
  6. Exploit writting tutorial part 5:  speed up basic exploit development – here
  7. Exploit writting tutorial part 6: Bypassing GS, SafeSeh, SEHOP, HW DEP and ASLR – here
  8. Exploit writting tutorial part 7: Unicode – from 0×00410041 to calc – here
  9. Exploit writting tutorial part 8: Win32 Egg Hunting - here
  10. Exploit writting tutorial part 9: Introduction to Win32 shellcoding – here

also he wrote a cool immunity debugger PyCommand called PveFindAddr i think this python script is necessary for speed-up exploit development for newbie or expert exploit developers and i found it so useful , it have some cool features like finding instructions for code reuse and ROP also finding state of memory protections and finding best return address in your situation.

this is not complete lits of exploitation related book / articles list i just listed those had at least one windows specific chapter .

PART III : Future of exploitation

Starring : T.B.A

1- exploitation is not and will not die.

2- just will change and being more harder also won’t be ” just for fun” like before.

3- writing reliable exploits will take time and time == money and now exploit development is acceptable specific job in security area !

4- fame == money as well (also is lovely by itself) .  so you will see other great researches in various security fields ;)

5- if you read all of resources exist in post you can be a great exploit developer ; )

PS1 : during writing this post due to lots of links and peoples on it maybe i forgot some notable people / article you can alert me about them just by shahin [at]

PS2 : i wrote this post so fast (and took long time !) i will edit my Misspellings and grammatical in good time.

i need to go and take 0XCC00FFEE .

have fun .

Get Adobe Flash playerPlugin by wordpress themes