CF
Uploaded byCsaba Fitzl
77 views

Exploit generation automation with WinDBG (Hacktivity 2017)

This document discusses an automated tool written in Python that uses the pykd library to interact with WinDBG to automate the entire exploit writing process from a crash proof of concept to a working exploit for classic buffer overflows without any manual interaction. The tool finds the EIP overwrite location, registers pointing to buffers, bad characters, and a way to jump to shellcode to generate a successful exploit from a simple crash by automating the entire process.

Embed presentation

Download to read offline
Exploit generation automation with WinDBG Csaba Fitzl
whoami blue teamer security researcher, blogger husband, father hiker
Exploit writing challenges Time consuming Heavily manual intensive process Discovering memory layout Finding bad characters While (exploit doesn’t work == True): Start process, attach debugger, crash, Modify exploit
Exploit writing methodology - BoF Find EIP overwrite location Examine memory layout, registries Somehow jump to shellcode Generate shellcode Put all together
The task A tool which can automate the entire exploit writing process From crash PoC to working Exploit If possible n0 manual interaction
The tool Written in Python Uses the “pykd” library to interact with WinDBG
What can it do? Currently works for classic BoFs Can bypass ASLR Works for network and file based exploits Will create a successful exploit from a simple crash Automates the entire process (even finding bad characters!) No need to manually start the process / WinDBG
The logic Find EIP overwrite location / offset Find registers pointing to the buffers Find bad characters Find a way to jump to the shellcode (JMP, CALL, etc…) Generate shellcode Put it all together
demo time
How to use it? Some pre-work needs to be done Exploit is a Class Has to be populated with initial info (crash)
What has to be changed? def exploit(self): """ This function runs the actual exploit """ sleep(1) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(('127.0.0.1',80)) message = "GET " + ''.join(self.buffer) + " HTTP/ 1.1rnrn" sock.send(message) sock.close()
? twitter: @theevilbit tool: https://github.com/theevilbit/exploit_generator

More Related Content

PDF
Browser controller testing for webapps (in Windows environment)
byAdrian Spinei
 
PDF
Look beyond PHP
byFabien Potencier
 
PPTX
De was doen. gr 1 2.pptx
byMarjolein de Groot
 
PPTX
Windows custom shellcoding
byMihir Shah
 
PDF
Dive into exploit development
byPayampardaz
 
PDF
From SEH Overwrite with Egg Hunter to Get a Shell!
byRodolpho Concurde
 
PDF
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
byRodolpho Concurde
 
PDF
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
byRodolpho Concurde
 
Browser controller testing for webapps (in Windows environment)
byAdrian Spinei
 
Look beyond PHP
byFabien Potencier
 
De was doen. gr 1 2.pptx
byMarjolein de Groot
 
Windows custom shellcoding
byMihir Shah
 
Dive into exploit development
byPayampardaz
 
From SEH Overwrite with Egg Hunter to Get a Shell!
byRodolpho Concurde
 
From SEH Overwrite with Egg Hunter to Get a Shell_by_RodolphoConcurde
byRodolpho Concurde
 
Fuzzing: Finding Your Own Bugs and 0days! at Arab Security Conference
byRodolpho Concurde
 

Similar to Exploit generation automation with WinDBG (Hacktivity 2017)

PDF
2011-03 Developing Windows Exploits
byRaleigh ISSA
 
PDF
Writing simple buffer_overflow_exploits
byD4rk357 a
 
PDF
Fuzzing: Finding Your Own Bugs and 0days! 1.0
byRodolpho Concurde
 
PDF
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
byNETWAYS
 
PPTX
Anatomy of a Buffer Overflow Attack
byRob Gillen
 
PPTX
Baab (Bug as a Backdoor) through automatic exploit generation (CRAX)
byShih-Kun Huang
 
PPTX
Tranning-2
byAli Hussain
 
PDF
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
byJongWon Kim
 
PDF
smash the stack , Menna Essa
byCATReloaded
 
PDF
Toorcon Seattle 2011 - Browser Exploit Packs
byAditya K Sood
 
PPTX
ETCSS: Into the Mind of a Hacker
byRob Gillen
 
PDF
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
PDF
A CTF Hackers Toolbox
byStefan
 
ODP
Exploiting buffer overflows
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
PPTX
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
bymidnite_runr
 
PPTX
Fuzzing | Null OWASP Mumbai | 2016 June
bynullowaspmumbai
 
PDF
AEG_ Automatic Exploit Generation
byRedhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
 
PDF
Efficient Bytecode Analysis: Linespeed Shellcode Detection
byGeorg Wicherski
 
PPTX
Fun with exploits old and new
byLarry Cashdollar
 
PPT
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 
2011-03 Developing Windows Exploits
byRaleigh ISSA
 
Writing simple buffer_overflow_exploits
byD4rk357 a
 
Fuzzing: Finding Your Own Bugs and 0days! 1.0
byRodolpho Concurde
 
stackconf 2021 | Fuzzing: Finding Your Own Bugs and 0days!
byNETWAYS
 
Anatomy of a Buffer Overflow Attack
byRob Gillen
 
Baab (Bug as a Backdoor) through automatic exploit generation (CRAX)
byShih-Kun Huang
 
Tranning-2
byAli Hussain
 
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
byJongWon Kim
 
smash the stack , Menna Essa
byCATReloaded
 
Toorcon Seattle 2011 - Browser Exploit Packs
byAditya K Sood
 
ETCSS: Into the Mind of a Hacker
byRob Gillen
 
Unix executable buffer overflow
byAmmarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
A CTF Hackers Toolbox
byStefan
 
Exploiting buffer overflows
byPaul Dutot IEng MIET MBCS CITP OSCP CSTM
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
bymidnite_runr
 
Fuzzing | Null OWASP Mumbai | 2016 June
bynullowaspmumbai
 
AEG_ Automatic Exploit Generation
byRedhung @ Nationtal Chung Cheng University, Chiayi, Taiwan.
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
byGeorg Wicherski
 
Fun with exploits old and new
byLarry Cashdollar
 
Dau Hoang - Buffer Overflows 8980 for Stu
byQueenNicki1
 

More from Csaba Fitzl

PDF
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
byCsaba Fitzl
 
PDF
Launch and Environment Constraints Overview
byCsaba Fitzl
 
PDF
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
PDF
SecurityFest-22-Fitzl-beyond.pdf
byCsaba Fitzl
 
PDF
Mitigating Exploits Using Apple's Endpoint Security
byCsaba Fitzl
 
PDF
Csaba fitzl - Mount(ain) of Bugs
byCsaba Fitzl
 
PDF
20+ ways to bypass your mac os privacy mechanisms
byCsaba Fitzl
 
PDF
Exploiting Directory Permissions on macOS
byCsaba Fitzl
 
PDF
Exploiting XPC in AntiVirus
byCsaba Fitzl
 
PDF
GateKeeper - bypass or not bypass?
byCsaba Fitzl
 
PDF
Getting root with benign app store apps vsecurityfest
byCsaba Fitzl
 
PDF
Getting root with benign app store apps
byCsaba Fitzl
 
PDF
Exploit generation and javascript analysis automation with WinDBG lu
byCsaba Fitzl
 
PDF
How to convince a malware to avoid us
byCsaba Fitzl
 
The Final Chapter - Unlimited Ways to Bypass Your macOS Privacy Mechanisms
byCsaba Fitzl
 
Launch and Environment Constraints Overview
byCsaba Fitzl
 
macOS Vulnerabilities Hiding in Plain Sight
byCsaba Fitzl
 
SecurityFest-22-Fitzl-beyond.pdf
byCsaba Fitzl
 
Mitigating Exploits Using Apple's Endpoint Security
byCsaba Fitzl
 
Csaba fitzl - Mount(ain) of Bugs
byCsaba Fitzl
 
20+ ways to bypass your mac os privacy mechanisms
byCsaba Fitzl
 
Exploiting Directory Permissions on macOS
byCsaba Fitzl
 
Exploiting XPC in AntiVirus
byCsaba Fitzl
 
GateKeeper - bypass or not bypass?
byCsaba Fitzl
 
Getting root with benign app store apps vsecurityfest
byCsaba Fitzl
 
Getting root with benign app store apps
byCsaba Fitzl
 
Exploit generation and javascript analysis automation with WinDBG lu
byCsaba Fitzl
 
How to convince a malware to avoid us
byCsaba Fitzl
 

Recently uploaded

PDF
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PPTX
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
PDF
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
Linux Professional Institute LPIC-1 Exam.pdf
byLinuxCert Guru
 
PDF
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PDF
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PDF
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
PDF
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
PPTX
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
PDF
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
PDF
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PPTX
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
SELinux Policy Management in RHEL - RHCSA+.pdf
byLinuxCert Guru
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
Linux Professional Institute LPIC-1 Exam.pdf
byLinuxCert Guru
 
IDSECCONF2025 - Nosa Shandy - Discovering and Disclosing Privacy Vulnerabilit...
byidsecconf
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PMI PMBOK8 Released on November 13, 2025
byScott M. Graffius
 
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
Mutation Testing for Industrial Robotic Systems (FMAS 2025)
bySylvain Hallé
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 

Exploit generation automation with WinDBG (Hacktivity 2017)

  • 1.
  • 2.
    whoami blue teamer security researcher,blogger husband, father hiker
  • 3.
    Exploit writing challenges Timeconsuming Heavily manual intensive process Discovering memory layout Finding bad characters While (exploit doesn’t work == True): Start process, attach debugger, crash, Modify exploit
  • 4.
    Exploit writing methodology- BoF Find EIP overwrite location Examine memory layout, registries Somehow jump to shellcode Generate shellcode Put all together
  • 5.
    The task A toolwhich can automate the entire exploit writing process From crash PoC to working Exploit If possible n0 manual interaction
  • 6.
    The tool Written inPython Uses the “pykd” library to interact with WinDBG
  • 7.
    What can itdo? Currently works for classic BoFs Can bypass ASLR Works for network and file based exploits Will create a successful exploit from a simple crash Automates the entire process (even finding bad characters!) No need to manually start the process / WinDBG
  • 8.
    The logic Find EIPoverwrite location / offset Find registers pointing to the buffers Find bad characters Find a way to jump to the shellcode (JMP, CALL, etc…) Generate shellcode Put it all together
  • 9.
  • 10.
    How to useit? Some pre-work needs to be done Exploit is a Class Has to be populated with initial info (crash)
  • 11.
    What has tobe changed? def exploit(self): """ This function runs the actual exploit """ sleep(1) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(('127.0.0.1',80)) message = "GET " + ''.join(self.buffer) + " HTTP/ 1.1rnrn" sock.send(message) sock.close()
  • 12.