http://www.abysssec.com/blog/2010/05/past-present-future-of-windows-exploitation/
hi all
this is v0.1 of this post, and in it I'm going to review the history of exploitation, with a focus on Windows.
this post is in three parts:
- part I : brief history of buffer overflow
- part II : history of windows exploitation from windows 2000 to windows 7
- part III : future of exploitation
Part I : brief history of buffer overflow
Starring: Robert Morris, Aleph One, Solar Designer, Matt Conover, Casper Dik
it's been a long time since:
the Morris worm in 1988 (the first known computer worm that used a buffer overflow to attack)
Aleph One wrote Smashing The Stack For Fun And Profit in Phrack 49 in ~1996,
where he started talking about strcpy exploitation in detail:
Matt Conover wrote the first detailed heap overflow tutorial in 1999 (heap tut)
and Solar Designer wrote the first generic heap exploit on Windows (Netscape exploit)
==============================================
at that time, because OS memory protections were very weak and application-specific protections were just as weak (you could also call it a CPU and compiler problem!), poor input validation plus an insecure memory copy was enough to corrupt memory (mostly on the stack), overwrite a function's return address and take control of the instruction pointer (IP / EIP). then, by storing malicious code (called shellcode) and using a pointer to it (mostly the stack pointer, ESP), the execution flow could be redirected to the attacker's malicious (or educational ;) ) code.
so OS developers and security guys had to think about memory protections: Casper Dik, in Nov 1996, wrote a kernel run-time patch that implemented non-executable stacks for Solaris 2.4 to 2.5.1: http://seclists.org/bugtraq/1996/Nov/57
and later Solar Designer released the same thing for Linux, removing the executable permission from the stack (here)
and around ~2000 Solar Designer introduced return-to-libc attacks, which return into already executable pages and functions in memory to bypass non-executable memory. the basic idea was: after taking control of the execution flow, return into some function like system() and execute a single command or …. but there was a problem: the attacker was limited in payload selection and couldn't use advanced payloads.
so around ~2000 we had :
- basic / intermediate stack overflows
- basic heap overflows
- basic / intermediate format strings (killed so soon !)
- basic memory protections
- basic memory-protection bypasses
- also some other types of memory corruption (not so general)
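To make the classic bug from Part I concrete, here is an added C example (not code from the original post): the unbounded strcpy() shape described above, next to a bounded version that measures the input against the destination before copying and refuses anything that does not fit, plus a small audit helper that answers whether a given copy would overflow. The buffer size (NAME_LEN), the function names and the sample inputs are constructed for this example; the unsafe function is only ever called with input that fits, so the file runs cleanly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* constructed fixed-size stack buffer, as in the classic bug */

/*
 * Vulnerable shape: strcpy() into a fixed stack buffer with no length
 * check. Input longer than NAME_LEN - 1 runs past the buffer towards the
 * saved frame pointer and return address, which is exactly the corruption
 * the post describes. Kept here for contrast only; this file never calls
 * it with oversized input.
 */
int greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);            /* unbounded copy: the defect */
    return (int)strlen(name);
}

/* Length of s, but never reading more than max bytes (so an unterminated
 * or huge input cannot make the check itself misbehave). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * Hardened shape: check the input against the destination first and
 * reject anything that would not fit together with its terminator.
 * Returns the copied length, or -1 when the input is rejected.
 */
int greet_safe(const char *input)
{
    char name[NAME_LEN];
    size_t len = bounded_len(input, NAME_LEN);
    if (len >= NAME_LEN)              /* no room left for '\0': refuse */
        return -1;
    memcpy(name, input, len + 1);     /* bounded copy, terminator included */
    return (int)len;
}

/* Audit helper: would strcpy(dst, src) overflow a dst of dst_size bytes?
 * Returns 1 if yes, 0 if the string plus its terminator fits. */
int would_overflow(size_t dst_size, const char *src)
{
    return strlen(src) + 1 > dst_size;
}

int main(void)
{
    /* constructed sample inputs */
    const char *short_input = "alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */

    printf("unsafe, short input: %d\n", greet_unsafe(short_input));
    printf("safe, short input:   %d\n", greet_safe(short_input));
    printf("safe, long input:    %d\n", greet_safe(long_input));
    printf("would a 40-byte input overflow a %d-byte buffer? %d\n",
           NAME_LEN, would_overflow(NAME_LEN, long_input));
    return 0;
}
```

A non-executable stack, as introduced by Casper Dik and Solar Designer, stops the stored shellcode from running but does nothing about the overwrite itself; that is why return-to-libc still worked against it. The length check at the copy removes the corruption rather than just one way of using it, which is the distinction worth keeping in mind when the later Windows mitigations come up.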
=========================================
Part II : history of windows exploitation from windows 2000 to windows 7
Starring: Alexander Sotirov, Mark Dowd, John McDonald, Chris Valasek, Chris Anley, Brett Moore, David Litchfield, Nicolas Waisman, Dave Aitel, Halvar Flake, Cesar Cerrudo, Matt Miller, Ken Johnson, S.K. Chong, Dionysus Blazakis, HD Moore, FlashSky, Ruben Santamarta.
welcome to the Windows world!
I wanna start from Windows 2000, the final version of the NT family, because I think older Windows versions are not interesting enough to talk about.
exploit developers' golden age: Microsoft was supporting and making money from Windows 2k and unfortunately forgot to protect you from buffer overflow attacks. so the old and classic attacks worked like a charm; maybe in some cases we saw very complex and smart vulnerabilities, but exploitation by itself was not that hard (maybe just some application-specific filters / protections).
so because of that poor protection we saw great worms like:
Blaster worm: one of the most historic worms ever, which used an RPC vuln for attack and was fixed in http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
and maybe you can remember: "billy gates why do you make this possible ? Stop making money and fix your software!!"
and this cool picture :
Slammer worm: a great and fast worm that used a SQL Server buffer overflow for attack. that was fixed after 6 months!!! in:
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
Sasser worm: another great worm, which used an LSASS remote overflow vulnerability and was fixed in: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
but there is a question: did these worms target Windows XP and 2003 as well? yes!
because Microsoft did that same great job in Windows XP Service Pack 0 and 1, as well as Windows 2003 Service Pack 0.
also we had lots of great and reliable exploits like:
- and another DCOM RPC exploit (here) by FlashSky (xfocus guy)
- MS Windows (RPC DCOM) Remote Exploit (here) by HD Moore
- the great Kill Bill exploit (here) (targeting ASN.1) by Alexander Sotirov
- MS Windows Plug-and-Play (here) by sl0ppy, houseofdabus and others.
also some GUI tools for easy exploitation, for those who don't know how to compile and run an exploit, like: RPC GUI v2 – r3L4x.exe
but why did we have lots of juicy, clicky-clicky exploits? there are two main reasons:
1- poor generic OS / application-layer memory protection
2- cool generic public research on memory exploitation