INT 3

// Tracklist

1. Load Binary Listen

   Pull up the chair, kill the lights, lock the door Screen throws a glow on the desk and the floor Target dot E-X-E, drag it in, let it pour WinDbg loads what the developer swore was secure

   Headers parse, sections map, P-E thirty-two plus intact Import table, export list, nothing abstract Kernel thirty-two, W-S-2, the usual stack But the mitigations list got me leaning way back

   Load the binary, read the signs Every byte a border, every call a landmine D-E-P is on, A-S-L-R high entropy aligned C-E-T shadow stack, this is gonna take time

   L-M shows the modules, bases randomized Every system D-L-L got CET inside But one module in the list didn’t meet the guide Third-party codec, no CET-COMPAT applied

   Control Flow Guard bitmap, indirect calls get checked G-S cookies in the prolog, XOR’d with the S-P wrecked Anti-debug checks sitting right where I’d expect Is-Debugger-Present, cute, but I’m not impressed

   Load the binary, read the signs Every byte a border, every call a landmine D-E-P is on, A-S-L-R high entropy aligned C-E-T shadow stack, this is gonna take time

   One monitor for notes, one for the disassembly Coffee getting cold but the focus assembling That non-CET module, I’m filing it away Hardware guards the returns, but not every D-L-L obeys

   Binary loaded, protections in sight Cookies and shadow stacks standing guard tonight But every lock has a flaw if you read it right Pull up the hex dump, it’s going to be a long night

2. Fuzzer Listen

   Fuzz dot py, twenty lines, nothing fancy Socket connect to the target port, antsy Buff equals A times length, let it dance, see Increment by fifty, send it, rinse it, can’t sleep

   Four-one fills the wire like a flood on the bus Hex forty-one repeating, yeah, the letter A, plus Fifty bytes, hundred, two, four, eight, adjust Every packet longer than the last one was

   Throw the garbage at the gate Every buffer bigger till it breaks Socket send and socket wait Something in this target’s gonna take the bait

   Two hundred, four hundred, target holds the line Six hundred, eight hundred, process running fine A thousand, still alive, the parser won’t resign Twelve hundred hits, and Win-D-B-G lights up mine

   Access violation reading zero-X-four-one Four-one-four-one-four-one-four-one, overrun R-S-P is painted, saved return address done Stack overflow in the parser, that’s crash number one

   Throw the garbage at the gate Every buffer bigger till it breaks Socket send and socket wait Something in this target’s gonna take the bait

   Save the crash dump, note the size, restart the app But wait, the log file caught a different mishap Wasn’t sending A’s that time, I sent a format trap Percent P dot percent P, and the logger just snapped

   See, the input hits a logging call on the way through Sprintf takes the string raw, no format argument, who Wrote this? Percent P makes it bleed, leaks values into view The log file’s full of pointers, that’s crash number two

   Wasn’t even looking for it, format string for free The parser overflow’s the door, but this one’s the key Two bugs from one session, one I planned, one I didn’t see Save both dumps, mark the offsets, this is where we need to be

   Two crashes in the notebook, red-underlined Stack overflow for the kill, format string for the find The fuzzer did its job and left us two ways inside Socket close, script done, let the real work begin

3. Access Violation Listen

   Send the payload, same buffer, twelve hundred deep Win-D-B-G catches the fault before the process can sleep But R-I-P ain’t forty-one, nah, that address can’t keep Non-canonical on x64, the CPU won’t leap

   General protection fault, hash GP, not a page fault, learn the difference R-I-P stopped at the RET, the instruction that triggered it The address never loaded, CPU rejected the reference But dq at RSP, there it sits in all its brilliance

   Access violation, the process is done R-I-P’s at the RET but the damage is won Four-one-four-one-four-one-four-one-four-one-four-one-four-one-four-one Sitting right at RSP, overflow confirmed, son

   Bang analyze dash V, let the debugger talk Stack-based buffer overflow, just like I thought Exception record, context record, walk the walk dq at RSP shows the proof that I brought

   Eight bytes of A’s where the return address sat Forty-one repeated eight times, non-canonical, flat On thirty-two bit that would’ve jumped, imagine that But x64 said nah, address space don’t go that fat

   Access violation, the process is done R-I-P’s at the RET but the damage is won Four-one-four-one-four-one-four-one-four-one-four-one-four-one-four-one Sitting right at RSP, overflow confirmed, son

   Now the bad news hits, scroll up through the disassembly The function epilogue got a check before the exit, evidently XOR RCX with RSP, compare the cookie, hear me The GS canary’s sitting right between the buffer and the entry

   That cookie’s gotta match or the process calls fast-fail And even past the cookie, there’s another wall, another rail CET shadow stack is watching every RET without fail Hardware copies the return address, mismatch and you derail

   So let me get this straight, I own the overflow, it’s real But the cookie blocks the path before I reach the wheel And even if I forge it, CET’s a second seal Shadow stack compares the return, mismatch, process keel

   Can’t just JMP RSP, can’t just overwrite and pray DEP blocks the stack, shadow stack blocks the play Three walls between me and the code I need to lay But that format string from the fuzzer, maybe there’s another way

   Crash confirmed, the overflow is mine to wield But the cookie and the shadow stand as double shield Brute force won’t cut it, the protections won’t yield Need an info leak to crack this battlefield

4. The Leak Listen

   Back to the format string, the bug I didn’t plan The logger takes the input raw, no format argument, fam Sprintf with the user string sitting where the format should land Percent P don’t write nothing, percent N is banned

   MSVC killed percent N back in oh-five, that’s a fact CRT ignores it now, no writes through format, that’s that But I don’t need to write, I need to read, I need to extract One probe, read-only, pull the memory out intact

   Bleed, let the pointers pour Bleed, hex out every door One string, ten specifiers on the floor Two protections fall and I need nothing more

   Build the probe, ten percent P’s, periods in between Send it through the input where the logger intervenes RCX holds the format string, that’s the calling convention scene RDX, R8, R9, first three args the function’s seen

   Then the stack feeds the rest, four through ten in line The response comes back, hex values, period-delimited, mine I read them left to right, categorize each find Three flavors in the output and each one’s by design

   Bleed, let the pointers pour Bleed, hex out every door One string, ten specifiers on the floor Two protections fall and I need nothing more

   Zero-X-zero-zero-zero-zero-seven-F-F, code pointer, I see you That’s a module address, high canonical, user-space venue Subtract the RVA I pulled from Ghidra’s static menu Runtime base recovered, ASLR, I’m seeing through you

   Now the second prize, one value’s got the top word zeroed clean Zero-zero-zero-zero then high entropy in between That’s the cookie shape, security-init-cookie’s signature gene Microsoft zeros the top sixteen bits, I know what that means

   XOR the leaked value with the stack address I already own Raw cookie recovered from a single subtraction, blown GS defeated, ASLR defeated, two walls overthrown One format string, one probe, two shields turned to stone

   This is the moment, the pivot, the crack Module base in hand, cookie value exact Everything from here builds on what I just tracked One read-only leak and there’s no turning back

5. Offset Listen

   Pattern create, length two thousand, let it cook Cyclic string, no repeating, that’s the hook Eight-byte sequences unique through the whole book Every position’s got a fingerprint if you know where to look

   Send the pattern through the overflow, watch the process fold Access violation, but RIP don’t show what I was told On sixty-four the address ain’t canonical, it won’t hold RIP stays at the RET, the real story’s on the stack, cold

   dq @rsp L1, read the quad-word clean Eight bytes sitting where the return address had been Five sixty-eight to the crown, that’s the distance in between Not five sixty-seven, not five sixty-nine, precision is the theme

   Grab the value off the stack, little-endian, reverse the feed msf-pattern_offset, give it what it needs Minus q, the eight-byte value, minus l two thousand, speed Offset five hundred sixty-eight, that’s the measurement agreed

   Verify it now, can’t afford to guess it wrong A’s times five-six-eight then B’s eight bytes long If dq @rsp reads forty-two’s when I’m done Then the offset’s locked and the measurement is won

   On thirty-two you’d just read EIP, four-one-four-one on the screen But sixty-four don’t let non-canonical addresses convene The CPU rejects it at the RET, throws a fault between So you read the stack instead, dq @rsp, the routine

   Five sixty-eight bytes of padding before the door Eight bytes for the return, then the stack holds more RSP plus eight is where the chain will start to pour Every measurement matters, off by one and it’s all on the floor

   Proof of concept time, swap the B’s for a known address Canonical this time, something in the process If RIP lands there clean, that’s the final test Full control confirmed, point it anywhere, nothing less

   The jump lands true, the address loads and holds I own the instruction pointer, the story unfolds But DEP still blocks my code, the stack’s not where it goes Gonna need to chain returns to change the page controls

   Offset locked at five-six-eight Eight bytes past and my chain awaits The return address is mine, I own the gate But the stack won’t execute, gotta change its fate

6. Bad Characters Listen

   Zero-zero through F-F, two-fifty-six in a line Every byte value once, pack ’em past the offset, mine Five-six-eight bytes of junk, then the test array’s assigned Send it through the overflow, check what made it out alive

   db at the buffer address, hex dump on the screen Compare what I sent to what the application deemed clean Zero-zero, gone, null byte killed the string downstream First bad character found, mark it red, start the machine

   Bad characters, cross ’em off the list Bad characters, every byte that won’t persist One I miss corrupts the chain or wrecks the shellcode twist Do the work now or debug for hours in the mist

   Strip the null, rebuild the blob, resend the test db again, compare the dump, spot the next arrest Zero-A, the newline, truncated all the rest Line feed hit the parser and it chewed up what was left

   Back again, remove the zero-A and throw Zero-D, the carriage return, broke the flow Application treats it like the end of the show Three bad characters down, keep grinding through the slow

   Bad characters, cross ’em off the list Bad characters, every byte that won’t persist One I miss corrupts the chain or wrecks the shellcode twist Do the work now or debug for hours in the mist

   This is the part nobody puts in the write-up No glory in the hex dump, no dramatic light-up Just patience and precision through the night, sup- ping cold coffee like it’s medicine for the grind, yup

   On sixty-four it matters twice as much, don’t sleep Every gadget address is eight bytes deep Every ROP address and every shellcode byte I keep Has to dodge the bad list, or the whole exploit’s a heap

   One more pass, two-zero, space byte, cuts the noun Application splits on whitespace, shuts it down Four bad characters total, write it on the ground Zero-zero, zero-A, zero-D, two-zero, that’s the crown

   Every address in the ROP chain gets the filter test Every byte of shellcode screened against the rest If a gadget lives at an address with a bad byte in its chest I can’t use it, find another, that’s the quest

   Tedious work but the list is clean Four bad bytes between me and the dream Now the alphabet’s defined, every byte I’m allowed to scheme Time to hunt for gadgets, ROP’s the next regime

7. ROPE Listen

   rp++ pointed at the system DLLs, let it rip Kernel32, KernelBase, every module gets the strip Filter bad bytes, zero-zero, zero-A, zero-D, two-zero skip Thousands of gadgets, but I only need the right ones for the trip

   pop rcx; ret, fifty-nine, C3, that’s the first I need RCX takes the buffer address, the memory to freed pop rdx; ret, 5A, C3, found it at speed RDX gets the size, hex one-thousand, page-aligned, agreed

   Chain the returns, link by link Every gadget on the brink Sixty-four-bit calling convention, four regs deep RCX, RDX, R8, R9, mine to keep

   Now the hard part, pop r8 needs that REX.B prefix in the stream 41 58 C3, three bytes for the dream Searched three modules, came up empty, rarer than it seemed Compiled code don’t make ’em natural, the optimizer’s regime

   But KernelBase at offset 2A713, there it lives pop r8; ret, clean address, no bad bytes it gives R8 gets the flag, 0x40, PAGE_EXECUTE_READWRITE forgives That’s the permission flip that lets my shellcode live

   Chain the returns, link by link Every gadget on the brink Sixty-four-bit calling convention, four regs deep RCX, RDX, R8, R9, mine to keep

   pop r9; ret, 41 59 C3 Even rarer than R8, took an hour just to see Found it in a leaf function, hiding quietly R9 gets the old-protect pointer, writable memory

   Now I lay the chain, shadow space first, thirty-two bytes on the floor Eight bytes times four, padding for the calling convention’s law Then the gadgets, then the values, then VirtualProtect’s front door Seven gadgets total, every address from the leaked base before

   Stack alignment, RSP’s gotta hit sixteen-byte clean Extra RET gadget at the top, just C3, slides in between Thirty-two bytes shadow space, four quad-words on the scene Then pop rcx with the address, load it like a machine

   pop rdx, size goes in, pop r8, the flag’s assigned pop r9, old-protect pointer, writable section, aligned Then the address of VirtualProtect, calculated and combined From the leaked base plus the offset, every piece designed

   Layout’s done, I check it in my head, run the math twice through Five-six-eight bytes of junk, then the chain, then the shellcode queue Shadow stack? Please, every RET here hits a real address, it’ll let me through Everything I built tonight comes down to what this chain can do

   Chain is built, every link locked down Seven gadgets deep, not a byte out of bounds Shadow stack? Real code, not corruption, nah, it won’t bring me down Hit send, I know this shit is sound

8. Shadow Stack Listen

   Deep breath, finger on the key, the moment’s here Seven tracks of work compressed into a prayer Cookie value patched in from the leak, it’s clear G-S check will pass, I got the right one, I don’t fear

   Buffer packed, junk bytes fill the frame Cookie sits exact where the original came Then the chain, first gadget’s address takes its aim Right on top of the saved return, overwriting the name

   Fire the exploit, send it down the wire Everything I built about to light the fire Hours in the dark all leading to this One shot, one RET, can’t miss

   The packet hits the socket, buffer overflows Cookie check compares, my value holds, it glows G-S passed, the canary didn’t blow RET instruction loads my address from the row

   But the CPU’s got a second set of books tonight Shadow stack, it don’t check code, it checks the CALL was right RET pops mine from the regular, pops the real from the right Two addresses, side by side, and they don’t align

   Hash-C-P fires, Control Protection, vector twenty-one Error code one, NEAR RET, it’s done The kernel calls fast-fail with code fifty-seven FAST FAIL CONTROL INVALID RETURN ADDRESS, no eleventh hour redemption

   Exception zero-X-C-zero-zero-zero-four-zero-nine STATUS STACK BUFFER OVERRUN, but that name’s a lie It’s the fast-fail code, parameter zero-X-thirty-nine Non-continuable, the flag is set, no handler gets to try

   I fired the exploit, sent it down the wire Everything I built just died in the fire Win-D-B-G breaks, security check failure Code C-four-oh-nine, the shadow stack’s the jailer

   No SEH handler catches this, no VEH, no except The exception’s non-continuable, the process can’t intercept The chain was built from system DLLs, every one CET Shadow stack was watching every RET, I never had a chance, and yet

   I spent hours on that chain, every gadget hand-picked clean Every address filtered, every offset in between And a hardware stack I couldn’t write, couldn’t see on screen Killed it all in microseconds, coldest thing I’ve ever seen

   Staring at the screen, the process is dead Zero-X-C-four-oh-nine printed in red Every gadget, every byte, everything I said The shadow stack compared, and none of it led

   Anywhere, the chain never ran a single link Eight hours in and I’m standing on the brink The darkest hour of the night, I need to think Everything I built just sank, let it sink

9. Compatibility Mode Listen

   Sit in the silence, stare at the dead process on screen Zero-X-C-four-oh-nine, the coldest code I’ve seen But quitting’s not the move, I need to understand the machine How does the shadow stack decide what’s dirty and what’s clean?

   Pull up the docs, MSDN, kernel internals deep PROCESS MITIGATION USER SHADOW STACK POLICY, I don’t sleep A structure full of bit fields, every flag I need to sweep Enable User Shadow Stack equals one, the hardware’s in the keep

   Compatibility mode, that’s the default state The shadow stack is watching but it doesn’t always hate Strict mode’s off, the kernel checks before it seals your fate And if the target’s right, the violation gets a pass through the gate

   Enable User Shadow Stack Strict Mode equals zero That’s the flag that matters, that’s the buried hero In strict mode, every mismatch kills, but Windows isn’t Nero Compatibility means the kernel checks the module before ground zero

   When the shadow stack catches a RET that doesn’t match The kernel asks one question before it locks the latch Is the return address pointing to a CETCOMPAT dispatch? Or a module that was never compiled with that flag attached?

   Compatibility mode, that’s the default state The shadow stack is watching but it doesn’t always hate Strict mode’s off, the kernel checks before it seals your fate And if the target’s in a non-CET module, the violation dissipates

   And then it hits me like a freight train through the fog That third-party DLL from Track One, sitting in the log No CETCOMPAT, I noted it, I wrote it in the blog A module that the shadow stack forgives, the missing cog

   I don’t need JOP, don’t need exotic tricks Don’t need to break the hardware, don’t need kernel-level kicks Standard ROP works fine, the same chain, the same bricks Just built from different clay, the non-CET module sticks

   Every RET that targets the non-CET DLL gets a pass The shadow stack will catch the mismatch, then the kernel asks Is the target CET compatible? No, so it forgives the task Execution continues, the violation fades like glass

   Rebuild the chain from one module, every gadget, every RET Pointing back into the DLL that Windows chose to let Slide through the shadow stack like it was never even set The loophole in the hardware defense, and I haven’t lost this yet

   Three A-M, the longest night I’ve known But the path is clear now, I can see the zone One module, one loophole, standing on its own The shadow stack forgives what it doesn’t own

   Time to hunt for gadgets in a smaller space Different module, harder search, but I know the place The chain died once, I’ll build it back with grace Compatibility mode, and I’m back in the race

10. Gadgets Listen

    One module, one search, rp++, let it scan The non-CET DLL, that’s the only land Smaller binary, fewer gadgets than I had planned But every RET inside forgives the shadow stack’s demand

    POP RCX, RET, that’s fifty-nine, C-three Two bytes, common sequence, found it instantly POP RDX, RET, five-A, C-three, I can see Three results already, small module serving me

    Hunt the gadgets, one module deep Every byte sequence mine to reap Smaller space but the gems I keep Build the chain back from the heap

    Now the hard part, R8 needs a REX.B in front POP R8, RET, forty-one, fifty-eight, C-three, the hunt Three-byte sequence with a prefix, not a two-byte stunt In a module this small, intended gadgets bear the brunt

    rp++ shows zero hits for POP R8 direct But I know how x64 encodes, variable-length, unchecked A longer instruction might contain my bytes midway, unchecked Unintended gadgets, jump mid-instruction, redirect

    Hunt the gadgets, one module deep Every byte sequence mine to reap Smaller space but the gems I keep Build the chain back from the heap

    Variable-length encoding, x64’s gift and curse Every instruction’s one to fifteen bytes, for better or for worse A MOV with an immediate might hide my three bytes in its purse Forty-one, fifty-eight, C-three buried in the middle of a verse

    Find the offset, check the disassembly starting there POP R8; RET, a gadget hiding in plain air The compiler never meant for this instruction pair But the CPU don’t care where you start, it’ll decode from anywhere

    Same trick for R9, forty-one, fifty-nine, C-three Scan the raw bytes of the module, search the hex debris Found one, seven bytes into a LEA, the sequence sits for free Unintended POP R9, RET, that’s the final key

    Four gadgets locked, every address offset from the base The base I leaked in Track Four, calculated to the place Filter every address through the bad character space Not a single null or newline, every gadget’s clean, no trace

    Four gadgets from one module, that’s the set POP RCX, RDX, R8, R9, RET Smaller search, harder hunt, but nothing I regret The shadow stack will forgive every address, that’s the bet

    Fewer gadgets but the right ones, built to last Learned the hard way, system DLLs belong in the past One module, four pops, four arguments to cast Time to build the chain again, and this time it holds fast

11. Payload Listen

    Five-sixty-eight bytes of padding lead the way Junk to fill the buffer to the overflow’s doorway Then the cookie, leaked it back on track four’s day XOR’d with RSP so the epilogue says okay

    Saved registers next, RBX, RBP in line RDI, RSI, R12 through R15, all mine Callee-saved values pushed in the prologue by design Pop ’em clean on the way out, nothing left behind

    Every byte deliberate, nothing left to chance No sled, no slack, no margin in this dance Five-sixty-eight to cookie to the chain’s advance One payload, ten tracks built this lance

    Now the chain, every gadget from the non-CET DLL Pop RCX loads the buffer address, ring the bell Pop RDX, size one-thousand, set the memory well Pop R8, 0x40, PAGE_EXECUTE_READWRITE, can’t you tell

    Pop R9, writable address for the old protect Shadow space, thirty-two bytes, gotta genuflect RSP aligned to sixteen, architecture expects Then VirtualProtect fires, DEP wrecked

    Every byte deliberate, nothing left to chance No sled, no slack, no margin in this dance Five-sixty-eight to cookie to the chain’s advance One payload, ten tracks built this lance

    Now the shellcode, four-sixty bytes of hand-rolled steel gs:0x60, walk the PEB for real TEB to PEB to the loader, peel InMemoryOrderModuleList, find the kernel, seal the deal

    ROR13 hash on every export name Walk the directory till the hashes match the frame LoadLibraryA first, then ws2_32’s the claim WSAStartup, WSASocketA, connect, light the flame

    CreateProcessA, ten parameters, no room for error RCX null, RDX “cmd.exe”, R8 terror R9 null, then TRUE on the stack, I’m the bearer Six more pushed, startup info wired to the socket’s tether

    Standard handles all three set to the socket file hStdInput, hStdOutput, hStdError, at offsets 0x50, 0x58, 0x60, hostile cb equals 0x68, dwFlags 0x100, missile xor eax,eax clears the nulls, no zero byte in this epistle

    Four-sixty bytes of shellcode, not a single null inside Five-sixty-eight of padding with the cookie verified ROP chain from the module that the shadow stack won’t ride Print the hex dump one last time, every byte is sanctified

    The trigger’s in the script, the listener’s standing by Port four-four-three waiting on the other side Payload built, payload checked, nothing left to try Hold your breath, it’s time to let it fly

12. Reverse Shell Listen

    Send the payload down the wire, second time’s the one Cookie passes, epilogue checks, XOR compares, done RET fires, pops the address, shadow stack sees what I’ve spun Checks the module, non-CET, compatibility, let it run

    First gadget hits, pop RCX, buffer address acquired RET, shadow checks, non-CET module, forgiven, not expired Pop RDX, one-thousand, every return that I’ve wired Lands in the DLL the shadow stack never required

    Forgiven, every RET into the non-CET zone Forgiven, shadow stack can’t guard what it don’t own The chain fires clean, every gadget finds its throne VirtualProtect flips the page, DEP’s overthrown

    Pop R8, 0x40, PAGE_EXECUTE_READWRITE Pop R9, writable address for the old protect to write Shadow space accounted, RSP aligned just right VirtualProtect executes, the stack page turns to flight

    DEP is done, the memory’s executable now Execution falls through to the shellcode, take a bow PEB walk fires, gs:0x60, and how ROR13 hash-is match, the kernel’s found, I vow

    Forgiven, every RET into the non-CET zone Forgiven, shadow stack can’t guard what it don’t own The chain fires clean, every gadget finds its throne VirtualProtect flips the page, DEP’s overthrown

    LoadLibraryA loads ws2_32, the socket stack arrives WSAStartup, version 2.2, Winsock’s alive WSASocketA, AF_INET, stream, TCP survives Connect to port four-four-three, the signal finally thrives

    And on the other side the listener wakes, connection received CreateProcessA, cmd.exe, the handles weaved Standard in, standard out, standard error, all relieved The Windows banner prints and the blinking prompt’s achieved

    Who am I, hostname, the proof is on the screen The quietest moment of the longest night I’ve seen 4am, the monitor’s the only light between Me and the dark of a room where nobody’s ever been

    Push back from the desk, the coffee’s long gone cold The binary’s beaten, every protection’s been controlled Cookie, shadow stack, DEP, every wall that they enrolled Fell to patience, fell to craft, fell to a cracker growing old

    Close the debugger, kill the listener, save the notes The shell still blinks but there’s nothing left to devote Just a cursor on a screen in a room that’s so remote Every lock has got a flaw, that’s the only thing I wrote