offensive-vuln-classes

# SKILL: Week 1: Vulnerability Classes with Real-World Examples

## Metadata
- **Skill Name**: vulnerability-classes
- **Folder**: offensive-vuln-classes
- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/1-vulnerability-classes.md

## Description
Exploit development curriculum covering core vulnerability classes with real-world CVE case studies: stack/heap buffer overflows, use-after-free, integer overflows, format strings, type confusion, and race conditions. Use when learning or teaching vuln classes, researching specific CVE patterns, or building exploit dev knowledge.

## Trigger Phrases
Use this skill when the conversation involves any of:
`vulnerability classes, buffer overflow, use-after-free, UAF, heap overflow, stack overflow, type confusion, integer overflow, format string, memory corruption, CVE case study, exploit development, Day 1-7`

## Instructions for Claude

When this skill is active:
1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

## Full Methodology

# Week 1: Vulnerability Classes with Real-World Examples

## Course Overview

_created by AnotherOne from @Pwn3rzs Telegram channel_.

This document is Week 1 of a multi‑week exploit development course, focusing on core vulnerability classes and real‑world exploitation context.

Next Week we'll focus on using fuzzing to identify new vulnerabilites and in week 3 we'll focus on using patch diffing to find n-days

## Day 1: Memory Corruption Fundamentals

- **Goal**: Understand primary memory corruption vulnerability classes and their real-world impact.
- **Activities**:
  - _Reading_:
    - "The Art of Software Security Assessment" by Mark Dowd, John McDonald, Justin Schuh - Chapter 5: Memory Corruption
    - [Memory Corruption: Examples, Impact, and 4 Ways to Prevent It](https://sternumiot.com/iot-blog/memory-corruption-examples-impact-and-4-ways-to-prevent-it/)
  - _Online Resources_:
    - [Microsoft Security Research: Memory Safety](https://www.microsoft.com/en-us/research/project/checked-c/)
    - [Google Project Zero Blog](https://googleprojectzero.blogspot.com/) - Read recent memory corruption findings
  - _Concepts_:
    - What is memory corruption and why does it matter?
    - Understanding the stack, heap, and their differences
    - The lifecycle of memory: allocation → use → deallocation

### Stack Buffer Overflow

**What It Is**: A stack overflow occurs when a program writes more data to a buffer located on the stack than it can hold, causing adjacent memory to be overwritten. This can corrupt important data like return addresses, allowing attackers to redirect program execution.

**Case Study - CVE-2024-27130 (QNAP QTS/QuTS hero Stack Overflow)**:

- **The Bug**: QNAP's QTS and QuTS hero operating systems contained multiple buffer copy vulnerabilities where unsafe functions like `strcpy()` were used to copy user-supplied input into fixed-size stack buffers without proper size validation. The vulnerabilities affected the web administration interface and file handling components. [POC](https://github.com/watchtowrlabs/CVE-2024-27130)
- **The Attack**: An authenticated remote attacker could send specially crafted requests with oversized input to vulnerable endpoints. The unchecked data would overflow stack buffers, corrupting adjacent memory including return addresses and saved frame pointers.
- **The Impact**: Remote code execution with the privileges of the QNAP system service. The attacker could gain complete control over the NAS device, accessing stored data, pivoting to other network resources, or installing persistent backdoors.
- **The Fix**: QNAP released QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520 in May 2024, replacing unsafe string copy functions with bounds-checked alternatives and implementing additional input validation.
- **Why It Matters**: Stack overflows remain common in embedded devices and NAS systems running legacy C/C++ code. They're particularly dangerous in internet-facing administration interfaces and often provide the initial foothold for sophisticated attack chains against enterprise infrastructure.

### Use-After-Free (UAF)

**What It Is**: A use-after-free vulnerability occurs when a program continues to use a pointer after the memory it points to has been freed. This creates a "dangling pointer" that can be exploited by carefully controlling heap allocations to place attacker-controlled data where the freed object once lived.

**Case Study - CVE-2024-2883 (Chrome ANGLE Use-After-Free)**:

- **The Bug**: Google Chrome's ANGLE (Almost Native Graphics Layer Engine) component, which translates OpenGL ES API calls to DirectX, Vulkan, or native OpenGL, contained a use-after-free vulnerability. The bug occurred when WebGL contexts were destroyed while still referenced by pending graphics operations, leaving dangling pointers to freed graphics objects.
- **The Attack**: An attacker could create a malicious HTML page with specially crafted WebGL JavaScript code that triggered rapid creation and destruction of graphics contexts. By carefully timing these operations, the attacker could cause ANGLE to reference already-freed memory. Using heap spray and heap feng-shui techniques, the attacker could control the contents of the freed memory region.
- **The Impact**: Remote code execution via a crafted web page with no user interaction beyond visiting the page. By placing a fake object in the freed memory location, the attacker could hijack control flow and execute arbitrary code in the renderer process. This could be chained with sandbox escape exploits for full system compromise.
- **The Fix**: Google Chrome 123.0.6312.86 (released March 2024) fixed the vulnerability by implementing proper