mirror of
https://github.com/The-Art-of-Hacking/h4cker.git
synced 2024-12-18 19:06:08 +00:00
Merge pull request #161 from The-Art-of-Hacking/santosomar-patch-5
Update README.md
commit 42feffba7e
@ -1,9 +1,36 @@
# Exploit Development References
# Exploit Development References
Exploit development is a complex field requiring deep knowledge of various programming languages, networking, operating systems, and security principles. The following are some key areas you should focus on:
1. **Programming Languages**: You should have a strong command of at least one low-level programming language like C or C++, as understanding how these languages interact with hardware and memory is crucial for exploit development. High-level languages like Python are also important for scripting and automating tasks.
2. **Assembly Language & Reverse Engineering**: Knowledge of assembly language is essential. It is the language of the processor, and understanding it will give you insight into how software behaves at the lowest level. Coupled with reverse engineering skills, you can deconstruct and understand how software is working, even when you don't have the source code.
3. **Operating Systems**: Have a deep understanding of the internals of various operating systems (especially Windows, Linux, and possibly macOS). Focus on topics like processes, threads, memory management, and the kernel.
4. **Networking**: Strong knowledge of networking is important. You should understand TCP/IP at a minimum, but also higher-level protocols like HTTP and DNS.
5. **Buffer Overflows & Vulnerabilities**: Study common types of vulnerabilities such as buffer overflows, use-after-free, race conditions, format string vulnerabilities, and integer overflows. Understanding how these vulnerabilities occur and how they can be exploited is key.
6. **Exploitation Techniques**: Study various exploitation techniques, such as Return-oriented Programming (ROP), heap spraying, and format string exploitation. These techniques are often used in crafting exploits for known vulnerabilities.
7. **Shellcoding**: Learn how to write shellcode, which is the payload that runs after successfully exploiting a vulnerability.
8. **Fuzzing**: Fuzzing is a technique for discovering bugs and potential vulnerabilities in software. Learning how to implement intelligent fuzzing strategies could help you find new exploits.
9. **Security Tools**: Get familiar with tools used in exploit development like debuggers (GDB, WinDbg), disassemblers (IDA Pro, Ghidra), and fuzzing tools (AFL, libFuzzer).
10. **Ethics and Legal Concerns**: Remember, all these skills must be used responsibly. You should have a strong understanding of the ethics involved in hacking, and you should only attempt to exploit software in legal contexts, such as part of a job where you have been given permission to do so, or in a controlled environment for research or educational purposes.
11. **Keep up with Industry Trends**: Exploit development is a constantly evolving field. Keep yourself updated with the latest vulnerabilities, exploitation techniques, and patches. Participate in Capture The Flag (CTF) competitions and follow various security blogs and forums.
## Tutorials and Examples
## Tutorials and Examples
* [Shellcode Tutorial](http://www.vividmachines.com/shellcode/shellcode.html)
* [Shellcode Tutorial](https://www.vividmachines.com/shellcode/shellcode.html)
* [Shellcode Examples](http://shell-storm.org/shellcode/)
* [Shellcode Examples](https://shell-storm.org/shellcode/)
* [Exploit Writing Tutorials](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
* [Exploit Writing Tutorials](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
* [Exploit Exercises](https://exploit-exercises.com/)
* [Exploit Exercises](https://exploit-exercises.com/)
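Review bot: item 8 of the new skills list says intelligent fuzzing "could help you find new exploits"; fuzzing finds crashes and bugs, and turning one into an exploit is the separate work that items 5 to 7 describe, so "find new bugs, some of which may be exploitable" is the accurate wording. Item 6 repeats "format string exploitation" immediately after item 5 already listed format string vulnerabilities; swapping it for a technique the list does not yet name, such as the DEP/ASLR bypasses this README covers under Windows memory protections, removes the repetition and ties the intro to the rest of the file. The scheme changes on vividmachines.com and shell-storm.org are fine, but exploit-exercises.com is the one tutorial link left untouched in this block and should be checked in the same pass.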
@ -11,15 +38,15 @@
* [HexEdit.js](https://hexed.it) - Browser-based hex editing.
* [HexEdit.js](https://hexed.it) - Browser-based hex editing.
* [Hexinator](https://hexinator.com/) - World's finest (proprietary, commercial) Hex Editor.
* [Hexinator](https://hexinator.com/) - World's finest (proprietary, commercial) Hex Editor.
* [Frhed](http://frhed.sourceforge.net/) - Binary file editor for Windows.
* [Frhed](https://frhed.sourceforge.net/) - Binary file editor for Windows.
* [0xED](http://www.suavetech.com/0xed/0xed.html) - Native macOS hex editor that supports plug-ins to display custom data types.
* [0xED](https://www.suavetech.com/0xed/0xed.html) - Native macOS hex editor that supports plug-ins to display custom data types.
## File Format Analysis Tools
## File Format Analysis Tools
* [Kaitai Struct](http://kaitai.io/) - File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
* [Kaitai Struct](https://kaitai.io/) - File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
* [Veles](https://codisec.com/veles/) - Binary data visualization and analysis tool.
* [Veles](https://codisec.com/veles/) - Binary data visualization and analysis tool.
* [Hachoir](http://hachoir3.readthedocs.io/) - Python library to view and edit a binary stream as tree of fields and tools for metadata extraction.
* [Hachoir](https://hachoir3.readthedocs.io/) - Python library to view and edit a binary stream as tree of fields and tools for metadata extraction.
## Reverse Engineering Tools
## Reverse Engineering Tools
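Review bot: the Hexinator line ("World's finest (proprietary, commercial) Hex Editor") is vendor copy rather than a description and is carried over unchanged in this hunk; a neutral entry that states what the tool does and which platforms it runs on would match the rest of the list, where Frhed and 0xED are described by platform and feature. The http-to-https swaps on frhed.sourceforge.net, suavetech.com, kaitai.io and hachoir3.readthedocs.io are scheme-only edits, so each host should be confirmed to actually serve the page over TLS (for example `curl -sI https://frhed.sourceforge.net/ | head -n1`) before merge; otherwise a working link becomes a dead one.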
@ -27,11 +54,11 @@ The following are some of the most popular reverse engineering tools. HOWEVER! G
* [Ghidra](https://ghidra-sre.org/) - a software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate
* [Ghidra](https://ghidra-sre.org/) - a software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate
* [Interactive Disassembler (IDA Pro)](https://www.hex-rays.com/products/ida/) - Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware.shtml).
* [Interactive Disassembler (IDA Pro)](https://www.hex-rays.com/products/ida/) - Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware.shtml).
* [WDK/WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx) - Windows Driver Kit and WinDbg.
* [WDK/WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx) - Windows Driver Kit and WinDbg.
* [OllyDbg](http://www.ollydbg.de/) - x86 debugger for Windows binaries that emphasizes binary code analysis.
* [OllyDbg](https://www.ollydbg.de/) - x86 debugger for Windows binaries that emphasizes binary code analysis.
* [Radare2](http://rada.re/r/index.html) - Open source, crossplatform reverse engineering framework.
* [Radare2](https://rada.re/r/index.html) - Open source, crossplatform reverse engineering framework.
* [x64dbg](http://x64dbg.com/) - Open source x64/x32 debugger for windows.
* [x64dbg](https://x64dbg.com/) - Open source x64/x32 debugger for windows.
* [Immunity Debugger](http://debugger.immunityinc.com/) - Powerful way to write exploits and analyze malware.
* [Immunity Debugger](https://debugger.immunityinc.com/) - Powerful way to write exploits and analyze malware.
* [Evan's Debugger](http://www.codef00.com/projects#debugger) - OllyDbg-like debugger for GNU/Linux.
* [Evan's Debugger](https://www.codef00.com/projects#debugger) - OllyDbg-like debugger for GNU/Linux.
* [Medusa](https://github.com/wisk/medusa) - Open source, cross-platform interactive disassembler.
* [Medusa](https://github.com/wisk/medusa) - Open source, cross-platform interactive disassembler.
* [plasma](https://github.com/joelpx/plasma) - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
* [plasma](https://github.com/joelpx/plasma) - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
* [peda](https://github.com/longld/peda) - Python Exploit Development Assistance for GDB.
* [peda](https://github.com/longld/peda) - Python Exploit Development Assistance for GDB.
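Review bot: the OllyDbg, Radare2, x64dbg, Immunity Debugger and Evan's Debugger lines are rewritten for https only; while they are being touched, fix "crossplatform" to "cross-platform" on the Radare2 entry and "windows" to "Windows" on the x64dbg entry, and replace the Immunity Debugger blurb "Powerful way to write exploits and analyze malware" (vendor copy) with a description in the style of the other entries, e.g. "Python-scriptable x86 debugger for Windows". As with the other scheme-only changes, confirm that each host (ollydbg.de, rada.re, x64dbg.com, debugger.immunityinc.com, codef00.com) actually serves the page over TLS; the diff itself gives no evidence of that.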
@ -39,7 +66,7 @@ The following are some of the most popular reverse engineering tools. HOWEVER! G
* [binwalk](https://github.com/devttys0/binwalk) - Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
* [binwalk](https://github.com/devttys0/binwalk) - Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable Reverse Engineering sandbox by Cisco-Talos.
* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable Reverse Engineering sandbox by Cisco-Talos.
* [Voltron](https://github.com/snare/voltron) - Extensible debugger UI toolkit written in Python.
* [Voltron](https://github.com/snare/voltron) - Extensible debugger UI toolkit written in Python.
* [Capstone](http://www.capstone-engine.org/) - Lightweight multi-platform, multi-architecture disassembly framework.
* [Capstone](https://www.capstone-engine.org/) - Lightweight multi-platform, multi-architecture disassembly framework.
* [rVMI](https://github.com/fireeye/rVMI) - Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.
* [rVMI](https://github.com/fireeye/rVMI) - Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.
* [Frida](https://www.frida.re/) - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
* [Frida](https://www.frida.re/) - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
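Review bot: only the Capstone link changes in this hunk, but the surrounding context still points binwalk at github.com/devttys0/binwalk and rVMI at github.com/fireeye/rVMI, i.e. at a personal and a company owner path; since this PR is link maintenance, confirm that those are still the canonical repositories rather than redirects, and update the owner path in the same change if either project has moved.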
@ -57,18 +84,18 @@ The following are some of the most popular reverse engineering tools. HOWEVER! G
* [MS Signed mimikatz in just 3 steps](https://github.com/secretsquirrel/SigThief)
* [MS Signed mimikatz in just 3 steps](https://github.com/secretsquirrel/SigThief)
* [Hiding your process from sysinternals](https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/)
* [Hiding your process from sysinternals](https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/)
* [Luckystrike: An Evil Office Document Generator](https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator)
* [Luckystrike: An Evil Office Document Generator](https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator)
* [The Absurdly Underestimated Dangers of CSV Injection](http://georgemauer.net/2017/10/07/csv-injection.html)
* [The Absurdly Underestimated Dangers of CSV Injection](https://georgemauer.net/2017/10/07/csv-injection.html)
* [Macro-less Code Exec in MSWord](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
* [Macro-less Code Exec in MSWord](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
* [Multi-Platform Macro Phishing Payloads](https://medium.com/@malcomvetter/multi-platform-macro-phishing-payloads-3b688e8eff68)
* [Multi-Platform Macro Phishing Payloads](https://medium.com/@malcomvetter/multi-platform-macro-phishing-payloads-3b688e8eff68)
* [Macroless DOC malware that avoids detection with Yara rule](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/)
* [Macroless DOC malware that avoids detection with Yara rule](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/)
* [Empire without powershell](https://bneg.io/2017/07/26/empire-without-powershell-exe/)
* [Empire without powershell](https://bneg.io/2017/07/26/empire-without-powershell-exe/)
* [Powershell without Powershell to bypass app whitelist](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/)
* [Powershell without Powershell to bypass app whitelist](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/)
* [Phishing between the app whitelists](https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279)
* [Phishing between the app whitelists](https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279)
* [Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)](http://subt0x10.blogspot.sg/2017/04/bypass-application-whitelisting-script.html)
* [Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)](https://subt0x10.blogspot.sg/2017/04/bypass-application-whitelisting-script.html)
* [Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations](http://subt0x10.blogspot.sg/2017/04/bypassing-application-whitelisting.html)
* [Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations](https://subt0x10.blogspot.sg/2017/04/bypassing-application-whitelisting.html)
* [Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
* [Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
* [Week of Evading Microsoft ATA - Announcement and Day 1 to Day 5](http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html)
* [Week of Evading Microsoft ATA - Announcement and Day 1 to Day 5](https://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html)
* [AMSI How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It](http://www.labofapenetrationtester.com/2016/09/amsi.html)
* [AMSI How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It](https://www.labofapenetrationtester.com/2016/09/amsi.html)
* [USING A SCF FILE TO GATHER HASHES](https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/)
* [USING A SCF FILE TO GATHER HASHES](https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/)
* [USING THE DDE ATTACK WITH POWERSHELL EMPIRE](https://1337red.wordpress.com/using-the-dde-attack-with-powershell-empire/)
* [USING THE DDE ATTACK WITH POWERSHELL EMPIRE](https://1337red.wordpress.com/using-the-dde-attack-with-powershell-empire/)
* [AVSignSeek](https://github.com/hegusung/AVSignSeek)
* [AVSignSeek](https://github.com/hegusung/AVSignSeek)
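Review bot: the "Macroless DOC malware that avoids detection with Yara rule" link keeps its `/amp/` suffix, which is the AMP rendering of the post rather than the canonical article; drop the suffix while the neighbouring URLs are being rewritten. The titles in this block also need normalising: "USING A SCF FILE TO GATHER HASHES" and "USING THE DDE ATTACK WITH POWERSHELL EMPIRE" are all caps, "Empire without powershell" and "Powershell without Powershell" disagree on the product name, and the rest of the list uses sentence or title case. The http-to-https swaps (georgemauer.net, the two subt0x10.blogspot.sg posts, the two labofapenetrationtester.com posts) are fine provided each was checked to resolve over TLS.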
@ -83,81 +110,37 @@ The following are some of the most popular reverse engineering tools. HOWEVER! G
## <a name="Return_oriented_programming" />Return Oriented Programming
## <a name="Return_oriented_programming" />Return Oriented Programming
+ [The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls](http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
+ [The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls](https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
+ [Blind return-oriented programming](http://www.scs.stanford.edu/brop/bittau-brop.pdf)
+ [Blind return-oriented programming](https://www.scs.stanford.edu/brop/bittau-brop.pdf)
+ [Sigreturn-oriented Programming](https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf)
+ [Sigreturn-oriented Programming](https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf)
+ [Jump-Oriented Programming: A New Class of Code-Reuse Attack](http://ftp.ncsu.edu/pub/tech/2010/TR-2010-8.pdf)
+ [Jump-Oriented Programming: A New Class of Code-Reuse Attack](https://www.csc2.ncsu.edu/techreports/tech/2010/TR-2010-8.pdf)
+ [Out of control: Overcoming control-flow integrity](http://www.cs.stevens.edu/~gportoka/files/outofcontrol_oakland14.pdf)
+ [ROP is Still Dangerous: Breaking Modern Defenses](https://people.eecs.berkeley.edu/~daw/papers/rop-usenix14.pdf)
+ [ROP is Still Dangerous: Breaking Modern Defenses](http://www.cs.berkeley.edu/~daw/papers/rop-usenix14.pdf)
+ [Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses](https://www.sec.in.tum.de/assets/staff/muntean/Loop-Oriented_Programming_A_New_Code_Reuse_Attack_to_Bypass_Modern0ADefenses.pdf) - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
+ [Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses](https://www.sec.in.tum.de/assets/staff/muntean/Loop-Oriented_Programming_A_New_Code_Reuse_Attack_to_Bypass_Modern0ADefenses.pdf) - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
+ [Systematic Analysis of Defenses Against Return-Oriented Programming](https://people.csail.mit.edu/nickolai/papers/skowyra-rop.pdf) -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
+ [Systematic Analysis of Defenses Against Return-Oriented Programming](https://people.csail.mit.edu/nickolai/papers/skowyra-rop.pdf) -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
+ [Return-oriented programming without returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
+ [Return-oriented programming without returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
+ [Jump-oriented programming: a new class of code-reuse attack](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
+ [Jump-oriented programming: a new class of code-reuse attack](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
+ [Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf) - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
+ [Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf) - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
+ [Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-goktas.pdf) - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]
+ [Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-goktas.pdf) - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1](http://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/) - by Marco Mastropaolo [2005]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1](https://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/) - by Marco Mastropaolo [2005]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2](http://www.mastropaolo.com/2005/06/05/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-2-code-injection/) - by Marco Mastropaolo [2005]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2](https://www.mastropaolo.com/2005/06/05/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-2-code-injection/) - by Marco Mastropaolo [2005]
+ [Practical Rop](http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) - by Dino Dai Zovi [2010]
+ [Practical Rop](https://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) - by Dino Dai Zovi [2010]
+ [Exploitation with WriteProcessMemory](https://packetstormsecurity.com/papers/general/Windows-DEP-WPM.txt) - by Spencer Pratt [2010]
+ [Exploitation with WriteProcessMemory](https://packetstormsecurity.com/papers/general/Windows-DEP-WPM.txt) - by Spencer Pratt [2010]
+ [Exploitation techniques and mitigations on Windows](http://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf) - by skape
+ [Exploitation techniques and mitigations on Windows](https://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf) - by skape
+ [A little return oriented exploitation on Windows x86 – Part 1](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html) - by Harmony Security and Stephen Fewer [2010]
+ [A little return oriented exploitation on Windows x86 – Part 1](https://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html) - by Harmony Security and Stephen Fewer [2010]
+ [A little return oriented exploitation on Windows x86 – Part 2](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html) - by Harmony Security and Stephen Fewer [2010]
+ [A little return oriented exploitation on Windows x86 – Part 2](https://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html) - by Harmony Security and Stephen Fewer [2010]
## <a name="Windows_memory_protections" />Windows memory protections
## Windows memory protections
*Windows memory protections Introduction Articles.*
*Windows memory protections Introduction Articles.*
+ [Data Execution Prevention](http://support.microsoft.com/kb/875352)
+ [Data Execution Prevention](https://support.microsoft.com/kb/875352)
+ [/GS (Buffer Security Check)](http://msdn.microsoft.com/en-us/library/Aa290051)
+ [/GS (Buffer Security Check)](https://msdn.microsoft.com/en-us/library/Aa290051)
+ [/SAFESEH](http://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx)
+ [/SAFESEH](https://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx)
+ [ASLR](http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx)
+ [ASLR](https://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx)
+ [SEHOP](http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
+ [SEHOP](https://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
## <a name="Bypassing_filter_and_protections" />Bypassing filter and protections
*Windows memory protections Bypass Methods Articles.*
+ [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002]
+ [Creating Arbitrary Shellcode In Unicode Expanded Strings](http://www.net-security.org/dl/articles/unicodebo.pdf) - by Chris Anley
+ [Advanced windows exploitation](http://www.immunityinc.com/downloads/immunity_win32_exploitation.final2.ppt) - by Dave Aitel [2003]
+ [Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server](http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf) - by David Litchfield
+ [Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)](http://cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt) - by Matt Conover in cansecwest 2004
+ [Safely Searching Process Virtual Address Space](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) - by Matt Miller [2004]
+ [IE exploit and used a technology called Heap Spray](http://www.exploit-db.com/exploits/612)
+ [Bypassing hardware-enforced DEP](http://www.uninformed.org/?v=2&a=4&t=pdf) - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
+ [Exploiting Freelist[0] On XP Service Pack 2](http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service%20Pack%202.pdf) - by Brett Moore [2005]
+ [Kernel-mode Payloads on Windows in uninformed](http://www.uninformed.org/?v=3&a=4&t=pdf)
+ [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6&a=2&t=pdf)
+ [Heap Feng Shui in JavaScript](http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf) by Alexander sotirov [2007]
+ [Bypassing browser memory protections in Windows Vista](http://taossa.com/archive/bh08sotirovdowd.pdf) - by Mark Dowd and Alex Sotirov [2008]
+ [Return oriented programming Exploitation without Code Injection](http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf) - by Hovav Shacham (and others ) [2008]
+ [Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf) - by Cesar Cerrudo [2008]
+ [Defeating DEP Immunity Way](http://www.immunityinc.com/downloads/DEPLIB.pdf) - by Pablo Sole [2008]
+ [Practical Windows XP2003 Heap Exploitation](http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf) - by John McDonald and Chris Valasek [2009]
+ [Bypassing SEHOP](http://www.sysdream.com/articles/sehop_en.pdf) - by Stefan Le Berre Damien Cauquil [2009]
+ [Interpreter Exploitation : Pointer Inference and JIT Spraying](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf) - by Dionysus Blazakis[2010]
+ [Write-up of Pwn2Own 2010](http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf) - by Peter Vreugdenhil
+ [All in one 0day presented in rootedCON](http://wintercore.com/downloads/rootedcon_0day_english.pdf) - by Ruben Santamarta [2010]
+ [DEP/ASLR bypass using 3rd party](http://web.archive.org/web/20130820021520/http://abysssec.com/files/The_Arashi.pdf) - by Shahin Ramezany [2013]
+ [Bypassing EMET 5.0](http://blog.sec-consult.com/2014/10/microsoft-emet-armor-against-zero-days.html) - by René Freingruber [2014]
## Exploit development tutorial series
## <a name="Typical_windows_exploits" />Typical windows exploits
+ [Real-world HW-DEP bypass Exploit](http://www.exploit-db.com/exploits/3652) - by Devcode
+ [Bypassing DEP by returning into HeapCreate](http://www.metasploit.com/redmine/projects/framework/repository/revisions/7246/entry/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb) - by Toto
+ [First public ASLR bypass exploit by using partial overwrite ](http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/email/ani_loadimage_chunksize.rb) - by Skape
+ [Heap spray and bypassing DEP](http://skypher.com/SkyLined/download/www.edup.tudelft.nl/%7Ebjwever/exploits/InternetExploiter2.zip) - by Skylined
+ [First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8833/raw/modules/exploits/windows/fileformat/adobe_libtiff.rb)
+ [Exploit codes of bypassing browsers memory protections](http://phreedom.org/research/bypassing-browser-memory-protections/bypassing-browser-memory-protections-code.zip)
+ [PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1](http://www.argeniss.com/research/Churrasco.zip) - by Cesar Cerrudo
+ [PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2](http://www.argeniss.com/research/Churrasco2.zip) - by Cesar Cerrudo
+ [An exploit works from win 3.1 to win 7](http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip) - by Tavis Ormandy KiTra0d
+ [Old ms08-067 metasploit module multi-target and DEP bypass](http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb)
+ [PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass](http://www.exploit-db.com/exploits/12189)
+ [SMBv2 Exploit](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8916/raw/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb) - by Stephen Fewer
+ [Microsoft IIS 7.5 remote heap buffer overflow](http://www.phrack.org/issues/68/12.html) - by redpantz
+ [Browser Exploitation Case Study for Internet Explorer 11](https://labs.bluefrostsecurity.de/files/Look_Mom_I_Dont_Use_Shellcode-WP.pdf) - by Moritz Jodeit [2016]
## <a name="Exploit_development_tutorial_series" />Exploit development tutorial series
*Exploid Development Tutorial Series Base on Windows Operation System Articles.*
*Exploid Development Tutorial Series Base on Windows Operation System Articles.*
<a name="corelan" />
<a name="corelan" />
- Corelan Team
- Corelan Team
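Review bot: this hunk silently deletes two whole sections, "Bypassing filter and protections" (23 references, from Halvar Flake's 2002 heap talk to the 2014 EMET 5.0 bypass) and "Typical windows exploits" (14 references, including the KiTrap0D, MS08-067 and SMBv2 entries), and also drops the "Out of control: Overcoming control-flow integrity" paper from the Return Oriented Programming list, while the commit message "Update README.md" gives no reason. If the motivation is dead links (several entries point at uninformed.org, exploit-db.com and the old metasploit.com redmine), the better fix is the one this file already uses for the "DEP/ASLR bypass using 3rd party" entry: point at a web.archive.org copy and keep the reference. Two smaller points in the same hunk: the `<a name="Windows_memory_protections" />` and `<a name="Exploit_development_tutorial_series" />` anchors are stripped from their headings, which breaks any link to `#Windows_memory_protections` or `#Exploit_development_tutorial_series` (the deleted sections take `#Bypassing_filter_and_protections` and `#Typical_windows_exploits` with them); and the first Jump-Oriented Programming entry changes host from ftp.ncsu.edu to csc2.ncsu.edu rather than just scheme, so confirm the new URL is the same TR-2010-8 report. While this region is being edited, the context line "*Exploid Development Tutorial Series Base on Windows Operation System Articles.*" should read "*Exploit development tutorial series based on the Windows operating system.*".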
@ -184,27 +167,27 @@ The following are some of the most popular reverse engineering tools. HOWEVER! G
+ [Part 7: Return Oriented Programming](https://www.fuzzysecurity.com/tutorials/expDev/7.html)
+ [Part 7: Return Oriented Programming](https://www.fuzzysecurity.com/tutorials/expDev/7.html)
+ [Part 8: Spraying the Heap Chapter 1: Vanilla EIP](https://www.fuzzysecurity.com/tutorials/expDev/8.html)
+ [Part 8: Spraying the Heap Chapter 1: Vanilla EIP](https://www.fuzzysecurity.com/tutorials/expDev/8.html)
+ [Part 9: Spraying the Heap Chapter 2: Use-After-Free](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
+ [Part 9: Spraying the Heap Chapter 2: Use-After-Free](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
+ [Part 10: Kernel Exploitation -> Stack Overflow](http://www.fuzzysecurity.com/tutorials/expDev/14.html)
+ [Part 10: Kernel Exploitation -> Stack Overflow](https://www.fuzzysecurity.com/tutorials/expDev/14.html)
+ [Part 11: Kernel Exploitation -> Write-What-Where](http://www.fuzzysecurity.com/tutorials/expDev/15.html)
+ [Part 11: Kernel Exploitation -> Write-What-Where](https://www.fuzzysecurity.com/tutorials/expDev/15.html)
+ [Part 12: Kernel Exploitation -> Null Pointer Dereference](http://www.fuzzysecurity.com/tutorials/expDev/16.html)
+ [Part 12: Kernel Exploitation -> Null Pointer Dereference](https://www.fuzzysecurity.com/tutorials/expDev/16.html)
+ [Part 13: Kernel Exploitation -> Uninitialized Stack Variable](http://www.fuzzysecurity.com/tutorials/expDev/17.html)
+ [Part 13: Kernel Exploitation -> Uninitialized Stack Variable](https://www.fuzzysecurity.com/tutorials/expDev/17.html)
+ [Part 14: Kernel Exploitation -> Integer Overflow](http://www.fuzzysecurity.com/tutorials/expDev/18.html)
+ [Part 14: Kernel Exploitation -> Integer Overflow](https://www.fuzzysecurity.com/tutorials/expDev/18.html)
+ [Part 15: Kernel Exploitation -> UAF](http://www.fuzzysecurity.com/tutorials/expDev/19.html)
+ [Part 15: Kernel Exploitation -> UAF](https://www.fuzzysecurity.com/tutorials/expDev/19.html)
+ [Part 16: Kernel Exploitation -> Pool Overflow](http://www.fuzzysecurity.com/tutorials/expDev/20.html)
+ [Part 16: Kernel Exploitation -> Pool Overflow](https://www.fuzzysecurity.com/tutorials/expDev/20.html)
+ [Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](http://www.fuzzysecurity.com/tutorials/expDev/21.html)
+ [Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](https://www.fuzzysecurity.com/tutorials/expDev/21.html)
+ [Heap Overflows For Humans 101](http://www.fuzzysecurity.com/tutorials/mr_me/2.html)
+ [Heap Overflows For Humans 101](https://www.fuzzysecurity.com/tutorials/mr_me/2.html)
+ [Heap Overflows For Humans 102](http://www.fuzzysecurity.com/tutorials/mr_me/3.html)
+ [Heap Overflows For Humans 102](https://www.fuzzysecurity.com/tutorials/mr_me/3.html)
+ [Heap Overflows For Humans 102.5](http://www.fuzzysecurity.com/tutorials/mr_me/4.html)
+ [Heap Overflows For Humans 102.5](https://www.fuzzysecurity.com/tutorials/mr_me/4.html)
+ [Heap Overflows For Humans 103](http://www.fuzzysecurity.com/tutorials/mr_me/5.html)
+ [Heap Overflows For Humans 103](https://www.fuzzysecurity.com/tutorials/mr_me/5.html)
+ [Heap Overflows For Humans 103.5](http://www.fuzzysecurity.com/tutorials/mr_me/6.html)
+ [Heap Overflows For Humans 103.5](https://www.fuzzysecurity.com/tutorials/mr_me/6.html)
- <a name="securitysift" />Securitysift
- <a name="securitysift" />Securitysift
+ [Windows Exploit Development – Part 1: The Basics](http://www.securitysift.com/windows-exploit-development-part-1-basics/)
+ [Windows Exploit Development – Part 1: The Basics](https://www.securitysift.com/windows-exploit-development-part-1-basics/)
+ [Windows Exploit Development – Part 2: Intro to Stack Based Overflows](http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/)
+ [Windows Exploit Development – Part 2: Intro to Stack Based Overflows](https://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/)
+ [Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules](http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/)
+ [Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules](https://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/)
+ [Windows Exploit Development – Part 4: Locating Shellcode With Jumps](http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/)
+ [Windows Exploit Development – Part 4: Locating Shellcode With Jumps](https://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/)
+ [Windows Exploit Development – Part 5: Locating Shellcode With Egghunting](http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/)
+ [Windows Exploit Development – Part 5: Locating Shellcode With Egghunting](https://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/)
+ [Windows Exploit Development – Part 6: SEH Exploits](http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/)
+ [Windows Exploit Development – Part 6: SEH Exploits](https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/)
+ [Windows Exploit Development – Part 7: Unicode Buffer Overflows](http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/)
+ [Windows Exploit Development – Part 7: Unicode Buffer Overflows](https://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/)
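Review bot: every fuzzysecurity.com and securitysift.com link from Part 10 onward and in the Securitysift block is rewritten from http to https as a blanket substitution, and nothing in the change indicates the new URLs were checked; a link to a host that does not serve a valid certificate, or that redirects straight back to plain http, leaves readers worse off than the original, so confirm each rewritten URL actually resolves over TLS before merging. Parts 7 to 9 of the fuzzysecurity series were already https in the context lines, so once verified the list is at least consistent within itself.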