SHARE
TWEET

From 0x90 to 0x4c454554, a journey into exploitation.

a guest Dec 30th, 2013 6,804 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Originally from : http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html
  2.  
  3. #############################################################################################################
  4. #
  5. #                               From 0x90 to 0x4c454554, a journey into exploitation.
  6. #
  7. #############################################################################################################
  8.  
  9. I put some time in and compiled a list in a course type layout to help people in process of learning exploit development. I hope my research will help others spend more time learning and less time searching.
  10.  
  11. First off I want to thank the corelan guys for the help they have provided me so far in the process.
  12.  
  13. layout: I will be posting in a hierarchical structure, each hierarchy structure should be fully understood before moving on to the next section. I will also post sets of Parallel learning topics that you can use to study in line with other topics to help prevent monotony. These Parallel areas will have a start and end mark which shows when they should be complete in perspective to the overall learning
  14.  
  15. desktop background Link to Backgrounds: http://redmine.corelan.be:8800/projects/corelanart/files
  16.  
  17. Other Posts like this one:
  18. Because of quality of these posts I wanted to put them at the top. I could not figure out where to put them in the list because they cover so much.
  19.  
  20. past-present-future of windows exploitation: http://www.abysssec.com/blog/2010/05/past-present-future-of-windows-exploitation/
  21.  
  22. smashing the stack in 2010: http://5d4a.wordpress.com/2010/08/02/smashing-the-stack-in-2010/
  23.  
  24. IT-Sec-catalog: https://code.google.com/p/it-sec-catalog/
  25.  
  26. #############################################################################################################
  27. #                              
  28. #                                             Part 1: Programming
  29. #
  30. #############################################################################################################
  31.  
  32.  
  33.     Parallel learning #1:(complete this section before getting to the book "Hacking Art of exploitation")
  34.     While going through the programming area I concentrate on core topics to help us later on with exploit writing. One area that is very good to pick up is some kind of scripting language. Listed below are some of the most popular scripting languages and ones I feel will prove to be the most useful.
  35.  
  36.     Python: One of my favorite languages and growing in popularity python is a powerful language that is easy to use and well documented.
  37.  
  38.     Learn Python the hard way: http://learnpythonthehardway.org/book/
  39.  
  40.     Wikibooks Python: http://en.wikibooks.org/wiki/Subject:Python_programming_language
  41.  
  42.     http://docs.python.org/
  43.  
  44.     onlinecomputerbooks.com: http://www.onlinecomputerbooks.com/free-python-books.php
  45.  
  46.     Grey hat python: http://oreilly.com/catalog/9781593271923
  47.  
  48. ################################
  49.  
  50.     Ruby: If you plan on later on working inside of metasploit this may be the language you want to start with. I highly suggest this for exploit developers to learn.
  51.  
  52.     Wikibooks Ruby: http://en.wikibooks.org/wiki/Subject:Ruby_programming_language
  53.  
  54.     LittleBookOfRuby: http://www.sapphiresteel.com/IMG/pdf/LittleBookOfRuby.pdf
  55.  
  56.     Ruby Programmers Guide: http://www.ruby-doc.org/docs/ProgrammingRuby/
  57.  
  58.     onlinecomputerbooks.com: http://www.onlinecomputerbooks.com/free-ruby-books.php
  59.  
  60. ################################
  61.  
  62.     Perl: An older language that still has a lot of use perl is one of the highest used scripting languages and you will see it used in many exploits. (I would suggest python over perl)
  63.  
  64.     [book] O'Reilly Learning Perl: http://www.amazon.com/Learning-Perl-5th-Randal-Schwartz/dp/0596520107/ref=sr_1_1?ie=UTF8&s=books&qid=1280901933&sr=8-1
  65.  
  66.     onlinecomputerbooks.com: http://www.onlinecomputerbooks.com/free-perl-books.php
  67.  
  68. ################################
  69.  
  70.     C and C++ programming:
  71.     It is very important to understand what you are exploiting so to get started let us figure out what we are exploiting. You do not need to go through all of these but when finished with this section you should have a good understanding of C and C++ programming.
  72.  
  73.     Cprogramming.com
  74.  
  75.     http://www.java2s.com/Tutorial/C/CatalogC.htm
  76.  
  77.     http://beej.us/guide/bgc/
  78.  
  79.     onlinecomputerbooks.com: http://www.onlineprogrammingbooks.com/free-c-books.php
  80.  
  81. ################################
  82.  
  83.     X86 Assembly:
  84.     Ok now to understand what the computer reads when we compile C and C++. I am going to mostly stick to the IA-32(X86) assembly language. Read the first link to understand why. It explains it very well.
  85.  
  86.     Skullsecurity: Assembly: http://www.skullsecurity.org/wiki/index.php/Fundamentals
  87.  
  88.     Windows Assembly Programming Tutorial: http://www.acm.uiuc.edu/sigwin/old/workshops/winasmtut.pdf
  89.  
  90.     http://en.wikibooks.org/wiki/X86_Assembly
  91.  
  92.     [book]The Art of Assembly: http://homepage.mac.com/randyhyde/webster.cs.ucr.edu/index.html
  93.  
  94.     Assembly primer for hackers: http://www.securitytube.net/Assembly-Primer-for-Hackers-%28Part-1%29-System-Organization-video.aspx
  95.  
  96.     PC Assembly Language: http://www.drpaulcarter.com/pcasm/
  97.  
  98. ################################
  99.  
  100.     Windows Programming:
  101.     This is to help understand what we are programming in and the structure of libraries in the OS. This area is very important far down the line
  102.  
  103.     http://en.wikibooks.org/wiki/Windows_Programming
  104.  
  105.     http://www.relisoft.com/win32/index.htm
  106.  
  107.     [book]Windows Internals 5: http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Dstripbooks&field-keywords=windows+sysinternals&x=0&y=0
  108.  
  109.     [book]Windows Internals 4: http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174
  110.  
  111. ################################
  112.  
  113.     Disassembly:
  114.     Dissassembly is not as much programming as it is what the computer understands and the way it is interpreted from CPU and memory. This is where we start getting into the good stuff.
  115.  
  116.     http://en.wikibooks.org/wiki/X86_disassembly
  117.  
  118.     The Art of Disassembly: http://tuts4you.com/download.php?view.187
  119.  
  120.  
  121. #############################################################################################################
  122. #                              
  123. #                                             Part 2: Getting started
  124. #
  125. #############################################################################################################
  126.  
  127.  
  128.     Now that we have a very good understanding of programming languages and what the machine is doing we can start working on task at hand, exploitation.
  129.     Here I will start a lot of the learning in very much a list format and adding in comments or Parallel learning areas when needed.
  130.  
  131. ################################
  132.  
  133.     Smash the stack for fun and profit (Phrack 49): http://www.phrack.org/issues.html?issue=49&id=14#article
  134.  
  135.     C function call conventions and the stack: http://cs.umbc.edu/~chang/cs313.s02/stack.shtml
  136.  
  137.     Anatomy of a program in memory: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory
  138.  
  139.     Function Calls, Part 1 (the Basics): http://www.codeguru.com/cpp/misc/misc/assemblylanguage/article.php/c14641
  140.  
  141.     IA-32 Architecture: http://www.sandpile.org/ia32/index.htm
  142.  
  143.     [videos]Code Audit from cryptocity.net: http://pentest.cryptocity.net/code-audits/
  144.  
  145. ################################
  146.  
  147.     (Parallel learning #1 finished: You should now have finished on Parallel learning 1 and have a good understanding of one of the 3 languages)
  148.  
  149.     [Book]Hacking art of exploitation [Chapter 1&2]: http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=sr_1_fkmr1_1?ie=UTF8&qid=1280905635&sr=1-1-fkmr1
  150.  
  151.     Corelan T1: http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
  152.  
  153.     Corelan T2: http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
  154.  
  155. ################################
  156.  
  157.     Parallel learning #2:(complete this section before end of part 2)
  158.  
  159.     (Read the first few posts on this blog has some good info)
  160.     Kspice blog: http://blog.ksplice.com/2010/03/
  161.  
  162.     (Read some of the post from this blog they are very helpful with starting out with fuzzers.)
  163.     Nullthreat's blog: http://www.nullthreat.net/
  164.  
  165.     (I am linked directly to a demo exploit for this area but this is a useful blog to keep track of for many things)
  166.     A demo exploit: http://www.darklevel.org/index.php?option=com_content&task=view&id=54&Itemid=89
  167.  
  168.  
  169.     tenouk.com: Buffer overflow intro: http://www.tenouk.com/Bufferoverflowc/stackbasedbufferoverflow.html
  170.  
  171.     The Tao of Windows Buffer Overflow: http://www.cultdeadcow.com/cDc_files/cDc-351/index.html
  172.  
  173.     nsfsecurity on BOF: http://nsfsecurity.pr.erau.edu/bom/index.html
  174.  
  175.     Hacker center: BOF: http://www.hackerscenter.com/index.php?/Downloads/Library/Application-Security/View-category.html
  176.  
  177.     [video]Buffer overflow Primer: http://www.securitytube.net/Buffer-Overflow-Primer-Part-1-%28Smashing-the-Stack%29-video.aspx
  178.  
  179.     [Book]Shellcoder's Handbook Ch1&2: http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=sr_1_1?ie=UTF8&s=books&qid=1282450549&sr=8-1
  180.  
  181.     [Book]Hacking art of exploitation [Chapter 3]: http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=sr_1_fkmr1_1?ie=UTF8&qid=1280905635&sr=1-1-fkmr1
  182.  
  183.  
  184.     Corelan T3A: http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
  185.  
  186.     Corelan T3B: http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
  187.  
  188.     SEH Based Exploits and the development process: http://www.ethicalhacker.net/content/view/309/2/
  189.  
  190.     SEH overwrite simplified: http://www.shell-storm.org/papers/files/405.pdf
  191.  
  192.     ((Parallel learning #2 finished:)
  193.  
  194. #############################################################################################################
  195. #                              
  196. #                                              Part 3:Tools of the trade
  197. #
  198. #############################################################################################################
  199.  
  200.     This is a list of tools I have started using and find very useful.
  201.  
  202.     Immunity Debugger: http://www.immunityinc.com/products-immdbg.shtml
  203.  
  204.     Ollydbg: http://www.ollydbg.de/
  205.  
  206.     Windbg: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
  207.  
  208.     IDA Pro: http://www.hex-rays.com/idapro/
  209.  
  210.     explorer suite: http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html
  211.  
  212.     Sysinternals: http://technet.microsoft.com/en-us/sysinternals/bb795533.aspx
  213.  
  214. ################################
  215.  
  216.     And here are some corelan posts on how to use them. I will supply more in future but this is a very good start.
  217.  
  218.     Corelan T5: http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
  219.  
  220.     Corelan: Immunity debugger cheatsheet: http://www.corelan.be:8800/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/
  221.  
  222. #############################################################################################################
  223. #                              
  224. #                                              Part 4: Network and Metasploit
  225. #
  226. #############################################################################################################
  227.  
  228.  
  229.     (Networking)
  230.  
  231.     Beej.us network programming: http://beej.us/guide/bgnet/output/html/multipage/index.html
  232.  
  233.     [Book]Hacking art of exploitation [Chapter 4]: http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=sr_1_fkmr1_1?ie=UTF8&qid=1280905635&sr=1-1-fkmr1
  234.  
  235.     Socket Programming in ruby: https://www6.software.ibm.com/developerworks/education/l-rubysocks/l-rubysocks-a4.pdf
  236.  
  237. ################################
  238.  
  239.     (Metasploit)
  240.  
  241.     [Video]Security Tube: Metasploit Megaprimer: http://www.securitytube.net/Metasploit-Megaprimer-%28Exploitation-Basics-and-need-for-Metasploit%29-Part-1-video.aspx
  242.  
  243.     Metasploit.com: http://www.metasploit.com/
  244.  
  245.     Metasploit Unleashed: http://www.offensive-security.com/metasploit-unleashed/
  246.  
  247.     [video]Metasploit Louisville Class: http://www.irongeek.com/i.php?page=videos/metasploit-class
  248.  
  249.     Metasploitable (a target): http://blog.metasploit.com/2010/05/introducing-metasploitable.html
  250.  
  251.     Corelan T4: http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
  252.  
  253.     intern0t: developing my first exploit: http://guides.intern0t.net/msf2.php
  254.  
  255.     [video]DHAtEnclaveForensics: Exploit Creation in Metasploit: http://www.youtube.com/user/DHAtEnclaveForensics#p/u/9/rGlvgeeU0vQ
  256.  
  257.     Wikibooks Metasploit/Writing Windows Exploit: http://en.wikibooks.org/wiki/Metasploit/WritingWindowsExploit
  258.  
  259. #############################################################################################################
  260. #                              
  261. #                                              Part 5: Shellcode
  262. #
  263. #############################################################################################################
  264.  
  265.  
  266.     Corelan T9: http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
  267.  
  268.     projectShellcode: Shellcode Tutorial: http://projectshellcode.com/?q=node/12
  269.  
  270.     [Book]Shellcoder's Handbook Ch3: http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=sr_1_1?ie=UTF8&s=books&qid=1282450549&sr=8-1
  271.  
  272.     [Book]Hacking art of exploitation [Chapter 5]: http://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441/ref=sr_1_fkmr1_1?ie=UTF8&qid=1280905635&sr=1-1-fkmr1
  273.  
  274.     Writing small shellcode: http://www.shell-storm.org/papers/files/440.pdf
  275.  
  276.     Shell-storm Shellcode database: http://www.shell-storm.org/shellcode/
  277.  
  278.     Advanced shellcode: http://www.vividmachines.com/shellcode/shellcode.html#as
  279.  
  280. #############################################################################################################
  281. #                              
  282. #                                       Part 6: Engineering in Reverse
  283. #
  284. #############################################################################################################
  285.  
  286.  
  287.     Parallel Learning #3:(constant place to reference and use for reversing)
  288.  
  289.     Understanding Code: http://www.reteam.org/papers/e57.pdf
  290.  
  291.     Reverse Engineering the World: http://mattoh.wordpress.com/
  292.  
  293.     Reversing for Newbies: http://tuts4you.com/download.php?list.17
  294.  
  295.     Room362.com reversing blog post: http://www.room362.com/blog/2009/6/12/getting-your-fill-of-reverse-engineering-and-malware-analysi.html
  296.  
  297.     Ethicalhacker.net intro to reverse engineering: http://www.ethicalhacker.net/content/view/152/2/
  298.  
  299.     acm.uiuc.edu Intro to Reverse Engineering software: http://www.acm.uiuc.edu/sigmil/RevEng/
  300.  
  301.     [Book]Reversing: secrets of reverse engineering: http://www.amazon.com/Reversing-Secrets-Engineering-Eldad-Eilam/dp/0764574817/ref=sr_1_1?s=books&ie=UTF8&qid=1280937813&sr=1-1
  302.  
  303.     [video]Reverse Engineering from cryptocity.net: http://pentest.cryptocity.net/reverse-engineering/
  304.  
  305.     CrackZ's Reverse Engineering Page: http://www.woodmann.com/crackz/
  306.  
  307.     Reverse engineering techniques: http://www.securitytube.net/Reverse-Engineering-Techniques-to-find-Security-Vulnerabilities-video.aspx
  308.  
  309.     CBM_1_2_2006_Goppit_PE_Format_Reverse_Engineer_View: http://dl.dropbox.com/u/5489930/CBM_1_2_2006_Goppit_PE_Format_Reverse_Engineer_View.pdf
  310.  
  311.     HistoryofPackingTechnology: http://securitylabs.websense.com/content/Assets/HistoryofPackingTechnology.pdf
  312.  
  313.     Windows PE Header: http://marcoramilli.blogspot.com/2010/12/windows-pe-header.html
  314.  
  315.     OpenRCE Articles: http://www.openrce.org/articles/
  316.  
  317.  
  318.     [GAME]Crackmes.de: http://crackmes.de/
  319.  
  320. #############################################################################################################
  321. #                              
  322. #                                    Part 7: Getting a little deeper into BOF
  323. #
  324. #############################################################################################################
  325.  
  326.  
  327.     Parallel Learning #4:(To the end of the course and beyond)
  328.     Find old exploits on Exploit-db (http://www.exploit-db.com/) download them, test them, rewrite them, understand them.
  329.  
  330. ################################
  331.  
  332.     (Part A: preventions)
  333.  
  334.     Buffer overflow protection: http://en.wikipedia.org/wiki/Buffer_overflow_protection
  335.  
  336.     The evolution of Microsoft's Mitigations: http://technet.microsoft.com/en-us/security/dd285253.aspx
  337.  
  338.     Purdue.edu: Canary Bit: http://www.cs.purdue.edu/homes/mkirkpat/papers/canbit.pdf
  339.  
  340.     Preventing the exploitation of SEH Overwrites with SEHOP: http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx
  341.  
  342.     Bypassing SEHOP: http://www.sysdream.com/articles/sehop_en.pdf
  343.  
  344.     Wikipedia Executable space protextion: http://en.wikipedia.org/wiki/Executable_space_protection
  345.  
  346.     Wikipedia DEP: http://en.wikipedia.org/wiki/Data_Execution_Prevention
  347.  
  348.     Bypassing Hardware based DEP: http://www.securestate.com/Docs/Bypassing_Hardware_based_Data_Execution_Prevention.pdf
  349.  
  350.     Wikipedia ASLR: http://en.wikipedia.org/wiki/ASLR
  351.  
  352.     Symantec ASLR in Vista: http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf
  353.  
  354.     Defeating the Stack Based Buffer Overflow Prevention: http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf
  355.  
  356.     Corelan T6: http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
  357.  
  358.     Return to libc: https://secure.wikimedia.org/wikipedia/en/wiki/Return-to-libc_attack
  359.  
  360.     [video] microsoft protections video: http://technet.microsoft.com/en-us/security/dd285253.aspx
  361.  
  362. ################################
  363.  
  364.     (Part B: Advanced BOF)
  365.  
  366.     [video]Exploitation from cryptocity.net: http://pentest.cryptocity.net/exploitation/
  367.  
  368.     Corelan T7: http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
  369.  
  370.     Corelan T8: http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
  371.  
  372.     Corelan T10: http://www.corelan.be:8800/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
  373.  
  374.     Virtual Worlds - Real Exploits: http://www.youtube.com/watch?v=UIKy1Shxd6Q&feature=related
  375.  
  376.  
  377.     [GAME]Gera's Insecure Programming: http://community.corest.com/~gera/
  378.  
  379.     [GAME]Smash the stack wargaming network: http://www.smashthestack.org/
  380.  
  381. #############################################################################################################
  382. #                              
  383. #                                                 Part 8: Heap overflow
  384. #
  385. #############################################################################################################
  386.  
  387.    
  388.     Heap Overflows for Humans-101: http://www.exploit-db.com/download_pdf/15982
  389.  
  390.     rm -rf / on heap overflow: http://pthreads.blogspot.com/2007/04/heap-overflow.html
  391.  
  392.     w00w00 on heap overflow: http://www.w00w00.org/files/articles/heaptut.txt
  393.  
  394.     [book]Shellcoder's Handbook Ch4&5: http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=sr_1_1?ie=UTF8&s=books&qid=1282450549&sr=8-1
  395.  
  396.     h-online A heap of Risk: http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html
  397.  
  398.     [video]Defcon 15 remedial Heap Overflows: http://www.youtube.com/watch?v=2W4tuxHcOnE
  399.  
  400.     heap overflow: ancient art of unlink seduction: http://www.thehackerslibrary.com/?p=872
  401.  
  402.     Memory corruptions part II -- heap: http://advancedwindowsdebugging.com/ch06.pdf
  403.  
  404.  
  405.     [book]Read the rest of Shellcoder's Handbook: http://www.amazon.com/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X/ref=sr_1_1?ie=UTF8&s=books&qid=1282450549&sr=8-1
  406.  
  407. #############################################################################################################
  408. #                              
  409. #                                             Part 9: Exploit listing sites
  410. #
  411. #############################################################################################################
  412.    
  413.  
  414.     Exploit-DB: http://www.exploit-db.com/
  415.  
  416.     Injector: http://inj3ct0r.com/
  417.  
  418.     CVE Details: http://www.cvedetails.com/
  419.  
  420.     Packetstorm: http://www.packetstormsecurity.org/assess/exploits/
  421.  
  422.     CERT: http://www.us-cert.gov/cas/techalerts/
  423.  
  424.     Mitre: http://cve.mitre.org/cve/index.html
  425.  
  426.     National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/search?cid=3
  427.  
  428. ################################
  429.  
  430.     (bonus: site that lists types of vulnerabilties and info)
  431.     Common Weakness Enumberation: http://cwe.mitre.org/index.html
  432.  
  433.  
  434.  
  435. If anyone has any good links to add post a comment and I will try to add them or send me the link and I will review and add it.
  436.  
  437. If anyone finds any bad or false information in any of these tutorials please let me know. I do not want people reading this getting bad information.
RAW Paste Data
Pastebin PRO Autumn Special!
Get 40% OFF on Pastebin PRO accounts!
Top