Untitled
a guest, Jul 29th, 2010
This document is in fieri, and, as such, will be subject to change in the near future.

My intention with this document is for it to be something of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.

- sar

Buffer overflows:
-----------------
http://insecure.org/stf/mudge_buffer_overflow_tutorial.html        How to write buffer overflows, mudge, 1995
http://www.phrack.com/issues.html?issue=49&id=14                   Smashing the stack for fun and profit, Aleph One, 1996
http://www.phrack.com/issues.html?issue=55&id=8                    The Frame Pointer Overwrite, klog, 1999
http://www.phrack.com/issues.html?issue=55&id=15                   win32 buffer overflows, dark spyrit, 1999

Return-into-lib / Return oriented programming:
----------------------------------------------
http://marc.info/?l=bugtraq&m=87602746719512                                    Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997
http://www.phrack.com/issues.html?issue=58&id=4                                 More advanced ret-into-lib(c) techniques, Nergal, 2001
http://benpfaff.org/papers/asrandom.pdf                                         On the effectiveness of address-space randomization, 2004
http://www.suse.de/~krahmer/no-nx.pdf                                           Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005
http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf                                 The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007
http://www.immunitysec.com/downloads/DEPLIB.pdf                                 Defeating DEP, the Immunity Debugger way, Pablo Sole, 2008
http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf            The Case of Return-Oriented Programming and the AVC Advantage, 2009
http://www.sourceconference.com/bos10pubs/Dino.pdf                              Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010

Heap exploitation:
------------------
http://w00w00.org/files/articles/heaptut.txt                                           w00w00 on heap overflows, Matt Conover, 1999
http://www.phrack.com/issues.html?issue=57&id=8                                        Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001
http://www.phrack.com/issues.html?issue=57&id=9                                        Once upon a free(), anonymous author, 2001
http://www.phrack.com/issues.html?issue=61&id=6                                        Advanced Doug Lea's malloc exploits, jp, 2003
http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html        Exploiting the wilderness, Phantasmal Phantasmagoria, 2004
http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt                 Malloc Maleficarum, Phantasmal Phantasmagoria, 2005
http://www.phrack.com/issues.html?issue=66&id=6                                        Yet another free() exploitation technique, huku, 2009

Format string exploitation:
---------------------------
http://crypto.stanford.edu/cs155old/cs155-spring08/papers/formatstring-1.2.pdf  Exploiting format string vulnerabilities, scut / Team-TESO, 2001
http://www.phrack.com/issues.html?issue=59&id=7                                 Advances in format string exploitation, gera, 2002
http://www.milw0rm.com/papers/103                                               An alternative method in format string exploitation, K-sPecial, 2006

Integer overflows:
------------------
http://www.phrack.com/issues.html?issue=60&id=9         Big Loop Integer Protection, Oded Horovitz, 2002
http://www.phrack.com/issues.html?issue=60&id=10        Basic Integer Overflows, blexim, 2002

Null-ptr dereference:
---------------------
http://cansecwest.com/core05/memory_vulns_delalleau.pdf                                Large memory management vulnerabilities, Gael Delalleau, 2005
http://www.uninformed.org/?v=4&a=5&t=pdf                                               Exploiting the Otherwise Non-exploitable on Windows, skape, 2006
http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf     Vector rewrite attack, Barnaby Jack, 2007
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf                          Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008

JIT-spray:
----------
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf                                  Pointer inference and JIT-Spraying, Dion Blazakis, 2010
http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf     Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010

Other:
------
http://seclists.org/bugtraq/2000/Dec/175            Overwriting the .dtors section, Juan M. Bello Rivas, 2000
http://vxheavens.com/lib/viz00.html                 Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006

Unorganized:
------------

http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/

http://www.phrack.com/issues.html?issue=57&id=18       writing ia32 alphanumeric shellcode

http://www.usenix.org/events/sec05/tech/full_papers/kruegel/kruegel_html/attack.html             Automating mimicry attacks using static binary analysis

http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/

http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/

http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf

http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf

http://www.phrack.com/issues.html?issue=64&id=6        Attacking the Core: Kernel Exploiting Notes, 2007

http://lkml.org/lkml/2010/5/27/490

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf

http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/

http://eeyeresearch.typepad.com/blog/2006/08/post_ms06035_ma.html
http://www.phrack.org/phrack/63/p63-0x0e_Shifting_the_Stack_Pointer.txt
http://seclists.org/vuln-dev/2002/Nov/att-0056/0
http://www.pine.nl/press/pine-cert-20030101.txt
http://seclists.org/bugtraq/2000/Jan/0016.html

ASLR:
-----
www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf                                                            Aslr Smack and Laugh Reference
cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt                                              Advanced Buffer Overflow Methods
sts.synflood.de/dump/doc/smackthestack.txt                                                                     Smack the Stack
blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf     Exploiting the random number generator to bypass ASLR
en.wikipedia.org/wiki/Address_space_layout_randomization                                                       Wikipedia on ASLR
usenix.org/events/sec09/tech/slides/sotirov.pdf                                                                Bypassing Memory Protections: The Future of Exploitation
stanford.edu/~blp/papers/asrandom.pdf                                                                          On the Effectiveness of Address-Space Randomization
milw0rm.com/papers/55                                                                                          Exploiting with linux-gate.so.1
milw0rm.com/papers/94                                                                                          Circumventing the VA kernel patch For Fun and Profit
timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/                                          Defeating the Matasano C++ Challenge
phrack.com/issues.html?issue=59&id=9                                                                           Bypassing PaX ASLR protection
nibbles.tuxfamily.org/?p=1190                                                                                  Thoughts about ASLR, NX Stack and format string attacks
cseweb.ucsd.edu/~hovav/dist/geometry.pdf                                                                       Return-into-libc without Function Calls
cr0.org/paper/to-jt-linux-alsr-leak.pdf                                                                        Linux ASLR Curiosities, Tavis Ormandy, Julien Tinnes
corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
securitytube.net/Exploiting-a-buffer-overflow-under-Linux-kernel-2.6-with-ASLR-through-ret2reg-video.aspx
securitytube.net/Bypassing-the-Linux-Kernel-ASLR-and-Exploiting-a-Buffer-Overflow-Vulnerable-Application-with-ret2esp-video.aspx
securitytube.net/Exploiting-Buffer-Overflows-on-kernels-with-ASLR-enabled-using-Brute-Force-on-the-Stack-Layer-video.aspx

http://ilm.thinkst.com/folklore/index.shtml

http://www.corelan.be:8800/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/