- This document is a work in progress and, as such, will be subject to change in the near future.
- My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
- I have tried to order the articles by technique and chronology.
- - sar
- Buffer overflows:
- -----------------
- http://insecure.org/stf/mudge_buffer_overflow_tutorial.html How to write buffer overflows, mudge, 1995
- http://www.phrack.com/issues.html?issue=49&id=14 Smashing the stack for fun and profit, Aleph One, 1996
- http://www.phrack.com/issues.html?issue=55&id=8 The Frame Pointer Overwrite, klog, 1999
- http://www.phrack.com/issues.html?issue=55&id=15 win32 buffer overflows, dark spyrit, 1999
- Return-into-lib / Return oriented programming:
- ----------------------------------------------
- http://marc.info/?l=bugtraq&m=87602746719512 Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997
- http://www.phrack.com/issues.html?issue=58&id=4 More advanced ret-into-lib(c) techniques, Nergal, 2001
- http://benpfaff.org/papers/asrandom.pdf On the effectiveness of address-space randomization, , 2004
- http://www.suse.de/~krahmer/no-nx.pdf Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005
- http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007
- http://www.immunitysec.com/downloads/DEPLIB.pdf Defeating DEP, the Immunity Debugger way, Pablo Sole, 2008
- http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf The Case of Return-Oriented Programming and the AVC Advantage, 2009
- http://www.sourceconference.com/bos10pubs/Dino.pdf Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010
- Heap exploitation:
- ------------------
- http://w00w00.org/files/articles/heaptut.txt w00w00 on heap overflows, Matt Conover, 1999
- http://www.phrack.com/issues.html?issue=57&id=8 Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001
- http://www.phrack.com/issues.html?issue=57&id=9 Once upon a free(), anonymous author, 2001
- http://www.phrack.com/issues.html?issue=61&id=6 Advanced Doug Lea's malloc exploits, jp, 2003
- http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html Exploiting the wilderness, Phantasmal Phantasmagoria, 2004
- http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt Malloc Maleficarum, Phantasmal Phantasmagoria, 2005
- http://www.phrack.com/issues.html?issue=66&id=6 Yet another free() exploitation technique, huku, 2009
- Format string exploitation:
- ---------------------------
- http://crypto.stanford.edu/cs155old/cs155-spring08/papers/formatstring-1.2.pdf Exploiting format string vulnerabilities, scut / Team-TESO, 2001
- http://www.phrack.com/issues.html?issue=59&id=7 Advances in format string exploitation, gera, 2002
- http://www.milw0rm.com/papers/103 An alternative method in format string exploitation, K-sPecial, 2006
- Integer overflows:
- ------------------
- http://www.phrack.com/issues.html?issue=60&id=9 Big Loop Integer Protection, Oded Horovitz, 2002
- http://www.phrack.com/issues.html?issue=60&id=10 Basic Integer Overflows, blexim, 2002
- Null-ptr dereference:
- ---------------------
- http://cansecwest.com/core05/memory_vulns_delalleau.pdf Large memory management vulnerabilities, Gael Delalleau, 2005
- http://www.uninformed.org/?v=4&a=5&t=pdf Exploiting the Otherwise Non-exploitable on Windows, skape, 2006
- http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf Vector rewrite attack, Barnaby Jack, 2007
- http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008
- JIT-spray:
- ----------
- http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf Pointer inference and JIT-Spraying, Dion Blazakis, 2010
- http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010
- Other:
- ------
- http://seclists.org/bugtraq/2000/Dec/175 Overwriting the .dtors section, Juan M. Bello Rivas, 2000
- http://vxheavens.com/lib/viz00.html Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006
- Unorganized:
- ------------
- http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/
- http://www.phrack.com/issues.html?issue=57&id=18 writing ia32 alphanumeric shellcode
- http://www.usenix.org/events/sec05/tech/full_papers/kruegel/kruegel_html/attack.html Automating mimicry attacks using static binary analysis
- http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/
- http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/
- http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf
- http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
- http://www.phrack.com/issues.html?issue=64&id=6 Attacking the Core: Kernel Exploiting Notes, 2007
- http://lkml.org/lkml/2010/5/27/490
- http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
- http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
- http://eeyeresearch.typepad.com/blog/2006/08/post_ms06035_ma.html
- http://www.phrack.org/phrack/63/p63-0x0e_Shifting_the_Stack_Pointer.txt
- http://seclists.org/vuln-dev/2002/Nov/att-0056/0
- http://www.pine.nl/press/pine-cert-20030101.txt
- http://seclists.org/bugtraq/2000/Jan/0016.html
- ASLR:
- -----
- www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf ASLR Smack and Laugh Reference
- cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt Advanced Buffer Overflow Methods
- sts.synflood.de/dump/doc/smackthestack.txt Smack the Stack
- blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf Exploiting the random number generator to bypass ASLR
- en.wikipedia.org/wiki/Address_space_layout_randomization Wikipedia on ASLR
- usenix.org/events/sec09/tech/slides/sotirov.pdf Bypassing Memory Protections: The Future of Exploitation
- stanford.edu/~blp/papers/asrandom.pdf On the Effectiveness of Address-Space Randomization
- milw0rm.com/papers/55 Exploiting with linux-gate.so.1
- milw0rm.com/papers/94 Circumventing the VA kernel patch For Fun and Profit
- timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/ Defeating the Matasano C++ Challenge
- phrack.com/issues.html?issue=59&id=9 Bypassing PaX ASLR protection
- nibbles.tuxfamily.org/?p=1190 Thoughts about ASLR, NX Stack and format string attacks
- cseweb.ucsd.edu/~hovav/dist/geometry.pdf Return-into-libc without Function Calls
- cr0.org/paper/to-jt-linux-alsr-leak.pdf Linux ASLR Curiosities, Tavis Ormandy, Julien Tinnes
- corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
- securitytube.net/Exploiting-a-buffer-overflow-under-Linux-kernel-2.6-with-ASLR-through-ret2reg-video.aspx
- securitytube.net/Bypassing-the-Linux-Kernel-ASLR-and-Exploiting-a-Buffer-Overflow-Vulnerable-Application-with-ret2esp-video.aspx
- securitytube.net/Exploiting-Buffer-Overflows-on-kernels-with-ASLR-enabled-using-Brute-Force-on-the-Stack-Layer-video.aspx
- http://ilm.thinkst.com/folklore/index.shtml
- http://www.corelan.be:8800/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/