Untitled
a guest
Jul 29th, 2010
This document is in fieri, and, as such, will be subject to change in the near future.


My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.

- sar


Buffer overflows:
-----------------
http://insecure.org/stf/mudge_buffer_overflow_tutorial.html How to write buffer overflows, mudge, 1995
http://www.phrack.com/issues.html?issue=49&id=14 Smashing the stack for fun and profit, Aleph One, 1996
http://www.phrack.com/issues.html?issue=55&id=8 The Frame Pointer Overwrite, klog, 1999
http://www.phrack.com/issues.html?issue=55&id=15 win32 buffer overflows, dark spyrit, 1999

Return-into-lib / Return oriented programming:
----------------------------------------------
http://marc.info/?l=bugtraq&m=87602746719512 Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997
http://www.phrack.com/issues.html?issue=58&id=4 More advanced ret-into-lib(c) techniques, Nergal, 2001
http://benpfaff.org/papers/asrandom.pdf On the effectiveness of address-space randomization, , 2004
http://www.suse.de/~krahmer/no-nx.pdf Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005
http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007
http://www.immunitysec.com/downloads/DEPLIB.pdf Defeating DEP, the Immunity Debugger way, Pablo Sole, 2008
http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf The Case of Return-Oriented Programming and the AVC Advantage, 2009
http://www.sourceconference.com/bos10pubs/Dino.pdf Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010

Heap exploitation:
------------------
http://w00w00.org/files/articles/heaptut.txt w00w00 on heap overflows, Matt Conover, 1999
http://www.phrack.com/issues.html?issue=57&id=8 Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001
http://www.phrack.com/issues.html?issue=57&id=9 Once upon a free(), anonymous author, 2001
http://www.phrack.com/issues.html?issue=61&id=6 Advanced Doug Lea's malloc exploits, jp, 2003
http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html Exploiting the wilderness, Phantasmal Phantasmagoria, 2004
http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt Malloc Maleficarum, Phantasmal Phantasmagoria, 2005
http://www.phrack.com/issues.html?issue=66&id=6 Yet another free() exploitation technique, huku, 2009

Format string exploitation:
---------------------------
http://crypto.stanford.edu/cs155old/cs155-spring08/papers/formatstring-1.2.pdf Exploiting format string vulnerabilities, scut / Team-TESO, 2001
http://www.phrack.com/issues.html?issue=59&id=7 Advances in format string exploitation, gera, 2002
http://www.milw0rm.com/papers/103 An alternative method in format string exploitation, K-sPecial, 2006

Integer overflows:
------------------
http://www.phrack.com/issues.html?issue=60&id=9 Big Loop Integer Protection, Oded Horovitz, 2002
http://www.phrack.com/issues.html?issue=60&id=10 Basic Integer Overflows, blexim, 2002

Null-ptr dereference:
---------------------
http://cansecwest.com/core05/memory_vulns_delalleau.pdf Large memory management vulnerabilities, Gael Delalleau, 2005
http://www.uninformed.org/?v=4&a=5&t=pdf Exploiting the Otherwise Non-exploitable on Windows, skape, 2006
http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf Vector rewrite attack, Barnaby Jack, 2007
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008

JIT-spray:
----------
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf Pointer inference and JIT-Spraying, Dion Blazakis, 2010
http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010

Other:
------
http://seclists.org/bugtraq/2000/Dec/175 Overwriting the .dtors section, Juan M. Bello Rivas, 2000
http://vxheavens.com/lib/viz00.html Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006


Unorganized:
------------

http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/

http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf exploit null ptr dereference

http://www.phrack.com/issues.html?issue=57&id=18 writing ia32 alphanumeric shellcode

http://www.usenix.org/events/sec05/tech/full_papers/kruegel/kruegel_html/attack.html Automating mimicry attacks using static binary analysis

http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/

http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/

http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf

http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf

http://www.phrack.com/issues.html?issue=64&id=6 Attacking the Core : Kernel Exploiting Notes, 2007

http://lkml.org/lkml/2010/5/27/490

http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf

http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/

• http://eeyeresearch.typepad.com/blog/2006/08/post_ms06035_ma.html
• http://www.phrack.org/phrack/63/p63-0x0e_Shifting_the_Stack_Pointer.txt
• http://seclists.org/vuln-dev/2002/Nov/att-0056/0
• http://www.pine.nl/press/pine-cert-20030101.txt
• http://seclists.org/bugtraq/2000/Jan/0016.html


ASLR:
-----
www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf ASLR Smack and Laugh Reference
cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt Advanced Buffer Overflow Methods
sts.synflood.de/dump/doc/smackthestack.txt Smack the Stack
blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf Exploiting the random number generator to bypass ASLR
en.wikipedia.org/wiki/Address_space_layout_randomization Wikipedia on ASLR
usenix.org/events/sec09/tech/slides/sotirov.pdf Bypassing Memory Protections: The Future of Exploitation
stanford.edu/~blp/papers/asrandom.pdf On the Effectiveness of Address-Space Randomization
milw0rm.com/papers/55 Exploiting with linux-gate.so.1
milw0rm.com/papers/94 Circumventing the VA kernel patch For Fun and Profit
timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/ Defeating the Matasano C++ Challenge
phrack.com/issues.html?issue=59&id=9 Bypassing PaX ASLR protection
nibbles.tuxfamily.org/?p=1190 Thoughts about ASLR, NX Stack and format string attacks
cseweb.ucsd.edu/~hovav/dist/geometry.pdf Return-into-libc without Function Calls
cr0.org/paper/to-jt-linux-alsr-leak.pdf Linux ASLR Curiosities, Tavis Ormandy, Julien Tinnes
corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
securitytube.net/Exploiting-a-buffer-overflow-under-Linux-kernel-2.6-with-ASLR-through-ret2reg-video.aspx
securitytube.net/Bypassing-the-Linux-Kernel-ASLR-and-Exploiting-a-Buffer-Overflow-Vulnerable-Application-with-ret2esp-video.aspx
securitytube.net/Exploiting-Buffer-Overflows-on-kernels-with-ASLR-enabled-using-Brute-Force-on-the-Stack-Layer-video.aspx


http://ilm.thinkst.com/folklore/index.shtml

http://www.corelan.be:8800/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/