Exploitation Resources
General courses
Assembly basics
- x86 asm guide
- MazeGen's x86 reference
- x86 / amd64 instruction reference
- Skull Security x86 register guide
- 64-bit NASM tutorial
Shellcoding
Basics
- Corelan's stack-based overflow intro
- Security Sift intro to Windows exploit development
- Security Sift intro to stack overflow
- Shellcoding for Linux and Windows
- The Shellcoder's Handbook
- Hacking: The Art of Exploitation
Jump techniques
- Two-byte jumps by Daniel B. Sedory
- Jumping with bad characters
- Corelan: jumping to shellcode
- Security Sift: locating shellcode with jumps
win32 specific
- ch3rn0byl's win32 shellcoding samples
- Security Sift handling changing offsets and rebased modules
- Create a custom shellcode using System() function
- Corelan intro to win32 shellcoding
- FuzzySecurity writing win32 shellcode
- Comprehensive list of Windows syscalls
Fuzzing
Methodologies
Tools
SEH
- Corelan SEH tutorial part 1
- Corelan SEH tutorial part 2
- FuzzySecurity Structured Exception Handler
- Security Sift SEH exploits
- The need for POP POP RET instruction sequence
- SEH overflow + egghunter in 1 go
Egg hunting
- Corelan win32 egghunting tutorial
- FuzzySecurity egghunting
- Security Sift locating shellcode with egg-hunting
- Infosec Institute egghunter exploitation tutorial
- Corelan win32 eggs to omelet
- Safely Searching Process Virtual Address Space (PDF)
- Corelan Wow64 egghunter
- x64 egg-hunting in Linux systems
PE
General reference
Backdooring
- Fully undetectable backdooring PE file
- Backdooring PE file with ASLR
- Analysing PE executables and their ASLR, DEP, SEH and CFG security flags
AV bypass
Tools
ELF
GOT / PLT
DEP / ROP
Background
Bypassing
- FuzzySecurity ROP
- Bytes Over Bombs bypassing DEP with ROP (32-bit)
- ROP writeups
- Corelan ROPping eggs for breakfast
- Corelan ROP retn+offset and impact on stack setup
- Corelan chaining DEP with ROP - the Rubik's Cube
- Corelan universal DEP/ASLR bypass with msvcr71.dll and mona.py
win32 DEP function reference
- WriteProcessMemory
- VirtualAlloc
- HeapCreate
- SetProcessDEPPolicy
- NtSetInformationProcess
- VirtualProtect
- Memory protection constants
ASLR
- Bypassing ASLR with partial EIP overwrite
- FireEye ASLR bypass in recent zero-day exploits
- Bypassing Windows ASLR with MS-Help
- Corelan bypassing stack cookies, SafeSEH, SEHOP, HW DEP, and ASLR
- McAfee emerging stack pivoting exploits
Stack canaries
Heap Exploitation
Spraying
- FuzzySecurity putting needles in the haystack
- FuzzySecurity finding a needle in the haystack
- Heap spraying in IE with ROP NOPs
- Corelan precise heap spray on Firefox and IE10
- Corelan Windows 10 x86/wow64 userland heap
- Corelan heap spraying demystified
Walkthroughs
Encoding shellcode
Methodologies
Tools
One-way shellcode
- Phrack history and advances in Windows shellcode
- skape's Understanding Windows Shellcode
- Shellcode/socket reuse
- Windows reuse shellcode based on socket's lifetime
- Brett Moore's 91-byte cmd.exe-spawning method
Unicode
- Phrack building IA32 unicode-proof shellcodes
- Corelan exploit writing tutorial - unicode
- FuzzySecurity unicode
- Security Sift Windows unicode buffer overflows
Network attacks
- Symantec: Cisco SNMP configuration attack with a GRE tunnel
- Hacking networks with SNMP
- Bypassing router ACLs
- Bypassing Cisco SNMP access lists using spoofed SNMP requests
- TCP session hijacking
Exploits in the wild
Exploit DB
- HP OpenView NNM SEH overflow
- Solar FTP Server 2.1.1 overflow
- KenWard's Zipper filename overflow
- Easy File Management Web Server 5.3 remote overflow
- Easy File Sharing FTP Server 3.5 remote overflow
- freeFTPd 1.0.10 remote overflow
Walkthroughs / guides
- Offensive Security QuickZip stack buffer overflow
- Knapsy's QuickZip Win7 x64 SEH / egghunter / custom encoder
- Corelan Offensive Security exploit weekend writeup
- Easy Chat Server Exploit <= 3.1 - SEH stack based overflow
- Mati Aharoni - from bug to 0day (video)