
This document is in fieri, and, as such, will be subject to change in the near future.


My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.

- sar


Buffer overflows:
-----------------
http://insecure.org/stf/mudge_buffer_overflow_tutorial.html How to write buffer overflows, mudge, 1995
http://www.phrack.com/issues.html?issue=49&id=14 Smashing the stack for fun and profit, Aleph One, 1996
http://www.phrack.com/issues.html?issue=55&id=8 The Frame Pointer Overwrite, klog, 1999
http://www.phrack.com/issues.html?issue=55&id=15 win32 buffer overflows, dark spyrit, 1999

Return-into-lib / Return oriented programming:
----------------------------------------------
http://marc.info/?l=bugtraq&m=87602746719512 Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997
http://www.phrack.com/issues.html?issue=58&id=4 More advanced ret-into-lib(c) techniques, Nergal, 2001
http://benpfaff.org/papers/asrandom.pdf On the effectiveness of address-space randomization, 2004
http://www.suse.de/~krahmer/no-nx.pdf Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005
http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007
http://www.immunitysec.com/downloads/DEPLIB.pdf Defeating DEP, the Immunity Debugger way, Pablo Sole, 2008
http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf The Case of Return-Oriented Programming and the AVC Advantage, 2009
http://www.sourceconference.com/bos10pubs/Dino.pdf Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010

Heap exploitation:
------------------
http://w00w00.org/files/articles/heaptut.txt w00w00 on heap overflows, Matt Conover, 1999
http://www.phrack.com/issues.html?issue=57&id=8 Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001
http://www.phrack.com/issues.html?issue=57&id=9 Once upon a free(), anonymous author, 2001
http://www.phrack.com/issues.html?issue=61&id=6 Advanced Doug Lea's malloc exploits, jp, 2003
http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html Exploiting the wilderness, Phantasmal Phantasmagoria, 2004
http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt Malloc Maleficarum, Phantasmal Phantasmagoria, 2005
http://www.phrack.com/issues.html?issue=66&id=6 Yet another free() exploitation technique, huku, 2009

Format string exploitation:
---------------------------
http://crypto.stanford.edu/cs155old/cs155-spring08/papers/formatstring-1.2.pdf Exploiting format string vulnerabilities, scut / Team-TESO, 2001
http://www.phrack.com/issues.html?issue=59&id=7 Advances in format string exploitation, gera, 2002
http://www.milw0rm.com/papers/103 An alternative method in format string exploitation, K-sPecial, 2006


Integer overflows:
------------------
http://www.phrack.com/issues.html?issue=60&id=9 Big Loop Integer Protection, Oded Horovitz, 2002
http://www.phrack.com/issues.html?issue=60&id=10 Basic Integer Overflows, blexim, 2002


Null-ptr dereference:
---------------------
http://cansecwest.com/core05/memory_vulns_delalleau.pdf Large memory management vulnerabilities, Gael Delalleau, 2005
http://www.uninformed.org/?v=4&a=5&t=pdf Exploiting the Otherwise Non-exploitable on Windows, skape, 2006
http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf Vector rewrite attack, Barnaby Jack, 2007
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008

JIT-spray:
----------
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf Pointer inference and JIT-Spraying, Dion Blazakis, 2010
http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010


Other:
------
http://seclists.org/bugtraq/2000/Dec/175 Overwriting the .dtors section, Juan M. Bello Rivas, 2000
http://vxheavens.com/lib/viz00.html Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006



Unorganized:
------------
http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf exploit null ptr dereference
http://www.phrack.com/issues.html?issue=57&id=18 writing ia32 alphanumeric shellcode
http://www.usenix.org/events/sec05/tech/full_papers/kruegel/kruegel_html/attack.html Automating mimicry attacks using static binary analysis
http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/
http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/
http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf
http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
http://www.phrack.com/issues.html?issue=64&id=6 Attacking the Core: Kernel Exploiting Notes, 2007
http://lkml.org/lkml/2010/5/27/490
http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
http://eeyeresearch.typepad.com/blog/2006/08/post_ms06035_ma.html
http://www.phrack.org/phrack/63/p63-0x0e_Shifting_the_Stack_Pointer.txt
http://seclists.org/vuln-dev/2002/Nov/att-0056/0
http://www.pine.nl/press/pine-cert-20030101.txt
http://seclists.org/bugtraq/2000/Jan/0016.html

ASLR:
-----
www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf ASLR Smack and Laugh Reference
cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt Advanced Buffer Overflow Methods
sts.synflood.de/dump/doc/smackthestack.txt Smack the Stack
blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf Exploiting the random number generator to bypass ASLR
en.wikipedia.org/wiki/Address_space_layout_randomization Wikipedia on ASLR
usenix.org/events/sec09/tech/slides/sotirov.pdf Bypassing Memory Protections: The Future of Exploitation
stanford.edu/~blp/papers/asrandom.pdf On the Effectiveness of Address-Space Randomization
milw0rm.com/papers/55 Exploiting with linux-gate.so.1
milw0rm.com/papers/94 Circumventing the VA kernel patch For Fun and Profit
timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/ Defeating the Matasano C++ Challenge
phrack.com/issues.html?issue=59&id=9 Bypassing PaX ASLR protection
nibbles.tuxfamily.org/?p=1190 Thoughts about ASLR, NX Stack and format string attacks
cseweb.ucsd.edu/~hovav/dist/geometry.pdf Return-into-libc without Function Calls
cr0.org/paper/to-jt-linux-alsr-leak.pdf Linux ASLR Curiosities, Tavis Ormandy, Julien Tinnes
corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
securitytube.net/Exploiting-a-buffer-overflow-under-Linux-kernel-2.6-with-ASLR-through-ret2reg-video.aspx
securitytube.net/Bypassing-the-Linux-Kernel-ASLR-and-Exploiting-a-Buffer-Overflow-Vulnerable-Application-with-ret2esp-video.aspx
securitytube.net/Exploiting-Buffer-Overflows-on-kernels-with-ASLR-enabled-using-Brute-Force-on-the-Stack-Layer-video.aspx

http://ilm.thinkst.com/folklore/index.shtml

http://www.corelan.be:8800/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/