This document is in fieri, and, as such, will be subject to change in the near future.
My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker. I have tried to order the articles by technique and chronology.

- sar

Buffer overflows:
-----------------
http://insecure.org/stf/mudge_buffer_overflow_tutorial.html  How to write buffer overflows, mudge, 1995
http://www.phrack.com/issues.html?issue=49&id=14  Smashing the stack for fun and profit, Aleph One, 1996
http://www.phrack.com/issues.html?issue=55&id=8  The Frame Pointer Overwrite, klog, 1999
http://www.phrack.com/issues.html?issue=55&id=15  win32 buffer overflows, dark spyrit, 1999

Return-into-lib / Return oriented programming:
----------------------------------------------
http://marc.info/?l=bugtraq&m=87602746719512  Getting around non-executable stack (and fix) (first public description of a return-into-libc exploit), Solar Designer, 1997
http://www.phrack.com/issues.html?issue=58&id=4  More advanced ret-into-lib(c) techniques, Nergal, 2001
http://benpfaff.org/papers/asrandom.pdf  On the effectiveness of address-space randomization, 2004
http://www.suse.de/~krahmer/no-nx.pdf  Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005
http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf  The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007
http://www.immunitysec.com/downloads/DEPLIB.pdf  Defeating DEP, the Immunity Debugger way, Pablo Sole, 2008
http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf  The Case of Return-Oriented Programming and the AVC Advantage, 2009
http://www.sourceconference.com/bos10pubs/Dino.pdf  Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010

Heap exploitation:
------------------
http://w00w00.org/files/articles/heaptut.txt  w00w00 on heap overflows, Matt Conover, 1999
http://www.phrack.com/issues.html?issue=57&id=8  Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001
http://www.phrack.com/issues.html?issue=57&id=9  Once upon a free(), anonymous author, 2001
http://www.phrack.com/issues.html?issue=61&id=6  Advanced Doug Lea's malloc exploits, jp, 2003
http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html  Exploiting the wilderness, Phantasmal Phantasmagoria, 2004
http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt  Malloc Maleficarum, Phantasmal Phantasmagoria, 2005
http://www.phrack.com/issues.html?issue=66&id=6  Yet another free() exploitation technique, huku, 2009

Format string exploitation:
---------------------------
http://crypto.stanford.edu/cs155old/cs155-spring08/papers/formatstring-1.2.pdf  Exploiting format string vulnerabilities, scut / Team-TESO, 2001
http://www.phrack.com/issues.html?issue=59&id=7  Advances in format string exploitation, gera, 2002
http://www.milw0rm.com/papers/103  An alternative method in format string exploitation, K-sPecial, 2006

Integer overflows:
------------------
http://www.phrack.com/issues.html?issue=60&id=9  Big Loop Integer Protection, Oded Horovitz, 2002
http://www.phrack.com/issues.html?issue=60&id=10  Basic Integer Overflows, blexim, 2002

Null-ptr dereference:
---------------------
http://cansecwest.com/core05/memory_vulns_delalleau.pdf  Large memory management vulnerabilities, Gael Delalleau, 2005
http://www.uninformed.org/?v=4&a=5&t=pdf  Exploiting the Otherwise Non-exploitable on Windows, skape, 2006
http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf  Vector rewrite attack, Barnaby Jack, 2007
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf  Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008

JIT-spray:
----------
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf  Pointer inference and JIT-Spraying, Dion Blazakis, 2010
http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf  Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010

Other:
------
http://seclists.org/bugtraq/2000/Dec/175  Overwriting the .dtors section, Juan M. Bello Rivas, 2000
http://vxheavens.com/lib/viz00.html  Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006

Unorganized:
------------
http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf  exploit null ptr dereference
http://www.phrack.com/issues.html?issue=57&id=18  writing ia32 alphanumeric shellcode
http://www.usenix.org/events/sec05/tech/full_papers/kruegel/kruegel_html/attack.html  Automating mimicry attacks using static binary analysis
http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/
http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/
http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf
http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
http://www.phrack.com/issues.html?issue=64&id=6  Attacking the Core: Kernel Exploiting Notes, 2007
http://lkml.org/lkml/2010/5/27/490
http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
http://eeyeresearch.typepad.com/blog/2006/08/post_ms06035_ma.html
http://www.phrack.org/phrack/63/p63-0x0e_Shifting_the_Stack_Pointer.txt
http://seclists.org/vuln-dev/2002/Nov/att-0056/0
http://www.pine.nl/press/pine-cert-20030101.txt
http://seclists.org/bugtraq/2000/Jan/0016.html

ASLR:
-----
www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf  ASLR Smack and Laugh Reference
cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt  Advanced Buffer Overflow Methods
sts.synflood.de/dump/doc/smackthestack.txt  Smack the Stack
blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf  Exploiting the random number generator to bypass ASLR
en.wikipedia.org/wiki/Address_space_layout_randomization  Wikipedia on ASLR
usenix.org/events/sec09/tech/slides/sotirov.pdf  Bypassing Memory Protections: The Future of Exploitation
stanford.edu/~blp/papers/asrandom.pdf  On the Effectiveness of Address-Space Randomization
milw0rm.com/papers/55  Exploiting with linux-gate.so.1
milw0rm.com/papers/94  Circumventing the VA kernel patch For Fun and Profit
timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/  Defeating the Matasano C++ Challenge
phrack.com/issues.html?issue=59&id=9  Bypassing PaX ASLR protection
nibbles.tuxfamily.org/?p=1190  Thoughts about ASLR, NX Stack and format string attacks
cseweb.ucsd.edu/~hovav/dist/geometry.pdf  Return-into-libc without Function Calls
cr0.org/paper/to-jt-linux-alsr-leak.pdf  Linux ASLR Curiosities, Tavis Ormandy, Julien Tinnes
corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
securitytube.net/Exploiting-a-buffer-overflow-under-Linux-kernel-2.6-with-ASLR-through-ret2reg-video.aspx
securitytube.net/Bypassing-the-Linux-Kernel-ASLR-and-Exploiting-a-Buffer-Overflow-Vulnerable-Application-with-ret2esp-video.aspx
securitytube.net/Exploiting-Buffer-Overflows-on-kernels-with-ASLR-enabled-using-Brute-Force-on-the-Stack-Layer-video.aspx
http://ilm.thinkst.com/folklore/index.shtml
http://www.corelan.be:8800/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/