1. How to use this wiki ... or some advice for beginners

1.1. Required knowledge

At least basic knowledge of assembly, OS internals and the C/C++ languages is needed to get the most value from this wiki. You will also need to know how to work with tools like debuggers, disassemblers, etc. Knowledge of a scripting language (like Python, Perl or Ruby) will help you develop exploits faster, along with some handy tools you might need. Tutorials work like glue that ties theoretical knowledge together and gives you a boost in practical usage. Links that cover these prerequisites are not listed here; it is assumed that you will find them yourself, since this is an exploitation wiki. However, you can look for what you need to acquire the required knowledge here: "From 0x90 to 0x4c454554, a journey into exploitation".

1.2. What to start with

The simplest vulnerabilities from the point of view of exploitation are stack-based buffer overflows, so for novice exploit writers they are the obvious starting point. Peter Van Eeckhoutte's (corelanc0d3r) series of tutorials is the right thing to start with: it is well structured, explained step by step, and covers most exploitation topics, starting with the easy ones and continuing with progressively more complex ones. Another great read that will definitely help novice exploit writers warm up is "Smashing the stack in 2010" by Andrea Cugliari and Mariano Graziano. These papers cover both Windows and Linux environments, explain assembly, and contain exploitation examples for real-world vulnerabilities. And for all those planning a long-term roadmap: "How do I become a Ninja?".

1.3. Actual and outdated topics

Keep in mind that old articles (or new ones that focus on old OSs) might confuse you. In recent years several mitigation techniques have appeared across operating systems, various kernel changes have been applied, APIs have been broadened, etc. So be careful when trying to reproduce tutorial steps. Most likely, you will need to disable mitigations or set up an older operating system to make your exploits work. It is worth going through the section "Timeline and history" first. Another suggestion for beginners in the field of exploitation: do not hurry to cover complex topics like ASLR and DEP bypassing, heap exploitation, etc. It is better to devote time to learning what is mentioned in section 1.1 and to follow tutorials. Introducing new obstacles step by step is a good strategy not only in learning, but in exploit development in general.

1.4. Types of references

As you might have noticed, the tables have a column called Type. Those types mean the following:

- Tutorial - explanation of a subject in detail, with real vulnerability examples;
- Article - explanation of a subject in detail, more theoretically oriented;
- Blog post - brief explanation of a subject, might include subjective opinion;
All other types should be clear from their names. Sometimes references point directly to downloadable PDF files; those links are in italic.

1.5. About classification

Sometimes it is hard to determine where to put a reference, because a topic can cover multiple items at once. In such cases the reference is placed under the category the author wanted to draw attention to. Another thing to bear in mind is that OS/Arch here refers only to the exploitation or explanation discussed in the topic, not to the possibly affected systems/software.

2. Exploiting vulnerabilities

2.1. Stack based buffer overflow

CWE-121: Stack-based Buffer Overflow

| Nr | URL | Description | Date | Type | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://blogs.securiteam.com/index.php/archives/638 | Heap Spraying: Exploiting Internet Explorer VML 0-day | 23-09-2006 | Tutorial | Windows, x86-32 | CVE-2006-4868 |
| 2 | http://www.i-hacked.com/freefiles/EasyChat_SEH_exploit_v1.3.pdf | Understanding SEH (Structured Exception Handler) Exploitation | 06-07-2009 | Article | Windows, x86-32 | CVE-2004-2466 |
| 3 | http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ | Exploit writing tutorial part 1 : Stack Based Overflows | 19-07-2009 | Tutorial | Windows, x86-32 | EDB-ID-9177 |
| 4 | http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/ | Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode | 23-07-2009 | Tutorial | Windows, x86-32 | N/A |
| 5 | http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ | Exploit writing tutorial part 3 : SEH Based Exploits | 25-07-2009 | Tutorial, video | Windows, x86-32 | N/A |
| 6 | http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ | Exploit writing tutorial part 3b : SEH Based Exploits – just another example | 28-07-2009 | Tutorial | Windows, x86-32 | EDB-ID-9298 |
| 7 | http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html | SEH Stack Based Buffer Overflow Tutorial | 07-01-2010 | Tutorial | Windows, x86-32 | OSVDB-61386 |
| 8 | http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html | Stack Based Buffer Overflow Tutorial | 07-01-2010 | Tutorial | Windows, x86-32 | CVE-2004-2271 |
| 9 | http://www.phreedom.org/research/vulnerabilities/ani-header/ | Windows ANI header buffer overflow | 29-03-2010 | Article, slides, video | Windows, x86-32 | CVE-2007-0038 |
| 10 | http://www.ethicalhacker.net/content/view/309/2/ | Tutorial: SEH Based Exploits and the Development Process | 04-05-2010 | Tutorial | Windows, x86-32 | OSVDB-62779 |
| 11 | https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=1tioiVT1jjM-xCzYc-2EPTcATOZ07gUcMshqKf8GHNp47vLvn5yT7wprAUpkb&hl=en | Debugging an SEH 0day | 29-05-2010 | Tutorial (PDF) | Windows, x86-32 | CVE-2010-0688 |
| 12 | http://www.offensive-security.com/vulndev/evocam-remote-buffer-overflow-on-osx/ | Evocam Remote Buffer Overflow on OSX | 04-06-2010 | Tutorial | Mac OS X (Leopard 10.5.8), x86-32 | CVE-2010-2309 |
| 13 | http://turkeyland.net/projects/overflow/index.php | Buffer Overflows and You | 04-08-2010 | Article | Linux x86-64 | N/A |
| 14 | http://www.vupen.com/blog/20100909.Adobe_Acrobat_Reader_0_Day_Exploit_CVE-2010-2883_Technical_Analysis.php | Criminals Are Getting Smarter: Analysis of the Adobe Acrobat / Reader 0-Day Exploit | 09-09-2010 | Article | Windows, x86-32 | CVE-2010-2883 |
| 15 | http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ | Bypassing UAC with User Privilege under Windows Vista/7 – Mirror | 26-11-2010 | Article, video | Windows, x86-32 | CVE-2010-4398 |
| 16 | http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/ | Stack Based Buffer Overflow Tutorial, part 1 — Introduction | 09-03-2011 | Tutorial | Windows, x86-32 | N/A |
| 17 | http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-2-%E2%80%94-exploiting-the-stack-overflow/ | Stack Based Buffer Overflow Tutorial, part 2 — Exploiting the stack overflow | 09-03-2011 | Tutorial | Windows, x86-32 | N/A |
| 18 | http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-3-%E2%80%94-adding-shellcode/ | Stack Based Buffer Overflow Tutorial, part 3 — Adding shellcode | 09-03-2011 | Tutorial | Windows, x86-32 | N/A |
| 19 | http://resources.infosecinstitute.com/seh-exploit/ | SEH Based Overflow Exploit Tutorial | 28-04-2011 | Tutorial | Windows, x86-32 | N/A |
| 20 | http://blogs.securiteam.com/index.php/archives/1558 | VMware UDF Stack Buffer Overflow | 10-10-2011 | Blog | Windows, x86-32 | CVE-2011-3868 |
| 21 | http://www.greyhathacker.net/?p=380 | RemoteExec Computers List Buffer Overflow ROP Exploit | 06-11-2011 | Tutorial | Windows, x86-32 | http://secunia.com/advisories/38733/ |
| 22 | http://blog.carlosgarciaprado.com/?p=1036 | x86-64 Exploitation 101. A comparative primer. | 29-04-2012 | Tutorial | Linux, x86-64 | N/A |
2.2. Heap based buffer overflow

CWE-122: Heap-based Buffer Overflow

| Nr | URL | Description | Date | Type | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://immunitysec.com/resources-papers.shtml (part 1) (part 2) | Exploiting the MSRPC Heap Overflow | 11-09-2003 | Tutorial (PDF) | Windows, x86-32 | CVE-2003-0352 |
| 2 | http://lists.virus.org/darklab-0402/msg00000.html | Windows Heap Overflow Exploitation | 02-02-2004 | Article | Windows, x86-32 | N/A |
| 3 | http://www.exploit-db.com/papers/13178/ | Windows Heap Overflows using the Process Environment Block (PEB) | 31-05-2006 | Article | Windows, x86-32 | N/A |
| 4 | http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html | A heap of risk: Buffer overflows on the heap and how they are exploited | 28-06-2006 | Article | Windows, x86-32 | N/A |
| 5 | http://securityevaluators.com/files/papers/isewoot08.pdf | Engineering Heap Overflow Exploits with JavaScript | 08-09-2008 | Article (PDF) | - | N/A |
| 6 | http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf | Practical Windows XP/2003 Heap Exploitation | xx-07-09 | Article (PDF) | Windows, x86-32 | N/A |
| 7 | http://crazylazy.info/blog/?q=print/content/0x41-weekly-exploitation-matters-heap-overflow-fundamentals | 0x41 - weekly exploitation matters - Heap overflow fundamentals | 23-03-2010 | Tutorial | Windows, x86-32 | CVE-2009-4324 |
| 8 | http://grey-corner.blogspot.com/2010/03/difference-between-heap-overflow-and.html | The Difference Between Heap Overflow and Use After Free Vulnerabilities | 31-03-2010 | Article | - | N/A |
| 9 | http://blogs.cisco.com/security/comments/exploring_heap-based_buffer_overflows_with_the_application_verifier/ | Exploring Heap-Based Buffer Overflows with the Application Verifier | 29-03-2010 | Article | Windows, x86-32 | N/A |
| 10 | http://blogs.iss.net/archive/RequiredReading.html | Heap Cache Exploitation - White Paper by IBM Internet Security Systems | xx-07-2010 | Article | Windows, x86-32 | N/A |
| 11 | https://net-ninja.net/blog/?p=293 | Heap Overflows For Humans – 101 | 24-10-2010 | Article | Windows, x86-32 | N/A |
| 12 | http://www.breakingpointsystems.com/community/blog/ie-vulnerability/ | When A DoS Isn't A DoS | 16-12-2010 | Tutorial | Windows, x86-32 | OSVDB-69796 |
| 13 | http://www.vupen.com/blog/20101221.Exim_string_vformat_Remote_Overflow_Analysis_CVE-2010-4344.php | Technical Analysis of Exim "string_vformat()" Buffer Overflow Vulnerability | 21-12-2010 | Article | Linux x86-32 | CVE-2010-4344 |
| 14 | http://www.breakingpointsystems.com/community/blog/microsoft-vulnerability-proof-of-concept/ | From Patch to Proof-of-Concept: MS10-081 | 10-01-2011 | Tutorial | Windows, x86-32 | CVE-2010-2746 |
| 15 | http://vreugdenhilresearch.nl/ms11-002-pwn2own-heap-overflow/ | MS11-002 Pwn2Own heap overflow | 12-01-2011 | Blog post, Article (PDF) | Windows, x86-32 | CVE-2011-0027 |
| 16 | http://www.skullsecurity.org/blog/2011/a-deeper-look-at-ms11-058 | A deeper look at ms11-058 | 23-08-2011 | Article | Windows, x86-32 | CVE-2011-1966 |
| 17 | https://net-ninja.net/blog/?p=674 | Heap Overflows For Humans – 102 | 02-09-2011 | Article | Windows, x86-32 | N/A |
| 18 | http://net-ninja.net/blog/?p=952 | Heap Overflows For Humans 102.5 | 28-12-2011 | Article | Windows, x86-32 | N/A |
| 19 | http://net-ninja.net/blog/?p=1034 | Heap Overflows For Humans 103 | 04-01-2012 | Article | Windows, x86-32 | N/A |
| 20 | http://net-ninja.net/blog/?p=1260 | Heap Overflows For Humans 103.5 | 13-01-2012 | Article | Windows, x86-32 | N/A |
| 21 | http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php | Analysis & Advanced Exploitation of Windows Multimedia Library Heap Overflow (MS12-004) | 17-01-2012 | Article | Windows, x86-32 | CVE-2012-0003 |
| 22 | https://net-ninja.net/article/2012/Mar/1/heap-overflows-for-humans-104/ | Heap Overflows For Humans 104 | 11-03-2012 | Article | Windows, x86-32 | N/A |
2.3. Data type issues

CWE-682: Incorrect Calculation, CWE-704: Incorrect Type Conversion or Cast

2.4. Format string injection

CWE-134: Uncontrolled Format String

2.5. Pointer issues

CWE-465: Pointer Issues, CWE-415: Double Free, CWE-476: NULL Pointer Dereference

| Nr | URL | Description | Date | Type | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://www.symantec.com/ (part 1) (part 2) | Double Free Vulnerabilities | 19/22-01-2007 | Article | Windows XP SP2, x86-32 | N/A |
| 2 | http://www.theregister.co.uk/2007/06/13/null_exploit_interview/ | Embedded problems: exploiting NULL pointer dereferences | 13-06-2007 | Interview | ARM, XScale | N/A |
| 3 | https://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf | Dangling Pointer - Smashing the Pointer for Fun and Profit | 02-07-2007 | Article | Windows, x32 | CVE-2005-4360 |
| 4 | http://searchsecurity.techtarget.com.au/news/2240019328/QA-Mark-Dowd-on-NULL-pointer-dereference-bugs | Q&A: Mark Dowd on NULL pointer dereference bugs | 02-05-2008 | Transcript | - | N/A |
| 5 | http://blogs.iss.net/archive/cve-2008-0017.html | What You May Have Missed About CVE-2008-0017: A Firefox NULL Dereference Bug | 26-11-2008 | Article | Windows, x86-32 | CVE-2008-0017 |
| 6 | http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/ | Much ado about NULL: Exploiting a kernel NULL dereference | 13-04-2010 | Article | Linux, x86 | N/A |
| 7 | http://www.vupen.com/blog/20101018.Stuxnet_Win32k_Windows_Kernel_0Day_Exploit_CVE-2010-2743.php | Technical Analysis of the Windows Win32K.sys Keyboard Layout Stuxnet Exploit | 18-10-2010 | Article | Windows, x86-32 | CVE-2010-2743 |
| 8 | http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html | Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability | 24-01-2010 | Tutorial | Windows, x86-32 | CVE-2010-0249 |
| 9 | http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html | Insecticides don't kill bugs, Patch Tuesdays do (use-after-free) | 16-06-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
| 10 | http://www.exploit-monday.com/2011/07/post-mortem-analysis-of-use-after-free_07.html | Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260) | 07-07-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
| 11 | http://j00ru.vexillium.org/?p=893 | CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability | 12-07-2011 | Article | Windows, x86-32 | CVE-2011-1281 |
| 12 | http://j00ru.vexillium.org/?p=932 | CVE-2011-1282: User-Mode NULL Pointer Dereference & co. | 21-07-2011 | Article | Windows, x86-32 | CVE-2011-1282 |
| 13 | http://blogs.norman.com/2011/malware-detection-team/drag-and-drop-vulnerability-in-ms11-050 | Drag and Drop Vulnerability in MS11-050 | 29-07-2011 | Article | Windows, x32 | CVE-2011-1254 |
| 14 | http://picturoku.blogspot.com/2011/08/diaries-of-vulnerability.html | Diaries of a vulnerability: Understanding CVE-2011-1260 | 17-08-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
| 15 | http://picturoku.blogspot.com/2011/09/diaries-of-vulnerability-take-2.html | Diaries of a vulnerability - take 2: Stage 1 exploit - Controlling EIP | 01-09-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
| 16 | http://picturoku.blogspot.com/2011/11/diaries-of-vulnerability-take-3.html | Diaries of a vulnerability - take 3: Pray after free and use after pray | 02-11-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
| 17 | https://community.qualys.com/blogs/securitylabs/2011/12/02/ms11-077-from-patch-to-proof-of-concept | MS11-077: From Patch to Proof-of-Concept | 02-12-2011 | Article | Windows, x86-32 | CVE-2011-1985 |
| 18 | http://www.vupen.com/blog/20120116.Advanced_Exploitation_of_ProFTPD_Remote_Use_after_free_CVE-2011-4130_Part_II.php | Advanced Exploitation of ProFTPD Response Pool Use-after-free (CVE-2011-4130) - Part II | 16-01-2012 | Article | Linux, x86-32 | CVE-2011-4130 |
| 19 | http://ifsec.blogspot.com/2012/02/reliable-windows-7-exploitation-case.html (PoC) | Reliable Windows 7 Exploitation: A Case Study | 28-02-2012 | Article | Windows, x86-32 | CVE-2011-1999 |
| 20 | http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup | Pwn2Own Challenges: Heapsprays are for the 99% | 15-03-2012 | Article | Windows, x86-32 | CVE-2010-0248 |
2.6. Other cases

3. Mitigations and other obstacles

3.1. Resolving character and other issues

| Nr | URL | Description | Date | Type | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/ | Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc | 06-11-2009 | Tutorial | Windows, x86-32 | OSVDB-66912 |
| 2 | http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html | Windows Buffer Overflow Tutorial: Dealing with Character Translation | 17-01-2010 | Tutorial | Windows, x86-32 | OSVDB-59772 |
| 3 | http://www.abysssec.com/blog/2010/03/ken-ward-zipper-stack-bof-0day-a-not-so-typical-seh-exploit/ | Ken Ward Zipper Stack BOF 0day – a not so typical SEH exploit | 18-03-2010 | Tutorial | Windows, x86-32 | OSVDB-63125 |
| 4 | http://www.corelan.be:8800/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/ | Exploiting Ken Ward Zipper : Taking advantage of payload conversion | 27-03-2010 | Tutorial | Windows, x86-32 | N/A |
| 5 | http://www.corelan.be:8800/index.php/2010/03/27/quickzip-stack-bof-0day-a-box-of-chocolates/ | QuickZip Stack BOF 0day: a box of chocolates (2 parts) | 27-03-2010 | Tutorial | Windows, x86-32 | N/A |
| 6 | https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=1U1cGztE8e08ALZuGjSFRemHW5dhZ01YT1ab-ShCKOd5E82X62T82l7eQt2fb&hl=en | Unicode, the magic of exploiting 0x00410041 | 29-05-2010 | Tutorial (PDF) | Windows, x86-32 | CVE-2009-2225 |
| 7 | http://www.exploit-db.com/winamp-5-58-from-dos-to-code-execution/ | Winamp 5.58 from Denial of Service to Code Execution | 20-10-2010 | Tutorial | Windows, x86-32 | OSVDB-68645 |
| 8 | http://www.exploit-db.com/winamp-exploit-part-2/ | Winamp 5.58 from Denial of Service to Code Execution Part 2 | 02-11-2010 | Tutorial | Windows, x86-32 | OSVDB-68645 |
| 9 | https://www.corelan.be/index.php/2011/07/27/metasploit-bounty-the-good-the-bad-and-the-ugly/ | Metasploit Bounty – the Good, the Bad and the Ugly | 27-07-2011 | Tutorial | Windows, x86-32 | OSVDB-72817 |
3.2. Overcoming mitigations

| Nr | URL | Description | Date | Type | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://www.symantec.com/connect/articles/new-way-bypass-windows-heap-protections | A new way to bypass Windows heap protections | 31-08-2005 | Article | Windows XP SP2, x86-32 | N/A |
| 2 | https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B64ViR5GhSKINDcxZGM1YTItM2U0Ni00ZGZlLWFhNDgtZmY4YjE2Y2I1Y2Rk&hl=en | x86-64 buffer overflow exploits and the borrowed code chunks | 28-09-2005 | Article (PDF) | Linux x86-64 | N/A |
| 3 | http://www.uninformed.org/?v=2&a=4 | Bypassing Windows Hardware-enforced Data Execution Prevention | 02-10-2005 | Article | Windows, x86-32 | OSVDB-875 |
| 4 | http://cseweb.ucsd.edu/~hovav/papers/s07.html | The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) | xx-10-2007 | Article (PDF) | x86 | N/A |
| 5 | http://taossa.com/archive/bh08sotirovdowd.pdf | Bypassing Browser Memory Protections | 07-08-2008 | Article | Windows, x86-32 | N/A |
| 6 | http://www.sophsec.com/research/aslr_research.html | Attacking ASLR on Linux 2.6 | 27-05-2009 | Article | Linux | N/A |
| 7 | http://www.packetstormsecurity.org/papers/bypass/bypass-dep.pdf | Bypassing hardware based DEP on Windows Server 2003 SP2 | 10-06-2009 | Tutorial (PDF) | Windows, x86-32 | N/A |
| 8 | http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ | Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR | 12-09-2009 | Tutorial | Windows, x86-32 | CVE-2006-6199 |
| 9 | http://bernardodamele.blogspot.com/2009/12/dep-bypass-with-setprocessdeppolicy.html | DEP bypass with SetProcessDEPPolicy() | 09-12-2009 | Article | Windows, x86-32 | N/A |
| 10 | http://vrt-blog.snort.org/2009/12/dep-and-heap-sprays.html | DEP and Heap Sprays | 17-12-2009 | Blog post | Windows | N/A |
| 11 | http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/ | A gentle introduction to return-oriented programming | 12-03-2010 | Article | x86 | N/A |
| 12 | http://archives.neohapsis.com/archives/fulldisclosure/2010-03/att-0553/Windows-DEP-WPM.txt | Exploitation With WriteProcessMemory()/Yet Another DEP Trick | xx-03-2010 | Article | Windows | N/A |
| 13 | http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html | A little return oriented exploitation on Windows x86 (Part 1) | 12-04-2010 | Article | Windows, x86-32 | CVE-2010-0838 |
| 14 | http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html | A little return oriented exploitation on Windows x86 (Part 2) | 16-04-2010 | Article | Windows, x86-32 | N/A |
| 15 | http://divine-protection.com/wordpress/?p=20 | Advanced Return-Oriented Exploit | 05-05-2010 | Article | Linux, x86-32 | N/A |
| 16 | http://www.corelan.be:8800/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ | Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’sTM Cube | 16-06-2010 | Tutorial | Windows, x86-32 | N/A |
| 17 | https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=1g5FD5gjWAIu0iGf7gaF-DBfgya-u9kYX2KT9EgAdbpyjVzXI90imHI783LIF&hl=en | Bypassing ASLR and DEP under Windows | 17-06-2010 | Article (PDF) | Windows, x86-32 | N/A |
| 18 | http://eticanicomana.blogspot.com/2010/06/so-called-return-oriented-programming.html | The so called Return Oriented Programming... | 21-06-2010 | Blog post | Windows, x86-32 | N/A |
| 19 | http://www.exploit-db.com/osx-rop-exploits-evocam-case-study/ | OSX ROP Exploit – EvoCam Case Study | 06-07-2010 | Tutorial | Mac OS X | OSVDB-65043 |
| 20 | http://force.vnsecurity.net/download/longld/BHUS10_Paper_Payload_already_inside_data_reuse_for_ROP_exploits.pdf | Payload already inside: data reuse for rop exploits | 28-07-2010 | Article | Linux x86 | N/A |
| 21 | http://www.vnsecurity.net/2010/10/simple-mac-os-x-ret2libc-exploit-x86/ | Simple Mac OS X ret2libc exploit (x86) | 05-10-2010 | Blog post | Mac OS X, x86-32 | N/A |
| 22 | http://j00ru.vexillium.org/?p=690 | Exploiting the otherwise non-exploitable: Windows Kernel-mode GS cookies subverted | 11-01-2011 | Article (PDF) | Windows, x86-32 | CVE-2010-4398 |
| 23 | http://www.dis9.com/x-security/dep-bypass-with-setprocessdeppolicy.html | DEP bypass with SetProcessDEPPolicy() | 13-02-2011 | Blog post | Windows, x86-32 | N/A |
| 24 | http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/ | Defeating Windows 8 ROP Mitigation | 21-09-2011 | Blog post | Windows 8 | N/A |
| 25 | http://www.secfence.com/whitepapers/Whitepaper-on-ASLR-DEP-Bypass-Secfence-Technologies.pdf | Bypassing ASLR/DEP | 25-09-2011 | Article | Windows, x86-32 | CVE-2011-0065 |
| 26 | http://www.nes.fr/docs/NES-BypassWin7KernelAslr.pdf | Bypassing Windows 7 Kernel ASLR | 11-10-2011 | Article | Windows, x86-32 | N/A |
| 27 | http://falken.tuxfamily.org/?p=115 | Beat SMEP on Linux with Return-Oriented Programming | 09-11-2011 | Article | Linux, x86-64 | N/A |
| 28 | http://www.exploit-monday.com/2011/11/man-vs-rop-overcoming-adversity-one.html | Man vs. ROP - Overcoming Adversity One Gadget at a Time | 14-11-2011 | Article | Windows, x86-32 | N/A |
| 29 | http://blog.bkis.com/en/advanced-generic-rop-chain-for-windows-8/ | Advanced Generic ROP chain for Windows 8 | 16-11-2011 | Article | Windows 8 | CVE-2011-0065 |
| 30 | http://www.greyhathacker.net/?p=483 | Bypassing EMET’s EAF with custom shellcode using kernel pointer | 19-12-2011 | Tutorial | Windows, x86-32 | CVE-2010-3654 |
| 31 | http://seclists.org/fulldisclosure/2012/Jan/124 | SafeSEH+SEHOP all-at-once bypass explotation method principles | 10-01-2012 | Post | Windows, x86-32 | N/A |
| 32 | http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/ | Apache ModSetEnvIf Integer Overflow | 11-01-2012 | Article | Linux | CVE-2011-3607 |
| 33 | http://piotrbania.com/all/articles/anti_emet_eaf.txt | BYPASSING EMET Export Address Table Access Filtering feature | 19-01-2012 | Post | Windows, x86-32 | N/A |
| 34 | http://recxltd.blogspot.com/2012/03/partial-technique-against-aslr-multiple.html | A Partial Technique Against ASLR - Multiple O/Ss | 02-03-2012 | Article | Windows, x86-32 | N/A |
3.3. Advanced techniques, improvements

3.4. About mitigations

4. Shellcode writing

| Nr | URL | Description | Date | Type | OS/Arch | Info |
|---|---|---|---|---|---|---|
| 1 | http://hick.org/code/skape/papers/win32-shellcode.pdf | Understanding Windows Shellcode | 12-06-2003 | Article (PDF) | Windows, x86-32 | N/A |
| 2 | http://www.vividmachines.com/shellcode/shellcode.html | Shellcoding for Linux and Windows Tutorial | xx-06-2007 | Article | Windows, x86-32/Linux | N/A |
| 3 | http://blog.harmonysecurity.com/2009/08/calling-api-functions.html | Calling API Functions | 05-08-2009 | Article | Windows, x86-32 | N/A |
| 4 | http://blog.harmonysecurity.com/search/label/Shellcode | Implementing a Win32 Kernel Shellcode | 05-11-2009 | Article | Windows, x86-32 | N/A |
| 5 | http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/ | Exploit writing tutorial part 8 : Win32 Egg Hunting | 09-01-2010 | Tutorial | Windows, x86-32 | CVE-2009-3837 |
| 6 | http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html | Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump | 13-02-2010 | Tutorial | Windows, x86-32 | CVE-2005-0338 |
| 7 | http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/ | Exploit writing tutorial part 9 : Introduction to Win32 shellcoding | 25-02-2010 | Tutorial | Windows, x86-32 | N/A |
| 8 | http://www.corelan.be:8800/index.php/2010/08/22/exploit-notes-win32-eggs-to-omelet/ | Exploit notes – win32 eggs-to-omelet | 22-08-2010 | Article | Windows, x86-32 | N/A |
| 9 | http://www.exploit-db.com/foxit-reader-stack-overflow-exploit-egghunter/ | Foxit Reader Stack Overflow Exploit – Egghunter Edition | 14-11-2010 | Tutorial | Windows, x86-32 | OSVDB-68648 |
| 10 | http://mcdermottcybersecurity.com/articles/windows-x64-shellcode | Windows x64 shellcode | 11-01-2011 | Article | Windows, x86-64 | N/A |
| 11 | http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-3-%E2%80%94-adding-shellcode/ | Stack Based Buffer Overflow Tutorial, part 3 — Adding shellcode | 09-03-2011 | Tutorial | Windows, x86-32 | N/A |
| 12 | http://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/ | Hack Notes : Ropping eggs for breakfast | 12-05-2011 | Tutorial | Windows, x86-32 | N/A |
| 13 | http://gdtr.wordpress.com/2011/07/23/universal-rop-shellcode-for-os-x-x64/ | Universal ROP shellcode for OS X x64 | 23-07-2011 | Article | Mac OS X, x64 | N/A |
| 14 | http://www.vnsecurity.net/2011/07/yet-another-universal-osx-x86_64-dyld-rop-shellcode/ | Yet another universal OSX x86_64 dyld ROP shellcode | 30-07-2011 | Article | Mac OS X, x64 | N/A |
| 15 | http://www.codeproject.com/Articles/325776/The-Art-of-Win32-Shellcoding | The Art of Win32 Shellcoding | 06-02-2012 | Article | Windows, x86-32 | N/A |
5. Vulnerability explained

| Nr | URL | Description | Date | OS/Arch | Info |
|---|---|---|---|---|---|
| 1 | http://roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execution.html | Graphviz Buffer Overflow Code Execution | 08-10-2008 | - | N/A |
| 2 | http://dvlabs.tippingpoint.com/blog/2009/06/30/exploiting-ms-advisory-971778---quicktime-directshow-vulnerability | Exploiting MS Advisory 971778: QuickTime DirectShow | 28-05-2009 | Windows, x86-32 | CVE-2009-1537 |
| 3 | http://roeehay.blogspot.com/2009/06/apple-quicktime-image-description-atom.html | Apple QuickTime Image Description Atom Sign Extension Memory Corruption | 02-06-2009 | Windows, x86-32 | CVE-2009-0955 |
| 4 | http://roeehay.blogspot.com/2009/08/advisory-adobe-flash-player-avm2.html | Advisory: Adobe Flash Player and AIR AVM2 intf_count Integer Overflow | 02-08-2009 | Windows, x86-32 | CVE-2009-1869 |
| 5 | http://code.google.com/p/chromium/issues/attachmentText?id=35724&aid=126993484832405244&name=Pwnium-1.3.html&token=feb53c401c565218ebbb4e57977988f2 | Pwnium 1.3 - an exploit for an integer overflow in WebGLUnsignedIntArray. | 01-03-2010 | Windows, x86-32 | N/A |
| 6 | http://dvlabs.tippingpoint.com/blog/2010/09/01/zdi-10-169-on-exploitability | Security Advisory for NetWare 6.5 OpenSSH | 01-09-2010 | Windows, x32 | ZDI-10-169 |
| 7 | http://em386.blogspot.com/2010/12/webkit-css-type-confusion.html | WebKit CSS Type Confusion | 15-12-2010 | - | CVE-2010-4577 |
| 8 | http://esec-lab.sogeti.com/dotclear/index.php?post/2010/12/09/CVE-2010-3830-iOS-4.2.1-packet-filter-local-kernel-vulnerability | CVE-2010-3830 - iOS < 4.2.1 packet filter local kernel vulnerability | 18-12-2010 | iOS < 4.2.1 | CVE-2010-3830 |
| 9 | http://cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html | CVE-2011-0045: MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability | 26-02-2011 | Windows | CVE-2011-0045 |
| 10 | http://www.vupen.com/blog/20110326.Technical_Analysis_and_Win7_Exploitation_Adobe_Flash_0Day_CVE-2011-0609.php | Technical Analysis and Advanced Exploitation of Adobe Flash 0-Day (CVE-2011-0609) | 26-03-2011 | Windows, x86-32 | CVE-2011-0609 |
| 11 | http://bugix-security.blogspot.com/2011/04/cve-2011-0611-adobe-flash-zero-day.html | CVE-2011-0611 Adobe Flash Zero Day embeded in DOC | 12-04-2011 | Windows, x86-32 | CVE-2011-0611 |
| 12 | http://blogs.technet.com/b/mmpc/archive/2011/04/12/analysis-of-the-cve-2011-0611-adobe-flash-player-vulnerability-exploitation.aspx | Analysis of the CVE-2011-0611 Adobe Flash Player vulnerability exploitation | 12-04-2011 | Windows, x86-32 | CVE-2011-0611 |
| 13 | http://secunia.com/blog/210 | Adobe Flash Player 0-day Exploit Analysis (CVE-2011-0611) | 14-04-2011 | Windows, x86-32 | CVE-2011-0611 |
| 14 | http://research.reversingcode.com/index.php/advisories/75-apple-quicktime-player-h264-issues | Apple QuickTime Player H.264 issues | 01-09-2011 | Windows, x86-32 | CVE-2011-0247 |
| 15 | http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/ | MS11-080 – A Voyage into Ring Zero | 06-12-2011 | Windows, x86-32 | CVE-2011-2005 |
| 16 | http://thexploit.com/secdev/a-textbook-buffer-overflow-a-look-at-the-freebsd-telnetd-code/ | A Textbook Buffer Overflow: A Look at the FreeBSD telnetd Code | 25-12-2011 | FreeBSD | CVE-2011-4862 |
| 17 | http://newsoft-tech.blogspot.com/2012/01/ms11-014-this-is-not-bug-your-are.html | MS11-014: this is not the bug your are looking for … | 10-01-2012 | Windows, x86-32 | CVE-2011-0039 |
| 18 | http://www.vupen.com/blog/20120110.Technical_Analysis_of_ProFTPD_Remote_Use_after_free_CVE-2011-4130_Part_I.php | Technical Analysis of ProFTPD Response Pool Remote Use-after-free (CVE-2011-4130) - Part I | 10-01-2012 | Linux, x86-32 | CVE-2011-4130 |
| 19 | http://www.dis9.com/ms11-077-from-patch-to-proof-of-concept.html | MS11-077: From Patch to Proof-of-Concept | 16-01-2012 | Windows, x86-32 | CVE-2011-1985 |
The following blog collects a large number of vulnerabilities mapped to CVEs: http://xorl.wordpress.com/category/bugs/. Binary analyses, also mapped to CVEs, can be found here: http://www.abysssec.com/blog/tag/binary-analysis/. A vulnerability analysis blog that uses DarunGrim: http://exploitshop.wordpress.com/. Other vulnerability analyses: http://0x1byte.blogspot.com/search/label/0-days.

6. Tools and projects

7. Other collections, wikis, etc.

8. Media

9. Timeline and history

10. Debugging