Created by
Alexander Hanel
This document is in fieri, and, as such, will be subject to change in the near future.
My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.
- sar
Buffer overflows:
How to write buffer overflows, mudge, 1995
Smashing the stack for fun and profit, Aleph One, 1996
The Frame Pointer Overwrite, klog, 1999
win32 buffer overflows, dark spyrit, 1999
Return-into-lib / Return oriented programming:
Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997
More advanced ret-into-lib(c) techniques, Nergal, 2001
On the effectiveness of address-space randomization, 2004
Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005
The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007
Defeating DEP, the Immunity Debugger way, Pablo Sole, 2008
The Case of Return-Oriented Programming and the AVC Advantage, 2009
Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010
Heap exploitation:
w00w00 on heap overflows, Matt Conover, 1999
Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001
Once upon a free(), anonymous author, 2001
Advanced Doug Lea's malloc exploits, jp, 2003
Exploiting the wilderness, Phantasmal Phantasmagoria, 2004
Malloc Maleficarum, Phantasmal Phantasmagoria, 2005
Yet another free() exploitation technique, huku, 2009
Format string exploitation:
Exploiting format string vulnerabilities, scut / Team-TESO, 2001
Advances in format string exploitation, gera, 2002
An alternative method in format string exploitation, K-sPecial, 2006
Integer overflows:
Big Loop Integer Protection, Oded Horovitz, 2002
Basic Integer Overflows, blexim, 2002
Null-ptr dereference:
Large memory management vulnerabilities, Gael Delalleau, 2005
Exploiting the Otherwise Non-exploitable on Windows, skape, 2006
Vector rewrite attack, Barnaby Jack, 2007
Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008
JIT-spray:
Pointer inference and JIT-Spraying, Dion Blazakis, 2010
Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010
Other:
Overwriting the .dtors section, Juan M. Bello Rivas, 2000
Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006
Unorganized:
- http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/
- http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf, exploiting null-pointer dereferences
- http://www.phrack.com/issues.html?issue=57&id=18
- http://www.usenix.org/events/sec05/tech/full_papers/kruegel/kruegel_html/attack.html
- http://cansecwest.com/core05/memory_vulns_delalleau.pdf, Large memory management vulnerabilities, Gael Delalleau, 2005
- http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/
- http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/
- http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf
- http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
- http://www.phrack.com/issues.html?issue=64&id=6, Attacking the Core: Kernel Exploiting Notes, 2007
- http://lkml.org/lkml/2010/5/27/490
- http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
- http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
- http://eeyeresearch.typepad.com/blog/2006/08/post_ms06035_ma.html
- http://www.phrack.org/phrack/63/p63-0x0e_Shifting_the_Stack_Pointer.txt
- http://seclists.org/vuln-dev/2002/Nov/att-0056/0
- http://www.pine.nl/press/pine-cert-20030101.txt
- http://seclists.org/bugtraq/2000/Jan/0016.html
ASLR:
ASLR Smack and Laugh Reference
- www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf
Advanced Buffer Overflow Methods
- cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt
Smack the Stack
- sts.synflood.de/dump/doc/smackthestack.txt
Exploiting the random number generator to bypass ASLR
- blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf
Wikipedia on ASLR
- en.wikipedia.org/wiki/Address_space_layout_randomization
Bypassing Memory Protections: The Future of Exploitation
- usenix.org/events/sec09/tech/slides/sotirov.pdf
On the Effectiveness of Address-Space Randomization
- stanford.edu/~blp/papers/asrandom.pdf
Exploiting with linux-gate.so.1
- milw0rm.com/papers/55
Circumventing the VA kernel patch For Fun and Profit
- milw0rm.com/papers/94
Defeating the Matasano C++ Challenge
- timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/
Bypassing PaX ASLR protection
- phrack.com/issues.html?issue=59&id=9
Thoughts about ASLR, NX Stack and format string attacks
- nibbles.tuxfamily.org/?p=1190
Return-into-libc without Function Calls
- cseweb.ucsd.edu/~hovav/dist/geometry.pdf
Linux ASLR Curiosities, Tavis Ormandy and Julien Tinnes
- cr0.org/paper/to-jt-linux-alsr-leak.pdf
- corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
- securitytube.net/Exploiting-a-buffer-overflow-under-Linux-kernel-2.6-with-ASLR-through-ret2reg-video.aspx
- securitytube.net/Bypassing-the-Linux-Kernel-ASLR-and-Exploiting-a-Buffer-Overflow-Vulnerable-Application-with-ret2esp-video.aspx
- securitytube.net/Exploiting-Buffer-Overflows-on-kernels-with-ASLR-enabled-using-Brute-Force-on-the-Stack-Layer-video.aspx
- http://ilm.thinkst.com/folklore/index.shtml
- http://www.corelan.be:8800/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/