articles missing information like CVEs, having the wrong category, or probably
having broken links. I also want to rename several categories, add new columns,
and remove some. It might be done sooner.
At least basic knowledge of assembly, OS internals, and C/C++ is needed to get the most value from this wiki. You will also need to know how to work with tools like debuggers and disassemblers. Knowledge of a scripting language (such as Python, Perl, or Ruby) will help you develop exploits faster and write the handy tools you might need. Tutorials work like glue: they tie theoretical knowledge together and give you a boost in practical usage. Links covering these prerequisites are not listed here; it is assumed that you will find them yourself, since this is an exploitation wiki. However, you can look for what you need to get the required knowledge here: "From 0x90 to 0x4c454554, a journey into exploitation".
The simplest vulnerabilities from the point of view of exploitation are stack-based buffer overflows, so for novice exploit writers this is obviously a good starting point.
Peter Van Eeckhoutte's (corelanc0d3r) series of tutorials is the right thing to start with: it is well structured, explained step by step, and covers most exploitation topics, starting from the easy ones and continuing with more and more complex ones.
Another great read that will definitely help novice exploit writers warm up is "Smashing the stack in 2010" by Andrea Cugliari and Mariano Graziano. These papers cover both Windows and Linux environments, explain assembly, and contain exploitation examples for real-world vulnerabilities.
And for all those who are planning a long-term roadmap: "How do I become a Ninja?".
Keep in mind that old articles (or new ones that focus on old OSs) might confuse you. In recent years several mitigation techniques have appeared across operating systems, various kernel changes were applied, APIs were broadened, etc. So be careful when trying to reproduce tutorial steps. Most likely you will need to disable mitigations or set up an older operating system to make your exploits work. It is worth going through the section "Timeline and history" first.
Another suggestion for beginners in the field of exploitation: do not hurry to cover complex topics like ASLR and DEP bypassing, heap exploitation, etc. It is better to devote time to learning what is mentioned in subject 1.1 and to follow the tutorials.
Introducing new obstacles step by step is a good strategy not only in learning, but in exploit development in general.
As you might have noticed, the tables have a column called Type. The types mean the following:
- Tutorial - explanation of a subject in detail, with real vulnerability examples;
- Article - explanation of a subject in detail, possibly more theory-oriented;
- Blog post - brief explanation of a subject.
All other types should be clear from their names. Sometimes references point directly to downloadable PDF files; those links are in italic.
Sometimes it is hard to determine where to put a reference, because a topic can cover multiple items at once. In such cases the reference is placed under the category the author wanted to draw attention to. Another thing to keep in mind is that OS/Arch refers only to the exploitation or explanation discussed in the topic, not to all possibly affected systems/software.
CWE-121: Stack-based Buffer Overflow
Nr | URL | Description | Date | Type | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://blogs.securiteam.com/index.php/archives/638 | Heap Spraying: Exploiting Internet Explorer VML 0-day | 23-09-2006 | Tutorial | Windows, x86-32 | CVE-2006-4868 |
2 | http://sysc.tl/2009/07/04/cve-2008-3531-exploit/ | CVE-2008-3531: FreeBSD kernel stack overflow exploit development | 04-07-2009 | Article | FreeBSD | CVE-2008-3531 |
3 | http://www.i-hacked.com/freefiles/EasyChat_SEH_exploit_v1.3.pdf | Understanding SEH (Structured Exception Handler) Exploitation | 06-07-2009 | Article | Windows, x86-32 | CVE-2004-2466 |
4 | http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ | Exploit writing tutorial part 1 : Stack Based Overflows | 19-07-2009 | Tutorial | Windows, x86-32 | EDB-ID-9177 |
5 | http://www.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/ | Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode | 23-07-2009 | Tutorial | Windows, x86-32 | N/A |
6 | http://www.corelan.be:8800/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/ | Exploit writing tutorial part 3 : SEH Based Exploits | 25-07-2009 | Tutorial, video | Windows, x86-32 | N/A |
7 | http://www.corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/ | Exploit writing tutorial part 3b : SEH Based Exploits – just another example | 28-07-2009 | Tutorial | Windows, x86-32 | EDB-ID-9298 |
8 | http://grey-corner.blogspot.com/2010/01/seh-stack-based-windows-buffer-overflow.html | SEH Stack Based Buffer Overflow Tutorial | 07-01-2010 | Tutorial | Windows, x86-32 | OSVDB-61386 |
9 | http://grey-corner.blogspot.com/2010/01/beginning-stack-based-buffer-overflow.html | Stack Based Buffer Overflow Tutorial | 07-01-2010 | Tutorial | Windows, x86-32 | CVE-2004-2271 |
10 | http://www.phreedom.org/research/vulnerabilities/ani-header/ | Windows ANI header buffer overflow | 29-03-2010 | Article, slides, video | Windows, x86-32 | CVE-2007-0038 |
11 | http://www.ethicalhacker.net/content/view/309/2/ | Tutorial: SEH Based Exploits and the Development Process | 04-05-2010 | Tutorial | Windows, x86-32 | OSVDB-62779 |
12 | https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=1tioiVT1jjM-xCzYc-2EPTcATOZ07gUcMshqKf8GHNp47vLvn5yT7wprAUpkb&hl=en | Debugging an SEH 0day | 29-05-2010 | Tutorial (PDF) | Windows, x86-32 | CVE-2010-0688 |
13 | http://www.offensive-security.com/vulndev/evocam-remote-buffer-overflow-on-osx/ | Evocam Remote Buffer Overflow on OSX | 04-06-2010 | Tutorial | Mac OS X (Leopard 10.5.8), x86-32 | CVE-2010-2309 |
14 | http://turkeyland.net/projects/overflow/index.php | Buffer Overflows and You | 04-08-2010 | Article | Linux x86-64 | N/A |
15 | http://www.vupen.com/blog/20100909.Adobe_Acrobat_Reader_0_Day_Exploit_CVE-2010-2883_Technical_Analysis.php | Criminals Are Getting Smarter: Analysis of the Adobe Acrobat / Reader 0-Day Exploit | 09-09-2010 | Article | Windows, x86-32 | CVE-2010-2883 |
16 | http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/ | Bypassing UAC with User Privilege under Windows Vista/7 – Mirror | 26-11-2010 | Article, video | Windows, x86-32 | CVE-2010-4398 |
17 | http://www.exploit-db.com/wp-content/themes/exploit/docs/16030.pdf | Non-Executable Stack ARM Exploitation | 23-01-2011 | Whitepaper | ARM | N/A |
18 | http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-1-%E2%80%94-introduction/ | Stack Based Buffer Overflow Tutorial, part 1 — Introduction | 09-03-2011 | Tutorial | Windows, x86-32 | N/A |
19 | http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-2-%E2%80%94-exploiting-the-stack-overflow/ | Stack Based Buffer Overflow Tutorial, part 2 — Exploiting the stack overflow | 09-03-2011 | Tutorial | Windows, x86-32 | N/A |
20 | http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-3-%E2%80%94-adding-shellcode/ | Stack Based Buffer Overflow Tutorial, part 3 — Adding shellcode | 09-03-2011 | Tutorial | Windows, x86-32 | N/A |
21 | http://resources.infosecinstitute.com/seh-exploit/ | SEH Based Overflow Exploit Tutorial | 28-04-2011 | Tutorial | Windows, x86-32 | N/A |
22 | http://inseclab.org/papers/smashing_w8_stack.pdf | Smashing the stack in Windows 8 | xx-09-2011 | Article | Windows 8 | N/A |
23 | http://blogs.securiteam.com/index.php/archives/1558 | VMware UDF Stack Buffer Overflow | 10-10-2011 | Blog | Windows, x86-32 | CVE-2011-3868 |
24 | http://www.greyhathacker.net/?p=380 | RemoteExec Computers List Buffer Overflow ROP Exploit | 06-11-2011 | Tutorial | Windows, x86-32 | http://secunia.com/advisories/38733/ |
25 | http://www.poppopret.org/?p=40 | Anatomy of a SCADA Exploit: Part 1 – From Overflow to EIP | 07-01-2012 | Tutorial | Windows, x86-32 | N/A |
26 | http://blog.ring0.me/2012/01/wireshark-14x-145-cve-2011-1591.html | Wireshark 1.4.X (< 1.4.5) - CVE-2011-1591 2010.05 | 12-01-2012 | Tutorial | Linux | CVE-2011-1591 |
27 | http://blog.carlosgarciaprado.com/?p=1036 | x86-64 Exploitation 101. A comparative primer. | 29-04-2012 | Tutorial | Linux, x86-64 | N/A |
28 | http://www.greyhathacker.net/?p=549 | Heap spraying in Internet Explorer with rop nops | 19-06-2012 | Tutorial | Windows, x86-32 | CVE-2007-6387 |
29 | http://www.poppopret.org/?p=141 | Anatomy of a SCADA Exploit: Part 2 – From EIP to Shell | 21-08-2012 | Tutorial | Windows, x86-32 | N/A |
30 | https://community.rapid7.com/community/metasploit/blog/2012/09/06/cve-2012-2611-the-walk-to-the-shell | New Metasploit Exploit: SAP NetWeaver CVE-2012-2611 | 06-09-2012 | Blog post | Windows, x86-32 | CVE-2012-2611 |
31 | http://www.devttys0.com/2012/10/exploiting-a-mips-stack-overflow/ | Exploiting a MIPS Stack Overflow | 08-10-2012 | Article | MIPS | N/A |
32 | http://shar33f12.blogspot.com.es/2012/10/rop.html | ROP | 01-11-2012 | Tutorial | Linux, x86-32 | N/A |
33 | http://www.exploit-db.com/papers/24085/ | Stack Smashing On A Modern Linux System | 21-12-2012 | Article | Linux, x86-64 | N/A |
34 | http://www.floyd.ch/?p=629 | Automated generation of code alignment code for Unicode buffer overflow exploitation | 17-01-2012 | Tutorial | Windows, x86-32 | N/A |
35 | http://www.exploit-db.com/wp-content/themes/exploit/docs/27657.pdf | Smashing the stack, an example from 2013 | 17-08-2013 | Article | Linux | N/A |
36 | http://csmatt.com/notes/?p=96 | MIPS Buffer Overflows with Bowcaster | 13-10-2013 | Tutorial | MIPS | N/A |
37 | http://funoverip.net/2013/10/watchguard-cve-2013-6021-stack-based-buffer-overflow-exploit/ | WatchGuard – CVE-2013-6021 – Stack Based Buffer Overflow Exploit | 27-10-2013 | Article | Linux | CVE-2013-6021 |
38 | http://dl.packetstormsecurity.net/papers/attack/64bit-overflow.pdf | 64 Bits Linux Stack Based Buffer Overflow | 09-06-2014 | Article | Linux | N/A |
39 | https://hatriot.github.io/blog/2015/01/06/ntpdc-exploit/ | Ntpdc Local Buffer Overflow | 06-01-2015 | Blogpost | Linux | N/A |
CWE-122: Heap-based Buffer Overflow
Heap OOB reads and writes also fall into this category.
Nr | URL | Description | Date | Type | OS/Arch | Info |
---|---|---|---|---|---|---|
0 | http://www.cgsecurity.org/exploit/heaptut.txt | w00w00 on Heap Overflows | xx-01-1999 | Article | Linux | N/A |
1 | http://immunitysec.com/resources-papers.shtml (part 1) (part 2) | Exploiting the MSRPC Heap Overflow | 11-09-2003 | Tutorial (PDF) | Windows, x86-32 | CVE-2003-0352 |
2 | http://lists.virus.org/darklab-0402/msg00000.html | Windows Heap Overflow Exploitation | 02-02-2004 | Article | Windows, x86-32 | N/A |
3 | http://www.exploit-db.com/papers/13178/ | Windows Heap Overflows using the Process Environment Block (PEB) | 31-05-2006 | Article | Windows, x86-32 | N/A |
4 | http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html | A heap of risk: Buffer overflows on the heap and how they are exploited | 28-06-2006 | Article | Windows, x86-32 | N/A |
5 | http://securityevaluators.com/files/papers/isewoot08.pdf | Engineering Heap Overflow Exploits with JavaScript | 08-09-2008 | Article (PDF) | - | N/A |
6 | http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf | Practical Windows XP/2003 Heap Exploitation | xx-07-09 | Article (PDF) | Windows, x86-32 | N/A |
7 | http://crazylazy.info/blog/?q=print/content/0x41-weekly-exploitation-matters-heap-overflow-fundamentals | 0x41 - weekly exploitation matters - Heap overflow fundamentals | 23-03-2010 | Tutorial | Windows, x86-32 | CVE-2009-4324 |
8 | http://grey-corner.blogspot.com/2010/03/difference-between-heap-overflow-and.html | The Difference Between Heap Overflow and Use After Free Vulnerabilities | 31-03-2010 | Article | - | N/A |
9 | http://blogs.cisco.com/security/comments/exploring_heap-based_buffer_overflows_with_the_application_verifier/ | Exploring Heap-Based Buffer Overflows with the Application Verifier | 29-03-2010 | Article | Windows, x86-32 | N/A |
10 | http://blogs.iss.net/archive/RequiredReading.html | Heap Cache Exploitation - White Paper by IBM Internet Security Systems | xx-07-2010 | Article | Windows, x86-32 | N/A |
11 | https://net-ninja.net/blog/?p=293 | Heap Overflows For Humans – 101 | 24-10-2010 | Article | Windows, x86-32 | N/A |
12 | http://www.breakingpointsystems.com/community/blog/ie-vulnerability/ | When A DoS Isn't A DoS | 16-12-2010 | Tutorial | Windows, x86-32 | OSVDB-69796 |
13 | http://www.vupen.com/blog/20101221.Exim_string_vformat_Remote_Overflow_Analysis_CVE-2010-4344.php | Technical Analysis of Exim "string_vformat()" Buffer Overflow Vulnerability | 21-12-2010 | Article | Linux x86-32 | CVE-2010-4344 |
14 | http://www.breakingpointsystems.com/community/blog/microsoft-vulnerability-proof-of-concept/ | From Patch to Proof-of-Concept: MS10-081 | 10-01-2011 | Tutorial | Windows, x86-32 | CVE-2010-2746 |
15 | http://vreugdenhilresearch.nl/ms11-002-pwn2own-heap-overflow/ | MS11-002 Pwn2Own heap overflow | 12-01-2011 | Blog post, Article (PDF) | Windows, x86-32 | CVE-2011-0027 |
16 | http://www.skullsecurity.org/blog/2011/a-deeper-look-at-ms11-058 | A deeper look at ms11-058 | 23-08-2011 | Article | Windows, x86-32 | CVE-2011-1966 |
17 | https://net-ninja.net/blog/?p=674 | Heap Overflows For Humans – 102 | 02-09-2011 | Article | Windows, x86-32 | N/A |
18 | http://net-ninja.net/blog/?p=952 | Heap Overflows For Humans 102.5 | 28-12-2011 | Article | Windows, x86-32 | N/A |
19 | http://net-ninja.net/blog/?p=1034 | Heap Overflows For Humans 103 | 04-01-2012 | Article | Windows, x86-32 | N/A |
20 | http://net-ninja.net/blog/?p=1260 | Heap Overflows For Humans 103.5 | 13-01-2012 | Article | Windows, x86-32 | N/A |
21 | http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php | Analysis & Advanced Exploitation of Windows Multimedia Library Heap Overflow (MS12-004) | 17-01-2012 | Article | Windows, x86-32 | CVE-2012-0003 |
22 | https://net-ninja.net/article/2012/Mar/1/heap-overflows-for-humans-104/ | Heap Overflows For Humans 104 | 11-03-2012 | Article | Windows, x86-32 | N/A |
23 | http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php | Advanced Exploitation of Internet Explorer Heap Overflow (Pwn2Own 2012 Exploit) | 10-07-2012 | Article | Windows, x86-32 | CVE-2012-1876 |
24 | https://community.rapid7.com/community/metasploit/blog/2012/12/19/new-metasploit-exploit-crystal-reports-viewer-cve-2010-2590 | New Metasploit Exploit: Crystal Reports Viewer CVE-2010-2590 | 19-12-2012 | Article | Windows, x86-32 | CVE-2010-2590 |
25 | http://blog.stalkr.net/2013/06/golang-heap-corruption-during-garbage.html | Golang heap corruption during garbage collection | 04-06-2013 | Blogpost | Linux | N/A |
26 | https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/ | Root Cause Analysis – Integer Overflows | 02-07-2013 | Tutorial | Windows, x86-32 | N/A |
27 | http://doar-e.github.io/blog/2013/09/09/pinpointing-heap-related-issues-ollydbg2-off-by-one-story/ | Pinpointing Heap-related Issues: OllyDbg2 Off-by-one Story | 09-09-2013 | Blogpost | Windows | N/A |
28 | http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Technical-Analysis-of-CVE-2014-1761-RTF-Vulnerability/ba-p/6440048#.U0MYW_ldV8F | Technical Analysis of CVE-2014-1761 RTF Vulnerability | 07-04-2014 | Article | Windows | CVE-2014-1761 |
29 | http://radare.today/technical-analysis-of-the-gnutls-hello-vulnerability/ | Technical Analysis Of The GnuTLS Hello Vulnerability | 01-06-2014 | Blogpost | Linux | CVE-2014-3466 |
30 | http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002 | ZDI-14-173/CVE-2014-0195 - OpenSSL DTLS Fragment Out-of-Bounds Write: Breaking up is hard to do | 05-06-2014 | Blogpost | Linux | CVE-2014-0195 |
31 | http://googleprojectzero.blogspot.de/2014/07/pwn4fun-spring-2014-safari-part-i_24.html | pwn4fun Spring 2014 - Safari - Part I | 24-07-2014 | Article | Mac OS X x64 | N/A |
32 | http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php | Advanced Exploitation of VirtualBox 3D Acceleration VM Escape Vulnerability (CVE-2014-0983) | 25-07-2014 | Blogpost | Windows | CVE-2014-0983 |
33 | http://googleprojectzero.blogspot.de/2014/08/the-poisoned-nul-byte-2014-edition.html | The poisoned NUL byte, 2014 edition | 25-08-2014 | Article | Fedora 20, x32 | CVE-2014-5119 |
34 | https://fail0verflow.com/blog/2014/hubcap-chromecast-root-pt1.html | HubCap: pwning the ChromeCast pt. 1 | 29-08-2014 | Article | ARMv7 | N/A |
35 | https://fail0verflow.com/blog/2014/hubcap-chromecast-root-pt2.html | HubCap: pwning the ChromeCast pt. 2 | 04-09-2014 | Article | ARMv7 | N/A |
36 | http://blog.binamuse.com/2014/09/coregraphics-information-disclosure.html | CoreGraphics Information Disclosure - CVE-2014-4378 | 18-09-2014 | Blogpost | iOS 7.1 | CVE-2014-4378 |
37 | http://googleprojectzero.blogspot.de/2014/09/exploiting-cve-2014-0556-in-flash.html | Exploiting CVE-2014-0556 in Flash | 23-09-2014 | Blogpost | Linux x64 | CVE-2014-0556 |
38 | http://acez.re/ps-vita-level-1-webkitties-3/ | PS Vita Level 1: Webkitties | 31-10-2014 | Blogpost | ARMv7 | N/A |
39 | https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/ | FROM 0-DAY TO EXPLOIT – BUFFER OVERFLOW IN BELKIN N750 (CVE-2014-1635) | 06-11-2014 | Blogpost | MIPS | CVE-2014-1635 |
CWE-682: Incorrect Calculation, CWE-704: Incorrect Type Conversion or Cast
CWE-134: Uncontrolled Format String
CWE-465: Pointer Issues, CWE-415: Double Free, CWE-476: NULL Pointer Dereference
Nr | URL | Description | Date | Type | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://www.symantec.com/ (part 1) (part 2) | Double Free Vulnerabilities | 19/22-01-2007 | Article | Windows XP SP2, x86-32 | N/A |
2 | http://www.theregister.co.uk/2007/06/13/null_exploit_interview/ | Embedded problems: exploiting NULL pointer dereferences | 13-06-2007 | Interview | ARM, XScale | N/A |
3 | https://www.blackhat.com/presentations/bh-usa-07/Afek/Whitepaper/bh-usa-07-afek-WP.pdf | Dangling Pointer - Smashing the Pointer for Fun and Profit | 02-07-2007 | Article | Windows, x32 | CVE-2005-4360 |
4 | http://searchsecurity.techtarget.com.au/news/2240019328/QA-Mark-Dowd-on-NULL-pointer-dereference-bugs | Q&A: Mark Dowd on NULL pointer dereference bugs | 02-05-2008 | Transcript | - | N/A |
5 | http://blogs.iss.net/archive/cve-2008-0017.html | What You May Have Missed About CVE-2008-0017: A Firefox NULL Dereference Bug | 26-11-2008 | Article | Windows, x86-32 | CVE-2008-0017 |
6 | http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/ | Much ado about NULL: Exploiting a kernel NULL dereference | 13-04-2010 | Article | Linux, x86 | N/A |
7 | http://www.vupen.com/blog/20101018.Stuxnet_Win32k_Windows_Kernel_0Day_Exploit_CVE-2010-2743.php | Technical Analysis of the Windows Win32K.sys Keyboard Layout Stuxnet Exploit | 18-10-2010 | Article | Windows, x86-32 | CVE-2010-2743 |
8 | http://grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html | Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability | 24-01-2010 | Tutorial | Windows, x86-32 | CVE-2010-0249 |
9 | http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html | Insecticides don't kill bugs, Patch Tuesdays do (use-after-free) | 16-06-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
10 | http://www.exploit-monday.com/2011/07/post-mortem-analysis-of-use-after-free_07.html | Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260) | 07-07-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
11 | http://j00ru.vexillium.org/?p=893 | CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability | 12-07-2011 | Article | Windows, x86-32 | CVE-2011-1281 |
12 | http://j00ru.vexillium.org/?p=932 | CVE-2011-1282: User-Mode NULL Pointer Dereference & co. | 21-07-2011 | Article | Windows, x86-32 | CVE-2011-1282 |
13 | http://blogs.norman.com/2011/malware-detection-team/drag-and-drop-vulnerability-in-ms11-050 | Drag and Drop Vulnerability in MS11-050 | 29-07-2011 | Article | Windows, x32 | CVE-2011-1254 |
14 | http://picturoku.blogspot.com/2011/08/diaries-of-vulnerability.html | Diaries of a vulnerability: Understanding CVE-2011-1260 | 17-08-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
15 | http://picturoku.blogspot.com/2011/09/diaries-of-vulnerability-take-2.html | Diaries of a vulnerability - take 2: Stage 1 exploit - Controlling EIP | 01-09-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
16 | http://picturoku.blogspot.com/2011/11/diaries-of-vulnerability-take-3.html | Diaries of a vulnerability - take 3: Pray after free and use after pray | 02-11-2011 | Article | Windows, x86-32 | CVE-2011-1260 |
17 | https://community.qualys.com/blogs/securitylabs/2011/12/02/ms11-077-from-patch-to-proof-of-concept | MS11-077: From Patch to Proof-of-Concept | 02-12-2011 | Article | Windows, x86-32 | CVE-2011-1985 |
18 | http://www.vupen.com/blog/20120116.Advanced_Exploitation_of_ProFTPD_Remote_Use_after_free_CVE-2011-4130_Part_II.php | Advanced Exploitation of ProFTPD Response Pool Use-after-free (CVE-2011-4130) - Part II | 16-01-2012 | Article | Linux, x86-32 | CVE-2011-4130 |
19 | http://ifsec.blogspot.com/2012/02/reliable-windows-7-exploitation-case.html (PoC) | Reliable Windows 7 Exploitation: A Case Study | 28-02-2012 | Article | Windows, x86-32 | CVE-2011-1999 |
20 | http://dvlabs.tippingpoint.com/blog/2012/03/15/pwn2own-2012-challenge-writeup | Pwn2Own Challenges: Heapsprays are for the 99% | 15-03-2012 | Article | Windows, x86-32 | CVE-2010-0248 |
21 | http://www.vupen.com/blog/20120625.Advanced_Exploitation_of_Mozilla_Firefox_UaF_CVE-2012-0469.php | Advanced Exploitation of Mozilla Firefox Use-after-free Vulnerability (MFSA 2012-22) | 25-06-2012 | Article | Windows, x86-32 | CVE-2012-0469 |
22 | http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/ | Happy New Year Analysis of CVE-2012-4792 | 02-01-2013 | Article | Windows, x86-32 | CVE-2012-4792 |
23 | https://www-304.ibm.com/connections/blogs/xforce/entry/use_after_frees_that_pointer_may_be_pointing_to_something_bad?lang=en_us | Use-after-frees: That pointer may be pointing to something bad | 01-04-2013 | Blogpost | Windows, x86-32 | CVE-2012-4969, CVE-2012-4792 |
24 | http://blog.trailofbits.com/2013/05/20/writing-exploits-with-the-elderwood-kit-part-2/ | Writing Exploits with the Elderwood Kit (Part 2) | 20-05-2013 | Article | Windows | N/A |
25 | http://blogs.technet.com/b/srd/archive/2013/08/06/the-story-of-ms13-002-how-incorrectly-casting-fat-pointers-can-make-your-code-explode.aspx | The story of MS13-002: How incorrectly casting fat pointers can make your code explode | 06-08-2013 | Blogpost | - | N/A |
26 | http://h30499.www3.hp.com/t5/blogs/blogarticleprintpage/blog-id/off-by-on-software-security-blog/article-id/97 | CVE-2013-3112: From NULL to Control - Persistence pays off with crashes | 26-09-2013 | Article | Windows, x86-32 | CVE-2013-3112 |
27 | http://cyvera.com/cve-2013-3893-analysis-of-the-new-ie-0-day/ | CVE-2013-3893 – ANALYSIS OF THE NEW IE 0-DAY | 07-10-2013 | Article | Windows, x86-32 | CVE-2013-3893 |
28 | http://cyvera.com/cve-2013-3897-analysis-of-yet-another-ie-0-day/ | CVE-2013-3897 – ANALYSIS OF YET ANOTHER IE 0-DAY | 08-10-2013 | Article | Windows, x86-32 | CVE-2013-3897 |
29 | http://blog.spiderlabs.com/2013/10/another-day-another-ie-zero-day.html | Another Day, SpiderLabs Discovers Another IE Zero-Day | 08-2013 | Article | Windows, x86-32 | CVE-2013-3897 |
30 | http://blog.spiderlabs.com/2013/10/ie-zero-day-cve-2013-3897-technical-aspects.html | The Technical Aspects of Exploiting IE Zero-Day CVE-2013-3897 | 10-2013 | Article | Windows, x86-32 | CVE-2013-3897 |
31 | http://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/ | Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 1 | 11-10-2013 | Article | Windows, x86-32 | CVE-2013-3893 |
32 | http://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/ | Anatomy of an exploit - inside the CVE-2013-3893 Internet Explorer zero-day - Part 2 | 25-10-2013 | Article | Windows, x86-32 | CVE-2013-3893 |
33 | http://blog.exodusintel.com/2013/11/26/browser-weakest-byte/ | A browser is only as strong as its weakest byte | 26-11-2013 | Article | Windows | CVE-2013-3147 |
34 | http://blog.exodusintel.com/2013/12/09/a-browser-is-only-as-strong-as-its-weakest-byte-part-2/ | A browser is only as strong as its weakest byte - Part 2 | 09-12-2013 | Article | Windows | CVE-2013-3147 |
35 | http://blog.spiderlabs.com/2014/03/deep-analysis-of-cve-2014-0502-a-double-free-story.html | Deep Analysis of CVE-2014-0502 – A Double Free Story | 12-03-2014 | Blogpost | Windows | CVE-2014-0502 |
36 | http://carterjones.logdown.com/posts/2014/03/14/cve-2014-0301-analysis | CVE-2014-0301 Analysis | 14-03-2014 | Blogpost | Windows | CVE-2014-0301 |
37 | http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Double-Dip-Using-the-latest-IE-0-day-to-get-RCE-and-an-ASLR/ba-p/6466280 | Double-Dip: Using the latest IE 0-day to get RCE and an ASLR Bypass | 06-05-2014 | Blogpost | Windows | N/A |
38 | http://www.vupen.com/blog/20140520.Advanced_Exploitation_Firefox_UaF_Pwn2Own_2014.php | Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) | 20-05-2014 | Blogpost | Windows | CVE-2014-1512 |
39 | http://blog.trendmicro.com/trendlabs-security-intelligence/root-cause-analysis-of-cve-2014-1772-an-internet-explorer-use-after-free-vulnerability/ | Root Cause Analysis of CVE-2014-1772 – An Internet Explorer Use After Free Vulnerability | 05-11-2014 | Blogpost | Windows | CVE-2014-1772 |
40 | http://googleprojectzero.blogspot.de/2015/01/exploiting-nvmap-to-escape-chrome.html | Exploiting NVMAP to escape the Chrome sandbox - CVE-2014-5332 | 22-01-2015 | Blogpost | Android | CVE-2014-5332 |
Nr | URL | Description | Date | Type | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://www.vupen.com/blog/20120717.Advanced_Exploitation_of_Internet_Explorer_XML_CVE-2012-1889_MS12-043.php | Advanced Exploitation of IE MSXML Remote Uninitialized Memory (MS12-043 / CVE-2012-1889) | 17-07-2012 | Article | Windows, x86-32 | CVE-2012-1889 |
2 | http://immunityproducts.blogspot.de/2013/06/adobe-xfa-exploits-for-all-first-part.html | Adobe XFA exploits for all! First Part: The Info-leak | 24-06-2013 | Article | Windows 7 | CVE-2013-0640 |
3 | http://labs.portcullis.co.uk/blog/cve-2013-0640-adobe-reader-xfa-oneofchild-un-initialized-memory-vulnerability-part-1/ | CVE-2013-0640: Adobe Reader XFA oneOfChild Un-initialized memory vulnerability (part 1) | 26-09-2013 | Article | Windows | CVE-2013-0640 |
4 | http://labs.portcullis.co.uk/blog/cve-2013-0640-adobe-reader-xfa-oneofchild-un-initialized-memory-vulnerability-part-2/ | CVE-2013-0640: Adobe Reader XFA oneOfChild Un-initialized memory vulnerability (part 2) | 15-10-2013 | Article | Windows | CVE-2013-0640 |
5 | http://ifsec.blogspot.de/2013/11/exploiting-internet-explorer-11-64-bit.html | Exploiting Internet Explorer 11 64-bit on Windows 8.1 Preview | 06-11-2013 | Article | Windows 8, x86-64 | N/A |
This section includes different kinds of vulnerabilities that do not involve memory corruption but still lead to system compromise and are not purely web-application-specific bugs.
Nr | URL | Description | Date | Type | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://blog.zx2c4.com/749 | Linux Local Privilege Escalation via SUID /proc/pid/mem Write | 21-01-2012 | Article | Linux | CVE-2012-0056 |
2 | http://blog.chromium.org/2012/06/tale-of-two-pwnies-part-2.html | A Tale Of Two Pwnies (Part 2) | 11-06-2012 | Article | - | CVE-2011-3063, CVE-2011-3054, CVE-2011-3072 , CVE-2011-3084 |
3 | http://www.saurik.com/id/17 | Exploit (& Fix) Android "Master Key" | xx-07-2013 | Article | Android | CVE-2013-4787 |
4 | https://viaforensics.com/mobile-security/chained-vulnerabilities-firefox-android-pimp-browser.html | How I met Firefox: A tale about chained vulnerabilities | 02-10-2013 | Article | Android | N/A |
5 | http://www.contextis.com/research/blog/Expressing_Yourself_Analysis_Dot_Net_Elevation_Pri/ | EXPRESSING YOURSELF: ANALYSIS OF A DOT NET ELEVATION OF PRIVILEGE VULNERABILITY | xx-12-2013 | Article | Windows | CVE-2013-3133 |
6 | http://googleprojectzero.blogspot.de/2014/10/did-man-with-no-name-feel-insecure.html | Did the “Man With No Name” Feel Insecure? | 20-08-2014 | Blogpost | Windows | CVE-2014-3196 |
7 | https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf | Windows Services – All roads lead to SYSTEM | 31-10-2014 | Article | Windows | N/A |
8 | http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-root-cause | Bypassing Microsoft’s Patch for the Sandworm Zero Day: a Detailed Look at the Root Cause | 11-11-2014 | Blogpost | Windows | N/A |
9 | http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm | Bypassing Microsoft’s Patch for the Sandworm Zero Day: Even ‘Editing’ Can Cause Harm | 12-11-2014 | Blogpost | Windows | N/A |
10 | http://googleprojectzero.blogspot.de/2014/12/internet-explorer-epm-sandbox-escape.html | Internet Explorer EPM Sandbox Escape CVE-2014-6350 | 01-12-2014 | Blogpost | Windows | CVE-2014-6350 |
11 | http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2015-0016-escaping-the-internet-explorer-sandbox/ | CVE-2015-0016: Escaping the Internet Explorer Sandbox | 27-01-2015 | Blogpost | Windows | CVE-2015-0016 |
These can be various chained bugs or references not belonging to any other section.
Nr | URL | Description | Date | Type | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://www.corelan.be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/ | Exploit writing tutorial part 7 : Unicode – from 0×00410041 to calc | 06-11-2009 | Tutorial | Windows, x86-32 | OSVDB-66912 |
2 | http://grey-corner.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html | Windows Buffer Overflow Tutorial: Dealing with Character Translation | 17-01-2010 | Tutorial | Windows, x86-32 | OSVDB-59772 |
3 | http://www.abysssec.com/blog/2010/03/ken-ward-zipper-stack-bof-0day-a-not-so-typical-seh-exploit/ | Ken Ward Zipper Stack BOF 0day – a not so typical SEH exploit | 18-03-2010 | Tutorial | Windows, x86-32 | OSVDB-63125 |
4 | http://www.corelan.be:8800/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/ | Exploiting Ken Ward Zipper : Taking advantage of payload conversion | 27-03-2010 | Tutorial | Windows, x86-32 | N/A |
5 | http://www.corelan.be:8800/index.php/2010/03/27/quickzip-stack-bof-0day-a-box-of-chocolates/ | QuickZip Stack BOF 0day: a box of chocolates (2 parts) | 27-03-2010 | Tutorial | Windows, x86-32 | N/A |
6 | https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=1U1cGztE8e08ALZuGjSFRemHW5dhZ01YT1ab-ShCKOd5E82X62T82l7eQt2fb&hl=en | Unicode, the magic of exploiting 0×00410041 | 29-05-2010 | Tutorial (PDF) | Windows, x86-32 | CVE-2009-2225 |
7 | http://www.exploit-db.com/winamp-5-58-from-dos-to-code-execution/ | Winamp 5.58 from Denial of Service to Code Execution | 20-10-2010 | Tutorial | Windows, x86-32 | OSVDB-68645 |
8 | http://www.exploit-db.com/winamp-exploit-part-2/ | Winamp 5.58 from Denial of Service to Code Execution Part 2 | 02-11-2010 | Tutorial | Windows, x86-32 | OSVDB-68645 |
9 | https://www.corelan.be/index.php/2011/07/27/metasploit-bounty-the-good-the-bad-and-the-ugly/ | Metasploit Bounty – the Good, the Bad and the Ugly | 27-07-2011 | Tutorial | Windows, x86-32 | OSVDB-72817 |
Nr | URL | Description | Date | Type | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://www.symantec.com/connect/articles/new-way-bypass-windows-heap-protections | A new way to bypass Windows heap protections | 31-08-2005 | Article | Windows XP SP2, x86-32 | N/A |
2 | https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=0B64ViR5GhSKINDcxZGM1YTItM2U0Ni00ZGZlLWFhNDgtZmY4YjE2Y2I1Y2Rk&hl=en | x86-64 buffer overflow exploits and the borrowed code chunks | 28-09-2005 | Article (PDF) | Linux x86-64 | N/A |
3 | http://www.uninformed.org/?v=2&a=4 | Bypassing Windows Hardware-enforced Data Execution Prevention | 02-10-2005 | Article | Windows, x86-32 | OSVDB-875 |
4 | http://cseweb.ucsd.edu/~hovav/papers/s07.html | The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) | xx-10-2007 | Article (PDF) | x86 | N/A |
5 | http://taossa.com/archive/bh08sotirovdowd.pdf | Bypassing Browser Memory Protections | 07-08-2008 | Article | Windows, x86-32 | N/A |
6 | http://www.sophsec.com/research/aslr_research.html | Attacking ASLR on Linux 2.6 | 27-05-2009 | Article | Linux | N/A |
7 | http://www.packetstormsecurity.org/papers/bypass/bypass-dep.pdf | Bypassing hardware based DEP on Windows Server 2003 SP2 | 10-06-2009 | Tutorial (PDF) | Windows, x86-32 | N/A |
8 | http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/ | Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR | 12-09-2009 | Tutorial | Windows, x86-32 | CVE-2006-6199 |
9 | http://bernardodamele.blogspot.com/2009/12/dep-bypass-with-setprocessdeppolicy.html | DEP bypass with SetProcessDEPPolicy() | 09-12-2009 | Article | Windows, x86-32 | N/A |
10 | http://vrt-blog.snort.org/2009/12/dep-and-heap-sprays.html | DEP and Heap Sprays | 17-12-2009 | Blog post | Windows | N/A |
11 | http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/ | A gentle introduction to return-oriented programming | 12-03-2010 | Article | x86 | N/A |
12 | http://archives.neohapsis.com/archives/fulldisclosure/2010-03/att-0553/Windows-DEP-WPM.txt | Exploitation With WriteProcessMemory()/Yet Another DEP Trick | xx-03-2010 | Article | Windows | N/A |
13 | http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html | A little return oriented exploitation on Windows x86 (Part 1) | 12-04-2010 | Article | Windows, x86-32 | CVE-2010-0838 |
14 | http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html | A little return oriented exploitation on Windows x86 (Part 2) | 16-04-2010 | Article | Windows, x86-32 | N/A |
15 | http://divine-protection.com/wordpress/?p=20 | Advanced Return-Oriented Exploit | 05-05-2010 | Article | Linux, x86-32 | N/A |
16 | http://www.corelan.be:8800/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/ | Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s [TM] Cube | 16-06-2010 | Tutorial | Windows, x86-32 | N/A |
17 | https://docs.google.com/viewer?a=v&pid=explorer&chrome=true&srcid=1g5FD5gjWAIu0iGf7gaF-DBfgya-u9kYX2KT9EgAdbpyjVzXI90imHI783LIF&hl=en | Bypassing ASLR and DEP under Windows | 17-06-2010 | Article (PDF) | Windows, x86-32 | N/A |
18 | http://eticanicomana.blogspot.com/2010/06/so-called-return-oriented-programming.html | The so called Return Oriented Programming... | 21-06-2010 | Blog post | Windows, x86-32 | N/A |
19 | http://www.exploit-db.com/osx-rop-exploits-evocam-case-study/ | OSX ROP Exploit – EvoCam Case Study | 06-07-2010 | Tutorial | Mac OS X | OSVDB-65043 |
20 | http://force.vnsecurity.net/download/longld/BHUS10_Paper_Payload_already_inside_data_reuse_for_ROP_exploits.pdf | Payload already inside: data reuse for rop exploits | 28-07-2010 | Article | Linux x86 | N/A |
21 | http://www.vnsecurity.net/2010/10/simple-mac-os-x-ret2libc-exploit-x86/ | Simple Mac OS X ret2libc exploit (x86) | 05-10-2010 | Blog post | Mac OS X, x86-32 | N/A |
22 | http://j00ru.vexillium.org/?p=690 | Exploiting the otherwise non-exploitable: Windows Kernel-mode GS cookies subverted | 11-01-2011 | Article (PDF) | Windows, x86-32 | CVE-2010-4398 |
23 | http://www.dis9.com/x-security/dep-bypass-with-setprocessdeppolicy.html | DEP bypass with SetProcessDEPPolicy() | 13-02-2011 | Blog post | Windows, x86-32 | N/A |
24 | http://vulnfactory.org/blog/2011/09/21/defeating-windows-8-rop-mitigation/ | Defeating Windows 8 ROP Mitigation | 21-09-2011 | Blog post | Windows 8 | N/A |
25 | http://www.secfence.com/whitepapers/Whitepaper-on-ASLR-DEP-Bypass-Secfence-Technologies.pdf | Bypassing ASLR/DEP | 25-09-2011 | Article | Windows, x86-32 | CVE-2011-0065 |
26 | http://www.nes.fr/docs/NES-BypassWin7KernelAslr.pdf | Bypassing Windows 7 Kernel ASLR | 11-10-2011 | Article | Windows, x86-32 | N/A |
27 | http://falken.tuxfamily.org/?p=115 | Beat SMEP on Linux with Return-Oriented Programming | 09-11-2011 | Article | Linux, x86-64 | N/A |
28 | http://www.exploit-monday.com/2011/11/man-vs-rop-overcoming-adversity-one.html | Man vs. ROP - Overcoming Adversity One Gadget at a Time | 14-11-2011 | Article | Windows, x86-32 | N/A |
29 | http://blog.bkis.com/en/advanced-generic-rop-chain-for-windows-8/ | Advanced Generic ROP chain for Windows 8 | 16-11-2011 | Article | Windows 8 | CVE-2011-0065 |
30 | http://www.greyhathacker.net/?p=483 | Bypassing EMET’s EAF with custom shellcode using kernel pointer | 19-12-2011 | Tutorial | Windows, x86-32 | CVE-2010-3654 |
31 | http://seclists.org/fulldisclosure/2012/Jan/124 | SafeSEH+SEHOP all-at-once bypass exploitation method principles | 10-01-2012 | Post | Windows, x86-32 | N/A |
32 | http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/ | Apache ModSetEnvIf Integer Overflow | 11-01-2012 | Article | Linux | CVE-2011-3607 |
33 | http://piotrbania.com/all/articles/anti_emet_eaf.txt | BYPASSING EMET Export Address Table Access Filtering feature | 19-01-2012 | Post | Windows, x86-32 | N/A |
34 | http://recxltd.blogspot.com/2012/03/partial-technique-against-aslr-multiple.html | A Partial Technique Against ASLR - Multiple O/Ss | 02-03-2012 | Article | Windows, x86-32 | N/A |
35 | http://esec-lab.sogeti.com/post/Bypassing-ASLR-and-DEP-on-Adobe-Reader-X | Bypassing ASLR and DEP on Adobe Reader X | 22-06-2012 | Article | Windows, x86-32 | N/A |
36 | https://community.rapid7.com/community/metasploit/blog/2012/07/06/stack-smashing-when-code-execution-becomes-a-nightmare | Stack Smashing: When Code Execution Becomes a Nightmare | 06-07-2012 | Tutorial | Windows, x86-32 | CVE-2012-0124 |
37 | https://community.rapid7.com/community/metasploit/blog/2012/08/15/the-stack-cookies-bypass-on-cve-2012-0549 | The Stack Cookies Bypass on CVE-2012-0549 | 15-08-2012 | Blog post | Windows, x86-32 | CVE-2012-0549 |
38 | http://blog.ptsecurity.com/2012/09/intel-smep-overview-and-partial-bypass.html | Intel SMEP overview and partial bypass on Windows 8 | 17-09-2012 | Article | Windows 8 | N/A |
39 | http://c0decstuff.blogspot.com.es/2012/12/defeating-windows-8-rop-mitigation.html | Defeating Windows 8 ROP Mitigation | 19-12-2012 | Article | Windows 8 | N/A |
40 | http://kingcope.wordpress.com/2013/01/24/attacking-the-windows-78-address-space-randomization/ | Attacking the Windows 7/8 Address Space Randomization | 24-01-2013 | Post | Windows 7/8 | N/A |
41 | https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/ | DEPS – Precise Heap Spray on Firefox and IE10 | 19-02-2013 | Article | Windows | N/A |
42 | http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html | Introduction to return oriented programming (ROP) | 28-05-2013 | Article | Linux | N/A |
43 | http://www.fireeye.com/blog/technical/cyber-exploits/2013/10/aslr-bypass-apocalypse-in-lately-zero-day-exploits.html | ASLR Bypass Apocalypse in Recent Zero-Day Exploits | 15-10-2013 | Article | Windows | CVE-2013-0640, CVE-2013-0634, CVE-2013-3163, CVE-2013-1690, CVE-2013-1493 |
44 | http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf | BYPASSING EMET 4.1 | xx-02-2014 | Article | Windows | N/A |
45 | http://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/ | Disarming Enhanced Mitigation Experience Toolkit | 01-07-2014 | Blogpost | Windows | N/A |
46 | https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/ | Windows 8 Kernel Memory Protections Bypass | 15-08-2014 | Blogpost | Windows 8 | N/A |
47 | http://k33nteam.org/blog-4-use-after-free-not-dead-in-internet-explorer-part-1.htm | USE-AFTER-FREE NOT DEAD IN INTERNET EXPLORER: PART 1 | 13-10-2014 | Blogpost | Windows 8.1 | MS14-056 |
48 | http://www.contextis.com/resources/blog/windows-mitigaton-bypass/ | Bypassing Windows 8.1 Mitigations using Unsafe COM Objects | 15-06-2014 | Blogpost | Windows 8.1 | N/A |
49 | http://atredispartners.blogspot.de/2014/08/here-be-dragons-vulnerabilities-in.html | Here Be Dragons: Vulnerabilities in TrustZone | 15-08-2014 | Blogpost | ARM | N/A |
50 | https://www.offensive-security.com/vulndev/disarming-emet-v5-0/ | Disarming EMET v5.0 | 29-09-2014 | Blogpost | Windows | CVE-2012-1876 |
51 | http://blog.lse.epita.fr/articles/74-getting-back-determinism-in-the-lfh.html | Getting back determinism in the Low Fragmentation Heap | 02-11-2014 | Blogpost | Windows 8 | N/A |
52 | https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/ | Disarming and Bypassing EMET 5.1 | 18-11-2014 | Blogpost | Windows | N/A |
53 | http://tekwizz123.blogspot.de/2015/01/bypassing-emets-eaf-protection-slightly.html | A Theoretical Approach to Getting Around EMET's EAF Protection | 18-01-2015 | Blogpost | Windows | N/A |
Nr | URL | Description | Date | Type | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://cansecwest.com/slides07/Vector-Rewrite-Attack.pdf | Vector Rewrite Attack - Exploitable NULL Pointer Vulnerabilities on ARM and XScale Architectures | xx-03-2007 | Whitepaper | ARM/XScale | - |
2 | http://www.phreedom.org/presentations/heap-feng-shui/ | Heap Feng Shui in JavaScript | 2007 | Slides, video, paper | Windows, x86-32 | N/A |
3 | http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf | Application-Specific Attacks: Leveraging the ActionScript Virtual Machine | xx-04-2008 | Article (PDF) | - | - |
4 | https://code.google.com/p/em386/downloads/detail?name=Exploring_the_STL_Owning_erase.pdf&can=2&q= | Exploring the STL: Owning erase( ) | 20-07-2009 | Article | Linux | - |
5 | http://dsecrg.com/pages/pub/show.php?id=22 | Writing JIT-Spray Shellcode for fun and profit | 05-03-2010 | Article (PDF) | Windows, x86-32 | N/A |
6 | http://census-labs.com/media/bheu-2010-wp.pdf | Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation | 22-04-2010 | Whitepaper | FreeBSD | CVE-2008-3531 |
7 | https://sites.google.com/site/zerodayresearch/Adobe_Readers_Custom_Memory_Management_a_Heap_of_Trouble.pdf?attredirects=0 | Adobe Reader's Custom Memory Management: A Heap Of Trouble | 22-04-2010 | Whitepaper | - | CVE-2010-1241 |
8 | http://www.mista.nu/research/MANDT-kernelpool-PAPER.pdf | Kernel Pool Exploitation on Windows 7 | 12-01-2011 | Whitepaper | Windows | N/A |
9 | http://ifsec.blogspot.com/2011/06/memory-disclosure-technique-for.html | Memory disclosure technique for Internet Explorer | 09-06-2011 | Article | Windows, x86-32 | N/A |
10 | http://www.whitephosphorus.org/sayonara.txt | White Phosphorus Exploit Pack Sayonara ASLR DEP Bypass Technique | 21-06-2011 | Note | Windows, x86-32 | N/A |
11 | http://www.matasano.com/research/Attacking_Clientside_JIT_Compilers_Paper.pdf | Attacking Clientside JIT Compilers | 07-08-2011 | Article (PDF) | - | N/A |
12 | https://media.blackhat.com/bh-us-11/Brossard/BH_US_11_Brossard_Post_Memory_WP.pdf | Post Memory Corruption Memory Analysis | 03-08-2011 | Article (PDF) | Linux, x86 | N/A |
13 | http://blog.cdleary.com/2011/08/understanding-jit-spray/ | Understanding JIT spray | 29-08-2011 | Article | - | N/A |
14 | http://www.exploit-monday.com/2011/08/targeted-heap-spraying-0x0c0c0c0c-is.html | Targeted Heap Spraying – 0x0c0c0c0c is a Thing of the Past | 29-08-2011 | Article | - | N/A |
15 | https://community.rapid7.com/community/metasploit/blog/2011/10/11/monasploit | MonaSploit | 11-10-2011 | Article | - | N/A |
16 | http://j00ru.vexillium.org/?p=1038 | Windows Kernel Address Protection | xx-08-2011 | Article | Windows | N/A |
17 | http://media.blackhat.com/bh-ad-11/Drake/bh-ad-11-Drake-Exploiting_Java_Memory_Corruption-WP.pdf | Exploiting Memory Corruption Vulnerabilities in the Java Runtime | 15-12-2011 | Article | - | CVE-2009-3869, CVE-2010-3552 |
18 | https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ | Exploit writing tutorial part 11 : Heap Spraying Demystified | 31-12-2011 | Tutorial | Windows, x86-32 | N/A |
19 | http://sysc.tl/2012/01/03/linux-kernel-heap-exploitation/ | The Linux kernel memory allocators from an exploitation perspective | 03-01-2012 | Article | Linux | N/A |
20 | http://zhodiac.hispahack.com/my-stuff/security/Flash_ASLR_bypass.pdf | CVE-2012-0769, the case of the perfect info leak | 09-04-2012 | Article | Windows | CVE-2012-0769 |
21 | http://badishi.com/jit-spraying-primer-and-cve-2010-3654/ | JIT Spraying Primer and CVE-2010-3654 | 26-05-2012 | Article | Windows | CVE-2010-3654 |
22 | https://media.blackhat.com/bh-us-12/Briefings/Argyoudis/BH_US_12_Argyroudis_Exploiting_the_%20jemalloc_Memory_%20Allocator_WP.pdf | Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap | 25-07-2012 | Whitepaper | *nix | N/A |
23 | https://media.blackhat.com/bh-us-12/Briefings/Serna/BH_US_12_Serna_Leak_Era_WP.pdf | CVE-2012-0769, the case of the perfect info leak | 25-07-2012 | Whitepaper | Windows | CVE-2012-0769 |
24 | https://media.blackhat.com/bh-us-12/Briefings/Esser/BH_US_12_Esser_iOS_Kernel_Heap_Armageddon_WP.pdf | iOS Kernel Heap Armageddon | 26-07-2012 | Whitepaper | iOS | N/A |
25 | https://communities.coverity.com/blogs/security/2012/07/31/windows-8-heap-internals-update | Windows 8 Heap Internals | 31-07-2012 | Whitepaper | Windows | N/A |
26 | https://subreption.com/site_media/uploads/reports/droidleak_release.pdf | Android exploitation primers: lifting the veil on mobile offensive security (Vol. I) | xx-08-2012 | Whitepaper | Android | CVE-2010-4577 |
27 | http://www.vdalabs.com/tools/DeMott_BlueHat_Submission.pdf | BlueHat Prize Submission (/ROP) | xx-03-2012 | Whitepaper | Windows | N/A |
28 | http://www.trailofbits.com/threads/2012_LeafSR_NaCl_paper_BlackHat.pdf | Google Native Client - Analysis Of A Secure Browser Plugin Sandbox | 25-07-2012 | Whitepaper | - | N/A |
29 | http://mainisusuallyafunction.blogspot.de/2012/11/attacking-hardened-linux-systems-with.html | Attacking hardened Linux systems with kernel JIT spraying | 17-11-2012 | Article | Linux | N/A |
30 | https://sites.google.com/site/zerodayresearch/smashing_the_heap_with_vector_Li.pdf | Smashing the Heap with Vector: Advanced Exploitation Technique in Recent Flash Zero-day Attack | xx-02-2013 | Whitepaper | - | CVE-2013-0643 |
31 | https://media.blackhat.com/eu-13/briefings/Liu/bh-eu-13-liu-advanced-heap-WP.pdf | Advanced Heap Manipulation in Windows 8 | 15-03-2013 | Whitepaper | Windows 8 | N/A |
32 | http://j00ru.vexillium.org/?p=1695 | SyScan 2013, Bochspwn paper and slides | 24-04-2013 | Whitepaper | Windows | N/A |
33 | http://zhodiac.hispahack.com/my-stuff/security/Flash_Jit_InfoLeak_Gadgets.pdf | Flash JIT – Spraying info leak gadgets | 19-07-2013 | Whitepaper | - | N/A |
34 | http://blog.azimuthsecurity.com/2013/12/attacking-zone-page-metadata-in-ios-7.html | Attacking Zone Page Metadata in iOS 7 and OS X Mavericks | 19-12-2013 | Article | iOS | N/A |
35 | http://www.slideshare.net/xiong120/exploit-ie-using-scriptable-active-x-controls-version-english | Exploit IE Using Scriptable ActiveX Controls (version English) | 22-03-2014 | Article | Windows | N/A |
36 | https://community.rapid7.com/community/metasploit/blog/2014/04/07/hack-away-at-the-unessential-with-explib2-in-metasploit | "Hack Away at the Unessential" with ExpLib2 in Metasploit | 07-04-2014 | Article | Windows | N/A |
37 | https://doar-e.github.io/blog/2014/04/30/corrupting-arm-evt/ | Corrupting the ARM Exception Vector Table | 30-04-2014 | Article | ARM | N/A |
38 | http://blog.fortinet.com/post/advanced-exploit-techniques-attacking-the-ie-script-engine | Advanced Exploit Techniques Attacking the IE Script Engine | 16-06-2014 | Blogpost | Windows | N/A |
39 | https://www.blackhat.com/docs/us-14/materials/us-14-Gorenc-Thinking-Outside-The-Sandbox-Violating-Trust-Boundaries-In-Uncommon-Ways-WP.pdf | Thinking outside the sandbox - Violating trust boundaries in uncommon ways | 05-08-2014 | Article | Windows | CVE-2014-1705, CVE-2014-4015, CVE-2014-0506, CVE-2014-1713 |
40 | http://atredispartners.blogspot.de/2014/08/here-be-dragons-vulnerabilities-in.html | Here Be Dragons: Vulnerabilities in TrustZone | 14-08-2014 | Article | ARM | N/A |
41 | http://www.alex-ionescu.com/?p=231 | Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool | 29-12-2014 | Blogpost | Windows | N/A |
42 | http://tfpwn.com/blog/turn-it-into-a-uaf.html | Turn it into a UAF | 11-01-2015 | Blogpost | - | N/A |
Nr | URL | Description | Date | Type | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://hick.org/code/skape/papers/win32-shellcode.pdf | Understanding Windows Shellcode | 12-06-2003 | Article (PDF) | Windows, x86-32 | N/A |
2 | http://www.vividmachines.com/shellcode/shellcode.html | Shellcoding for Linux and Windows Tutorial | xx-06-2007 | Article | Windows, x86-32/Linux | N/A |
3 | http://blog.harmonysecurity.com/2009/08/calling-api-functions.html | Calling API Functions | 05-08-2009 | Article | Windows, x86-32 | N/A |
4 | http://blog.harmonysecurity.com/search/label/Shellcode | Implementing a Windows, x86-32 Kernel Shellcode | 05-11-2009 | Article | Windows, x86-32 | N/A |
5 | http://www.corelan.be:8800/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/ | Exploit writing tutorial part 8 : Windows, x86-32 Egg Hunting | 09-01-2010 | Tutorial | Windows, x86-32 | CVE-2009-3837 |
6 | http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html | Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump | 13-02-2010 | Tutorial | Windows, x86-32 | CVE-2005-0338 |
7 | http://www.corelan.be:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/ | Exploit writing tutorial part 9 : Introduction to Windows, x86-32 shellcoding | 25-02-2010 | Tutorial | Windows, x86-32 | N/A |
8 | http://www.corelan.be:8800/index.php/2010/08/22/exploit-notes-win32-eggs-to-omelet/ | Exploit notes – win32 eggs-to-omelet | 22-08-2010 | Article | Windows, x86-32 | N/A |
9 | http://www.exploit-db.com/foxit-reader-stack-overflow-exploit-egghunter/ | Foxit Reader Stack Overflow Exploit – Egghunter Edition | 14-11-2010 | Tutorial | Windows, x86-32 | OSVDB-68648 |
10 | http://www.exploit-db.com/papers/15652/ | How to Create a Shellcode on ARM Architecture | 25-11-2010 | Article | ARM | N/A |
11 | http://mcdermottcybersecurity.com/articles/windows-x64-shellcode | Windows x64 shellcode | 11-01-2011 | Article | Windows, x86-64 | N/A |
12 | http://resources.infosecinstitute.com/stack-based-buffer-overflow-tutorial-part-3-%E2%80%94-adding-shellcode/ | Stack Based Buffer Overflow Tutorial, part 3 — Adding shellcode | 09-03-2011 | Tutorial | Windows, x86-32 | N/A |
13 | http://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/ | Hack Notes : Ropping eggs for breakfast | 12-05-2011 | Tutorial | Windows, x86-32 | N/A |
14 | http://gdtr.wordpress.com/2011/07/23/universal-rop-shellcode-for-os-x-x64/ | Universal ROP shellcode for OS X x64 | 23-07-2011 | Article | Mac OS X, x64 | N/A |
15 | http://www.vnsecurity.net/2011/07/yet-another-universal-osx-x86_64-dyld-rop-shellcode/ | Yet another universal OSX x86_64 dyld ROP shellcode | 30-07-2011 | Article | Mac OS X, x64 | N/A |
16 | http://www.codeproject.com/Articles/325776/The-Art-of-Win32-Shellcoding | The Art of Win32 Shellcoding | 06-02-2012 | Article | Windows, x86-32 | N/A |
17 | http://blog.markloiseau.com/2012/06/64-bit-linux-shellcode/ | 64-bit Linux Shellcode | 10-06-2012 | Article | Linux, x86-64 | N/A |
18 | https://community.rapid7.com/community/metasploit/blog/2012/07/06/an-example-of-egghunting-to-exploit-cve-2012-0124 | An example of EggHunting to exploit CVE-2012-0124 | 06-07-2012 | Tutorial | Windows, x86-32 | CVE-2012-0124 |
19 | https://www.offensive-security.com/vulndev/aix-shellcode-metasploit/ | Fun with AIX Shellcode and Metasploit | 20-11-2012 | Article | AIX | N/A |
20 | http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html | Writing Optimized Windows Shellcode in C | 16-08-2013 | Article | Windows | N/A |
Tends to contain an analysis of the root issue, including source code or a reversed binary, that explains the problem.
(New section, to be updated...)
Analysis of full-blown exploits, usually found in the wild, with shellcode, DEP/ASLR bypasses and everything else that goes with them.
Nr | URL | Description | Date | Type |
---|---|---|---|---|
1 | http://reverse.put.as/wp-content/uploads/2011/06/hackingleopard.pdf | Hacking Leopard: Tools and Techniques for Attacking the Newest Mac OS X | 22-06-2007 | Article |
2 | http://www.corelan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/ | Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics | 12-08-2009 | Tutorial |
3 | http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/ | Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development | 05-09-2009 | Tutorial |
4 | http://www.corelan.be:8800/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/ | Starting to write Immunity Debugger PyCommands : my cheatsheet | 26-01-2010 | Tutorial |
5 | http://skypher.com/SkyLined/heap_spray/small_heap_spray_generator.html | Heap spray generator | - | Online service |
6 | http://www.offensive-security.com/metasploit-unleashed/exploit-development | Exploit Development | - | Site |
7 | http://gorope.me/ | FREE Online ROP Gadgets Search | - | Online service |
8 | https://www.corelan.be/index.php/security/corelan-ropdb/ | Corelan ROPdb | - | Online service |
9 | https://blog.mandiant.com/archives/1899 | Exploring Artifacts in Heap Memory with Heap Inspector | - | Tool, Article |
10 | http://redmine.corelan.be/projects/mona | Corelan Team project page for 'mona', a PyCommand for Immunity Debugger | - | Tool |
11 | http://www.hsc.fr/ressources/outils/skyrack/index.html.en | ROP gadget search tool | - | Tool |
12 | http://blog.metasploit.com/2008/08/byakugan-windbg-plugin-released.html | Set of extensions for exploit development under WinDbg | - | Tool |
13 | http://www.whitephosphorus.org/ | Public releases of White Phosphorus (ASLR/DEP bypasses) | - | - |
14 | https://github.com/djrbliss/libplayground | A simple framework for developing Linux kernel heap exploit techniques | - | Tool |
15 | http://exploit-exercises.com/ | exploit-exercises.com provides a variety of virtual machines ... | - | OS |
16 | http://sourceforge.net/projects/metasploitable/files/ | Metasploitable 2 | - | OS |
17 | http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Heappie | Heappie! is an exploit-writing-oriented memory analysis tool | - | Tool |
18 | https://community.rapid7.com/community/metasploit/blog/2012/07/05/part-1-metasploit-module-development--the-series | Metasploit exploit development - The series Part 1. | 05-07-2012 | Tutorial |
19 | https://www.corelan.be/index.php/2012/12/31/jingle-bofs-jingle-rops-sploiting-all-the-things-with-mona-v2/ | Jingle BOFs, Jingle ROPs, Sploiting all the things… with Mona v2 !! | 31-12-2012 | Blog |
20 | http://www.alertlogic.com/modern-userland-linux-exploitation-courseware/ | Modern Userland Linux Exploitation Courseware | 21-04-2013 | Courseware |
21 | https://github.com/neuromancer/sea | Symbolic Exploit Assistant | - | Tool |
22 | http://www.blackhatlibrary.net/Shellcodecs | Shellcodecs is a collection of shellcodes, loaders, sources, and generators | - | Wiki |
Nr | URL | Description | Date |
---|---|---|---|
1 | http://redmine.corelan.be:8800/projects/corelanart/files | Graphics and Art (Wallpapers) | 30-11-2010 |
2 | https://community.rapid7.com/community/infosec/blog/2011/02/24/dual-cores-metasploit-track-free-download | Dual Core's Metasploit Track: Free Download! | 24-02-2011 |
Nr | URL | Description | Date |
---|---|---|---|
1 | http://ilm.thinkst.com/folklore/index.shtml | Memory Corruption and Hacker Folklore | xx-xx-2010 |
2 | https://zynamics.files.wordpress.com/2010/02/code_reuse_timeline1.png | Code Reuse Timeline | xx-02-2010 |
3 | http://www.abysssec.com/blog/2010/05/past-present-future-of-windows-exploitation/ | Past, Present, Future of Windows Exploitation | 08-05-2010 |
4 | https://media.blackhat.com/bh-us-10/whitepapers/Meer/BlackHat-USA-2010-Meer-History-of-Memory-Corruption-Attacks-wp.pdf | Memory Corruption Attacks: The (almost) Complete History | 25-06-2010 |
5 | https://paulmakowski.wordpress.com/2011/01/25/smashing-the-stack-in-2011/ | Smashing the Stack in 2011 | 25-01-2011 |
6 | http://www.isg.rhul.ac.uk/sullivan/pubs/tr/technicalreport-ir-cs-73.pdf | Memory Errors: The Past, the Present, and the Future | 12-09-2012 |
7 | http://blogbromium.files.wordpress.com/2013/01/heap-sprays-to-sandbox-escapes_issa0113.pdf | Heap Sprays to Sandbox Escapes: A Brief History of Browser Exploitation | xx-01-2013 |