on-pwning

This repository contains my solutions to some CTF challenges and a list of interesting resources about pwning stuff.

Readings

• A binary analysis, count me if you can
• A Memory Allocator
• A Methodical Approach to Browser Exploitation | Ret2 Systems Blog, Vulnerability Discovery Against Apple Safari | Ret2 Systems Blog, Timeless Debugging of Complex Software | Ret2 Systems Blog, Weaponization of a JavaScriptCore Vulnerability
• About Exploits Writing
• All Your Docs Are Belong To Us › reversing an av engine to compose signatures capable of detecting classified documents
• Almost booting an iOS kernel in QEMU
• ASLR Protection for Statically Linked Executables — Leviathan Security • ASLR, ELF, RELRO
• Beware of strncpy() and strncat()
• Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
• Collection of Known Patching Techniques • ELF
• Common Pitfalls When Writing Exploits
• Controlling uninitialized memory with LD_PRELOAD
• Cross debugging for MIPS ELF with QEMU/toolchain
• [CB16] House of Einherjar — Yet Another Heap Exploitation Technique on GLIBC by Hiroki Matsukuma
• Dirty COW and why lying is bad even if you are the Linux kernel
• ELF Binary Code Injection, Loader/'Decrypter'
• Endpoint Security Self-Protection on MacOS – MDSec
• Exploiting Format String Vulnerabilities
• Frag Grenade! A Remote Code Execution Vulnerability in the Steam Client
• FrizN - glibc - From Heap to RIP
• Fully undetectable backdooring PE files
• Fuzzing arbitrary functions in ELF binaries - Blah Cats
• Fuzzing Counter-Strike: Global Offensive maps files with AFL
• Fuzzing workflows; a fuzz job from start to finish
• Game hacking reinvented? – A cod exploit
• GLIBC MALLOC FOR EXPLOITERS
• GOT and PLT for pwning.
• Hardening C/C++ Programs Part II – Executable-Space Protection and ASLR – Productive C++
• Heap Exploitation
• Hiding content from Git + more on escape sequences | TwistlockLabs Experiment
• How main() is executed on Linux
• How programs get run: ELF binaries
• How to Create a Virus Using the Assembly Language
• Injecting missing methods at runtime | Hopper Disassembler
• Introduction to Reverse Engineering Cocoa Applications | FireEye Inc
• iOS Security
• Ivan Fratric's Security Blog: So you want to work in security? (and for some reason ended up here rather than reading other people’s posts on the topic).
• Keygenning with KLEE
• ldd arbitrary code execution
• Linux x86 Program Start Up
• linux-insides
• macOS Security and Privacy Guide
• Making a low level (Linux) debugger, part 3: our first program
• Memory Corruption Attacks: The (almost) Complete History
• New bypass and protection techniques for ASLR on Linux
• Overcoming (some) Spectre browser mitigations
• Playing with canaries
• Push the Red Button: Fuzzing with AFL is an Art
• Pwning coworkers thanks to LaTeX
• Qualys Security Advisory - The Stack Clash
• Radare2 of the Lost Magic Gadget
• Recommended compiler and linker flags for GCC
• Replacing x86 firmware with Linux and Go
• Return to VDSO using ELF Auxiliary Vectors
• Reversing C++ programs with IDA pro and Hex-rays
• secfigo/Awesome-Fuzzing: A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.
• Siguza/ios-resources: Useful resources for iOS hacking
• Some universal gadget sequence for Linux x86_64 ROP payload
• Tearing apart printf()
• Technical aspects of CTF contest organization - CERT Polska
• The Art Of ELF: Analysis and Exploitations
• The Chakra Exploit And The Limitations Of Modern Cyber Security Threat Mitigation Techniques
• The hacker known as "Alex" — Operation Luigi: How I hacked my friend without her noticing
• The one-gadget in glibc
• The real power of Linux executables
• Understanding L1 Terminal Fault aka Foreshadow: What you need to know
• Unix ELF parasites and virus
• UNIX Syscalls
• Welcome to the New Order: A DEF CON 2018 Retrospective
• What are vdso and vsyscall?
• What is the difference between .got and .got.plt section?
• What is this protection that seems to prevent ROP when ASLR in ON?

Exploits

• aPAColypse now: Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript
• AnC - VUSec • ASLR⊕Cache
• ArmisSecurity/blueborne: PoC scripts demonstrating the BlueBorne vulnerabilities
• Attacking a co-hosted VM: A hacker, a hammer and two memory modules - This is Security :: by Stormshield
• Avast Antivirus: Remote Stack Buffer Overflow with Magic Numbers
• Back to 28: Grub2 Authentication 0-Day
• Better slow than sorry – VirtualBox 3D acceleration considered harmful
• BlueBorne RCE on Android 6.0.1 (CVE-2017-0781) [English]
• Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets | Exodus Intelligence
• Browser security beyond sandboxing – Windows Security blog
• "Bypassing" Microsoft's Patch for CVE-2017-0199
• Cisco's Talos Intelligence Group Blog: Vulnerability Walkthrough: 7zip CVE-2016-2334 HFS+ Code Execution Vulnerability
• Coalfire-Research/iOS-11.1.2-15B202-Jailbreak
• CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP
• CY-2017-011: Type Confusion in Adobe Acrobat
• Dirty COW and why lying is bad even if you are the Linux kernel
• Disabling MacOS SIP via a VirtualBox kext Vulnerability – MDSec
• Educational Heap Exploitation
• elttam - Remote LD_PRELOAD Exploitation
• Escaping Docker container using waitid() - CVE-2017-5123 | Twistlock
• Exploit writing tutorial part 11 : Heap Spraying Demystified
• Exploiting CVE-2017-5123
• Exploiting the DRAM rowhammer bug to gain kernel privileges
• fail0verflow :: The First PS4 Kernel Exploit: Adieu
• Finding Function's Load Address • DT_STRTAB
• File Stream Pointer Overflows
• FILE Structure Exploitation ('vtable' check bypass)
• Flash JIT – Spraying info leak gadgets
• Fun with FORTIFY_SOURCE
• Fuzzing CS:GO BSP Files
• geohot presents an evasi0n7 writeup
• “Huge Dirty COW” (CVE-2017–1000405)
• IAIK/meltdown: This repository contains several applications, demonstrating the Meltdown bug.
• IOHIDeous | IOHIDFamily 0day
• Kernel Pool Overflow Exploitation In Real World – Windows 10 | TRACKWATCH
• kkamagui/linux-kernel-exploits: Linux kernel exploits for local privilege escalation
• Libc Realpath Buffer Underflow
• Linux heap exploitation intro series: riding free on the heap – double free attacks!
• Linux/x86 - sockfd trick + dup2(0,0), dup2(0,1), dup2(0,2) + execve /bin/sh - 50 bytes
• Mental Snapshot - _int_free and unlink • free, heap, unlink
• Never-Ending Security: eBPF and Analysis of the get-rekt-linux-hardened.c Exploit for CVE-2017-16995
• Offset2lib: bypassing full ASLR on 64bit Linux
• Play with FILE Structure - Yet Another Binary Exploit Technique
• Playing with signals : An overview on Sigreturn Oriented Programming
• Please Stop Naming Vulnerabilities: Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones
• Project Zero: Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices
• Pwn2Own: Safari sandbox part 1 – Mount yourself a root shell
• Pwn2Own: Safari sandbox part 2 – Wrap your way around to root
• Pwning (sometimes) with style - Dragons' notes on CTFs
• pwnlib.dynelf — Resolving remote functions using leaks
• Qualys Security Advisory - Buffer overflow in glibc's ld.so
• Reading privileged memory with a side-channel
• SSD Advisory – VirtualBox VRDP Guest-to-Host Escape – SecuriTeam Blogs
• The info leak era on software exploitation
• v0rtex | IOSurface exploit
• What is vulnerable about this C code? • env
• x86 Exploitation 101: heap overflows… unlink me, would you please? • dlmalloc, heap, unlink
• Xen SMEP (and SMAP) bypass
• xoreaxeaxeax/rosenbridge: Hardware backdoors in some x86 CPUs
• Zero Day Initiative — Reading Backwards – Controlling an Integer Underflow in Adobe Reader
• Zero Day Initiative — Use-After-Silence: Exploiting a quietly patched UAF in VMware

Papers

• A Eulogy for Format Strings • Phrack
• ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem
• Advanced Doug Lea's malloc exploits • Phrack
• Advances in format string exploitation • Phrack
• AEG: Automatic Exploit Generation • NDSS 2011
• ASLR on the Line: Practical Cache Attacks on the MMU • NDSS 2017, ASLR⊕Cache
• Drammer: Deterministic Rowhammer Attacks on Mobile Platforms • CCS 2016
• Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors • ISCA 2014
• Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU
• Hacking Blind • S&P 2014, BROP
• How the ELF Ruined Christmas • USENIX 2015, _dl_runtime_resolve
• Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR • MICRO 2016
• On the Effectiveness of Address-Space Randomization • CCS 2004, ASLR
• On the Effectiveness of Full-ASLR on 64-bit Linux • DeepSec 2014, offset2lib
• Once upon a free()... • Phrack
• Smashing The Stack For Fun And Profit • Phrack
• The advanced return-into-lib(c) exploits: PaX case study • Phrack, ret-into-dl
• The Malloc Maleficarum • Phrack
• Vudo - An object superstitiously believed to embody magical powers • Phrack, dlmalloc, frontlink, unlink

Talks/Presentations

• $hell on Earth: From Browser to System Compromise • Black Hat USA 2016
• Attacking The XNU Kernel In El Capitan • Black Hat Europe 2015
• Behind the Scenes with iOS Security • Black Hat USA 2016
• Bot vs. Bot: Evading Machine Learning Malware Detection • Black Hat USA 2017
• Breaking the x86 Instruction Set • Black Hat USA 2017
• Bypassing clang’s SafeStack for Fun and Profit • Black Hat Europe 2016
• Effective file format fuzzing by j00ru • Black Hat Europe 2016
• Fixing/Making Holes in Binaries • Black Hat USA 2002
• Heap Feng Shui in JavaScript • Black Hat Europe 2007
• Infosec and failure by 杏👼Ąż • Hack.lu 2017
• iOS kernel exploitation archaeology by argp • 34C3
• Linux Vulnerabilities Windows Exploits: Escalating Privileges with WSL by Saar Amar • BlueHat IL 2018
• Machine learning, offense, and the future of automation by halvarflake • ZeroNights 2017
• Practical C++ Decompilation • REcon 2011
• Pwned By The Owner: What Happens When You Steal A Hacker's Computer by Zoz • DEF CON 18
• return-to-csu: A New Method to Bypass 64-bit Linux ASLR • Black Hat Asia 2018
• Unexpected Stories From a Hacker Inside the Government by Mudge • DEF CON 21

Write-ups

• 0ctf Quals 2017 - BabyHeap2017 • fastbins
• 33C3 CTF – babyfengshui
• c00kies@venice - FAUST CTF 2017 Write-Up: Alexa
• c00kies@venice - Google CTF 2017 (Quals) Write-Up: Inst Prof
• CSAW '17 PWN - Auir (200pt)
• CSAW 2017 Finals - kws2
• CSAW Quals 2017 FuntimeJS - RPISEC Blog
• CSAW Quals 2017: Zone Writeup
• [DEFCON 2018] Doublethink – 8-Architecture Assembly Polyglot – Robert Xiao
• Dragon Sector: Pwn2Win 2017 - Shift Register
• Exploit Exercise - Format String FORTIFY_SOURCE Bypass • FORTIFY_SOURCE
• exploit exercises - protostar - heap levels | research | sprawl
• Hack.lu's OREO with ret2dl-resolve
• Heap Exploitation ~ Fastbin Attack
• Hitcon2017CTF - 家徒四壁Everlasting Imaginative Void
• Hohoho • bash
• HXP CTF 2017 - Writeup • FORTIFY_SOURCE, seccomp
• Nebula level15 write-up • RPATH
• [Official Write-up] HITCON CTF 2017 - pwn327 Real Ruby Escaping
• Play With Capture The Flag: [Write-up] Google CTF 2017 - pwn474 primary
• RingZer0Team - Shellcoding
• seadog007/noxCTF-2018-PSRF-as-Pwn • SSRF
• Tokyo Westerns MMA 2016 - Diary • seccomp