on-pwning
This repository contains my solutions to some CTF challenges and a list of interesting resources about pwning stuff.
Write-Ups/PoCs
- 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools | googleprojectzero.blogspot.com • fuzzing
- 7zip CVE-2016-2334 HFS+ Code Execution Vulnerability | talosintelligence.com
- A cache invalidation bug in Linux memory management | googleprojectzero.blogspot.com
- A collection of JavaScript engine CVEs with PoCs | github.com/tunz
- A Methodical Approach to Browser Exploitation | blog.ret2.io
- Vulnerability Discovery Against Apple Safari | blog.ret2.io
- Timeless Debugging of Complex Software | blog.ret2.io
- Weaponization of a JavaScriptCore Vulnerability | blog.ret2.io
- Cracking the Walls of the Safari Sandbox | blog.ret2.io • Frida, fuzzing
- Exploiting the macOS WindowServer for root | blog.ret2.io • Frida
- A Pwn2Own exploit chain | github.com/saelo
- A Story About Three Bluetooth Vulnerabilities in Android
- All Your Docs Are Belong To Us › reversing an av engine to compose signatures capable of detecting classified documents | objective-see.com
- Avast Antivirus: Remote Stack Buffer Overflow with Magic Numbers | landave.io
- Back to 28: Grub2 Authentication 0-Day | hmarco.org
- Better slow than sorry – VirtualBox 3D acceleration considered harmful | phoenhex.re
- Browser security beyond sandboxing | microsoft.com
- Covering Ian Beer's exploit techniques for getvolattrlist bug (iOS 11-11.3.1) | 4ldebaran.blogspot.com
- CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP | a13xp0p0v.github.io
- Disabling MacOS SIP via a VirtualBox kext Vulnerability | mdsec.co.uk
- eBPF and Analysis of the get-rekt-linux-hardened.c Exploit for CVE-2017-16995 | ricklarabee.blogspot.com
- Exploiting CVE-2017-5123 | reverse.put.as
- Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones | pleasestopnamingvulnerabilities.com
- Extracting a 19 Year Old Code Execution from WinRAR | checkpoint.com
- Frag Grenade! A Remote Code Execution Vulnerability in the Steam Client | contextis.com
- From fuzzing Apache httpd server to CVE-2017-7668 and a $1500 bounty • AFL, rr, valgrind
- Fuzzing Counter-Strike: Global Offensive maps files with AFL | phoenhex.re
- Fuzzing CS:GO BSP Files | path.network
- Game hacking reinvented? – A cod exploit | momo5502.com
- geohot presents an evasi0n7 writeup | geohot.com
- IOHIDeous | IOHIDFamily 0day | siguza.github.io
- iOS 11 Jailbreak | github.com/Coalfire-Research
- IPC Voucher UaF Remote Jailbreak Stage 2 | 360.cn
- Jailbreaks Demystified | geosn0w.github.io
- Kernel RCE caused by buffer overflow in Apple's ICMP packet-handling code (CVE-2018-4407) • QL
- Meltdown Proof-of-Concept | github.com/iaik
- Pwn2Own: Safari sandbox part 1 – Mount yourself a root shell | phoenhex.re
- Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices | googleprojectzero.blogspot.com
- Reading Backwards – Controlling an Integer Underflow in Adobe Reader | zerodayinitiative.com
- Remote LD_PRELOAD Exploitation | elttam.com.au
- System Down: A systemd-journald exploit | openwall.com
- Taking a page from the kernel's book: A TLB issue in mremap() | googleprojectzero.blogspot.com
- The First PS4 Kernel Exploit: Adieu | fail0verflow.com
- v0rtex | IOSurface exploit | siguza.github.io/v0rtex
- VirtualBox VRDP Guest-to-Host Escape | securiteam.com
- virtualbox_e1000_0day | github.com/MorteNoir1
- Xen SMEP (and SMAP) bypass | nccgroup.trust
CTFs
- 0CTF 2017 Quals | BabyHeap2017 | uaf.io
- 33C3 CTF 2016 | babyfengshui | galhacktictrendsetters.wordpress.com
- 33C3 CTF 2016 | hohoho | github.com/InfoSecIITR • bash
- 35C3 CTF 2018 | newphonewhodis | mhackeroni.it
- Atredis BlackHat CTF 2018 | msreverseengineering.com
- CSAW 2017 Finals | kws2 | s3.eurecom.fr
- CSAW 2017 Quals | FuntimeJS | rpis.ec
- DEF CON 2018 Finals | Doublethink | robertxiao.ca
- FAUST CTF 2017 | Alexa | secgroup.github.io
- Google CTF 2017 Quals | Inst Prof | secgroup.github.io
- Google CTF 2017 Quals | Primary | david942j.blogspot.com
- Google CTF 2018 Quals | Sandbox Compat | david942j.blogspot.com
- Hack.lu CTF 2014 | OREO | wapiflapi.github.io • ret2dl-resolve
- Hack.lu CTF 2018 | Baby Kernel | Rusty Codepad | maltekraus.de
- HITCON CTF 2017 Quals | Everlasting Imaginative Void | pwning.fun
- HITCON CTF 2017 Quals | Real Ruby Escaping | david942j.blogspot.com
- HXP CTF 2017 | Flag Store | pwning.re • FORTIFY_SOURCE, seccomp
- noxCTF 2018 | PSRF | github.com/seadog007 • SSRF
- Pwn2Win 2017 | Shift Register | dragonsector.pl
- RingZer0 Team Online CTF | Shellcoding | github.com/VulnHub
- TokyoWesterns CTF 2018 | EscapeMe | david942j.blogspot.com
- TokyoWesterns/MMA CTF 2016 | Diary | uaf.io • seccomp
Readings
- 50 CVEs in 50 Days: Fuzzing Adobe Reader | checkpoint.com • WinAFL
- 6.828: Operating System Engineering | mit.edu
- A binary analysis, count me if you can | shell-storm.org • Pin
- A Eulogy for Format Strings | phrack.org
- A Memory Allocator | g.oswego.edu • dlmalloc
- Advanced Doug Lea's malloc exploits | phrack.org
- Advances in format string exploitation | phrack.org
- AEG: Automatic Exploit Generation • NDSS 2011
- Almost booting an iOS kernel in QEMU | worthdoingbadly.com
- An updated collection of resources targeting browser-exploitation | github.com/m1ghtym0
- AnC | vusec.net • ASLR⊕Cache
- ASLR on the Line: Practical Cache Attacks on the MMU • NDSS 2017, ASLR⊕Cache
- ASLR Protection for Statically Linked Executables | leviathansecurity.com • ELF, RELRO
- Attacking a co-hosted VM: A hacker, a hammer and two memory modules | thisissecurity.stormshield.com
- ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem | atcommands.org
- Awesome Fuzzing | github.com/secfigo
- Beware of strncpy() and strncat() | eklitzke.org
- Binary fuzzing strategies: what works, what doesn't | lcamtuf.blogspot.com
- BlueBorne Information from the Research Team | armis.com
- Bot vs. Bot: Evading Machine Learning Malware Detection • Black Hat USA 2017
- Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets | exodusintel.com
- Bypassing clang’s SafeStack for Fun and Profit • Black Hat Europe 2016
- Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA | nccgroup.trust
- Common Pitfalls When Writing Exploits | mathyvanhoef.com
- Controlling uninitialized memory with LD_PRELOAD | vulnfactory.org
- CPU.fail | cpu.fail
- Cross debugging for MIPS ELF with QEMU/toolchain | reverseengineering.stackexchange.com
- Cyber Security Base • course
- Dirty COW and why lying is bad even if you are the Linux kernel | chao-tic.github.io
- Drammer: Deterministic Rowhammer Attacks on Mobile Platforms • CCS 2016
- Dynamic Binary Instrumentation Primer | deniable.org • DynamoRIO, Frida, Pin
- Educational Heap Exploitation | github.com/shellphish
- Effective file format fuzzing • Black Hat Europe 2016
- ELF Binary Code Injection, Loader/'Decrypter' | pinkstyle.org
- Endpoint Security Self-Protection on MacOS | mdsec.co.uk
- Exploit writing tutorial part 11 : Heap Spraying Demystified | corelan.be
- Exploiting Format String Vulnerabilities | crypto.stanford.edu
- Exploiting the DRAM rowhammer bug to gain kernel privileges | googleprojectzero.blogspot.com
- Extra Exploitation Technique 1: _dl_open | dangokyo.me
- File Stream Pointer Overflows | ouah.org
- FILE Structure Exploitation ('vtable' check bypass) | dhavalkapil.com
- Finding Function's Load Address | uaf.io • DT_STRTAB
- First Steps in Hyper-V Research | microsoft.com
- From Heap to RIP | frizn.fr • dlmalloc, ptmalloc2
- Fully undetectable backdooring PE files | haiderm.com
- Fun with FORTIFY_SOURCE | vulnfactory.org
- Fuzzing arbitrary functions in ELF binaries | blahcat.github.io • LIEF
- Fuzzing with AFL is an Art | moyix.blogspot.com
- Fuzzing workflows; a fuzz job from start to finish | foxglovesecurity.com • AFL
- Generating Software Tests | fuzzingbook.org
- Getting Physical: Extreme abuse of Intel based Paging Systems - Part 1 | secureauth.com
- GLIBC MALLOC FOR EXPLOITERS | yannayl.github.io
- GOT and PLT for pwning. | systemoverlord.com
- Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU | cs.vu.nl
- GTFOBins | gtfobins.github.io
- Hacking a game to learn FRIDA basics (Pwn Adventure 3) | x-c3ll.github.io
- Hacking Blind • S&P 2014, BROP
- Hardening C/C++ Programs Part II – Executable-Space Protection and ASLR | productive-cpp.com
- Hardening ELF binaries using Relocation Read-Only (RELRO) | redhat.com
- Hardware backdoors in some x86 CPUs | github.com/xoreaxeaxeax
- Heap Exploitation | dhavalkapil.com
- Heap Feng Shui in JavaScript • Black Hat Europe 2007
- House of Einherjar — Yet Another Heap Exploitation Technique on GLIBC • CODE BLUE 2016
- How main() is executed on Linux | tldp.org
- How programs get run: ELF binaries | lwn.net
- How the ELF Ruined Christmas • USENIX 2015, _dl_runtime_resolve
- How to build a C program using a custom version of glibc and static linking? | stackoverflow.com
- How to Create a Virus Using the Assembly Language | cranklin.wordpress.com • ELF
- Injecting missing methods at runtime | hopperapp.com • Mach-O
- iOS Hacking Resources | github.com/Siguza
- iOS kernel exploitation archaeology • 34C3
- Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR • MICRO 2016
- Keygenning with KLEE | doar-e.github.io
- ldd arbitrary code execution | catonmat.net
- Learning KVM - implement your own Linux kernel | david942j.blogspot.com
- Linux x86 Program Start Up | dbp-consulting.com
- linux-insides | 0xax.gitbooks.io
- Linux/x86 - sockfd trick + dup2(0,0), dup2(0,1), dup2(0,2) + execve /bin/sh - 50 bytes | shell-storm.org
- macOS Security and Privacy Guide | github.com/drduh
- Making a low level (Linux) debugger, part 3: our first program | asrpo.com
- Meltdown and Spectre | meltdownattack.com
- Memory Corruption Attacks: The (almost) Complete History • Black Hat USA 2010
- Mental Snapshot - _int_free and unlink | uaf.io
- Multiple glibc libraries on a single host | stackoverflow.com
- Named vulnerabilities and their practical impact | github.com/hannob
- New bypass and protection techniques for ASLR on Linux | ptsecurity.com
- On the Effectiveness of Address-Space Randomization • CCS 2004, ASLR
- On vsyscalls and the vDSO | lwn.net
- Once upon a free()... | phrack.org
- OSDev Wiki | osdev.org
- Overcoming (some) Spectre browser mitigations | alephsecurity.com
- FILE Structures: Another Binary Exploitation Technique • HITB GSEC 2018
- Playing with canaries | elttam.com.au
- Playing with signals : An overview on Sigreturn Oriented Programming | thisissecurity.stormshield.com
- Practical C++ Decompilation • REcon 2011
- Programming Z3
- ptmalloc fanzine | tukan.farm
- Pwning (sometimes) with style - Dragons' notes on CTFs • Insomni'hack 2015
- Pwning coworkers thanks to LaTeX | scumjr.github.io
- pwnlib.dynelf — Resolving remote functions using leaks | pwntools.com
- Radare2 of the Lost Magic Gadget | 0xabe.io
- Reading privileged memory with a side-channel | googleprojectzero.blogspot.com
- Recommended compiler and linker flags for GCC | redhat.com
- Return to VDSO using ELF Auxiliary Vectors | voidsecurity.in
- Reversing C++ programs with IDA pro and Hex-rays | 0xbadc0de.be
- SAT/SMT by example | yurichev.com
- So you want to work in security? (and for some reason ended up here rather than reading other people’s posts on the topic). | ifsec.blogspot.com
- Some universal gadget sequence for Linux x86_64 ROP payload | voidsecurity.in
- Smashing The Stack For Fun And Profit | phrack.org
- Super Awesome Fuzzing, Part One | f-secure.com
- Symbolic Execution: Intuition and Implementation
- Tearing apart printf() | maizure.org
- Technical aspects of CTF contest organization | cert.pl
- The advanced return-into-lib(c) exploits: PaX case study | phrack.org • ret-into-dl
- The Malloc Maleficarum | phrack.org
- The one-gadget in glibc | david942j.blogspot.com
- The real power of Linux executables | ownyourbits.com
- The Stack Clash | qualys.com
- The single instruction C compiler | github.com/xoreaxeaxeax
- Transforming an ELF executable into a library
- Understanding L1 Terminal Fault aka Foreshadow: What you need to know | redhat.com
- UNIX Syscalls | john-millikin.com
- Vudo - An object superstitiously believed to embody magical powers | phrack.org
- Vulnerability hunting with Semmle QL, part 1 | microsoft.com
- What is an ELF Export? | m4b.io
- Why is My Perfectly Good Shellcode Not Working?: Cache Coherency on MIPS and ARM | senr.io
Talks/Presentations
- From Kernel to VMM by Jacob Torrey (@JacobTorrey)
- $hell on Earth: From Browser to System Compromise by Matt Molinyawe, Jasiel Spelman, Abdul-Aziz Hariri and Joshua Smith • Black Hat USA 2016
- A Christmas Carol - The Spectres of the Past, Present, and Future by Moritz Lipp, Michael Schwarz, Daniel Gruss and Claudio Canella • 35C3
- Attacking The XNU Kernel In El Capitan by Luca Todesco (@qwertyoruiop) • Black Hat Europe 2015
- Behind the Scenes with iOS Security by Ivan Krstić • Black Hat USA 2016
- Breaking the x86 Instruction Set by Christopher Domas (@xoreaxeaxeax) • Black Hat USA 2017
- Browser bug hunting - Memoirs of a last man standing by Atte Kettunen • 44CON 2013
- Fixing/Making Holes in Binaries by Shaun Clowes • Black Hat USA 2002
- Infosec and failure by Ange Albertini • Hack.lu 2017
- Jailbreaking iOS by tihmstar • 35C3
- Linux Vulnerabilities Windows Exploits: Escalating Privileges with WSL by Saar Amar (@AmarSaar) • BlueHat IL 2018
- Modern Windows Userspace Exploitation by Saar Amar (@AmarSaar) • 35C3
- Pwned By The Owner: What Happens When You Steal A Hacker's Computer by Zoz • DEF CON 18
- The Layman's Guide to Zero-Day Engineering by Markus Gaasedelen and Amy (@itszn) • 35C3
- Unexpected Stories From a Hacker Inside the Government by Mudge • DEF CON 21
- Unlocking secrets of proprietary software using Frida by Ole André Vadla Ravnås • NDC 2018
- Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? by James Mickens
Tools
- AFL | lcamtuf.coredump.cx
- angr | angr.io
- BinNavi | github.com/google
- Bootlin | bootlin.com
- bowkin | github.com/integeruser
- Buildroot | buildroot.org
- cave_miner | github.com/Antonin-Deniau
- Cling | cern.ch
- Compiler Explorer | godbolt.org
- crashwalk | github.com/bnagy
- crosstool-NG | crosstool-ng.github.io
- dockcross | github.com/dockcross
- Exodus | github.com/intoli
- FLARE VM | github.com/fireeye
- Frida | frida.re
- GEF | github.com/hugsy
- ghidra | github.com/NationalSecurityAgency
- HackSys Extreme Vulnerable Driver | github.com/hacksysteam
- KLEE | klee.github.io
- LIEF | github.com/lief-project
- linux-kernel-module-cheat | github.com/cirosantilli
- McSema | github.com/trailofbits
- ODA | onlinedisassembler.com
- one_gadget | github.com/david942j
- osxcross | github.com/tpoechtrager
- patchelf | github.com/NixOS
- preeny | github.com/zardus
- pwndbg | github.com/pwndbg
- pwnjs | github.com/theori-io
- PyREBox | github.com/Cisco-Talos
- QIRA | github.com/geohot
- RetDec | github.com/avast-tl
- rr | rr-project.org
- seccomp-tools | github.com/david942j
- Villoc | github.com/wapiflapi
- Woboq | woboq.org
- Z3 | github.com/Z3Prover
IDA
- A list of IDA Plugins | github.com/onethawt
- A set of exploitation/reversing aids for IDA | github.com/1111joe1111
- An IDA Pro plugin to examine the glibc heap, focused on exploit development | github.com/danigargu
- Collaborative Reverse Engineering plugin for IDA Pro & Hex-Rays | github.com/IDArlingTeam
- Hex-Rays Decompiler plugin for better code navigation | github.com/REhints
- HexRaysPyTools | github.com/igogo-x86
- IDA 2016 plugin contest winner! Symbolic Execution just one-click away! | github.com/illera88
- IDA Pro utilities from FLARE team | github.com/fireeye
- Make your IDA Lazy! | github.com/L4ys
- Multi-architecture assembler for IDA Pro. Powered by Keystone Engine. | github.com/keystone-engine