194 lines
20 KiB
Markdown
Raw Normal View History

2017-12-26 00:11:34 -05:00
# Exploit Development References
Exploit development is a complex field requiring deep knowledge of various programming languages, networking, operating systems, and security principles. The following are some key areas you should focus on:
1. **Programming Languages**: You should have a strong command of at least one low-level programming language like C or C++, as understanding how these languages interact with hardware and memory is crucial for exploit development. High-level languages like Python are also important for scripting and automating tasks.
2. **Assembly Language & Reverse Engineering**: Knowledge of assembly language is essential. It is the language of the processor, and understanding it will give you insight into how software behaves at the lowest level. Coupled with reverse engineering skills, you can deconstruct and understand how software is working, even when you don't have the source code.
3. **Operating Systems**: Have a deep understanding of the internals of various operating systems (especially Windows, Linux, and possibly macOS). Focus on topics like processes, threads, memory management, and the kernel.
4. **Networking**: Strong knowledge of networking is important. You should understand TCP/IP at a minimum, but also higher-level protocols like HTTP and DNS.
5. **Buffer Overflows & Vulnerabilities**: Study common types of vulnerabilities such as buffer overflows, use-after-free, race conditions, format string vulnerabilities, and integer overflows. Understanding how these vulnerabilities occur and how they can be exploited is key.
6. **Exploitation Techniques**: Study various exploitation techniques, such as Return-oriented Programming (ROP), heap spraying, and format string exploitation. These techniques are often used in crafting exploits for known vulnerabilities.
7. **Shellcoding**: Learn how to write shellcode, which is the payload that runs after successfully exploiting a vulnerability.
8. **Fuzzing**: Fuzzing is a technique for discovering bugs and potential vulnerabilities in software. Learning how to implement intelligent fuzzing strategies could help you find new exploits.
9. **Security Tools**: Get familiar with tools used in exploit development like debuggers (GDB, WinDbg), disassemblers (IDA Pro, Ghidra), and fuzzing tools (AFL, libFuzzer).
10. **Ethics and Legal Concerns**: Remember, all these skills must be used responsibly. You should have a strong understanding of the ethics involved in hacking, and you should only attempt to exploit software in legal contexts, such as part of a job where you have been given permission to do so, or in a controlled environment for research or educational purposes.
11. **Keep up with Industry Trends**: Exploit development is a constantly evolving field. Keep yourself updated with the latest vulnerabilities, exploitation techniques, and patches. Participate in Capture The Flag (CTF) competitions and follow various security blogs and forums.
2017-12-26 00:11:34 -05:00
## Tutorials and Examples
* [Shellcode Tutorial](https://www.vividmachines.com/shellcode/shellcode.html)
* [Shellcode Examples](https://shell-storm.org/shellcode/)
2017-12-26 00:11:34 -05:00
* [Exploit Writing Tutorials](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
2018-01-20 01:57:28 -05:00
* [Exploit Exercises](https://exploit-exercises.com/)
2017-12-26 00:11:34 -05:00
## Hex Editors
* [HexEdit.js](https://hexed.it) - Browser-based hex editing.
* [Hexinator](https://hexinator.com/) - World's finest (proprietary, commercial) Hex Editor.
* [Frhed](https://frhed.sourceforge.net/) - Binary file editor for Windows.
* [0xED](https://www.suavetech.com/0xed/0xed.html) - Native macOS hex editor that supports plug-ins to display custom data types.
2017-12-26 00:11:34 -05:00
## File Format Analysis Tools
* [Kaitai Struct](https://kaitai.io/) - File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
2017-12-26 00:11:34 -05:00
* [Veles](https://codisec.com/veles/) - Binary data visualization and analysis tool.
* [Hachoir](https://hachoir3.readthedocs.io/) - Python library to view and edit a binary stream as tree of fields and tools for metadata extraction.
2017-12-26 00:11:34 -05:00
## Reverse Engineering Tools
2018-01-20 01:55:59 -05:00
The following are some of the most popular reverse engineering tools. HOWEVER! GO TO THE [REVERSE ENGINEERING SECTION](https://github.com/The-Art-of-Hacking/art-of-hacking/blob/master/reverse_engineering/README.md) for more references.
2019-05-30 15:20:45 -04:00
* [Ghidra](https://ghidra-sre.org/) - a software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate
2017-12-26 00:11:34 -05:00
* [Interactive Disassembler (IDA Pro)](https://www.hex-rays.com/products/ida/) - Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware.shtml).
* [WDK/WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx) - Windows Driver Kit and WinDbg.
* [OllyDbg](https://www.ollydbg.de/) - x86 debugger for Windows binaries that emphasizes binary code analysis.
* [Radare2](https://rada.re/r/index.html) - Open source, crossplatform reverse engineering framework.
* [x64dbg](https://x64dbg.com/) - Open source x64/x32 debugger for windows.
* [Immunity Debugger](https://debugger.immunityinc.com/) - Powerful way to write exploits and analyze malware.
* [Evan's Debugger](https://www.codef00.com/projects#debugger) - OllyDbg-like debugger for GNU/Linux.
2017-12-26 00:11:34 -05:00
* [Medusa](https://github.com/wisk/medusa) - Open source, cross-platform interactive disassembler.
* [plasma](https://github.com/joelpx/plasma) - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
* [peda](https://github.com/longld/peda) - Python Exploit Development Assistance for GDB.
* [dnSpy](https://github.com/0xd4d/dnSpy) - Tool to reverse engineer .NET assemblies.
* [binwalk](https://github.com/devttys0/binwalk) - Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable Reverse Engineering sandbox by Cisco-Talos.
* [Voltron](https://github.com/snare/voltron) - Extensible debugger UI toolkit written in Python.
* [Capstone](https://www.capstone-engine.org/) - Lightweight multi-platform, multi-architecture disassembly framework.
2017-12-26 00:11:34 -05:00
* [rVMI](https://github.com/fireeye/rVMI) - Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.
* [Frida](https://www.frida.re/) - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
## Implant Creation
* [Exploiting CVE-2017-0199: HTA Handler Vulnerability](https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/)
* [CVE-2017-0199 Toolkit](https://github.com/bhdresh/CVE-2017-0199)
* [CVE-2017-8759-Exploit-sample](https://github.com/vysec/CVE-2017-8759-Exploit-sample)
* [Window Signed Binary](https://github.com/vysec/Windows-SignedBinary)
* [Wepwnise](https://labs.mwrinfosecurity.com/tools/wepwnise/)
* [Bash Bunny](https://hakshop.com/products/bash-bunny)
* [Generate Macro - Tool](https://github.com/enigma0x3/Generate-Macro)
* [How To: Empires Cross Platform Office Macro](https://www.blackhillsinfosec.com/empires-cross-platform-office-macro/)
* [Excel macros with PowerShell](https://4sysops.com/archives/excel-macros-with-powershell/)
* [PowerPoint and Custom Actions](https://phishme.com/powerpoint-and-custom-actions/)
* [MS Signed mimikatz in just 3 steps](https://github.com/secretsquirrel/SigThief)
* [Hiding your process from sysinternals](https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/)
* [Luckystrike: An Evil Office Document Generator](https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator)
* [The Absurdly Underestimated Dangers of CSV Injection](https://georgemauer.net/2017/10/07/csv-injection.html)
* [Macro-less Code Exec in MSWord](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
* [Multi-Platform Macro Phishing Payloads](https://medium.com/@malcomvetter/multi-platform-macro-phishing-payloads-3b688e8eff68)
* [Macroless DOC malware that avoids detection with Yara rule](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/)
* [Empire without powershell](https://bneg.io/2017/07/26/empire-without-powershell-exe/)
* [Powershell without Powershell to bypass app whitelist](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/)
* [Phishing between the app whitelists](https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279)
* [Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)](https://subt0x10.blogspot.sg/2017/04/bypass-application-whitelisting-script.html)
* [Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations](https://subt0x10.blogspot.sg/2017/04/bypassing-application-whitelisting.html)
* [Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
* [Week of Evading Microsoft ATA - Announcement and Day 1 to Day 5](https://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html)
* [AMSI How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It](https://www.labofapenetrationtester.com/2016/09/amsi.html)
* [USING A SCF FILE TO GATHER HASHES](https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/)
* [USING THE DDE ATTACK WITH POWERSHELL EMPIRE](https://1337red.wordpress.com/using-the-dde-attack-with-powershell-empire/)
* [AVSignSeek](https://github.com/hegusung/AVSignSeek)
* [Keying Payloads for Scripting Languages](https://adapt-and-attack.com/2017/11/15/keying-payloads-for-scripting-languages/)
* [Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)](https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-1-of-2/)
* [Executing Metasploit & Empire Payloads from MS Office Document Properties (part 2 of 2)](https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-2-of-2/)
* [Microsoft Office NTLM Hashes via Frameset](https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/)
* [Abusing Microsoft Word Features for Phishing: “subDoc”](https://rhinosecuritylabs.com/research/abusing-microsoft-word-features-phishing-subdoc/)
* [code signing certificate cloning attacks and defenses](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
* [userland api monitoring and code injection detection](https://0x00sec.org/t/userland-api-monitoring-and-code-injection-detection/5565)
* [In memory evasion](https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/)
2018-12-02 22:22:45 -05:00
## <a name="Return_oriented_programming" />Return Oriented Programming
+ [The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls](https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
+ [Blind return-oriented programming](https://www.scs.stanford.edu/brop/bittau-brop.pdf)
2018-12-02 22:22:45 -05:00
+ [Sigreturn-oriented Programming](https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf)
+ [Jump-Oriented Programming: A New Class of Code-Reuse Attack](https://www.csc2.ncsu.edu/techreports/tech/2010/TR-2010-8.pdf)
+ [ROP is Still Dangerous: Breaking Modern Defenses](https://people.eecs.berkeley.edu/~daw/papers/rop-usenix14.pdf)
2018-12-02 22:22:45 -05:00
+ [Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses](https://www.sec.in.tum.de/assets/staff/muntean/Loop-Oriented_Programming_A_New_Code_Reuse_Attack_to_Bypass_Modern0ADefenses.pdf) - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
+ [Systematic Analysis of Defenses Against Return-Oriented Programming](https://people.csail.mit.edu/nickolai/papers/skowyra-rop.pdf) -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
+ [Return-oriented programming without returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
+ [Jump-oriented programming: a new class of code-reuse attack](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
+ [Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf) - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
+ [Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-goktas.pdf) - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) part 1](https://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/) - by Marco Mastropaolo [2005]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) part 2](https://www.mastropaolo.com/2005/06/05/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-2-code-injection/) - by Marco Mastropaolo [2005]
+ [Practical Rop](https://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) - by Dino Dai Zovi [2010]
2018-12-02 22:22:45 -05:00
+ [Exploitation with WriteProcessMemory](https://packetstormsecurity.com/papers/general/Windows-DEP-WPM.txt) - by Spencer Pratt [2010]
+ [Exploitation techniques and mitigations on Windows](https://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf) - by skape
+ [A little return oriented exploitation on Windows x86 Part 1](https://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html) - by Harmony Security and Stephen Fewer [2010]
+ [A little return oriented exploitation on Windows x86 Part 2](https://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html) - by Harmony Security and Stephen Fewer [2010]
2018-12-02 22:22:45 -05:00
## Windows memory protections
2018-12-02 22:22:45 -05:00
*Windows memory protections Introduction Articles.*
+ [Data Execution Prevention](https://support.microsoft.com/kb/875352)
+ [/GS (Buffer Security Check)](https://msdn.microsoft.com/en-us/library/Aa290051)
+ [/SAFESEH](https://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx)
+ [ASLR](https://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx)
+ [SEHOP](https://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
## Exploit development tutorial series
2018-12-02 22:22:45 -05:00
*Exploid Development Tutorial Series Base on Windows Operation System Articles.*
<a name="corelan" />
- Corelan Team
+ [Exploit writing tutorial part 1 : Stack Based Overflows](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
+ [Exploit writing tutorial part 2 : Stack Based Overflows jumping to shellcode](https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/)
+ [Exploit writing tutorial part 3 : SEH Based Exploits](https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/)
+ [Exploit writing tutorial part 3b : SEH Based Exploits just another example](https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/)
+ [Exploit writing tutorial part 4 : From Exploit to Metasploit The basics](https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/)
+ [Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development](https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/)
+ [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
+ [Exploit writing tutorial part 7 : Unicode from 0x00410041 to calc](https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/)
+ [Exploit writing tutorial part 8 : Win32 Egg Hunting](https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/)
+ [Exploit writing tutorial part 9 : Introduction to Win32 shellcoding](https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/)
+ [Exploit writing tutorial part 10 : Chaining DEP with ROP the Rubiks Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)
+ [Exploit writing tutorial part 11 : Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
- <a name="fuzzysecurity" />Fuzzysecurity
+ [Part 1: Introduction to Exploit Development](https://www.fuzzysecurity.com/tutorials/expDev/1.html)
+ [Part 2: Saved Return Pointer Overflows](https://www.fuzzysecurity.com/tutorials/expDev/2.html)
+ [Part 3: Structured Exception Handler (SEH)](https://www.fuzzysecurity.com/tutorials/expDev/3.html)
+ [Part 4: Egg Hunters](https://www.fuzzysecurity.com/tutorials/expDev/4.html)
+ [Part 5: Unicode 0x00410041](https://www.fuzzysecurity.com/tutorials/expDev/5.html)
+ [Part 6: Writing W32 shellcode](https://www.fuzzysecurity.com/tutorials/expDev/6.html)
+ [Part 7: Return Oriented Programming](https://www.fuzzysecurity.com/tutorials/expDev/7.html)
+ [Part 8: Spraying the Heap Chapter 1: Vanilla EIP](https://www.fuzzysecurity.com/tutorials/expDev/8.html)
+ [Part 9: Spraying the Heap Chapter 2: Use-After-Free](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
+ [Part 10: Kernel Exploitation -> Stack Overflow](https://www.fuzzysecurity.com/tutorials/expDev/14.html)
+ [Part 11: Kernel Exploitation -> Write-What-Where](https://www.fuzzysecurity.com/tutorials/expDev/15.html)
+ [Part 12: Kernel Exploitation -> Null Pointer Dereference](https://www.fuzzysecurity.com/tutorials/expDev/16.html)
+ [Part 13: Kernel Exploitation -> Uninitialized Stack Variable](https://www.fuzzysecurity.com/tutorials/expDev/17.html)
+ [Part 14: Kernel Exploitation -> Integer Overflow](https://www.fuzzysecurity.com/tutorials/expDev/18.html)
+ [Part 15: Kernel Exploitation -> UAF](https://www.fuzzysecurity.com/tutorials/expDev/19.html)
+ [Part 16: Kernel Exploitation -> Pool Overflow](https://www.fuzzysecurity.com/tutorials/expDev/20.html)
+ [Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](https://www.fuzzysecurity.com/tutorials/expDev/21.html)
+ [Heap Overflows For Humans 101](https://www.fuzzysecurity.com/tutorials/mr_me/2.html)
+ [Heap Overflows For Humans 102](https://www.fuzzysecurity.com/tutorials/mr_me/3.html)
+ [Heap Overflows For Humans 102.5](https://www.fuzzysecurity.com/tutorials/mr_me/4.html)
+ [Heap Overflows For Humans 103](https://www.fuzzysecurity.com/tutorials/mr_me/5.html)
+ [Heap Overflows For Humans 103.5](https://www.fuzzysecurity.com/tutorials/mr_me/6.html)
2018-12-02 22:22:45 -05:00
- <a name="securitysift" />Securitysift
+ [Windows Exploit Development Part 1: The Basics](https://www.securitysift.com/windows-exploit-development-part-1-basics/)
+ [Windows Exploit Development Part 2: Intro to Stack Based Overflows](https://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/)
+ [Windows Exploit Development Part 3: Changing Offsets and Rebased Modules](https://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/)
+ [Windows Exploit Development Part 4: Locating Shellcode With Jumps](https://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/)
+ [Windows Exploit Development Part 5: Locating Shellcode With Egghunting](https://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/)
+ [Windows Exploit Development Part 6: SEH Exploits](https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/)
+ [Windows Exploit Development Part 7: Unicode Buffer Overflows](https://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/)
2018-12-02 22:22:45 -05:00