cyber-security-resources/exploit_development/README.md
2018-12-02 22:22:45 -05:00

# Exploit Development References
## Tutorials and Examples
* [Shellcode Tutorial](http://www.vividmachines.com/shellcode/shellcode.html)
* [Shellcode Examples](http://shell-storm.org/shellcode/)
* [Exploit Writing Tutorials](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
* [Exploit Exercises](https://exploit-exercises.com/)
## Hex Editors
* [HexEdit.js](https://hexed.it) - Browser-based hex editing.
* [Hexinator](https://hexinator.com/) - World's finest (proprietary, commercial) Hex Editor.
* [Frhed](http://frhed.sourceforge.net/) - Binary file editor for Windows.
* [0xED](http://www.suavetech.com/0xed/0xed.html) - Native macOS hex editor that supports plug-ins to display custom data types.
## File Format Analysis Tools
* [Kaitai Struct](http://kaitai.io/) - File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
* [Veles](https://codisec.com/veles/) - Binary data visualization and analysis tool.
* [Hachoir](http://hachoir3.readthedocs.io/) - Python library to view and edit a binary stream as tree of fields and tools for metadata extraction.
## Reverse Engineering Tools
The following are some of the most popular reverse engineering tools. For more references, see the [reverse engineering section](https://github.com/The-Art-of-Hacking/art-of-hacking/blob/master/reverse_engineering/README.md).
* [Interactive Disassembler (IDA Pro)](https://www.hex-rays.com/products/ida/) - Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware.shtml).
* [WDK/WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365.aspx) - Windows Driver Kit and WinDbg.
* [OllyDbg](http://www.ollydbg.de/) - x86 debugger for Windows binaries that emphasizes binary code analysis.
* [Radare2](http://rada.re/r/index.html) - Open source, cross-platform reverse engineering framework.
* [x64dbg](http://x64dbg.com/) - Open source x64/x32 debugger for Windows.
* [Immunity Debugger](http://debugger.immunityinc.com/) - Powerful way to write exploits and analyze malware.
* [Evan's Debugger](http://www.codef00.com/projects#debugger) - OllyDbg-like debugger for GNU/Linux.
* [Medusa](https://github.com/wisk/medusa) - Open source, cross-platform interactive disassembler.
* [plasma](https://github.com/joelpx/plasma) - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
* [peda](https://github.com/longld/peda) - Python Exploit Development Assistance for GDB.
* [dnSpy](https://github.com/0xd4d/dnSpy) - Tool to reverse engineer .NET assemblies.
* [binwalk](https://github.com/devttys0/binwalk) - Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable Reverse Engineering sandbox by Cisco-Talos.
* [Voltron](https://github.com/snare/voltron) - Extensible debugger UI toolkit written in Python.
* [Capstone](http://www.capstone-engine.org/) - Lightweight multi-platform, multi-architecture disassembly framework.
* [rVMI](https://github.com/fireeye/rVMI) - Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.
* [Frida](https://www.frida.re/) - Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
## Implant Creation
* [Exploiting CVE-2017-0199: HTA Handler Vulnerability](https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/)
* [CVE-2017-0199 Toolkit](https://github.com/bhdresh/CVE-2017-0199)
* [CVE-2017-8759-Exploit-sample](https://github.com/vysec/CVE-2017-8759-Exploit-sample)
* [Windows Signed Binary](https://github.com/vysec/Windows-SignedBinary)
* [Wepwnise](https://labs.mwrinfosecurity.com/tools/wepwnise/)
* [Bash Bunny](https://hakshop.com/products/bash-bunny)
* [Generate Macro - Tool](https://github.com/enigma0x3/Generate-Macro)
* [How To: Empires Cross Platform Office Macro](https://www.blackhillsinfosec.com/empires-cross-platform-office-macro/)
* [Excel macros with PowerShell](https://4sysops.com/archives/excel-macros-with-powershell/)
* [PowerPoint and Custom Actions](https://phishme.com/powerpoint-and-custom-actions/)
* [MS Signed mimikatz in just 3 steps](https://github.com/secretsquirrel/SigThief)
* [Hiding your process from sysinternals](https://riscybusiness.wordpress.com/2017/10/07/hiding-your-process-from-sysinternals/)
* [Luckystrike: An Evil Office Document Generator](https://www.shellntel.com/blog/2016/9/13/luckystrike-a-database-backed-evil-macro-generator)
* [The Absurdly Underestimated Dangers of CSV Injection](http://georgemauer.net/2017/10/07/csv-injection.html)
* [Macro-less Code Exec in MSWord](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
* [Multi-Platform Macro Phishing Payloads](https://medium.com/@malcomvetter/multi-platform-macro-phishing-payloads-3b688e8eff68)
* [Macroless DOC malware that avoids detection with Yara rule](https://furoner.wordpress.com/2017/10/17/macroless-malware-that-avoids-detection-with-yara-rule/amp/)
* [Empire without powershell](https://bneg.io/2017/07/26/empire-without-powershell-exe/)
* [Powershell without Powershell to bypass app whitelist](https://www.blackhillsinfosec.com/powershell-without-powershell-how-to-bypass-application-whitelisting-environment-restrictions-av/)
* [Phishing between the app whitelists](https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279)
* [Bypass Application Whitelisting Script Protections - Regsvr32.exe & COM Scriptlets (.sct files)](http://subt0x10.blogspot.sg/2017/04/bypass-application-whitelisting-script.html)
* [Bypassing Application Whitelisting using MSBuild.exe - Device Guard Example and Mitigations](http://subt0x10.blogspot.sg/2017/04/bypassing-application-whitelisting.html)
* [Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
* [Week of Evading Microsoft ATA - Announcement and Day 1 to Day 5](http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html)
* [AMSI How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It](http://www.labofapenetrationtester.com/2016/09/amsi.html)
* [USING A SCF FILE TO GATHER HASHES](https://1337red.wordpress.com/using-a-scf-file-to-gather-hashes/)
* [USING THE DDE ATTACK WITH POWERSHELL EMPIRE](https://1337red.wordpress.com/using-the-dde-attack-with-powershell-empire/)
* [AVSignSeek](https://github.com/hegusung/AVSignSeek)
* [Keying Payloads for Scripting Languages](https://adapt-and-attack.com/2017/11/15/keying-payloads-for-scripting-languages/)
* [Executing Metasploit & Empire Payloads from MS Office Document Properties (part 1 of 2)](https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-1-of-2/)
* [Executing Metasploit & Empire Payloads from MS Office Document Properties (part 2 of 2)](https://stealingthe.network/executing-metasploit-empire-payloads-from-ms-office-document-properties-part-2-of-2/)
* [Microsoft Office NTLM Hashes via Frameset](https://pentestlab.blog/2017/12/18/microsoft-office-ntlm-hashes-via-frameset/)
* [Abusing Microsoft Word Features for Phishing: “subDoc”](https://rhinosecuritylabs.com/research/abusing-microsoft-word-features-phishing-subdoc/)
* [code signing certificate cloning attacks and defenses](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
* [userland api monitoring and code injection detection](https://0x00sec.org/t/userland-api-monitoring-and-code-injection-detection/5565)
* [In memory evasion](https://blog.cobaltstrike.com/2018/02/08/in-memory-evasion/)
## <a name="Return_oriented_programming" />Return Oriented Programming
+ [The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls](http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
+ [Blind return-oriented programming](http://www.scs.stanford.edu/brop/bittau-brop.pdf)
+ [Sigreturn-oriented Programming](https://www.cs.vu.nl/~herbertb/papers/srop_sp14.pdf)
+ [Jump-Oriented Programming: A New Class of Code-Reuse Attack](http://ftp.ncsu.edu/pub/tech/2010/TR-2010-8.pdf)
+ [Out of control: Overcoming control-flow integrity](http://www.cs.stevens.edu/~gportoka/files/outofcontrol_oakland14.pdf)
+ [ROP is Still Dangerous: Breaking Modern Defenses](http://www.cs.berkeley.edu/~daw/papers/rop-usenix14.pdf)
+ [Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses](https://www.sec.in.tum.de/assets/staff/muntean/Loop-Oriented_Programming_A_New_Code_Reuse_Attack_to_Bypass_Modern0ADefenses.pdf) - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
+ [Systematic Analysis of Defenses Against Return-Oriented Programming](https://people.csail.mit.edu/nickolai/papers/skowyra-rop.pdf) - by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
+ [Return-oriented programming without returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf) - by S. Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
+ [Jump-oriented programming: a new class of code-reuse attack](https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf) - by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
+ [Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-davi.pdf) - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
+ [Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-goktas.pdf) - by E. Göktas, E. Athanasopoulos, M. Polychronakis, H. Bos, and G. Portokalidis [2014]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) part 1](http://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/) - by Marco Mastropaolo [2005]
+ [Buffer overflow attacks bypassing DEP (NX/XD bits) part 2](http://www.mastropaolo.com/2005/06/05/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-2-code-injection/) - by Marco Mastropaolo [2005]
+ [Practical Rop](http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf) - by Dino Dai Zovi [2010]
+ [Exploitation with WriteProcessMemory](https://packetstormsecurity.com/papers/general/Windows-DEP-WPM.txt) - by Spencer Pratt [2010]
+ [Exploitation techniques and mitigations on Windows](http://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf) - by skape
+ [A little return oriented exploitation on Windows x86 Part 1](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on.html) - by Harmony Security and Stephen Fewer [2010]
+ [A little return oriented exploitation on Windows x86 Part 2](http://blog.harmonysecurity.com/2010/04/little-return-oriented-exploitation-on_16.html) - by Harmony Security and Stephen Fewer [2010]
## <a name="Windows_memory_protections" />Windows memory protections
*Windows memory protections Introduction Articles.*
+ [Data Execution Prevention](http://support.microsoft.com/kb/875352)
+ [/GS (Buffer Security Check)](http://msdn.microsoft.com/en-us/library/Aa290051)
+ [/SAFESEH](http://msdn.microsoft.com/en-us/library/9a89h429(VS.80).aspx)
+ [ASLR](http://blogs.msdn.com/michael_howard/archive/2006/05/26/address-space-layout-randomization-in-windows-vista.aspx)
+ [SEHOP](http://blogs.technet.com/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
## <a name="Bypassing_filter_and_protections" />Bypassing filter and protections
*Windows memory protections Bypass Methods Articles.*
+ [Third Generation Exploitation smashing heap on 2k](http://www.blackhat.com/presentations/win-usa-02/halvarflake-winsec02.ppt) - by Halvar Flake [2002]
+ [Creating Arbitrary Shellcode In Unicode Expanded Strings](http://www.net-security.org/dl/articles/unicodebo.pdf) - by Chris Anley
+ [Advanced windows exploitation](http://www.immunityinc.com/downloads/immunity_win32_exploitation.final2.ppt) - by Dave Aitel [2003]
+ [Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server](http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf) - by David Litchfield
+ [Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2)](http://cybertech.net/~sh0ksh0k/projects/winheap/XPSP2%20Heap%20Exploitation.ppt) - by Matt Conover at CanSecWest 2004
+ [Safely Searching Process Virtual Address Space](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) - by Matt Miller [2004]
+ [IE exploit that used a technique called heap spray](http://www.exploit-db.com/exploits/612)
+ [Bypassing hardware-enforced DEP](http://www.uninformed.org/?v=2&a=4&t=pdf) - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
+ [Exploiting Freelist[0] On XP Service Pack 2](http://www.orkspace.net/secdocs/Windows/Protection/Bypass/Exploiting%20Freelist%5B0%5D%20On%20XP%20Service%20Pack%202.pdf) - by Brett Moore [2005]
+ [Kernel-mode Payloads on Windows in Uninformed](http://www.uninformed.org/?v=3&a=4&t=pdf)
+ [Exploiting 802.11 Wireless Driver Vulnerabilities on Windows](http://www.uninformed.org/?v=6&a=2&t=pdf)
+ [Exploiting Comon Flaws In Drivers](http://www.reversemode.com/index.php?option=com_content&task=view&id=38&Itemid=1)
+ [Heap Feng Shui in JavaScript](http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf) - by Alexander Sotirov [2007]
+ [Understanding and bypassing Windows Heap Protection](http://kkamagui.springnote.com/pages/1350732/attachments/579350) - by Nicolas Waisman [2007]
+ [Heaps About Heaps](http://www.insomniasec.com/publications/Heaps_About_Heaps.ppt) - by Brett Moore [2008]
+ [Bypassing browser memory protections in Windows Vista](http://taossa.com/archive/bh08sotirovdowd.pdf) - by Mark Dowd and Alex Sotirov [2008]
+ [Attacking the Vista Heap](http://www.ruxcon.org.au/files/2008/hawkes_ruxcon.pdf) - by Ben Hawkes [2008]
+ [Return oriented programming Exploitation without Code Injection](http://cseweb.ucsd.edu/~hovav/dist/blackhat08.pdf) - by Hovav Shacham (and others) [2008]
+ [Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8](http://www.argeniss.com/research/TokenKidnapping.pdf) - by Cesar Cerrudo [2008]
+ [Defeating DEP Immunity Way](http://www.immunityinc.com/downloads/DEPLIB.pdf) - by Pablo Sole [2008]
+ [Practical Windows XP2003 Heap Exploitation](http://www.blackhat.com/presentations/bh-usa-09/MCDONALD/BHUSA09-McDonald-WindowsHeap-PAPER.pdf) - by John McDonald and Chris Valasek [2009]
+ [Bypassing SEHOP](http://www.sysdream.com/articles/sehop_en.pdf) - by Stefan Le Berre and Damien Cauquil [2009]
+ [Interpreter Exploitation : Pointer Inference and JIT Spraying](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf) - by Dionysus Blazakis [2010]
+ [Write-up of Pwn2Own 2010](http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf) - by Peter Vreugdenhil
+ [All in one 0day presented in rootedCON](http://wintercore.com/downloads/rootedcon_0day_english.pdf) - by Ruben Santamarta [2010]
+ [DEP/ASLR bypass using 3rd party](http://web.archive.org/web/20130820021520/http://abysssec.com/files/The_Arashi.pdf) - by Shahin Ramezany [2013]
+ [Bypassing EMET 5.0](http://blog.sec-consult.com/2014/10/microsoft-emet-armor-against-zero-days.html) - by René Freingruber [2014]
## <a name="Typical_windows_exploits" />Typical windows exploits
+ [Real-world HW-DEP bypass Exploit](http://www.exploit-db.com/exploits/3652) - by Devcode
+ [Bypassing DEP by returning into HeapCreate](http://www.metasploit.com/redmine/projects/framework/repository/revisions/7246/entry/modules/exploits/windows/brightstor/mediasrv_sunrpc.rb) - by Toto
+ [First public ASLR bypass exploit by using partial overwrite](http://www.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/email/ani_loadimage_chunksize.rb) - by Skape
+ [Heap spray and bypassing DEP](http://skypher.com/SkyLined/download/www.edup.tudelft.nl/%7Ebjwever/exploits/InternetExploiter2.zip) - by Skylined
+ [First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8833/raw/modules/exploits/windows/fileformat/adobe_libtiff.rb)
+ [Exploit codes of bypassing browsers memory protections](http://phreedom.org/research/bypassing-browser-memory-protections/bypassing-browser-memory-protections-code.zip)
+ [PoCs on Token Kidnapping. PoC for 2k3 - part 1](http://www.argeniss.com/research/Churrasco.zip) - by Cesar Cerrudo
+ [PoCs on Token Kidnapping. PoC for 2k8 - part 2](http://www.argeniss.com/research/Churrasco2.zip) - by Cesar Cerrudo
+ [An exploit that works from Win 3.1 to Win 7](http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip) - KiTrap0D, by Tavis Ormandy
+ [Old ms08-067 metasploit module multi-target and DEP bypass](http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi.rb)
+ [PHP 6.0 Dev str_transliterate() Buffer overflow NX + ASLR Bypass](http://www.exploit-db.com/exploits/12189)
+ [SMBv2 Exploit](http://www.metasploit.com/redmine/projects/framework/repository/revisions/8916/raw/modules/exploits/windows/smb/ms09_050_smb2_negotiate_func_index.rb) - by Stephen Fewer
+ [Microsoft IIS 7.5 remote heap buffer overflow](http://www.phrack.org/issues/68/12.html) - by redpantz
+ [Browser Exploitation Case Study for Internet Explorer 11](https://labs.bluefrostsecurity.de/files/Look_Mom_I_Dont_Use_Shellcode-WP.pdf) - by Moritz Jodeit [2016]
## <a name="Exploit_development_tutorial_series" />Exploit development tutorial series
*Exploit development tutorial series articles based on the Windows operating system.*
- <a name="corelan" />Corelan Team
+ [Exploit writing tutorial part 1 : Stack Based Overflows](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
+ [Exploit writing tutorial part 2 : Stack Based Overflows jumping to shellcode](https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/)
+ [Exploit writing tutorial part 3 : SEH Based Exploits](https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/)
+ [Exploit writing tutorial part 3b : SEH Based Exploits just another example](https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/)
+ [Exploit writing tutorial part 4 : From Exploit to Metasploit The basics](https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/)
+ [Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development](https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/)
+ [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
+ [Exploit writing tutorial part 7 : Unicode from 0x00410041 to calc](https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/)
+ [Exploit writing tutorial part 8 : Win32 Egg Hunting](https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/)
+ [Exploit writing tutorial part 9 : Introduction to Win32 shellcoding](https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/)
+ [Exploit writing tutorial part 10 : Chaining DEP with ROP the Rubiks Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)
+ [Exploit writing tutorial part 11 : Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
- <a name="fuzzysecurity" />Fuzzysecurity
+ [Part 1: Introduction to Exploit Development](https://www.fuzzysecurity.com/tutorials/expDev/1.html)
+ [Part 2: Saved Return Pointer Overflows](https://www.fuzzysecurity.com/tutorials/expDev/2.html)
+ [Part 3: Structured Exception Handler (SEH)](https://www.fuzzysecurity.com/tutorials/expDev/3.html)
+ [Part 4: Egg Hunters](https://www.fuzzysecurity.com/tutorials/expDev/4.html)
+ [Part 5: Unicode 0x00410041](https://www.fuzzysecurity.com/tutorials/expDev/5.html)
+ [Part 6: Writing W32 shellcode](https://www.fuzzysecurity.com/tutorials/expDev/6.html)
+ [Part 7: Return Oriented Programming](https://www.fuzzysecurity.com/tutorials/expDev/7.html)
+ [Part 8: Spraying the Heap Chapter 1: Vanilla EIP](https://www.fuzzysecurity.com/tutorials/expDev/8.html)
+ [Part 9: Spraying the Heap Chapter 2: Use-After-Free](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
+ [Part 10: Kernel Exploitation -> Stack Overflow](http://www.fuzzysecurity.com/tutorials/expDev/14.html)
+ [Part 11: Kernel Exploitation -> Write-What-Where](http://www.fuzzysecurity.com/tutorials/expDev/15.html)
+ [Part 12: Kernel Exploitation -> Null Pointer Dereference](http://www.fuzzysecurity.com/tutorials/expDev/16.html)
+ [Part 13: Kernel Exploitation -> Uninitialized Stack Variable](http://www.fuzzysecurity.com/tutorials/expDev/17.html)
+ [Part 14: Kernel Exploitation -> Integer Overflow](http://www.fuzzysecurity.com/tutorials/expDev/18.html)
+ [Part 15: Kernel Exploitation -> UAF](http://www.fuzzysecurity.com/tutorials/expDev/19.html)
+ [Part 16: Kernel Exploitation -> Pool Overflow](http://www.fuzzysecurity.com/tutorials/expDev/20.html)
+ [Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)](http://www.fuzzysecurity.com/tutorials/expDev/21.html)
+ [Heap Overflows For Humans 101](http://www.fuzzysecurity.com/tutorials/mr_me/2.html)
+ [Heap Overflows For Humans 102](http://www.fuzzysecurity.com/tutorials/mr_me/3.html)
+ [Heap Overflows For Humans 102.5](http://www.fuzzysecurity.com/tutorials/mr_me/4.html)
+ [Heap Overflows For Humans 103](http://www.fuzzysecurity.com/tutorials/mr_me/5.html)
+ [Heap Overflows For Humans 103.5](http://www.fuzzysecurity.com/tutorials/mr_me/6.html)
- <a name="securitysift" />Securitysift
+ [Windows Exploit Development Part 1: The Basics](http://www.securitysift.com/windows-exploit-development-part-1-basics/)
+ [Windows Exploit Development Part 2: Intro to Stack Based Overflows](http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/)
+ [Windows Exploit Development Part 3: Changing Offsets and Rebased Modules](http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/)
+ [Windows Exploit Development Part 4: Locating Shellcode With Jumps](http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/)
+ [Windows Exploit Development Part 5: Locating Shellcode With Egghunting](http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/)
+ [Windows Exploit Development Part 6: SEH Exploits](http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/)
+ [Windows Exploit Development Part 7: Unicode Buffer Overflows](http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/)