exploitation.md

Exploitation

• Go back to Home page (awesome list)
• See also Cybersecurity related content

Content

• Embedded and RTOS
• Guides, Tutorials and Writeups
  • Heap
  • Linux kernel
  • Other
• Libcs
• Mitigations
• Misc
• Practice
• TEE
• Tools

Embedded and RTOS

• "MCUBOOT: Security Assessment":
  • Part 1
  • Part 2
• "MCUBoot Under (good) Pressure":
  • Part 1
  • Part 2
• "Zephyr and MCUboot Security Analysis"

Guides, Tutorials and Writeups

Heap

• "Dynamic Allocator Misuse" (pwn.college)
• Exploiting Heap Allocators: part of CS6265: Information Security Lab
• Heap Exploitation (dhavalkapil): guide for understanding the internals of 'heap memory.
• Heap Exploitation (nightmare): heap tutorials (part of the Nightmare binary exploitation series)
• how2heap: epository for learning various heap exploitation techniques.
• Writeups:
  • "Analysis of Malloc Protections on Singly Linked Lists"
  • "Analyzing an Old Netatalk dsi_writeinit Buffer Overflow Vulnerability in NETGEAR Router"
  • "Behind the Shield: Unmasking Scudo's Defenses"
  • "Bypassing GLIBC 2.32’s Safe-Linking Without Leaks into Code Execution: The House of Rust"
  • "CUCTF 2020 Dr. Xorisaurus Heap Writeup (glibc 2.32 UAF)"
  • "Cueing up a calculator: an introduction to exploit development on Linux"
  • "Diving deep into heap — Glibc fastbin consolidation"
  • "Diving deep into the heap"
    • Part 1
    • Part 2
  • "Don't Be Silly - It's Only a Lightbulb"
  • "Everything In It’s Right Place"
  • "Exploiting a Remote Heap Overflow with a Custom TCP Stack"
  • "Exploiting an Unbounded memcpy in Parallels Desktop"
  • "Exploiting Sudo Heap Overflow On Debian 10"
  • "Exploring Android Heap Allocations in jemalloc 'New'"
  • "Glibc Heap Exploitation Basics":
    • Part 1
    • Part 2
    • Part 3
  • Heap Exploitation Series by Azeria
    • "Part 1: Understanding the Glibc Heap Implementation"
    • "Part 2: Understanding the Glibc Heap Implementation"
    • "Case Study from an in-the-wild iOS 0-day"
    • "Heap Overflows and the iOS Kernel Heap"
    • "Grooming the iOS Kernel Heap"
  • "Heap overflow using Malloc Maleficarum"
  • "Heap overflow using unlink"
  • "House of Corrosion"
  • "House of Husk - In Depth Explanation"
  • "House of Mind - Fastbin Variant Revived"
  • "House of IO - Heap Reuse"
  • "House of Io – Remastered"
  • "House of Muney - Leakless Heap Exploitation Technique"
  • "munmap madness"
  • "Off-By-One Vulnerability (Heap Based)"
  • "Overview of Malloc" (glibc documentation)
  • "Safe-Linking – Eliminatig a 20 Year-Old malloc() Exploit Primitive"
  • "The art of exploiting heap overflow":
    • Part 1
    • Part 2
    • Part 3
    • Part 4
    • Part 5
    • Part 6
    • Part 7
  • "The Malloc Maleficarum"
  • "The toddler’s introduction to Heap Exploitation"
    • Part 1
    • Part 2
    • Part 3
    • Part 4
    • Part 4.1
    • Part 4.2
    • Part 4.3
    • Part 4.4
  • "Understanding glibc malloc"
  • "Understanding the Heap - a beautiful mess"
  • "Use-After-Free"
  • "Vudo malloc tricks"
  • "x86 Exploitation 101: “House of Lore” – People and Traditions"
  • "Your NAS is not your NAS !"

Linux Kernel

• DirtyCow: race condition in the way the Linux kernel's memory subsystem handled the copy-on-write.
• DirtyPipe: pipes and splices for verwriting data in arbitrary read-only files.
  • "Technical Review: A Deep Analysis of the Dirty Pipe Vulnerability"
• Exploitable kernel structures
• kernel exploit practive: repository for kernel exploit practice
• Kernel exploitation: collection of resources for kernel layer exploitation.
• kernelCTF (Google): part of the Google VRP and is focused on making exploiting Linux kernel vulnerabilities harder.
  • kctf: CTF infrastructure written on top of Kubernetes.
• kasld: Kernel Address Space Layout Derandomization
• kernelpwn: CTF kernel-pwn challenges and writeups
• linux-kernel-exploitation: collection of links related to Linux kernel security and exploitation.
• Writeups:
  • "A Journey To The Dawn"
  • "A Systematic Study of Elastic Objects in Kernel Exploitation"
  • "Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938"
  • "Beginner's first kernel CTF with CVE-2017-5123"
  • "CUCTF 2020 Hotrod Kernel Writeup (Userfaultfd Race + Kernel UAF + Timerfd_Ctx Overwrite)"
  • "CVE-2017-11176: A step-by-step Linux Kernel exploitation":
    • Part 1
    • Part 2
    • Part 3
    • Part 4
  • "CVE-2017-2636: Exploit the race condition in the n_hdlc Linux kernel driver"
  • "CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem"
  • "CVE-2021–20226 a reference counting bug which leads to local privilege escalation in io_uring"
  • "CVE-2021-32606: CAN ISOTP local privilege escalation"
  • "CVE-2021-3609: CAN BCM local privilege escalation"
  • "CVE-2022-0185 - Winning a $31337 Bounty after Pwning Ubuntu and Escaping Google's KCTF Containers"
  • "CVE-2022-2586 Writeup"
  • "CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF"
  • "CVE-2022-27666: Exploit esp6 modules in Linux kernel"
  • "CVE-2022-29582 An io_uring vulnerability"
  • "Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse"
  • "Cautious! A New Exploitation Method! No Pipe but as Nasty as Dirty Pipe"
  • "Conquering the memory through io_uring - Analysis of CVE-2023-2598"
  • "corCTF 2021 Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel"
  • "corCTF 2021 ret2cds writeup: Escaping a Seccomp Sandbox via Class Data Sharing regions in OpenJDK"
  • "corCTF 2023 sysruption - Exploiting Sysret on Linux in 2023"
  • "corCTF 2023: sysruption writeup"
  • "CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel"
  • "DiceCTF 2021 HashBrown Writeup: From Kernel Module Hashmap Resize Race Condition to FG-KASLR Bypass"
  • "Devils Are in the File Descriptors: It Is Time To Catch Them All"
  • "Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel"
  • "DirtyCred: Escalating Privilege in Linux Kernel"
  • "DirtyCred Remastered: how to turn an UAF into Privilege Escalation"
  • "EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)"
  • "Escaping the Google kCTF Container with a Data-Only Exploit"
  • "Exploit Engineering – Attacking the Linux Kernel"
  • "Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver"
  • "Exploiting CVE-2022-42703 - Bringing back the stack attack"
  • "Exploring Linux's New Random Kmalloc Caches"
  • "Exploiting Kernel Races Through Taming Thread Interleaving"
  • "Exploiting null-dereferences in the Linux kernel"
  • "Exploiting race conditions on [ancient] Linux"
  • "Exploiting the Linux kernel via packet sockets"
  • "Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques"
  • "Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux kernel"
  • "Function Granular KASLR"
  • "Gaining kernel code execution on an MTE-enabled Pixel 8"
  • "Hotrod: Exploiting timerfd_ctx Objects In The Linux Kernel"
  • "How a simple Linux kernel memory corruption bug can lead to complete system compromise"
  • "How STACKLEAK improves Linux kernel security"
  • "Introduction to kernel exploitation"
  • "Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG"
  • "io_uring - new code, new bugs, and a new exploit technique"
  • "IPS"
  • "Linux Kernel Exploit (CVE-2022–32250) with mqueue"
  • "Linux Kernel Exploit Development: 1day case study"
  • "Linux Kernel Exploitation":
    • "Getting started & BOF"
    • "Heap techniques"
    • "Exploiting race-condition + UAF"
  • "Linux Kernel Exploitation Technique: Overwriting modprobe_path"
  • "Linux kernel heap feng shui in 2022"
  • "Linux kernel heap quarantine versus use-after-free exploits"
  • "Linux Kernel ROP":
    • Part 1
    • Part 2
  • "Linux Kernel universal heap spray"
  • "Linux SLUB Allocator Internals and Debugging":
    • Part 1
    • Part 2
    • Part 3
    • Part 4
  • "Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu"
  • "Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021"
  • "pbctf 2021 Nightclub Writeup: More Fun with Linux Kernel Heap Notes!"
  • "Racing against the clock -- hitting a tiny kernel race window"
  • "ret2dir: Rethinking Kernel Isolation"
    • slides
  • "Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage"
  • "Ret2page: The Art of Exploiting Use-After-Free Vulnerabili4es in the Dedicated Cache"
  • "SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)"
  • "The tale of a GSM Kernel LPE"
  • "USMA: Share Kernel Code with Me"
  • "Wall Of Perdition: Utilizing msg_msg Objects For Arbitrary Read And Arbitrary Write In The Linux Kernel"
  • "zer0pts CTF 2022 kRCE writeup: Limited Userland Interface to Kernel RCE"

Other

• CS6265: Information Security Lab: Reversing, debugging, exploitation tutorials.
• CTF Wiki pwn
• pwning slides: collection of slides and material on exploitation (not mainatined)
• Writeups:
  • "15 years later: Remote Code Execution in qmail (CVE-2005-1513)"
  • "A Kernel Hacker Meets Fuchsia OS"
  • "Android Kernel Exploitation"
  • "ARM64 Reversing And Exploitation" (8ksec)
    • Part 1
    • Part 2
    • Part 3
    • Part 4
    • Part 5
    • Part 6
    • Part 7
    • Part 8
    • Part 9
    • Part 10
  • "BitUnmap: Attacking Android Ashmem"
  • "BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution"
  • "Examining Pointer Authentication on the iPhone XS"
  • "GOT and PLT for pwning"
  • "Learning Linux kernel exploitation" (0x434b):
    • "Part 1 - Laying the groundwork"
    • "Part 2 - CVE-2022-0847"
  • "Learning Linux Kernel Exploitation" (lkmidas):
    • Part 1
    • Part 2
    • Part 3
  • "nftables Adventures: Bug Hunting and N-day Exploitation (CVE-2023-31248)"
  • "Over the Air":
    • "Exploiting Broadcom’s Wi-Fi Stack (Part 1)"
    • "Exploiting Broadcom’s Wi-Fi Stack (Part 2)"
    • "Exploiting The Wi-Fi Stack on Apple Devices (Pt. 1)"
    • "Exploiting The Wi-Fi Stack on Apple Devices (Pt. 2)"
    • "Exploiting The Wi-Fi Stack on Apple Devices (Pt. 3)"
  • "PAC it up: Towards Pointer Integrity using ARM Pointer Authentication"
  • "Rope2 HackTheBox Writeup (Chromium V8, FSOP + glibc heap, Linux Kernel heap pwnable)"
  • "UIUCTF 2022 - SMM Cowsay 1, 2, 3"

Libcs

• Bionic
  • Documentation
• glibc
  • Documentation
• musl
  • Documentation
• uclibc-ng
  • Documentation

Mitigations

• Linux kernel:
  • FGKASLR: Function Granular Kernel Address Space Layout Randomization (fgkaslr)
  • "SLAB freelist randomization"

Misc

• exploit_mitigations: Knowledge base of exploit mitigations
• KernelCTF: KernelCTf by Google.
• Linux Kernel Defence Map: relationships between vulnerability classes, exploitation techniques, bug detection mechanisms, and defence technologies.
• "ret2dl_resolve x64: Exploiting Dynamic Linking Procedure In x64 ELF Binaries Devil"
• "The Oddest Place You Will Ever Find PAC"

Practice

• awesome-ctf (wargames): list of wargames websites.
• exploit.education: VM for practiving exploitation.
• overthewire: earn and practice security concepts.
• pwn.college: learn about, and practice, core cybersecurity concepts in a hands-on fashion.
• pwnable.kr: wargame site which provides various pwn challenges.
• pwnable.tw: wargame site for hackers to test and expand their binary exploiting skills.
• ropemporium: learn return-oriented programming through a series of challenges.

TEE

• "ARM TrustZone: pivoting to the secure world"
• TEE-reversing
• Writeups:
  • "Breaking TEE Security":
    • "part 1"
    • "part 2"
    • "part 3"
  • "Trust Issues: Exploiting TrustZone TEEs"

Tools

• crash: Linux kernel crash utility
• GDB: The GNU Project Debugger
  • Documentation
• like-gdb: Fully dockerized Linux kernel debugging environment
• GEF: GDB Enhanced Feature
  • GEF: fork of GEF with functionalities specific for the Linux kernel
• pwntools: CTF framework and exploit development library