CNIT 127: Exploit Development
CNIT 127 meets at 1:00 PM Sat Dec 1
Fall 2018, Sam Bowne
Catalog Description
Learn how to find vulnerabilities and exploit them to gain control of target systems, including Linux, Windows, Mac, and Cisco. This class covers how to write tools, not just how to use them; these are essential skills for advanced penetration testers and software security professionals.

Student Learning Outcomes
1. Read and write basic assembly code routines

Textbook
"The Shellcoder's Handbook: Discovering and Exploiting Security Holes", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q

Quizzes
The quizzes are multiple-choice, online, and open-book. However, you may not ask other people to help you during the quizzes. You will need to study the textbook chapter before the lecture covering it, and take the quiz before that class. Each quiz is due 30 min. before class. Each quiz has 5 questions, you have ten minutes to take it, and you can make two attempts. If you take the quiz twice, the second score is the one that counts, not necessarily the higher score.

Live Streaming
You can attend class remotely using Zoom. For class-related questions, please email cnit.127sam@gmail.com
Lectures
Grading Policy
Introduction to Exploitation: Linux on x86
Ch 1: Before you begin · KEY

Windows
Ch 6: The Wild World of Windows · KEY
Lecture 7: Intro to 64-Bit Assembler (Not in book) · KEY
We'll skip Ch 7: Windows shellcode
Ch 8: Windows overflows (Part 1) · KEY
We'll skip chapters 9 through 13
Ch 14: Protection Mechanisms · KEY

Vulnerability Discovery
We'll skip chapter 15
Ch 16: Fault Injection and 17: The Art of Fuzzing · KEY
Links for Chapter Lectures
Ch 1a: Anatomy of a Program in Memory - Excellent explanation from 2009
Ch 1b: assembly - difference between 'or eax,eax' and 'test eax,eax'
Ch 2a: Smashing the Stack for Fun and Profit by Aleph One
Ch 3b: What's the difference of the Userland vs the Kernel?
Ch 4a: Format String Exploitation-Tutorial By Saif El-Sherel (updated 1-25-18, ty B Meixell)
Ch 5a: A Memory Allocator by Doug Lea
Ch 6a: theForger's Win32 API Tutorial
L7a: AMD64 Architecture Processor (pdf, downloads immediately) (updated 1-25-18, ty B Meixell)
Ch 8a: Win32 Thread Information Block - Wikipedia
Ch 17a: Awesome-Fuzzing: A curated list of fuzzing resources ( Books, courses - free and paid, videos, tools, tutorials and vulnerable applications to practice on )
Ch 18a: Cscope Home Page
Fuzz 1: Failure Observation Engine (FOE) tutorial - YouTube
Ch 16a: Socket.NoDelay Property
Hopper 1: Use The Debugger with Hopper Disassembler/Decompiler - YouTube

Miscellaneous Links
SmashTheStack Wargaming Network
Great exploit tutorials from 2012 in the WayBack Machine
Exploit Exercises
farlight.org -- useful exploits and shells
Bypassing AV Scanners -- OLLYDBG PROJECT IN HERE
Valgrind Tutorial
Bypassing EMET's EAF with custom shellcode using kernel pointer (from 2011)
Disarming Enhanced Mitigation Experience Toolkit (EMET) v 5.0
Rootkits by Csaba Barta (from 2009) (updated 1-25-18, ty B Meixell)
PSA: don't run 'strings' on untrusted files -- WORTH EXPLOITING
From 0-day to exploit -- Buffer overflow in Belkin N750 (CVE-2014-1635)
Disarming and Bypassing EMET 5.1
BinScope Binary Analyzer -- vulnerability detector
Popular security suites open to attack -- DEP and ASLR Not Enabled
GDB: Debugging stripped binaries
USBPcap -- USE FOR PROJECTS
PBKDF2 - Wikipedia
Installing VMware Tools on Kali Linux
Kali Linux Downloads
IMMUNITY : Download
How to setup Dark Comet RAT (with download and pictures) : hacking
Cython: C-Extensions for Python -- MAKES SMALL EXEs
HT Editor -- powerful binary ELF editor
ntpdc local buffer overflow - Exploit Development example, interesting GDB commands
Seven Resume Strategies for the Long-Term Unemployed
KdExploitMe - Hackable Windows Kernel Driver -- USE FOR PROJECTS
64-bit Linux Return-Oriented Programming
Exploit Exercises -- GOOD FOR PROJECTS
WIRESHARK 1.12.4 and below Access Violation and Memory Corruption PoC
Fuzzing with AFL-Fuzz, a Practical Example ( AFL vs binutils ) -- USEFUL FOR PROJECT
Radare portable reversing framework
Hopper: The OS X and Linux Disassembler -- GOOD FOR PROJECTS
Gdbinit: user-friendly gdb configuration file -- GOOD FOR PROJECTS
Format String Bug Exploration -- USEFUL FOR PROJECT
90s-style security flaw puts "millions" of routers at risk -- LOOKS GOOD FOR A PROJECT
Exploit Development Class for Win 7 64-bit -- USEFUL FOR PROJECTS
EDB (Evan's Debugger) -- Like OllyDbg on Linux, ty @offsectraining
Sophos AV Bypass - YouTube
New buffer overflow protection in gcc 4.9 -fstack-protector-strong
Old Versions of Kali Linux
Animated Metasploit Linux Payload in gdb - YouTube
Stack Smashing On A Modern Linux System
Buffer Overflow Vulnerability Lab
VMware Tools installation fails when Easy Install is in progress -- GOOD SOLUTION
Installing VMware Tools in an Ubuntu virtual machine
How to turn OFF (or at least override) syntax highlighting in nano via ~/.nanorc?
Exploit writing tutorial part 11 : Heap Spraying Demystified | Corelan Team
MemGC and Control Flow Guard (May, 2015)
How exploit writers find bugs in Java Machine? - Reverse Engineering Stack Exchange
Mac OS Xploitation (2009)
Modern Binary Exploitation class from RPI
A binary analysis, count me if you can -- VERY USEFUL
picoCTF 2014 Baleful - Solving with Pin -- INTERESTING TECHNIQUE
How to detect a NX stack and other protections against buffer overflows -- VERY USEFUL
ROP for Linux ELF files: finding JMP ESP
Performing a ret2libc Attack (updated 1-25-18, ty B Meixell)
How to disable ASLR in linux permanently.
Python multiprocessing.Pool -- EXCELLENT EXAMPLE
Rooting Freshly -- GOOD EXAMPLE OF PENETRATING A LINUX WEB SERVER
Exploiting memory corruption bugs in PHP Part 3: Popping Remote Shells
Execute Bash Commands Without Spaces with Brace Expansion
x64dbg: An open-source x64/x32 debugger for windows -- ALTERNATIVE TO IDA PRO
gdb bug on 64-bit ubuntu with fix: No module name libstdcxx - Stack Overflow
gdb - debugging with pipe using mkfifo
Fuzzing on MacOS X -- MANY USEFUL TIPS
Carnegie Mellon - Tools - VulWiki
The Ultimate Disassembly Framework -- Capstone
binjitsu/binjitsu: CTF framework and exploit development library
How To Install VMware Workstation 11 On Ubuntu 14.10
Exploitation of mem-corruptions vulns in remote C/C++ programs without source or binary
Artistic Rendering of Exploit Development Process
Blind Return Oriented Programming (BROP)
Linux Assembly Tutorial - Step-by-Step Guide
A fundamental introduction to x86 assembly programming
RIP ROP: Intel's cunning plot to kill stack-hopping exploits at CPU level with "shadow stack" (June, 2016)
Introductory Intel x86: Architecture, Assembly, Applications - YouTube
Assembly Primer for Hackers (Part 1) System Organization Tutorial.mp4 - YouTube
ARM Exploitation: Return Oriented Programming on ARM (on Linux)
How to read arbitrary RAM with format string vulnerability
The best resources for learning exploit development -- MANY GOOD PROJECT IDEAS
Use The Debugger with Hopper Disassembler/Decompiler - YouTube
Over the Wire Narnia Level 2 -> 3 -- GOOD EXTRA CREDIT PROJECT
Demystifying the Execve Shellcode (Stack Method)
Program exiting after executing int 0x80 instruction when running shellcode
Debugging - Modifying Code At Runtime
How to specify base addresses for sections with gcc -- ESSENTIAL FOR KALI 2017 PROJECTS
Windows Kernel Exploitation Tutorial
[Kernel Exploitation] 2: Payloads
Infosec_Reference/Exploit Development
Requests: HTTP for Humans -- Requests 2.18.4 documentation
PEDA - Python Exploit Development Assistance for GDB
Getting cozy with exploit development
Bypassing NX/DEP -- PoC || GTFO
Simple ASLR/NX bypass on a Linux 32 bit binary
Binary Analysis Tool -- INTERESTING FOR PROJECTS
Linux Kernel Debugging with VMWare Player Free
Force GCC to push arguments on the stack before calling function (using PUSH instruction)
Analyzing Metasploit linux/x86/exec payload
EXPLOITATION PROJECT: HeapSpray, SEH, EggHunter
Vulnserver -- GMON command SEH based overflow exploit
OakSim: ARM Assembly Simulator
ARM Assembly and Exploitation -- USEFUL FOR PROJECTS
VM of Ubuntu with ARM in QEMU
x64dbg -- Recommended by @malwareunicorn

New Unsorted Links
Radare2 Projects: "Practical case : Buffer Overflow 0x01 : https://t.co/rMSdRZFzfv 2) Methods and macros: the call stack : https://t.co/oDNYb0sAsr 3) Practical case: Patch Me 0x01 : https://t.co/Ta2cgWQm4E 4) Conditions and loops : https://t.co/hcZg1yNx3Z cc @LibraAnalysis"
L7r: x86-64 - Wikipedia
Immunity error: pycommands: error importing module -- caused by using 64-bit Python
The Cost of Buffer Security Checks in Visual C
Ch 14h: GS (Buffer Security Check) -- Official Microsoft Documentation
Enable or disable specific mitigations used by Exploit protection | Microsoft Docs
Control Flow Guard | Microsoft Docs
vulnserver/vulnserver.c at master · stephenbradshaw/vulnserver · GitHub
Dangling Pointers: Avoid them Strictly!
Exploiting Format Strings in Windows
6 Best Wireshark Alternatives for Android
DLL Hijacking with Ghidra -- USE FOR PROJECT
pwntools -- CTF framework and exploit development library
Return Oriented Programming on ARM (32-bit) -- USE FOR PROJECTS
Reverse Engineering with Ghidra -- USE FOR PROJECTS
Online Courses -- Ghidra
Heap Overflow Exploitation on Windows 10 Explained
Honggfuzz finding a double-free in VLC -- USE FOR PROJECT
How to Compile 32-bit Apps on 64-bit Ubuntu?
Debug 32 bit application with gdb in 64 bit environment
Modern Windows Exploit Development.pdf
Dump TEB/PEB in immunitydbg - Reverse Engineering Stack Exchange
Ch 7r: Maximum addressable memory under the current operating systems
L7r: Maximum addressable memory under the current operating systems
Demystifying Dot NET Reverse Engineering, Part 1: Big Introduction
Demystifying dot NET reverse engineering - PART 2: Introducing Byte Patching
Demystifying dot NET reverse engineering - PART 3: Advanced Byte Patching
Bypassing SEHOP
DEP Bypass using ROP Chains | Garima Sinha - securityresearch - Medium
Linux Kernel ROP - Ropping your way to # (Part 1) | Trustwave | SpiderLabs | Trustwave
Libxml2 Tutorial | AFLplusplus -- FUZZER PROJECT
2020-05-13: Solving Uninitialized Stack Memory on Windows -- INTERESTING CHART OF ROOT CAUSES
Porting VulnServer TRUN /.:/ exploit to Metasploit -- Duncan Winfrey
Bypassing SEHOP (but only 1/512 of the time)
Ch 3o: assembly - How to use sysenter under Linux?
GitHub - johnjhacking/Buffer-Overflow-Guide: This Bufferflow Guide includes instructions and the scripts necessary for Buffer Overflow Exploitation. This guide is a supplement for TheCyberMentor's walkthrough. Please watch his walkthrough if you're confused. Feel free to implement Pull Requests or raise Issues.
Labs | CyberDefenders ® | Blue Team CTF Challenges
2021-12-02: ydkhatri/mac_apt: macOS ( and ios) Artifact Parsing Tool
Learning Linux kernel exploitation - Part 1 - Laying the groundwork
Beginner Reverse Engineering Tutorials
Resources for learning exploit development
OSED - Navigating The Shadows
OSCP Guide
OFFENSIVE SECURITY & REVERSE ENGINEERING (OSRE) Course