on-pwning

This repository contains my solutions to some CTF challenges and a list of interesting resources about pwning stuff.

Write-Ups/PoCs

• 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools | googleprojectzero.blogspot.com • fuzzing
• 7zip CVE-2016-2334 HFS+ Code Execution Vulnerability | talosintelligence.com
• A cache invalidation bug in Linux memory management | googleprojectzero.blogspot.com
• A collection of JavaScript engine CVEs with PoCs | github.com/tunz
• A Methodical Approach to Browser Exploitation | blog.ret2.io
  • Vulnerability Discovery Against Apple Safari | blog.ret2.io
  • Timeless Debugging of Complex Software | blog.ret2.io
  • Weaponization of a JavaScriptCore Vulnerability | blog.ret2.io
  • Cracking the Walls of the Safari Sandbox | blog.ret2.io • Frida, fuzzing
  • Exploiting the macOS WindowServer for root | blog.ret2.io • Frida
• A Pwn2Own exploit chain | github.com/saelo
• A Story About Three Bluetooth Vulnerabilities in Android
• All Your Docs Are Belong To Us › reversing an av engine to compose signatures capable of detecting classified documents | objective-see.com
• Avast Antivirus: Remote Stack Buffer Overflow with Magic Numbers | landave.io
• Back to 28: Grub2 Authentication 0-Day | hmarco.org
• Better slow than sorry – VirtualBox 3D acceleration considered harmful | phoenhex.re
• Browser security beyond sandboxing | microsoft.com
• Covering Ian Beer's exploit techniques for getvolattrlist bug (iOS 11-11.3.1) | 4ldebaran.blogspot.com
• CVE-2017-2636: exploit the race condition in the n_hdlc Linux kernel driver bypassing SMEP | a13xp0p0v.github.io
• Disabling MacOS SIP via a VirtualBox kext Vulnerability | mdsec.co.uk
• eBPF and Analysis of the get-rekt-linux-hardened.c Exploit for CVE-2017-16995 | ricklarabee.blogspot.com
• Exploiting CVE-2017-5123 | reverse.put.as
• Exploring 6 Previously Unknown Remote Kernel Bugs Affecting Android Phones | pleasestopnamingvulnerabilities.com
• Extracting a 19 Year Old Code Execution from WinRAR | checkpoint.com
• Frag Grenade! A Remote Code Execution Vulnerability in the Steam Client | contextis.com
• From fuzzing Apache httpd server to CVE-2017-7668 and a $1500 bounty • AFL, rr, valgrind
• Fuzzing Counter-Strike: Global Offensive maps files with AFL | phoenhex.re
• Fuzzing CS:GO BSP Files | path.network
• Game hacking reinvented? – A cod exploit | momo5502.com
• geohot presents an evasi0n7 writeup | geohot.com
• IOHIDeous | IOHIDFamily 0day | siguza.github.io
• iOS 11 Jailbreak | github.com/Coalfire-Research
• IPC Voucher UaF Remote Jailbreak Stage 2 | 360.cn
• Jailbreaks Demystified | geosn0w.github.io
• Kernel RCE caused by buffer overflow in Apple's ICMP packet-handling code (CVE-2018-4407) • QL
• Meltdown Proof-of-Concept | github.com/iaik
• Pwn2Own: Safari sandbox part 1 – Mount yourself a root shell | phoenhex.re
  • Pwn2Own: Safari sandbox part 2 – Wrap your way around to root | phoenhex.re
• Over The Air - Vol. 2, Pt. 1: Exploiting The Wi-Fi Stack on Apple Devices | googleprojectzero.blogspot.com
• Reading Backwards – Controlling an Integer Underflow in Adobe Reader | zerodayinitiative.com
• Remote LD_PRELOAD Exploitation | elttam.com.au
• System Down: A systemd-journald exploit | openwall.com
• Taking a page from the kernel's book: A TLB issue in mremap() | googleprojectzero.blogspot.com
• The First PS4 Kernel Exploit: Adieu | fail0verflow.com
• v0rtex | IOSurface exploit | siguza.github.io/v0rtex
• VirtualBox VRDP Guest-to-Host Escape | securiteam.com
• virtualbox_e1000_0day | github.com/MorteNoir1
• Xen SMEP (and SMAP) bypass | nccgroup.trust

CTFs

• 0CTF 2017 Quals | BabyHeap2017 | uaf.io
• 33C3 CTF 2016 | babyfengshui | galhacktictrendsetters.wordpress.com
• 33C3 CTF 2016 | hohoho | github.com/InfoSecIITR • bash
• 35C3 CTF 2018 | newphonewhodis | mhackeroni.it
• Atredis BlackHat CTF 2018 | msreverseengineering.com
• CSAW 2017 Finals | kws2 | s3.eurecom.fr
• CSAW 2017 Quals | FuntimeJS | rpis.ec
• DEF CON 2018 Finals | Doublethink | robertxiao.ca
• FAUST CTF 2017 | Alexa | secgroup.github.io
• Google CTF 2017 Quals | Inst Prof | secgroup.github.io
• Google CTF 2017 Quals | Primary | david942j.blogspot.com
• Google CTF 2018 Quals | Sandbox Compat | david942j.blogspot.com
• Hack.lu CTF 2014 | OREO | wapiflapi.github.io • ret2dl-resolve
• Hack.lu CTF 2018 | Baby Kernel | Rusty Codepad | maltekraus.de
• HITCON CTF 2017 Quals | Everlasting Imaginative Void | pwning.fun
• HITCON CTF 2017 Quals | Real Ruby Escaping | david942j.blogspot.com
• HXP CTF 2017 | Flag Store | pwning.re • FORTIFY_SOURCE, seccomp
• noxCTF 2018 | PSRF | github.com/seadog007 • SSRF
• Pwn2Win 2017 | Shift Register | dragonsector.pl
• RingZer0 Team Online CTF | Shellcoding | github.com/VulnHub
• TokyoWesterns CTF 2018 | EscapeMe | david942j.blogspot.com
• TokyoWesterns/MMA CTF 2016 | Diary | uaf.io • seccomp

Readings

• 50 CVEs in 50 Days: Fuzzing Adobe Reader | checkpoint.com • WinAFL
• 6.828: Operating System Engineering | mit.edu
• A binary analysis, count me if you can | shell-storm.org • Pin
• A Eulogy for Format Strings | phrack.org
• A Memory Allocator | g.oswego.edu • dlmalloc
• Advanced Doug Lea's malloc exploits | phrack.org
• Advances in format string exploitation | phrack.org
• AEG: Automatic Exploit Generation • NDSS 2011
• Almost booting an iOS kernel in QEMU | worthdoingbadly.com
• An updated collection of resources targeting browser-exploitation | github.com/m1ghtym0
• AnC | vusec.net • ASLR⊕Cache
• ASLR on the Line: Practical Cache Attacks on the MMU • NDSS 2017, ASLR⊕Cache
• ASLR Protection for Statically Linked Executables | leviathansecurity.com • ELF, RELRO
• Attacking a co-hosted VM: A hacker, a hammer and two memory modules | thisissecurity.stormshield.com
• ATtention Spanned: Comprehensive Vulnerability Analysis of AT Commands Within the Android Ecosystem | atcommands.org
• Awesome Fuzzing | github.com/secfigo
• Beware of strncpy() and strncat() | eklitzke.org
• Binary fuzzing strategies: what works, what doesn't | lcamtuf.blogspot.com
• BlueBorne Information from the Research Team | armis.com
• Bot vs. Bot: Evading Machine Learning Malware Detection • Black Hat USA 2017
• Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom's Wi-Fi Chipsets | exodusintel.com
• Bypassing clang’s SafeStack for Fun and Profit • Black Hat Europe 2016
• Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA | nccgroup.trust
• Common Pitfalls When Writing Exploits | mathyvanhoef.com
• Controlling uninitialized memory with LD_PRELOAD | vulnfactory.org
• CPU.fail | cpu.fail
• Cross debugging for MIPS ELF with QEMU/toolchain | reverseengineering.stackexchange.com
• Cyber Security Base • course
• Dirty COW and why lying is bad even if you are the Linux kernel | chao-tic.github.io
• Drammer: Deterministic Rowhammer Attacks on Mobile Platforms • CCS 2016
• Dynamic Binary Instrumentation Primer | deniable.org • DynamoRIO, Frida, Pin
• Educational Heap Exploitation | github.com/shellphish
• Effective file format fuzzing • Black Hat Europe 2016
• ELF Binary Code Injection, Loader/'Decrypter' | pinkstyle.org
• Endpoint Security Self-Protection on MacOS | mdsec.co.uk
• Exploit writing tutorial part 11 : Heap Spraying Demystified | corelan.be
• Exploiting Format String Vulnerabilities | crypto.stanford.edu
• Exploiting the DRAM rowhammer bug to gain kernel privileges | googleprojectzero.blogspot.com
• Extra Exploitation Technique 1: _dl_open | dangokyo.me
• File Stream Pointer Overflows | ouah.org
• FILE Structure Exploitation ('vtable' check bypass) | dhavalkapil.com
• Finding Function's Load Address | uaf.io • DT_STRTAB
• First Steps in Hyper-V Research | microsoft.com
• From Heap to RIP | frizn.fr • dlmalloc, ptmalloc2
• Fully undetectable backdooring PE files | haiderm.com
• Fun with FORTIFY_SOURCE | vulnfactory.org
• Fuzzing arbitrary functions in ELF binaries | blahcat.github.io • LIEF
• Fuzzing with AFL is an Art | moyix.blogspot.com
• Fuzzing workflows; a fuzz job from start to finish | foxglovesecurity.com • AFL
• Generating Software Tests | fuzzingbook.org
• Getting Physical: Extreme abuse of Intel based Paging Systems - Part 1 | secureauth.com
• GLIBC MALLOC FOR EXPLOITERS | yannayl.github.io
• GOT and PLT for pwning. | systemoverlord.com
• Grand Pwning Unit: Accelerating Microarchitectural Attacks with the GPU | cs.vu.nl
• GTFOBins | gtfobins.github.io
• Hacking a game to learn FRIDA basics (Pwn Adventure 3) | x-c3ll.github.io
• Hacking Blind • S&P 2014, BROP
• Hardening C/C++ Programs Part II – Executable-Space Protection and ASLR | productive-cpp.com
• Hardening ELF binaries using Relocation Read-Only (RELRO) | redhat.com
• Hardware backdoors in some x86 CPUs | github.com/xoreaxeaxeax
• Heap Exploitation | dhavalkapil.com
• Heap Feng Shui in JavaScript • Black Hat Europe 2007
• House of Einherjar — Yet Another Heap Exploitation Technique on GLIBC • CODE BLUE 2016
• How main() is executed on Linux | tldp.org
• How programs get run: ELF binaries | lwn.net
• How the ELF Ruined Christmas • USENIX 2015, _dl_runtime_resolve
• How to build a C program using a custom version of glibc and static linking? | stackoverflow.com
• How to Create a Virus Using the Assembly Language | cranklin.wordpress.com • ELF
• Injecting missing methods at runtime | hopperapp.com • Mach-O
• iOS Hacking Resources | github.com/Siguza
• iOS kernel exploitation archaeology • 34C3
• Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR • MICRO 2016
• Keygenning with KLEE | doar-e.github.io
• ldd arbitrary code execution | catonmat.net
• Learning KVM - implement your own Linux kernel | david942j.blogspot.com
• Linux x86 Program Start Up | dbp-consulting.com
• linux-insides | 0xax.gitbooks.io
• Linux/x86 - sockfd trick + dup2(0,0), dup2(0,1), dup2(0,2) + execve /bin/sh - 50 bytes | shell-storm.org
• macOS Security and Privacy Guide | github.com/drduh
• Making a low level (Linux) debugger, part 3: our first program | asrpo.com
• Meltdown and Spectre | meltdownattack.com
• Memory Corruption Attacks: The (almost) Complete History • Black Hat USA 2010
• Mental Snapshot - _int_free and unlink | uaf.io
• Multiple glibc libraries on a single host | stackoverflow.com
• Named vulnerabilities and their practical impact | github.com/hannob
• New bypass and protection techniques for ASLR on Linux | ptsecurity.com
• On the Effectiveness of Address-Space Randomization • CCS 2004, ASLR
• On vsyscalls and the vDSO | lwn.net
• Once upon a free()... | phrack.org
• OSDev Wiki | osdev.org
• Overcoming (some) Spectre browser mitigations | alephsecurity.com
• FILE Structures: Another Binary Exploitation Technique • HITB GSEC 2018
• Playing with canaries | elttam.com.au
• Playing with signals : An overview on Sigreturn Oriented Programming | thisissecurity.stormshield.com
• Practical C++ Decompilation • REcon 2011
• Programming Z3
• ptmalloc fanzine | tukan.farm
• Pwning (sometimes) with style - Dragons' notes on CTFs • Insomni'hack 2015
• Pwning coworkers thanks to LaTeX | scumjr.github.io
• pwnlib.dynelf — Resolving remote functions using leaks | pwntools.com
• Radare2 of the Lost Magic Gadget | 0xabe.io
• Reading privileged memory with a side-channel | googleprojectzero.blogspot.com
• Recommended compiler and linker flags for GCC | redhat.com
• Return to VDSO using ELF Auxiliary Vectors | voidsecurity.in
• Reversing C++ programs with IDA pro and Hex-rays | 0xbadc0de.be
• SAT/SMT by example | yurichev.com
• So you want to work in security? (and for some reason ended up here rather than reading other people’s posts on the topic). | ifsec.blogspot.com
• Some universal gadget sequence for Linux x86_64 ROP payload | voidsecurity.in
• Smashing The Stack For Fun And Profit | phrack.org
• Super Awesome Fuzzing, Part One | f-secure.com
• Symbolic Execution: Intuition and Implementation
• Tearing apart printf() | maizure.org
• Technical aspects of CTF contest organization| cert.pl
• The advanced return-into-lib(c) exploits: PaX case study | phrack.org • ret-into-dl
• The Malloc Maleficarum | phrack.org
• The one-gadget in glibc | david942j.blogspot.com
• The real power of Linux executables | ownyourbits.com
• The Stack Clash | qualys.com
• The single instruction C compiler | github.com/xoreaxeaxeax
• Transforming an ELF executable into a library
• Understanding L1 Terminal Fault aka Foreshadow: What you need to know | redhat.com
• UNIX Syscalls | john-millikin.com
• Vudo - An object superstitiously believed to embody magical powers | phrack.org
• Vulnerability hunting with Semmle QL, part 1 | microsoft.com
• What is an ELF Export? | m4b.io
• Why is My Perfectly Good Shellcode Not Working?: Cache Coherency on MIPS and ARM | senr.io

Talks/Presentations

• From Kernel to VMM by Jacob Torrey (@JacobTorrey)
• $hell on Earth: From Browser to System Compromise by Matt Molinyawe, Jasiel Spelman, Abdul-Aziz Hariri and Joshua Smith • Black Hat USA 2016
• A Christmas Carol - The Spectres of the Past, Present, and Future by Moritz Lipp, Michael Schwarz, Daniel Gruss and Claudio Canella • 35C3
• Attacking The XNU Kernel In El Capitan by Luca Todesco (@qwertyoruiop) • Black Hat Europe 2015
• Behind the Scenes with iOS Security by Ivan Krstić • Black Hat USA 2016
• Breaking the x86 Instruction Set by Christopher Domas (@xoreaxeaxeax) • Black Hat USA 2017
• Browser bug hunting - Memoirs of a last man standing by Atte Kettunen • 44CON 2013
• Fixing/Making Holes in Binaries by Shaun Clowes • Black Hat USA 2002
• Infosec and failure by Ange Albertini • Hack.lu 2017
• Jailbreaking iOS by tihmstar • 35C3
• Linux Vulnerabilities Windows Exploits: Escalating Privileges with WSL by Saar Amar (@AmarSaar) • BlueHat IL 2018
• Modern Windows Userspace Exploitation by Saar Amar (@AmarSaar) • 35C3
• Pwned By The Owner: What Happens When You Steal A Hacker's Computer by Zoz • DEF CON 18
• The Layman's Guide to Zero-Day Engineering by Markus Gaasedelen and Amy (@itszn) • 35C3
• Unexpected Stories From a Hacker Inside the Government by Mudge • DEF CON 21
• Unlocking secrets of proprietary software using Frida by Ole André Vadla Ravnås • NDC 2018
• Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? by James Mickens

Tools

• AFL | lcamtuf.coredump.cx
• angr | angr.io
• BinNavi | github.com/google
• Bootlin | bootlin.com
• bowkin | github.com/integeruser
• Buildroot | buildroot.org
• cave_miner | github.com/Antonin-Deniau
• Cling | cern.ch
• Compiler Explorer | godbolt.org
• crashwalk | github.com/bnagy
• crosstool-NG | crosstool-ng.github.io
• dockcross | github.com/dockcross
• Exodus | github.com/intoli
• FLARE VM | github.com/fireeye
• Frida | frida.re
• GEF | github.com/hugsy
• ghidra | github.com/NationalSecurityAgency
• HackSys Extreme Vulnerable Driver | github.com/hacksysteam
• KLEE | klee.github.io
• LIEF | github.com/lief-project
• linux-kernel-module-cheat | github.com/cirosantilli
• McSema | github.com/trailofbits
• ODA | onlinedisassembler.com
• one_gadget | github.com/david942j
• osxcross | github.com/tpoechtrager
• patchelf | github.com/NixOS
• preeny | github.com/zardus
• pwndbg | github.com/pwndbg
• pwnjs | github.com/theori-io
• PyREBox | github.com/Cisco-Talos
• QIRA | github.com/geohot
• RetDec | github.com/avast-tl
• rr | rr-project.org
• seccomp-tools | github.com/david942j
• Villoc | github.com/wapiflapi
• Woboq | woboq.org
• Z3 | github.com/Z3Prover

IDA

• A list of IDA Plugins | github.com/onethawt
• A set of exploitation/reversing aids for IDA | github.com/1111joe1111
• An IDA Pro plugin to examine the glibc heap, focused on exploit development | github.com/danigargu
• Collaborative Reverse Engineering plugin for IDA Pro & Hex-Rays | github.com/IDArlingTeam
• Hex-Rays Decompiler plugin for better code navigation | github.com/REhints
• HexRaysPyTools | github.com/igogo-x86
• IDA 2016 plugin contest winner! Symbolic Execution just one-click away! | github.com/illera88
• IDA Pro utilities from FLARE team | github.com/fireeye
• Make your IDA Lazy! | github.com/L4ys
• Multi-architecture assembler for IDA Pro. Powered by Keystone Engine. | github.com/keystone-engine