Complete Resources About Exploitation Development for Ethical Hackers

Assembly Language:

• http://www.drpaulcarter.com/pcasm/
• Assembly Language Step-by-Step: Programming with Linux
• The Art of Assembly Language
• Windows Assembly Language Megaprimer
• Assembly Language Megaprimer for Linux

C/C++:

• C Programming Absolute Beginner’s Guide
• The C Programming Language
• Introduction to Computer Science CS50x
• Programming: Principles and Practice Using C++
• C++ Primer
• Accelerated C++: Practical Programming by Example

Python:

Python has a wonderful official documentation, apart from that you can use the following books/courses:

• Learn Python the hard way
• How to think like a computer scientist
• Learning Python
• Introduction to computer science and programming using Python MITx 6.00.1x

BOOKS

• Hacking – The art of exploitation
• A bug Hunter’s Diary: A Guided Tour Through the Wilds of Software Security
• The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
• Sockets, shellcode, Porting, and coding: reverse engineering Exploits and Tool coding for security professionals
• Writing Security tools and Exploits
• Buffer overflow attacks: Detect, exploit, Prevent
• Metasploit toolkit for Penetration Testing, exploit Development, and vulnerability research

---

TUTORIALS

Corelan.be

• https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
• https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
• https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
• https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
• https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
• https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
• https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
• https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
• https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
• https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
• https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
• https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
• https://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/
• https://www.corelan.be/index.php/2010/03/22/ken-ward-zipper-exploit-write-up-on-abysssec-com/
• https://www.corelan.be/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/
• https://www.corelan.be/index.php/2011/01/30/hack-notes-rop-retnoffset-and-impact-on-stack-setup/
• https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/
• https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
• https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/
• https://www.corelan.be/index.php/2012/02/29/debugging-fun-putting-a-process-to-sleep/
• https://www.corelan.be/index.php/2012/12/31/jingle-bofs-jingle-rops-sploiting-all-the-things-with-mona-v2/
• https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/
• https://www.corelan.be/index.php/2013/01/18/heap-layout-visualization-with-mona-py-and-windbg/
• https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/
• https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/

Opensecuritytraining.info

• http://opensecuritytraining.info/Exploits1.html
• http://opensecuritytraining.info/Exploits2.html

Securitytube.net

• http://www.securitytube.net/groups?operation=view&groupId=7 exploit research megaprimer
• http://www.securitytube.net/groups?operation=view&groupId=4 buffer overflow exploitation for linux megaprimer
• http://www.securitytube.net/groups?operation=view&groupId=3 Format string vulnerabilities megaprimer

Massimiliano Tomassoli’s blog

• http://expdev-kiuhnm.rhcloud.com/2015/05/11/contents/

Samsclass.info

• https://samsclass.info/127/127_F15.shtml

Securitysift.com

• http://www.securitysift.com/windows-exploit-development-part-1-basics/
• http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/
• http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/
• http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/
• http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting
• http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits
• http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows

Justbeck.com

• http://www.justbeck.com/getting-started-in-exploit-development/

0xdabbad00.com

• http://0xdabbad00.com/2012/12/09/hurdles-for-a-beginner-to-exploit-a-simple-vulnerability-on-modern-windows/

fuzzysecurity.com

• Part 1: Introduction to Exploit Development
• Part 2: Saved Return Pointer Overflows
• Part 3: Structured Exception Handler (SEH)
• Part 4: Egg Hunters
• Part 5: Unicode 0x00410041
• Part 6: Writing W32 shellcode
• Part 7: Return Oriented Programming
• Part 8: Spraying the Heap [Chapter 1: Vanilla EIP]
• Part 9: Spraying the Heap [Chapter 2: Use-After-Free]

sploitfun.wordpress.com

• https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/

sneakerhax.com

• http://sneakerhax.com/jumping-into-exploit-development/

community.rapid7.com

• https://community.rapid7.com/community/metasploit/blog/2012/07/05/part-1-metasploit-module-development–the-series

resources.infosecinstitute.com

• http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/

rafayhackingarticles.net

• http://www.rafayhackingarticles.net/2011/07/from-minor-bug-to-zero-day-exploit.html
• Smashing the stack for fun and for profit: revived
• Automating format string exploits
• IT-Sec catalog 2.0 (Exploit development) by Arthur Gerkis

Stack Based Overflow Articles

• Win32 Buffer Overflows (Location, Exploitation and Prevention) – by Dark spyrit [1999]
• Writing Stack Based Overflows on Windows – by Nish Bhalla’s [2005]

Heap Based Overflow Articles

• Third Generation Exploitation smashing heap on 2k – by Halvar Flake [2002]
• Exploiting the MSRPC Heap Overflow Part 1 – by Dave Aitel (MS03-026) [September 2003]
• Exploiting the MSRPC Heap Overflow Part 2 – by Dave Aitel (MS03-026) [September 2003]
• Windows heap overflow penetration in black hat – by David Litchfield [2004]

Kernel Based Exploit Development Articles

• How to attack kernel based vulns on windows was done – by a Polish group called “sec-labs” [2003]
• Sec-lab old whitepaper
• Sec-lab old exploit
• Windows Local Kernel Exploitation (based on sec-lab research) – by S.K Chong [2004]
• How to exploit Windows kernel memory pool – by SoBeIt [2005]
• Exploiting remote kernel overflows in windows – by Eeye Security
• Kernel-mode Payloads on Windows in uninformed – by Matt Miller
• Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
• BH US 2007 Attacking the Windows Kernel
• Remote and Local Exploitation of Network Drivers
• Exploiting Comon Flaws In Drivers
• I2OMGMT Driver Impersonation Attack
• Real World Kernel Pool Exploitation
• Exploit for windows 2k3 and 2k8
• Alyzing local privilege escalations in win32k
• Intro to Windows Kernel Security Development
• There’s a party at ring0 and you’re invited
• Windows kernel vulnerability exploitation

Windows memory protections Introduction Articles.

• Data Execution Prevention
• /GS (Buffer Security Check)
• /SAFESEH
• ASLR
• SEHOP

Windows memory protections Bypass Methods Articles.

• Third Generation Exploitation smashing heap on 2k – by Halvar Flake [2002]
• Creating Arbitrary Shellcode In Unicode Expanded Strings – by Chris Anley
• Advanced windows exploitation – by Dave Aitel [2003]
• Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server – by David Litchfield
• Reliable heap exploits and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) – by Matt Conover in cansecwest 2004
• Safely Searching Process Virtual Address Space – by Matt Miller [2004]
• IE exploit and used a technology called Heap Spray
• Bypassing hardware-enforced DEP – by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
• Exploiting Freelist[0] On XP Service Pack 2 – by Brett Moore [2005]
• Kernel-mode Payloads on Windows in uninformed
• Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
• Exploiting Comon Flaws In Drivers
• Heap Feng Shui in JavaScript by Alexander sotirov [2007]
• Understanding and bypassing Windows Heap Protection – by Nicolas Waisman [2007]
• Heaps About Heaps – by Brett moore [2008]
• Bypassing browser memory protections in Windows Vista – by Mark Dowd and Alex Sotirov [2008]
• Attacking the Vista Heap – by ben hawkes [2008]
• Return oriented programming Exploitation without Code Injection – by Hovav Shacham (and others ) [2008]
• Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 – by Cesar Cerrudo [2008]
• Defeating DEP Immunity Way – by Pablo Sole [2008]
• Practical Windows XP2003 Heap Exploitation – by John McDonald and Chris Valasek [2009]
• Bypassing SEHOP – by Stefan Le Berre Damien Cauquil [2009]
• Interpreter Exploitation : Pointer Inference and JIT Spraying – by Dionysus Blazakis[2010]
• Write-up of Pwn2Own 2010 – by Peter Vreugdenhil
• All in one 0day presented in rootedCON – by Ruben Santamarta [2010]
• DEP/ASLR bypass using 3rd party – by Shahin Ramezany [2013]

Windows Exploits

• Real-world HW-DEP bypass Exploit – by Devcode
• Bypassing DEP by returning into HeapCreate – by Toto
• First public ASLR bypass exploit by using partial overwrite – by Skape
• Heap spray and bypassing DEP – by Skylined
• First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability
• Exploit codes of bypassing browsers memory protections
• PoC’s on Tokken TokenKidnapping . PoC for 2k3 -part 1 – by Cesar Cerrudo
• PoC’s on Tokken TokenKidnapping . PoC for 2k8 -part 2 – by Cesar Cerrudo
• An exploit works from win 3.1 to win 7 – by Tavis Ormandy KiTra0d
• Old ms08-067 metasploit module multi-target and DEP bypass
• PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass
• SMBv2 Exploit – by Stephen Fewer

---

TRAININGS

Opensecuritytraining.info

• http://opensecuritytraining.info/Exploits1.html
• http://opensecuritytraining.info/Exploits2.html

Module 12 of Advanced penetration testing cource on Cybrary.it

• https://www.cybrary.it/course/advanced-penetration-testing/

Securitytube.net

• http://www.securitytube.net/groups?operation=view&groupId=7 research megaprimer
• http://www.securitytube.net/groups?operation=view&groupId=4 exploitation for linux megaprimer
• http://www.securitytube.net/groups?operation=view&groupId=3 Format string vulnerabilities megaprimer

infiniteskills.com

• http://www.infiniteskills.com/training/reverse-engineering-and-exploit-development.html

---

COURSES

Corelan

• https://www.corelan-training.com

Offensive Security

• https://www.offensive-security.com/information-security-training/advanced-windows-exploitation/ AWE (Advanced Windows Exploitation)

SANS

• https://www.sans.org/course/advance-exploit-development-pentetration-testers SANS SEC760: Advanced Exploit Development for Penetration Testers

Ptrace Security

• http://www.ptrace-security.com/training/courses/advanced-software-exploitation/ Advanced Software Exploitation

Udemy

• https://www.udemy.com/windows-exploit-development-megaprimer/learn/#/ Windows exploit Development Megaprimer by Ajin Abraham

---

VIDEOS

• LiveOverflow Youtube channel

---

TOOLS

• IDA Pro – Windows disassembler and debugger, with a free evaluation version.
• OllyDbg – An assembly-level debugger for Windows executables.
• WinDbg
• Mona.py
• angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
• BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
• binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
• Bokken – GUI for Pyew and Radare.
• Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
• codebro – Web based code browser using clang to provide basic code analysis.
• dnSpy – .NET assembly editor, decompiler and debugger.
• Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
• GDB – The GNU debugger.
• GEF – GDB Enhanced Features, for exploiters and reverse engineers.
• hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
• Immunity Debugger – Debugger for malware analysis and more, with a Python API.
• ltrace – Dynamic analysis for Linux executables.
• objdump – Part of GNU binutils, for static analysis of Linux binaries.
• PANDA – Platform for Architecture-Neutral Dynamic Analysis
• PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
• pestudio – Perform static analysis of Windows executables.
• Process Monitor – Advanced monitoring tool for Windows programs.
• Pyew – Python tool for malware analysis.
• Radare2 – Reverse engineering framework, with debugger support.
• SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
• strace – Dynamic analysis for Linux executables.
• Udis86 – Disassembler library and tool for x86 and x86_64.
• Vivisect – Python tool for malware analysis.
• X64dbg – An open-source x64/x32 debugger for windows.
• SploitKit – a suite of cli tools to automate the tedious parts of exploit development
• ShellSploit framework
• ROP Injector

---

HEAP EXPLOITATION TECHNIQUES

• https://github.com/shellphish/how2heap

---

VULNERABLE APPLICATIONS

Exploit-exercises.com

• https://exploit-exercises.com/protostar/ Protostar
• https://exploit-exercises.com/fusion/ Fusion
• StackSmash – A collection of toy programs for teaching buffer overflow vulnerabilities
• CTF-Workshop – challenges for binary exploitation workshop 28 hacking sites to practise your skills in a legal way https://www.peerlyst.com/blog-post/practise-your-infosec-skill-on-these-legal-28-hacking-sites

---

EXPLOITS DATABASE

• https://www.exploit-db.com
• https://www.milw00rm.com
• http://0day.today
• https://packetstormsecurity.com
• http://www.securityfocus.com
• http://www.windowsexploits.com
• http://iedb.ir
• http://www.macexploit.com