The reason why I'm writing this kind of how-to on becoming an exploit writer is because I was in the same boat as you, so I had to research link by link to find the right ones. I call this kind of how-to a course from noob to hero, covering the basics of penetration testing up to the hottest topics such as sandbox escape.
What has kept me so interested and motivated in 0day research is that everything I googled led me to Google's security research team, known as Google Project Zero. Don't judge me; maybe I cannot reach that level yet, but the day I give up on my dreams, I will be dead inside.
- Aim for the impossible
- This is not a basic course even if I call it "noob"
- Be prepared to suffer as much as possible
- Nightmares
- Don't be afraid of assembly
- Network with other cybersecurity folks
- Get familiar with WinDBG, Immunity, and IDA
- Don't be as those people who tell you "Try harder" (which in some cases means: I am not going to help you)
- Netcat
- Google hacking
- Email Harvesting
- Netcraft
- whois
- OSINT Framework
- Pipl Search
- Shodan
- DNSRecon
- Gobuster
- Nikto
- Burp suite
- Hunter
- Maltego
- nmap
- Exploit writing tutorial part 1 : Stack Based Overflows
- Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
- Part 1: Introduction to Exploit Development
- Part 2: Saved Return Pointer Overflows
- Finding Bad Characters with Immunity Debugger and Mona.py
- Hunting bad characters with mona
- Windows Privilege Escalation Fundamentals
- Basic Linux Privilege Escalation
- Privilege Escalation linux & windows
- Cross Site Scripting (XSS)
- Stealing Cookies and Session Information
- Local File Inclusion
- Remote File Inclusion
- MySQL SQL Injection
- SSH Port Forwarding/Tunnelling
- Introduction to pivoting, Part 1: SSH
- Pivoting
- Explore Hidden Networks With Double Pivoting
- A Red Teamer's guide to pivoting
At this point you will be able to perform penetration testing / red team work at an entry level.
I didn't mention The Metasploit Framework, because I want you to learn the TECHNIQUES.
- Backdooring PE File by Adding New Section Header
- Backdooring PE-File (with ASLR)
- Introduction to Manual Backdooring
- Art of Anti Detection 1 – Introduction to AV & Detection Techniques
- Art of Anti Detection 2 – PE Backdoor Manufacturing
corelan
- Exploit writing tutorial part 1 : Stack Based Overflows
- Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
- Exploit writing tutorial part 3 : SEH Based Exploits
- Exploit writing tutorial part 3b : SEH Based Exploits – just another example
- Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
- Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
- Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Exploit writing tutorial part 8 : Win32 Egg Hunting
- Exploit writing tutorial part 9 : Introduction to Win32 shellcoding
- Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube
fuzzysecurity
- Part 1: Introduction to Exploit Development
- Part 2: Saved Return Pointer Overflows
- Part 3: Structured Exception Handler (SEH)
- Part 4: Egg Hunters
- Part 6: Writing W32 shellcode
- Part 7: Return Oriented Programming
- boofuzz - A fork and successor of Sulley framework
- Fuzzing with Peach Part 1 - by Jason Kratzer of corelan team
- Fuzzing with Peach Part 2 - by Jason Kratzer of corelan team.
- Win AFL - A fork of AFL for fuzzing Windows binaries by Ivan Fratic
- Peach Fuzzer - Framework which helps to create custom dumb and smart fuzzers.
- libFuzzer - In-process, coverage-guided, evolutionary fuzzing engine for targets written in C/C++.
- Windbg - The preferred debugger by exploit writers.
- Immunity Debugger - Immunity Debugger by Immunity Sec.
- Mona.py (plugin for WinDbg and Immunity Debugger) - Awesome tool that makes life easy for exploit developers.
- GDB - GNU Debugger - The favorite Linux debugger.
- PEDA - Python Exploit Development Assistance for GDB.
Disassemblers, disassembly frameworks etc.
- IDA Pro - The best disassembler
At this point you will be comfortable with intermediate exploit development, from a simple BOF to bypassing software protections such as DEP.
Do an intensive reverse engineering course before jumping into the third & last stage. You will not know the light without it.
- [[https://www.fuzzysecurity.com/tutorials/expDev/8.html][Part 8: Spraying the Heap (Vanilla EIP)]] by FuzzySecurity
- [[https://www.fuzzysecurity.com/tutorials/expDev/11.html][Part 9: Spraying the Heap (Use-After-Free)]] by FuzzySecurity
- [[https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/][DEPS – Precise Heap Spray on Firefox and IE10]] by Corelan
- [[https://0x00sec.org/t/heap-exploitation-abusing-use-after-free/3580][Heap Exploitation ~ Abusing Use-After-Free]] by _py
- [[http://www.fuzzysecurity.com/tutorials/mr_me/2.html][Heap Overflows For Humans 101]] by FuzzySecurity
- [[http://www.fuzzysecurity.com/tutorials/mr_me/3.html][Heap Overflows For Humans 102]] by FuzzySecurity
- [[http://www.fuzzysecurity.com/tutorials/mr_me/4.html][Heap Overflows For Humans 102.5]] by FuzzySecurity
- [[http://www.fuzzysecurity.com/tutorials/mr_me/5.html][Heap Overflows For Humans 103]] by FuzzySecurity
- [[http://www.fuzzysecurity.com/tutorials/mr_me/6.html][Heap Overflows For Humans 103.5]] by FuzzySecurity
- Pointer inference and JIT-Spraying, Dion Blazakis, 2010
- Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010
- Too LeJIT to Quit: Extending JIT Spraying to ARM
- Interpreter Exploitation: Pointer Inference and JIT Spraying
- Understanding JIT Spray
- Writing JIT-Spray Shellcode For Fun And Profit
- The Devil is in the Constants: Bypassing Defenses in Browser JIT Engines
- Beginners guide to UAT exploits IE 0day exploit development
- Fuzzy Security - Spraying the Heap [Chapter 1: Vanilla EIP] – Putting Needles in the Haystack
- Fuzzy Security - Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack
- Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1
- Using the JIT Vulnerability to Pwn Microsoft Edge
- Post-mortem Analysis of a Use-After-Free Vulnerability (CVE-2011-1260)
- Advanced Heapspraying Technique
- HeapSpray Aurora Vulnerability
- Microsoft Edge Chakra JIT Type Confusion CVE-2019-0539
- CVE-2019-0539 Root Cause Analysis
- Attacking JavaScript Engines
- Learning browser exploitation via 33C3 CTF feuerfuchs challenge
- A Methodical Approach to Browser Exploitation
- Reducing target scope within JSC, building a JavaScript fuzzer
- Performing root-cause analysis of a JSC vulnerability
- Weaponizing a JSC vulnerability for single-click RCE
- Evaluating the Safari sandbox, and fuzzing WindowServer on MacOS
- Weaponizing a Safari sandbox escape
- Microsoft Edge MemGC Internals
- The ECMA and the Chakra
- Memory Corruption Exploitation In Internet Explorer
- IE 0day Analysis And Exploit
- Write Once, Pwn Anywhere
- The Art of Leaks: The Return of Heap Feng Shui
- IE 11 0day & Windows 8.1 Exploit
- IE11 Sandbox Escapes Presentation
- Spartan 0day & Exploit
- Look Mom, I don't use Shellcode
- Windows 10 x64 edge 0day and exploit
- 1-Day Browser & Kernel Exploitation
- The Secret of ChakraCore: 10 Ways to Go Beyond the Edge
- From Out of Memory to Remote Code Execution
- Attacking WebKit Applications by exploiting memory corruption bugs
- CVE-2018-5129: Out-of-bounds write with malformed IPC messages
- it-sec catalog browser exploitation chapter
- [[https://phoenhex.re/2018-09-26/safari-array-concat][Exploiting a Safari information leak]] by Bruno Keith
- [[https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf][Attacking Client-Side JIT Compilers]] by Samuel Groß
- [[https://www.offensive-security.com/vulndev/disarming-emet-v5-0/][Disarming EMET v5.0]] by Offensive Security
- [[https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/][Disarming and Bypassing EMET 5.1]] by Offensive Security
- [[https://www.offensive-security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit-emet/][Disarming Enhanced Mitigation Experience Toolkit (EMET)]] by Offensive Security
- [[https://www.xorlab.com/blog/2016/10/27/emet-memprot-bypass/][Bypassing EMET 5.5 MemProt using VirtualAlloc]] by Matthias Ganz
- Universal DEP/ASLR bypass with msvcr71.dll and mona.py
- Chaining DEP with ROP – the Rubik’s[TM] Cube
- Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Development of a new Windows 10 KASLR Bypass (in One WinDBG Command)
- Simple EMET EAF bypass
- Exploit Dev 101: Bypassing ASLR on Windows
- Bypassing Control Flow Guard in Windows 10
- Bypassing Control Flow Guard in Windows 10 - Part II
- BYPASS CONTROL FLOW GUARD COMPREHENSIVELY
- CROSS THE WALL-BYPASS ALL MODERN MITIGATIONS OF MICROSOFT EDGE
- How to find the vulnerability to bypass the Control Flow Guard
- Bypassing Memory Mitigation Using Data-Only Exploitation Technique
- CHAKRA JIT CFG BYPASS
- SMEP: What is it, and how to beat it on Windows
- ROP for SMEP bypass
- Smashing The Browser
- Browser security mitigations against memory corruption vulnerabilities
- b33f (@FuzzySec)
- corelanc0d3r (@corelanc0d3r)
- yeyintminthuhtut (@yeyint_mth)