User input must be sanitized!
- LANGSEC Language-theoretic Security
- Page about weird machines by halvar flake
- Weird machines, exploitability, and provable unexploitability also slide
- Limiting weird machines Putting boundaries around emergent insecurity
- Exploitation and state machines Programming the “weird machine”, revisited
- Hacking & Computer Science
- The science of insecurity
- Accidentally Turing-Complete
- Video 2010-07-28 Meredith L. Patterson and Len Sassaman - Black Hat USA 2010 - Exploiting the Forest with Trees
- From Buffer Overflows to “Weird Machines” and Theory of Computation
- On Validating Inputs
- Security, Moore’s law, and the anomaly of cheap complexity
- Proving un-exploitability of parsers
- Maths for Hackers - The Hacker Theorem
- The Good, the Bad, and the Weird
- Data oriented programming
- Secure Code Partitioning With ELF binaries, aka. SCOP
- A Guide to Undefined Behavior in C and C++, Part 1
Unrelated for now, but there is an Android vulnerability, CVE-2017-13156, where the system parses the same file either as an APK or as a DEX, allowing a signature bypass.
There are several phases
- gain access
- maintain access
- Kali Linux Revealed PDF
In some cases it is important to make the space of possible values for certain variables large enough that it cannot be guessed in human time.
The most used tool is john the ripper: on a Linux system it is possible to edit src/Makefile and compile it with
$ make -C src -f Makefile linux-x86-64-native
One usage is to generate a mangled list of words starting from a pristine one with the following command:
$ ./run/john --wordlist=wordlist.txt --stdout --rules > expanded-word-list.txt
With no options, john will start in "single" mode first, then move on to "wordlist" mode, and finally to "incremental" mode.
$ john --incremental=Digits --stdout
1952
12345
123456
0065663
Obviously you need a good wordlist!
Custom code execution
See also shellcode.
- Understanding the fundamentals of attacks What is happening when someone writes an exploit? awesome slides by Halvar Flake & Thomas Dullien trying to formalize exploits
- GHOST vulnerability report
- commix: Automated All-in-One OS Command Injection and Exploitation Tool
- How To Heap: A repository for learning various heap exploitation techniques.
- Pure In-Memory (Shell)Code Injection In Linux Userland
Remember that using too large a string to trigger this vulnerability can overwrite sensitive data; use the shortest string possible.
- Exploiting Format String Vulnerabilities
- Advances in format string exploitation 0x0b, Issue 0x3b, Phile #0x07 of 0x12
- Howto remotely and automatically exploit a format bug
- libformatstr Simplify format string exploitation.
- 0CTF 2017 Quals: EasiestPrintf exploiting
- Liffy: Local File Inclusion Exploitation Tool
- Upgrade from LFI to RCE via PHP Sessions
- Exploiting PHP File Inclusion – Overview
- Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction
- Bitbucket 6.1.1 Path Traversal to RCE
HTTP parameter pollution
HPP attacks can be defined as the feasibility of overriding or adding HTTP parameters by injecting query string delimiters.
HTML entity encoding (htmlentities) is not relevant here.
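As an added example (not code from the page or from any of the linked resources), the following PHP shows how PHP's own parse_str() resolves a repeated query parameter, and a strict parser a defender can use instead, which rejects any request that repeats a key. The query string and the parameter names are constructed for the demonstration.

```php
<?php
// Added example, not from the page. Demonstrates how PHP resolves a repeated
// query parameter and a strict alternative that refuses duplicates.

// Constructed sample query string: "id" appears twice.
$query = 'id=1&action=view&id=2';

// PHP's own parser: for a repeated key the last occurrence wins, so the
// application sees only id=2 and never learns that id=1 was also sent.
parse_str($query, $lenient);
var_dump($lenient['id']);

// Strict parser: every key may appear at most once.
function parseQueryStrict(string $query): array
{
    $params = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        // Split on the first '=' only; a pair without '=' gets an empty value.
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $key = urldecode($key);
        if (array_key_exists($key, $params)) {
            throw new InvalidArgumentException("duplicate parameter: $key");
        }
        $params[$key] = urldecode($value);
    }
    return $params;
}

// The polluted query is rejected ...
try {
    parseQueryStrict($query);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// ... while a clean one parses normally.
var_dump(parseQueryStrict('id=1&action=view'));
```

Different stacks disagree on which occurrence wins: PHP keeps the last value, ASP.NET joins all values with a comma, and a servlet container such as Tomcat returns the first. That disagreement is what HPP exploits when a request passes through more than one tier, which is why refusing duplicates at the edge is safer than picking one. The strict parser above treats a key like `id[]` as a plain name; array parameters need their own rule.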
- Understanding Server-Side Request Forgery
- Server Side Request Forgery (SSRF)
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!
- How I Chained 4 vulnerabilities on GitHub Enterprise, From SSRF Execution Chain to RCE!
- Vimeo upload function SSRF
- Understanding the full potential of sqlmap during bug bounty hunting
- Rails SQLI
- Exploiting difficult SQL injection vulnerabilities using sqlmap: Part 1
- SQL Injection Wiki
- Side-channel attacks on high-security electronic safe locks
- Exploiting Timed Based RCE
- commix Automated All-in-One OS command injection and exploitation tool.
- BranchScope: A New Side-Channel Attack on Directional Branch Predictor
This is possible in languages that automatically cast between types when operators are applied,
particularly in those with more than one equality operator (loose and strict).
In PHP this is more dangerous when the input comes from a JSON conversion,
because the decoded values keep their JSON types (boolean, number, null) instead of all being strings.
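As an added example (not code from the page), the following PHP contrasts a loose `==` comparison on JSON-decoded input with a hardened check. The request body, the user name and the stored credential are constructed for the demonstration.

```php
<?php
// Added example, not from the page: loose comparison on JSON-decoded input.
// json_decode() preserves JSON types, so a client can send a boolean or a
// number where the application expects a string.

// Constructed request body: "password" is the JSON literal true, not a string.
$body = '{"user":"alice","password":true}';
$data = json_decode($body, true);

// Constructed sample credential for the demonstration.
$storedPassword = 's3cret';

// Vulnerable check: == is PHP's loose comparison. When one operand is a bool
// the other is converted to bool, and any non-empty string is true, so
// true == 's3cret' holds and the check passes without knowing the password.
function checkLoose(array $data, string $stored): bool
{
    return $data['password'] == $stored;
}

// Hardened check: require a string, then compare with hash_equals(), which
// does no type coercion and runs in constant time.
function checkStrict(array $data, string $stored): bool
{
    $supplied = $data['password'] ?? null;
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

var_dump(checkLoose($data, $storedPassword));   // passes: type juggling
var_dump(checkStrict($data, $storedPassword));  // rejected
```

In a real application the stored value is a password hash checked with password_verify(); the same is_string guard belongs in front of that call, and `===` (or hash_equals for secrets) should be used anywhere user-controlled data is compared.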
Advanced protection mechanism bypass
- ASLR Smack & Laugh Reference
- Bypassing non-executable-stack during exploitation using return-to-libc
- The advanced return-into-lib(c) exploits: PaX case study
- PAYLOAD ALREADY INSIDE: DATA REUSE FOR ROP EXPLOITS
- Linux ASLR and GNU Libc: Address space layout computing and defence, and “stack canary” protection bypass
- New bypass and protection techniques for ASLR on Linux
- Hardening AWS Environments and Automating Incident Response
- Damn Vulnerable Web App site
- security headers: check headers of your site
- DNSteal: stealthily extract files from a victim machine through DNS requests
- pwntools CTF framework and exploit development library
- online courses
- Exploit Development
- ssh security
- Modern Binary Exploitation
- CSAW Quals 2016 Pwn 500 - Mom's Spaghetti
- CTF Time
- Rise of the machine PDF
- Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads
- Don't use VPN services
- Facebook’s ImageTragick story
- Escaping a Python sandbox with a memory corruption bug
- Jinja2 template injection filter bypasses
- Spring Boot RCE via a template code injection
- CVE-2018-13784: PrestaShop 1.6.x Privilege Escalation
- HTTP Desync Attacks: Request Smuggling Reborn
- JWT (JSON Web Token) (in)security