Linux/Unix Exploitation
Buffer Overflow
Stack
Traditional techniques
Smashing The Stack For Fun And Profit Aleph One
The Frame Pointer Overwrite klog
Taking advantage of non-terminated adjacent memory spaces twitch
Advanced Buffer Overflow Methods Izik
Exploiting with linux-gate.so.1 izik
Linux Virtual Addresses Exploitation ?
Linux vsyscalls may be used as attack vectors ?
Smashing the Modern Stack for Fun and Profit craig
Buffer Overflow testing on gentoo gcc 4.1.1 KaiJern
Buffer overflow exploit in the alpha linux Taeho Oh
Stack Overflow Exploits on LiNUX/BSDOS/FREEBSD/SUNOS/SOLARiS/HP-UX THC
Exploiting SPARC Buffer Overflow vulnerabilities pr1
Return into Libc
Project OMEGA Lamagra
The OMEGA project finished Lamagra
The advanced return-into-lib(c) exploits Nergal
Using Environment for returning into Lib C Elie
Heap
w00w00 on Heap Overflows Shok & w00w00
Heap Overflows by example Lamagra
Once upon a free() anonymous
Vudo - An object superstitiously believed to embody magical powers MaXX
The Malloc Maleficarum Phantasmal
Heap off by one qitest1
Exploiting The Wilderness phantasmal
Double free ?
Advanced Doug lea's malloc exploits jp
BSD heap smashing bbp
OS X heap exploitation techniques nemo
An Introduction to Heap overflows on AIX 5.3L David Litchfield
Understanding the heap by breaking it Ferguson
Misc
Radical Environmentalists gloomy & The Itch
Radical Environmentalists Part II - The 0-byte technique gloomy & The Itch
Overwriting the .dtors section Juan M. Bello Rivas
Manipulating the .dtors section bob
How to hijack the Global Offset Table with pointers for root shells c0ntex
__atexit in memory bugs Pascal Bouchareine
File Stream Pointer Overflows Paper killah
Non e' tutto Heap quello che non e' Stack (Not everything that is not Stack is Heap) (ITA) Nail
Smashing C++ VPTRS rix
Exotic Vulnerabilities Nomenumbra
 
Format String Bug
Exploiting Format String Vulnerabilities (Sources) scut
Format String Technique sloth
Advances in format string exploitation gera
Further advances in to exploiting vulnerable format string bugs c0ntex
Small buffer format string attack Xpl017Elz
FS Dirottamento all'uscita dalla printf() (Format String: hijacking at the return from printf()) (ITA) ORK
How to remotely and automatically exploit a format bug Frédéric Raynal
Remote blind exploitation of a format string bug with multiple staged shellcode mXn
An alternative method in format string exploitation K-sPecial
Exploiting non-classical format string vulnerability darkeagle
 
Integer Overflow
Basic Integer Overflows blexim
Integer array overflows vade79/v9
Big Loop Integer Protection Oded Horovitz
 
Kernel Vulnerabilities
Kernel Level Vulnerabilities LSD
The story of exploiting kmalloc() overflows qobaiashi
Exploiting Kernel Buffer Overflows FreeBSD Style Esa Etelavuori
Smashing The Kernel For Fun And Profit Dark-Angel
 
ShellCode Development
UNIX Assembly Codes Development for Vulnerabilities Illustration Purposes Source LSD
Introduction to Linux x86 shellcode posidron
Advanced buffer overflow exploit Taeho Oh
Chained Payload Attacks UDP
Architecture Spanning Shellcode eugene
Building ptrace injecting shellcodes anonymous
Developing StrongARM/Linux shellcode funkysh
Linux/390 shellcode development johnny cyberpunk
Writing MIPS/IRIX Shellcode scut
PPC shellcode palante
Writing Shellcode on SPARC lhall
PowerPC/OS X (Darwin) Shellcode Assembly B-r00t
Linux System Call Table ?
 
Filters and IDS Bypass
Bypassing Filters
Writing Self-Modifying Code 2 - Advanced Filters, Creating Alpha-Numeric shellcode XORt
Writing ia32 alphanumeric shellcodes rix
Bypassing MSB Data Filters for Buffer Overflow Exploits on Intel Platforms caezar
Implementing a Custom X86 Encoder mmiller
Bypassing IDS
NOP Equivalent opcodes for shellcodes - Canonical List ?
On Polymorphic Evasion ?
Polymorphic Shellcode Engine Using Spectrum Analysis ...
ADMmutate - A shellcode mutation engine, can evade NIDS ?
Polymorphic Shellcodes vs. Application IDSs ?
Advanced Polymorphic Worms - Evading IDS by Blending in with Normal Traffic ...
About Unix Shellcodes Philippe Biondi
Writing anti-IDS shellcode rash
NIDS polymorphic evasion - The End? Gushin
 
Protections against exploitation
Description
StackGuard - Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks ...
StackGuard - Protecting Against Buffer Overflows Konstantin Rozinov
FormatGuard - Automatic Protection From printf Format String Vulnerabilities ?
Libsafe - Protecting Critical Elements of Stacks ...
Protection Against Exploitation of Stack And Heap Overflows Yinrong Huang
Defeating Overflow Attacks Jason Deckard
A Comparison of Buffer Overflow Prevention Implementations and Their Weaknesses (Source) Johnson, Silberman
Detection, Prevention, and Containment - A Study of grsecurity Brad Spengler
PaX - The Guaranteed End of Arbitrary Code Execution ?
On the Effectiveness of Address-Space Randomization ...
New Security Enhancements in Red Hat Enterprise Linux v.3, update 3 Arjan van de Ven
Security Enhancements in Red Hat Enterprise Linux Ulrich Drepper
exec-shield vs PaX ...
Dnmalloc - A more secure memory allocator ...
Memory Allocator Security ...
Bypass techniques
Bypassing Stackguard and Stackshield Bulba, Kil3r
Four different tricks to bypass StackShield and StackGuard protection gera
Multiple vulnerabilities in stack smashing protection technologies Core Security
Bypassing PaX ASLR protection anonymous
Example of Grsecurity protection avoid adam
Solution To Red Hat PIE protection Fr0z3n
How to Exploit Overflow Vulnerability Under Fedora Core vangelis
Advanced exploitation in exec-shield (Fedora Core case study) Slides Xpl017Elz
x86-64 buffer overflow exploits and the borrowed code chunk exploitation technique Sebastian Krahmer
Defeating Solaris/SPARC Non-Executable Stack Protection Horizon
 
Misc
Vulnerabilities in your code - Advanced Buffer Overflows CoreSecurity Team
Vulnerabilities in your code - Format String CoreSecurity Team
Delivering Signals for Fun and Profit Michal Zalewski
Tales of the Unknown ?
Clutching at straws - When you can shift the stack pointer Andrew Griffiths
Breaking Mac OS X ...
A Buffer Overflow Study Attacks & Defenses Pierre-Alain
Memory Layout in Program Execution Giasson
Injecting signals for Fun and Profit shaun2k2
Crafting Symlinks for Fun and Profit Colley
OpenBSD Remote Exploit Alfredo Ortega, Gerardo Richarte