Tuesday, August 3, 2010

From 0x90 to 0x4c454554, a journey into exploitation.

I put some time in and compiled a list in a course type layout to help people in process of learning
exploit development. I hope my research will help others spend more time learning and less time
searching.

First off I want to thank the corelan guys for the help they have provided me so far in the process.

layout: I will be posting in a hierarchical structure, each hierarchy structure should be fully understood
before moving on to the next section. I will also post sets of Parallel learning topics that you can use to
study in line with other topics to help prevent monotony. These Parallel areas will have a start and end
mark which shows when they should be complete in perspective to the overall learning

desktop background Link to Backgrounds

Other Posts like this one:

Because of quality of these posts I wanted to put them at the top. I could not figure out where to put
them in the list because they cover so much.
past-present-future of windows exploitation
smashing the stack in 2010
IT-Sec-catalog

1. Part 1: Programming
Parallel learning #1:(complete this section before getting to the book "Hacking Art of
exploitation")
While going through the programming area I concentrate on core topics to help us later on with
exploit writing. One area that is very good to pick up is some kind of scripting language. Listed
below are some of the most popular scripting languages and ones I feel will prove to be the
most useful.

Python: One of my favorite languages and growing in popularity python is a powerful language
that is easy to use and well documented.
Learn Python the hard way
Wikibooks Python
http://docs.python.org/
onlinecomputerbooks.com
Grey hat python
2. Ruby: If you plan on later on working inside of metasploit this may be the language you want to
start with. I highly suggest this for exploit developers to learn.
Wikibooks Ruby
LittleBookOfRuby
Ruby Programmers Guide
onlinecomputerbooks.com

Perl: An older language that still has a lot of use perl is one of the highest used scripting
languages and you will see it used in many exploits. (I would suggest python over perl)
[book] O'Reilly Learning Perl
onlinecomputerbooks.com

C and C++ programming:

It is very important to understand what you are exploiting so to get started let us figure out what
we are exploiting. You do not need to go through all of these but when finished with this section
you should have a good understanding of C and C++ programming.
Cprogramming.com
http://www.java2s.com/Tutorial/C/CatalogC.htm
http://beej.us/guide/bgc/
onlinecomputerbooks.com

X86 Assembly:
Ok now to understand what the computer reads when we compile C and C++. I am going to
mostly stick to the IA-32(X86) assembly language. Read the first link to understand why. It
explains it very well.
Skullsecurity: Assembly
Windows Assembly Programming Tutorial
http://en.wikibooks.org/wiki/X86_Assembly
[book]The Art of Assembly
Assembly primer for hackers
PC Assembly Language

Windows Programming:
This is to help understand what we are programming in and the structure of libraries in the OS.
This area is very important far down the line
http://en.wikibooks.org/wiki/Windows_Programming
https://upload.wikimedia.org/wikipedia/commons/5/57/Windows_Programming.pdf
http://www.relisoft.com/win32/index.htm 
http://slav0nic.org.ua/static/books/C_Cpp/theForger's_Win32APITutorial.pdf
http://www.winprog.org/tutorial/start.html
[book]Windows Internals 5
 [book]Windows Internals 4

Disassembly:
Dissassembly is not as much programming as it is what the computer understands and the way it
is interpreted from CPU and memory. This is where we start getting into the good stuff.
http://en.wikibooks.org/wiki/X86_disassembly
The Art of Disassembly

3. Part 2: Getting started

Now that we have a very good understanding of programming languages and what the machine
is doing we can start working on task at hand, exploitation.
Here I will start a lot of the learning in very much a list format and adding in comments or
Parallel learning areas when needed.

Smash the stack for fun and profit (Phrack 49)

C function call conventions and the stack
Anatomy of a program in memory
Function Calls, Part 1 (the Basics)
IA-32 Architecture
[videos]Code Audit from cryptocity.net

(Parallel learning #1 finished: You should now have finished on Parallel learning 1 and have a
good understanding of one of the 3 languages)

[Book]Hacking art of exploitation [Chapter 1&2]

Corelan T1
Corelan T2

Parallel learning #2:(complete this section before end of part 2)

(Read the first few posts on this blog has some good info)
Kspice blog
(Read some of the post from this blog they are very helpful with starting out with fuzzers.)
Nullthreat's blog
(I am linked directly to a demo exploit for this area but this is a useful blog to keep track of for
many things)
A demo exploit

tenouk.com: Buffer overflow intro

The Tao of Windows Buffer Overflow
nsfsecurity on BOF
Hacker center: BOF
 [video]Buffer overflow Primer
[Book]Shellcoder's Handbook Ch1&2
[Book]Hacking art of exploitation [Chapter 3]
Corelan T3A
Corelan T3B
SEH Based Exploits and the development process
SEH overwrite simplified

((Parallel learning #2 finished:)

4. Part 3:Tools of the trade

This is a list of tools I have started using and find very useful.
Immunity Debugger
Ollydbg
Windbg
IDA Pro
explorer suite
Sysinternals

And here are some corelan posts on how to use them. I will supply more in future but this is a
very good start.
Corelan T5
Corelan: Immunity debugger cheatsheet

5. Part 4: Network and Metasploit

(Networking)
Beej.us network programming
[Book]Hacking art of exploitation [Chapter 4]
Socket Programming in ruby

(Metasploit)
[Video]Security Tube: Metasploit Megaprimer
Metasploit.com
Metasploit Unleashed
[video]Metasploit Louisville Class
Metasploitable (a target)
Corelan T4
intern0t: developing my first exploit
[video]DHAtEnclaveForensics: Exploit Creation in Metasploit
Wikibooks Metasploit/Writing Windows Exploit
6. Part 5: Shellcode
Corelan T9
projectShellcode: Shellcode Tutorial
[Book]Shellcoder's Handbook Ch3
[Book]Hacking art of exploitation [Chapter 5]
Writing small shellcode
Shell-storm Shellcode database
Advanced shellcode

7. Part 6: Engineering in Reverse

Parallel Learning #3:(constant place to reference and use for reversing)
Understanding Code
Reverse Engineering the World
Reversing for Newbies
Room362.com reversing blog post
Ethicalhacker.net intro to reverse engineering
acm.uiuc.edu Intro to Reverse Engineering software
[Book]Reversing: secrets of reverse engineering
[video]Reverse Engineering from cryptocity.net
CrackZ's Reverse Engineering Page
Reverse engineering techniques
CBM_1_2_2006_Goppit_PE_Format_Reverse_Engineer_View
HistoryofPackingTechnology
Windows PE Header
OpenRCE Articles

[GAME]Crackmes.de

8. Part 7: Getting a little deeper into BOF

Parallel Learning #4:(To the end of the course and beyond)
Find old exploits on Exploit-db download them, test them, rewrite them, understand them.

(Part A: preventions)
Buffer overflow protection
The evolution of Microsoft's Mitigations
Purdue.edu: Canary Bit
Preventing the exploitation of SEH Overwrites with SEHOP
Bypassing SEHOP
Wikipedia Executable space protextion
Wikipedia DEP
Bypassing Hardware based DEP
Wikipedia ASLR
 Symantec ASLR in Vista
Defeating the Stack Based Buffer Overflow Prevention
Corelan T6
Return to libc
[video] microsoft protections video

(Part B: Advanced BOF)

[video]Exploitation from cryptocity.net
Corelan T7
Corelan T8
Corelan T10
Virtual Worlds - Real Exploits

[GAME]Gera's Insecure Programming

[GAME]Smash the stack wargaming network

9. Part 8: Heap overflow

Heap Overflows for Humans-101
rm -rf / on heap overflow
w00w00 on heap overflow
[book]Shellcoder's Handbook Ch4&5
h-online A heap of Risk
[video]Defcon 15 remedial Heap Overflows
heap overflow: ancient art of unlink seduction
Memory corruptions part II -- heap

[book]Read the rest of Shellcoder's Handbook

10.Part 9: Exploit listing sites

Exploit-DB
Injector
CVE Details
Packetstorm
CERT
Mitre
National Vulnerability Database

(bonus: site that lists types of vulnerabilties and info)

Common Weakness Enumberation
 11.Part 10: To come
1. Fuzzing
2. File Format
3. and more

If anyone has any good links to add post a comment and I will try to add them or send me the
link and I will review and add it.

If anyone finds any bad or false information in any of these tutorials please let me know. I do
not want people reading this getting bad information.
Posted by Myne-us at
Labels: buffer overflow, exploitation, memory
35 comments:

1.
ricky-lee.bAugust 5, 2010 at 2:50 AM
You may want to add this to the resources for scripting in ruby

http://www.sapphiresteel.com/IMG/pdf/LittleBookOfRuby.pdf
Reply

2.
AnonymousAugust 5, 2010 at 6:01 AM
Thanks for compiling this.

icbkr
Reply

3.
SatyamhaxAugust 6, 2010 at 4:47 AM
Nice compilation! Keep up the good work.

You may like to add..

Assembly language primer (13 videos)

http://securitytube.net/Assembly-Primer-for-Hackers-(Part-1)-System-Organization-video.aspx

Buffer Overflow basics (9 videos)

 http://www.securitytube.net/Buffer-Overflow-Primer-Part-1-(Smashing-the-Stack)-video.aspx

win exploitation by Dino Dai Zovi

http://www.securitytube.net/Windows-Exploit-Programming-Primer-video.aspx

Heap feng shui by Alexander Sotirov

http://www.phreedom.org/research/heap-feng-shui/heap-feng-shui.html

Regards,
satyam pujari
Reply

4.
Myne-usAugust 6, 2010 at 6:12 AM
Thanks everyone

I will review these and get them put in to the list where they belong.
After reviewing my list and comparing to bookmarks it looks like I forgot a few things. I am
working on getting it updated before end of day.
Reply

5.
Myne-usAugust 6, 2010 at 2:54 PM
site has been updated to include some new links and also in the header a link to PDF layout of
the document.
Reply

6.
mesh3alAugust 7, 2010 at 5:00 AM
i think there's a wonderful book need to be included in this journey which is "shell coder
handbook"

beside, wonderful step by step topic.

thanks.
Reply
7.
Myne-usAugust 7, 2010 at 10:09 AM
Thanks neo, I have seen this around and yet to read it. I am going out today to restock on some
reading material and will pick this up.
It will be added in next revision once I review it.
Reply

8.
ricky-lee.bAugust 9, 2010 at 8:14 AM
The link for Course_layout.pdf is linked wrong its directing to

http://myne-us.blogspot.com/2010/08/%E2%80%9Dhttps://sites.google.com/site/
myneuslayout/course_layout%E2%80%9D

instead of

https://sites.google.com/site/myneuslayout/course_layout
Reply

9.
Myne-usAugust 9, 2010 at 2:52 PM
Fixed the course layout pdf issue. I found a few the first day I posted this that did that. Has
something to do with me copy and pasting it over from notepad.

Thanks for the heads up

Reply

10.
UnknownAugust 23, 2010 at 2:49 AM
Nice Work !!!!!!!!!!!!

Keep it coming!!!!!!
Reply
11.
XenorSeptember 8, 2010 at 2:26 AM
Any link's about remote exploits and 0day?
Reply

12.
UnknownOctober 15, 2010 at 2:06 AM
@Xenor
http://inj3ct0r.com
http://milw0rm.com
Reply

13.
Myne-usOctober 15, 2010 at 11:34 PM
Hey Xenor sorry I never saw your post.

as far as 0days, all an 0day is is a day an exploit goes public. So anyone of the sites listed show
multiple 0days. Also this whole course is about developing your own 0days.

With remote exploitation that is pretty vague. Do you have anything specific in mind. A lot of
areas listed have remote exploits info in them.
Reply

14.
AnonymousNovember 6, 2010 at 3:59 AM
Great post, just stumbled across it because someone posted it on Twitter. Really have to go
through these steps at some point.
You might want to add Gray Hat Python (http://oreilly.com/catalog/9781593271923) to the
Python list, I really like it (it's probably the only Python book I enjoy even though I hate the
language, for an unknown reason).
Reply

15.
Myne-usNovember 6, 2010 at 4:12 AM
 Ah yes thank you mleither that is a really good book. I will get that added in.

I personally love python, it is my main programming language but starting to adopt ruby as
main just to write more in metasploit
Reply

16.
Hani BenhabilesDecember 12, 2010 at 10:32 AM
In part 2, you should rather link to this newer tutorial in tenouk.com website rather than the old
one.
http://www.tenouk.com/Bufferoverflowc/stackbasedbufferoverflow.html
Reply

17.
AnishDecember 22, 2010 at 8:35 PM
your guide is excellent in terms of intermediate goals as well as a clear understanding of where
we are headed while studying ... great work :)

please suggest a similar learning exercise for learning Malware Analysis. I am sure just like
Exploit development it would help a lot of folks to understand about malwares

Great work once again :)

Reply

18.
Myne-usDecember 22, 2010 at 10:09 PM
Thanks Anish,

I have to do some updates to this post and have an upcoming post but after that will consider a
layout on malware anaysis.
Reply

19.
musashi42December 25, 2010 at 3:21 AM
 Hey man,
Just wanted to say cool blog, regarding exploit dev I like it, I used your list more like references
because I used to do expl dev, but made long break and I started again recently so it was cool to
be able to basically do fast glancing over and to just continue where I left off. Keep it up :)
Reply

20.
7h3rAmJanuary 10, 2011 at 12:03 AM
First, I would like to thank Myneus and everyone on this post for such an honest attempt to
share information. It really feels wonderful when people contribute towards a greater purpose,
which is "TO LEARN AND EVOLVE" in the security community.

I would like to suggest the following link: https://code.google.com/p/it-sec-catalog/

It provides a lot of useful links which have been categorized under proper areas of study. Guess,
it will help to better understand and document the steps for a through understanding of the
concepts. Probably, some of the links have already been included here.

Myneus, please have a look at it.

Reply

21.
0xffJanuary 24, 2011 at 5:02 PM
marked in my springpad bookmarks :)
Reply

22.
Myne-usFebruary 20, 2011 at 9:49 PM
Thanks for the post 7h3rAm. I looked over this and liked to it in top of the post.

I am going to add the videos that Vivek made on security tube soon to the list. Just want to have
him get a bit further so I can review and put where they are needed.

If you want to start watching now visit HERE

Reply
23.
GrishiraApril 2, 2011 at 9:32 AM
After you learn a bit about exploit methods and tools you can check out my blog at
http://exploitchef.blogspot.com to see some more real world examples.
Reply

24.
VictorioJuly 6, 2011 at 7:33 PM
I love this post, i'm using this text like a guide since a few months ago, and I was learn too
interesting thinks.
Reply

25.
Cool SamarJuly 29, 2011 at 7:37 PM
The "learn python the hard way" link is dead. The PDF version needs to be purchased for now.
Online HTML version available at http://learnpythonthehardway.org/book/
Reply

26.
Myne-usJuly 29, 2011 at 7:45 PM
Thanks Cool Samar fixing that right now. Someday I will update this post to have more content.
Reply

27.
ArunNovember 12, 2011 at 12:11 AM
Thanks for a superb list.
Reply

28.
3rGfn2January 12, 2012 at 2:18 AM
HI MYNEUS
 GREAT WORK.

One suggestion, you should keep posting articles.

You are great helper to Security Enthusiastic people.

So keep it up and all the best.

Reply

29.
UnknownMay 18, 2015 at 1:12 AM
Hows about 10 and more..???
Reply

30.
UnknownOctober 4, 2015 at 5:39 PM
woow, very usefull for me :D ... thanks
Reply

31.
cfd tradeNovember 13, 2015 at 2:37 AM
Thanks for a great read ! I love it, I love it so much that the greedy gnome in me wants more ...
Reply

32.
stupidmonkeyJanuary 19, 2016 at 7:14 PM
EPIC.
Reply

33.
Bridget FaustMay 25, 2016 at 8:23 AM
Overall that's good information.
Reply
34.
YouLoseBellyFatAugust 10, 2016 at 9:36 AM
http://cplusplus.happycodings.com/ is awesome
Reply