# Exploit Development: Case Studies

This repository is intended as a personal list of exploit development case studies I stumble upon during my work. My categorization is not very granular — I'm skipping the differentiation between user-mode and kernel-mode, as well as the type of software being exploited. Exploit primitives are what's really important, therefore the only two categories I'm using are *Windows* and *Unix-like* (including Linux, Android, MacOS, iOS, BSDs, _et cetera_).

# Windows

* [Adobe Shockwave - A case study on memory disclosure](http://phrack.org/issues/69/8.html)
* [Understanding type confusion vulnerabilities: CVE-2015-0336](https://cloudblogs.microsoft.com/microsoftsecure/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/?source=mmpc)
* [Out-of-bounds read/write Pwn2Own 2014 Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=982974)
* [Pwn2own (3/13/2014): VUPEN exploit.](https://bugs.chromium.org/p/chromium/issues/detail?id=352369)
* [Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014)](https://archive.fo/cwX5L)
* [Advanced Exploitation of VirtualBox 3D Acceleration VM Escape Vulnerability (CVE-2014-0983)](https://archive.fo/YFDSo)
* [CVE-2014-0322 "Snowman" exploit](http://hdwsec.fr/blog/20140331-snowman/)
* [Dissecting the newest IE10 0-day exploit (CVE-2014-0322)](https://blogs.bromium.com/dissecting-the-newest-ie10-0-day-exploit-cve-2014-0322/)
* [R7-2013-19 Disclosure: Yokogawa CENTUM CS 3000 Vulnerabilities](https://blog.rapid7.com/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/)
* [A browser is only as strong as its weakest byte](http://blog.exodusintel.com/2013/11/26/browser-weakest-byte/)
* [MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit](https://labs.mwrinfosecurity.com/blog/mwr-labs-pwn2own-2013-write-up-kernel-exploit/)
* [The story of MS13-002: How incorrectly casting fat pointers can make your code explode](https://blogs.technet.microsoft.com/srd/2013/08/06/the-story-of-ms13-002-how-incorrectly-casting-fat-pointers-can-make-your-code-explode/)
* [Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1](https://nakedsecurity.sophos.com/2013/10/11/anatomy-of-an-exploit-ie-zero-day-part-1/)
* [Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 2](https://nakedsecurity.sophos.com/2013/10/25/anatomy-of-an-exploit-inside-the-cve-2013-3893-internet-explorer-zero-day-part-2/)
* [The Technical Aspects of Exploiting IE Zero-Day CVE-2013-3897](https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Technical-Aspects-of-Exploiting-IE-Zero-Day-CVE-2013-3897/)
* [In memory of a zero-day – MS13-051](https://blogs.flexera.com/vulnerability-management/2013/11/in-memory-of-a-zero-day-ms13-051/)
* [Advanced Exploitation of Mozilla Firefox Use-after-free Vulnerability (MFSA 2012-22)](https://archive.fo/5YgXf)
* [Advanced Exploitation of Windows Kernel Intel 64-Bit Mode Sysret Vulnerability (MS12-042)](https://archive.fo/KM0hj)
* [Exploiting CVE-2011-2371 (FF reduceRight) without non-ASLR modules](https://gdtr.wordpress.com/2012/02/22/exploiting-cve-2011-2371-without-non-aslr-modules/)
* [Happy New Year Analysis of CVE-2012-4792](http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/)
* [Bypassing ASLR and DEP on Adobe Reader X](http://esec-lab.sogeti.com/posts/2012/06/22/bypassing-aslr-and-dep-on-adobe-reader-x.html)
* [MS11-080 Exploit – A Voyage into Ring Zero](https://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/)
* [Insecticides don't kill bugs, Patch Tuesdays do](https://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html)
* [The Fix That Never Was](https://tk-blog.blogspot.com/2010/02/fix-that-never-was.html)
* [Technical Analysis of the Windows Win32K.sys Keyboard Layout Stuxnet Exploit](https://archive.fo/Tq1rd)
* [Device Drivers Vulnerability Research, Avast a real case](https://evilcodecave.wordpress.com/2009/09/24/device-drivers-vulnerability-research-avast-a-real-case/)

# Unix-like

* [Xen SMEP (and SMAP) bypass](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/april/xen-smep-and-smap-bypass/?utm_source=marketing&utm_medium=rd0517)
* [Ntpdc Local Buffer Overflow](https://hatriot.github.io/blog/2015/01/06/ntpdc-exploit/)
* [How to exploit the x32 recvmmsg() kernel vulnerability CVE 2014-0038](http://blog.includesecurity.com/2014/03/exploit-CVE-2014-0038-x32-recvmmsg-kernel-vulnerablity.html)
* [Exploiting CVE-2014-0196 a walk-through of the Linux pty race condition PoC](http://blog.includesecurity.com/2014/06/exploit-walkthrough-cve-2014-0196-pty-kernel-race-condition.html)
* [Pwnium 4: v8 OOB read/write with __defineGetter__ and bytesLength](https://bugs.chromium.org/p/chromium/issues/detail?id=351787)
* [Google Chrome Exploitation – A Case Study](https://researchcenter.paloaltonetworks.com/2014/12/google-chrome-exploitation-case-study/)
* [Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)](https://blogs.bromium.com/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)
* [Exploiting 64-bit Linux like a boss](https://scarybeastsecurity.blogspot.com/2013/02/exploiting-64-bit-linux-like-boss.html)
* [A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094)](http://timetobleed.com/a-closer-look-at-a-recent-privilege-escalation-bug-in-linux-cve-2013-2094/)
* [Analysis of nginx 1.3.9/1.4.0 stack buffer overflow and x64 exploitation (CVE-2013-2028)](https://www.vnsecurity.net/research/2013/05/21/analysis-of-nginx-cve-2013-2028.html)
* [Exploiting nginx chunked overflow bug, the undisclosed attack vector (CVE-2013-2028)](http://www.vnsecurity.net/research/2013/07/17/exploiting-nginx-chunked-overflow-bug-the-undisclosed-attack-vector-cve-2013-2028.html)
* [Mobile Pwn2Own Autumn 2013 - Chrome on Android - Exploit Writeup](https://docs.google.com/document/d/1tHElG04AJR5OR2Ex-m_Jsmc8S5fAbRB3s4RmTG_PFnw/edit?pli=1)
* [Packet Storm Advisory 2013-0903-1 - Apple Safari Heap Buffer Overflow](https://packetstormsecurity.com/files/123089/Packet-Storm-Advisory-2013-0903-1-Apple-Safari-Heap-Buffer-Overflow.html)
* [Analysis of CVE-2013-0809](https://axtaxt.wordpress.com/2013/07/06/analysis-of-cve-2013-0809/)
* [Anatomy of a user namespaces vulnerability](https://lwn.net/Articles/543273/)
* [Linux Local Privilege Escalation via SUID /proc/pid/mem Write](https://git.zx2c4.com/CVE-2012-0056/about/)
* [Advanced Exploitation of Xen Hypervisor Sysret VM Escape Vulnerability](https://archive.fo/mckSE)
* [CVE-2012-0217: Intel's sysret Kernel Privilege Escalation (on FreeBSD)](https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd/)
* [Exploiting Sudo format string vunerability](http://www.vnsecurity.net/research/2012/02/16/exploiting-sudo-format-string-vunerability.html)
* [Technical Analysis of ProFTPD Response Pool Use-after-free (CVE-2011-4130) - Part I](https://archive.fo/i4lQz)
* [Advanced Exploitation of ProFTPD Response Pool Use-after-free (CVE-2011-4130) - Part II](https://archive.fo/UtGrU)
* [Analysis of CVE-2011-3545 (ZDI-11-307)](https://axtaxt.wordpress.com/2012/07/08/analysis-of-cve-2011-3545/)
* [libpng extra row (CVE-2010-1205)](https://d0cs4vage.blogspot.com/2010/07/libpng-extra-row-cve-2010-1205.html)
* [WebKit CSS Type Confusion](https://em386.blogspot.com/2010/12/webkit-css-type-confusion.html)
* [Technical Analysis of Exim "string_vformat()" Buffer Overflow Vulnerability](https://archive.fo/6fGDT)
* [Bypassing Linux' NULL pointer dereference exploit prevention (mmap_min_addr)](http://blog.cr0.org/2009/06/bypassing-linux-null-pointer.html)
* [Linux kernel 2.6.31 perf_counter_open exploit](http://redstack.net/blog/linux-kernel-2631-perf_counter_open-exploit.html)