# exploit_training

## The best resources for learning exploit development

### Taken from http://www.pentest.guru/index.php/2016/01/28/best-books-tutorials-and-courses-to-learn-about-exploit-development/

Exploit development is considered to be the climax in the learning path of an ethical hacker or security professional. It is strongly advisable to have mastered the basics before delving into this topic. Exploit development is hard: it’s not something you (usually) learn at school or university, nor something any of your geek friends will talk about all day long. Only those who are brave enough to study hard can achieve the joy of controlling the EIP, popping a shell and taking control of a machine while the oblivious user yells at Microsoft for the nth crash of his beloved program.

What are the prerequisites for learning about exploit development?

Well, if you want to comprehend and hopefully start developing your own exploits, you should have at least a basic knowledge of x86/64-bit system architecture (Windows, Linux or Mac, according to your target) and of low-level programming: assembly ideally, but C/C++ or Python is fine as well for many tasks. You should also understand how computer memory (RAM) works: the stack, the heap, CPU registers, the most common operations, system calls, segmentation faults, buffer overflows, race conditions and so on. You should also be familiar with disassemblers, and a background in reverse engineering or malware analysis may be useful before starting to develop your own exploits.

Let’s see some resources that can help you to be prepared before attempting the big jump onto the high-level world of exploit development, the Olympus of the Godly Hackers.

### x86/64 bit system architecture

- Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
- Introductory Intel x86-64: Architecture, Assembly, Applications, & Alliteration
- Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration

### Assembly language

- http://www.drpaulcarter.com/pcasm/
- Assembly Language Step-by-Step: Programming with Linux
- The Art of Assembly Language
- Windows Assembly Language Megaprimer
- Assembly Language Megaprimer for Linux

### C/C++

- C Programming Absolute Beginner’s Guide
- The C Programming Language
- Introduction to Computer Science CS50x
- Programming: Principles and Practice Using C++
- C++ Primer
- Accelerated C++: Practical Programming by Example

### Python

Python has wonderful official documentation; apart from that you can use the following books/courses:

- Learn Python the Hard Way
- How to Think Like a Computer Scientist
- Learning Python
- Introduction to Computer Science and Programming Using Python (MITx 6.00.1x)

When you feel comfortable with the prerequisites, you can start learning exploit development by following these great resources!

I compiled a list of books, tutorials, courses, tools and vulnerable applications that you can use for your study.

## BOOKS

- Hacking – The Art of Exploitation
- A Bug Hunter’s Diary: A Guided Tour Through the Wilds of Software Security
- The Shellcoder’s Handbook: Discovering and Exploiting Security Holes
- Sockets, Shellcode, Porting, and Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals
- Writing Security Tools and Exploits
- Buffer Overflow Attacks: Detect, Exploit, Prevent
- Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research

## TUTORIALS

### Corelan.be

- https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
- https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
- https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
- https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
- https://www.corelan.be/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
- https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
- https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
- https://www.corelan.be/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
- https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
- https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
- https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/
- https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
- https://www.corelan.be/index.php/2010/01/26/starting-to-write-immunity-debugger-pycommands-my-cheatsheet/
- https://www.corelan.be/index.php/2010/03/22/ken-ward-zipper-exploit-write-up-on-abysssec-com/
- https://www.corelan.be/index.php/2010/03/27/exploiting-ken-ward-zipper-taking-advantage-of-payload-conversion/
- https://www.corelan.be/index.php/2011/01/30/hack-notes-rop-retnoffset-and-impact-on-stack-setup/
- https://www.corelan.be/index.php/2011/05/12/hack-notes-ropping-eggs-for-breakfast/
- https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
- https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/
- https://www.corelan.be/index.php/2012/02/29/debugging-fun-putting-a-process-to-sleep/
- https://www.corelan.be/index.php/2012/12/31/jingle-bofs-jingle-rops-sploiting-all-the-things-with-mona-v2/
- https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/
- https://www.corelan.be/index.php/2013/01/18/heap-layout-visualization-with-mona-py-and-windbg/
- https://www.corelan.be/index.php/2013/02/19/deps-precise-heap-spray-on-firefox-and-ie10/
- https://www.corelan.be/index.php/2013/07/02/root-cause-analysis-integer-overflows/

### Opensecuritytraining.info

- http://opensecuritytraining.info/Exploits1.html
- http://opensecuritytraining.info/Exploits2.html

### Securitytube.net

- http://www.securitytube.net/groups?operation=view&groupId=7 – Exploit research megaprimer
- http://www.securitytube.net/groups?operation=view&groupId=4 – Buffer overflow exploitation for Linux megaprimer
- http://www.securitytube.net/groups?operation=view&groupId=3 – Format string vulnerabilities megaprimer

### Massimiliano Tomassoli’s blog

- http://expdev-kiuhnm.rhcloud.com/2015/05/11/contents/

### Samsclass.info

- https://samsclass.info/127/127_F15.shtml

### Securitysift.com

- http://www.securitysift.com/windows-exploit-development-part-1-basics/
- http://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/
- http://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/
- http://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/
- http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting
- http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits
- http://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows

### Justbeck.com

- http://www.justbeck.com/getting-started-in-exploit-development/

### 0xdabbad00.com

- http://0xdabbad00.com/2012/12/09/hurdles-for-a-beginner-to-exploit-a-simple-vulnerability-on-modern-windows/

### fuzzysecurity.com

- Part 1: Introduction to Exploit Development
- Part 2: Saved Return Pointer Overflows
- Part 3: Structured Exception Handler (SEH)
- Part 4: Egg Hunters
- Part 5: Unicode 0x00410041
- Part 6: Writing W32 Shellcode
- Part 7: Return Oriented Programming
- Part 8: Spraying the Heap [Chapter 1: Vanilla EIP]
- Part 9: Spraying the Heap [Chapter 2: Use-After-Free]

### sploitfun.wordpress.com

- https://sploitfun.wordpress.com/2015/06/26/linux-x86-exploit-development-tutorial-series/

### sneakerhax.com

- http://sneakerhax.com/jumping-into-exploit-development/

### community.rapid7.com

- https://community.rapid7.com/community/metasploit/blog/2012/07/05/part-1-metasploit-module-development–the-series

### resources.infosecinstitute.com

- http://resources.infosecinstitute.com/debugging-fundamentals-for-exploit-development/

### rafayhackingarticles.net

- http://www.rafayhackingarticles.net/2011/07/from-minor-bug-to-zero-day-exploit.html

### Other articles

- Smashing the Stack for Fun and Profit: Revived
- Automating Format String Exploits
- IT-Sec Catalog 2.0 (Exploit Development) by Arthur Gerkis

### NCCGroup.trust

- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/

### Desc0n0cid0.blogspot.it

- https://desc0n0cid0.blogspot.it/2016/09/stack-based-buffer-overflow.html
- https://desc0n0cid0.blogspot.it/2016/09/stack-based-buffer-overflow_28.html
- https://desc0n0cid0.blogspot.it/2016/09/stack-based-buffer-overflow_29.html
- https://desc0n0cid0.blogspot.it/2016/10/part-4-stack-based-buffer-overflow.html

### Stack based overflow articles

- Win32 Buffer Overflows (Location, Exploitation and Prevention) – by Dark Spyrit [1999]
- Writing Stack Based Overflows on Windows – by Nish Bhalla [2005]

### Heap based overflow articles

- Third Generation Exploitation: Smashing Heap on 2k – by Halvar Flake [2002]
- Exploiting the MSRPC Heap Overflow, Part 1 – by Dave Aitel (MS03-026) [September 2003]
- Exploiting the MSRPC Heap Overflow, Part 2 – by Dave Aitel (MS03-026) [September 2003]
- Windows Heap Overflow Penetration (Black Hat) – by David Litchfield [2004]

### Kernel based exploit development articles

- How to attack kernel based vulns on Windows – by a Polish group called “sec-labs” [2003]
- Sec-lab old whitepaper
- Sec-lab old exploit
- Windows Local Kernel Exploitation (based on sec-lab research) – by S.K. Chong [2004]
- How to Exploit Windows Kernel Memory Pool – by SoBeIt [2005]
- Exploiting Remote Kernel Overflows in Windows – by eEye Security
- Kernel-mode Payloads on Windows (Uninformed) – by Matt Miller
- Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
- BH US 2007: Attacking the Windows Kernel
- Remote and Local Exploitation of Network Drivers
- Exploiting Common Flaws in Drivers
- I2OMGMT Driver Impersonation Attack
- Real World Kernel Pool Exploitation
- Exploit for Windows 2k3 and 2k8
- Analyzing Local Privilege Escalations in win32k
- Intro to Windows Kernel Security Development
- There’s a Party at Ring0 and You’re Invited
- Windows Kernel Vulnerability Exploitation

### Windows memory protections introduction articles

- Data Execution Prevention
- /GS (Buffer Security Check)
- /SAFESEH
- ASLR
- SEHOP

### Windows memory protections bypass methods articles

- Third Generation Exploitation: Smashing Heap on 2k – by Halvar Flake [2002]
- Creating Arbitrary Shellcode in Unicode Expanded Strings – by Chris Anley
- Advanced Windows Exploitation – by Dave Aitel [2003]
- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server – by David Litchfield
- Reliable Heap Exploits, and after that Windows Heap Exploitation (Win2KSP0 through WinXPSP2) – by Matt Conover at CanSecWest 2004
- Safely Searching Process Virtual Address Space – by Matt Miller [2004]
- IE exploit that used a technique called Heap Spray
- Bypassing Hardware-enforced DEP – by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
- Exploiting Freelist[0] on XP Service Pack 2 – by Brett Moore [2005]
- Kernel-mode Payloads on Windows (Uninformed)
- Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
- Exploiting Common Flaws in Drivers
- Heap Feng Shui in JavaScript – by Alexander Sotirov [2007]
- Understanding and Bypassing Windows Heap Protection – by Nicolas Waisman [2007]
- Heaps About Heaps – by Brett Moore [2008]
- Bypassing Browser Memory Protections in Windows Vista – by Mark Dowd and Alex Sotirov [2008]
- Attacking the Vista Heap – by Ben Hawkes [2008]
- Return Oriented Programming: Exploitation without Code Injection – by Hovav Shacham (and others) [2008]
- Token Kidnapping and a super reliable exploit for Windows 2k3 and 2k8 – by Cesar Cerrudo [2008]
- Defeating DEP, the Immunity Way – by Pablo Sole [2008]
- Practical Windows XP/2003 Heap Exploitation – by John McDonald and Chris Valasek [2009]
- Bypassing SEHOP – by Stefan Le Berre and Damien Cauquil [2009]
- Interpreter Exploitation: Pointer Inference and JIT Spraying – by Dionysus Blazakis [2010]
- Write-up of Pwn2Own 2010 – by Peter Vreugdenhil
- All-in-one 0day presented at RootedCON – by Ruben Santamarta [2010]
- DEP/ASLR bypass using 3rd party – by Shahin Ramezany [2013]

### Typical Windows exploits

- Real-world HW-DEP bypass exploit – by Devcode
- Bypassing DEP by returning into HeapCreate – by Toto
- First public ASLR bypass exploit using partial overwrite – by Skape
- Heap spray and bypassing DEP – by Skylined
- First public exploit that used ROP for bypassing DEP in the Adobe lib TIFF vulnerability
- Exploit codes for bypassing browser memory protections
- PoCs for Token Kidnapping: PoC for 2k3 (part 1) – by Cesar Cerrudo
- PoCs for Token Kidnapping: PoC for 2k8 (part 2) – by Cesar Cerrudo
- An exploit that works from Windows 3.1 to Windows 7 (KiTrap0D) – by Tavis Ormandy
- Old MS08-067 Metasploit module, multi-target with DEP bypass
- PHP 6.0 Dev str_transliterate() Buffer Overflow – NX + ASLR Bypass
- SMBv2 Exploit – by Stephen Fewer

## TRAININGS

### Opensecuritytraining.info

- http://opensecuritytraining.info/Exploits1.html
- http://opensecuritytraining.info/Exploits2.html

### Module 12 of the Advanced Penetration Testing course on Cybrary.it

- https://www.cybrary.it/course/advanced-penetration-testing/

### Securitytube.net

- http://www.securitytube.net/groups?operation=view&groupId=7 – Exploit research megaprimer
- http://www.securitytube.net/groups?operation=view&groupId=4 – Buffer overflow exploitation for Linux megaprimer
- http://www.securitytube.net/groups?operation=view&groupId=3 – Format string vulnerabilities megaprimer

### infiniteskills.com

- http://www.infiniteskills.com/training/reverse-engineering-and-exploit-development.html

## COURSES

### Corelan

- https://www.corelan-training.com

### Offensive Security

- https://www.offensive-security.com/information-security-training/advanced-windows-exploitation/ – AWE (Advanced Windows Exploitation)

### SANS

- https://www.sans.org/course/advance-exploit-development-pentetration-testers – SANS SEC760: Advanced Exploit Development for Penetration Testers

### Ptrace Security

- http://www.ptrace-security.com/training/courses/advanced-software-exploitation/ – Advanced Software Exploitation

### Udemy

- https://www.udemy.com/windows-exploit-development-megaprimer/learn/#/ – Windows Exploit Development Megaprimer by Ajin Abraham

## VIDEOS

- LiveOverflow YouTube channel

## TOOLS

- IDA Pro – Windows disassembler and debugger, with a free evaluation version.
- OllyDbg – An assembly-level debugger for Windows executables.
- WinDbg – Windows debugger.
- Mona.py – Immunity Debugger helper.
- angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
- BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
- binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
- Bokken – GUI for Pyew and Radare.
- Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
- codebro – Web based code browser using clang to provide basic code analysis.
- dnSpy – .NET assembly editor, decompiler and debugger.
- Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
- GDB – The GNU debugger.
- GEF – GDB Enhanced Features, for exploiters and reverse engineers.
- hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
- Immunity Debugger – Debugger for malware analysis and more, with a Python API.
- ltrace – Dynamic analysis for Linux executables.
- objdump – Part of GNU binutils, for static analysis of Linux binaries.
- PANDA – Platform for Architecture-Neutral Dynamic Analysis.
- PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
- pestudio – Perform static analysis of Windows executables.
- Process Monitor – Advanced monitoring tool for Windows programs.
- Pyew – Python tool for malware analysis.
- Radare2 – Reverse engineering framework, with debugger support.
- SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
- strace – Dynamic analysis for Linux executables.
- Udis86 – Disassembler library and tool for x86 and x86_64.
- Vivisect – Python tool for malware analysis.
- x64dbg – An open-source x64/x32 debugger for Windows.
- afl – American Fuzzy Lop fuzzer.
- gef – Enhanced GDB debugger.
- honggfuzz – General purpose fuzzer.
- libheap – Python GDB library for examining the glibc heap (ptmalloc).
- pwndbg – Enhanced GDB framework for exploit development.
- pwntools – Exploit development and CTF toolkit.
- qira – Parallel, timeless debugger.
- ropper – ROP gadget finder.
- rp++ – ROP gadget finder.
- xrop – ROP gadget finder.
- shellnoob – Shellcode writing helper.
- shellsploit – Exploit development toolkit.
- SploitKit – A suite of CLI tools to automate the tedious parts of exploit development.
- ROP Injector – ROP injector.

## HEAP EXPLOITATION TECHNIQUES

- https://github.com/shellphish/how2heap

## VULNERABLE APPLICATIONS

### Exploit-exercises.com

- https://exploit-exercises.com/protostar/ – Protostar
- https://exploit-exercises.com/fusion/ – Fusion

### Others

- StackSmash – A collection of toy programs for teaching buffer overflow vulnerabilities.
- CTF-Workshop – Challenges for a binary exploitation workshop.
- 28 hacking sites to practise your skills in a legal way: https://www.peerlyst.com/blog-post/practise-your-infosec-skill-on-these-legal-28-hacking-sites

## EXPLOITS DATABASE

- https://www.exploit-db.com
- https://www.milw00rm.com
- http://0day.today
- https://packetstormsecurity.com
- http://www.securityfocus.com
- http://www.windowsexploits.com
- http://iedb.ir
- http://www.macexploit.com