Numerous papers exist on how to write exploits for stack overflows; there are slightly fewer about format strings, and still fewer about heap overflows. If the bug you're trying to exploit is not one of these three classes, you will probably have difficulty finding relevant material. Hopefully this book fills in many of the gaps, but if you need more information on a certain bug class, the following list might help. We deliberately kept this list of our favorite papers in each category brief.
Keep in mind that reading old exploits can be just as valuable as reading papers. Often, the comments and headers detail particular techniques that may be of interest to novice exploit developers.
There is much excellent information out there that we've had to omit for the sake of space, so please accept our apologies if your own paper is not listed. You can find all of these resources on the Shellcoder's Handbook Web site, www.wiley.com/compbooks/koziol, in case a URL changes or you want to get everything in one spot.
Stack Overflow Basics
"Smashing the Stack for Fun and Profit" (Aleph One)
Phrack Magazine, issue 49, article 14
www.phrack.org/show.php?p=49&a=14
Exploiting Windows NT 4 Buffer Overruns (David Litchfield)
www.nextgenss.com/papers/ntbufferoverflow.html
"Win32 Buffer Overflows: Location, Exploitation and Prevention" (dark spyrit, Barnaby Jack, dspyrit@beavuh.org)
Phrack Magazine, issue 55, article 15
www.phrack.org/show.php?p=55&a=15
The Art of Writing Shellcode (smiler)
http://julianor.tripod.com/art-shellcode.txt
The Tao of Windows Buffer Overflow (as taught by DilDog)
www.cultdeadcow.com/cDc_files/cDc-351/
Unix Assembly Codes Development for Vulnerabilities Illustration Purposes (LSD-PL)
www.lsd-pl.net/documents/asmcodes-1.0.2.pdf
Advanced Stack Overflows
Using Environment for Returning into Lib C (Lupin Bursztein)
www.shellcode.com.ar/docz/bof/rilc.html (Lupin's home page is www.bursztein.net; however, the paper was not there at time of writing)
Non-Stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP (David Litchfield)
www.nextgenss.com/papers/non-stack-bo-windows.pdf
Bypassing Stackguard and StackShield Protection (Gerardo Richarte)
www.coresecurity.com/common/showdoc.php?idx=242&idxseccion=11
Vivisection of an Exploit Development Process (Dave Aitel)
Blackhat Briefings Presentation, Amsterdam 2003
www.blackhat.com/presentations/bh-europe-03/bh-europe-03-aitel.pdf
Heap Overflow Basics
w00w00 on Heap Overflows (Matt Conover)
www.w00w00.org/files/articles/heaptut.txt
"Once upon a free()"
Phrack Magazine, issue 57, article 9
www.phrack.org/show.php?p=57&a=9
"Vudo malloc Tricks" (Michel MaXX Kaempf, maxx@synnergy.net)
Phrack Magazine, issue 57, article 8
www.phrack.org/show.php?p=57&a=8
Integer Overflow Basics
"Basic Integer Overflows" (blexim)
Phrack Magazine, issue 60, article 10
www.phrack.org/show.php?p=60&a=10
Format String Basics
Format String Attacks (Tim Newsham)
www.lava.net/~newsham/format-string-attacks.pdf
Exploiting Format String Vulnerabilities (scut)
www.team-teso.net/articles/formatstring/
"Advances in Format String Exploitation" (Gera, Riq)
Phrack Magazine, issue 59, article 7
www.phrack.org/show.php?p=59&a=7
Encoders and alternatives
"Writing ia32 Alphanumeric Shellcodes" (rix)
Phrack Magazine, issue 57, article 15
www.phrack.org/show.php?p=57&a=15
Creating Arbitrary Shellcode in Unicode Expanded Strings (Chris Anley)
www.nextgenss.com/papers/unicodebo.pdf
Tracing, Bugging and Logging
Tracing activity in Windows NT/2000/XP
"VTrace" system tracing tool (explanatory article)
http://msdn.microsoft.com/msdnmag/issues/1000/VTrace/
"Interception of Win32 API Calls" (MS Research Paper)
www.research.microsoft.com/sn/detours/
"Writing [a] Linux Kernel Keylogger" (rd)
Phrack Magazine, issue 59, article 14
www.phrack.org/show.php?p=59&a=14
"Hacking the Linux Kernel Network Stack" (bioforge)
Phrack Magazine, issue 61, article 13
www.phrack.org/show.php?p=61&a=13
".ida Code Red Worm analysis" (Ryan Permeh, Marc Maiffret)
www.eeye.com/html/Research/Advisories/AL20010717.html
The following list contains archives of useful papers. Most of these archives link to many of the papers previously listed, as well as to other useful texts.
http://julianor.tripod.com/bufo.html
http://packetstormsecurity.nl/papers/unix/
www.lsd-pl.net/papers.html