Binary學習終極導航

前言

前置技能

• C學習指南
• 匯編語言指南

Tools

Tools Guide

• Intro to r2
• Diving into radare2
• Radare2 Book
• radare2使用说明
• Angr初探
• ZIO
• GDB-peda學習筆記
• Exploit利器 - Pwntools
• PwnTools 高級應用

Courses

• Modern Binary Exploitation
• Course Material for Modern Binary Exploitation
• Linux Exploitation Course
• Binary Hacking
• Offensive Computer Security Lecture 2016 version
• Offensive Computer Security Lecture 2014 version
• Exploit Tutorial by Fuzzy Security
• Bintut - a set of tutorials, as well as exercises.
• exploit-writing-tutorials corelan team
• Exploit編寫教程翻譯文
• SploitFun Linux x86 Exploit開發系列教程
• Linux(x86)Exploit Development Series
• linux-exploit-development-tutorial
• Exploit Tutorial:Exploit me for ARM
• CTF Crunch: Learn Exploit
• 軟件安全測試
• Binary Exploitation ELI5– Part 1

Conference Video/Slide

• AFL fuzzing primer
• The Art of Fuzzing
• AIS3 2017 Linux Binary Exploitation
• AIS3 2017 Linux Binary Exploitation里面Example的Writeup by Veritas
• PWN 1(Linux Binary Exploitatuin影片)配合上AIS3來看
• PWN 2
• PWN 3

Books

• Modern Windows Exploit Development

Cheat Sheet

Challenges

• Pwnable KR
• Hackme.inddy
• Pwnable TW
• ROP Emporium
• Pwn challenges list
• Rev challenges list

PWN in CTF/Wargame Writeups/Tips

Writeups

• ROP Emporium平台writeup
• 2000 cuts with Binary Ninja
• CMU Binary Bomb
• 記一道PWN题的解题思路
• 解题思路 | 從一道Pwn题說起
• 三個白帽：來PWN我一下好嗎
• 三個白帽：从pwn me調試到Linux攻防學習
• ASIS CTF 2015 Quals – Saw this (1 & 2)
• CCTF pwn3格式化字符串漏洞详细writeup
• CCTF pwn3格式化字符串漏洞詳細writeup
• 2015-defcon-quals-r0pbaby解析
• UAF 实例-RHme3 CTF 的一道题
• D-CTF Quals 2016 - Warm heap
• Exploit Exercises:Nebula全攻略
• 从一个CTF题目學習Python沙箱逃逸

Pwnable TW

• pwnable.tw-See the file筆記
• pwnable.tw-babystack筆記

Pwnable KR

• 全面剖析Pwnable.kr unlink

HITCON

• HITCON 2017 : Ghost in The Heap Writeup
• HITCON 2017 : Everlasting Imaginative Void
• HITCON CTF Qual 2016 - House of Orange Write up
• House of orange🍊
• HITCON 2016 Baby Heap
• HITCON QUALS CTF 2015 readable writeup

Tips

• Pwn Basic 2(Linux)by TDOH & NTUST
• CTF pwn tips by Naetw
• CTF pwn wiki:A-painter-and-a-black-cat
• CTF All in one: PWN
• 科總CTF+Binary小技巧
• Linux下pwn从入門到放棄
• Play with FILE Structure - Yet Another Binary Exploit Technique
• 掘金CTF——CTF中的内存漏洞利用技巧
• 二进制漏洞挖掘与利用技术题解分享 -XMAN
• CTF Pwn Notes by APTX-4869
• Pwn tips by Skysiders
• 一篇安全學習筆記
• Binary Some Security Notes for PWN
• Pwning with some styles by Dragon Sectors
• Pwn入門 BoFからHouse of Orange まで
• Stack-based BOF exploitation & Protection schemes (& how to break them)
• Heap Analysis with r2
• Linux Interactive Exploit Development with GDB and PEDA
• 堆和栈的區別
• CTF勉強會#Pwnable
• BruceFan 寫的Pwn文章

Knowledge

軟件保護技術

• 保護技術-此文章長期更新 by Poker
• Linux ASLR的实现
• Canary by Tacltrnx
• Relro by Tacltrnx
• PIE & ASLR by Tacltrnx
• Stack buffer overflow protection 學習筆記 – Stack canaries mechanism in User space
• NX & ASLR by Tacltrnx
• Fortify Source

GOT&PLT

• Linux动态链接为什么要用PLT和GOT表？
• GOT and PLT for pwning
• Linux动态链接中的PLT和GOT
• Shared Library 中 PLT 和 GOT 的使用機制

File結構體攻擊

• Pwn with File結構體(一)
• Pwn with File結構體(二)
• Pwn with File結構體(三)
• Pwn with File結構體(四)

棧

• CTF Wik Stack Intro
• 棧溢出漏洞介紹與利用
• CTF-PWN栈溢出入门
• 64位linux棧溢出
• 64位Linux棧溢出教程
• 基礎棧溢出複習一基礎
• 手把手教你棧溢出从入門到放棄(上)
• 手把手教你棧溢出从入門到放棄(下)
• 現代Linux操作系统的棧溢出(上)
• Smashing The Stack For Fun And Profit
• x86 Exploitation-101:when-the-stack-gets-over-its-head
• x86 Exploitation 101: “Off-by-one”
• 一點關於利用_stack_chk_fail繞過canary的方法
• 函数調用&棧
• 棧溢出學習筆記
• 【实验】linux x64栈溢出
• Linux_x64 PWN

Return to Dl Resolve

• By Swing
• By Angel Boy
• 通過ELF動態裝載構造ROP鏈(Return-to-dl-resolve)
• Linux棧溢出利用之return to dl-resolve payload 構造原理(一)
• Linux棧溢出利用之return to dl-resolve payload 構造原理(二)
• ROP之return to dl-resolve
• x64でROP stager + Return-to-dl-resolveによるASLR+DEP回避をやってみる Exploit
• seedLab:returnToLibc
• Return-to-libc Attack Lab
• pwn學習之dl_resolve學習篇
• ret2resolve學習筆記

堆

• Heap Exploitation Tutorials by Dhavalkapil
• Heap Exploitation Tutorial上面系列的翻譯
• Heap Exploit 學習筆記
• poison_null_byte
• 關於heap overflow的一些筆記
• Notes About Heap Overflow Under Linux
• 詳談Heap Exploit
• Dance In Heap(一)：淺析堆的申請釋放及相應保護機制
• Heap Exploitation系列翻譯 by Vancir
• Heap exploitation by angelboy
• Advanced heap exploitation
• 堆溢出漏洞簡介
• Linux堆內存漏洞利用之fastbin
• Fastbin Attack by Tac1t0rnX
• 0day之ret to libc
• 内存管理漏洞part(1)
• x86 Exploitation 101: “House of Lore”
• x86 Exploitation 101: “House of Spirit”
• x86 Exploitation 101: “House of Force”
• x86 Exploitation 101: “House of Mind”
• x86 Exploitation 101: this is the first witchy house
• x86 Exploitation 101:unlink-me
• Exploiting the heap
• 堆之House of Spirit
• unsorted bin attack分析
• Unsorted bin Attack by Tac1t0rnX
• 實戰HeapSpray之CVE2012-1889 Exploit編寫（一）
• Heap Spray原理淺析
• Play with Linux Heap
• Heap Overflow
• Chunk Overlaping
• Poison Null Byte
• House of spirit

Double Free

• freenote_x64堆漏洞double free利用
• Double Free浅析

Unlink

• 堆溢出之Unlink
• Linux堆溢出漏洞利用之unlink
• unsafe unlink攻击技术示例
• Unlink by Tac1t0rnX
• Heap Overflow Using Unlink & Double Free

Glibc內存管理

• PWN之堆内存管理
• 《glibc内存管理ptmalloc源代码分析》
• Understanding glibc malloc
• Syscalls used by malloc
• Glibc Adventures The Forgotten Chunks
• glibc堆管理機制
• Glibc堆管理學習笔记(一)
• Glibc堆管理學習笔记(二)
• Linux堆內存管理深入分析 上
• Linux堆内存管理深入分析 下
• ptmalloc堆内存管理
• 關於堆的一點筆記
• 深入理解glibc malloc

User After Free

• 逆向安全系列：Use After Free漏洞浅析
• 从zergRush深入理解Use After Free
• 利用Linux內核裡的Use-After-Free(UAF)漏洞提權
• 通過靜態分析檢測二进制代碼中的Use-After-Free漏洞
• Pwnable Dragon WP(UAF)
• 内存管理中free的行為
• Use-after-frees: That pointer may be pointing to something bad

How to Heap

• how2heap學習筆記 bt Vancir
• How 2 Heap
• how2heap總結-上
• how2heap總結-下

ROP

• Intro to ROP: ROP Emporium — Split
• Rop by Tac Xing Xing
• 現代棧溢出利用技術基礎：ROP
• 一步一步學ROP之linux_x86篇
• 一步一步學ROP之linux_x64篇
• ropasaurusrex: a primer on return-oriented programming
• ropasaurusrex:ROP入門教程——STACK
• ROP学习之旅(一)
• ROP by Joshua Wong
• 基础栈溢出复习 二 ROP
• 基础栈溢出复习 三 SROP
• 基础栈溢出复习 四 BROP
• SROP學習資料
• SROP By angel boy
• ret2text攻擊技術示例
• ret2shellcode攻擊技術示例
• ret2syscall攻擊技術示例
• ret2libc攻擊技術示例-模拟执行system函数绕过NX保护%E6%83%85%E5%86%B5%E4%B8%8B%E8%BE%93%E5%85%A5binsh%E5%AE%8C%E6%88%90%E5%87%BD%E6%95%B0%E8%B0%83%E7%94%A8)
• ret2libc攻擊技術示例-僅有system()情况下輸入“/bin/sh”完成函數調用%E5%9C%B0%E5%9D%80%E7%BB%95%E8%BF%87ASLR)
• ret2libc攻擊技術示例-泄露libc基地址计算system()地址繞過ASLR%E5%9C%B0%E5%9D%80%E7%BB%95%E8%BF%87ASLR)
• ret2__libc_csu_init攻擊技術示例-使用通用gadget
• Linux x64 rop利用總結
• Linux内核ROP姿勢詳解(一)
• Linux内核ROP姿势詳解(二)
• Sigreturn Oriented Programming (SROP) Attack攻击原理
• Kiwicon 2012 Rop and Rool
• ROP小結
• ROP輕鬆談
• PWN——堆棧平衡的考慮
• x86 Memory Leak在不获取libc.so的情况下进行ROP攻击

格式化字符串

• Format String Exploitation
• Exploiting Format String Vulnerabilities
• 格式化字符串漏洞利用(Exploiting Format String Vulnerablities中文版)
• 格式化字符串漏洞 by Z神
• 格式化字符串的漏洞應用 Part 1
• 格式化字符串漏洞利用小結（一）
• CCTF pwn3格式化字符串漏洞詳細writeup
• 格式化字符串漏洞学习
• 一起来撸printf吧
• fmt_exploit
• 浅析格式化串漏洞
• Format String Exploitation
• 格式化字符串漏洞實驗
• 格式化字符串漏洞 by Edward
• x86 Exploitation 101: “Format Strings” – I’ll tell ya what to say
• 格式化字符串漏洞學習筆記(一)
• 格式化字符串blind pwn詳細教程
• 格式化字符串漏洞学习
• 格式化字符串漏洞简介
• 漏洞挖掘基础之格式化字符串

Fuzzing

• Basics of Fuzzing by Gynvael

Shellcode

• Writing your own shellcode – blog by Paras Chetal
• Shellcode Database
• 远程漏洞利用：无需借助套接字的Shellcode
• x86 Exploitation 101:born-in-a-shell

printf

• 二进制漏洞之——邪恶的printf

ElF file format

• Executable and Linkable Format (ELF) info
• A Magnetized Needle and a Steady Hand– elf structures with a nice storyline
• ELF如何摧毁圣诞 ——通过ELF动态装载机制进行漏洞利用
• 《程序員自我修養》讀書筆記—ELF文件結構 by Swing
• Opensecurity Training:The life of binaries;Part 3:ELF info
• ELF格式&和其分析工具 by Little Hann
• ELF文件格式之動態鏈接
• bss段.data段.text段等這些東西是什么
• 借助DynELF實現無libc的漏洞利用小结
• leak技巧以及DynELF的溫習ELF
• 淺談被加壳ELF調試
• ELF反調試初探
• ELF: Executable and Linking Format part 1
• ELF: Executable and Linking Format part 2

Windows Kernal Exploit

• Windows Kernal Exploit Study(123)
• Windows Kernal Exploitation PDF
• Sec Wiki Windows Kernal Exploit

Linux Kernal Exploit

• 【系列分享】Linux 内核漏洞利用教程（一）：環境配置
• 【系列分享】Linux 内核漏洞利用教程（二）：兩個Demo
• 【系列分享】Linux 内核漏洞利用教程（三）：實踐 CSAW CTF 题目
• linux-kernel expoit study (1-4)
• Sec Wiki Linux Kernal Exploits
• Kernel pwn入门(0) 驅動開發相關
• Kernel pwn入门(1) 簡易環境搭建
• Kernel pwn入门(2) 實戰一下babydriver
• KernelのExploit楽しいな
• Linux Kernel Exploit Environment
• Linux-Kernel-Exploit NULL dereference
• Linux-Kernel-Exploit Stack Smashing

Linux Kernal

• Write Your First Linux Kernel Module
• 編寫屬於你的第一個Linux内核模塊
• 上面教程用到的代碼
• Linux Kernel: Memory Addressing

Buffer Overflow

• Q版緩衝區溢出教程
• 緩衝區溢位攻擊之一(Buffer Overflow)
• 緩衝區溢位攻擊之二(Buffer Overflow)
• 从零开始學Win32平台緩衝區溢出（Part1）
• Win32緩衝區溢出實戰
• 緩衝區溢出漏洞的利用
• 緩衝區溢出攻擊初學者手册（更新版）
• 技術分析：時尚時尚最時尚的緩衝區溢出攻擊

File 結構體

• 溢出利用FILE結構體
• FILE Structure Oriented Programing

Integer Overflow

• x86 Exploitation 101: “Integer overflow”

其他漏洞

Others Repository

• Software Security Learning by Chybeta
• Best books & Tutorials & Course to learn abot explot developement
• SteinsGatep001
• Reading Material by InfoSecIITR
• CTF-Pwn-ResourcesList
• Slideshare for pwn resource
• Reading Material by InfoSecIITR
• 二進制漏洞學習連載

Misc

• Dword Shoot漏洞
• Pwn探索筆記
• Binary wiki by bird for some good articles collection
• PWNABLE Wiki
• Calling Conventions
• AIS3 2016 中區 Binary Exploitation
• AIS3 2016 南區 Binary Exploitation
• 2015計算機安全 Day1
• 2015計算機安全 Day2
• STCS 2016 Week 3
• STCS 2016 Week 4
• STCS 2016 Week 5
• STCS 2016 Week 8
• STCS 2016 Week 10
• STCS 2016 Week 11
• STCS 2016 Week 12
• STCS 2016 Week 13
• STCS 2016 Seccom and Ptrace
• STCS 2016 JavaScript Exploits
• 軟件安全PPT1
• 軟件安全PPT2

待分類

http://blog.hac425.top/categories/ctf/
https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
https://hshrzd.wordpress.com/2017/05/28/starting-with-windows-kernel-exploitation-part-1-setting-up-the-lab/
https://bbs.pediy.com/thread-218838.htm
Write Once, Pwn Anywhere in BlackHat 2014
https://github.com/bruce30262/x86_shellcode_tutorial
Scraps of notes on remote stack overflow exploitation
The House Of Lore: Reloaded ptmalloc v2 & v3: Analysis & Corruption
Kernel instrumentation using kprobes
Infecting loadable kernel modules: kernel versions 2.6.x/3.0.x
A Eulogy for Format Strings
Dynamic Program Analysis and Software Exploitation
Phrackerz: Two Tales
Exploiting DLmalloc frees in 2009
Exploiting TCP Persist Timer Infiniteness
Linux Kernel Heap Tampering Detection
How close are they of hacking your brain
A brief history of the Underground scene
Attacking the Core: Kernel Exploitation Notes
Automated vulnerability auditing in machine code
Hacking deeper in the system
https://github.com/pandazheng/LinuxExploit
http://phrack.org/issues/57/8.html#article
http://phrack.org/issues/57/9.html#article
http://dbp-consulting.com/tutorials/debugging/linuxProgramStartup.html
https://github.com/0xAX/linux-insides/blob/master/SysCall/syscall-4.md
http://eleveneat.com/2015/07/26/Software-Security-Week1/
http://eleveneat.com/2015/08/14/Software-Security-Week2/
https://403forbidden.website/2017/09/%e4%ba%8c%e8%bf%9b%e5%88%b6%e6%bc%8f%e6%b4%9e%e5%ad%a6%e4%b9%a0%e8%bf%9e%e8%bd%bd-0/
http://staff.csie.ncu.edu.tw/hsufh/COURSES/SPRING2018/attackdefense.html
http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html#intro
http://blog.nsfocus.net/null-pointer-vulnerability-analysis-defense/
http://codearcana.com/posts/2013/05/21/a-brief-introduction-to-x86-calling-conventions.html
Sour Pickles – Python pickle problems
Sonic Hacking Utilities
GDB Example ncurses
Exploring Python using GDB
Exploiting PHP File Inclusion
Address Sanitizer
OWASP Top 10 - Presentatioin on Top 10 Web Application Vulnerabilities and how to avoid them.
Vudo malloc tricks
Once upon a free()
RSA Attacks - Explanation of various RSA attacks
How the heck do we get to main()?
Malloc Internals - glibc wiki
10 things InfoSec professionals need to know about networking
ELF executable reconstruction from a core image