A curated list of Windows exploitation resources and a list of Android security resources.
Thanks to TK 教主 for the recommendation.
Project addresses:
- https://github.com/enddo/awesome-windows-exploitation
- https://github.com/enddo/android-security-awesome
Awesome Windows Exploitation
目录
- Windows stack overflows
- Windows heap overflows
- Kernel based Windows overflows
- Return Oriented Programming
- Windows memory protections
- Bypassing filter and protections
- Typical windows exploits
- Exploit development tutorial series
- Corelan Team
- Fuzzysecurity
- Securitysift
- Whitehatters Academy
- TheSprawl
- Tools
Windows stack overflows
Stack Base Overflow Articles.
- Win32 Buffer Overflows (Location, Exploitation and Prevention) - by Dark spyrit [1999]
- Writing Stack Based Overflows on Windows - by Nish Bhalla [2005]
- Stack Smashing as of Today - by Hagen Fritsch [2009]
- SMASHING C++ VPTRS - by rix [2000]
Windows heap overflows
Heap Base Overflow Articles.
- Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002]
- Exploiting the MSRPC Heap Overflow Part 1 - by Dave Aitel (MS03-026) [September 2003]
- Exploiting the MSRPC Heap Overflow Part 2 - by Dave Aitel (MS03-026) [September 2003]
- Windows heap overflow penetration in black hat - by David Litchfield [2004]
- Glibc Adventures: The Forgotten Chunk - by François Goichon [2015]
- Pseudomonarchia jemallocum - by argp & huku
- The House Of Lore: Reloaded - by blackngel [2010]
- Malloc Des-Maleficarum - by blackngel [2009]
- free() exploitation technique - by huku
- Understanding the heap by breaking it - by Justin N. Ferguson [2007]
- The use of set_head to defeat the wilderness - by g463
- The Malloc Maleficarum - by Phantasmal Phantasmagoria [2005]
- Exploiting The Wilderness - by Phantasmal Phantasmagoria [2004]
- Advanced Doug lea's malloc exploits - by jp
Kernel based Windows overflows
Kernel Base Exploit Development Articles.
- How attacking kernel-based vulns on Windows was done - by a Polish group called "sec-labs" [2003]
- Sec-lab old whitepaper
- Sec-lab old exploit
- Windows Local Kernel Exploitation (based on sec-lab research) - by S.K Chong [2004]
- How to exploit Windows kernel memory pool - by SoBeIt [2005]
- Exploiting remote kernel overflows in windows - by Eeye Security
- Kernel-mode Payloads on Windows in uninformed - by Matt Miller
- Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
- BH US 2007 Attacking the Windows Kernel
- Remote and Local Exploitation of Network Drivers
- Exploiting Common Flaws In Drivers
- I2OMGMT Driver Impersonation Attack
- Real World Kernel Pool Exploitation
- Exploit for windows 2k3 and 2k8
- Analyzing local privilege escalations in win32k
- Intro to Windows Kernel Security Development
- There’s a party at ring0 and you’re invited
- Windows kernel vulnerability exploitation
- A New CVE-2015-0057 Exploit Technology - by Yu Wang [2016]
- Exploiting CVE-2014-4113 on Windows 8.1 - by Moritz Jodeit [2016]
- Easy local Windows Kernel exploitation - by Cesar Cerrudo [2012]
- Windows Kernel Exploitation - by Simone Cardona 2016
- Exploiting MS16-098 RGNOBJ Integer Overflow on Windows 8.1 x64 bit by abusing GDI objects - by Saif Sherei 2017
- Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes - by keen team [2015]
- Abusing GDI for ring0 exploit primitives - [2016]
Return Oriented Programming
- The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls
- Blind return-oriented programming
- Sigreturn-oriented Programming
- Jump-Oriented Programming: A New Class of Code-Reuse Attack
- Out of control: Overcoming control-flow integrity
- ROP is Still Dangerous: Breaking Modern Defenses
- Loop-Oriented Programming(LOP): A New Code Reuse Attack to Bypass Modern Defenses - by Bingchen Lan, Yan Li, Hao Sun, Chao Su, Yao Liu, Qingkai Zeng [2015]
- Systematic Analysis of Defenses Against Return-Oriented Programming -by R. Skowyra, K. Casteel, H. Okhravi, N. Zeldovich, and W. Streilein [2013]
- Return-oriented programming without returns -by S.Checkoway, L. Davi, A. Dmitrienko, A. Sadeghi, H. Shacham, and M. Winandy [2010]
- Jump-oriented programming: a new class of code-reuse attack -by T. K. Bletsch, X. Jiang, V. W. Freeh, and Z. Liang [2011]
- Stitching the gadgets: on the ineffectiveness of coarse-grained control-flow integrity protection - by L. Davi, A. Sadeghi, and D. Lehmann [2014]
- Size does matter: Why using gadget-chain length to prevent code-reuse attacks is hard - by E. Göktas, E.Athanasopoulos, M. Polychronakis, H. Bos, and G.Portokalidis [2014]
- Buffer overflow attacks bypassing DEP (NX/XD bits) – part 1 - by Marco Mastropaolo [2005]
- Buffer overflow attacks bypassing DEP (NX/XD bits) – part 2 - by Marco Mastropaolo [2005]
- Practical Rop - by Dino Dai Zovi [2010]
- Exploitation with WriteProcessMemory - by Spencer Pratt [2010]
- Exploitation techniques and mitigations on Windows - by skape
- A little return oriented exploitation on Windows x86 – Part 1 - by Harmony Security and Stephen Fewer [2010]
- A little return oriented exploitation on Windows x86 – Part 2 - by Harmony Security and Stephen Fewer [2010]
Windows memory protections
Windows memory protections Introduction Articles.
Bypassing filter and protections
Windows memory protections Bypass Methods Articles.
- Third Generation Exploitation smashing heap on 2k - by Halvar Flake [2002]
- Creating Arbitrary Shellcode In Unicode Expanded Strings - by Chris Anley
- Advanced windows exploitation - by Dave Aitel [2003]
- Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server - by David Litchfield
- Reliable heap exploits and, after that, Windows Heap Exploitation (Win2KSP0 through WinXPSP2) - by Matt Conover at CanSecWest 2004
- Safely Searching Process Virtual Address Space - by Matt Miller [2004]
- IE exploit that used a technique called Heap Spray
- Bypassing hardware-enforced DEP - by Skape (Matt Miller) and Skywing (Ken Johnson) [October 2005]
- Exploiting Freelist[0] On XP Service Pack 2 - by Brett Moore [2005]
- Kernel-mode Payloads on Windows in uninformed
- Exploiting 802.11 Wireless Driver Vulnerabilities on Windows
- Exploiting Common Flaws In Drivers
- Heap Feng Shui in JavaScript by Alexander sotirov [2007]
- Understanding and bypassing Windows Heap Protection - by Nicolas Waisman [2007]
- Heaps About Heaps - by Brett moore [2008]
- Bypassing browser memory protections in Windows Vista - by Mark Dowd and Alex Sotirov [2008]
- Attacking the Vista Heap - by ben hawkes [2008]
- Return oriented programming Exploitation without Code Injection - by Hovav Shacham (and others ) [2008]
- Token Kidnapping and a super reliable exploit for windows 2k3 and 2k8 - by Cesar Cerrudo [2008]
- Defeating DEP Immunity Way - by Pablo Sole [2008]
- Practical Windows XP2003 Heap Exploitation - by John McDonald and Chris Valasek [2009]
- Bypassing SEHOP - by Stefan Le Berre Damien Cauquil [2009]
- Interpreter Exploitation : Pointer Inference and JIT Spraying - by Dionysus Blazakis [2010]
- Write-up of Pwn2Own 2010 - by Peter Vreugdenhil
- All in one 0day presented in rootedCON - by Ruben Santamarta [2010]
- DEP/ASLR bypass using 3rd party - by Shahin Ramezany [2013]
- Bypassing EMET 5.0 - by René Freingruber [2014]
Typical windows exploits
- Real-world HW-DEP bypass Exploit - by Devcode
- Bypassing DEP by returning into HeapCreate - by Toto
- First public ASLR bypass exploit by using partial overwrite - by Skape
- Heap spray and bypassing DEP - by Skylined
- First public exploit that used ROP for bypassing DEP in adobe lib TIFF vulnerability
- Exploit codes of bypassing browsers memory protections
- PoC's on Token Kidnapping. PoC for 2k3 - part 1 - by Cesar Cerrudo
- PoC's on Token Kidnapping. PoC for 2k8 - part 2 - by Cesar Cerrudo
- An exploit that works from Win 3.1 to Win 7 (KiTrap0D) - by Tavis Ormandy
- Old ms08-067 metasploit module multi-target and DEP bypass
- PHP 6.0 Dev str_transliterate() Buffer overflow – NX + ASLR Bypass
- SMBv2 Exploit - by Stephen Fewer
- Microsoft IIS 7.5 remote heap buffer overflow - by redpantz
- Browser Exploitation Case Study for Internet Explorer 11 - by Moritz Jodeit [2016]
Exploit development tutorial series
Exploit development tutorial series based on the Windows operating system.
- Corelan Team
- Exploit writing tutorial part 1 : Stack Based Overflows
- Exploit writing tutorial part 2 : Stack Based Overflows – jumping to shellcode
- Exploit writing tutorial part 3 : SEH Based Exploits
- Exploit writing tutorial part 3b : SEH Based Exploits – just another example
- Exploit writing tutorial part 4 : From Exploit to Metasploit – The basics
- Exploit writing tutorial part 5 : How debugger modules & plugins can speed up basic exploit development
- Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
- Exploit writing tutorial part 7 : Unicode – from 0x00410041 to calc
- Exploit writing tutorial part 8 : Win32 Egg Hunting
- Exploit writing tutorial part 9 : Introduction to Win32 shellcoding
- Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube
- Exploit writing tutorial part 11 : Heap Spraying Demystified
- Fuzzysecurity
- Part 1: Introduction to Exploit Development
- Part 2: Saved Return Pointer Overflows
- Part 3: Structured Exception Handler (SEH)
- Part 4: Egg Hunters
- Part 5: Unicode 0x00410041
- Part 6: Writing W32 shellcode
- Part 7: Return Oriented Programming
- Part 8: Spraying the Heap Chapter 1: Vanilla EIP
- Part 9: Spraying the Heap Chapter 2: Use-After-Free
- Part 10: Kernel Exploitation -> Stack Overflow
- Part 11: Kernel Exploitation -> Write-What-Where
- Part 12: Kernel Exploitation -> Null Pointer Dereference
- Part 13: Kernel Exploitation -> Uninitialized Stack Variable
- Part 14: Kernel Exploitation -> Integer Overflow
- Part 15: Kernel Exploitation -> UAF
- Part 16: Kernel Exploitation -> Pool Overflow
- Part 17: Kernel Exploitation -> GDI Bitmap Abuse (Win7-10 32/64bit)
- Heap Overflows For Humans 101
- Heap Overflows For Humans 102
- Heap Overflows For Humans 102.5
- Heap Overflows For Humans 103
- Heap Overflows For Humans 103.5
- Securitysift
- Windows Exploit Development – Part 1: The Basics
- Windows Exploit Development – Part 2: Intro to Stack Based Overflows
- Windows Exploit Development – Part 3: Changing Offsets and Rebased Modules
- Windows Exploit Development – Part 4: Locating Shellcode With Jumps
- Windows Exploit Development – Part 5: Locating Shellcode With Egghunting
- Windows Exploit Development – Part 6: SEH Exploits
- Windows Exploit Development – Part 7: Unicode Buffer Overflows
- Whitehatters Academy
- Intro to Windows kernel exploitation 1/N: Kernel Debugging
- Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver
- Intro to Windows kernel exploitation 3/N: My first Driver exploit
- Intro to Windows kernel exploitation 3.5/N: A bit more of the HackSys Driver
- Backdoor 103: Fully Undetected
- Backdoor 102
- Backdoor 101
- TheSprawl
- corelan - integer overflows - exercise solution
- heap overflows for humans - 102 - exercise solution
- exploit exercises - protostar - final levels
- exploit exercises - protostar - network levels
- exploit exercises - protostar - heap levels
- exploit exercises - protostar - format string levels
- exploit exercises - protostar - stack levels
- open security training - introduction to software exploits - uninitialized variable overflow
- open security training - introduction to software exploits - off-by-one
- open security training - introduction to re - bomb lab secret phase
- open security training - introductory x86 - buffer overflow mystery box
- corelan - tutorial 10 - exercise solution
- corelan - tutorial 9 - exercise solution
- corelan - tutorial 7 - exercise solution
- getting from seh to nseh
- corelan - tutorial 3b - exercise solution
Tools
Disassemblers, debuggers, and other static and dynamic analysis tools.
- angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
- BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
- Binary Ninja - Multiplatform binary analysis IDE supporting various types of binaries and architectures. Scriptable via Python.
- binnavi - Binary analysis IDE for reverse engineering based on graph visualization.
- Bokken - GUI for Pyew and Radare.
- Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
- codebro - Web based code browser using clang to provide basic code analysis.
- dnSpy - .NET assembly editor, decompiler and debugger.
- Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
- GDB - The GNU debugger.
- GEF - GDB Enhanced Features, for exploiters and reverse engineers.
- hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
- IDA Pro - Windows disassembler and debugger, with a free evaluation version.
- Immunity Debugger - Debugger for malware analysis and more, with a Python API.
- ltrace - Dynamic analysis for Linux executables.
- objdump - Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg - An assembly-level debugger for Windows executables.
- PANDA - Platform for Architecture-Neutral Dynamic Analysis
- PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
- pestudio - Perform static analysis of Windows executables.
- Process Monitor - Advanced monitoring tool for Windows programs.
- Pyew - Python tool for malware analysis.
- Radare2 - Reverse engineering framework, with debugger support.
- SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
- strace - Dynamic analysis for Linux executables.
- Udis86 - Disassembler library and tool for x86 and x86_64.
- Vivisect - Python tool for malware analysis.
- X64dbg - An open-source x64/x32 debugger for windows.
A collection of android security related resources.
A lot of work is happening in academia and industry on tools to perform dynamic analysis, static analysis and reverse engineering of android apps.
android-security-awesome
ONLINE ANALYZERS
- AndroTotal
- CopperDroid
- Dexter
- SandDroid
- Tracedroid
- Visual Threat
- Mobile Malware Sandbox
- MobiSec Eacus
- IBM Security AppScan Mobile Analyzer - not free
- NVISO ApkScan
- AVC UnDroid
- FireEye - max 60MB, 15/day
- habo - 10/day
- VirusTotal - max 128MB
- Fraunhofer App-ray - not free
- Stowaway
- Anubis
- Mobile app insight
- Mobile-Sandbox
- Ijiami
- Comdroid
- Android Sandbox
- Foresafe
STATIC ANALYSIS TOOLS
- Androwarn - detect and warn the user about potential malicious behaviours developed by an Android application.
- ApkAnalyser
- APKInspector
- Droid Intent Data Flow Analysis for Information Leakage
- Several tools from PSU
- Smali CFG generator
- FlowDroid
- Android Decompiler – not free
- PSCout - A tool that extracts the permission specification from the Android OS source code using static analysis
- Amandroid
- SmaliSCA - Smali Static Code Analysis
- CFGScanDroid - Scans and compares CFG against CFG of malicious applications
- Madrolyzer - extracts actionable data like C&C, phone number etc.
- SPARTA - verifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
- ConDroid - Performs a combination of symbolic + concrete execution of the app
APP VULNERABILITY SCANNERS
- QARK - QARK by LinkedIn is for app developers to scan app for security issues
- AndroBugs
- Nogotofail
DYNAMIC ANALYSIS TOOLS
- Android DBI framework
- Android Malware Analysis Toolkit - (Linux distro) Earlier it used to be an online analyzer
- Mobile-Security-Framework MobSF - Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static, dynamic analysis and web API testing.
- AppUse – custom build for pentesting
- Cobradroid – custom image for malware analysis
- ViaLab Community Edition
- Droidbox
- Mercury
- Drozer
- Taintdroid - requires AOSP compilation
- Xposed - equivalent of doing Stub based code injection but without any modifications to the binary
- Android Hooker - API Hooking of java methods triggered by any Android application (requires the Substrate Framework)
- Android tamer - custom image
- Droidscope - custom image for dynamic analysis
- CuckooDroid - Android extension for Cuckoo sandbox
- Mem - Memory analysis of Android (root required)
- Crowdroid – unable to find the actual tool
- AuditdAndroid – android port of auditd, not under active development anymore
- Android Security Evaluation Framework - not under active development anymore
- Android Reverse Engineering – ARE (android reverse engineering) not under active development anymore
- Aurasium – Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
- Android Linux Kernel modules *
- Appie - Appie is a software package that has been pre-configured to function as an Android pentesting environment. It is completely portable and can be carried on a USB stick or smartphone. It is a one-stop answer for all the tools needed in Android application security assessment and an awesome alternative to existing virtual machines.
- StaDynA - a system supporting security app analysis in the presence of dynamic code update features (dynamic class loading and reflection). This tool combines static and dynamic analysis of Android applications in order to reveal the hidden/updated behavior and extend static analysis results with this information.
- DroidAnalytics - incomplete
- Vezir Project - Virtual Machine for Mobile Application Pentesting and Mobile Malware Analysis
REVERSE ENGINEERING
- Smali/Baksmali – apk decompilation
- emacs syntax coloring for smali files
- vim syntax coloring for smali files
- AndBug
- Androguard – powerful, integrates well with other tools
- Apktool – really useful for compilation/decompilation (uses smali)
- Android Framework for Exploitation
- Bypass signature and permission checks for IPCs
- Android OpenDebug – make any application on device debuggable (using cydia substrate).
- Dare – .dex to .class converter
- Dex2Jar - dex to jar converter
- Enjarify - dex to jar converter from Google
- Dedexer
- Fino
- Indroid – thread injection kit
- IntentSniffer
- Introspy
- Jad - Java decompiler
- JD-GUI - Java decompiler
- CFR - Java decompiler
- Krakatau - Java decompiler
- Procyon - Java decompiler
- FernFlower - Java decompiler
- Redexer – apk manipulation
- Smali viewer
- ZjDroid (no longer available), fork/mirror
- Simplify Android deobfuscator
- Bytecode viewer
- Radare2
FUZZ TESTING
- IntentFuzzer
- Radamsa Fuzzer
- Honggfuzz
- An Android port of the melkor ELF fuzzer
- Media Fuzzing Framework for Android
APP REPACKAGING DETECTORS
- FSquaDRA - a tool for detection of repackaged Android applications based on app resources hash comparison.
Exploitable Vulnerabilities
SAMPLE SOURCES
- contagio mini dump
- Android malware github repo
- Open Source database
- Drebin
- Admire
- MalGenome - contains 1260 malware samples categorized into 49 different malware families, free for research purpose.
- VirusTotal Malware Intelligence Service - powered by VirusTotal, not free
Reading material
- Android Security (and Not) Internals
- Android security related presentations
- A good collection of static analysis papers
MARKET CRAWLERS
- Google play crawler (Java)
- Google play crawler (Python)
- Google play crawler (Node) - get app details and download apps from official Google Play Store.
- Aptoide downloader (Node) - download apps from Aptoide third-party Android market
- Appland downloader (Node) - download apps from Appland third-party Android market
MISC TOOLS
- smalihook
- APK-Downloader
- AXMLPrinter2 - to convert binary XML files to human-readable XML files
- adb autocomplete
- Dalvik opcodes
- Opcodes table for quick reference
- ExploitMe Android Labs - for practice
- GoatDroid - for practice
- mitmproxy
- dockerfile/androguard
- Android Vulnerability Test Suite - android-vts scans a device for set of vulnerabilities
Good Tutorials
Other Awesome Lists
Other amazingly awesome lists can be found in the awesome-awesomeness list.
This article was published by Seebug Paper; please credit the source when reproducing it. Article URL: https://paper.seebug.org/195/