Links
Prep
Tools
Scripts
Vanilla buffer overflow
SEH
Egghunter
Shellcoding
DEP
ASLR
Prep
- EXP-301 syllabus
- EXP-301 open/free materials
- Corelan free exploit development articles
- x86 Architecture
- x86 Assembly course
- Intro to Reversing (Beginners)
- Reversing training by Ricardo Narvaja
- Exploit-DB
- Vulnserver (github)
- Vulnserver (blog)
- Tryhackme BOF Prep room
- Tryhackme Brainstorm room
- Tryhackme Brainpan 1 room
- Tryhackme Gatekeeper room
Tools
- WinDbg : debugger
- WinDbg cheatsheet : windbg user mode cheat sheet
- WinDbg themes : dark and white themes
- Pykd : allows running Python scripts inside WinDbg
- Mona.py : multiple task solution tool
- Narly : displaying protection of each module
- IDA : disassembler
- rp++ : displaying gadgets for ROP chain
- Ropper : displaying gadgets for ROP chain
- TCPView : shows TCP and UDP endpoints
- code_caver : python script that finds code caves for your exploit
Scripts
Vanilla Buffer Overflow
Writeups
- Stack BOF part 1 by corelan
- Stack BOF part 2 by corelan
- Vulnserver TRUN by fluidattacks
- BOF prep Tryhackme by infosecwriteups
- Brainstorm by steflan-security
- Brainpan1 by medium
- Gatekeeper by steflan-security
Binaries
- Tryhackme BOF Prep room
- Tryhackme Brainstorm room
- Tryhackme Brainpan 1 room
- Tryhackme Gatekeeper room
- Vulnserver (github)
- MiniShare 1.4.1
- PCMan FTP server 2.0.7
- Freefloat FTP server 1.0
- VUPlayer 2.49
SEH
Writeups
- SEH Buffer Overflow by Shelldon
- SEH Based Exploits by corelan
- SEH Based Exploits by corelan (another example)
- SEH Exploitation by Securitysift
- SEH Exploitation by Fuzzysecurity
- SEH Exploitation by Shogun Lab
- Kevin PG practice by xct
- UT99 PG practice by xct (another example)
Binaries
- Millenium MP3 Studio 2.0
- Free MP3 CD Ripper 2.6
- Easy AVI DivX Converter 1.2.2.4
- My Video Converter 1.5.24
- VeryPDF Image2PDF Converter
- ASX to MP3 Converter 3.1.2.1
- Vulnserver (GMON)
- EFS Easy Chat Server 3.1
- Easy File Sharing Web Server 7.2
- freeFTPD 1.0.10
- FathFTP 1.8
- File Sharing Wizard 1.5.0
- Easy Address Book Web server 1.6
Egghunter
Writeups
- Win32 Egg hunting by corelan
- WoW64 Egghunter by corelan
- Egghunter Exploitation by Skape
- Locating Shellcode with egghunting by Securitysift
- Egghunters by Fuzzysecurity
- Egghunter by shogunlab
Binaries
- docPrint Pro 8.0
- Foxit Reader 4.1.1
- Audacity 1.2
- MiniShare 1.5.5
- Free Mp3 CD Ripper 2.8
- Base64 Decoder 1.1.2
- KiTTY Portable 0.65.0.2p
- IP-Tools 2.5
- Vulnserver (GTER, GMON, KSTET)
- Easy File Sharing Web Server 7.2
- TFTP Server 1.4
- MinaliC WebServer 2.0.0
- Sysax Multi Server 5.52
- Savant Web Server 3.1
Shellcoding
Writeups
- Intro to win32 shellcoding by corelan
- Understanding Win shellcode by skape
- Writing small shellcode by Dafydd Stuttard
- Writing shellcode encoders and decoders by ired.team
- Writing W32 shellcode by FuzzySecurity
- Writing Messagebox shellcode by marcosvalle
- Writing Win x32 manual shellcode part 1, part 2 and part 3 by marcosvalle
Socket reuse technique
- WS2_32 recv() reuse by Connor McGarr
- Vulnserver - GTER by Zachary Fleming
- Socket Reuse by Shelldon
- Writing a stager by nop
DEP
Writeups
- Understanding DEP by fluidattacks
- Bypassing DEP with ROP by fluidattacks
- Bypassing DEP with VirtualAlloc (PUSHAD method) by Shelldon
- Bypassing DEP with VirtualProtect by Shelldon
- Bypassing DEP with WriteProcessMemory by nop
- Write a ROP decoder by nop
- Changing DEP with ROP by corelan
Binaries
- RemoteApp by Shelldon
- QuoteDB by bmdyy
- Signatus by bmdyy
- Rainbow 1 and 2 by xct
- Easy File Sharing Web Server 7.2 by xct
- Any other binary (turn on Data Execution Prevention in your VM)
ASLR
Writeups
- Bypassing stack cookies, SafeSEH, SEHOP, HW DEP and ASLR by corelan
- Universal DEP/ASLR bypassing with msvcr71.dll and mona.py by corelan
- Bypassing ASLR/DEP by Vinay Katoch
Binaries
- RemoteApp by Shelldon
- QuoteDB by bmdyy
- Signatus by bmdyy
- Rainbow 1 and 2 by xct
- CoolPlayer+ Portable 2.19.6
- CoolPlayer+ Portable 2.19.12
- BlazeDVD 6.1
- BlazeDVD 5.1
- Simple Web Server 2.2-rc2