Research
Hardware
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | https://www.blackhat.com/docs/us-14/mate... | QSEE TrustZone Kernel Integer Overflow Vulnerability | 01-07-2014 | Dan Rosenberg | Android | N/A |
2 | http://atredispartners.blogspot.de/2014/... | Here Be Dragons: Vulnerabilities in TrustZone | 14-08-2014 | Nathan Keltner | ARM | N/A |
3 | https://www.blackhat.com/docs/us-15/mate... | Exploiting Trustzone on Android | xx-08-2015 | Di Shen | Android | CVE-2015-4421, CVE-2015-4422 |
4 | http://blog.invisiblethings.org/papers/2... | Intel x86 considered harmful | xx-10-2015 | Joanna Rutkowska | Intel x86 | N/A |
5 | http://blog.invisiblethings.org/papers/2... | State considered harmful - A proposal for a stateless laptop | xx-12-2015 | Joanna Rutkowska | - | N/A |
Compilers, Interpreters
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | https://code.google.com/p/em386/download... | Exploring the STL: Owning erase( ) | 20-07-2009 | Chris Rohlf | Linux | - |
Virtualization
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | https://www.ernw.de/download/newsletter/ERN... | XENPWN: BREAKING PARAVIRTUALIZED DEVICES | 17-07-2016 | Felix Wilhelm | - | N/A |
Operating System
Heap
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | https://www.blackhat.com/presentations/b... | Understanding the heap by breaking it | xx-08-2007 | Justin N. Ferguson | Linux | N/A |
2 | https://media.blackhat.com/eu-13/briefin... | Advanced Heap Manipulation in Windows 8 | 15-03-2013 | Zhenhua (Eric) Liu | Windows 8 | N/A |
3 | https://www.corelan.be/index.php/2016/07... | Windows 10 x86/wow64 Userland heap | 05-07-2016 | corelanc0d3r | Windows 10 | N/A |
4 | https://www.blackhat.com/docs/us-16/mate... | WINDOWS 10 SEGMENT HEAP INTERNALS | xx-08-2016 | Mark Vincent Yason | Windows 10 | N/A |
Kernel
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://census-labs.com/media/bheu-2010-w... | Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation | 22-04-2010 | Patroklos (argp) Argyroudis | FreeBSD | CVE-2008-3531 |
2 | http://www.mista.nu/research/MANDT-kerne... | Kernel Pool Exploitation on Windows 7 | 12-01-2011 | Tarjei (kernelpool) Mandt | Windows | N/A |
3 | http://sysc.tl/2012/01/03/linux-kernel-h... | The Linux kernel memory allocators from an exploitation perspective | 03-01-2012 | Patroklos (argp) Argyroudis | Linux | N/A |
4 | https://media.blackhat.com/bh-us-12/Brie... | iOS Kernel Heap Armageddon | 26-07-2012 | Stefan Esser | iOS | N/A |
5 | http://blog.azimuthsecurity.com/2013/12/... | Attacking Zone Page Metadata in iOS 7 and OS X Mavericks | 19-12-2013 | Tarjei (kernelpool) Mandt | iOS | N/A |
General
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | https://labs.mwrinfosecurity.com/system/... | Windows Services – All roads lead to SYSTEM | 31-10-2014 | Article | Windows | N/A |
2 | http://census-labs.com/media/Fuzzing_Object... | Fuzzing Objects d’ART: Digging Into the New Android L Runtime Internals | 18-06-2015 | Anestis Bechtsoudis | Android Lollipop | N/A |
3 | http://googleprojectzero.blogspot.de/2015... | Revisiting Apple IPC: (1) Distributed Objects | 28-09-2015 | Ian Beer | Mac | N/A |
4 | https://googleprojectzero.blogspot.de/20... | The Definitive Guide on Win32 to NT Path Conversion | 29-02-2016 | James Forshaw | Windows | N/A |
5 | https://labs.mwrinfosecurity.com/publications/qnx-architectural/ | QNX: Security Architecture Whitepaper | 16-03-2016 | Alex Plaskett, Georgi Geshev | QNX | N/A |
6 | https://specterops.io/assets/resources/S.... | Subverting Trust in Windows | xx-09-2017 | Matt Graeber | Windows | N/A |
Application
Just-In-Time (JIT) and Virtual Machines (VM)
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://www.inf.fu-berlin.de/groups/ag-si... | Application-Specific Attacks: Leveraging the ActionScript Virtual Machine | xx-04-2008 | Mark Dowd | - | - |
2 | http://dsecrg.com/files/pub/pdf/Writing%20J... | Writing JIT-Spray Shellcode for fun and profit | 05-03-2010 | Alexey Sintsov | Windows, x86-32 | N/A |
3 | http://www.matasano.com/research/Attacki... | Attacking Clientside JIT Compilers | 07-08-2011 | Chris Rohlf, Yan Ivnitsky | - | N/A |
4 | http://blog.cdleary.com/2011/08/understa... | Understanding JIT spray | 29-08-2011 | Chris Leary | - | N/A |
5 | https://web.archive.org/web/201502060818... | JIT Spraying Primer and CVE-2010-3654 | 26-05-2012 | Gal Badishi | Windows | CVE-2010-3654 |
6 | http://mainisusuallyafunction.blogspot.d... | Attacking hardened Linux systems with kernel JIT spraying | 17-11-2012 | keegan | Linux | N/A |
7 | http://zhodiac.hispahack.com/my-stuff/se... | Flash JIT – Spraying info leak gadgets | 19-07-2013 | Fermin J. Serna | - | N/A |
8 | https://xuanwulab.github.io/2015/06/09/R... | Research report on using JIT to trigger RowHammer | 09-06-2015 | R3dF09 | - | N/A |
Custom or Application-specific Heaps
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | https://sites.google.com/site/zerodayres... | Adobe Reader's Custom Memory Management: A Heap Of Trouble | 22-04-2010 | Haifei Li, Guillaume Lovet | - | CVE-2010-1241 |
2 | https://media.blackhat.com/bh-us-12/Brie... | Exploiting the jemalloc Memory Allocator: Owning Firefox's Heap | 25-07-2012 | Patroklos (argp) Argyroudis, Chariton (huku) Karamitas | *nix | N/A |
3 | https://communities.coverity.com/blogs/s... | Windows 8 Heap Internals | 31-07-2012 | Chris Valasek | Windows | N/A |
4 | https://struct.github.io/partition_alloc... | PartitionAlloc - A shallow dive and some rand | 22-01-2016 | Chris Rohlf | - | N/A |
Application Internals And Attacks
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://media.blackhat.com/bh-ad-11/Drake... | Exploiting Memory Corruption Vulnerabilities in the Java Runtime | 15-12-2011 | Joshua (jduck) J. Drake | - | CVE-2009-3869, CVE-2010-3552 |
2 | https://media.blackhat.com/bh-us-12/Brie... | DIGGING DEEP INTO THE FLASH SANDBOXES | xx-xx-2012 | Paul Sabanal, Mark Vincent Yason | - | N/A |
3 | https://web.archive.org/web/201301190934... | Google Native Client - Analysis Of A Secure Browser Plugin Sandbox | 25-07-2012 | Whitepaper | - | N/A |
4 | http://seclists.org/bugtraq/2012/Sep/29 | Internet Explorer Script Interjection Code Execution (updated) | 06-09-2012 | Derek Soeder | Windows | N/A |
5 | https://sites.google.com/site/zerodayres... | Smashing the Heap with Vector: Advanced Exploitation Technique in Recent Flash Zero-day Attack | xx-02-2013 | Haifei Li | - | CVE-2013-0634 |
6 | http://www.slideshare.net/xiong120/explo... | Exploit IE Using Scriptable ActiveX Controls (version English) | 22-03-2014 | Yuki (guhe120) Chen | Windows | N/A |
7 | http://blog.fortinet.com/post/advanced-e... | Advanced Exploit Techniques Attacking the IE Script Engine | 16-06-2014 | Zhenhua 'Eric' Liu | Windows | N/A |
8 | https://www.blackhat.com/docs/us-14/mate... | Thinking outside the sandbox - Violating trust boundaries in uncommon ways | 05-08-2014 | Brian Gorenc, Jasiel Spelman | Windows | CVE-2014-1705, CVE-2014-4015, CVE-2014-0506, CVE-2014-1713 |
9 | https://www.blackhat.com/docs/us-15/mate... | UNDERSTANDING THE ATTACK SURFACE AND ATTACK RESILIENCE OF PROJECT SPARTAN'S (EDGE) NEW EDGEHTML RENDERING ENGINE | xx-08-2015 | Mark Vincent Yason | Windows | N/A |
10 | https://www.blackhat.com/docs/us-16/mate... | The art of reverse-engineering Flash exploits | xx-07-2016 | Jeong Wook Oh | - | CVE-2015-5122, CVE-2015-8651, CVE-2016-1010, CVE-2015-0336, CVE-2015-8446 |
Exploitation Techniques
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://cansecwest.com/slides07/Vector-Re... | Vector Rewrite Attack - Exploitable NULL Pointer Vulnerabilities on ARM and XScale Architectures | xx-03-2007 | Barnaby Jack | ARM/XScale | - |
2 | http://ifsec.blogspot.com/2011/06/memory... | Memory disclosure technique for Internet Explorer | 09-06-2011 | Ivan Fratric | Windows, x86-32 | N/A |
3 | https://web.archive.org/web/20130524082... | White Phosphorus Exploit Pack Sayonara ASLR DEP Bypass Technique | 21-06-2011 | Note | Windows, x86-32 | N/A |
4 | https://media.blackhat.com/bh-us-11/Bros... | Post Memory Corruption Memory Analysis | 03-08-2011 | Jonathan Brossard | Linux, x86 | N/A |
5 | http://zhodiac.hispahack.com/my-stuff/se... | CVE-2012-0769, the case of the perfect info leak | 09-04-2012 | Fermin J. Serna | Windows | CVE-2012-0769 |
6 | http://diyhpl.us/~bryan/papers2/security... | Android exploitation primers: lifting the veil on mobile offensive security (Vol. I) | xx-08-2012 | Larry H, Bastian F | Android | CVE-2010-4577 |
7 | http://h30499.www3.hp.com/t5/HP-Security... | Verifying Windows Kernel Vulnerabilities | 30-10-2013 | Article | Windows | N/A |
8 | https://community.rapid7.com/community/m... | "Hack Away at the Unessential" with ExpLib2 in Metasploit | 07-04-2014 | Wei Chen | Windows | N/A |
9 | https://doar-e.github.io/blog/2014/04/30... | Corrupting the ARM Exception Vector Table | 30-04-2014 | Amat "acez" Cama | ARM | N/A |
10 | http://tfpwn.com/blog/turn-it-into-a-uaf... | Turn it into a UAF | 11-01-2015 | Alexander Eubanks | - | N/A |
11 | https://blog.coresecurity.com/2015/09/28... | Abusing GDI for ring0 exploit primitives | 28-09-2015 | Diego Juarez | Windows | N/A |
12 | https://www.nccgroup.trust/uk/our-resear... | Exploitation Advancements | 07-10-2015 | Aaron Adams | - | N/A |
13 | https://0b3dcaf9-a-62cb3a1a-s-sites.goog... | #BadWinMail: The "Enterprise Killer" Attack Vector in Microsoft Outlook | xx-12-2015 | Haifei Li | Windows | N/A |
14 | http://blog.skylined.nl/20161118001.html | Tetris heap spraying: spraying the heap on a budget | 18-11-2016 | skylined | - | N/A |
Heap/Pool-spray
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://www.phreedom.org/presentations/he... | Heap Feng Shui in JavaScript | 2007 | Alexander Sotirov | Windows, x86-32 | N/A |
2 | http://www.exploit-monday.com/2011/08/ta... | Targeted Heap Spraying – 0x0c0c0c0c is a Thing of the Past | 29-08-2011 | Matt Graeber | - | N/A |
3 | https://www.corelan.be/index.php/2011/12... | Exploit writing tutorial part 11 : Heap Spraying Demystified | 31-12-2011 | corelanc0d3r | Windows, x86-32 | N/A |
4 | https://www.corelan.be/index.php/2013/02... | DEPS – Precise Heap Spray on Firefox and IE10 | 19-02-2013 | corelanc0d3r | Windows | N/A |
5 | http://blog.ptsecurity.com/2013/03/stars... | Stars aligner’s how-to: kernel pool spraying and VMware CVE-2013-1406 | 06-03-2013 | Article | Windows | CVE-2013-1406 |
6 | http://www.alex-ionescu.com/?p=231 | Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids’ Pool | 29-12-2014 | Alex Ionescu | Windows | N/A |
7 | https://theevilbit.blogspot.de/2017/09/p... | Windows kernel pool spraying fun - Part 1 - Determine kernel object size | 05-09-2017 | theevilbit | Windows | N/A |
8 | https://theevilbit.blogspot.de/2017/09/w... | Windows kernel pool spraying fun - Part 2 - More objects | 11-09-2017 | theevilbit | Windows | N/A |
9 | https://theevilbit.blogspot.de/2017/09/w... | Windows kernel pool spraying fun - Part 3 - Let's make holes | 14-09-2017 | theevilbit | Windows | N/A |
Mitigation Techniques
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://j00ru.vexillium.org/?p=1038 | Windows Kernel Address Protection | xx-08-2011 | Mateusz (j00ru) Jurczyk | Windows | N/A |
2 | http://www.vdalabs.com/tools/DeMott_Blue... | BlueHat Prize Submission (/ROP) | xx-03-2012 | Jared DeMott | Windows | N/A |
General
Nr | URL | Description | Date | Author | OS/Arch | Info |
---|---|---|---|---|---|---|
1 | http://reversing.it/thesis.pdf | Securing Application Software in Modern Adversarial Settings | xx-07-2015 | Felix Schuster | - | N/A |
2 | http://go.armis.com/hubfs/BlueBorne%20Te... | BlueBorne | xx-09-2017 | Ben Seri, Gregory Vishnepolsky | - | N/A |
3 | https://www.qualys.com/2017/06/19/stack-... | The Stack Clash | 19-06-2017 | Qualys | - | N/A |
4 | https://www.riscure.com/uploads/2017/10/... | Escalating Privileges in Linux using Voltage Fault Injection | xx-10-2017 | Niek Timmers, Cristofaro Mune | Linux | N/A |