README.md

Exploit Development: Case Studies

This repository is intended as a personal list of exploit development case studies I stumble upon during my work. My categorization is not very granular — I'm skipping differentiation between user-mode and kernel-mode, as well as type of the software being exploited. Exploit primitives are what's really important, therefore the only two categories I'm using are Windows and Unix-like (including Linux, Android, MacOS, iOS, BSDs, et cetera).

Windows

• Adobe Shockwave - A case study on memory disclosure
• Understanding type confusion vulnerabilities: CVE-2015-0336
• Out-of-bounds read/write Pwn2Own 2014 Firefox
• Pwn2own (3/13/2014): VUPEN exploit.
• Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014)
• Advanced Exploitation of VirtualBox 3D Acceleration VM Escape Vulnerability (CVE-2014-0983)
• CVE-2014-0322 "Snowman" exploit
• Dissecting the newest IE10 0-day exploit (CVE-2014-0322)
• R7-2013-19 Disclosure: Yokogawa CENTUM CS 3000 Vulnerabilities
• A browser is only as strong as its weakest byte
• MWR Labs Pwn2Own 2013 Write-up - Kernel Exploit
• The story of MS13-002: How incorrectly casting fat pointers can make your code explode
• Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 1
• Anatomy of an exploit – inside the CVE-2013-3893 Internet Explorer zero-day – Part 2
• The Technical Aspects of Exploiting IE Zero-Day CVE-2013-3897
• In memory of a zero-day – MS13-051
• Advanced Exploitation of Mozilla Firefox Use-after-free Vulnerability (MFSA 2012-22)
• Advanced Exploitation of Windows Kernel Intel 64-Bit Mode Sysret Vulnerability (MS12-042)
• Exploiting CVE-2011-2371 (FF reduceRight) without non-ASLR modules
• Happy New Year Analysis of CVE-2012-4792
• Bypassing ASLR and DEP on Adobe Reader X
• MS11-080 Exploit – A Voyage into Ring Zero
• Insecticides don't kill bugs, Patch Tuesdays do
• The Fix That Never Was
• Technical Analysis of the Windows Win32K.sys Keyboard Layout Stuxnet Exploit
• Device Drivers Vulnerability Research, Avast a real case

Unix-like

• Xen SMEP (and SMAP) bypass
• Ntpdc Local Buffer Overflow
• How to exploit the x32 recvmmsg() kernel vulnerability CVE 2014-0038
• Exploiting CVE-2014-0196 a walk-through of the Linux pty race condition PoC
• Pwnium 4: v8 OOB read/write with defineGetter and bytesLength
• Google Chrome Exploitation – A Case Study
• Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)
• Exploiting 64-bit Linux like a boss
• A closer look at a recent privilege escalation bug in Linux (CVE-2013-2094)
• Analysis of nginx 1.3.9/1.4.0 stack buffer overflow and x64 exploitation (CVE-2013-2028)
• Exploiting nginx chunked overflow bug, the undisclosed attack vector (CVE-2013-2028)
• Mobile Pwn2Own Autumn 2013 - Chrome on Android - Exploit Writeup
• Packet Storm Advisory 2013-0903-1 - Apple Safari Heap Buffer Overflow
• Analysis of CVE-2013-0809
• Anatomy of a user namespaces vulnerability
• Linux Local Privilege Escalation via SUID /proc/pid/mem Write
• Advanced Exploitation of Xen Hypervisor Sysret VM Escape Vulnerability
• CVE-2012-0217: Intel's sysret Kernel Privilege Escalation (on FreeBSD)
• Exploiting Sudo format string vunerability
• Technical Analysis of ProFTPD Response Pool Use-after-free (CVE-2011-4130) - Part I
• Advanced Exploitation of ProFTPD Response Pool Use-after-free (CVE-2011-4130) - Part II
• Analysis of CVE-2011-3545 (ZDI-11-307)
• libpng extra row (CVE-2010-1205)
• WebKit CSS Type Confusion
• Technical Analysis of Exim "string_vformat()" Buffer Overflow Vulnerability
• Bypassing Linux' NULL pointer dereference exploit prevention (mmap_min_addr)
• Linux kernel 2.6.31 perf_counter_open exploit