# Binary Exploitation

- [Stack](/notes/binexp/stack.md)
  - [Introduction](/notes/binexp/stack/introduction.md): An introduction to binary exploitation
  - [ret2win](/notes/binexp/stack/ret2win.md): The most basic binexp challenge
  - [De Bruijn Sequences](/notes/binexp/stack/de-bruijn-sequences.md): The better way to calculate offsets
  - [Shellcode](/notes/binexp/stack/shellcode.md): Running your own code
  - [NOPs](/notes/binexp/stack/nops.md): More reliable shellcode exploits
  - [32- vs 64-bit](/notes/binexp/stack/32-vs-64-bit.md): The differences between the sizes
  - [No eXecute](/notes/binexp/stack/no-execute.md): The defence against shellcode
  - [Return-Oriented Programming](/notes/binexp/stack/return-oriented-programming.md): Bypassing NX
    - [Calling Conventions](/notes/binexp/stack/return-oriented-programming/calling-conventions.md): A more in-depth look into parameters for 32-bit and 64-bit programs
    - [Gadgets](/notes/binexp/stack/return-oriented-programming/gadgets.md): Controlling execution with snippets of code
    - [Exploiting Calling Conventions](/notes/binexp/stack/return-oriented-programming/exploiting-calling-conventions.md): Utilising Calling Conventions
    - [ret2libc/ret2system](/notes/binexp/stack/return-oriented-programming/ret2libc.md): The standard ROP exploit
    - [Stack Alignment](/notes/binexp/stack/return-oriented-programming/stack-alignment.md): A minor issue
  - [Format String Bug](/notes/binexp/stack/format-string.md): Reading memory off the stack
  - [Stack Canaries](/notes/binexp/stack/canaries.md): The Buffer Overflow defence
  - [PIE](/notes/binexp/stack/pie.md): Position Independent Executables
    - [Pwntools, PIE and ROP](/notes/binexp/stack/pie/pwntools-pie-and-rop.md)
    - [PIE Bypass with Given Leak](/notes/binexp/stack/pie/pie-exploit.md): Exploiting PIE with a given leak
    - [PIE Bypass](/notes/binexp/stack/pie/pie-bypass.md): Using format string
  - [ASLR](/notes/binexp/stack/aslr.md): Address Space Layout Randomisation
    - [ASLR Bypass with Given Leak](/notes/binexp/stack/aslr/aslr-bypass-with-given-leak.md)
    - [PLT and GOT](/notes/binexp/stack/aslr/plt_and_got.md): Bypassing ASLR
    - [ret2plt ASLR bypass](/notes/binexp/stack/aslr/ret2plt-aslr-bypass.md)
  - [Virtual Addresses and Virtual Memory](/notes/binexp/stack/virtual-addresses-and-virtual-memory.md)
  - [GOT Overwrite](/notes/binexp/stack/got-overwrite.md): Hijacking functions
    - [Exploiting a GOT overwrite](/notes/binexp/stack/got-overwrite/exploiting-a-got-overwrite.md)
  - [RELRO](/notes/binexp/stack/relro.md): Relocation Read-Only
  - [Reliable Shellcode](/notes/binexp/stack/reliable-shellcode.md): Shellcode, but without the guesswork
    - [ROP and Shellcode](/notes/binexp/stack/reliable-shellcode/rop-and-shellcode.md)
    - [Using RSP](/notes/binexp/stack/reliable-shellcode/using-rsp.md)
    - [ret2reg](/notes/binexp/stack/reliable-shellcode/ret2reg.md): Using Registers to bypass ASLR
      - [Using ret2reg](/notes/binexp/stack/reliable-shellcode/ret2reg/using-ret2reg.md)
  - [One Gadgets and Malloc Hook](/notes/binexp/stack/one-gadgets-and-malloc-hook.md): Quick shells and pointers
  - [Syscalls](/notes/binexp/stack/syscalls.md): Interfacing directly with the kernel
    - [Exploitation with Syscalls](/notes/binexp/stack/syscalls/exploitation-with-syscalls.md)
    - [Sigreturn-Oriented Programming (SROP)](/notes/binexp/stack/syscalls/sigreturn-oriented-programming-srop.md): Controlling all registers at once
      - [Using SROP](/notes/binexp/stack/syscalls/sigreturn-oriented-programming-srop/using-srop.md)
  - [ret2dlresolve](/notes/binexp/stack/ret2dlresolve.md): Resolving our own libc functions
    - [Exploitation](/notes/binexp/stack/ret2dlresolve/exploitation.md)
  - [ret2csu](/notes/binexp/stack/ret2csu.md): Controlling registers when gadgets are lacking
    - [Exploitation](/notes/binexp/stack/ret2csu/exploitation.md)
    - [CSU Hardening](/notes/binexp/stack/ret2csu/csu-hardening.md)
  - [Exploiting over Sockets](/notes/binexp/stack/exploiting-over-sockets.md): File Descriptors and Sockets
    - [Exploit](/notes/binexp/stack/exploiting-over-sockets/exploit.md): Duplicating the Descriptors
    - [Socat](/notes/binexp/stack/exploiting-over-sockets/socat.md): More on socat
  - [Forking Processes](/notes/binexp/stack/forking-processes.md): Flaws with fork()
  - [Stack Pivoting](/notes/binexp/stack/stack-pivoting.md): Lack of space for ROP
    - [Exploitation](/notes/binexp/stack/stack-pivoting/exploitation.md): Stack Pivoting
      - [pop rsp](/notes/binexp/stack/stack-pivoting/exploitation/pop-rsp.md): Using a pop rsp gadget to stack pivot
      - [leave](/notes/binexp/stack/stack-pivoting/exploitation/leave.md): Using leave; ret to stack pivot
  - [Pointer Authentication](/notes/binexp/stack/pointer-authentication.md): An Arm hardware protection to combat ROP
  - [Memory Tagging Extension (MTE)](/notes/binexp/stack/memory-tagging-extension-mte.md): Arm's MTE Hardware Protection
  - [Memory Integrity Enforcement](/notes/binexp/stack/memory-integrity-enforcement.md)
- [Heap](/notes/binexp/heap.md): Still learning :)
  - [Introduction to the Heap](/notes/binexp/heap/introduction-to-the-heap.md)
  - [Chunks](/notes/binexp/heap/chunks.md)
  - [Freeing Chunks and the Bins](/notes/binexp/heap/bins.md)
    - [Operations of the Fastbin](/notes/binexp/heap/bins/operations-of-the-fastbin.md)
    - [Operations of the Other Bins](/notes/binexp/heap/bins/chunk-allocation-and-reallocation.md)
  - [The Top Chunk and Remainder](/notes/binexp/heap/the-top-chunk-and-remainder.md): Creating more heap space
  - [Malloc State](/notes/binexp/heap/malloc-state.md)
  - [malloc\_consolidate()](/notes/binexp/heap/malloc_consolidate.md): Consolidating fastbins
  - [Heap Overflow](/notes/binexp/heap/heap-overflow.md)
    - [heap0](/notes/binexp/heap/heap-overflow/heap0.md): http://exploit.education/phoenix/heap-zero/
    - [heap1](/notes/binexp/heap/heap-overflow/heap1.md): http://exploit.education/phoenix/heap-one/
  - [Use-After-Free](/notes/binexp/heap/use-after-free.md)
  - [Double-Free](/notes/binexp/heap/double-free.md)
    - [Double-Free Protections](/notes/binexp/heap/double-free/double-free-protections.md)
    - [Double-Free Exploit](/notes/binexp/heap/double-free/double-free-exploit.md)
  - [Unlink Exploit](/notes/binexp/heap/unlink-exploit.md)
  - [The Tcache](/notes/binexp/heap/the-tcache.md): New and efficient heap management
    - [Tcache: calloc()](/notes/binexp/heap/the-tcache/tcache-calloc.md)
    - [Tcache Poisoning](/notes/binexp/heap/the-tcache/tcache-poisoning.md): Reintroducing double-frees
  - [The Malloc Maleficarum](/notes/binexp/heap/the-malloc-maleficarum.md): The first heap exploits
    - [The House of Force](/notes/binexp/heap/the-malloc-maleficarum/the-house-of-force.md): Exploiting the wilderness
  - [Tcache Keys](/notes/binexp/heap/tcache-keys.md): A primitive double-free protection
  - [Safe Linking](/notes/binexp/heap/safe-linking.md)
- [Kernel](/notes/binexp/kernel.md)
  - [Introduction](/notes/binexp/kernel/introduction.md)
  - [Writing a Char Module](/notes/binexp/kernel/writing-a-char-module.md)
    - [An Interactive Char Driver](/notes/binexp/kernel/writing-a-char-module/a-communicatable-char-driver.md)
    - [Interactivity with IOCTL](/notes/binexp/kernel/writing-a-char-module/interactivity-with-ioctl.md): A more useful way to interact with the driver
  - [A Basic Kernel Interaction Challenge](/notes/binexp/kernel/a-basic-kernel-interaction-challenge.md)
  - [Compiling, Customising and booting the Kernel](/notes/binexp/kernel/compiling-customising-and-booting-the-kernel.md): Instructions for compiling the kernel with your own settings, as well as compiling kernel modules for a specific kernel version.
  - [Double-Fetch](/notes/binexp/kernel/double-fetch.md): The simplest of vulnerabilities
    - [Double-Fetch without Sleep](/notes/binexp/kernel/double-fetch/double-fetch-without-sleep.md): Removing the artificial sleep
  - [The Ultimate Aim of Kernel Exploitation - Process Credentials](/notes/binexp/kernel/the-ultimate-aim-of-kernel-exploitation-process-credentials.md)
  - [Kernel ROP - ret2usr](/notes/binexp/kernel/kernel-rop-ret2usr.md): ROPpety boppety, but now in the kernel
  - [Debugging a Kernel Module](/notes/binexp/kernel/debugging-a-kernel-module.md): A practical example
  - [SMEP](/notes/binexp/kernel/smep.md): Supervisor Mode Execution Prevention
    - [Kernel ROP - Disabling SMEP](/notes/binexp/kernel/smep/kernel-rop-disabling-smep.md): An old technique
    - [Kernel ROP - Privilege Escalation in Kernel Space](/notes/binexp/kernel/smep/kernel-rop-privilege-escalation-in-kernel-space.md): Bypassing SMEP by ropping through the kernel
    - [Kernel ROP - Stack Pivoting](/notes/binexp/kernel/smep/kernel-rop-stack-pivoting.md)
  - [SMAP](/notes/binexp/kernel/smap.md): Supervisor Mode Access Prevention
  - [Overwriting modprobe\_path](/notes/binexp/kernel/modprobe_path.md): A simple way to pop a shell
  - [KASLR](/notes/binexp/kernel/kaslr.md)
  - [KPTI](/notes/binexp/kernel/kpti.md): Kernel Page Table Isolation
  - [Kernel Heap](/notes/binexp/kernel/page.md): The pain of it all
  - [Heap Structures](/notes/binexp/kernel/heap-structures.md)
  - [TODO](/notes/binexp/kernel/todo.md): Random stuff I want to mention somewhere, but too small for its own page
- [Browser Exploitation](/notes/binexp/browser-exploitation.md)
  - [\*CTF 2019 - oob-v8](/notes/binexp/browser-exploitation/ctf-2019-oob-v8.md): Setting Up
    - [The Challenge](/notes/binexp/browser-exploitation/ctf-2019-oob-v8/the-challenge.md): The actual challenge
  - [picoCTF 2021 - Kit Engine](/notes/binexp/browser-exploitation/picoctf-2021-kit-engine.md): A lesson in floating-point form
  - [picoCTF 2021 - Download Horsepower](/notes/binexp/browser-exploitation/picoctf-2021-download-horsepower.md): Another OOB, but with pointer compression
  - [Browser Architecture](/notes/binexp/browser-exploitation/browser-architecture.md): A look at how browsers work under the hood
    - [Operation of the Renderer](/notes/binexp/browser-exploitation/browser-architecture/operation-of-the-renderer.md): How the renderer process works
  - [An Introduction to Turbofan](/notes/binexp/browser-exploitation/an-introduction-to-turbofan.md): V8's Optimizer
    - [A Typer Bug](/notes/binexp/browser-exploitation/an-introduction-to-turbofan/a-typer-bug.md): One of my favourites
- [Memory Safety](/notes/binexp/memory-safety.md): Languages like Rust and Swift claim to be "memory-safe". What does that mean?
  - [C++ Smart Pointers](/notes/binexp/memory-safety/c++-smart-pointers.md): C++'s foray into memory safety
  - [RAII (Resource Acquisition is Initialization)](/notes/binexp/memory-safety/raii-resource-acquisition-is-initialization.md)
  - [Garbage Collection](/notes/binexp/memory-safety/garbage-collection.md)
    - [Tracing Garbage Collection](/notes/binexp/memory-safety/garbage-collection/tracing-garbage-collection.md)
    - [Automatic Reference Counting](/notes/binexp/memory-safety/garbage-collection/automatic-reference-counting.md): Apple's preferred approach to automatic memory management
  - [Rust](/notes/binexp/memory-safety/rust.md): The poster child for memory safety
  - [Python (and C#, Java)](/notes/binexp/memory-safety/python-and-c-java.md)
  - [Swift](/notes/binexp/memory-safety/swift.md): Swift uses purely ARC. How does it fix the problems that arise without a tracing garbage collector?
  - [Sandboxing](/notes/binexp/memory-safety/sandboxing.md)
- [Dynamic Binary Instrumentation](/notes/binexp/dynamic-binary-instrumentation.md): Manipulating programs without the source
