Bird's Blog
# Binary Wiki
> Since 7 November 2017

## CTF
- [Linux heap exploitation intro series – (BONUS) printf might be leaking!](https://sensepost.com/blog/2018/linux-heap-exploitation-intro-series-bonus-printf-might-be-leaking/) 2018-01-19
- [exploit_me - examples of vulnerable ARM applications](https://github.com/bkerler/exploit_me) 2018-01-03
- [HITCON 2017 writeups for some of the pwn challenges](https://github.com/scwuaptx/CTF/tree/master/2017-writeup/hitcon) 2017-11-11
- [HITCON 2017 ghost in the heap writeup](https://tradahacking.vn/hitcon-2017-ghost-in-the-heap-writeup-ee6384cd0b7) 2017-11-10
- [The secrets inside binaries: the FILE structure](https://www.slideshare.net/AngelBoy1/play-with-file-structure-yet-another-binary-exploit-technique) 2017-11-07

## Browser
- [How browsers work: an analysis of browser internals](https://www.html5rocks.com/zh/tutorials/internals/howbrowserswork/) 2018-06-12
- [jsvu - a JavaScript engine version updater open-sourced by Google Chrome Labs; with jsvu you no longer have to build each engine from source yourself. Supports Chakra, JavaScriptCore, SpiderMonkey and V8](https://github.com/GoogleChromeLabs/jsvu) 2017-12-07
- [A first look at reversing the mitigation techniques in the IE browser](https://www.anquanke.com/post/id/87816) 2017-12-01
- [How the V8 JavaScript engine parses JS code, compiles it with the Ignition and TurboFan compilers, generates binary code and performs JIT optimization](https://speakerdeck.com/brn/source-to-binary-journey-of-v8-javascript-engine-english-version) 2017-11-30
- ["From Out of Memory to Remote Code Execution", a talk by Yuki Chen (古河) at PacSec 2017. It covers finding and exploiting out-of-memory (OOM) bugs in browsers (mainly the Edge ChakraCore engine), including how a controllable, continuable OOM condition can be used to reach new branch paths that trigger vulnerabilities, and how such OOM bugs can be turned into RCE. It closes with a technique for heap spraying the 64-bit address space using Fast Array Buffers](https://speakerdeck.com/yukichen/from-out-of-memory-to-remote-code-execution) 2017-11-07

## Exploit
- [Writing ARM bindshell shellcode from scratch](https://azeria-labs.com/downloads/HITB-v1.0.pdf) 2018-04-13
- [Shellcode writing and exploit development on ARM](https://github.com/invictus1306/Workshop-BSidesMunich2018/blob/master/workshop_slides.pdf) 2018-04-09
- [CVE-2018-4878 exploit generator](http://py4.me/blog/?p=572) 2018-02-25
- [Jailbreaking the Nintendo Switch console with CVE-2016-4657](https://github.com/iDaN5x/Switcheroo) 2018-01-31
- [Introduction to IoT ARM exploit development](https://www.exploit-db.com/docs/english/43906-arm-exploitation-for-iot.pdf) 2018-01-30
- [1-day browser and kernel exploitation](http://powerofcommunity.net/poc2017/andrew.pdf) 2018-01-27
- [Windows kernel exploitation: a walk through CVE-2018-5189](https://www.fidusinfosec.com/jungo-windriver-code-execution-cve-2018-5189/) 2018-01-11
- [Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04 and 16.04) local privilege escalation exploit](https://cxsecurity.com/issue/WLB-2018010018) 2018-01-08
- [PS4 firmware kernel exploit crashdump](https://fail0verflow.com/blog/2017/ps4-crashdump-dump/) 2017-12-28
- [PS4 firmware kernel exploit](https://github.com/Cryptogenic/PS4-4.05-Kernel-Exploit) 2017-12-28
- [Learning browser exploitation via 33C3 CTF](https://bruce30262.github.io/2017/12/15/Learning-browser-exploitation-via-33C3-CTF-feuerfuchs-challenge/) 2017-12-20
- [With GDI no longer available, using the PTE space of the x64 kernel paging mechanism to gain stable control of virtual addresses and go on to exploit the NVIDIA DxgDdiEscape handler vulnerability, from CoreSecurity](https://www.coresecurity.com/blog/making-something-out-zeros-alternative-primitive-windows-kernel-exploitation) 2017-12-15
- [Heap layout optimisation techniques for exploitation in practice, from BlackHat Europe 2017](https://seanhn.files.wordpress.com/2017/12/eu-17-heelan-heap-layout-optimisation-for-exploitation1.pdf) 2017-12-08
- [Exploiting a vulnerability in the Windows kernel NtQuerySystemInformation Warbird class for kernel privilege escalation. The bug was found by mjurczyk of Project Zero; this blog post is by Adam (XPN) of the Secarma team](https://blog.xpnsec.com/windows-warbird-privesc/) 2017-11-28
- [How to test stack overflows in the Azeria Labs ARM reversing VM lab environment](https://azeria-labs.com/part-3-stack-overflow-challenges/) 2017-11-28
- [Major update to the Python kernel exploit library from the BlackHat talk on Windows local kernel vulnerabilities](https://theevilbit.blogspot.hk/2017/11/kex-python-kernel-exploit-library-major.html) 2017-11-26
- [A Link to System Privilege](http://keenlab.tencent.com/zh/2016/11/18/A-Link-to-System-Privilege/) 2017-11-24
- ["Make LoadLibrary Great Again", a talk by Zhang Yunhai of NSFOCUS at POC 2017. It describes how to bypass the various mitigations and make LoadLibrary exploitable again on Windows 10](https://github.com/f0rgetting/Presentations/blob/master/POC%202017%20-%20Make%20LoadLibrary%20Great%20Again.pdf) 2017-11-14
- [Vulnerability hunting and exploitation of the VMware RPC interface, a talk by ZDI researchers at RuxCON](https://ruxcon.org.au/assets/2017/slides/ForTheGreaterGood.pdf) 2017-11-14
- [KernelBleed - a talk by j00ru at the PWNing conference in Warsaw on Windows/Linux kernel vulnerabilities and exploitation (not in Chinese)](http://j00ru.vexillium.org/slides/2017/pwning.pdf) 2017-11-10

## Android
- [CVE-2017-8890 vulnerability analysis and exploitation (rooting Android 7.x)](http://www.freebuf.com/articles/terminal/160041.html) 2018-01-16
- [Vulnerability hunting in the Android ALSA SoC sound card driver, from the PoC conference in Korea](http://powerofcommunity.net/poc2017/yu.pdf) 2018-01-12
- [Researcher jiayy has published PoCs for multiple Android vulnerabilities](https://github.com/jiayy/android_vuln_poc-exp) 2017-12-21
- [An in-depth analysis of Android's SafetyNet Attestation protection mechanism](https://www.blackhat.com/docs/eu-17/materials/eu-17-Mulliner-Inside-Androids-SafetyNet-Attestation-wp.pdf) 2017-12-08
- [The ParseDroid vulnerabilities: targeting Android developers and security analysts](https://www.anquanke.com/post/id/89557) 2017-12-07
- [Analysis of an XXE vulnerability caused by Apktool parsing XML incorrectly](https://www.anquanke.com/post/id/89316) 2017-12-07
- [Exploiting unconventional UAF bugs in the Android kernel, a talk by Keen Lab's Di Shen (Retme) at PacSec 2017](https://speakerdeck.com/retme7/the-art-of-exploiting-unconventional-use-after-free-bugs-in-android-kernel) 2017-11-13
- [Exploring six kernel vulnerabilities affecting Android](https://pleasestopnamingvulnerabilities.com/) 2017-11-07

## iOS
- [Osiris-Jailbreak, a jailbreak project for iOS 11.2 -> iOS 11.3.1, has been released (in development)](https://github.com/GeoSn0w/Osiris-Jailbreak) 2018-06-16
- [iOS 11.0 - 11.3.1 jailbreak code released](https://github.com/HackerFantastic/Public/blob/master/tools/multi_path.tgz) 2018-06-12
- [iOS 11.1.2 (15B202) jailbreak exploit code](https://github.com/Coalfire-Research/iOS-11.1.2-15B202-Jailbreak) 2018-02-02
- [memctl - a live kernel instrumentation and memory read/write tool for iOS developed by researcher bazad, which makes analyzing kernel vulnerabilities and writing exploits easier](https://github.com/bazad/memctl) 2018-01-22
- [iOS kernel exploitation archaeology (mainly covers the technical details of the evasi0n7 jailbreak's kernel exploit)](https://media.ccc.de/v/34c3-8720-ios_kernel_exploitation_archaeology) 2018-01-12
- [iOS kernel debugging tutorial](http://www.instructables.com/id/IOS-Kernel-Debugging/) 2018-01-02
- [A researcher has published an iOS 11 jailbreak website supporting all 64-bit devices on iOS 11.0 - 11.1.2](http://epimetheus.ijapija00.com/) 2017-12-21
- [How to find kernel debug symbols (Kernel Symbols) for a specific iOS version](https://medium.com/cji_/hunting-for-ios-kernel-symbols-e48a446bb00) 2017-12-14
- [Full exploit code analysis of the IOSurfaceRootUserClient port UAF vulnerability](https://siguza.github.io/v0rtex/) 2017-12-08
- [IOSurfaceRootUserClient Port UAF](http://blog.pangu.io/iosurfacerootuserclient-port-uaf/) 2017-12-08
- [Following Pangu's analysis of the IOSurfaceRootUserClient port UAF vulnerability fixed in iOS 11.2, a researcher has published complete exploit code](https://github.com/Siguza/v0rtex/blob/master/v0rtex.m) 2017-12-07
- [Reverse Engineering the iOS Backup](https://www.richinfante.com/2017/3/16/reverse-engineering-the-ios-backup) 2017-11-29

## Windows
- [Analysis of the latest Windows privilege escalation vulnerability, CVE-2018-8120](http://www.freebuf.com/vuls/174183.html) 2018-06-16
- [Analysis of a Windows kernel pool overflow vulnerability and how to exploit it by overwriting the TypeIndex after a heap spray](https://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html) 2017-12-14
- [KernelExplorer - a toolset for analyzing the Windows kernel open-sourced by researcher Pavel Yosifovich, including MemMapView, ProcList, JobView and other sub-tools](https://github.com/zodiacon/KernelExplorer) 2017-12-04
- [Memory corruption vulnerabilities in the Office Protected View sandbox](https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-corrupting-memory-in-ms-office-protected-view-v2.pdf) 2017-11-24
- [CVE-2017-11882 (MS Word) PoC](https://github.com/embedi/CVE-2017-11882) 2017-11-21
- [Manual backdooring from the perspective of the PE file structure](http://www.abatchy.com/2017/05/introduction-to-manual-backdooring_24.html) 2017-11-14
- [Understanding the ALPC/RPC mechanism behind UAC, from PacSec 2017](https://hakril.net/slides/A_view_into_ALPC_RPC_pacsec_2017.pdf) 2017-11-10
- [The Windows 64-bit SEH (Structured Exception Handling) implementation as seen from assembly code](https://www.codeproject.com/Articles/1212332/bit-Structured-Exception-Handling-SEH-in-ASM) 2017-11-07
- [How to reverse engineer undocumented Windows internal data structures](https://sww-it.ru/2017-11-06/1493) 2017-11-07

## Linux
- ["Professional Linux Kernel Architecture" PDF](https://cse.yeditepe.edu.tr/~kserdaroglu/spring2014/cse331/termproject/BOOKS/ProfessionalLinuxKernelArchitecture-WolfgangMauerer.pdf) 2018-04-13
- [Linux kernel defence map](https://github.com/a13xp0p0v/linux-kernel-defence-map) 2018-04-07
- [Loading "fileless" shared objects](https://x-c3ll.github.io/posts/fileless-memfd_create/) 2018-02-14
- [KASLR is Dead: Long Live KASLR, an introduction to research targeting KASLR (paper)](https://gruss.cc/files/kaiser.pdf) 2018-01-08
- [Analysis of the newly introduced Page Table Isolation protection mechanism in the Linux kernel](http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table) 2018-01-02
- [Escaping a Docker container using the arbitrary address write vulnerability in the Linux kernel waitid() system call (CVE-2017-5123)](https://www.twistlock.com/2017/12/27/escaping-docker-container-using-waitid-cve-2017-5123/) 2018-01-02
- [Understanding and analyzing ELF executables on Linux](https://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/) 2017-12-26
- [Linux privilege escalation via dynamically linked shared object libraries](https://www.contextis.com/blog/linux-privilege-escalation-via-dynamically-linked-shared-object-library) 2017-12-07
- [An example of writing a simple Linux kernel module](https://blog.sourcerer.io/writing-a-simple-linux-kernel-module-d9dc3762c234) 2017-12-04
- [How to build a portable Linux binary](http://blog.gibson.sh/2017/11/26/creating-portable-linux-binaries/) 2017-11-28
- [Linux explained in comics](https://jvns.ca/linux-comics-zine.pdf) 2017-11-26
- [x64 egg hunting on Linux](https://pentesterslife.blog/2017/11/24/x64-egg-hunting-in-linux-systems/) 2017-11-24
- [CVE-2017-16544: Busybox autocompletion vulnerability](https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/) 2017-11-21
- [A brief discussion of exploiting CVE-2017-5123](https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/) 2017-11-08
- [Exploiting CVE-2017-5123 with full protections. SMEP, SMAP, and the Chrome Sandbox](https://salls.github.io/Linux-Kernel-CVE-2017-5123/) 2017-11-07

## macOS
- [ProcInfo - an open-source library for monitoring processes on macOS](https://github.com/objective-see/ProcInfo) 2018-01-23
- [IOHIDeous - a kernel arbitrary address read/write vulnerability in IOHIDFamily that only affects macOS](https://siguza.github.io/IOHIDeous/) 2018-01-02
- [Freely available book: Mac OS X and iOS Internals: To the Apple's Core](http://newosxbook.com/MOXiI.pdf) 2017-12-21
- [Writing a simple Mac kernel anti-anti-debugging extension by hand](http://www.alonemonkey.com/2017/11/20/get-start-antidebug-kext/) 2017-11-22

## Reverse
- [Using ptrace for anti-debugging and hiding the call to ptrace](https://github.com/yellowbyte/analysis-of-anti-analysis/blob/master/research/hiding_call_to_ptrace/hiding_call_to_ptrace.md) 2018-06-16
- [Using Angr to pose as a C&C server in order to study a malware's communication protocol](https://www.securityartwork.es/2018/04/09/reversing-of-malware-network-protocols-with-angr/) 2018-04-10
- [Anatomy of the Wii U](http://hexkyz.blogspot.hk/2018/01/anatomy-of-wii-u-end.html) 2018-01-15
- [Nintendo Switch Binary loader for IDA Pro 7.0](https://github.com/pgarba/SwitchIDAProLoader) 2018-01-08
- [How to implement packing and data obfuscation for PE executables](https://0x00sec.org/t/packers-executable-compression-and-data-obfuscation/847) 2017-12-11
- [A primer to reverse engineering Intel FSP](https://puri.sm/posts/primer-to-reverse-engineering-intel-fsp/) 2017-12-04
- [Duo Labs has open-sourced two IDAPython scripts to assist with ARM Cortex-M firmware reversing and ARM Thumb instruction searching](https://github.com/duo-labs/idapython) 2017-12-01
- ["Using Existing Malware to Save You Time": to cut down the effort of reversing the decryption and decompression algorithms in malicious code, this Palo Alto blog post proposes extracting the decryption logic from the malware and compiling it on its own, which saves time and makes batch decryption convenient](https://researchcenter.paloaltonetworks.com/2017/11/unit42-using-existing-malware-save-time/) 2017-11-23
- [The Art of Assembly Language](https://www.ic.unicamp.br/~pannain/mc404/aulas/pdfs/Art%20Of%20Intel%20x86%20Assembly.pdf) 2017-11-23
- [Reversing Lua programs: the LuaJIT file format](http://bobao.360.cn/learning/detail/4731.html) 2017-11-22
- [Digging into radare2 for fun and profit](http://radare.org/get/r2avtokyo-en.pdf) 2017-11-14
- [A virtual machine shared by Azeria Labs for learning ARM binary reversing and exploitation](https://azeria-labs.com/arm-lab-vm/) 2017-11-13
- [x86 Systemland Assembly Cheat](https://github.com/cirosantilli/x86-bare-metal-examples) 2017-11-13
- [x86 Userland Assembly Cheat](https://github.com/cirosantilli/x86-assembly-cheat) 2017-11-13
- [Reverse engineering an MMORPG (Unity)](https://www.slideshare.net/AntoninBeaujeant/reverse-engineering-a-mmorpg) 2017-11-10
- [ARM assembly basics](https://azeria-labs.com/assembly-basics-cheatsheet/) 2017-11-10
- [Nintendo Switch reverse engineering](https://github.com/dekuNukem/Nintendo_Switch_Reverse_Engineering) 2017-11-07

## IoT
- [DVAR - a lab environment for practicing ARM router exploitation](http://blog.exploitlab.net/2018/01/dvar-damn-vulnerable-arm-router.html) 2018-01-15
- [Reversing and exploiting embedded devices: the software stack, part 1](https://p16.praetorian.com/blog/reversing-and-exploiting-embedded-devices-part-1-the-software-stack) 2018-01-15
- [CVE-2018-5318: D-Link soap.cgi stack buffer overflow](https://paper.seebug.org/504/) 2018-01-11
- [How to jailbreak the Apple Watch, from BlackHat EU 2017](https://speakerdeck.com/mbazaliy/jailbreaking-apple-watch-1) 2017-12-08
- [IoT hardware security analysis basics: firmware extraction](https://paper.seebug.org/468/) 2017-12-04
- [IoT hardware security analysis basics: a first look at hardware analysis](https://paper.seebug.org/460/) 2017-12-04
- [Raspberry Pi self-study tutorial: from A to Z](https://github.com/wtsxDev/Raspberry-Pi) 2017-12-02
- [How I reversed the Huawei E5573 LTE dongle](https://advancedpersistentjest.com/2017/12/01/notes-reversing-the-e5573/) 2017-12-02
- [RFCrack: a software-defined radio signal attack tool](http://console-cowboys.blogspot.hk/2017/11/rfcrack-release-software-defined-radio.html) 2017-11-28
- [A sharp tool for embedded security: JTAG debugging in practice](https://mp.weixin.qq.com/s/3EuDxDoGfsCbfaHCcZX21A) 2017-11-27
- [Research on the TP-LINK WR941N router](https://paper.seebug.org/448/) 2017-11-13
- [ARM exploitation for IoT - debugging ARM exploits with GEF, an enhanced GDB debugging tool](https://quequero.org/2017/11/arm-exploitation-iot-episode-3/) 2017-11-08

## Fuzzing
- [Fuzzing arbitrary functions in ELF binaries](https://blahcat.github.io/2018/03/11/fuzzing-arbitrary-functions-in-elf-binaries/) 2018-03-13
- [Analysis of the AFL fuzzer's compile-time instrumentation process](https://tunnelshade.in/blog/2018/01/afl-internals-compile-time-instrumentation/) 2018-02-02
- [KDRIVER FUZZER, a driver vulnerability discovery tool built on the IOCTLBF framework](https://whereisk0shl.top/post/2018-01-30) 2018-02-02
- [Mutiny Fuzzing Framework - the Talos team has open-sourced a framework for fuzzing network applications; combined with the Decept proxy it enables efficient fuzzing](http://blog.talosintelligence.com/2017/12/mutiny-decept.html) 2017-12-08
- [Fuzzing Android Linux kernel drivers with built-in automatic interface awareness, from BlackHat Europe 2017](https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers.pdf) 2017-12-07
- [difuze - a Linux kernel driver fuzzing tool](https://github.com/ucsb-seclab/difuze) 2017-12-04
- [The art of fuzzing and application examples](https://sec-consult.com/en/blog/2017/11/the-art-of-fuzzing-slides-and-demos/index.html) 2017-11-22
- [afl-unicorn - integrating Unicorn's emulation capabilities into AFL to fuzz binary code without source](https://medium.com/njvoss299/afl-unicorn-fuzzing-arbitrary-binary-code-563ca28936bf) 2017-11-09

## Mobile
- [MobSF, an open-source mobile security testing framework](https://github.com/MobSF/Mobile-Security-Framework-MobSF) 2017-11-28

## Others
- [Linux containers in 500 lines of code](https://blog.lizzie.io/linux-containers-in-500-loc.html) 2018-06-12
- [Implementing a virtual machine in C](https://felixangell.com/blog/virtual-machine-in-c) 2018-06-12
- [HITB2018AMS Day 1 conference materials](https://conference.hitb.org/files/hitbsecconf2018ams/materials/) 2018-04-13
- [Vulnerability Modeling with Binary Ninja](https://blog.trailofbits.com/2018/04/04/vulnerability-modeling-with-binary-ninja/) 2018-04-08
- [The FUZE Card's Bluetooth transfer protocol has vulnerabilities that allow sensitive credit card data to be stolen and even tampered with](https://blog.ice9.us/2018/04/stealing-credit-cards-from-fuze-bluetooth.html) 2018-04-08
- [How to implement an exploit for the Spectre vulnerability in code](https://blog.fortinet.com/2018/01/17/into-the-implementation-of-spectre) 2018-01-20
- [Reading arbitrary virtual memory using the CPU data cache side-channel vulnerability](https://googleprojectzero.blogspot.jp/2018/01/reading-privileged-memory-with-side.html) 2018-01-04
- [Recent exploit trends and mitigation and detection tactics, from Matt Oh at ZeroNights 2017](https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Matt_Recent%20Exploit%20Trend%20and%20Mitigation,%20Detection%20Tactics-Current.pdf) 2018-01-01
- [Common reverse shell methods used during network penetration testing](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/) 2017-12-21
- [Write your own game engine (C++)](http://preshing.com/20171218/how-to-write-your-own-cpp-game-engine/) 2017-12-20
- [A retrospective case study report on VMware guest-to-host virtual machine escape vulnerabilities](https://www.blackhat.com/docs/eu-17/materials/eu-17-Mandal-The-Great-Escapes-Of-Vmware-A-Retrospective-Case-Study-Of-Vmware-G2H-Escape-Vulnerabilities.pdf) 2017-12-11
- [Cheat sheets for the common protocols and tools used in network protocol analysis](http://packetlife.net/library/cheat-sheets/) 2017-12-11
- [Virtual memory: stack, registers and assembly code](https://blog.holbertonschool.com/hack-virtual-memory-stack-registers-assembly-code/) 2017-12-07
- [How I wrote a C compiler step by step (Part 1)](https://norasandler.com/2017/11/29/Write-a-Compiler.html) 2017-12-02
- [A Ghost from PostScript, a talk by redrain and 蒸米 at RUXCON 2017](https://ruxcon.org.au/assets/2017/slides/hong-ps-and-gs-ruxcon2017.pdf) 2017-11-27
- [How to write a basic native x86-64 JIT compiler for Python](https://csl.name/post/python-jit/) 2017-11-10
- [Understanding virtual memory in depth: detecting out-of-bounds memory writes, fragmentation-free memory allocation and more](http://ourmachinery.com/post/virtual-memory-tricks/) 2017-11-08