======Prerequisites======

  - Complete prerequisites 1 to 4 of the [[http://wiki.zenk-security.com/doku.php?id=les_pre-requis_retro-ingenierie|"Reverse engineering"]] page
  - Exploit a system() vulnerability [[http://gits.hydraze.org/article-14-la-faille-de-system.html|Link1]]
  - Exploit a race condition [[http://gits.hydraze.org/article-19-la-race-condition.html|Link1]] [[http://www.cgsecurity.org/Articles/SecProg/Art5/index-fr.html|Link2]] [[http://blog.stalkr.net/2010/11/exec-race-condition-exploitations.html|Link3]]
  - Exploit a buffer overflow, and take the opportunity to learn a scripting language to automate the exploitation [[http://hack-and-fun.blogspot.fr/2011/04/buffer-overflow.html|Link1]] [[http://gits.hydraze.org/article-13-les-buffers-overflows.html|Link2]]
  - Exploit a format string [[http://forum.zenk-security.com/thread-1613-post-18304.html|Link1]] [[http://gits.hydraze.org/article-25-format-strings.html|Link2]] [[http://repo.zenk-security.com/Techniques%20d.attaques%20%20.%20%20Failles/Les%20failles%20Format%20String.pdf|Link3]]
  - Exploit a heap overflow via malloc() and an off-by-one [[http://www.phrack.org/issues.html?issue=66&id=10|Link1]] [[http://www.phrack.org/issues.html?issue=57&id=8|Link2]] [[http://www.phrack.org/issues.html?issue=57&id=9|Link3]] [[http://archive.cert.uni-stuttgart.de/vuln-dev/2004/02/msg00025.html|Link4]] [[http://www.phrack.org/issues.html?issue=66&id=6|Link5]] [[http://www.cgsecurity.org/exploit/heaptut.txt|Link6]] [[http://freeworld.thc.org/root/docs/exploit_writing/heap_off_by_one.txt|Link7]] [[https://sploitfun.wordpress.com/2015/03/04/heap-overflow-using-malloc-maleficarum/|Link8]]
  - Learn to exploit a use-after-free [[http://www.garage4hackers.com/entry.php?b=517|Link1]] [[https://sploitfun.wordpress.com/2015/06/16/use-after-free/|Link2]]
  - Learn to bypass a canary [[http://gits.hydraze.org/article-24-buffer-overflows-sous-xp-sp2.html|Link1]]
  - Learn to bypass ASLR [[https://web.archive.org/web/20140207151810/http://users.ece.cmu.edu/~dbrumley/courses/18739c-s11/docs/aslr.pdf|Link1]]
  - Learn to exploit a BOF via ROP (Return Oriented Programming) [[http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf|Link1]] [[http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/|Link2]] [[http://trailofbits.files.wordpress.com/2010/04/practical-rop.pdf|Link3]] [[https://crypto.stanford.edu/~blynn/rop/|Link4]]
  - Write your first local shellcode
  - Write your first shellcode that opens a connection over a network
  - Write your first egghunter [[http://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/|Link1]] [[http://exploit.co.il/hacking/manual-egghuntershellcode-encoding/|Link2]] [[http://www.corelan.be/index.php/2010/08/22/exploit-notes-win32-eggs-to-omelet/|Link3]] [[http://www.offensive-security.com/videos/defcon-presentation-2008-video/defcon-presentation-2008_controller.swf|Link4]]

======Recommended reading======

  - [[https://repo.zenk-security.com/Techniques%20d.attaques%20%20.%20%20Failles/Etude%20de%20techniques%20d%20exploitation%20de%20vulnerabilites%20des%20executables%20sous%20GNU.Linux%20IA-32%20et%20de%20methodes%20de%20protection%20associees.pdf|X_Cli's thesis]] (Very well written and accessible to beginners)
  - [[http://www.mgraziano.info/docs/stsi2010.pdf|Smashing the stack in 2010]] (In English, but fairly complete)
  - [[http://www.amazon.fr/Techniques-hacking-1C%C3%A9d%C3%A9rom-Jon-Erickson/dp/2744022640|Techniques de hacking]] [Book]
  - [[http://www.amazon.fr/Shellcoders-Handbook-Discovering-Exploiting-Security/dp/047008023X|The Shellcoder's Handbook: Discovering and Exploiting Security Holes, 2nd edition]] [Book]
  - [[http://www.amazon.fr/Rootkits-Subverting-Windows-Greg-Hoglund/dp/0321294319|Rootkits: Subverting the Windows Kernel]] [Book]
  - [[http://www.amazon.fr/Rootkit-Arsenal-Escape-Evasion-Corners/dp/1598220616/ref=sr_1_1?ie=UTF8&qid=1329576275&sr=8-1|The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System]] [Book] /!\ 2nd edition in progress
  - [[http://www.amazon.fr/Fuzzing-Brute-Force-Vulnerability-Discovery/dp/0321446119/ref=sr_1_1?s=english-books&ie=UTF8&qid=1329576365&sr=1-1|Fuzzing: Brute Force Vulnerability Discovery]] [Book]
  - [[http://www.amazon.fr/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=tmm_gpb_title_0?ie=UTF8&qid=1329576432&sr=1-2-spell|The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities]] [Book]
  - [[http://www.amazon.fr/Bug-Hunters-Diary-Software-Security/dp/1593273851/ref=sr_1_1?s=english-books&ie=UTF8&qid=1329576515&sr=1-1|A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security]] [Book]

======Exercises======

  - Do Zenk Security's "Failles applicatives" challenges without ASLR, which are excellent exercises! (Prerequisites: 1 to 5) [[http://www.zenk-security.com/display_epreuve.php?id=14|Link1]]
  - Do Zenk Security's "Failles applicatives" challenges with ASLR (Prerequisites: 1 to 9, and probably other points not yet listed here) [[http://www.zenk-security.com/display_epreuve.php?id=8|Link1]]
  - Do the SmashTheStack challenges [[http://gits.hydraze.org/|Link1]]
  - Do the Corest challenges [[http://community.corest.com/~gera/InsecureProgramming/|Link1]]
  - Learning Exploitation with FSExploitMe [[http://blog.opensecurityresearch.com/2014/08/learning-exploitation-with-fsexploitme.html|Link1]]

======Websites======

  - [[https://trailofbits.github.io/|trailofbits.github.io]]

======Tools======

  - The same as those on the [[http://wiki.zenk-security.com/doku.php?id=les_pre-requis_retro-ingenierie|"Reverse engineering"]] page