# Awesome Cybersecurity List

My personal collection of awesome blog posts, write-ups, and papers focusing on cybersecurity.

For a deeper dive into cybersecurity-related tools, check out the dedicated **[Cybersecurity Tools](topics/tools_and_repos.md)** list.

## Outline

- [2025](#2025)
- [2024](#2024)
- [2023](#2023)
- [2022](#2022)
- [2021](#2021)
- [2020](#2020)
- [2019](#2019)
- [2018](#2018)
- [2017](#2017)
- [2016](#2016)
- [2014](#2014)
- [2011](#2011)
- [Misc](#misc)
- [Other Lists](#other-lists)

## 2025

- ["A First Glimpse of the Starlink User Terminal"][1084]
- ["A Fuzzy Escape - A tale of vulnerability research on hypervisors"][1151]
- ["A modern tale of blinkenlights"][1200]
- ["A Quick Dive Into The Linux Kernel Page Allocator"][1098]
- ["A Series of io_uring pbuf Vulnerabilities"][1083]
- ["A Tour of eBPF in the Linux Kernel: Observability, Security and Networking"][1181]
- ["Accidentally Uncovering a Seven Years Old Vulnerability in the Linux Kernel"][1021]
- ["All You Need Is MCP - LLMs Solving a DEF CON CTF Finals Challenge"][1142]
- ["Analysing a 1-day Vulnerability in the Linux Kernel's TLS Subsystem"][1174]
- ["Analyzing iOS Kernel Panic Logs"][1037]
- ["Android: Scudo"][1070]
- ["APPROTECT Bypass on NRF52832"][1139]
- ["APT28 Operation Phantom Net Voxel"][1171]
- ["Attacking GenAI applications and LLMs – Sometimes all it takes is to ask nicely!"][1132]
- ["Attention, High Voltage: Exploring the Attack Surface of the Rockwell Automation PowerMonitor 1000"][1106]
- ["Being Overlord on the Steam Deck with 1 Byte"][1044]
- "BPFDoor":
  - ["Part 1 - The Past"][1101]
  - ["Part 2 - The Present"][1102]
- ["Beating xloader at Speed: Generative AI as a Force Multiplier for Reverse Engineering"][1189]
- ["Best practices for key derivation"][1023]
- ["Binder Fuzzing"][1146]
- ["Blasting Past iOS 18"][1038]
- ["Booting into Breaches Hunting Windows SecureBoot's Remote Attack Surfaces"][1138]
- ["Bootloader to Iris: A Security Teardown of a Hardware Wallet"][1199]
- ["Breaking Disassembly — Abusing symbol resolution in Linux programs to obfuscate library calls"][1125]
- ["Breaking Into a Brother (MFC-J1010DW): Three Security Flaws in a Seemingly Innocent Printer"][1196]
- ["Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages"][1039]
- ["Broken Trust: Fixed Supermicro BMC Bug Gains a New Life in Two New Vulnerabilities"][1179]
- ["Buried in the Log. Exploiting a 20 years old NTFS Vulnerability"][1124]
- ["Bypassing disk encryption on systems with automatic TPM2 unlock"][1018]
- ["Bypassing MTE with CVE-2025-0072"][1105]
- ["Case Study: Analyzing macOS IONVMeFamily Driver Denial of Service Issue"][1040]
- ["Case Study: IOMobileFramebuffer NULL Pointer Dereference"][1041]
- ["Challenges and Pitfalls while Emulating Six Current Icelandic Household Routers"][1107]
- ["CimFS: Crashing in memory, Finding SYSTEM (Kernel Edition)"][1061]
- ["Control Flow Hijacking in the Linux Kernel"][1114]
- ["Control Flow Hijacking via Data Pointers"][1085]
- ["corCTF 2025 - corphone"][1168]
- ["Cross Cache Attack CheatSheet"][1006]
- ["CVE-2023-52927 - Turning a Forgotten Syzkaller Report into kCTF Exploit"][1118]
- ["CVE-2024-30088 Pwning Windows Kernel @ Pwn2Own Vancouver 2024 (Plus Xbox)"][1149]
- ["CVE-2024-53141: an OOB Write Vulnerability in Netfilter Ipset"][1065]
- ["CVE-2025-23016 - EXPLOITING THE FASTCGI LIBRARY"][1086]
- ["CVE-2025-37752 Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds"][1076]
- ["CVE-2025-38001 Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: An RBTree Family Drama"][1163]
- ["CVE-2025-6554: The (rabbit) Hole"][1188]
- ["Debugging the Pixel 8 kernel via KGDB"][1123]
- ["Defeating String Obfuscation in Obfuscated NodeJS Malware using AST"][1068]
- ["Denial of Ruzzing: Rust in the Windows Kernel"][1185]
- ["Dirty Pageflags: Revisiting PTE Exploitation in Linux"][1166]
- ["Disassembling a binary: linear sweep and recursive traversal"][1019]
- ["Dissecting the macOS 'AppleProcessHub' Stealer: Technical Analysis of a Multi-Stage Attack"][1047]
- ["Don’t Phish-let Me Down: FIDO Authentication Downgrade"][1155]
- ["EL3vated Privileges: Glitching Google WiFi Pro from Root to EL3"][1121]
- ["Emulating an iPhone in QEMU"][1051]
- ["Endless Exploits: The Saga of a macOS Vulnerability Struck Nine Times"][1052]
- ["Exploitation of AIxCC Nginx bugs: Part I"][1035]
- ["Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)"][1014]
- ["Exploiting CVE-2024-0582 via the Dirty Pagetable Method"][1081]
- ["Exploiting CVE-2025-21479 on a Samsung S23"][1184]
- ["Exploiting Retbleed in the real world"][1141]
- ["Exploiting the Synology TC500 at Pwn2Own Ireland 2024"][1122]
- ["Exploiting Zero-Day (CVE-2025–9961) Vulnerability in the TP-Link AX10 Router"][1164]
- ["Exploiting Heroes of Might and Magic V"][1119]
- ["Exploring GrapheneOS Secure Allocator: Hardened Malloc"][1167]
- ["Exploring Heap Exploitation Mechanisms: Understanding the House of Force Technique"][1029]
- ["Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days"][1172]
- ["Extraction of Synology Encrypted Archives - Pwn2Own Ireland 2024"][1152]
- ["False Injections: Tales of Physics, Misconceptions and Weird Machines"][1120]
- ["Fast & Faulty - A Use After Free in KGSL Fault Handling"][1182]
- ["FiberGateway GR241AG - Full Exploit Chain"][1097]
- ["First analysis of Apple's USB Restricted Mode bypass (CVE-2025-24200)"][1058]
- ["FLOP: Breaking the Apple M3 CPU via False Load Output Predictions"][1059]
- ["Fundamental of Virtual Memory"][1162]
- ["From Chrome renderer code exec to kernel with MSG_OOB"][1153]
- ["Game Hacking - Valve Anti-Cheat (VAC)"][1074]
- ["Gone in 5 Seconds: How WARN_ON Stole 10 Minutes"][1103]
- ["Google CTF 2025 Quals Writeup"][1131]
- ["Hack The Emulated Planet: Vulnerability Hunting on Planet WGS-804HPT Industrial Switches"][1031]
- "Hacking the XBox 360 Hypervisor":
  - [Part 1][1109]
  - [Part 2][1110]
- ["Hacking Sonoff Smart Home IoT Device - Extract, Modify, Boot, Intercept, Clone!"][1129]
- ["Hacking the Nokia Beacon 1 Router: UART, Command Injection, and Password Generation with Qiling"][1198]
- ["HITCON CTF 2025 -- calc"][1145]
- ["How I ruined my vacation by reverse engineering WSC"][1077]
- ["How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation"][1090]
- ["How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)"][1115]
- "Hydroph0bia (CVE-2025-4275)":
  - ["a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O"][1143]
  - ["a bit more than just a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O"][1144]
  - ["a fixed SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O"][1108]
- ["Hypervisors for Memory Introspection and Reverse Engineering"][1099]
- ["Kernel Exploitation Techniques: Turning The (Page) Tables"][1100]
- ["Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel"][1180]
- ["Inside Riot Vanguard's Dispatch Table Hooks"][1073]
- ["Intercepting HTTPS Communication in Flutter: Going Full Hardcore Mode with Frida"][1079]
- "iOS 17: New Version, New Acronyms":
  - [Part 1][1042]
  - [Part 2][1043]
- ["kASLR Internals and Evolution"][1095]
- ["Kernel-Hack-Drill: Environment For Developing Linux Kernel Exploits"][1082]
- ["KernelSnitch: Side-Channel Attacks on Kernel Data Structures"][1005]
- ksmbd (doyensec):
  - ["ksmbd vulnerability research"][1033]
  - ["Fuzzing Improvements and Vulnerability Discovery"][1175]
  - ["Exploiting CVE-2025-37947"][1176]
- ["Laser Fault Injection on a Budget: RP2350 Edition"][1017]
- ["Last barrier destroyed, or compromise of Fuse Encryption Key for Intel Security Fuses"][1072]
- ["Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5"][1137]
- ["Lifting Binaries, Part 0: Devirtualizing VMProtect and Themida: It's Just Flattening?"][1147]
- ["Linux Kernel Exploitation For Beginners"][1113]
- ["Linux Kernel Hfsplus Slab-out-of-bounds Write"][1066]
- ["Linux kernel Rust module for rootkit detection"][1026]
- ["Llama's Paradox - Delving deep into Llama.cpp and exploiting Llama.cpp's Heap Maze, from Heap-Overflow to Remote-Code Execution"][1011]
- ["LunoBotnet: A Self-Healing Linux Botnet with Modular DDoS and Cryptojacking Capabilities"][1177]
- ["Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793)"][1050]
- ["MCTF 2025 - Write-up Sec Mem - Pwn"][1080]
- ["Mindshare: Using Binary Ninja API to Detect Potential Use-after-free Vulnerabilities"][1069]
- ["Modern (Kernel) Low Fragmentation Heap Exploitation"][1127]
- ["My Emulation Goes to the Moon... Until False Flag"][1094]
- ["NASA cFS version Aquila Software Vulnerability Assessment"][1056]
- ["nRF51 RBPCONF bypass for firmware dumping"][1154]
- ["One‑Click Memory Corruption in Alibaba’s UC Browser: Exploiting patch-gap V8 vulnerabilities to steal your data"][1193]
- ["Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers"][1186]
- ["Out-of-bound read in ANGLE CopyNativeVertexData from Compromised Renderer"][1148]
- ["Overview of Map Exploitation in v8"][1075]
- ["Patch-Gapping the Google Container-Optimized OS for $0"][1032]
- ["PatchGuard Internals"][1092]
- ["Phoenix: Rowhammer Attacks on DDR5 with Self-Correcting Synchronization"][1170]
- ["Print Scan Hacks: Identifying multiple vulnerabilities across multiple Brother devices"][1136]
- ["Project Rain: L1TF"][1178]
- ["Pwn2Own 2025: Pwning Lexmark’s Postscript Processor"][1194]
- ["Pwn2Own Ireland 2024: Canon imageCLASS MF656Cdw"][1104]
- ["Pwn2Own Ireland 2024 – Ubiquiti AI Bullet"][1117]
- ["pyghidra-mcp: Headless Ghidra MCP Server for Project-Wide, Multi-Binary Analysis"][1134]
- ["Python Dirty Arbitrary File Write to RCE via Writing Shared Object Files Or Overwriting Bytecode Files"][1087]
- ["Qualcomm DSP Kernel Internals"][1135]
- ["Race Against Time in the Kernel’s Clockwork"][1160]
- ["Recovering Metadata from .NET Native AOT Binaries"][1089]
- ["Reliable system call interception"][1010]
- ["Replacing a Space Heater Firmware Over WiFi"][1020]
- ["Reverse Engineering Hanwha Security Camera Firmware File Decryption with IDA Pro"][1093]
- ["Reversing, Discovering, And Exploiting A TP-Link Router Vulnerability — CVE-2024–54887"][1013]
- ["Reversing Samsung's H-Arx Hypervisor Framework - Part 1"][1036]
- ["Reversing the QardioArm"][1048]
- ["Reviving the modprobe_path Technique: Overcoming search_binary_handler() Patch"][1071]
- ["Root Shell on Credit Card Terminal"][1112]
- ["Rooting the TP-Link Tapo C200 Rev.5"][1130]
- ["ROPing our way to RCE"][1028]
- ["RV130X Firmware Analysis"][1025]
- ["Security through Transparency: Tales from the RP2350 Hacking Challenge"][1187]
- ["SLAP: Data Speculation Attacks via Load Address Prediction on Apple Silicon"][1060]
- ["smoltalk: RCE in Open Source Agents"][1045]
- ["Solo: A Pixel 6 Pro Story (When one bug is all you need)"][1128]
- ["SoK: Security of EMV Contactless Payment Systems"][1088]
- ["Sound and Efficient Generation of Data-Oriented Exploits via Programming Language Synthesis"][1034]
- ["Stack Overflows, Heap Overflows, and Existential Dread"][1150]
- ["State of Linux Snapshot Fuzzing"][1078]
- ["STM32L05 Voltage Glitching"][1111]
- ["Streaming Zero-Fi Shells to Your Smart Speaker"][1096]
- ["System Register Hijacking: Compromising Kernel Integrity By Turning System Registers Against the System"][1196]
- ["The Art of Linux Kernel Rootkits"][1008]
- "The Evolution of Dirty COW":
  - [Part 1][1062]
  - [Part 2][1063]
- ["The Journey of Bypassing Ubuntu’s Unprivileged Namespace Restriction"][1116]
- ["TLS NoVerify: Bypass All The Things"][1165]
- ["Tracing Back to the Source | SPTM Round 3"][1046]
- ["Turning Camera Surveillance on its Axis"][1158]
- ["Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks"][1126]
- ["Use-After-Free Vulnerability in the CAN BCM Subsystem Leading to Information Disclosure (CVE-2023-52922)"][1133]
- ["VMware Workstation guest-to-host escape"][1161]
- ["We are ARMed no more ROPpery Here"][1016]
- "When a Wi-Fi SSID Gives You Root on an MT02 Repeater":
  - [Part 1][1156]
  - [Part 2][1157]
- ["When Good Kernel Defenses Go Bad: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks"][1067]
- ["Windows arm64 Internals: Deconstructing Pointer Authentication"][1190]
- ["Windows Heap Exploitation - From Heap Overflow to Arbitrary R/W"][1195]
- ["WireTap: Breaking Server SGX via DRAM Bus Interposition"][1183]
- ["Writing a Ghidra processor module"][1064]
- ["You Already Have Our Personal Data, Take Our Phone Calls Too"][1140]
- ["Zen and the Art of Microcode Hacking"][1027]

## 2024

- ["1-click Exploit in South Korea's biggest mobile chat app"][965]
- ["4 exploits, 1 bug: exploiting cve-2024-20017 4 different ways"][959]
- "64 bytes and a ROP chain – A journey through nftables":
  - [Part 1][865]
  - [Part 2][866]
- "nix libX11: Uncovering and exploiting a 35-year-old vulnerability":
  - [Part 1][703]
  - [Part 2][704]
- ["A few notes on AWS Nitro Enclaves: Images and attestation"][738]
- ["A first look at Android 14 forensics"][669]
- ["A "Gau-Hack" from EuskalHack"][893]
- ["A Journey From sudo iptables To Local Privilege Escalation"][1009]
- ["A Practical Guide to PrintNightmare in 2024"][709]
- ["A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass"][714]
- ["A Trip Down Memory Lane"][715]
- [AArch64 memory and paging][1015]
- ["An Introduction to Chrome Exploitation - Maglev Edition"][882]
- ["An unexpected journey into Microsoft Defender's signature World"][876]
- ["Analysis of CVE-2024-21310 Pool Overflow Windows Cloud Filter Driver"][952]
- ["Advanced CyberChef Techniques For Malware Analysis - Detailed Walkthrough and Examples"][736]
- ["AES-GCM and breaking it on nonce reuse"][912]
- ["Analyzing Mutation-Coded - VM Protect and Alcatraz English"][834]
- ["ARLO: I'M WATCHING YOU"][810]
- ["ASLRn’t: How memory alignment broke library ASLR"][731]
- ["Attack of the clones: Getting RCE in Chrome’s renderer with duplicate object properties"][911]
- ["Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938"][852]
- ["Automotive Memory Protection Units: Uncovering Hidden Vulnerabilities"][1173]
- "Base64 Beyond Encoding":
  - [Part 1][945]
  - [Part 2][946]
- ["Becoming any Android app via Zygote command injection"][863]
- ["Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems"][895]
- ["BGGP4: A 420 Byte Self-Replicating UEFI App For x64"][728]
- ["Binary type inference in Ghidra"][905]
- ["Blackbox-Fuzzing of IoT Devices Using the Router TL-WR902AC as Example"][803]
- ["Breaking the Barrier: Post-Barrier Spectre Attacks"][970]
- ["Breaking Down Adversarial Machine Learning Attacks Through Red Team Challenges"][987]
- ["Breaking Down Multipart Parsers: File upload validation bypass"][966]
- ["Breaking the Flash Encryption Feature of Espressif’s Parts"][589]
- ["Bus Pirate 5: The Swiss ARRRmy Knife of Hardware Hacking"][886]
- ["Buying Spying Insights into Commercial Surveillance Vendors"][733]
- ["Bypassing EDRs With EDR-Preloading"][716]
- ["Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws"][920]
- "Chaining N-days to Compromise All":
  - [Part 1][836]
  - [Part 2][837]
  - [Part 3][838]
  - [Part 4][839]
  - [Part 5][840]
- ["Check Point - Wrong Check Point (CVE-2024-24919)"][875]
- ["Code injection on Android without ptrace"][874]
- "CodeQL zero to hero":
  - [Part 1][858]
  - [Part 2][859]
  - [Part 3][860]
  - [Part 4][1191]
  - [Part 5][1192]
- ["Commonly Abused Linux Initial Access Techniques and Detection Strategies"][896]
- ["Compiler Options Hardening Guide for C and C++"][877]
- ["Continuously fuzzing Python C extensions"][734]
- ["corCTF 2024: trojan-turtles writeup"][929]
- ["corMine 1 and 2"][948]
- ["Cross-Process Spectre Exploitation"][969]
- ["CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM"][861]
- ["CVE-2022-2586 Writeup"][849]
- ["CVE-2020-27786 (Race Condition + Use-After-Free)"][967]
- ["CVE-2022-4262"][864]
- ["CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes"][1012]
- ["CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()"][697]
- ["Declawing PUMAKIT"][989]
- [Deep Dive into RCU Race Condition: Analysis of TCP-AO UAF (CVE-2024–27394)][1003]
- ["Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero"][699]
- ["Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating"][683]
- ["Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word"][805]
- ["Diving Deep into F5 Secure Vault"][918]
- ["DJI - The ART of obfuscation"][705]
- ["Docker Security – Step-by-Step Hardening (Docker Hardening)"][729]
- ["Driving forward in Android drivers"][908]
- ["Emulating RH850 architecture with Unicorn Engine"][853]
- "Everyday Ghidra: Ghidra Data Types":
  - [Part 1][973]
  - [Part 2][974]
- ["Exploit detail about CVE-2024-26581"][944]
- ["Exploring AMD Platform Secure Boot"][701]
- ["Exploring GNU extensions in the Linux kernel"][878]
- ["Exploiting Android’s Hardened Memory Allocator"][1030]
- ["Exploiting Empire C2 Framework"][723]
- "Exploiting Enterprise Backup Software For Privilege Escalation":
  - [Part 1][906]
  - [Part 2][907]
- "Exploiting Reversing (ER) series":
  - [Article 01][583]
  - [Article 02][584]
- ["Exploiting Steam: Usual and Unusual Ways in the CEF Framework"][898]
- ["Exploring object file formats"][684]
- ["Extracting Secure Onboard Communication (SecOC) keys from a 2021 Toyota RAV4 Prime"][735]
- ["Fault Injection Attacks against the ESP32-C3 and ESP32-C6"][590]
- ["Fault Injection – Down the Rabbit Hole"][993]
- "Finding Bugs in Kernel":
  - [Part 1][996]
  - [Part 2][997]
- ["Flatlined: Analyzing Pulse Secure Firmware and Bypassing Integrity Checking"][883]
- ["Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques"][804]
- ["From fault injection to RCE"][990]
- ["From object transition to RCE in the Chrome renderer"][940]
- ["Fuzzing between the lines in popular barcode software"][968]
- ["Gaining kernel code execution on an MTE-enabled Pixel 8"][808]
- ["Ghidra nanoMIPS ISA module"][873]
- ["Going Native - Malicious Native Applications"][842]
- ["Google Chrome V8 CVE-2024-0517 Out-of-Bounds Write Code Execution"][674]
- ["GhostRace: Exploiting and Mitigating Speculative Race Conditions"][802]
- ["GPUAF - Two ways of Rooting All Qualcomm based Android phones"][994]
- ["GraphStrike: Anatomy of Offensive Tool Development"][712]
- ["Hacking a 2014 tablet... in 2024!"][932]
- ["Hacking a Smart Home Device"][691]
- ["Hacking Android Games"][949]
- ["Heap exploitation, glibc internals and nifty tricks"][938]
- ["HEAP HEAP HOORAY — Unveiling GLIBC heap overflow vulnerability (CVE-2023–6246)"][818]
- ["Hi, My Name is Keyboard"][676]
- ["Hiding Linux Processes with Bind Mounts"][925]
- ["How I Also Hacked my Car"][976]
- ["How to Bypass Golang SSL Verification"][941]
- ["Hunting Bugs in Linux Kernel With KASAN: How to Use it & What's the Benefit?"][995]
- ["Hunting down the HVCI bug in UEFI"][668]
- ["Hunting for Unauthenticated n-days in Asus Routers"][662]
- "Iconv, Set the Charset to RCE":
  - [Part 1][870]
  - [Part 2][871]
- ["Java Deserialization Tricks"][815]
- ["JTAG Hacking with a Raspberry Pi"][851]
- ["Kuiper Ransomware’s Evolution"][702]
- ["Inside a New OT/IoT Cyberweapon: IOCONTROL"][1001]
- ["Inside the LogoFAIL PoC: From Integer Overflow to Arbitrary Code Execution"][692]
- ["Introduction to Fuzzing Android Native Components"][984]
- "Learning LLVM":
  - [Part 1][934]
  - [Part 2][935]
- ["LeftoverLocals: Listening to LLM responses through leaked GPU local memory"][687]
- ["Leveraging Binary Ninja IL to Reverse a Custom ISA: Cracking the “pot of gold” 37C3"][612]
- ["Linux Kernel Attack Surface: beyond IOCTL. DMA-BUF"][999]
- "Linux Kernel Exploitation":
  - ["Environment"][922]
  - ["ret2usr"][923]
- ["Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap – BlackHat USA 2024 Whitepaper"][939]
- "ManageEngine ADAudit - Reverse engineering Windows RPC to find CVEs":
  - [Part 1][901]
  - [Part 2][902]
  - [Part 3][903]
- ["Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu"][809]
- ["Mali GPU Kernel LPE"][786]
- ["MalpediaFLOSSed"][814]
- ["Microsoft BitLocker Bypasses are Practical"][718]
- ["Modern implant design: position independent malware development"][690]
- ["My new superpower"][688]
- ["Not the Drones You're Looking For"][825]
- "Operation triangulation":
  - ["Keychain module analysis"][823]
  - ["audio module analysis"][824]
- ["OtterRoot: Netfilter Universal Root 1-day"][986]
- ["Out-of-bounds read & write in the glibc's qsort()"][698]
- ["PageJack: A Powerful Exploit Technique With Page-Level UAF"][951]
- ["Page-Oriented Programming: Subverting Control-Flow Integrity of Commodity Operating System Kernels with Non-Writable Code Pages"][1000]
- ["Patch Tuesday Diffing: CVE-2024-20696 - Windows Libarchive RCE"][835]
- ["Pinning User-space Pages in the Linux Kernel: Exploring get_user_pages, pin_user_pages, and Page Table Walking"][983]
- ["PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack"][711]
- ["Playing with libmalloc in 2024"][610]
- ["Puckungfu 2: Another NETGEAR WAN Command Injection"][730]
- ["Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap"][910]
- ["Pwn2Own Automotive 2024: Hacking the ChargePoint Home Flex (and their cloud...)"][933]
- ["Pwning browsers like a kernel"][957]
- "Pwn2Own: WAN-to-LAN Exploit Showcase":
  - ["Pwn2Own: WAN-to-LAN Exploit Showcase, Part 1"][950]
  - ["Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2"][942]
- "Pwn2Own Toronto 2023":
  - ["How it all started"][829]
  - ["Exploring the Attack Surface"][830]
  - ["Exploration"][831]
  - ["Memory Corruption Analysis"][832]
  - ["The Exploit"][833]
- ["Pwning a Brother labelmaker, for fun and interop!"][897]
- "Pwntools 10x":
  - [Part 1][867]
  - [Part 2][868]
  - [Part 3][869]
- ["Pygmy Goat"][972]
- ["Recovering an ECU firmware using disassembler and branches"][921]
- ["regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387)"][919]
- ["Resolving Stack Strings with Capstone Disassembler & Unicorn in Python"][846]
- ["Retrofitting encrypted firmware is a Bad Idea"][1024]
- ["Reverse engineering a car key fob signal"][801]
- ["Reverse Engineering and Dismantling Kekz Headphones"][962]
- ["Reverse Engineering Protobuf Definitions From Compiled Binaries"][820]
- ["Reverse engineering the 59-pound printer onboard the Space Shuttle"][943]
- ["Reverse Engineering the AM335x Boot ROM"][947]
- ["Reverse Engineering The Stream Deck Plus"][1004]
- "Ring Around The Regex":
  - [Part 1][955]
  - [Part 2][956]
- ["RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing"][958]
- ["RomCom exploits Firefox and Windows zero days in the wild"][981]
- ["ROPing Routers from scratch: Step-by-step Tenda Ac8v4 Mips 0day Flow-control ROP -> RCE"][892]
- ["Route to Safety: Navigating Router Pitfalls"][816]
- ["Rooting a Hive Camera"][819]
- ["SAME70 Emulator"][879]
- "Say Friend and Enter":
  - [Part 1][812]
  - [Part 2][813]
- ["Samsung NX related posts"][887]
- ["Scavy: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation"][975]
- ["SECGlitcher (Part 1) - Reproducible Voltage Glitching on STM32 Microcontrollers"][862]
- ["SELinux bypasses"][963]
- ["SLUB Internals for Exploit Developers"][980]
- ["SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel"][937]
- ["Shell We Assemble?"][689]
- ["Shellcode evasion using WebAssembly and Rust"][726]
- "SMM isolation":
  - ["SMI deprivileging (ISRD)"][847]
  - ["Security policy reporting (ISSR)"][848]
- ["SoK: Where’s the “up”?! A Comprehensive (bottom-up) Study on the Security of Arm Cortex-M Systems"][1049]
- ["Strengthening the Shield: MTE in Heap Allocators"][596]
- ["Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation"][913]
- ["The architecture of SAST tools: An explainer for developers"][739]
- ["The Dark Side of UEFI: A technical Deep-Dive into Cross-Silicon Exploitation"][880]
- ["The Definitive Guide to Linux Process Injection"][971]
- ["The 'Invisibility Cloak' - Slash-Proc Magic"][924]
- ["The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit"][1007]
- ["The rev.ng decompiler goes open source + start of the UI closed beta"][694]
- ["The tale of a GSM Kernel LPE"][850]
- ["The Wild West of Proof of Concept Exploit Code (PoC)"][926]
- "The Windows Registry Adventure":
  - [Part 1][914]
  - [Part 2][915]
  - [Part 3][916]
- ["TIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Execution"][894]
- ["Tony Hawk’s Pro Strcpy"][928]
- ["Toolchain Necromancy: Past Mistakes Haunting ASLR"][732]
- ["TP-Link Firmware Decryption C210 V2 cloud camera bootloaders"][988]
- ["TP-Link TDDP Buffer Overflow Vulnerability"][695]
- ["Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762"][787]
- ["Understanding AddressSanitizer: Better memory safety for your code"][889]
- ["Understanding Unix Garbage Collection and its Interaction with io_uring"][891]
- ["Understanding Windows x64 Assembly"][693]
- ["Using Symbolic Execution to Devirtualise a Virtualised Binary"][936]
- ["Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel"][985]
- ["VBA: having fun with macros, overwritten pointers & R/W/X memory"][843]
- ["Vulnerabilities of Realtek SD card reader driver"][1002]
- ["Why Code Security Matters - Even in Hardened Environments"][953]
- ["Windows Secure-Launch on Qualcomm devices"][811]
- ["Windows Sockets: From Registered I/O to SYSTEM Privileges"][998]
- ["Windows vs Linux Loader Architecture"][844]
- ["Windows Wi-Fi Driver RCE Vulnerability – CVE-2024-30078"][954]
- "Writing a Debugger From Scratch":
  - ["Attaching to a Process"][449]
  - ["Register State and Stepping"][450]
  - ["Reading Memory"][451]
  - ["Exports and Private Symbols"][452]
  - ["Breakpoints"][453]
  - ["Stacks"][454]
  - ["Disassembly"][455]
- ["Writing a system call tracer using eBPF"][931]
- ["Your NVMe Had Been Syz’ed: Fuzzing NVMe-oF/TCP Driver for Linux with Syzkaller"][854]
- ["x64 Return Address Spoofing"][991]
- ["x64 Call Stack Spoofing"][992]

## 2023

- ["A Deep Dive Into Brute Ratel C4 Payloads"][374]
- ["A Deep Dive into Penetration Testing of macOS Applications (Part 1)"][49]
- ["A Deep Dive into TPM-based BitLocker Drive Encryption"][611]
- ["A Detailed Look at Pwn2own Automotive EV Charger Hardware"][537]
- ["A LibAFL Introductory Workshop"][826]
- ["A look at CVE-2023-29360, a beautiful logical LPE vuln"][260]
- ["A Journey Into Hacking Google Search Appliance"][203]
- ["A new method for container escape using file-based DirtyCred"][201]
- ["A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition"][273]
- ["A Potholing Tour in a SoC"][189]
- "A Practical Tutorial on PCIe for Total Beginners on Windows":
  - [Part 1][806]
  - [Part 2][807]
- ["A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM"][255]
- ["A Red-Teamer diaries"][156]
- ["A story about tampering EDRs"][293]
- ["Abusing Liftoff assembly and efficiently escaping from sbx"][677]
- ["Abusing RCU callbacks with a Use-After-Free read to defeat KASLR"][857]
- ["Abusing undocumented features to spoof PE section headers"][139]
- ["Achieving Remote Code Execution in Steam: a journey into the Remote Play protocol"][587]
- ["All about LeakSanitizer"][460]
- ["All cops are broadcasting: TETRA under scrutiny"][237]
- ["All my favorite tracing tools: eBPF, QEMU, Perfetto, new ones I built and more"][513]
- ["An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit"][392]
- ["An Introduction into Stack Spoofing"][580]
- ["Analysis on legit tools abused in human operated ransomware"][4]
- "Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway":
  - [Part 1][196]
  - [Part 2][197]
- ["Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991"][119]
- ["Analyzing a Modern In-the-wild Android Exploit"][379]
- ["Analyzing an Old Netatalk dsi_writeinit Buffer Overflow Vulnerability in NETGEAR Router"][326]
- "ARM64 Reversing And Exploitation" (8ksec):
  - [Part 1][107]
  - [Part 2][108]
  - [Part 3][109]
  - [Part 4][110]
  - [Part 5][111]
  - [Part 6][112]
  - [Part 7][113]
  - [Part 8][388]
  - [Part 9][389]
  - [Part 10][390]
- "Attacking an EDR":
  - [Part 1][395]
  - [Part 2][396]
- ["Attacking IoT Devices from Web Perspective"][608]
- ["Attacking JS engines: Fundamentals for understanding memory corruption crashes"][720]
- ["Audio with embedded Linux training"][267]
- ["Automating C2 Infrastructure with Terraform, Nebula, Caddy and Cobalt Strike"][300]
- ["b3typer - bi0sCTF 2022"][554]
- ["Back to the Future with Platform Security"][97]
- ["Bash Privileged-Mode Vulnerabilities in Parallel Desktop and CDPATH Handling in MacOS"][100]
- ["Bee-yond Capacity: Unauthenticated RCE in Extreme Networks/Aerohive Wireless APs - CVE-2023-35803"][91]
- ["Behind the Shield: Unmasking Scudo's Defenses"][8]
- ["BlackLotus UEFI bootkit: Myth confirmed"][429]
- ["BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses"][618]
- ["BPF Memory Forensics with Volatility 3"][881]
- ["Breaking Fortinet Firmware Encryption"][233]
- ["Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability"][81]
- ["Breaking Secure Boot on the Silicon Labs Gecko platform"][262]
- ["Building a Custom Mach-O Memory Loader for macOS"][523]
- ["Building an Exploit for FortiGate Vulnerability CVE-2023-27997"][475]
- ["Bypassing a noexec by elf roping"][528]
- ["Bypassing PPL in Userland (again)"][308]
- ["Bypassing SELinux with init_module"][494]
- "C101101: D-Link DIR-865L":
  - ["Remote Code Execution (pre-auth)"][599]
  - ["Unsigned firmware upload lead to persistent backdoor (pre-auth)"][600]
  - ["Memory corruptions lead to Remote Code Execution (pre-auth)"][601]
- ["CAN Injection: keyless car theft"][195]
- "chonked":
  - ["minidlna 1.3.2 http chunk parsing heap overflow (cve-2023-33476) root cause analysis"][193]
  - ["exploiting cve-2023-33476 for remote code execution"][194]
- ["Code Execution in Chromium’s V8 Heap Sandbox"][896]
- ["Coffee: A COFF loader made in Rust"][93]
- ["Competing in Pwn2Own ICS 2022 Miami: Exploiting a zero click remote memory corruption in ICONICS Genesis64"][397]
- ["Conquering the memory through io_uring - Analysis of CVE-2023-2598"][528]
- "Cracking Windows Kernel with HEVD":
  - ["Chapter 0"][656]
  - ["Chapter 1"][657]
  - ["Chapter 2"][658]
  - ["Chapter 3"][659]
  - ["Chapter 4"][660]
- ["Cueing up a calculator: an introduction to exploit development on Linux"][534]
- "Customizing Sliver":
  - [Part 1][603]
  - [Part 2][604]
  - [Part 3][605]
- ["CVE-2022-27666: My file your memory"][616]
- ["CVE-2023-0179: Linux kernel stack buffer overflow in nftables: PoC and writeup"][567]
- ["CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver"][72]
- ["CVE-2023-23504: XNU Heap Underwrite in dlil.c"][543]
- ["CVE-2023-26258 – Remote Code Execution in ArcServe UDP Backup"][99]
- ["CVE-2023-36844 And Friends: RCE In Juniper Devices"][281]
- ["CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent"][186]
- ["cURL audit: How a joke led to significant findings"][459]
- ["D^3CTF2023 d3kcache: From null-byte cross-cache overflow to infinite arbitrary read & write."][964]
- ["Debugger Ghidra Class"][28]
- ["Debugging D-Link: Emulating firmware and hacking hardware"][290]
- ["Decompilation Debugging"][508]
- ["Deep Lateral Movement in OT Networks: When is a Perimeter not a Perimeter?"][253]
- ["Defining the cobalt strike reflective loader"][320]
- ["Demystifying bitwise operations, a gentle C tutorial"][400]
- ["Detecting and decrypting Sliver C2 – a threat hunter’s guide"][480]
- ["Detecting BPFDoor Backdoor Variants Abusing BPF Filters"][183]
- ["Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel"][51]
- ["Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”"][164]
- ["Diving Into Smart Contract Decompilation"][204]
- ["Diving into Starlink's User Terminal Firmware"][268]
- "DJI Mavic 3 Drone Research":
  - ["Firmware Analysis"][376]
  - ["Vulnerability Analysis"][713]
- ["Drone Security and Fault Injection Attacks"][82]
- "DualShock4 Reverse Engineering":
  - [Part 1][149]
  - [Part 2][150]
  - [Part 3][151]
- ["eBPF: A new frontier for malware"][621]
- ["Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device"][47]
- ["Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489)"][182]
- ["ENLBufferPwn (CVE-2022-47949)"][422]
- ["Escaping the Google kCTF Container with a Data-Only Exploit"][178]
- ["Exploitation of a kernel pool overflow from a restrictive chunk size (CVE-2021-31969)"][827]
- ["Exploitation of Openfire CVE-2023-32315"][283]
- ["Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI"][572]
- ["Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers"][130]
- ["Exploiting CVE-2021-3490 for Container Escapes"][552]
- ["Exploiting null-dereferences in the Linux kernel"][148]
- ["Exploring UNIX pipes for iOS kernel exploit primitives"][514]
- ["EPF: Evil Packet Filter"][73]
- ["Escaping from Bhyve"][192]
- ["ESP32-C3 Wireless Adventure A Comprehensive Guide to IoT"][69]
- ["Espressif ESP32: Breaking HW AES with Electromagnetic Analysis"][394]
- ["Espressif ESP32: Breaking HW AES with Power Analysis"][393]
- ["Examining OpenSSH Sandboxing and Privilege Separation – Attack Surface Analysis"][324]
- ["Executing Arbitrary Code & Executables in Read-Only FileSystems"][52]
- ["Exploit Engineering – Attacking the Linux Kernel"][146]
- ["Exploiting a Remote Heap Overflow with a Custom TCP Stack"][322]
- ["Exploring Hell's Gate"][594]
- ["Exploiting a bug in the Linux kernel with Zig"][597]
- ["Exploiting HTTP Parsers Inconsistencies"][391]
- ["Exploiting MikroTik RouterOS Hardware with CVE-2023-30799"][198]
- ["Exploring Android Heap Allocations in Jemalloc 'New'"][7]
- ["Exploring Linux's New Random Kmalloc Caches"][511]
- ["Exploring the section layout in linker output"][609]
- "Fantastic Rootkits: And Where To Find Them":
  - [Part 1][275]
  - [Part 2][276]
  - [Part 3][277]
- ["Few lesser known tricks, quirks and features of C"][354]
- ["Finding and exploiting process killer drivers with LOL for 3000$"][172]
- ["Finding bugs in C code with Multi-Level IR and VAST"][92]
- ["Finding Gadgets for CPU Side-Channels with Static Analysis Tools"][75]
- ["For Science! - Using an Unimpressive Bug in EDK II to Do Some Fun Exploitation"][70]
- ["FortiNAC - Just a few more RCEs"][95]
- ["Fortinet Series 3 — CVE-2022–42475 SSLVPN exploit strategy"][32]
- ["Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues"][90]
- ["From C, with inline assembly, to shellcode"][235]
- "Fuzzing Farm":
  - ["Fuzzing GEGL with fuzzuf"][43]
  - ["Evaluating Performance of Fuzzer"][44]
  - ["Patch Analysis and PoC Development"][45]
  - ["Hunting and Exploiting 0-day \[CVE-2022-24834\]"][46]
- ["Fuzzing Golang msgpack for fun and panic"][643]
- ["Getting RCE in Chrome with incomplete object initialization in the Maglev compiler"][486]
- "Ghidra" (Craig Young):
  - ["A Guide to Reversing Shared Objects with Ghidra"][121]
  - ["Reversing a Simple CrackMe with Ghidra Decompiler"][122]
  - ["Vulnerability Hunting with Ghidra"][123]
  - ["Patching a Bug from a Ghidra Listing"][124]
  - ["Vulnerability Analysis with Ghidra Scripting"][125]
- ["Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall"][481]
- ["Google Chrome V8 ArrayShift Race Condition Remote Code Execution"][530]
- ["Hacking a Tapo TC60 Camera"][350]
["Hacking Amazon's eero 6 (part 1)"][86] - ["Hacking Brightway scooters: A case study"][29] - ["Hacking ICS Historians: The Pivot Point from IT to OT"][444] - ["Hacking the Nintendo DSi Browser"][456] - ["Hardware Hacking to Bypass BIOS Passwords"][5] - ["Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges"][443] - ["How a simple K-TypeConfusion took me 3 months long to create a exploit? \[HEVD\] - Windows 11 (build 22621)"][240] - ["How does Linux start a process"][501] - "How NATs Work": - [Part 1][152] - [Part 2][153] - [Part 3][154] - [Part 4][155] - "How I Hacked my Car": - [Part 1][101] - [Part 2][102] - [Part 3][103] - [Part 4][104] - [Part 5][105] - [Part 6][106] - ["How I hacked smart lights: the story behind CVE-2022-47758"][841] - ["How to Emulate Android Native Libraries Using Qiling"][482] - ["How to Voltage Fault Injection"][685] - ["How To Secure A Linux Server"][140] - ["Hunting Vulnerable Kernel Drivers"][661] - ["Icicle: A Re-designed Emulator for Grey-Box Firmware Fuzzing"][171] - ["In-depth analysis on Valorant’s Guarded Regions"][141] - ["In-Memory-Only ELF Execution (Without tmpfs)"][355] - ["Intel BIOS Advisory – Memory Corruption in HID Drivers "][257] - ["Intercepting Allocations with the Global Allocator"][79] - ["Intro to Cutter"][637] - ["Introduction to SELinux"][59] - "IoT Series": - ["Are People Ready to go?"][465] - ["How To Build Kernel Image From Scratch"][466] - ["Firmware testing in QEMU"][467] - ["Debugging with GDB & GHIDRA + Zero-day"][468] - ["JTAG 'Hacking' the Original Xbox in 2023"][244] - ["Kernel Exploit Factory"][159] - ["Learn Makefiles With the tastiest examples"][24] - ["Let's build a Chrome extension that steals everything"][463] - ["Let’s Go into the rabbit hole — the challenges of dynamically hooking Golang programs"][387] - [Part 1][387] - [Part 2][904] - [Part 3][930] - ["Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)"][327] - ["lexmark printer haxx"][652] - [linux-re-101][169] 
- ["Linux debugging, profiling and tracing training"][353]
- "Linux Kernel Exploitation"
  - ["Getting started & BOF"][678]
  - ["Heap techniques"][679]
  - ["Exploiting race-condition + UAF"][680]
- "Linux Kernel PWN":
  - ["ret2dir"][899]
  - ["DirtyCred"][900]
- ["Linux Kernel Unauthenticated Remote Heap Overflow Within KSMBD"][544]
- ["Linux Kernel Teaching"][131]
- ["Linux Malware: Defense Evasion Techniques"][165]
- "Linux Red Team":
  - ["Exploitation Techniques"][222]
  - ["Privilege Escalation Techniques"][223]
  - ["Persistence Techniques"][224]
- ["Linux Remote Process Injection - (Injecting into a firefox process)"][569]
- ["Linux rootkits explained – Part 1: Dynamic linker hijacking"][60]
- ["Linux Shellcode 101: From Hell to Shell"][53]
- ["Local Privilege Escalation on the DJI RM500 Smart Controller"][160]
- "Lord Of The Ring0":
  - [Part 1][10]
  - [Part 2][11]
  - [Part 3][12]
  - [Part 4][13]
  - [Part 5][14]
- ["Low-Level Software Security for Compiler Developers"][15]
- ["LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863"][202]
- ["Making TOCTOU Great again – X(R)IP"][474]
- "Malware Reverse Engineering for Beginners":
  - [Part 1][128]
  - [Part 2][129]
- ["Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects"][285]
- "mast1c0re"
  - ["Introduction – Exploiting the PS4 and PS5 through a game save"][38]
  - ["Part 1 – Modifying PS2 game save files"][39]
  - ["Part 2 – Arbitrary PS2 code execution"][40]
  - ["Part 3 – Escaping the emulator"][41]
- ["Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts"][330]
- ["Meterpreter vs Modern EDR(s)"][170]
- "MTE As Implemented":
  - [Part 1][366]
  - [Part 2][367]
- ["mTLS: When certificate authentication is done wrong"][270]
- ["MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis"][177]
- ["Multiple Vulnerabilities in Qualcomm and Lenovo ARM-based Devices"][404]
- "NetGear Series: Emulating Netgear R6700V3 circled binary":
  - [Part 1][441]
  - [Part 2][442]
- ["New HiatusRAT Router Malware Covertly Spies On Victims"][402]
- ["No Alloc, No Problem: Leveraging Program Entry Points for Process Injection"][1091]
- ["NVMe: New Vulnerabilities Made Easy"][264]
- ["nftables Adventures: Bug Hunting and N-day Exploitation (CVE-2023-31248)"][365]
- ["Obscure Windows File Types"][74]
- ["Old Bug, Shallow Bug: Exploiting Ubuntu at Pwn2own Vancouver 2023"][254]
- ["One shot, Triple kill"][700]
- "OPC UA Deep Dive Series":
  - [Part 1][211]
  - [Part 2][212]
  - [Part 3][213]
  - [Part 4][214]
  - [Part 5][215]
- ["OpenSSH Pre-Auth Double Free CVE-2023-25136 – Writeup and Proof-of-Concept"][42]
- ["OrBit: advanced analysis of a Linux dedicated malware"][427]
- ["OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow"][428]
- ["P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm"][206]
- ["P4wnP1-LTE"][209]
- ["Patches, Collisions, and Root Shells: A Pwn2Own Adventure"][278]
- ["Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours"][297]
- ["Persistence Techniques That Persist"][299]
- ["Practical Introduction to BLE GATT Reverse Engineering: Hacking the Domyos EL500"][166]
- ["prctl anon_vma_name: An Amusing Linux Kernel Heap Spray"][184]
- ["Producing a POC for CVE-2022-42475 (Fortinet RCE)"][323]
- ["Protecting Android clipboard content from unintended exposure"][448]
- "Protecting the Phoenix: Unveiling Critical Vulnerabilities in Phoenix Contact HMI"
  - [Part 1][477]
  - [Part 2][478]
  - [Part 3][479]
- ["Prototype Pollution in Python"][647]
- ["PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"][758]
- ["PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer"][98]
- ["PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with CVE-2023-24749"][318]
- ["Pwnassistant - Controlling /home's via a Home Assistant RCE"][613]
- ["Pwning Pixel 6 with a leftover patch"][310]
- ["Pwning the tp-link ax1800 wifi 6 Router: Uncovered and Exploited a Memory Corruption Vulnerability"][309]
- ["Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel"][185]
- ["Readline crime: exploiting a SUID logic bug"][439]
- ["Red vs. Blue: Kerberos Ticket Times, Checksums, and You!"][30]
- ["Reptar"][527]
- ["Restoring Dyld Memory Loading"][522]
- ["Retreading The AMLogic A113X TrustZone Exploit Process"][77]
- ["Reversing UK mobile rail tickets"][551]
- "Reversing Windows Container":
  - [Part 1][821]
  - [Part 2][822]
- ["RISC-V Bytes: Exploring a Custom ESP32 Bootloader"][493]
- ["REUnziP: Re-Exploiting Huawei Recovery With FaultyUSB"][364]
- ["Revisiting CVE-2017-11176"][48]
- "Rooting the FiiO M6":
  - ["Using the "World's Worst Fuzzer" To Find A Kernel Bug"][499]
  - ["Writing an LPE Exploit For Our Overflow Bug"][500]
- ["Rooting Xiaomi WiFi Routers"][817]
- ["Rust Binary Analysis, Feature by Feature"][231]
- ["Rust to Assembly: Understanding the Inner Workings of Rust"][134]
- "Rustproofing Linux":
  - [Part 1][575]
  - [Part 2][576]
  - [Part 3][577]
  - [Part 4][578]
- ["scudo Hardened Allocator — Unofficial Internals Documentation"][706]
- ["Securing our home labs: Frigate code review"][615]
- ["Securing our home labs: Home Assistant code review"][614]
- ["SHA-1 gets SHAttered"][325]
- ["Shambles: The Next-Generation IoT Reverse Engineering Tool to Discover 0-Day Vulnerabilities"][55]
- ["Shell in the Ghost: Ghostscript CVE-2023-28879 writeup"][76]
- ["Shifting boundaries: Exploiting an Integer Overflow in Apple Safari"][261]
- ["Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100"][531]
- ["Smart Speaker Shenanigans: Making the Sonos ONE Sing its Secrets"][504]
- ["Smashing the state machine: the true potential of web race conditions"][271]
- ["SRE deep dive into Linux Page Cache"][94]
- ["Sshimpanzee"][16]
- ["Stepping Insyde System Management Mode"][256]
- ["Sudoedit bypass in Sudo <= 1.9.12p1 CVE-2023-22809"][562]
- ["THC's favourite Tips, Tricks & Hacks (Cheat Sheet)"][31]
- ["The ARM32 Scheduling and Kernelspace/Userspace Boundary"][512]
- ["The art of Fuzzing: Introduction"][57]
- ["The art of fuzzing: Windows Binaries"][89]
- ["The art of fuzzing-A Step-by-Step Guide to Coverage-Guided Fuzzing with LibFuzzer"][54]
- ["The Art Of Linux Persistence"][872]
- ["The Blitz Tutorial Lab on Fuzzing with AFL++"][303]
- ["The code that wasn’t there: Reading memory on an Android device by accident"][462]
- ["The Dragon Who Sold His camaro: Analyzing Custom Router Implant"][228]
- ["The Importance of Reverse Engineering in Network Analysis"][426]
- ["The Linux Kernel Module Programming Guide"][3]
- ["The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders"][284]
- ["The Role of the Control Flow Graph in Static Analysis"][509]
- ["The Silent Spy Among Us: Smart Intercom Attacks"][331]
- ["The Stack Series: The X64 Stack"][356]
- ["The Untold Story of the BlackLotus UEFI Bootkit"][205]
- ["Tickling ksmbd: fuzzing SMB in the Linux kernel"][386]
- ["Tool Release: Cartographer"][371]
- ["Total Identity Compromise: Microsoft Incident Response lessons on securing Active Directory"][445]
- ["Xortigate, or CVE-2023-27997 - The Rumoured RCE That Was"][80]
- ["Your not so "Home Office" - SOHO Hacking at Pwn2Own"][5]
- ["Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt"][524]
- ["Unauthenticated RCE on a RIGOL oscilloscope"][210]
- ["UNCONTAINED: Uncovering Container Confusion in the Linux Kernel"][37]
- ["Uncovering a crazy privilege escalation from Chrome extensions"][502]
- ["Uncovering HinataBot: A Deep Dive into a Go-Based Threat"][311]
- ["Under The Hood - Disassembling of IKEA-Sonos Symfonisk Speaker Lamp"][180]
- ["Understanding a Payload’s Life Featuring Meterpreter & Other Guests"][315]
- ["Understanding Dirty Pagetable - m0leCon Finals 2023 CTF Writeup"][591]
- ["Understanding the Heap - a beautiful mess"][348]
- ["Unleashing ksmbd: crafting remote exploits of the Linux kernel"][828]
- ["Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)"][533]
- ["Unlimited Results: Breaking Firmware Encryption of ESP32-V3"][598]
- "Unveiling secrets of the ESP32":
  - ["creating an open-source MAC Layer"][653]
  - ["reverse engineering RX"][654]
- ["Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More"][648]
- ["What is Loader Lock?"][845]
- ["Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911)"][58]
- ["Windows Installer EOP (CVE-2023-21800)"][314]
- ["Writing your own RDI /sRDI loader using C and ASM"][307]
- ["Zenbleed"][207]
- ["Zero Effort Private Key Compromise: Abusing SSH-Agent For Lateral Movement"][248]

## 2022

- "A journey into IoT":
  - ["Chip identification, BUSSide, and I2C"][294]
  - ["Discover components and ports"][295]
  - ["Firmware dump and analysis"][296]
  - ["Radio communications"][681]
  - ["Internal communications"][682]
- ["A Kernel Hacker Meets Fuchsia OS"][710]
- "A Technical Analysis of Pegasus for Android":
  - [Part 1][564]
  - [Part 2][565]
  - [Part 3][566]
- ["ALL ABOUT USB-C: INTRODUCTION FOR HACKERS"][747]
- ["An In-Depth Look at the ICE-V Wireless FPGA Development Board"][779]
- "ARM 64 Assembly Series":
  - ["Basic definitions and registers"][408]
  - ["Offset and Addressing modes"][409]
  - ["Load and Store"][410]
  - ["Branch"][411]
  - ["Data Processing (Part 1)"][412]
  - ["Data Processing (Part 2)"][413]
  - ["selections and loops"][414]
  - ["Subroutines"][415]
- ["Attacking the Android kernel using the Qualcomm TrustZone"][885]
- ["Attacking Titan M with Only One Byte"][259]
- ["Avoiding Detection with Shellcode Mutator"][432]
- "BasicFUN Series":
  - ["Hardware Analysis / SPI Flash Extraction"][626]
  - ["Reverse Engineering Firmware / Reflashing SPI Flash"][627]
  - ["Dumping Parallel Flash via I2C I/O Expanders"][628]
  - ["I2C Sniffing, EEPROM Extraction and Parallel Flash Extraction"][629]
- ["Basics for Binary Exploitation"][749]
- ["Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu"][238]
- ["BrokenPrint: A Netgear stack overflow"][782]
- "Bypassing software update package encryption":
  - ["Extracting the Lexmark MC3224i printer firmware"][190]
  - ["Exploiting the Lexmark MC3224i printer"][191]
- ["Bypassing vtable Check in glibc File Structures"][208]
- ["Blind Exploits to Rule Watchguard Firewalls"][173]
- ["BPFDoor - An Evasive Linux Backdoor Technical Analysis"][292]
- ["Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse"][917]
- "Chrome Browser Exploitation":
  - [Part 1][1053]
  - [Part 2][1054]
  - [Part 3][1055]
- ["Competing in Pwn2Own 2021 Austin: Icarus at the Zenith"][556]
- ["CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel"][759]
- ["Corrupting memory without memory corruption"][762]
- ["Creating a Rootkit to Learn C"][719]
- ["CVE-2022-0435: A Remote Stack Overflow in The Linux Kernel"][377]
- ["[CVE-2022-1786] A Journey To The Dawn"][401]
- ["CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF"][168]
- ["CVE-2022-27666: Exploit esp6 modules in Linux kernel"][532]
- ["CVE-2022-29582 An io_uring vulnerability"][495]
- ["Deconstructing and Exploiting CVE-2020-6418"][778]
- ["DirtyCred Remastered: how to turn an UAF into Privilege Escalation"][167]
- ["Disclosing information with a side-channel in Django"][630]
- ["Dumping the Amlogic A113X Bootrom"][78]
- ["Dynamic analysis of firmware components in IoT devices"][250]
- ["Embedded Systems Security and TrustZone"][145]
- ["Emulate Until You Make it"][748]
- ["EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)"][473]
- ["Expanding the Dragon: Adding an ISA to Ghidra"][542]
- ["Exploiting: Buffer overflow in Xiongmai DVRs"][742]
- ["Exploiting CSN.1 Bugs in MediaTek Basebands"][272]
- ["exploiting CVE-2019-2215"][61]
- ["Exploiting CVE-2022-42703 - Bringing back the stack attack"][636]
- ["Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)"][707]
- ["Exploring the Hidden Attack Surface of OEM IoT Devices"][625]
- ["Firmware key extraction by gaining EL3"][316]
- ["Fortigate - Authentication Bypass Lead to Full Device Takeover"][291]
- "Fourchain":
  - ["Prologue"][765]
  - ["Hole"][766]
  - ["Sandbox"][767]
- ["Fuzzing ping(8) … and finding a 24 year old bug"][751]
- "Hacking Bluetooth to Brew Coffee from Github Actions":
  - [Part 1][752]
  - [Part 2][753]
  - [Part 3][754]
- ["Hacking More Secure Portable Storage Devices"][623]
- ["How did I approach making linux LKM rootkit, “reveng_rtkit” ?"][884]
- ["How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables"][266]
- ["Huawei Security Hypervisor Vulnerability"][435]
- "Hunting for Persistence in Linux"
  - [Part 1][64]
  - [Part 2][65]
  - [Part 3][66]
  - [Part 4][67]
  - [Part 5][68]
- "Hacking Some More Secure USB Flash Drives":
  - [Part 1][132]
  - [Part 2][133]
- ["Learning eBPF exploitation"][768]
- "Intro to Embedded RE":
  - ["Tools and Series"][351]
  - ["UART Discovery and Firmware Extraction via UBoot"][352]
- "Introduction to x64 Linux Binary Exploitation":
  - [Part 1][663]
  - [Part 2][664]
  - [Part 3][665]
  - [Part 4][666]
  - [Part 5][667]
- ["io_uring - new code, new bugs, and a new exploit technique"][978]
- ["Linux Hardening Guide"][349]
- ["Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg"][269]
- ["Linux Kernel Exploit (CVE-2022–32250) with mqueue"][242]
- "Linux SLUB Allocator Internals and Debugging":
  - [Part 1][359]
  - [Part 2][360]
  - [Part 3][361]
  - [Part 4][362]
- ["Linternals: Introducing Memory Allocators & The Page Allocator"][516]
- ["Linternals: The Slab Allocator"][517]
- ["Linux kernel heap feng shui in 2022"][535]
- ["Looking for Remote Code Execution bugs in the Linux kernel"][503]
- ["Manipulating AES Traffic using a Chain of Proxies and Hardcoded Keys"][319]
- ["MeshyJSON: A TP-Link tdpServer JSON Stack Overflow"][777]
- ["Missing Manuals - io_uring worker pool"][265]
- ["Modifying Embedded Filesystems in ARM Linux zImages"][775]
- "Netgear Orbi":
  - ["orbi hunting 0x0: introduction, uart access, recon"][33]
  - ["orbi hunting 0x1: crashes in soap-api"][34]
  - ["nday exploit: netgear orbi unauthenticated command injection (cve-2020-27861)"][35]
  - ["nday exploit: libinput format string bug, canary leak exploit (cve-2022-1215)"][63]
- ["NFC Relay Attack on Tesla Model Y"][574]
- ["Nightmare: One Byte to ROP // Deep Dive Edition"][582]
- ["Overview of GLIBC heap exploitation techniques"][239]
- ["Parsing TFTP in Rust"][624]
- ["Patching, Instrumenting & Debugging Linux Kernel Modules"][483]
- ["PCIe DMA Attack against a secured Jetson Nano (CVE-2022-21819)"][649]
- ["pipe_buffer arbitrary read write"][282]
- "Pixel 6 Bootloader"
  - ["Booting up"][286]
  - ["Emulation, ROP"][287]
  - ["Exploitation"][288]
- ["Port knocking from the scratch"][227]
- ["Pulling MikroTik into the Limelight"][120]
- ["Racing against the clock -- hitting a tiny kernel race window"][492]
- ["Replicating CVEs with KLEE"][763]
- ["Reversing C++, Qt based applications using Ghidra"][586]
- ["Racing Cats to the Exit: A Boring Linux Kernel Use-After-Free"][406]
- ["Replicant: Reproducing a Fault Injection"][675]
- ["Researching Xiaomi’s Tee to Get to Chinese Money"][274]
- "Reversing embedded device bootloader (U-Boot)":
  - [Part 1][162]
  - [Part 2][163]
- ["Reverse Engineering a Cobalt Strike Dropper With Binary Ninja"][368]
- ["Reverse engineering an EV charger"][606]
- "Reverse Engineering Dark Souls 3":
  - ["Connection"][670]
  - ["Packets"][671]
  - ["Key Exchange"][672]
  - ["Reliable UDP"][673]
- ["Reverse engineering integrity checks in Black Ops 3"][220]
- ["Reverse engineering thermal printers"][245]
- ["Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage"][491]
- ["SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)"][484]
- ["Shedding Light on Huawei's Security Hypervisor"][434]
- ["Shikitega - New stealthy malware targeting Linux"][438]
- ["side channels: power analysis"][380]
- ["side channels: using the chipwhisperer"][381]
- ["SIM Hijacking"][579]
- ["Spoofing Call Stacks To Confuse EDRs"][431]
- ["SROP Exploitation with radare2"][770]
- ["Stealing the Bitlocker key from a TPM"][505]
- ["Stranger Strings: An exploitable flaw in SQLite"][588]
- ["Survey of security mitigations and architectures, December 2022"][644]
- ["Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat"][461]
- ["Tetsuji: Remote Code Execution on a GameBoy Colour 22 Years Later"][226]
- ["The Dirty Pipe Vulnerability"][321]
- ["The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022"][772]
- ["The Old, The New and The Bypass - One-click/Open-redirect to own Samsung S22 at Pwn2Own 2022"][36]
- ["TheHole New World - how a small leak will sink a great browser (CVE-2021-38003)"][751]
- "The toddler’s introduction to Heap exploitation":
  - ["Part 1"][339]
  - ["Part 2"][340]
  - ["Overflows"][341]
  - ["Use After Free & Double free"][342]
  - ["FastBin Dup to Stack"][343]
  - ["FastBin Dup Consolidate"][344]
  - ["Unsafe Unlink"][345]
  - ["House of Spirit"][346]
  - ["House of Lore"][347]
- ["TP-Link Tapo c200 Camera Unauthenticated RCE (CVE-2021-4045)"][553]
- ["Tracing and Manipulating with DynamoRIO"][750]
- ["Trying To Exploit A Windows Kernel Arbitrary Read Vulnerability"][312]
- ["Turning Google smart speakers into wiretaps for $100k"][18]
- ["UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice"][633]
- ["Vulnerabilities and Hardware Teardown of GL.iNET GL-MT300N-V2 Router"][126]
- "Vulnerabilities in BMC Firmware Affect OT/IoT Device Security":
  - [Part 1][496]
  - [Part 2][497]
- ["Vulnerability Details for CVE-2022-41218"][563]
- ["Vulnerabilities in Tenda's W15Ev2 AC1200 Router"][127]
- ["When an N-Day turns into a 0day"][642]
- ["WPAxFuzz: Sniffing Out Vulnerabilities in Wi-Fi Implementations"][764]
- ["Write a Linux firewall from scratch based on Netfilter"][313]
- ["Yet another bug into Netfilter"][457]
- ["Xiongmai IoT Exploitation"][650]
- ["Zyxel authentication bypass patch analysis (CVE-2022-0342)"][632]

## 2021

- "A dive into the PE file format":
  - ["Introduction"][332]
  - ["DOS Header, DOS Stub and Rich Header"][333]
  - ["NT Headers"][334]
  - ["Data Directories, Section Headers and Sections"][335]
  - ["Imports (Import Directory Table, ILT, IAT)"][336]
  - ["PE Base Relocations"][337]
  - ["Writing a PE Parser"][338]
- ["A Nerve-Racking Bug Collision in Samsung's NPU Driver"][855]
- "A Practical Approach to Attacking IoT Embedded Designs":
  - [Part 1][721]
  - [Part 2][722]
- ["Attacking Samsung RKP"][909]
- ["Automatic unpacking with Qiling framework"][558]
- ["BRAKTOOTH: Causing Havoc on Bluetooth Link Manager"][755]
- ["Breaking 64 bit aslr on Linux x86-64"][234]
- ["Bypassing GLIBC 2.32’s Safe-Linking Without Leaks into Code Execution: The House of Rust"][375]
- ["Complete Guide to Stack Buffer Overflow (OSCP Preparation)"][317]
- ["CVE-2020-3992 & CVE-2021-21974: Pre-auth Remote Code Execution in VMWare esxi"][561]
- ["CVE-2021–20226 a reference counting bug which leads to local privilege escalation in io_uring."][179]
- ["CVE-2021-22555: Turning \x00\x00 into 10000$"][977]
- ["Da Vinci Hits a Nerve: Exploiting Huawei’s NPU Driver"][756]
- "Digging into Linux namespaces":
  - [Part 1][157]
  - [Part 2][158]
- ["Exploiting crash handlers: LPE on Ubuntu"][760]
- ["Extending Ghidra Part 1: Setting up a Development Environment"][655]
- ["Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel"][252]
- "Fuzzing101 with LibAFL":
  - ["Fuzzing Xpdf"][468]
  - ["Speed Improvements to Part I"][469]
  - ["Fuzzing libexif"][470]
- ["Getting to know memblock"][771]
- "Ghidra 101":
  - ["Cursor Text Highlighting"][416]
  - ["Slice Highlighting"][417]
  - ["Decoding Stack Strings"][418]
  - ["Loading Windows Symbols (PDB files)"][419]
  - ["Creating Structures in Ghidra"][420]
  - ["Loading Windows Symbols (PDB files) in Ghidra 10.x"][421]
- ["GRCON 2021 - Capture the Signal"][403]
- "Hacking the Furbo Dog Camera":
  - [Part 1][744]
  - [Part 2][745]
  - [Part 3][746]
- ["How AUTOSLAB Changes the Memory Unsafety Game"][536]
- "Learning Linux Kernel Exploitation":
  - [Part 1][83]
  - [Part 2][84]
  - [Part 3][85]
- "LinkSys EA6100 AC1200":
  - [Part 1][740]
  - [Part 2][741]
- ["Linux Internals: How /proc/self/mem writes to unwritable memory"][631]
- "Linux Kernel Exploitation":
  - ["Debugging the Kernel with QEMU"][25]
  - ["Smashing Stack Overflows in the Kernel"][26]
  - ["Controlling RIP and Escalating privileges via Stack Overflow"][27]
- "Live Debugging Techniques for the Linux Kernel"
  - [Part 1][470]
  - [Part 2][471]
  - [Part 3][472]
- "Malware development (0xPat)"
  - [Part 1][792]
  - [Part 2][793]
  - [Part 3][794]
  - [Part 4][795]
  - [Part 5][796]
  - [Part 6][797]
  - [Part 7][798]
  - [Part 8][799]
  - [Part 9][800]
- ["mooosl"][602]
- ["My RCE PoC walkthrough for (CVE-2021–21974) VMware ESXi OpenSLP heap-overflow vulnerability"][560]
- ["New Linux Backdoor RedXOR Likely Operated by Chinese Nation-State Actor"][440]
- ["New Old Bugs in the Linux Kernel"][305]
- ["Privilege escalation with polkit: How to get root on Linux with a seven-year-old bug"]
- ["Pwn2Own Tokyo 2020: Defeating the TP-link AC1750"][555]
- ["Recovering a Full PEM Private key when Half of it is Redacted"][96]
- ["Reverse Engineering an Unknown Microcontroller"][645]
- "Reverse Engineering Bare-Metal Firmware":
  - [Part 1][142]
  - [Part 2][143]
  - [Part 3][144]
- ["Reverse Engineering Yaesu FT-70D Firmware Encryption"][147]
- "Syzkaller diving":
  - [Part 1][423]
  - [Part 2][424]
  - [Part 3][425]
- ["The Art of Exploiting UAF by Ret2bpf in Android Kernel"][595]
- ["The Oddest Place You Will Ever Find PAC"][306]
- ["Unveiling Evasive Techniques Employed by Malicious Linux Shell Scripts"][888]
- "VMProtect 2"
  - [Part 1][960]
  - [Part 2][961]
- ["Wall Of Perdition: Utilizing msg_msg Objects For Arbitrary Read And Arbitrary Write In The Linux Kernel"][251]

## 2020

- "A Deep Dive Into Samsung's TrustZone"
  - [Part 1][487]
  - [Part 2][488]
  - [Part 3][489]
- ["An iOS hacker tries Android"][856]
- "BGET Explained Binary Heap Exploitation on OP-TEE":
  - [Part 1][187]
  - [Part 2][188]
- ["BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution"][372]
- ["Building a Basic C2"][1057]
- ["CyRC analysis: CVE-2020-7958 biometric data extraction in Android devices"][890]
- ["CVE-2020-16040 Analysis & Exploitation"][725]
- ["Espressif ESP32: Bypassing Encrypted Secure Boot (CVE-2020-13629)"][641]
- ["Espressif ESP32: Bypassing Secure Boot using EMFI"][638]
- ["Espressif ESP32: Bypassing Flash Encryption (CVE-2020-15048)"][640]
- ["Espressif ESP32: Controlling PC during Secure Boot"][639]
- ["Detecting Linux memfd_create() Fileless Malware with Command Line Forensics"][430]
- ["Exception(al) Failure - Breaking the STM32F1 Read-Out Protection"][161]
- ["Flashback Connects - Cisco RV340 SSL VPN RCE"][525]
- "Hardware Debugging for Reverse Engineers":
  - ["SWD, OpenOCD and Xbox One Controllers"][634]
  - ["JTAG, SSDs and Firmware Extraction"][635]
- ["Hardware Hacking 101: Identifying and Dumping eMMC Flash"][87]
- ["House of Muney - Leakless Heap Exploitation Technique"][181]
- ["Learning to Decapsulate Integrated Circuits Using Acid Deposition"][727]
- ["Loading Dynamic Libraries on Mac"][458]
- ["Minesweeper - TP-Link Archer C7 LAN RCE"][446]
- ["My Methods To Achieve Persistence In Linux Systems"][247]
- "nRF52 Debug Resurrection":
  - [Part 1][279]
  - [Part 2][280]
- ["NTLM Relay"][56]
- "Patch Diffing a Cisco RV110W Firmware Update"
  - [Part 1][506]
  - [Part 2][507]
- ["Norec Attack: Stripping BLE encryption from Nordic’s Library (CVE-2020–15509)"][783]
- ["ret2dl_resolve x64: Exploiting Dynamic Linking Procedure In x64 ELF Binaries"][370]
- ["Safe-linking – Eliminating a 20 Year-old malloc() Exploit Primitive"][780]
- ["SSHD Injection and Password Harvesting"][230]
- ["There’s A Hole In Your SoC: Glitching The MediaTek BootROM"][737]
- ["Weekend Destroyer - RCE in Western Digital PR4100 NAS"][447]
- ["What're you telling me, Ghidra?"][358]

## 2019

- ["Breaking out of Docker via runC – Explaining CVE-2019-5736"][369]
- "Executable and Linkable Format 101":
  - ["Sections and Segments"][135]
  - ["Symbols"][136]
  - ["Relocations"][137]
  - ["Dynamic Linking"][138]
- ["Exploiting Qualcomm WLAN and Modem Over the Air"][773]
- ["Hacking microcontroller firmware through a USB"][243]
- ["Hardening Secure Boot on Embedded Devices for Hostile Environments"][175]
- ["How to Weaponize the Yubikey"][743]
- ["Pew Pew Pew: Designing Secure Boot Securely"][176]
- ["Pwn the ESP32 crypto-core"][757]
- ["Pwn the ESP32 Secure Boot"][289]
- ["Reverse Engineering Architecture And Pinout of Custom Asics"][398]
- ["Reverse-engineering Broadcom wireless chipsets"][200]
- ["Reverse Engineering of a Not-so-Secure IoT Device"][607]
- "Virtualization Internals":
  - [Part 1][216]
  - [Part 2][217]
  - [Part 3][218]
  - [Part 4][219]

## 2018

- ["A Deep dive into (implicit) Thread Local Storage"][581]
- ["A Guide to ARM64 / AArch64 Assembly on Linux with Shellcodes and Cryptography"][464]
- "ARM Exploitation":
  - ["Return oriented Programming"][788]
  - ["Setup and Tools"][789]
  - ["Defeating DEP - execute system()"][790]
  - ["Defeating DEP - executing mprotect()"][791]
- "CVE-2017-11176: A step-by-step Linux Kernel exploitation":
  - [Part 1][19]
  - [Part 2][20]
  - [Part 3][21]
  - [Part 4][22]
- ["eMMC Data Recovery from Damaged Smartphone"][88]
- ["Kinibi TEE: Trusted Application Exploitation"][781]
- ["My journey towards Reverse Engineering a Smart Band — Bluetooth-LE RE"][302]
- ["Reverse Engineering BLE Devices"][761]
- "Reversing ESP8266 Firmware":
  - [Part 1][545]
  - [Part 2][546]
  - [Part 3][547]
  - [Part 4][548]
  - [Part 5][549]
  - [Part 6][550]
- "Vectorized Emulation":[438]
  - ["Hardware accelerated taint tracking at 2 trillion instructions per second"][382]
  - ["MMU Design"][383]

## 2017

- ["Escalating Privileges in Linux using Fault Injection"][774]
- ["Hardware hacking tutorial: Dumping and reversing firmware"][557]
- ["HiSilicon DVR hack"][236]
- ["How I Reverse Engineered and Exploited a Smart Massager"][301]
- ["Linux Heap Exploitation Intro Series: Riding free on the heap – Double free attacks!"][622]
- ["Linux ptrace introduction AKA injecting into sshd for fun"][229]
- "Over The Air":
  - ["Exploiting Broadcom’s Wi-Fi Stack (Part 1)"][539]
  - ["Exploiting Broadcom’s Wi-Fi Stack (Part 2)"][540]
  - ["Exploiting The Wi-Fi Stack on Apple Devices"][541]

## 2016

- ["Bypassing Secure Boot using Fault Injection"][174]
- ["munmap madness"][199]
- ["Implementation of Signal Handling"][23]
- "Practical Reverse Engineering"
  - ["Digging Through the Firmware"][114]
  - ["Scouting the Firmware"][115]
  - ["Following the Data"][116]
  - ["Dumping the Flash"][117]
  - ["Digging Through the Firmware"][118]
- ["Understanding and Hardening Linux Containers"][50]

## 2014

- ["ret2dir: Rethinking Kernel Isolation"][384]

## 2011

- ["Load-time relocation of shared libraries"][592]
- ["Position Independent Code (PIC) in shared libraries"][593]

## Misc

- [0xtriboulet][619]
- ["A Noobs Guide to ARM Exploitation"][241]
- ["Advanced binary fuzzing using AFL++-QEMU and libprotobuf: a practical case of grammar-aware in-memory persistent fuzzing"][71]
- ["Advanced Compilers: The Self-Guided Online Course"][298]
- ["Analysis of a LoadLibraryA Stack String Obfuscation Technique with Radare2 & x86dbg"][559]
- ["Android Kernel Exploitation"][571]
- [Anti-Debug Tricks][585]
- ["ARM TrustZone: pivoting to the secure world"][304]
- ["ARMv8 AArch64/ARM64 Full Beginner's Assembly Tutorial"][927]
- [Awesome binary parsing][769]
- [Awesome Executable Packing][717]
- [Awesome Industrial Protocols][510]
- ["Brute Ratel - Scandinavian Defence"][436]
- [Comprehensive Rust][620]
- [cryptopals][1022]
- [CVE North Stars][708]
- ["Debugger Ghidra Class"][232]
- [DhavalKapil/heap-exploitation][363]
- [Diffing Portal][378]
- [exploit_mitigations][526]
- ["fenrir"][1169]
- [Ghidriff - Ghidra Binary Diffing Engine][490]
- ["Grand Theft Auto A peek of BLE relay attack"][433]
- ["Hands-on Firmware Extraction, Exploration, and Emulation"][979]
- [ice9-bluetooth-sniffer][437]
- "Illustrated Connections":
  - [dtls][519]
  - [quic][518]
  - [tls 1.2][521]
  - [tls 1.3][520]
- "Introduction to encryption for embedded Linux"
  - ["Introduction to encryption for embedded Linux developers"][0]
  - ["A hands-on approach to symmetric-key encryption"][1]
  - ["Asymmetric-Key Encryption and Digital Signatures in Practice"][2]
- ["Introduction to Malware Analysis and Reverse Engineering"][407]
- ["Kernel Address Space Layout Derandomization"][529]
- ["Kernel Exploit Recipes Notebook"][776]
- ["Laser-Based Audio Injection on Voice-Controllable Systems"][328]
- [Linux Kernel CVEs][385]
- ["Linux kernel exploit development"][573]
- ["Linux Kernel map"][225]
- ["Linux Insides"][246]
- ["Linux Privilege Escalation"][982]
- ["Linux Syscalls Reference"][17]
- ["Lytro Unlock - Making a bad camera slightly better"][373]
- ["Minimizing Rust Binary Size"][476]
- ["mjsxj09cm Recovering Firmware And Backdooring"][62]
- ["Offensive security (0xtriboulet)"][405]
- ["Operating System development tutorials in Rust on the Raspberry Pi"][357]
- ["parking-game-fuzzer"][1159]
- ["Practical Cryptography for Developers"][785]
- [Red-Team-Infrastructure-Wiki][498]
- ["Reverse Engineering For Everyone!"][399]
- ["Reverse Engineering WiFi on RISC-V BL602"][617]
- ["Rust Atomics and Locks"][651]
- ["RustRedOps"][686]
- ["Satellite Hacking Demystified (RTC0007)"][221]
- [TEE Reversing][263]
- ["THC's favourite Tips, Tricks & Hacks (Cheat Sheet)"][258]
- [tmpout.sh][515]: collection of writeups on low-level stuff
- ["Trail of Bits Testing Handbook"][724]
- [TripleCross][696]
- [USB-WiFi][329]
- ["VSS: Beginners Guide to Building a Hardware Hacking Lab"][249]
- ["WinDBG quick start tutorial"][485]

## Other Lists

* [Exploitation](topics/exploitation.md): resources dedicated to the world of binary exploitation
* [Linux Kernel](topics/linux_kernel.md): collection of resources dedicated to Linux kernel (internals)
* [Wireless](topics/wireless.md): resources dedicated to wireless technologies and security
* [OT/IoT Security](topics/ot_security.md)
* [Red Teaming and Offensive Security](topics/red-team-adversary-emulation.md)

[0]: https://sergioprado.blog/introduction-to-encryption-for-embedded-linux-developers/
[1]: https://sergioprado.blog/a-hands-on-approach-to-symmetric-key-encryption/
[2]: https://sergioprado.blog/asymmetric-key-encryption-and-digital-signatures-in-practice/
[3]: https://sysprog21.github.io/lkmpg/
[4]: https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_1_1_yamashige-nakatani-tanaka_en.pdf
[5]: http://conference.hitb.org/files/hitbsecconf2023ams/materials/D1T1%20-%20Your%20Not%20So%20Home%20Office%20-%20Soho%20Hacking%20at%20Pwn2Own%20-%20McCaulay%20Hudson%20&%20Alex%20Plaskett.pdf
[7]: https://www.synacktiv.com/publications/exploring-android-heap-allocations-in-jemalloc-new
[8]: https://www.synacktiv.com/en/publications/behind-the-shield-unmasking-scudos-defenses
[10]: https://idov31.github.io/2022/07/14/lord-of-the-ring0-p1.html
[11]: https://idov31.github.io/2022/08/04/lord-of-the-ring0-p2.html
[12]: https://idov31.github.io/2022/10/30/lord-of-the-ring0-p3.html
[13]: https://idov31.github.io/2023/02/24/lord-of-the-ring0-p4.html
[14]: https://idov31.github.io/2023/07/19/lord-of-the-ring0-p5.html
[15]: https://llsoftsec.github.io/llsoftsecbook/
[16]: https://blog.lexfo.fr/sshimpanzee.html
[17]: https://syscalls.mebeim.net/?table=x86/64/x64/v6.5
[18]: https://downrightnifty.me/blog/2022/12/26/hacking-google-home.html
[19]: https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html
[20]: https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part2.html
[21]: https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part3.html
[22]: https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part4.html
[23]: http://courses.cms.caltech.edu/cs124/lectures-wi2016/CS124Lec15.pdf
[24]: https://makefiletutorial.com
[25]: https://blog.k3170makan.com/2020/11/linux-kernel-exploitation-0x0-debugging.html
[26]: http://blog.k3170makan.com/2020/11/linux-kernel-exploitation-0x1-smashing.html
[27]: https://blog.k3170makan.com/2021/01/linux-kernel-exploitation-0x2.html
[28]: https://github.com/NationalSecurityAgency/ghidra/tree/master/GhidraDocs/GhidraClass/Debugger
[29]: https://robocoffee.de/?p=436
[30]: https://www.trustedsec.com/blog/red-vs-blue-kerberos-ticket-times-checksums-and-you
[31]: https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet
[32]: https://medium.com/@INTfinitySG/fortinet-series-3-cve-2022-42475-sslvpn-exploit-strategy-2578597f892f
[33]: http://blog.coffinsec.com/research/2022/06/12/orbi-hunting-0-intro-uart.html
[34]: http://blog.coffinsec.com/research/2022/06/19/orbi-hunting-1-soap-api-crashes.html
[35]: http://blog.coffinsec.com/research/2022/07/02/orbi-nday-exploit-cve-2020-27861.html
[36]: https://starlabs.sg/blog/2023/06-the-old-the-new-and-the-bypass-one-clickopen-redirect-to-own-samsung-s22-at-pwn2own-2022/
[37]: https://download.vusec.net/papers/uncontained_sec23.pdf
[38]: https://mccaulay.co.uk/mast1c0re-introduction-exploiting-the-ps4-and-ps5-through-a-gamesave/
[39]: https://mccaulay.co.uk/mast1c0re-part-1-modifying-ps2-game-save-files/
[40]: https://mccaulay.co.uk/mast1c0re-part-2-arbitrary-ps2-code-execution/
[41]: https://mccaulay.co.uk/mast1c0re-part-3-escaping-the-emulator/
[42]: https://jfrog.com/blog/openssh-pre-auth-double-free-cve-2023-25136-writeup-and-proof-of-concept/
[43]: https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-1-fuzzing-gegl-with-fuzzuf.html
[44]: https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-2-evaluating-performance.html
[45]: https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-3-patch-analysis-and-poc.html
[46]: https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-4-hunting-and-exploiting-0.html
[47]: https://boschko.ca/qemu-emulating-firmware/
[48]: https://labs.bluefrostsecurity.de/revisiting-cve-2017-11176
[49]: https://www.cyberark.com/resources/threat-research-blog/a-deep-dive-into-penetration-testing-of-macos-applications-part-1
[50]: https://research.nccgroup.com/wp-content/uploads/episerver-images/assets/ad04beb697a64e3ea20579e5bf604b4e/ad04beb697a64e3ea20579e5bf604b4e.pdf
[51]: https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html
[52]: https://labs.withsecure.com/publications/executing-arbitrary-code-executables-in-read-only-filesystems
[53]: https://axcheron.github.io/linux-shellcode-101-from-hell-to-shell/
[54]: https://aviii.hashnode.dev/the-art-of-fuzzing-a-step-by-step-guide-to-coverage-guided-fuzzing-with-libfuzzer
[55]: https://boschko.ca/shambles/
[56]: https://en.hackndo.com/ntlm-relay/
[57]: https://bushido-sec.com/index.php/2023/06/19/the-art-of-fuzzing/
[58]: https://offsec.almond.consulting/windows-msiexec-eop-cve-2020-0911.html
[59]: https://github.blog/2023-07-05-introduction-to-selinux/
[60]: https://www.wiz.io/blog/linux-rootkits-explained-part-1-dynamic-linker-hijacking
[61]: https://cutesmilee.github.io/kernel/linux/android/2022/02/17/cve-2019-2215_writeup.html
[62]: https://whiterose-infosec.super.site/mjsxj09cm-recovering-firmware-and-backdooring
[63]: http://blog.coffinsec.com/nday/2022/08/04/CVE-2022-1215-libinput-fmt-canary-leak.html
[64]: https://pberba.github.io/security/2021/11/22/linux-threat-hunting-for-persistence-sysmon-auditd-webshell/
[65]: https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
[66]: https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/
[67]: https://pberba.github.io/security/2022/02/06/linux-threat-hunting-for-persistence-initialization-scripts-and-shell-configuration/
[68]: https://pberba.github.io/security/2022/02/07/linux-threat-hunting-for-persistence-systemd-generators/
[69]: https://www.espressif.com/sites/default/files/documentation/ESP32-C3%20Wireless%20Adventure.pdf
[70]: https://blog.quarkslab.com/for-science-using-an-unimpressive-bug-in-edk-ii-to-do-some-fun-exploitation.html
[71]: https://airbus-seclab.github.io/AFLplusplus-blogpost/
[72]: https://labs.bluefrostsecurity.de/blog/cve-2023-2008.html
[73]: https://cs.brown.edu/~vpk/papers/epf.atc23.pdf
[74]: https://remyhax.xyz/posts/obscure-win-files/
[75]: https://github.com/google/security-research/tree/master/pocs/cpus/spectre-gadgets
[76]: https://offsec.almond.consulting/ghostscript-cve-2023-28879.html
[77]: https://boredpentester.com/retreading-the-amlogic-a113x-trustzone-exploit-process/
[78]: https://haxx.in/posts/dumping-the-amlogic-a113x-bootrom/
[79]: https://bd103.github.io/blog/2023-06-27-global-allocators
[80]: https://labs.watchtowr.com/xortigate-or-cve-2023-27997/
[81]: https://starlabs.sg/blog/2023/06-breaking-the-code-exploiting-and-examining-cve-2023-1829-in-cls_tcindex-classifier-vulnerability/
[82]: https://act-on.ioactive.com/acton/attachment/34793/f-b1aa96d0-bd78-4518-bae3-2889aae340de/1/-/-/-/-/DroneSec-GGonzalez.pdf
[83]: https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/
[84]: https://lkmidas.github.io/posts/20210128-linux-kernel-pwn-part-2/
[85]: https://lkmidas.github.io/posts/20210205-linux-kernel-pwn-part-3/
[86]: https://markuta.com/eero-6-hacking-part-1/
[87]: https://riverloopsecurity.com/blog/2020/03/hw-101-emmc/
[88]: https://dangerouspayload.com/2018/10/24/emmc-data-recovery-from-damaged-smartphone/
[89]: https://bushido-sec.com/index.php/2023/06/25/the-art-of-fuzzing-windows-binaries/
[90]: https://papers.mathyvanhoef.com/usenix2023-wifi.pdf
[91]: https://research.aurainfosec.io/pentest/bee-yond-capacity/
[92]: https://blog.trailofbits.com/2023/06/15/finding-bugs-with-mlir-and-vast/
[93]: https://labs.hakaioffsec.com/coffee-a-coff-loader-made-in-rust/
[94]: https://biriukov.dev/docs/page-cache/0-linux-page-cache-for-sre/
[95]: https://frycos.github.io/vulns4free/2023/06/18/fortinac.html
[96]: https://blog.cryptohack.org/twitter-secrets
[97]: https://labs.ioactive.com/2023/06/back-to-future-with-platform-security.html
[98]: https://www.wiz.io/blog/pyloose-first-python-based-fileless-attack-on-cloud-workloads
[99]: https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/
[100]: https://www.zerodayinitiative.com/blog/2023/4/5/bash-privileged-mode-vulnerabilities-in-parallels-desktop-and-cdpath-handling-in-macos
[101]: https://programmingwithstyle.com/posts/howihackedmycar/
[102]: https://programmingwithstyle.com/posts/howihackedmycarpart2/
[103]: https://programmingwithstyle.com/posts/howihackedmycarpart3/
[104]: https://programmingwithstyle.com/posts/howihackedmycarpart4/
[105]: https://programmingwithstyle.com/posts/howihackedmycarpart5/
[106]: https://programmingwithstyle.com/posts/myhackedcarisdoomed/
[107]: https://8ksec.io/arm64-reversing-and-exploitation-part-1-arm-instruction-set-simple-heap-overflow/
[108]: https://8ksec.io/arm64-reversing-and-exploitation-part-2-use-after-free/
[109]: https://8ksec.io/arm64-reversing-and-exploitation-part-3-a-simple-rop-chain/
[110]: https://8ksec.io/arm64-reversing-and-exploitation-part-4-using-mprotect-to-bypass-nx-protection-8ksec-blogs/
[111]: https://8ksec.io/arm64-reversing-and-exploitation-part-5-writing-shellcode-8ksec-blogs/
[112]: https://8ksec.io/arm64-reversing-and-exploitation-part-6-exploiting-an-uninitialized-stack-variable-vulnerability/
[113]: https://8ksec.io/arm64-reversing-and-exploitation-part-7-bypassing-aslr-and-nx/
[114]: http://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/
[115]: https://jcjc-dev.com/2016/04/29/reversing-huawei-router-2-scouting-firmware/
[116]: https://jcjc-dev.com/2016/05/23/reversing-huawei-3-sniffing/
[117]: https://jcjc-dev.com/2016/06/08/reversing-huawei-4-dumping-flash/
[118]: https://jcjc-dev.com/2016/12/14/reversing-huawei-5-reversing-firmware/
[119]: https://qriousec.github.io/post/vbox-pwn2own-2023/
[120]: https://margin.re/2022/06/pulling-mikrotik-into-the-limelight/
[121]: https://medium.com/@cy1337/a-guide-to-reversing-shared-objects-with-ghidra-cec83d5031e6
[122]: https://medium.com/@cy1337/reversing-a-simple-crackme-with-ghidra-decompiler-5dd1b1c3c0ba
[123]: https://medium.com/@cy1337/vulnerability-hunting-with-ghidra-fb3fc53470ba
[124]: https://medium.com/@cy1337/patching-a-bug-from-a-ghidra-listing-8496e529224a
[125]: https://medium.com/@cy1337/vulnerability-analysis-with-ghidra-scripting-ccf416cfa56d
[126]: https://boschko.ca/glinet-router/
[127]: https://boschko.ca/tenda_ac1200_router/
[128]: https://intezer.com/blog/malware-analysis/malware-reverse-engineering-beginners/
[129]: https://intezer.com/blog/incident-response/malware-reverse-engineering-for-beginners-part-2/
[130]: https://www.zerodayinitiative.com/blog/2023/8/1/exploiting-a-flaw-in-bitmap-handling-in-windows-user-mode-printer-drivers
[131]: https://linux-kernel-labs.github.io/refs/heads/master/index.html
[132]: https://blog.syss.com/posts/hacking-usb-flash-drives-part-1/
[133]: https://blog.syss.com/posts/hacking-usb-flash-drives-part-2/
[134]: https://eventhelix.com/rust/
[135]: https://intezer.com/blog/research/executable-linkable-format-101-part1-sections-segments/
[136]: https://intezer.com/blog/malware-analysis/executable-linkable-format-101-part-2-symbols/
[137]: https://intezer.com/blog/malware-analysis/executable-and-linkable-format-101-part-3-relocations/
[138]: https://intezer.com/blog/malware-analysis/executable-linkable-format-101-part-4-dynamic-linking/
[139]: https://secret.club/2023/06/05/spoof-pe-sections.html
[140]: https://github.com/imthenachoman/How-To-Secure-A-Linux-Server
[141]: https://reversing.info/posts/guardedregions/
[142]: https://ragnarsecurity.medium.com/reverse-engineering-bare-metal-kernel-images-part-2-6a52a4afa3ef
[143]: https://ragnarsecurity.medium.com/reverse-engineering-bare-metal-kernel-images-part-2-6a52a4afa3ef
[144]: https://medium.com/geekculture/reverse-engineering-bare-metal-firmware-part-3-analyzing-arm-assembly-and-exploiting-3b2dbe219f19
[145]: https://embeddedsecurity.io
[146]: https://research.nccgroup.com/2023/05/23/offensivecon-2023-exploit-engineering-attacking-the-linux-kernel/
[147]: https://landaire.net/reversing-yaesu-firmware-encryption/
[148]: https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
[149]: https://blog.the.al/2023/01/01/ds4-reverse-engineering.html
[150]: https://blog.the.al/2023/01/02/ds4-reverse-engineering-part-2.html
[151]: https://blog.the.al/2023/01/03/ds4-reverse-engineering-part-3.html
[152]: https://educatedguesswork.org/posts/nat-part-1/
[153]: https://educatedguesswork.org/posts/nat-part-2/
[154]: https://educatedguesswork.org/posts/nat-part-3/
[155]: https://educatedguesswork.org/posts/nat-part-4/
[156]: https://github.com/ihebski/A-Red-Teamer-diaries
[157]: https://blog.quarkslab.com/digging-into-linux-namespaces-part-1.html
[158]: https://blog.quarkslab.com/digging-into-linux-namespaces-part-2.html
[159]: https://github.com/bsauce/kernel-exploit-factory
[160]: https://icanhack.nl/blog/dji-rm500-privilege-escalation/
[161]: https://blog.zapb.de/stm32f1-exceptional-failure/
[162]: https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.1/
[163]: https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.2/
[164]: https://securityintelligence.com/x-force/dissecting-exploiting-tcp-ip-rce-vulnerability-evilesp/
[165]: https://mutur4.github.io/posts/linux-malware-development/edr/
[166]: https://jcjc-dev.com/2023/03/19/reversing-domyos-el500-elliptical/
[167]: https://exploiter.dev/blog/2022/CVE-2022-2602.html
[168]: https://blog.hacktivesecurity.com/index.php/2022/12/21/cve-2022-2602-dirtycred-file-exploitation-applied-on-an-io_uring-uaf/
[169]: https://github.com/michalmalik/linux-re-101
[170]: https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023
[171]: https://arxiv.org/pdf/2301.13346.pdf
[172]: https://alice.climent-pommeret.red/posts/process-killer-driver/
[173]: https://web.archive.org/web/20230628130110/https://www.ambionics.io/blog/hacking-watchguard-firewalls
[174]: https://raelize.com/upload/research/2016/2016_BlackHat-EU_Bypassing-Secure-Boot-Using-Fault-Injection_NT-AS.pdf
[175]: https://raelize.com/upload/research/2019/2019_BlueHat-IL_Hardening-Secure-Boot-on-Embedded-Devices-for-Hostile-Environments_NT-AS-CM.pdf
[176]: https://raelize.com/upload//research/2019/2019_Designing-Secure-Boot-Securely_NT-AS.pdf
[177]: https://securityintelligence.com/x-force/msmq-queuejumper-rce-vulnerability-technical-analysis/#
[178]: https://h0mbre.github.io/kCTF_Data_Only_Exploit/#
[179]: https://flattsecurity.medium.com/cve-2021-20226-a-reference-counting-bug-which-leads-to-local-privilege-escalation-in-io-uring-e946bd69177a
[180]: https://starlabs.sg/blog/2023/08-ikea-sonos-symfonisk-speaker-lamp-teardown/
[181]: https://maxwelldulin.com/BlogPost/House-of-Muney-Heap-Exploitation
[182]: https://blog.assetnote.io/2023/07/04/citrix-sharefile-rce/
[183]: https://www.trendmicro.com/en_ph/research/23/g/detecting-bpfdoor-backdoor-variants-abusing-bpf-filters.html
[184]: https://starlabs.sg/blog/2023/07-prctl-anon_vma_name-an-amusing-heap-spray/
[185]: https://0xkol.github.io/assets/files/Racing_Against_the_Lock__Exploiting_Spinlock_UAF_in_the_Android_Kernel.pdf
[186]: https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt
[187]: https://phi1010.github.io/2020-09-14-bget-exploitation/
[188]: https://phi1010.github.io/2020-11-02-bget-exploitation-2/
[189]: https://eshard.com/posts/sca-attacks-on-armv8
[190]: https://research.nccgroup.com/2022/02/17/bypassing-software-update-package-encryption-extracting-the-lexmark-mc3224i-printer-firmware-part-1/
[191]: https://research.nccgroup.com/2022/02/18/analyzing-a-pjl-directory-traversal-vulnerability-exploiting-the-lexmark-mc3224i-printer-part-2/
[192]: https://www.synacktiv.com/publications/escaping-from-bhyve.html
[193]: http://blog.coffinsec.com/0day/2023/05/31/minidlna-heap-overflow-rca.html
[194]: http://blog.coffinsec.com/0day/2023/06/19/minidlna-cve-2023-33476-exploits.html
[195]: https://kentindell.github.io/2023/04/03/can-injection/
[196]: https://blog.assetnote.io/2023/07/21/citrix-CVE-2023-3519-analysis/
[197]: https://blog.assetnote.io/2023/07/24/citrix-rce-part-2-cve-2023-3519/
[198]: https://vulncheck.com/blog/mikrotik-foisted-revisited
[199]: http://tukan.farm/2016/07/27/munmap-madness/
[200]: https://blog.quarkslab.com/reverse-engineering-broadcom-wireless-chipsets.html
[201]: https://starlabs.sg/blog/2023/07-a-new-method-for-container-escape-using-file-based-dirtycred/
[202]: https://www.qualys.com/2023/06/06/renderdoc/renderdoc.txt
[203]: https://devco.re/blog/2023/07/07/a-journey-into-hacking-google-search-appliance-en/
[204]: https://jbecker.dev/research/diving-into-decompilation
[205]: https://binarly.io/posts/The_Untold_Story_of_the_BlackLotus_UEFI_Bootkit/index.html
[206]: https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
[207]: http://lock.cmpxchg8b.com/zenbleed.html
[208]: https://blog.kylebot.net/2022/10/22/angry-FSROP/
[209]: https://sensepost.com/blog/2023/p4wnp1-lte/
[210]: https://tortel.li/post/insecure-scope/
[211]: https://claroty.com/team82/research/opc-ua-deep-dive-history-of-the-opc-ua-protocol
[212]: https://claroty.com/team82/research/opc-deep-dive-part-2-what-is-opc-ua
[213]: https://claroty.com/team82/research/opc-ua-deep-dive-part-3-exploring-the-opc-ua-protocol
[214]: https://claroty.com/team82/research/opc-ua-deep-dive-series-part-4-targeting-core-opc-ua-components
[215]: https://claroty.com/team82/research/opc-ua-deep-dive-series-part-5-inside-team82-s-research-methodology
[216]: https://docs.saferwall.com/blog/virtualization-internals-part-1-intro-to-virtualization/
[217]: https://docs.saferwall.com/blog/virtualization-internals-part-2-vmware-and-virtualization-using-binary-translation/
[218]: https://docs.saferwall.com/blog/virtualization-internals-part-3-xen-and-paravirtualization/
[219]: https://docs.saferwall.com/blog/virtualization-internals-part-4-qemu/
[220]: https://web.archive.org/web/20230522230748/https://momo5502.com/posts/2022-11-17-reverse-engineering-integrity-checks-in-black-ops-3/
[221]: https://redteamrecipe.com/Satellite-Hacking-Demystified/
[222]: https://www.linode.com/docs/guides/linux-red-team-exploitation-techniques/
[223]: https://www.linode.com/docs/guides/linux-red-team-privilege-escalation-techniques/
[224]: https://www.linode.com/docs/guides/linux-red-team-persistence-techniques/
[225]: https://makelinux.github.io/kernel/map/
[226]: https://xcellerator.github.io/posts/tetsuji/
[227]: https://antonio-cooler.gitbook.io/coolervoid-tavern/port-knocking-from-the-scratch
[228]: https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzing-custom-router-implant/
[229]: https://blog.xpnsec.com/linux-process-injection-aka-injecting-into-sshd-for-fun/
[230]: https://jm33.me/sshd-injection-and-password-harvesting.html
[231]: https://research.checkpoint.com/2023/rust-binary-analysis-feature-by-feature/
[232]: https://github.com/NationalSecurityAgency/ghidra/tree/master/GhidraDocs/GhidraClass/Debugger
[233]: https://bishopfox.com/blog/breaking-fortinet-firmware-encryption
[234]: https://github.com/nick0ve/how-to-bypass-aslr-on-linux-x86_64
[235]: https://steve-s.gitbook.io/0xtriboulet/just-malicious/from-c-with-inline-assembly-to-shellcode
[236]: https://github.com/tothi/pwn-hisilicon-dvr/tree/42d8325e68fdb075fe27df8a269932f9fa9601a6
[237]: https://uploads-ssl.webflow.com/64a2900ed5e9bb672af9b2ed/64d42fcc2e3fdcf3d323f3d9_All_cops_are_broadcasting_TETRA_under_scrutiny.pdf
[238]: https://fredericb.info/2022/06/breaking-secure-boot-on-google-nest-hub-2nd-gen-to-run-ubuntu.html
[239]: https://0x434b.dev/overview-of-glibc-heap-exploitation-techniques/
[240]: https://wafzsucks.medium.com/how-a-simple-k-typeconfusion-took-me-3-months-long-to-create-a-exploit-f643c94d445f
[241]: https://ad2001.gitbook.io/a-noobs-guide-to-arm-exploitation/
[242]: https://blog.theori.io/linux-kernel-exploit-cve-2022-32250-with-mqueue-a8468f32aab5
[243]: https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/
[244]: https://blog.ret2.io/2023/08/09/jtag-hacking-the-original-xbox-2023/
[245]: https://wes4m.io/posts/epson_rev/
[246]: https://0xax.gitbooks.io/linux-insides/content/
[247]: https://flaviu.io/advanced-persistent-threat/
[248]: https://grahamhelton.com/blog/ssh_agent/
[249]: https://voidstarsec.com/hw-hacking-lab/vss-lab-guide
[250]: https://ics-cert.kaspersky.com/publications/reports/2022/07/06/dynamic-analysis-of-firmware-components-in-iot-devices/
[251]: https://syst3mfailure.io/wall-of-perdition/
[252]: https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html
[253]: https://www.forescout.com/resources/l1-lateral-movement-reportg
[254]: https://www.synacktiv.com/en/publications/old-bug-shallow-bug-exploiting-ubuntu-at-pwn2own-vancouver-2023
[255]: https://research.nccgroup.com/2023/03/15/a-race-to-report-a-toctou-analysis-of-a-bug-collision-in-intel-smm/
[256]: https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-mode/
[257]: https://research.nccgroup.com/2023/08/08/intel-bios-advisory-memory-corruption-in-hid-drivers/
[258]: https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet
[259]: https://blog.quarkslab.com/attacking-titan-m-with-only-one-byte.html
[260]: https://big5-sec.github.io/posts/CVE-2023-29360-analysis/
[261]: https://blog.exodusintel.com/2023/07/20/shifting-boundaries-exploiting-an-integer-overflow-in-apple-safari/
[262]: https://blog.quarkslab.com/breaking-secure-boot-on-the-silicon-labs-gecko-platform.html
[263]: https://github.com/enovella/TEE-reversing
[264]: https://www.cyberark.com/resources/all-blog-posts/nvme-new-vulnerabilities-made-easy
[265]: https://blog.cloudflare.com/missing-manuals-io_uring-worker-pool/
[266]: https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/
[267]: https://bootlin.com/doc/training/audio/audio-slides.pdf
[268]: https://blog.quarkslab.com//starlink.html
[269]: https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter-use-after-free-in-kmalloc-cg/
[270]: https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
[271]: https://portswigger.net/research/smashing-the-state-machine
[272]: https://labs.taszk.io/articles/post/mtk_baseband_csn1_exploitation/
[273]: https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-connectivity-to-pwn-your-nas-synology-ds920-edition
[274]: https://research.checkpoint.com/2022/researching-xiaomis-tee/
[275]: https://www.cyberark.com/resources/all-blog-posts/fantastic-rootkits-and-where-to-find-them-part-1
[276]: https://www.cyberark.com/resources/all-blog-posts/fantastic-rootkits-and-where-to-find-them-part-2
[277]: https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-and-where-to-find-them-part-3-arm-edition
[278]: https://www.sonarsource.com/blog/patches-collisions-and-root-shells-a-pwn2own-adventure/
[279]: https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass/
[280]: https://limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass-part-2/
[281]: https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
[282]: https://www.interruptlabs.co.uk/articles/pipe-buffer
[283]: https://vulncheck.com/blog/openfire-cve-2023-32315
[284]: https://wrv.github.io/h26forge.pdf
[285]: https://csis.gmu.edu/ksun/publications/WiFi_Interception_SP23.pdf
[286]: https://eshard.com/posts/pixel6_bootloader
[287]: https://eshard.com/posts/pixel6bootloader-2
[288]: https://eshard.com/posts/pixel6_bootloader_3
[289]: https://limitedresults.com/2019/09/pwn-the-esp32-secure-boot/
[290]: https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacking-hardware
[291]: https://labs.hakaioffsec.com/fortigate-authentication-bypass/
[292]: https://sandflysecurity.com/blog/bpfdoor-an-evasive-linux-backdoor-technical-analysis/
[293]: https://redops.at/blog/a-story-about-tampering-edrs
[294]: https://security.humanativaspa.it/a-journey-into-iot-chip-identification-busside-and-i2c/
[295]: https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-1-discover-components-and-ports/
[296]: https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-2-firmware-dump-and-analysis/
[297]: https://securityintelligence.com/x-force/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock/
[298]: https://www.cs.cornell.edu/courses/cs6120/2020fa/self-guided/
[299]: https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
[300]: https://blog.malicious.group/automating-c2-infrastructure-with-terraform-nebula-caddy-and-cobalt-strike/
[301]: https://medium.com/@arunmag/how-i-reverse-engineered-and-exploited-a-smart-massager-ee7c9f21bf33
[302]: https://medium.com/@arunmag/my-journey-towards-reverse-engineering-a-smart-band-bluetooth-le-re-d1dea00e4de2
[303]: https://research.checkpoint.com/2023/the-blitz-tutorial-lab-on-fuzzing-with-afl/
[304]: https://blog.thalium.re/posts/pivoting_to_the_secure_world/
[305]: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
[306]: https://blog.ret2.io/2021/06/16/intro-to-pac-arm64/
[307]: https://blog.malicious.group/writing-your-own-rdi-srdi-loader-using-c-and-asm/
[308]: https://blog.scrt.ch/2023/03/17/bypassing-ppl-in-userland-again/
[309]: https://www.tecsecurity.io/blog/tp-link_ax1800
[310]: https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/
[311]: https://www.akamai.com/blog/security-research/hinatabot-uncovering-new-golang-ddos-botnet
[312]: https://starlabs.sg/blog/2022/06-trying-to-exploit-a-windows-kernel-arbitrary-read-vulnerability/
[313]: https://levelup.gitconnected.com/write-a-linux-firewall-from-scratch-based-on-netfilter-462013202686
[314]: https://blog.doyensec.com/2023/03/21/windows-installer.html
[315]: https://attl4s.github.io/assets/pdf/Understanding_a_Payloads_Life.pdf
[316]: https://blog.xilokar.info/firmware-key-extraction-by-gaining-el3.html?s=09
[317]: https://steflan-security.com/complete-guide-to-stack-buffer-overflow-oscp/
[318]: https://mahaloz.re/2023/02/25/pwnagent-netgear.html
[319]: https://blog.dixitaditya.com/manipulating-aes-traffic-using-a-chain-of-proxies-and-hardcoded-keys
[320]: https://securityintelligence.com/x-force/defining-cobalt-strike-reflective-loader/
[321]: https://dirtypipe.cm4all.com
[322]: https://www.synacktiv.com/en/publications/exploiting-a-remote-heap-overflow-with-a-custom-tcp-stack.html
[323]: https://blog.scrt.ch/2023/03/14/producing-a-poc-for-cve-2022-42475-fortinet-rce/
[324]: https://jfrog.com/blog/examining-openssh-sandboxing-and-privilege-separation-attack-surface-analysis/
[325]: https://evervault.com/blog/sha-1-gets-shattered
[326]: https://medium.com/@cq674350529/analyzing-an-old-netatalk-dsi-writeinit-buffer-overflow-vulnerability-in-netgear-router-4e9d59064584
[327]: https://seanpesce.blogspot.com/2023/03/leveraging-ssh-keygen-for-arbitrary.html
[328]: https://lightcommands.com
[329]: https://github.com/morrownr/USB-WiFi
[330]: https://blog.exatrack.com/melofee/
[331]: https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-against-smart-intercoms
[332]: https://0xrick.github.io/win-internals/pe1/
[333]: https://0xrick.github.io/win-internals/pe3/
[334]: https://0xrick.github.io/win-internals/pe4/
[335]: https://0xrick.github.io/win-internals/pe5/
[336]: https://0xrick.github.io/win-internals/pe6/
[337]: https://0xrick.github.io/win-internals/pe7/
[338]: https://0xrick.github.io/win-internals/pe8/
[339]: https://infosecwriteups.com/the-toddlers-introduction-to-heap-exploitation-part-1-515b3621e0e8
[340]: https://infosecwriteups.com/the-toddlers-introduction-to-heap-exploitation-part-2-d1f325b74286
[341]: https://infosecwriteups.com/the-toddlers-introduction-to-heap-exploitation-overflows-part-3-d3d1aa042d1e
[342]: https://medium.com/bugbountywriteup/use-after-free-13544be5a921
[343]: https://infosecwriteups.com/the-toddlers-introduction-to-heap-exploitation-fastbin-dup-to-stack-part-4-1-425592a2870b
[344]: https://infosecwriteups.com/the-toddlers-introduction-to-heap-exploitation-fastbin-dup-consolidate-part-4-2-ce6d68136aa8
[345]: https://infosecwriteups.com/the-toddlers-introduction-to-heap-exploitation-unsafe-unlink-part-4-3-75e00e1b0c68
[346]: https://infosecwriteups.com/the-toddlers-introduction-to-heap-exploitation-house-of-spirit-part-4-4-252cd8928f84
[347]: https://infosecwriteups.com/the-toddlers-introduction-to-heap-exploitation-house-of-lore-part-4-5-1b5865297057
[348]: https://jackfromeast.site/2023-01/understand-the-heap-a-beautiful-mess.html
[349]: https://madaidans-insecurities.github.io/guides/linux-hardening.html
[350]: https://medium.com/@two06/hacking-a-tapo-tc60-camera-e6ce7ca6cad1
[351]: https://voidstarsec.com/blog/intro-to-embedded-part-1
[352]: https://voidstarsec.com/blog/uart-uboot-and-usb
[353]: https://bootlin.com/doc/training/debugging/debugging-slides.pdf
[354]: https://jorengarenar.github.io/blog/less-known-c
[355]: https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
[356]: https://offensivecraft.wordpress.com/2023/02/11/the-stack-series-the-x64-stack/
[357]: https://github.com/rust-embedded/rust-raspberrypi-OS-tutorials
[358]: https://byte.how/posts/what-are-you-telling-me-ghidra/
[359]: https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-1
[360]: https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2
[361]: https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-3
[362]: https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
[363]: https://heap-exploitation.dhavalkapil.com
[364]: https://labs.taszk.io/articles/post/reunzip/
[365]: https://starlabs.sg/blog/2023/09-nftables-adventures-bug-hunting-and-n-day-exploitation/
[366]: https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html
[367]: https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-2-mitigation.html
[368]: https://binary.ninja/2022/07/22/reverse-engineering-cobalt-strike.html
[369]: https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/
[370]: https://syst3mfailure.io/ret2dl_resolve/
[371]: https://research.nccgroup.com/2023/07/20/tool-release-cartographer/
[372]: https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html
[373]: https://github.com/ea/lytro_unlock
[374]: https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/
[375]: https://c4ebt.github.io/2021/01/22/House-of-Rust.html
[376]: https://www.nozominetworks.com/blog/dji-mavic-3-drone-research-part-1-firmware-analysis
[377]: https://blog.immunityinc.com/p/a-remote-stack-overflow-in-the-linux-kernel/?ref=0xor0ne.xyz
[378]: http://diffing.quarkslab.com/?ref=0xor0ne.xyz
[379]: https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-android-exploit.html
[380]: https://ktln2.org/experiments-around-side-channels/
[381]: https://ktln2.org/side-channels-using-the-chipwhisperer/ [382]: https://gamozolabs.github.io/fuzzing/2018/10/14/vectorized_emulation.html [383]: https://gamozolabs.github.io/fuzzing/2018/11/19/vectorized_emulation_mmu.html [384]: https://cs.brown.edu/~vpk/papers/ret2dir.sec14.pdf [385]: https://linuxkernelcves.com [386]: https://pwning.tech/ksmbd-syzkaller/ [387]: https://blog.quarkslab.com/lets-go-into-the-rabbit-hole-part-1-the-challenges-of-dynamically-hooking-golang-program.html [388]: https://8ksec.io/arm64-reversing-and-exploitation-part-8-exploiting-an-integer-overflow-vulnerability/ [389]: https://8ksec.io/arm64-reversing-and-exploitation-part-9-exploiting-an-off-by-one-overflow-vulnerability/ [390]: https://8ksec.io/arm64-reversing-and-exploitation-part-10-intro-to-arm-memory-tagging-extension-mte/ [391]: https://rafa.hashnode.dev/exploiting-http-parsers-inconsistencies [392]: https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wild-ios-safari-sandbox-escape.html [393]: https://raelize.com/blog/espressif-systems-esp32-breaking-hw-aes-with-power-analysis/ [394]: https://raelize.com/blog/espressif-systems-esp32-breaking-hw-aes-with-electromagnetic-analysis/ [395]: https://riccardoancarani.github.io/2023-08-03-attacking-an-edr-part-1/ [396]: https://riccardoancarani.github.io/2023-09-14-attacking-an-edr-part-2/ [397]: https://doar-e.github.io/blog/2023/05/05/competing-in-pwn2own-ics-2022-miami-exploiting-a-zero-click-remote-memory-corruption-in-iconics-genesis64/ [398]: https://sec-consult.com/blog/detail/reverse-engineering-architecture-pinout-plc/ [399]: https://0xinfection.github.io/reversing/ [400]: https://www.andreinc.net/2023/02/01/demystifying-bitwise-ops [401]: https://blog.kylebot.net/2022/10/16/CVE-2022-1786/ [402]: https://blog.lumen.com/new-hiatusrat-router-malware-covertly-spies-on-victims/ [403]: https://blog.tclaverie.eu/posts/grcon-2021---capture-the-signal/ [404]: 
https://binarly.io/posts/Multiple_Vulnerabilities_in_Qualcomm_and_Lenovo_ARM_based_Devices/index.html [405]: https://steve-s.gitbook.io/0xtriboulet/ [406]: https://accessvector.net/2022/linux-itimers-uaf [407]: https://class.malware.re [408]: https://valsamaras.medium.com/arm-64-assembly-series-basic-definitions-and-registers-ec8cc1334e40 [409]: https://valsamaras.medium.com/arm-64-assembly-series-offset-and-addressing-modes-aa48b65b4c99 [410]: https://valsamaras.medium.com/arm-64-assembly-series-load-and-store-6bfe9c1d1896 [411]: https://valsamaras.medium.com/arm-64-assembly-series-branch-9ce820987fc6 [412]: https://valsamaras.medium.com/arm-64-assembly-series-data-processing-part-1-b6f6f877c56b [413]: https://valsamaras.medium.com/arm-64-assembly-series-data-processing-part-2-3d0526dc07b6 [414]: https://valsamaras.medium.com/practical-arm64-selections-and-loops-89f9a0e7e395 [415]: https://valsamaras.medium.com/practical-arm64-subroutines-1b5ea3935ff5 [416]: https://www.tripwire.com/state-of-security/ghidra-101-cursor-text-highlighting [417]: https://www.tripwire.com/state-of-security/ghidra-101-slice-highlighting [418]: https://www.tripwire.com/state-of-security/ghidra-101-decoding-stack-strings [419]: https://www.tripwire.com/state-of-security/ghidra-101-loading-windows-symbols-pdb-files [420]: https://www.tripwire.com/state-of-security/ghidra-101-creating-structures-in-ghidra [421]: https://www.tripwire.com/state-of-security/ghidra-101-loading-windows-symbols-pdb-files-in-ghidra-10-x [422]: https://github.com/PabloMK7/ENLBufferPwn [423]: https://f0rm2l1n.github.io/2021-02-02-syzkaller-diving-01/ [424]: https://f0rm2l1n.github.io/2021-02-04-syzkaller-diving-02/ [425]: https://f0rm2l1n.github.io/2021-02-10-syzkaller-diving-03/ [426]: https://www.nozominetworks.com/blog/the-importance-of-reverse-engineering-in-network-analysis [427]: https://www.stormshield.com/news/orbit-analysis-of-a-linux-dedicated-malware/ [428]: 
https://intezer.com/blog/research/orbit-new-undetected-linux-threat/ [429]: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/ [430]: https://sandflysecurity.com/blog/detecting-linux-memfd-create-fileless-malware-with-command-line-forensics/ [431]: https://labs.withsecure.com/publications/spoofing-call-stacks-to-confuse-edrs [432]: https://labs.nettitude.com/blog/shellcode-source-mutations/ [433]: https://rollingpwn.github.io/BLE-Relay-Aattck/ [434]: https://blog.impalabs.com/2212_huawei-security-hypervisor.html [435]: https://blog.impalabs.com/2212_advisory_huawei-security-hypervisor.html [436]: https://protectedmo.de/brute.html [437]: https://github.com/mikeryan/ice9-bluetooth-sniffer [438]: https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-malware-targeting-linux [439]: https://blog.trailofbits.com/2023/02/16/suid-logic-bug-linux-readline/ [440]: https://intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/ [441]: https://medium.com/@INTfinitySG/1-1-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-1-5bab391c91f2 [442]: https://medium.com/@INTfinitySG/1-2-emulating-netgear-r6700v3-circled-binary-cve-2022-27644-cve-2022-27646-part-2-cf1571493117 [443]: https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/ [444]: https://claroty.com/team82/research/hacking-ics-historians-the-pivot-point-from-it-to-ot [445]: https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/total-identity-compromise-microsoft-incident-response-lessons-on/ba-p/3753391 [446]: https://www.flashback.sh/blog/minesweeper-tplink-archer-lan-rce [447]: https://www.flashback.sh/blog/weekend-destroyer-wd-pr4100-rce [448]: https://www.microsoft.com/en-us/security/blog/2023/03/06/protecting-android-clipboard-content-from-unintended-exposure/ [449]: https://www.timdbg.com/posts/writing-a-debugger-from-scratch-part-1/ [450]: 
https://www.timdbg.com/posts/writing-a-debugger-from-scratch-part-2/ [451]: https://www.timdbg.com/posts/writing-a-debugger-from-scratch-part-3/ [452]: https://www.timdbg.com/posts/writing-a-debugger-from-scratch-part-4/ [453]: https://www.timdbg.com/posts/writing-a-debugger-from-scratch-part-5/ [454]: https://www.timdbg.com/posts/writing-a-debugger-from-scratch-part-6/ [455]: https://www.timdbg.com/posts/writing-a-debugger-from-scratch-part-7/ [456]: https://farlow.dev/2023/03/02/hacking-the-nintendo-dsi-browser [457]: https://www.randorisec.fr/yet-another-bug-netfilter/ [458]: http://clarkkromenaker.com/post/library-dynamic-loading-mac/ [459]: https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-line-interface/ [460]: https://maskray.me/blog/2023-02-12-all-about-leak-sanitizer [461]: https://intezer.com/blog/research/new-linux-threat-symbiote/ [462]: https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-an-android-device-by-accident/ [463]: https://mattfrisbie.substack.com/p/spy-chrome-extension [464]: https://modexp.wordpress.com/2018/10/30/arm64-assembly/?ref=0xor0ne.xyz [465]: https://www.artresilia.com/iot-series-i-are-people-ready-to-go/ [466]: https://www.artresilia.com/iot-series-ii-how-to-build-kernel-image-from-scratch/ [467]: https://www.artresilia.com/iot-series-iii-firmware-testing-in-qemu/ [468]: https://www.artresilia.com/iot-series-iv-debugging-with-gdb-ghidra-zero-day/ [469]: https://mutur4.github.io/posts/remote-process-injection/ [470]: https://blogs.oracle.com/linux/post/live-kernel-debugging-1 [471]: https://blogs.oracle.com/linux/post/live-kernel-debugging-2 [472]: https://blogs.oracle.com/linux/post/live-kernel-debugging-3 [473]: https://www.willsroot.io/2022/12/entrybleed.html [474]: https://onekey.com/blog/making-toctou-great-again-xrip/?ref=0xor0ne.xyz [475]: https://bishopfox.com/blog/building-exploit-fortigate-vulnerability-cve-2023-27997 [476]: https://github.com/johnthagen/min-sized-rust 
[477]: https://www.nozominetworks.com/blog/14-vulnerabilities-discovered-in-phoenix-contact-hmis [478]: https://www.nozominetworks.com/blog/protecting-the-phoenix-unveiling-critical-vulnerabilities-in-phoenix-contact-hmi-part-2 [479]: https://www.nozominetworks.com/blog/protecting-the-phoenix-unveiling-critical-vulnerabilities-in-phoenix-contact-hmi-part-3 [480]: https://www.immersivelabs.com/blog/detecting-and-decrypting-sliver-c2-a-threat-hunters-guide/ [481]: https://labs.watchtowr.com/ghost-in-the-wire-sonic-in-the-wall/ [482]: https://www.appknox.com/security/how-to-emulate-android-native-libraries-using-qiling [483]: https://sam4k.com/patching-instrumenting-debugging-linux-kernel-modules/ [484]: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/ [485]: http://codemachine.com/articles/windbg_quickstart.html [486]: https://github.blog/2023-10-17-getting-rce-in-chrome-with-incomplete-object-initialization-in-the-maglev-compiler/?ref=0xor0ne.xyz [487]: https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-1.how-a-simple-k-typeconfusion-took-me-3-months-long-to-create-a-exploit-f643c94d445f [488]: https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-2.how-a-simple-k-typeconfusion-took-me-3-months-long-to-create-a-exploit-f643c94d445f [489]: https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-3.html [490]: https://github.com/clearbluejar/ghidriff [491]: https://www.willsroot.io/2022/08/reviving-exploits-against-cred-struct.html [492]: https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting-tiny.html [493]: https://danielmangum.com/posts/risc-v-bytes-exploring-custom-esp32-bootloader/ [494]: https://seanpesce.blogspot.com/2023/05/bypassing-selinux-with-initmodule.html [495]: https://ruia-ruia.github.io/2022/08/05/CVE-2022-29582-io-uring/ [496]: 
https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-# [497]: https://www.nozominetworks.com/blog/vulnerabilities-in-bmc-firmware-affect-ot-iot-device-security-part-2 [498]: https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki [499]: https://stigward.github.io/posts/fiio-m6-kernel-bug/ [500]: https://stigward.github.io/posts/fiio-m6-exploit/ [501]: https://iq.thc.org/how-does-linux-start-a-process [502]: https://0x44.xyz/blog/cve-2023-4369/ [503]: https://xairy.io/articles/syzkaller-external-network [504]: http://conference.hitb.org/files/hitbsecconf2023ams/materials/D2T1%20-%20Smart%20Speaker%20Shenanigans%20-%20Making%20the%20SONOS%20One%20Sing%20Its%20Secrets%20-%20Peter%20Geissler.pdf [505]: https://astralvx.com/stealing-the-bitlocker-key-from-a-tpm/ [506]: https://quentinkaiser.be/exploitdev/2020/09/23/ghetto-patch-diffing-cisco/ [507]: https://quentinkaiser.be/exploitdev/2020/10/01/patch-diffing-cisco-rv110/?ref=0xor0ne.xyz [508]: https://clearbluejar.github.io/posts/decompilation-debugging-pretending-all-binaries-come-with-source-code/ [509]: https://nicolo.dev/en/blog/role-control-flow-graph-static-analysis/ [510]: https://github.com/Orange-Cyberdefense/awesome-industrial-protocols [511]: https://sam4k.com/exploring-linux-random-kmalloc-caches/ [512]: https://people.kernel.org/linusw/the-arm32-scheduling-and-kernelspace-userspace-boundary [513]: https://thume.ca/2023/12/02/tracing-methods/ [514]: https://www.corellium.com/blog/exploring-unix-pipes-for-ios-kernel-exploit-primitives [515]: https://tmpout.sh [516]: https://sam4k.com/linternals-memory-allocators-part-1/ [517]: https://sam4k.com/linternals-memory-allocators-0x02/ [518]: https://quic.xargs.org [519]: https://dtls.xargs.org [520]: https://tls13.xargs.org [521]: https://tls12.xargs.org [522]: https://blog.xpnsec.com/restoring-dyld-memory-loading/ [523]: https://blog.xpnsec.com/building-a-mach-o-memory-loader-part-1/ [524]: 
https://www.synacktiv.com/sites/default/files/2023-11/ubuntu_shiftfs.pdf [525]: https://www.flashback.sh/blog/flashback-connects-cisco-rv340-ssl-vpn-rce [526]: https://github.com/nccgroup/exploit_mitigations?ref=0xor0ne.xyz [527]: https://lock.cmpxchg8b.com/reptar.html [528]: https://anatomic.rip/cve-2023-2598/ [529]: https://github.com/bcoles/kasld [530]: https://blog.exodusintel.com/2023/05/16/google-chrome-v8-arrayshift-race-condition-remote-code-execution/ [531]: https://research.nccgroup.com/2023/12/04/shooting-yourself-in-the-flags-jailbreaking-the-sonos-era-100/ [532]: https://etenal.me/archives/1825 [533]: https://pwning.tech/ksmbd/ [534]: https://github.blog/2023-12-06-cueing-up-a-calculator-an-introduction-to-exploit-development-on-linux/ [535]: https://duasynt.com/blog/linux-kernel-heap-feng-shui-2022 [536]: https://grsecurity.net/how_autoslab_changes_the_memory_unsafety_game [537]: https://www.zerodayinitiative.com/blog/2023/11/28/a-detailed-look-at-pwn2own-automotive-ev-charger-hardware [539]: https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html [540]: https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_11.html [541]: https://googleprojectzero.blogspot.com/2017/10/over-air-vol-2-pt-3-exploiting-wi-fi.html [542]: https://trenchant.io/expanding-the-dragon-adding-an-isa-to-ghidra/ [543]: https://adamdoupe.com/blog/2023/01/23/cve-2023-23504-xnu-heap-underwrite-in-dlil-dot-c/ [544]: https://sysdig.com/blog/cve-2023-0210-linux-kernel-unauthenticated-remote-heap-overflow/ [545]: https://boredpentester.com/reversing-esp8266-firmware-part-1/ [546]: https://boredpentester.com/reversing-esp8266-firmware-part-2/ [547]: https://boredpentester.com/reversing-esp8266-firmware-part-3/ [548]: https://boredpentester.com/reversing-esp8266-firmware-part-4/ [549]: https://boredpentester.com/reversing-esp8266-firmware-part-5/ [550]: https://boredpentester.com/reversing-esp8266-firmware-part-6/ [551]: 
https://eta.st/2023/01/31/rail-tickets.html [552]: https://www.crowdstrike.com/blog/exploiting-cve-2021-3490-for-container-escapes/ [553]: https://www.hacefresko.com/posts/tp-link-tapo-c200-unauthenticated-rce [554]: https://blog.bi0s.in/2023/01/23/Pwn/bi0sCTF22-b3typer/ [555]: https://www.synacktiv.com/en/publications/pwn2own-tokyo-2020-defeating-the-tp-link-ac1750.html [556]: https://doar-e.github.io/blog/2022/03/26/competing-in-pwn2own-2021-austin-icarus-at-the-zenith/ [557]: https://ivanorsolic.github.io/post/hardwarehacking1/ [558]: https://kernemporium.github.io/posts/unpacking/ [559]: https://www.archcloudlabs.com/projects/loadlibrary-analysis/ [560]: https://straightblast.medium.com/my-poc-walkthrough-for-cve-2021-21974-a266bcad14b9 [561]: https://www.zerodayinitiative.com/blog/2021/3/1/cve-2020-3992-amp-cve-2021-21974-pre-auth-remote-code-execution-in-vmware-esxi [562]: https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf [563]: https://github.com/V4bel/CVE-2022-41218 [564]: https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-1/ [565]: https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-2/ [566]: https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/ [567]: https://seclists.org/oss-sec/2023/q1/20 [569]: https://epi052.gitlab.io/notes-to-self/blog/2021-11-07-fuzzing-101-with-libafl-part-1.5/ [571]: https://cloudfuzz.github.io/android-kernel-exploitation/ [572]: https://www.akamai.com/blog/security-research/exploiting-critical-spoofing-vulnerability-microsoft-cryptoapi [573]: https://breaking-bits.gitbook.io/breaking-bits/exploit-development/linux-kernel-exploit-development?s=09 [574]: https://act-on.ioactive.com/acton/attachment/34793/f-6460b49e-1afe-41c3-8f73-17dc14916847/1/-/-/-/-/NFC-relay-TESlA_JRoriguez.pdf [575]: https://research.nccgroup.com/2023/02/06/rustproofing-linux-part-1-4-leaking-addresses/ [576]: 
https://research.nccgroup.com/2023/02/08/rustproofing-linux-part-2-4-race-conditions/ [577]: https://research.nccgroup.com/2023/02/14/rustproofing-linux-part-3-4-integer-overflows/ [578]: https://research.nccgroup.com/2023/02/16/rustproofing-linux-part-4-4-shared-memory/ [579]: https://sensepost.com/blog/2022/sim-hijacking/ [580]: https://dtsec.us/2023-09-15-StackSpoofin/ [581]: https://chao-tic.github.io/blog/2018/12/25/tls [582]: https://hackmd.io/@pepsipu/ry-SK44pt?s=09 [583]: https://exploitreversing.files.wordpress.com/2023/04/exploit_reversing_01-1.pdf [584]: https://exploitreversing.files.wordpress.com/2024/01/exploit_reversing_02.pdf [585]: https://anti-debug.checkpoint.com [586]: https://ktln2.org/reversing-c%2B%2B-qt-applications-using-ghidra/ [587]: https://blog.thalium.re/posts/achieving-remote-code-execution-in-steam-remote-play/ [588]: https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-library-api/ [589]: https://courk.cc/breaking-flash-encryption-of-espressif-parts [590]: https://courk.cc/esp32-c3-c6-fault-injection [591]: https://ptr-yudai.hatenablog.com/entry/2023/12/08/093606 [592]: https://eli.thegreenplace.net/2011/08/25/load-time-relocation-of-shared-libraries/ [593]: https://eli.thegreenplace.net/2011/11/03/position-independent-code-pic-in-shared-libraries/ [594]: https://redops.at/en/blog/exploring-hells-gate [595]: https://i.blackhat.com/EU-21/Wednesday/EU-21-Jin-The-Art-of-Exploiting-UAF-by-Ret2bpf-in-Android-Kernel-wp.pdf [596]: https://www.darknavy.org/blog/strengthening_the_shield_mte_in_memory_allocators/ [597]: https://richiejp.com/linux-kernel-exploit-tls_context-uaf [598]: https://eprint.iacr.org/2023/090.pdf [599]: https://therealcoiffeur.com/c101011.html [600]: https://therealcoiffeur.com/c101100.html [601]: https://therealcoiffeur.com/c101101.html [602]: https://blog.kylebot.net/2021/05/08/DEFCON-2021-Quals-mooosl/ [603]: https://security.humanativaspa.it/customizing-sliver-part-1/ [604]: 
https://security.humanativaspa.it/customizing-sliver-part-2/ [605]: https://security.humanativaspa.it/customizing-sliver-part-3/ [606]: https://www.mnemonic.io/no/resources/blog/reverse-engineering-an-ev-charger/ [607]: https://mcuoneclipse.com/2019/05/26/reverse-engineering-of-a-not-so-secure-iot-device/ [608]: https://lug.uniroma2.it/eventi/linux-day-23/files/Linux%20Day%20-%20Attacking%20IoT%20Devices.pdf [609]: https://maskray.me/blog/2023-12-17-exploring-the-section-layout-in-linker-output [610]: https://blackwinghq.com/blog/posts/playing-with-libmalloc/ [611]: https://itm4n.github.io/tpm-based-bitlocker/ [612]: https://www.synacktiv.com/en/publications/leveraging-binary-ninja-il-to-reverse-a-custom-isa-cracking-the-pot-of-gold-37c3 [613]: https://www.elttam.com/blog/pwnassistant/ [614]: https://github.blog/2023-11-30-securing-our-home-labs-home-assistant-code-review/ [615]: https://github.blog/2023-12-13-securing-our-home-labs-frigate-code-review/ [616]: https://albocoder.github.io/exploit/2023/03/13/KernelFileExploit.html [617]: https://lupyuen.github.io/articles/wifi [618]: https://francozappa.github.io/publication/2023/bluffs/slides.pdf [619]: https://steve-s.gitbook.io/0xtriboulet [620]: https://google.github.io/comprehensive-rust/ [621]: https://redcanary.com/blog/ebpf-malware/ [622]: https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-riding-free-on-the-heap-double-free-attacks/ [623]: https://www.deepsec.net/docs/Slides/2022/Hacking_More_Secure_Portable_Storage_Devices_Matthias_Deeg.pdf [624]: https://tuckersiemens.com/posts/parsing-tftp-in-rust/ [625]: https://github.com/infobyte/cve-2022-27255/blob/main/DEFCON/slides.pdf [626]: https://wrongbaud.github.io/posts/BasicFUN-flashing/ [627]: https://wrongbaud.github.io/posts/BasicFUN-rom-analysis/ [628]: https://wrongbaud.github.io/posts/MK-Teardown/ [629]: https://wrongbaud.github.io/posts/Holiday-Teardown/ [630]: 
https://www.sonarsource.com/blog/disclosing-information-with-a-side-channel-in-django/ [631]: https://offlinemark.com/2021/05/12/an-obscure-quirk-of-proc/ [632]: https://security.humanativaspa.it/zyxel-authentication-bypass-patch-analysis-cve-2022-0342/ [633]: https://uploads-ssl.webflow.com/645a4534705010e2cb244f50/64912bac55ece2717e14e84a_Nozomi-Networks-WP-UWB-Real-Time-Locating-Systems.pdf [634]: https://wrongbaud.github.io/posts/stm-xbox-jtag/ [635]: https://wrongbaud.github.io/posts/jtag-hdd/ [636]: https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html [637]: https://goggleheadedhacker.com/post/intro-to-cutter [638]: https://raelize.com/blog/espressif-systems-esp32-bypassing-sb-using-emfi/ [639]: https://raelize.com/blog/espressif-systems-esp32-controlling-pc-during-sb/ [640]: https://raelize.com/blog/espressif-systems-esp32-bypassing-flash-encryption/ [641]: https://raelize.com/blog/espressif-esp32-bypassing-encrypted-secure-boot-cve-2020-13629/ [642]: https://github.com/b1ack0wl/vulnerability-write-ups/blob/master/TP-Link/WR940N/112022/Part1.md [643]: https://redcanary.com/blog/fuzzing/ [644]: https://saaramar.github.io/memory_safety_blogpost_2022/ [645]: https://dmitry.gr/?r=05.Projects&proj=30.%20Reverse%20Engineering%20an%20Unknown%20Microcontroller [647]: https://blog.abdulrah33m.com/prototype-pollution-in-python/ [648]: https://samcurry.net/web-hackers-vs-the-auto-industry/ [649]: https://www.thegoodpenguin.co.uk/blog/pcie-dma-attack-against-a-secured-jetson-nano-cve-2022-21819/ [650]: https://vulncheck.com/blog/xiongmai-iot-exploitation [651]: https://marabos.nl/atomics/ [652]: https://github.com/blasty/lexmark [653]: https://zeus.ugent.be/blog/23-24/open-source-esp32-wifi-mac/ [654]: https://zeus.ugent.be/blog/23-24/esp32-reverse-engineering-continued/ [655]: https://voidstarsec.com/blog/ghidra-dev-environment [656]: https://mdanilor.github.io/posts/hevd-0/ [657]: 
https://mdanilor.github.io/posts/hevd-1/ [658]: https://mdanilor.github.io/posts/hevd-2/ [659]: https://mdanilor.github.io/posts/hevd-3/ [660]: https://mdanilor.github.io/posts/hevd-4/ [661]: https://blogs.vmware.com/security/2023/10/hunting-vulnerable-kernel-drivers.html [662]: https://www.shielder.com/blog/2024/01/hunting-for-~~un~~authenticated-n-days-in-asus-routers/ [663]: https://valsamaras.medium.com/introduction-to-x64-linux-binary-exploitation-part-1-14ad4a27aeef [664]: https://valsamaras.medium.com/introduction-to-x64-binary-exploitation-part-2-return-into-libc-c325017f465 [665]: https://valsamaras.medium.com/introduction-to-x64-linux-binary-exploitation-part-3-rop-chains-3cdcf17e8826 [666]: https://valsamaras.medium.com/introduction-to-x64-linux-binary-exploitation-part-4-stack-canaries-e9b6dd2c3127 [667]: https://valsamaras.medium.com/introduction-to-x64-linux-binary-exploitation-part-5-aslr-394d0dc8e4fb [668]: https://tandasat.github.io/blog/2024/01/15/CVE-2024-21305.html [669]: https://blog.digital-forensics.it/2024/01/a-first-look-at-android-14-forensics.html?m=1 [670]: https://timleonard.uk/2022/05/29/reverse-engineering-dark-souls-3-networking [671]: https://timleonard.uk/2022/06/02/reverse-engineering-dark-souls-3-networking-part-2 [672]: https://timleonard.uk/2022/06/03/reverse-engineering-dark-souls-3-networking-part-3 [673]: https://timleonard.uk/2022/06/09/reverse-engineering-dark-souls-3-networking-part-4 [674]: https://blog.exodusintel.com/2024/01/19/google-chrome-v8-cve-2024-0517-out-of-bounds-write-code-execution/ [675]: https://voidstarsec.com/blog/replicant-part-1 [676]: https://github.com/skysafe/reblog/blob/main/cve-2024-0230/README.md [677]: https://retr0.zip/blog/abusing-Liftoff-assembly-and-efficiently-escaping-from-sbx.html [678]: https://santaclz.github.io/2023/11/03/Linux-Kernel-Exploitation-Getting-started-and-BOF.html [679]: https://santaclz.github.io/2024/01/20/Linux-Kernel-Exploitation-Heap-techniques.html [680]: 
https://santaclz.github.io/2024/01/29/Linux-Kernel-Exploitation-exploiting-race-condition-and-UAF.html [681]: https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-3-radio-communications/ [682]: https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-part-4-internal-communications/ [683]: https://blog.nviso.eu/2024/01/15/deobfuscating-android-arm64-strings-with-ghidra-emulating-patching-and-automating/ [684]: https://maskray.me/blog/2024-01-14-exploring-object-file-formats [685]: https://www.synacktiv.com/en/publications/how-to-voltage-fault-injectiongg [686]: https://github.com/joaoviictorti/RustRedOps [687]: https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/ [688]: https://zeromips.org/posts/2024-01-08-superpower/ [689]: https://redops.at/en/blog/shell-we-assemble-unleashing-x86-inline-assembly-for-shellcode-execution [690]: https://5pider.net/blog/2024/01/27/modern-shellcode-implant-design/ [691]: https://jmswrnr.com/blog/hacking-a-smart-home-device [692]: https://www.binarly.io/blog/inside-the-logofail-poc-from-integer-overflow-to-arbitrary-code-execution [693]: https://sonictk.github.io/asm_tutorial/ [694]: https://rev.ng/blog/open-sourcing-renvg-decompiler-ui-closed-beta [695]: https://boschko.ca/tp-link-tddp-bof/ [696]: https://github.com/h3xduck/TripleCross [697]: https://seclists.org/oss-sec/2024/q1/68 [698]: https://seclists.org/oss-sec/2024/q1/69 [699]: https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero [700]: https://kaist-hacking.github.io/pubs/2023/kim:kernel-ctf-slides.pdf [701]: https://labs.ioactive.com/2024/02/exploring-amd-platform-secure-boot.html [702]: https://www.trellix.com/blogs/research/the-evolution-of-the-kuiper-ransomware/ [703]: https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-one/ [704]: 
https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/ [705]: https://blog.quarkslab.com/dji-the-art-of-obfuscation.html [706]: https://www.l3harris.com/newsroom/editorial/2023/10/scudo-hardened-allocator-unofficial-internals-documentation [707]: https://lolcads.github.io/posts/2022/06/dirty_pipe_cve_2022_0847/ [708]: https://cve-north-stars.github.io [709]: https://itm4n.github.io/printnightmare-exploitation/ [710]: https://a13xp0p0v.github.io/2022/05/24/pwn-fuchsia.html [711]: https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html [712]: https://redsiege.com/blog/2024/01/graphstrike-developer/ [713]: https://www.nozominetworks.com/blog/dji-mavic-3-drone-research-part-2-vulnerability-analysis [714]: https://whiteknightlabs.com/2024/02/09/a-technical-deep-dive-comparing-anti-cheat-bypass-and-edr-bypass/ [715]: https://gatari.dev/posts/a-trip-down-memory-lane/ [716]: https://malwaretech.com/2024/02/bypassing-edrs-with-edr-preload.html [717]: https://github.com/packing-box/awesome-executable-packing?tab=readme-ov-file [718]: https://blog.compass-security.com/2024/02/microsoft-bitlocker-bypasses-are-practical/ [719]: https://h0mbre.github.io/Learn-C-By-Creating-A-Rootkit/ [720]: https://sidechannel.blog/en/attacking-js-engines/ [721]: https://labs.ioactive.com/2021/02/a-practical-approach-to-attacking-iot.html [722]: https://labs.ioactive.com/2021/02/a-practical-approach-to-attacking-iot_23.html [723]: http://aceresponder.com/blog/exploiting-empire-c2-framework [724]: https://appsec.guide [725]: https://homecrew.dev/posts/cve-2020-16040 [726]: https://balwurk.com/shellcode-evasion-using-webassembly-and-rust/ [727]: https://jcjc-dev.com/2020/10/20/learning-to-decap-ics/ [728]: https://github.com/netspooky/golfclub/tree/master/uefi/bggp4 [729]: https://reynardsec.com/en/docker-platform-security-step-by-step-hardening/ [730]: 
https://research.nccgroup.com/2024/02/09/puckungfu-2-another-netgear-wan-command-injection/ [731]: https://zolutal.github.io/aslrnt/ [732]: https://grsecurity.net/toolchain_necromancy_past_mistakes_haunting_aslr [733]: https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors_-_TAG_report.pdf [734]: https://blog.trailofbits.com/2024/02/23/continuously-fuzzing-python-c-extensions/ [735]: https://icanhack.nl/blog/secoc-key-extraction/ [736]: https://www.embeeresearch.io/advanced-cyberchef-operations-netsupport/ [737]: https://research.nccgroup.com/2020/10/15/theres-a-hole-in-your-soc-glitching-the-mediatek-bootrom/ [738]: https://blog.trailofbits.com/2024/02/16/a-few-notes-on-aws-nitro-enclaves-images-and-attestation/ [739]: https://github.blog/2024-02-12-the-architecture-of-sast-tools-an-explainer-for-developers/ [740]: https://0x434b.dev/linksys-ea6100_pt1/ [741]: https://0x434b.dev/linksys-ea6100_pt1/ [742]: https://blog.ret2.me/post/2022-01-26-exploiting-xiongmai-dvrs/ [743]: https://www.blackhillsinfosec.com/how-to-weaponize-the-yubikey/ [744]: https://www.somersetrecon.com/blog/2021/hacking-the-furbo-part-1 [745]: https://www.somersetrecon.com/blog/2021/hacking-the-furbo-dog-camera-part-ii [746]: https://www.somersetrecon.com/blog/2022/hacking-the-furbo-dog-camera-part-iii [747]: https://hackaday.com/2022/12/06/usb-c-introduction-for-hackers/ [748]: https://www.hexacon.fr/slides/hexacon_draytek_2022_final.pdf [749]: https://o5wald.github.io/posts/binary_exploitation_basics/ [750]: https://vx.zone/2022/10/22/tracingwithdynamo-utku.html [751]: https://sha256.net/fuzzing-ping.html [752]: https://grack.com/blog/2022/12/01/hacking-bluetooth-to-brew-coffee-on-github-actions-part-1/ [753]: https://grack.com/blog/2022/12/02/hacking-bluetooth-to-brew-coffee-on-github-actions-part-2/ [754]: https://grack.com/blog/2022/12/04/hacking-bluetooth-to-brew-coffee-on-github-actions-part-3/ [755]: 
https://asset-group.github.io/disclosures/braktooth/braktooth.pdf
[756]: https://labs.taszk.io/articles/post/exploiting_huaweis_npu_driver/
[757]: https://limitedresults.com/2019/08/pwn-the-esp32-crypto-core/
[758]: https://s2-lab.github.io/assets/sec23summer_79-lee-prepub.pdf
[759]: https://syst3mfailure.io/corjail//
[760]: https://alephsecurity.com/2021/02/16/apport-lpe/
[761]: https://reverse-engineering-ble-devices.readthedocs.io/en/latest/
[762]: https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/
[763]: https://research.nccgroup.com/2022/12/12/klee-for-the-cve/
[764]: https://www.mdpi.com/2410-387X/6/4/53/
[765]: https://org.anize.rs/HITCON-2022/pwn/fourchain-prologue
[766]: https://org.anize.rs/HITCON-2022/pwn/fourchain-hole
[767]: https://org.anize.rs/HITCON-2022/pwn/fourchain-sandbox
[768]: https://stdnoerr.github.io/writeup/2022/08/21/eBPF-exploitation-(ft.-D-3CTF-d3bpf).html
[769]: https://github.com/dloss/binary-parsing
[770]: https://bananamafia.dev/post/srop/
[771]: https://insecuremode.com/post/2021/12/14/getting-to-know-memblock.html
[772]: https://starlabs.sg/blog/2022/12-the-last-breath-of-our-netgear-rax30-bugs-a-tragic-tale-before-pwn2own-toronto-2022/
[773]: https://i.blackhat.com/USA-19/Thursday/us-19-Pi-Exploiting-Qualcomm-WLAN-And-Modem-Over-The-Air-wp.pdf
[774]: https://raelize.com/upload/research/2017/2017_FDTC_Escalating-Privileges-in-Linux-using-Fault-Injection_NT-CM.pdf
[775]: https://jamchamb.net/2022/01/02/modify-vmlinuz-arm.html
[776]: https://docs.google.com/document/d/1a9uUAISBzw3ur1aLQqKc5JOQLaJYiOP5pe_B4xCT1KA/edit#heading=h.6141m9mqkmgh
[777]: https://research.nccgroup.com/2022/12/19/meshyjson-a-tp-link-tdpserver-json-stack-overflow/
[778]: https://starlabs.sg/blog/2022/12-deconstructing-and-exploiting-cve-2020-6418/
[779]: https://tomverbeure.github.io/2022/12/27/The-ICE-V-Wireless-FPGA-Board.html
[780]: https://research.checkpoint.com/2020/safe-linking-eliminating-a-20-year-old-malloc-exploit-primitive/
[781]: https://www.synacktiv.com/en/publications/kinibi-tee-trusted-application-exploitation.html#
[782]: https://research.nccgroup.com/2022/02/28/brokenprint-a-netgear-stack-overflow/
[783]: https://infosecwriteups.com/norec-attack-stripping-ble-encryption-from-nordics-library-cve-2020-15509-9798ab893b95
[785]: https://cryptobook.nakov.com
[786]: https://github.com/0x36/Pixel_GPU_Exploit
[787]: https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-rce-with-cve-2024-21762
[788]: https://blog.3or.de/arm-exploitation-return-oriented-programming
[789]: https://blog.3or.de/arm-exploitation-setup-and-tools
[790]: https://blog.3or.de/arm-exploitation-defeating-dep-execute-system
[791]: https://blog.3or.de/arm-exploitation-defeating-dep-executing-mprotect
[792]: https://0xpat.github.io/Malware_development_part_1/
[793]: https://0xpat.github.io/Malware_development_part_2/
[794]: https://0xpat.github.io/Malware_development_part_3/
[795]: https://0xpat.github.io/Malware_development_part_4/
[796]: https://0xpat.github.io/Malware_development_part_5/
[797]: https://0xpat.github.io/Malware_development_part_6/
[798]: https://0xpat.github.io/Malware_development_part_7/
[799]: https://0xpat.github.io/Malware_development_part_8/
[800]: https://0xpat.github.io/Malware_development_part_9/
[801]: https://0x44.cc/radio/2024/03/13/reversing-a-car-key-fob-signal.html
[802]: https://download.vusec.net/papers/ghostrace_sec24.pdf
[803]: https://tsmr.eu/blackbox-fuzzing.html
[804]: https://pwning.tech/nftables/
[805]: https://blog.talosintelligence.com/exploiting-low-severity-vulnerability-using-a-frame-pointer-overwrite/
[806]: https://ctf.re/windows/kernel/pcie/tutorial/2023/02/14/pcie-part-1/
[807]: https://ctf.re/kernel/pcie/tutorial/dma/mmio/tlp/2024/03/26/pcie-part-2/
[808]: https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/
[809]: https://blog.exodusintel.com/2024/03/27/mind-the-patch-gap-exploiting-an-io_uring-vulnerability-in-ubuntu/
[810]: https://www.synacktiv.com/en/publications/arlo-im-watching-you
[811]: https://github.com/TravMurav/Qcom-Secure-Launch
[812]: https://alephsecurity.com/2024/02/20/kontrol-lux-lock-1/
[813]: https://alephsecurity.com/2024/03/07/kontrol-lux-lock-2/
[814]: https://danielplohmann.github.io/blog/2024/03/08/malpediaflossed.html
[815]: https://www.synacktiv.com/en/publications/java-deserialization-tricks
[816]: https://starlabs.sg/blog/2024/route-to-safety-navigating-router-pitfalls/
[817]: https://blog.thalium.re/posts/rooting-xiaomi-wifi-routers/
[818]: https://medium.com/@elpepinillo/heap-heap-hooray-unveiling-glibc-heap-overflow-vulnerability-cve-2023-6246-0c6412423269
[819]: https://boredpentester.com/rooting-hive-ip-cameras/
[820]: https://arkadiyt.com/2024/03/03/reverse-engineering-protobuf-definitiions-from-compiled-binaries/
[821]: https://blog.quarkslab.com/reversing-windows-container-episode-i-silo.html
[822]: https://blog.quarkslab.com/reversing-windows-container-part-ii-silo-to-server-silo.html
[823]: https://shindan.io/posts/keychain_module_analysis/
[824]: https://shindan.io/posts/audio_module_analysis/
[825]: https://assets-global.website-files.com/645a4534705010e2cb244f50/663579201211ec0f633afc4b_Nozomi-Networks-WP-Drone-Telemetry.pdf
[826]: https://www.atredis.com/blog/2023/12/4/a-libafl-introductory-workshop
[827]: https://starlabs.sg/blog/2023/11-exploitation-of-a-kernel-pool-overflow-from-a-restrictive-chunk-size-cve-2021-31969/
[828]: https://pwning.tech/ksmbd/
[829]: https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-1-how-it-all-started/
[830]: https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-2-exploring-the-attack-surface/
[831]: https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-3-exploration/
[832]: https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-4-memory-corruption-analysis/
[833]: https://blog.compass-security.com/2024/03/pwn2own-toronto-2023-part-5-the-exploit/
[834]: https://keowu.re/posts/Analyzing-Mutation-Coded-VM-Protect-and-Alcatraz-English/
[835]: https://clearbluejar.github.io/posts/patch-tuesday-diffing-cve-2024-20696-windows-libarchive-rce/
[836]: https://blog.theori.io/chaining-n-days-to-compromise-all-part-1-chrome-renderer-rce-1afccf56721b
[837]: https://blog.theori.io/chaining-n-days-to-compromise-all-part-2-windows-kernel-lpe-a-k-a-chrome-sandbox-escape-44cb49d7a4f8
[838]: https://blog.theori.io/chaining-n-days-to-compromise-all-part-3-windows-driver-lpe-medium-to-system-12f7821d97bb
[839]: https://blog.theori.io/chaining-n-days-to-compromise-all-part-4-vmware-workstation-information-leakage-44476b05d410
[840]: https://blog.theori.io/chaining-n-days-to-compromise-all-part-5-vmware-workstation-host-to-guest-escape-5a1297e431b5
[841]: https://pwning.tech/cve-2022-47758/
[842]: https://www.protexity.com/post/going-native-malicious-native-applications
[843]: https://adepts.of0x.cc/vba-hijack-pointers-rwa/
[844]: https://github.com/ElliotKillick/windows-vs-linux-loader-architecture?tab=readme-ov-file
[845]: https://elliotonsecurity.com/what-is-loader-lock/
[846]: https://www.0ffset.net/reverse-engineering/capstone-resolving-stack-strings/
[847]: https://tandasat.github.io/blog/2024/02/29/ISRD.html
[848]: https://tandasat.github.io/blog/2024/03/18/ISSR.html
[849]: https://www.jmpeax.dev/CVE-2022-2586-writeup.html
[850]: https://www.jmpeax.dev/The-tale-of-a-GSM-Kernel-LPE.html
[851]: https://voidstarsec.com/blog/jtag-pifex
[852]: https://androidoffsec.withgoogle.com/posts/attacking-android-binder-analysis-and-exploitation-of-cve-2023-20938/
[853]: https://blog.quarkslab.com/emulating-rh850-architecture-with-unicorn-engine.html
[854]: https://www.cyberark.com/resources/threat-research-blog/your-nvme-had-been-syzed-fuzzing-nvme-of-tcp-driver-for-linux-with-syzkaller
[855]: https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/
[856]: https://googleprojectzero.blogspot.com/2020/12/an-ios-hacker-tries-android.html
[857]: https://anatomic.rip/abusing_rcu_callbacks_to_defeat_kaslr/
[858]: https://github.blog/developer-skills/github/codeql-zero-to-hero-part-1-the-fundamentals-of-static-analysis-for-vulnerability-research/
[859]: https://github.blog/developer-skills/github/codeql-zero-to-hero-part-2-getting-started-with-codeql/
[860]: https://github.blog/security/vulnerability-research/codeql-zero-to-hero-part-3-security-research-with-codeql/
[861]: https://labs.nettitude.com/blog/cve-2024-20356-jailbreaking-a-cisco-appliance-to-run-doom/
[862]: https://sec-consult.com/blog/detail/secglitcher-part-1-reproducible-voltage-glitching-on-stm32-microcontrollers/
[863]: https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
[864]: https://github.com/bjrjk/CVE-2022-4262/blob/main/FA/FA.md
[865]: https://betrusted.it/blog/64-bytes-and-a-rop-chain-part-1/
[866]: https://betrusted.it/blog/64-bytes-and-a-rop-chain-part-2/
[867]: https://www.archcloudlabs.com/projects/pwntools-bof/
[868]: https://www.archcloudlabs.com/projects/pwntools-shellcraft/
[869]: https://www.archcloudlabs.com/projects/pwntools-automating-interactions/
[870]: https://www.ambionics.io/blog/iconv-cve-2024-2961-p1
[871]: https://www.ambionics.io/blog/iconv-cve-2024-2961-p2
[872]: https://hadess.io/the-art-of-linux-persistence/
[873]: https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/
[874]: https://erfur.dev/blog/dev/code-injection-without-ptrace
[875]: https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
[876]: https://retooling.io/blog/an-unexpected-journey-into-microsoft-defenders-signature-world
[877]: https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
[878]: https://maskray.me/blog/2024-05-12-exploring-gnu-extensions-in-linux-kernel
[879]: https://www.0x01team.com/sw_security/same70-emulator/
[880]: https://www.binarly.io/blog/the-dark-side-of-uefi-a-technical-deep-dive-into-cross-silicon-exploitation
[881]: https://lolcads.github.io/posts/2023/12/bpf_memory_forensics_with_volatility3/
[882]: https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/
[883]: https://eclypsium.com/blog/flatlined-analyzing-pulse-secure-firmware-and-bypassing-integrity-checking/
[884]: https://reveng007.github.io/blog/2022/03/08/reveng_rkit_detailed.html
[885]: https://tamirzb.com/attacking-android-kernel-using-qualcomm-trustzone
[886]: https://eclypsium.com/blog/bus-pirate-5-the-swiss-arrrmy-knife-of-hardware-hacking/
[887]: https://op-co.de/blog/tags/samsung-nx/
[888]: https://www.uptycs.com/blog/threat-research-report-team/evasive-techniques-used-by-malicious-linux-shell-scripts
[889]: https://blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code/
[890]: https://www.synopsys.com/blogs/software-security/cve-2020-7958-trustlet-tee-attack.html
[891]: https://blogs.oracle.com/linux/post/unix-garbage-collection-and-iouring
[892]: https://0reg.dev/blog/tenda-ac8-rop
[893]: https://gum3t.xyz/posts/a-gau-hack-from-euskalhack/
[894]: https://arxiv.org/pdf/2406.08719
[895]: https://arxiv.org/pdf/2401.17618
[896]: https://anvbis.au/posts/code-execution-in-chromiums-v8-heap-sandbox/
[897]: https://sdomi.pl/weblog/20-pwning-a-labelmaker/
[898]: https://www.darknavy.org/blog/exploiting_steam_usual_and_unusual_ways_in_the_cef_framework/
[899]: https://blog.wohin.me/posts/linux-kernel-pwn-05/
[900]: https://blog.wohin.me/posts/linux-kernel-pwn-06/
[901]: https://www.shelltrail.com/research/manageengine-adaudit-reverse-engineering-windows-rpc-to-find-cve-2024-36036-and-cve-2024-36037-part1/
[902]: https://www.shelltrail.com/research/manageengine-adaudit-reverse-engineering-windows-rpc-to-find-cve-2024-36036-and-cve-2024-36037-part2/
[903]: https://www.shelltrail.com/research/manageengine-adaudit-reverse-engineering-windows-rpc-to-find-cve-2024-36036-and-cve-2024-36037-part3/
[904]: https://blog.quarkslab.com/lets-go-into-the-rabbit-hole-part-2-the-challenges-of-dynamically-hooking-golang-program.html
[905]: https://blog.trailofbits.com/2024/02/07/binary-type-inference-in-ghidra/
[906]: https://northwave-cybersecurity.com/exploiting-enterprise-backup-software-for-privilege-escalation-part-one
[907]: https://northwave-cybersecurity.com/exploiting-enterprise-backup-software-for-privilege-escalation-part-two
[908]: https://googleprojectzero.blogspot.com/2024/06/driving-forward-in-android-drivers.html
[909]: https://blog.impalabs.com/2111_attacking-samsung-rkp.html
[910]: https://www.nccgroup.com/us/research-blog/pumping-iron-on-the-musl-heap-real-world-cve-2022-24834-exploitation-on-an-alpine-mallocng-heap/
[911]: https://github.blog/security/vulnerability-research/attack-of-the-clones-getting-rce-in-chromes-renderer-with-duplicate-object-properties/
[912]: https://frereit.de/aes_gcm/
[913]: https://arxiv.org/pdf/2406.02624
[914]: https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-1.html
[915]: https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-2.html
[916]: https://googleprojectzero.blogspot.com/2024/06/the-windows-registry-adventure-3.html
[917]: https://grsecurity.net/exploiting_and_defending_against_same_type_object_reuse
[918]: https://offsec.almond.consulting/deep-diving-f5-secure-vault.html
[919]: https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt
[920]: https://memorycorruption.net/posts/rce-lua-factorio/
[921]: https://blog.quarkslab.com/recovering-an-ecu-firmware-using-disassembler-and-branches.html
[922]: https://scoding.de/linux-kernel-exploitation-environment
[923]: https://scoding.de/linux-kernel-exploitation-buffer_overflow
[924]: https://dfir.ch/posts/slash-proc/
[925]: https://righteousit.com/2024/07/24/hiding-linux-processes-with-bind-mounts/
[926]: https://santandersecurityresearch.github.io/blog/sshing_the_masses.html
[927]: https://mariokartwii.com/armv8/
[928]: https://icode4.coffee/?p=954
[929]: https://zolutal.github.io/corctf-trojan-turtles/
[930]: https://blog.quarkslab.com/lets-go-into-the-rabbit-hole-part-3-the-challenges-of-dynamically-hooking-golang-program.html
[931]: http://sh4dy.com/2024/08/03/beetracer/
[932]: https://blog.r0rt1z2.com/hacking-a-2014-tablet-in-2024.html
[933]: https://sector7.computest.nl/post/2024-08-pwn2own-automotive-chargepoint-home-flex/
[934]: http://sh4dy.com/2024/06/29/learning_llvm_01/
[935]: http://sh4dy.com/2024/07/06/learning_llvm_02/
[936]: https://blog.deobfuscate.io/using-symbolic-execution-for-devirtualisation
[937]: https://stefangast.eu/papers/slubstick.pdf
[938]: https://blog.quarkslab.com/heap-exploitation-glibc-internals-and-nifty-tricks.html
[939]: https://www.nccgroup.com/media/uzbp3ttw/bhus24_sonos_whitepaper.pdf
[940]: https://github.blog/security/vulnerability-research/from-object-transition-to-rce-in-the-chrome-renderer/
[941]: https://www.cyberark.com/resources/threat-research-blog/how-to-bypass-golang-ssl-verification
[942]: https://claroty.com/team82/research/pivoting-from-wan-to-lan-synology-bc500-ip-camera
[943]: https://www.righto.com/2024/08/space-shuttle-interim-teleprinter.html
[944]: https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/exploit.md
[945]: https://hexarcana.ch/b/2024-08-16-base64-beyond-encoding/
[946]: https://hexarcana.ch/b/2024-08-19-base64-beyond-encoding-p2/
[947]: https://github.com/sjgallagher2/am335xbootrom
[948]: https://nnub.es/blog/en/ctf/corctf/2024/cormine/
[949]: https://8ksec.io/hacking-android-games/
[950]: https://claroty.com/team82/research/pwn2own-wan-to-lan-exploit-showcase
[951]: https://i.blackhat.com/BH-US-24/Presentations/US24-Qian-PageJack-A-Powerful-Exploit-Technique-With-Page-Level-UAF-Thursday.pdf
[952]: https://gabrieldurdiak.github.io/clfd/
[953]: https://www.sonarsource.com/blog/why-code-security-matters-even-in-hardened-environments/
[954]: https://www.crowdfense.com/windows-wi-fi-driver-rce-vulnerability-cve-2024-30078/
[955]: https://secret.club/2024/06/30/ring-around-the-regex-1.html
[956]: https://secret.club/2024/08/23/ring-around-the-regex-2.html
[957]: https://phrack.org/issues/71/10
[958]: https://ghostwriteattack.com/riscvuzz.pdf
[959]: https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html
[960]: https://blog.back.engineering/17/05/2021/
[961]: https://blog.back.engineering/21/06/2021/
[962]: https://nv1t.github.io/blog/kekz-headphones/
[963]: https://klecko.github.io/posts/selinux-bypasses/
[964]: https://blog.arttnba3.cn/2023/05/02/CTF-0X08_D3CTF2023_D3KCACHE/
[965]: https://stulle123.github.io/posts/kakaotalk-account-takeover/
[966]: https://blog.sicuranext.com/breaking-down-multipart-parsers-validation-bypass/
[967]: https://ii4gsp.github.io/cve-2020-27786/
[968]: https://blog.trailofbits.com/2024/10/31/fuzzing-between-the-lines-in-popular-barcode-software/
[969]: https://grsecurity.net/cross_process_spectre_exploitation
[970]: https://comsec.ethz.ch/wp-content/files/ibpb_sp25.pdf
[971]: https://www.akamai.com/blog/security-research/the-definitive-guide-to-linux-process-injection
[972]: https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/pygmy-goat/ncsc-mar-pygmy-goat.pdf
[973]: https://medium.com/@clearbluejar/everyday-ghidra-ghidra-data-types-when-to-create-custom-gdts-part-1-143fe45777eb
[974]: https://medium.com/@clearbluejar/everyday-ghidra-ghidra-data-types-creating-custom-gdts-from-windows-headers-part-2-39b8121e1d82
[975]: https://www.usenix.org/system/files/usenixsecurity24-avllazagaj.pdf
[976]: https://goncalomb.com/blog/2024/01/30/f57cf19b-how-i-also-hacked-my-car
[977]: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
[978]: https://www.starlabs.sg/blog/2022/06-io_uring-new-code-new-bugs-and-a-new-exploit-technique/#unlinking-attack
[979]: https://github.com/onekey-sec/BHEU23-firmware-workshop
[980]: https://static.sched.com/hosted_files/lsseu2024/37/2024%2C%20LSS%20EU_%20SLUB%20Internals%20for%20Exploit%20Developers.pdf
[981]: https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/
[982]: https://tbhaxor.com/linux-privilege-escalation/
[983]: https://blogs.oracle.com/linux/post/pinning-userspace-pages-in-the-linux-kernel?source=:ow:o:s:po:::_lk%2B:ow:lp:cpo
[984]: https://blog.convisoappsec.com/en/introduction-to-fuzzing-android-native-components/
[985]: https://www.hexacon.fr/slides/Cho_Lee-Utilizing_Cross-CPU_Allocation_to_Exploit_Preempt-Disabled_Linux_Kernel.pdf
[986]: https://osec.io/blog/2024-11-25-netfilter-universal-root-1-day
[987]: https://boschko.ca/adversarial-ml/
[988]: https://watchfulip.github.io/28-12-24/tp-link_c210_v2.html
[989]: https://www.elastic.co/security-labs/declawing-pumakit
[990]: https://fahrplan.events.ccc.de/congress/2024/fahrplan/media/38c3/submissions/YM3UTV/resources/ccc_Heppyky.pdf
[991]: https://hulkops.gitbook.io/blog/red-team/x64-return-address-spoofing
[992]: https://hulkops.gitbook.io/blog/red-team/x64-call-stack-spoofing
[993]: https://security.humanativaspa.it/fault-injection-down-the-rabbit-hole/
[994]: https://powerofcommunity.net/poc2024/Pan%20Zhenpeng%20&%20Jheng%20Bing%20Jhong,%20GPUAF%20-%20Two%20ways%20of%20rooting%20All%20Qualcomm%20based%20Android%20phones.pdf
[995]: https://slavamoskvin.com/hunting-bugs-in-linux-kernel-with-kasan-how-to-use-it-whats-the-benefit/
[996]: https://slavamoskvin.com/finding-bugs-in-kernel.-part-1-crashing-a-vulnerable-driver-with-syzkaller/
[997]: https://slavamoskvin.com/finding-bugs-in-kernel.-part-2-fuzzing-the-actual-kernel/
[998]: https://blog.exodusintel.com/2024/12/02/
[999]: https://slavamoskvin.com/linux-kernel-attack-surface-beyond-ioctl.-dma-buf/
[1000]: https://www.usenix.org/system/files/usenixsecurity24-han-seunghun.pdf
[1001]: https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol
[1002]: https://zwclose.github.io/2024/10/14/rtsper1.html
[1003]: https://blog.theori.io/deep-dive-into-rcu-race-condition-analysis-of-tcp-ao-uaf-cve-2024-27394-f40508b84c42
[1004]: https://den.dev/blog/reverse-engineer-stream-deck-plus/
[1005]: https://lukasmaar.github.io/papers/ndss25-kernelsnitch.pdf
[1006]: https://u1f383.github.io/linux/2025/01/03/cross-cache-attack-cheatsheet.html
[1007]: https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html
[1008]: https://inferi.club/post/the-art-of-linux-kernel-rootkits
[1009]: https://www.shielder.com/blog/2024/09/a-journey-from-sudo-iptables-to-local-privilege-escalation/
[1010]: https://blog.mggross.com/intercepting-syscalls/
[1011]: https://retr0.blog/blog/llama-rpc-rce
[1012]: https://www.darknavy.org/blog/cve_2024_5274_a_minor_flaw_in_v8_parser_leading_to_catastrophes/
[1013]: https://infosecwriteups.com/reversing-discovering-and-exploiting-a-tp-link-router-vulnerability-cve-2024-54887-341552c4b104
[1014]: https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/
[1015]: https://krinkinmu.github.io/2024/01/14/aarch64-virtual-memory.html
[1016]: https://zeyadazima.com/exploit%20development/pointer_pac/
[1017]: https://courk.cc/rp2350-challenge-laser
[1018]: https://oddlama.org/blog/bypassing-disk-encryption-with-tpm2-unlock/
[1019]: https://nicolo.dev/en/blog/disassembling-binary-linear-recursive/
[1020]: https://blog.includesecurity.com/2025/02/replacing-a-space-heater-firmware-over-wifi/
[1021]: https://allelesecurity.com/accidentally-uncovering-a-seven-years-old-vulnerability-in-the-linux-kernel/
[1022]: https://cryptopals.com
[1023]: https://blog.trailofbits.com/2025/01/28/best-practices-for-key-derivation/
[1024]: https://haxx.in/posts/wtm-wtf/
[1025]: https://raffo24.github.io/hardware%20hacking/FirmwareAnalysis/
[1026]: https://blog.thalium.re/posts/linux-kernel-rust-module-for-rootkit-detection/
[1027]: https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking
[1028]: https://modzero.com/en/blog/roping-our-way-to-rce/
[1029]: https://www.darkrelay.com/post/exploring-heap-exploitation-mechanisms-understanding-the-house-of-force-technique
[1030]: https://www.usenix.org/system/files/woot24-mao.pdf
[1031]: https://claroty.com/team82/research/hack-the-emulated-planet-vulnerability-hunting-on-planet-wgs-804hpt-industrial-switches
[1032]: https://h0mbre.github.io/Patch_Gapping_Google_COS/
[1033]: https://blog.doyensec.com/2025/01/07/ksmbd-1.html
[1034]: https://ilyasergey.net/assets/pdf/papers/doppler-usenix25.pdf
[1035]: https://roundofthree.github.io/posts/nginx-aixcc-pwn/
[1036]: https://dayzerosec.com/blog/2025/03/08/reversing-samsungs-h-arx-hypervisor-part-1.html
[1037]: https://8ksec.io/analyzing-kernel-panic-ios/?srsltid=AfmBOopTbPIEmMzcKlC4Qnyc6tH5HnSIt0PbuB9eVVf2Tms8DH6lwsgl
[1038]: https://blog.dfsec.com/ios/2025/05/30/blasting-past-ios-18/
[1039]: https://googleprojectzero.blogspot.com/2025/05/breaking-sound-barrier-part-i-fuzzing.html
[1040]: https://afine.com/case-study-analyzing-macos-ionvmefamily-driver-denial-of-service-issue/
[1041]: https://afine.com/case-study-iomobileframebuffer-null-pointer-dereference/
[1042]: https://www.df-f.com/blog/ios17
[1043]: https://www.df-f.com/blog/ios-17round2
[1044]: https://blog.quarkslab.com/being-overlord-on-the-steam-deck-with-1-byte.html
[1045]: https://magic-box.dev/hacking/smoltalk/
[1046]: https://www.df-f.com/blog/sptm3
[1047]: https://www.kandji.io/blog/macos-appleprocesshub-stealer
[1048]: https://n0psn0ps.github.io/2025/02/13/Reversing-the-QardioArm/
[1049]: https://www.usenix.org/system/files/woot24-tan.pdf
[1050]: https://starlabs.sg/blog/2025/12-mali-cious-intent-exploiting-gpu-vulnerabilities-cve-2022-22706/
[1051]: https://eshard.com/posts/emulating-ios-14-with-qemu
[1052]: https://jhftss.github.io/Endless-Exploits/?utm_source=feedly
[1053]: https://jhalon.github.io/chrome-browser-exploitation-1/
[1054]: https://jhalon.github.io/chrome-browser-exploitation-2/
[1055]: https://jhalon.github.io/chrome-browser-exploitation-3/
[1056]: https://visionspace.com/nasa-cfs-version-aquila-software-vulnerability-assessment/
[1057]: https://0xrick.github.io/misc/c2/
[1058]: https://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypass-cve-2025-24200.html
[1059]: https://predictors.fail/files/FLOP.pdf
[1060]: https://predictors.fail/files/SLAP.pdf
[1061]: https://starlabs.sg/blog/2025/03-cimfs-crashing-in-memory-finding-system-kernel-edition/
[1062]: https://u1f383.github.io/linux/2025/03/27/the-evolution-of-COW-1.html
[1063]: https://u1f383.github.io/linux/2025/03/29/the-evolution-of-COW-2.html
[1064]: https://irisc-research-syndicate.github.io/2025/02/14/writing-a-ghidra-processor-module/
[1065]: https://u1f383.github.io/linux/2025/01/07/cve-2024-53141-an-oob-write-vulnerability-in-netfilter-ipset.html
[1066]: https://ssd-disclosure.com/ssd-advisory-linux-kernel-hfsplus-slab-out-of-bounds-write/
[1067]: https://lukasmaar.github.io/papers/usenix25-tlbsidechannel.pdf
[1068]: https://dinohacks.com/posts/2025/2025-03-17-defeating-string-obfuscation-in-obfuscated-nodejs-malware/
[1069]: https://www.zerodayinitiative.com/blog/2025/3/20/mindshare-using-binary-ninja-api-to-detect-potential-use-after-free-vulnerabilities
[1070]: https://technologeeks.com/blog/Scudo/
[1071]: https://theori.io/blog/reviving-the-modprobe-path-technique-overcoming-search-binary-handler-patch
[1072]: https://swarm.ptsecurity.com/last-barrier-destroyed-or-compromise-of-fuse-encryption-key-for-intel-security-fuses/
[1073]: https://archie-osu.github.io/2025/04/11/vanguard-research.html
[1074]: https://codeneverdies.github.io/posts/gh-2/
[1075]: https://xia0.sh/blog/visit-the-map/visit-the-map?ref=blog.exploits.club
[1076]: https://syst3mfailure.io/two-bytes-of-madness/
[1077]: https://blog.es3n1n.eu/posts/how-i-ruined-my-vacation/
[1078]: https://fuzzinglabs.com/state-of-linux-snapshot-fuzzing/
[1079]: https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/
[1080]: https://blog.itarow.xyz/posts/mctf_2025_sec_mem/
[1081]: https://kuzey.rs/posts/Dirty_Page_Table/
[1082]: https://a13xp0p0v.github.io/img/Alexander_Popov-Kernel_Hack_Drill-Zer0Con.pdf
[1083]: https://u1f383.github.io/linux/2025/03/02/a-series-of-io_uring-pbuf-vulnerabilities.html
[1084]: https://www.darknavy.org/blog/a_first_glimpse_of_the_starlink_user_ternimal/
[1085]: https://www.legacyy.xyz/defenseevasion/windows/2025/04/16/control-flow-hijacking-via-data-pointers.html
[1086]: https://www.synacktiv.com/en/publications/cve-2025-23016-exploiting-the-fastcgi-library
[1087]: https://siunam321.github.io/research/python-dirty-arbitrary-file-write-to-rce-via-writing-shared-object-files-or-overwriting-bytecode-files/
[1088]: https://arxiv.org/pdf/2504.12812
[1089]: https://blog.washi.dev/posts/recovering-nativeaot-metadata/
[1090]: https://sean.heelan.io/2025/05/22/how-i-used-o3-to-find-cve-2025-37899-a-remote-zeroday-vulnerability-in-the-linux-kernels-smb-implementation/
[1091]: https://bohops.com/2023/06/09/no-alloc-no-problem-leveraging-program-entry-points-for-process-injection/
[1092]: https://r0keb.github.io/posts/PatchGuard-Internals/
[1093]: https://brownfinesecurity.com/blog/hanwha-firmware-file-decryption
[1094]: https://retooling.io/blog/my-emulation-goes-to-the-moon-until-false-flag
[1095]: https://r0keb.github.io/posts/kASLR-Internals-and-Evolution/
[1096]: https://blog.ret2.io/2025/06/11/pwn2own-soho-2024-sonos-exploit/
[1097]: https://r0ny.net/FiberGateway-GR241AG-Full-Exploit-Chain/
[1098]: https://syst3mfailure.io/linux-page-allocator/
[1099]: https://secret.club/2025/06/02/hypervisors-for-memory-introspection-and-reverse-engineering.html
[1100]: https://sam4k.com/page-table-kernel-exploitation/
[1101]: https://haxrob.net/bpfdoor-past-and-present-part-1/
[1102]: https://haxrob.net/bpfdoor-past-and-present-part-2/
[1103]: https://starlabs.sg/blog/2025/05-gone-in-5-seconds-how-warn_on-stole-10-minutes/
[1104]: https://neodyme.io/en/blog/pwn2own-2024_canon_rce/#exif-format-introduction
[1105]: https://github.blog/security/vulnerability-research/bypassing-mte-with-cve-2025-0072/
[1106]: https://claroty.com/team82/research/attention-high-voltage-exploring-the-attack-surface-of-the-rockwell-automation-powermonitor-1000
[1107]: https://skemman.is/bitstream/1946/50456/1/Challenges_and_Pitfalls_while_Emulating_Six_Current_Icelandic_Household_Routers.pdf
[1108]: https://coderush.me/hydroph0bia-part3/
[1109]: https://icode4.coffee/?p=1047
[1110]: https://icode4.coffee/?p=1081
[1111]: https://blog.syss.com/posts/voltage-glitching-the-stm32l05-microcontroller/
[1112]: https://stefan-gloor.ch/yomani-hack
[1113]: https://rvasec.com/slides/2025/Massey_Linux_Kernel_Exploitation_For_Beginners.pdf
[1114]: https://pt-phdays.storage.yandexcloud.net/Yashnikov_Valerij_Obhod_sredstv_zashhity_yadra_Linux_pri_perehvate_potoka_upravleniya_compressed_373ea39bd6.pdf
[1115]: https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
[1116]: https://u1f383.github.io/linux/2025/06/26/the-journey-of-bypassing-ubuntus-unprivileged-namespace-restriction.html
[1117]: https://blog.compass-security.com/2025/06/pwn2own-ireland-2024-ubiquiti-ai-bullet/
[1118]: https://seadragnol.github.io/posts/CVE-2023-52927/
[1119]: https://www.synacktiv.com/en/publications/exploiting-heroes-of-might-and-magic-v
[1120]: https://raelize.com/upload/research/2025/Dartmouth_202505_False-Injections-Tales-of-Physics-Misconceptions-and-Weird-Machines_v1.1.pdf
[1121]: https://raelize.com/upload/research/2025/Hw_io-USA-2025_EL3vated-Privileges-Glitching-Google-Wifi-Pro-from-Root-to-EL3_v1.0.pdf
[1122]: https://blog.infosectcbr.com.au/2025/08/01/exploiting-the-synology-tc500-at-pwn2own-ireland-2024/
[1123]: https://xairy.io/articles/pixel-kgdb
[1124]: https://swarm.ptsecurity.com/buried-in-the-log-exploiting-a-20-years-old-ntfs-vulnerability/
[1125]: https://blog.elmo.sg/posts/breaking-disassembly-through-symbol-resolution/
[1126]: https://www.cs.ucr.edu/%7Ezhiyunq/pub/ccs24_wireless_mesh.pdf
[1127]: https://r0keb.github.io/posts/Modern-(Kernel)-Low-Fragmentation-Heap-Exploitation/
[1128]: https://starlabs.sg/blog/2025/06-solo-a-pixel-6-pro-story-when-one-bug-is-all-you-need/
[1129]: https://jerinsunny.github.io/blogs/iotsecurity/2025/01/03/sonoff-firmware-extraction.html
[1130]: https://quentinkaiser.be/security/2025/07/25/rooting-tapo-c200/
[1131]: https://mystiz.hk/posts/2025/2025-06-30-google-ctf/
[1132]: https://hnsecurity.it/blog/attacking-genai-applications-and-llms-sometimes-all-it-takes-is-to-ask-nicely/
[1133]: https://allelesecurity.com/uaf-can-bcm/
[1134]: https://clearbluejar.github.io/posts/pyghidra-mcp-headless-ghidra-mcp-server-for-project-wide-multi-binary-analysis/
[1135]: https://streypaws.github.io/posts/DSP-Kernel-Internals/
[1136]: https://assets.contentstack.io/v3/assets/blte4f029e766e6b253/blt6495b3c6adf2867f/685aa980a26c5e2b1026969c/vulnerability-disclosure-whitepaper.pdf
[1137]: https://www.synacktiv.com/en/publications/let-me-cook-you-a-vulnerability-exploiting-the-thermomix-tm5
[1138]: https://i.blackhat.com/BH-USA-25/Presentations/US-25-Yang-Booting-into-breaches-Wednesday.pdf
[1139]: https://www.matiassoler.com/posts/approtect_bypass_nrf52832/
[1140]: https://labs.watchtowr.com/you-already-have-our-personal-data-take-our-phone-calls-too-freepbx-cve-2025-57819/
[1141]: https://bughunters.google.com/blog/6243730100977664/exploiting-retbleed-in-the-real-world
[1142]: https://wilgibbs.com/blog/defcon-finals-mcp/
[1143]: https://coderush.me/hydroph0bia-part1/
[1144]: https://coderush.me/hydroph0bia-part2/
[1145]: https://bruce30262.github.io/hitcon-ctf-2025-calc/
[1146]: https://androidoffsec.withgoogle.com/posts/binder-fuzzing/
[1147]: https://nac-l.github.io/2025/01/25/lifting_0.html
[1148]: https://qriousec.github.io/post/oob-angle/
[1149]: https://exploits.forsale/pwn2own-2024/
[1150]: https://labs.watchtowr.com/stack-overflows-heap-overflows-and-existential-dread-sonicwall-sma100-cve-2025-40596-cve-2025-40597-and-cve-2025-40598/
[1151]: https://bughunters.google.com/blog/5800341475819520/a-fuzzy-escape-a-tale-of-vulnerability-research-on-hypervisors
[1152]: https://www.synacktiv.com/en/publications/extraction-of-synology-encrypted-archives-pwn2own-ireland-2024
[1153]: https://projectzero.google/2025/08/from-chrome-renderer-code-exec-to-kernel.html?m=1
[1154]: https://lessonsec.com/posts/nrf51-bypass/
[1155]: https://www.proofpoint.com/us/blog/threat-insight/dont-phish-let-me-down-fido-authentication-downgrade
[1156]: https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root/
[1157]: https://chocapikk.com/posts/2025/when-a-wifi-name-gives-you-root-part-two/
[1158]: https://claroty.com/team82/research/turning-camera-surveillance-on-its-axis
[1159]: https://github.com/addisoncrump/parking-game-fuzzer
[1160]: https://streypaws.github.io/posts/Race-Against-Time-in-the-Kernel-Clockwork/
[1161]: https://www.nccgroup.com/media/b2chcbti/vmware-workstation-guest-to-host-escape.pdf
[1162]: https://nghiant3223.github.io/2025/05/29/fundamental_of_virtual_memory.html
[1163]: https://syst3mfailure.io/rbtree-family-drama/
[1164]: https://blog.byteray.co.uk/exploiting-zero-day-cve-2025-9961-in-the-tp-link-ax10-router-8745f9af9c46
[1165]: https://f0rw4rd.github.io/posts/tls-noverify-bypass-all-the-things/
[1166]: https://ptr-yudai.hatenablog.com/entry/2025/09/14/180326
[1167]: https://www.synacktiv.com/en/publications/exploring-grapheneos-secure-allocator-hardened-malloc
[1168]: https://u1f383.github.io/android/2025/09/08/corCTF-2025-corphone.html
[1169]: https://github.com/R0rt1z2/fenrir
[1170]: https://comsec-files.ethz.ch/papers/phoenix_sp26.pdf
[1171]: https://blog.sekoia.io/apt28-operation-phantom-net-voxel/
[1172]: https://www.willsroot.io/2025/09/ksmbd-0-click.html
[1173]: https://plaxidityx.com/blog/blog-post/is-your-memory-protecteduncovering-hidden-vulnerabilities-in-automotive-mpu-mechanisms/
[1174]: https://faith2dxy.xyz/2025-10-02/kCTF-TLS-nday-analysis/
[1175]: https://blog.doyensec.com/2025/09/02/ksmbd-2.html
[1176]: https://blog.doyensec.com/2025/10/08/ksmbd-3.html
[1177]: https://cyble.com/blog/lunobotnet-a-self-healing-linux-botnet/
[1178]: https://bughunters.google.com/blog/project-rainl1tf
[1179]: https://www.binarly.io/blog/broken-trust-fixed-supermicro-bmc-bug-gains-a-new-life-in-two-new-vulnerabilities
[1180]: https://a13xp0p0v.github.io/2025/09/02/kernel-hack-drill-and-CVE-2024-50264.html
[1181]: https://www.lucavall.in/blog/a-tour-of-ebpf-in-the-linux-kernel-observability-security-and-networking
[1182]: https://streypaws.github.io/posts/Fast-and-Faulty-A-Use-After-Free-in-KGSL-Fault-Handling/
[1183]: https://wiretap.fail
[1184]: https://xploitbengineer.github.io/CVE-2025-21479
[1185]: https://research.checkpoint.com/2025/denial-of-fuzzing-rust-in-the-windows-kernel/
[1186]: https://blog.quarkslab.com/nvidia_gpu_kernel_vmalloc_exploit.html
[1187]: https://www.usenix.org/system/files/woot25-muench.pdf
[1188]: https://retr0.zip/blog/cve-2025-6554-the-rabbit-hole.html
[1189]: https://research.checkpoint.com/2025/generative-ai-for-reverse-engineering/
[1190]: https://www.originhq.com/blog/windows-arm64-internals-deconstructing-pointer-authentication
[1191]: https://github.blog/security/vulnerability-research/codeql-zero-to-hero-part-4-gradio-framework-case-study/
[1192]: https://github.blog/security/vulnerability-research/codeql-zero-to-hero-part-5-debugging-queries/?ref=blog.exploits.club
[1193]: https://www.interruptlabs.co.uk/articles/one-click-memory-corruption-in-alibabas-uc-browser-exploiting-patch-gap-v8-vulnerabilities-to-steal-your-data
[1194]: https://boredpentester.com/pwn2own-2025-pwning-lexmarks-postscript-processor/
[1195]: https://mrt4ntr4.github.io/Windows-Heap-Exploitation-dadadb/
[1196]: https://starlabs.sg/blog/2025/11-breaking-into-a-brother-mfc-j1010dw/
[1197]: https://kylebot.net/papers/ret2entry.pdf
[1198]: https://spaceraccoon.dev/nokia-beacon-router-uart-command-injection/
[1199]: https://hhj4ck.github.io/en/iris-wallet-security-teardown.html
[1200]: https://blog.quarkslab.com/modern-tale-blinkenlights.html