0xor0ne/awesome-list
GitHub: 0xor0ne/awesome-list
A curated knowledge base of high-quality cybersecurity blog posts, reports and papers, collected since 2011.
Stars: 3280 | Forks: 353
# Curated Cybersecurity List
My personal collection of curated blog posts, reports and papers focused on cybersecurity.
For a deeper look at cybersecurity-related tools, see the dedicated **[Cybersecurity tools](topics/tools_and_repos.md)** list.
## Contents
- [2025](#2025)
- [2024](#2024)
- [2023](#2023)
- [2022](#2022)
- [2021](#2021)
- [2020](#2020)
- [2019](#2019)
- [2018](#2018)
- [2017](#2017)
- [2016](#2016)
- [2014](#2014)
- [2011](#2011)
- [Misc](#misc)
- [Other lists](#other-lists)
## 2025
- ["A File Format Uncracked for 20 Years"][1202]
- ["A First Glimpse of the Starlink User Terminal"][1084]
- ["A Fuzzy Escape - A tale of vulnerability research on hypervisors"][1151]
- ["A modern tale of blinkenlights"][1200]
- ["A Quick Dive Into The Linux Kernel Page Allocator"][1098]
- ["A Series of io_uring pbuf Vulnerabilities"][1083]
- ["A Tour of eBPF in the Linux Kernel: Observability, Security and Networking"][1181]
- ["Accidentally Uncovering a Seven Years Old Vulnerability in the Linux Kernel"][1021]
- ["All You Need Is MCP - LLMs Solving a DEF CON CTF Finals Challenge"][1142]
- ["Analysing a 1-day Vulnerability in the Linux Kernel's TLS Subsystem"][1174]
- ["Analyzing iOS Kernel Panic Logs"][1037]
- ["Android: Scudo"][1070]
- ["APPROTECT Bypass on nRF52832"][1139]
- ["APT28 Operation Phantom Net Voxel"][1171]
- ["Attacking GenAI applications and LLMs – Sometimes all it takes is to ask nicely!"][1132]
- ["Attention, High Voltage: Exploring the Attack Surface of the Rockwell Automation PowerMonitor 1000"][1106]
- ["Being Overlord on the Steam Deck with 1 Byte"][1044]
- "BPFDoor"
- ["Part 1 - The Past"][1101]
- ["Part 2 - The Present"][1102]
- ["Beating xloader at Speed: Generative AI as a Force Multiplier for Reverse Engineering"][1189]
- ["Best practices for key derivation"][1023]
- ["Binder Fuzzing"][1146]
- ["Blasting Past iOS 18"][1038]
- ["Booting into Breaches Hunting Windows SecureBoot's Remote Attack Surfaces"][1138]
- ["Bootloader to Iris: A Security Teardown of a Hardware Wallet"][1199]
- ["Breaking Disassembly — Abusing symbol resolution in Linux programs to obfuscate library calls"][1125]
- ["Breaking Into a Brother (MFC-J1010DW): Three Security Flaws in a Seemingly Innocent Printer"][1196]
- ["Breaking the Sound Barrier Part I: Fuzzing CoreAudio with Mach Messages"][1039]
- ["Broken Trust: Fixed Supermicro BMC Bug Gains a New Life in Two New Vulnerabilities"][1179]
- ["Buried in the Log. Exploiting a 20 years old NTFS Vulnerability"][1124]
- ["Bypassing disk encryption on systems with automatic TPM2 unlock"][1018]
- ["Bypassing MTE with CVE-2025-0072"][1105]
- ["Case Study: Analyzing macOS IONVMeFamily Driver Denial of Service Issue"][1040]
- ["Case Study: IOMobileFramebuffer NULL Pointer Dereference"][1041]
- ["Challenges and Pitfalls while Emulating Six Current Icelandic Household Routers"][1107]
- ["CimFS: Crashing in memory, Finding SYSTEM (Kernel Edition)"][1061]
- ["Control Flow Hijacking in the Linux Kernel"][1114]
- ["Control Flow Hijacking via Data Pointers"][1085]
- ["corCTF 2025 - corphone"][1168]
- ["Cross Cache Attack CheatSheet"][1006]
- ["CVE-2023-52927 - Turning a Forgotten Syzkaller Report into kCTF Exploit"][1118]
- ["CVE-2024-30088 Pwning Windows Kernel @ Pwn2Own Vancouver 2024 (Plus Xbox)"][1149]
- ["CVE-2024-53141: an OOB Write Vulnerability in Netfilter ipset"][1065]
- ["CVE-2025-23016 - EXPLOITING THE FASTCGI LIBRARY"][1086]
- ["CVE-2025-37752 Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds"][1076]
- ["CVE-2025-38001 Exploiting All Google kernelCTF Instances And Debian 12 With A 0-Day For $82k: An RBTree Family Drama"][1163]
- ["CVE-2025-6554: The (rabbit) Hole"][1188]
- ["Debugging the Pixel 8 kernel via KGDB"][1123]
- ["Defeating String Obfuscation in Obfuscated NodeJS Malware using AST"][1068]
- ["Denial of Ruzzing: Rust in the Windows Kernel"][1185]
- ["Dirty Pageflags: Revisiting PTE Exploitation in Linux"][1166]
- ["Disassembling a binary: linear sweep and recursive traversal"][1019]
- ["Dissecting the macOS 'AppleProcessHub' Stealer: Technical Analysis of a Multi-Stage Attack"][1047]
- ["Don’t Phish-let Me Down: FIDO Authentication Downgrade"][1155]
- ["EL3vated Privileges: Glitching Google WiFi Pro from Root to EL3"][1121]
- ["Emulating an iPhone in QEMU"][1051]
- ["Endless Exploits: The Saga of a macOS Vulnerability Struck Nine Times"][1052]
- ["Exploitation of AIxCC Nginx bugs: Part I"][1035]
- ["Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282)"][1014]
- ["Exploiting CVE-2024-0582 via the Dirty Pagetable Method"][1081]
- ["Exploiting CVE-2025-21479 on a Samsung S23"][1184]
- ["Exploiting Retbleed in the real world"][1141]
- ["Exploiting the Synology TC500 at Pwn2Own Ireland 2024"][1122]
- ["Exploiting Zero-Day (CVE-2025–9961) Vulnerability in the TP-Link AX10 Router"][1164]
- ["Exploiting Heroes of Might and Magic V"][1119]
- ["Exploring GrapheneOS Secure Allocator: Hardened Malloc"][1167]
- ["Exploring Heap Exploitation Mechanisms: Understanding the House of Force Technique"][1029]
- ["Eternal-Tux: Crafting a Linux Kernel KSMBD 0-Click RCE Exploit from N-Days"][1172]
- ["Extraction of Synology Encrypted Archives - Pwn2Own Ireland 2024"][1152]
- ["False Injections: Tales of Physics, Misconceptions and Weird Machines"][1120]
- ["Fast & Faulty - A Use After Free in KGSL Fault Handling"][1182]
- ["FiberGateway GR241AG - Full Exploit Chain"][1097]
- ["First analysis of Apple's USB Restricted Mode bypass (CVE-2025-24200)"][1058]
- ["FLOP: Breaking the Apple M3 CPU via False Load Output Predictions"][1059]
- ["Fundamentals of Virtual Memory"][1162]
- ["From Chrome renderer code exec to kernel with MSG_OOB"][1153]
- ["Game Hacking - Valve Anti-Cheat (VAC)"][1074]
- ["Gone in 5 Seconds: How WARN_ON Stole 10 Minutes"][1103]
- ["Google CTF 2025 Quals Writeup"][1131]
- ["Hack The Emulated Planet: Vulnerability Hunting on Planet WGS-804HPT Industrial Switches"][1031]
- "Hacking the XBox 360 Hypervisor"
- [Part 1][1109]
- [Part 2][1110]
- ["Hacking Sonoff Smart Home IoT Device - Extract, Modify, Boot, Intercept, Clone!"][1129]
- ["Hacking the Nokia Beacon 1 Router: UART, Command Injection, and Password Generation with Qiling"][1198]
- ["HITCON CTF 2025 -- calc"][1145]
- ["How I ruined my vacation by reverse engineering WSC"][1077]
- ["How I used o3 to find CVE-2025-37899, a remote zeroday vulnerability in the Linux kernel’s SMB implementation"][1090]
- ["How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)"][1115]
- "Hydroph0bia (CVE-2025-4275)"
- ["a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O"][1143]
- ["a bit more than just a trivial SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O"][1144]
- ["a fixed SecureBoot bypass for UEFI-compatible firmware based on Insyde H2O"][1108]
- ["Hypervisors for Memory Introspection and Reverse Engineering"][1099]
- ["Kernel Exploitation Techniques: Turning The (Page) Tables"][1100]
- ["Kernel-hack-drill and a new approach to exploiting CVE-2024-50264 in the Linux kernel"][1180]
- ["Inside Riot Vanguard's Dispatch Table Hooks"][1073]
- ["Intercepting HTTPS Communication in Flutter: Going Full Hardcore Mode with Frida"][1079]
- "iOS 17: New Version, New Acronyms":
- [Part 1][1042]
- [Part 2][1043]
- ["kASLR Internals and Evolution"][1095]
- ["Kernel-Hack-Drill: Environment For Developing Linux Kernel Exploits"][1082]
- ["KernelSnitch: Side-Channel Attacks on Kernel Data Structures"][1005]
- ksmbd (doyensec):
- ["ksmbd vulnerability research"][1033]
- ["Fuzzing Improvements and Vulnerability Discovery"][1175]
- ["Exploiting CVE-2025-37947"][1176]
- ["Laser Fault Injection on a Budget: RP2350 Edition"][1017]
- ["Last barrier destroyed, or compromise of Fuse Encryption Key for Intel Security Fuses"][1072]
- ["Let Me Cook You a Vulnerability: Exploiting the Thermomix TM5"][1137]
- ["Lifting Binaries, Part 0: Devirtualizing VMProtect and Themida: It's Just Flattening?"][1147]
- ["Linux Kernel Exploitation For Beginners"][1113]
- ["Linux Kernel Hfsplus Slab-out-of-bounds Write"][1066]
- ["Linux kernel Rust module for rootkit detection"][1026]
- ["Llama's Paradox - Delving deep into Llama.cpp and exploiting Llama.cpp's Heap Maze, from Heap-Overflow to Remote-Code Execution"][1011]
- ["LunoBotnet: A Self-Healing Linux Botnet with Modular DDoS and Cryptojacking Capabilities"][1177]
- ["Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793)"][1050]
- ["MCTF 2025 - Write-up Sec Mem - Pwn"][1080]
- ["Mindshare: Using Binary Ninja API to Detect Potential Use-after-free Vulnerabilities"][1069]
- ["Modern (Kernel) Low Fragmentation Heap Exploitation"][1127]
- ["My Emulation Goes to the Moon... Until False Flag"][1094]
- ["NASA cFS version Aquila Software Vulnerability Assessment"][1056]
- ["nRF51 RBPCONF bypass for firmware dumping"][1154]
- ["One‑Click Memory Corruption in Alibaba’s UC Browser: Exploiting patch-gap V8 vulnerabilities to steal your data"][1193]
- ["Oops! It's a kernel stack use-after-free: Exploiting NVIDIA's GPU Linux drivers"][1186]
- ["Out-of-bound read in ANGLE CopyNativeVertexData from Compromised Renderer"][1148]
- ["Overview of Map Exploitation in v8"][1075]
- ["Patch-Gapping the Google Container-Optimized OS for $0"][1032]
- ["PatchGuard Internals"][1092]
- ["Phoenix: Rowhammer Attacks on DDR5 with Self-Correcting Synchronization"][1170]
- ["Print Scan Hacks: Identifying multiple vulnerabilities across multiple Brother devices"][1136]
- ["Project Rain:L1TF"][1178]
- ["Pwn2Own 2025: Pwning Lexmark’s Postscript Processor"][1194]
- ["Pwn2Own Ireland 2024: Canon imageCLASS MF656Cdw"][4]
- ["Pwn2Own Ireland 2024 – Ubiquiti AI Bullet"][1117]
- ["pyghidra-mcp: Headless Ghidra MCP Server for Project-Wide, Multi-Binary Analysis"][1134]
- ["Python Dirty Arbitrary File Write to RCE via Writing Shared Object Files Or Overwriting Bytecode Files"][1087]
- ["Qualcomm DSP Kernel Internals"][1135]
- ["Race Against Time in the Kernel’s Clockwork"][1160]
- ["Recovering Metadata from .NET Native AOT Binaries"][1089]
- ["Reliable system call interception"][1010]
- ["Replacing a Space Heater Firmware Over WiFi"][1020]
- ["Reverse Engineering Hanwha Security Camera Firmware File Decryption with IDA Pro"][1093]
- ["Reverse engineering Realtek RTL8761B* Bluetooth chips, to make better Bluetooth security tools & classes"][1201]
- ["Reversing, Discovering, And Exploiting A TP-Link Router Vulnerability — CVE-2024–54887"][1013]
- ["Reversing Samsung's H-Arx Hypervisor Framework - Part 1"][1036]
- ["Reversing the QardioArm"][1048]
- ["Reviving the modprobe_path Technique: Overcoming search_binary_handler() Patch"][1071]
- ["Root Shell on Credit Card Terminal"][1112]
- ["Rooting the TP-Link Tapo C200 Rev.5"][1130]
- ["ROPing our way to RCE"][1028]
- ["RV130X Firmware Analysis"][1025]
- ["Security through Transparency: Tales from the RP2350 Hacking Challenge"][1187]
- ["SLAP: Data Speculation Attacks via Load Address Prediction on Apple Silicon"][1060]
- ["smoltalk: RCE in Open Source Agents"][1045]
- ["Solo: A Pixel 6 Pro Story (When one bug is all you need)"][1128]
- ["SoK: Security of EMV Contactless Payment Systems"][1088]
- ["Sound and Efficient Generation of Data-Oriented Exploits via Programming Language Synthesis"][1034]
- ["Stack Overflows, Heap Overflows, and Existential Dread"][1150]
- ["State of Linux Snapshot Fuzzing"][1078]
- ["STM32L05 Voltage Glitching"][1111]
- ["Streaming Zero-Fi Shells to Your Smart Speaker"][1096]
- ["System Register Hijacking: Compromising Kernel Integrity By Turning System Registers Against the System"][1196]
- ["The Art of Linux Kernel Rootkits"][1008]
- "The Evolution of Dirty COW":
- [Part 1][1062]
- [Part 2][1063]
- ["The Journey of Bypassing Ubuntu’s Unprivileged Namespace Restriction"][1116]
- ["TLS NoVerify: Bypass All The Things"][1165]
- ["Tp-Link Router Deep Research"][1203]
- ["Tracing Back to the Source | SPTM Round 3"][1046]
- ["Turning Camera Surveillance on its Axis"][1158]
- ["Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks"][1126]
- ["Use-After-Free Vulnerability in the CAN BCM Subsystem Leading to Information Disclosure (CVE-2023-52922)"][1133]
- ["VMware Workstation guest-to-host escape"][1161]
- ["We are ARMed no more ROPpery Here"][1016]
- "When a Wi-Fi SSID Gives You Root on an MT02 Repeater"
- [Part 1][1156]
- [Part 2][1157]
- ["When Good Kernel Defenses Go Bad: Reliable and Stable Kernel Exploits via Defense-Amplified TLB Side-Channel Leaks"][1067]
- ["Windows arm64 Internals: Deconstructing Pointer Authentication"][1190]
- ["Windows Heap Exploitation - From Heap Overflow to Arbitrary R/W"][1195]
- "Windows Inter Process Communication: A Deep Dive Beyond the Surface"
- [Part 1][1204]
- [Part 2][1205]
- [Part 3][1206]
- [Part 4][1207]
- [Part 5][1208]
- ["WireTap: Breaking Server SGX via DRAM Bus Interposition"][1183]
- ["Writing a Ghidra processor module"][1064]
- ["You Already Have Our Personal Data, Take Our Phone Calls Too"][1140]
- ["Zen and the Art of Microcode Hacking"][1027]
## 2024
- ["1-click Exploit in South Korea's biggest mobile chat app"][965]
- ["4 exploits, 1 bug: exploiting cve-2024-20017 4 different ways"][959]
- "64 bytes and a ROP chain – A journey through nftables":
- [Part 1][865]
- [Part 2][866]
- "*nix libX11: Uncovering and exploiting a 35-year-old vulnerability":
- [Part 1][703]
- [Part 2][704]
- ["A few notes on AWS Nitro Enclaves: Images and attestation"][738]
- ["A first look at Android 14 forensics"][669]
- ["A 'Gau-Hack' from EuskalHack"][893]
- ["A Journey From sudo iptables To Local Privilege Escalation"][1009]
- ["A Practical Guide to PrintNightmare in 2024"][709]
- ["A Technical Deep Dive: Comparing Anti-Cheat Bypass and EDR Bypass"][714]
- ["A Trip Down Memory Lane"][715]
- ["AArch64 memory and paging"][1015]
- ["An Introduction to Chrome Exploitation - Maglev Edition"][882]
- ["An unexpected journey into Microsoft Defender's signature World"][876]
- ["Analysis of CVE-2024-21310 Pool Overflow Windows Cloud Filter Driver"][952]
- ["Advanced CyberChef Techniques For Malware Analysis - Detailed Walkthrough and Examples"][736]
- ["AES-GCM and breaking it on nonce reuse"][912]
- ["Analyzing Mutation-Coded VMProtect and Alcatraz (English)"][834]
- ["ARLO: I'M WATCHING YOU"][810]
- ["ASLRn’t: How memory alignment broke library ASLR"][731]
- ["Attack of the clones: Getting RCE in Chrome’s renderer with duplicate object properties"][911]
- ["Attacking Android Binder: Analysis and Exploitation of CVE-2023-20938"][852]
- ["Automotive Memory Protection Units: Uncovering Hidden Vulnerabilities"][1173]
- "Base64 Beyond Encoding"
- [Part 1][945]
- [Part 2][946]
- ["Becoming any Android app via Zygote command injection"][863]
- ["Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems"][895]
- ["BGGP4: A 420 Byte Self-Replicating UEFI App For x64"][728]
- ["Binary type inference in Ghidra"][905]
- ["Blackbox-Fuzzing of IoT Devices Using the Router TL-WR902AC as Example"][803]
- ["Breaking the Barrier: Post-Barrier Spectre Attacks"][970]
- ["Breaking Down Adversarial Machine Learning Attacks Through Red Team Challenges"][987]
- ["Breaking Down Multipart Parsers: File upload validation bypass"][966]
- ["Breaking the Flash Encryption Feature of Espressif’s Parts"][589]
- ["Bus Pirate 5: The Swiss ARRRmy Knife of Hardware Hacking"][886]
- ["Buying Spying Insights into Commercial Surveillance Vendors"][733]
- ["Bypassing EDRs With EDR-Preloading"][716]
- ["Bytecode Breakdown: Unraveling Factorio's Lua Security Flaws"][920]
- "Chaining N-days to Compromise All":
- [Part 1][836]
- [Part 2][837]
- [Part 3][838]
- [Part 4][839]
- [Part 5][840]
- ["Check Point - Wrong Check Point (CVE-2024-24919)"][875]
- ["Code injection on Android without ptrace"][874]
- "CodeQL zero to hero":
- [Part 1][858]
- [Part 2][859]
- [Part 3][860]
- [Part 4][1191]
- [Part 5][1192]
- ["Commonly Abused Linux Initial Access Techniques and Detection Strategies"][896]
- ["Compiler Options Hardening Guide for C and C++"][877]
- ["Continuously fuzzing Python C extensions"][734]
- ["corCTF 2024: trojan-turtles writeup"][929]
- ["corMine 1 and 2"][948]
- ["Cross-Process Spectre Exploitation"][969]
- ["CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM"][861]
- ["CVE-2022-2586 Writeup"][849]
- ["CVE-2020-27786 ( Race Condition + Use-After-Free )"][967]
- ["CVE-2022-4262"][864]
- ["CVE-2024-5274: A Minor Flaw in V8 Parser Leading to Catastrophes"][1012]
- ["CVE-2023-6246: Heap-based buffer overflow in the glibc's syslog()"][697]
- ["Declawing PUMAKIT"][989]
- ["Deep Dive into RCU Race Condition: Analysis of TCP-AO UAF (CVE-2024–27394)"][1003]
- ["Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero"][699]
- ["Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating"][683]
- ["Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word"][805]
- ["Diving Deep into F5 Secure Vault"][918]
- ["DJI - The ART of obfuscation"][705]
- ["Docker Security – Step-by-Step Hardening (Docker Hardening)"][729]
- ["Driving forward in Android drivers"][908]
- ["Emulating RH850 architecture with Unicorn Engine"][853]
- "Everyday Ghidra: Ghidra Data Types"
- [Part 1][973]
- [Part 2][974]
- ["Exploit detail about CVE-2024-26581"][944]
- ["Exploring AMD Platform Secure Boot"][701]
- ["Exploring GNU extensions in the Linux kernel"][878]
- ["Exploiting Android’s Hardened Memory Allocator"][1030]
- ["Exploiting Empire C2 Framework"][723]
- "Exploiting Enterprise Backup Software For Privilege Escalation":
- [Part 1][906]
- [Part 2][907]
- "Exploiting Reversing (ER) series":
- [Article 01][583]
- [Article 02][584]
- ["Exploiting Steam: Usual and Unusual Ways in the CEF Framework"][898]
- ["Exploring object file formats"][684]
- ["Extracting Secure Onboard Communication (SecOC) keys from a 2021 Toyota RAV4 Prime"][735]
- ["Fault Injection Attacks against the ESP32-C3 and ESP32-C6"][590]
- ["Fault Injection – Down the Rabbit Hole"][993]
- "Finding Bugs in Kernel":
- [Part 1][996]
- [Part 2][997]
- ["Flatlined: Analyzing Pulse Secure Firmware and Bypassing Integrity Checking"][883]
- ["Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques"][804]
- ["From fault injection to RCE"][990]
- ["From object transition to RCE in the Chrome renderer"][940]
- ["Fuzzing between the lines in popular barcode software"][968]
- ["Gaining kernel code execution on an MTE-enabled Pixel 8"][808]
- ["Ghidra nanoMIPS ISA module"][873]
- ["Going Native - Malicious Native Applications"][842]
- ["Google Chrome V8 CVE-2024-0517 Out-of-Bounds Write Code Execution"][674]
- ["GhostRace: Exploiting and Mitigating Speculative Race Conditions"][802]
- ["GPUAF - Two ways of Rooting All Qualcomm based Android phones"][994]
- ["GraphStrike: Anatomy of Offensive Tool Development"][712]
- ["Hacking a 2014 tablet... in 2024!"][932]
- ["Hacking a Smart Home Device"][691]
- ["Hacking Android Games"][949]
- ["Heap exploitation, glibc internals and nifty tricks"][938]
- ["HEAP HEAP HOORAY — Unveiling GLIBC heap overflow vulnerability (CVE-2023–6246)"][818]
- ["Hi, My Name is Keyboard"][676]
- ["Hiding Linux Processes with Bind Mounts"][925]
- ["How I Also Hacked my Car"][976]
- ["How to Bypass Golang SSL Verification"][941]
- ["Hunting Bugs in Linux Kernel With KASAN: How to Use it & What's the Benefit?"][995]
- ["Hunting down the HVCI bug in UEFI"][668]
- ["Hunting for Unauthenticated n-days in Asus Routers"][662]
- "Iconv, Set the Charset to RCE":
- [Part 1][870]
- [Part 2][871]
- ["Java Deserialization Tricks"][815]
- ["JTAG Hacking with a Raspberry Pi"][851]
- ["Kuiper Ransomware’s Evolution"][702]
- ["Inside a New OT/IoT Cyberweapon: IOCONTROL"][1001]
- ["Inside the LogoFAIL PoC: From Integer Overflow to Arbitrary Code Execution"][692]
- ["Introduction to Fuzzing Android Native Components"][984]
- "Learning LLVM":
- [Part 1][934]
- [Part 2][935]
- ["LeftoverLocals: Listening to LLM responses through leaked GPU local memory"][687]
- ["Leveraging Binary Ninja il to Reverse a Custom ISA: Cracking the “pot of gold” 37C3"][612]
- ["Linux Kernel Attack Surface: beyond IOCTL. DMA-BUF"][999]
- "Linux Kernel Exploitation":
- ["Environment"][922]
- ["ret2usr"][923]
- ["Listen Up: Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap – BlackHat USA 2024 Whitepaper"][939]
- "ManageEngine ADAudit - Reverse engineering Windows RPC to find CVEs":
- [Part 1][901]
- [Part 2][902]
- [Part 3][903]
- ["Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu"][809]
- ["Mali GPU Kernel LPE"][786]
- ["MalpediaFLOSSed"][814]
- ["Microsoft BitLocker Bypasses are Practical"][718]
- ["Modern implant design: position independent malware development"][690]
- ["My new superpower"][688]
- ["Not the Drones You're Looking For"][825]
- "Operation triangulation":
- ["Keychain module analysis"][823]
- ["audio module analysis"][824]
- ["OtterRoot: Netfilter Universal Root 1-day"][986]
- ["Out-of-bounds read & write in the glibc's qsort()"][698]
- ["PageJack: A Powerful Exploit Technique With Page-Level UAF"][951]
- ["Page-Oriented Programming: Subverting Control-Flow Integrity of Commodity Operating System Kernels with Non-Writable Code Pages"][1000]
- ["Patch Tuesday Diffing: CVE-2024-20696 - Windows Libarchive RCE"][835]
- ["Pinning User-space Pages in the Linux Kernel: Exploring get_user_pages, pin_user_pages, and Page Table Walking"][983]
- ["PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack"][711]
- ["Playing with libmalloc in 2024"][610]
- ["Puckungfu 2: Another NETGEAR WAN Command Injection"][730]
- ["Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap"][910]
- ["Pwn2Own Automotive 2024: Hacking the ChargePoint Home Flex (and their cloud...)"][933]
- ["Pwning browsers like a kernel"][957]
- "Pwn2Own: WAN-to-LAN Exploit Showcase":
- ["Pwn2Own: WAN-to-LAN Exploit Showcase, Part 1"][950]
- ["Pwn2Own: Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2"][942]
- "Pwn2Own Toronto 2023":
- ["How it all started"][829]
- ["Exploring the Attack Surface"][830]
- ["Exploration"][831]
- ["Memory Corruption Analysis"][832]
- ["The Exploit"][833]
- ["Pwning a Brother labelmaker, for fun and interop!"][897]
- "Pwntools 10x":
- [Part 1][867]
- [Part 2][868]
- [Part 3][869]
- ["Pygmy Goat"][972]
- ["Recovering an ECU firmware using disassembler and branches"][921]
- ["regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387)"][919]
- ["Resolving Stack Strings with Capstone Disassembler & Unicorn in Python"][846]
- ["Retrofitting encrypted firmware is a Bad Idea"][1024]
- ["Reverse engineering a car key fob signal"][801]
- ["Reverse Engineering and Dismantling Kekz Headphones"][962]
- ["Reverse Engineering Protobuf Definitions From Compiled Binaries"][820]
- ["Reverse engineering the 59-pound printer onboard the Space Shuttle"][943]
- ["Reverse Engineering the AM335x Boot ROM"][947]
- ["Reverse Engineering The Stream Deck Plus"][1004]
- "Ring Around The Regex"
- [Part 1][955]
- [Part 2][956]
- ["RISCVuzz: Discovering Architectural CPU Vulnerabilities via Differential Hardware Fuzzing"][958]
- ["RomCom exploits Firefox and Windows zero days in the wild"][981]
- ["ROPing Routers from scratch: Step-by-step Tenda AC8v4 MIPS 0day Flow-control ROP -> RCE"][892]
- ["Route to Safety: Navigating Router Pitfalls"][816]
- ["Rooting a Hive Camera"][819]
- ["SAME70 Emulator"][879]
- "Say Friend and Enter":
- [Part 1][812]
- [Part 2][813]
- ["Samsung NX related posts"][887]
- ["Scavy: Automated Discovery of Memory Corruption Targets in Linux Kernel for Privilege Escalation"][975]
- ["SECGlitcher (Part 1) - Reproducible Voltage Glitching on STM32 Microcontrollers"][862]
- ["SELinux bypasses"][963]
- ["SLUB Internals for Exploit Developers"][980]
- ["SLUBStick: Arbitrary Memory Writes through Practical Software Cross-Cache Attacks within the Linux Kernel"][937]
- ["Shell We Assemble?"][689]
- ["Shellcode evasion using WebAssembly and Rust"][726]
- "SMM isolation":
- ["SMI deprivileging (ISRD)"][847]
- ["Security policy reporting (ISSR)"][848]
- ["SoK: Where’s the “up”?! A Comprehensive (bottom-up) Study on the Security of Arm Cortex-M Systems"][1049]
- ["Strengthening the Shield: MTE in Heap Allocators"][596]
- ["Take a Step Further: Understanding Page Spray in Linux Kernel Exploitation"][913]
- ["The architecture of SAST tools: An explainer for developers"][739]
- ["The Dark Side of UEFI: A technical Deep-Dive into Cross-Silicon Exploitation"][880]
- ["The Definitive Guide to Linux Process Injection"][971]
- ["The 'Invisibility Cloak' - Slash-Proc Magic"][924]
- ["The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit"][1007]
- ["The rev.ng decompiler goes open source + start of the UI closed beta"][694]
- ["The tale of a GSM Kernel LPE"][850]
- ["The Wild West of Proof of Concept Exploit Code (PoC)"][926]
- "The Windows Registry Adventure":
- [Part 1][914]
- [Part 2][915]
- [Part 3][916]
- ["TIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Execution"][894]
- ["Tony Hawk’s Pro Strcpy"][928]
- ["Toolchain Necromancy: Past Mistakes Haunting ASLR"][732]
- ["TP-Link Firmware Decryption C210 V2 cloud camera bootloaders"][988]
- ["TP-Link TDDP Buffer Overflow Vulnerability"][695]
- ["Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762"][787]
- ["Understanding AddressSanitizer: Better memory safety for your code"][889]
- ["Understanding Unix Garbage Collection and its Interaction with io_uring"][891]
- ["Understanding Windows x64 Assembly"][693]
- ["Using Symbolic Execution to Devirtualise a Virtualised Binary"][936]
- ["Utilizing Cross-CPU Allocation to Exploit Preempt-Disabled Linux Kernel"][985]
- ["VBA: having fun with macros, overwritten pointers & R/W/X memory"][843]
- ["Vulnerabilities of Realtek SD card reader driver"][1002]
- ["Why Code Security Matters - Even in Hardened Environments"][953]
- ["Windows Secure-Launch on Qualcomm devices"][811]
- ["Windows Sockets: From Registered I/O to SYSTEM Privileges"][998]
- ["Windows vs Linux Loader Architecture"][844]
- ["Windows Wi-Fi Driver RCE Vulnerability – CVE-2024-30078"][954]
- "Writing a Debugger From Scratch"
- ["Attaching to a Process"][449]
- ["Register State and Stepping"][450]
- ["Reading Memory"][451]
- ["Exports and Private Symbols"][452]
- ["Breakpoints"][453]
- ["Stacks"][454]
- ["Disassembly"][455]
- ["Writing a system call tracer using eBPF"][931]
- ["Your NVMe Had Been Syz’ed: Fuzzing NVMe-oF/TCP Driver for Linux with Syzkaller"][854]
- ["x64 Return Address Spoofing"][991]
- ["x64 Call Stack Spoofing"][992]
## 2023
- ["A Deep Dive Into Brute Ratel C4 Payloads"][374]
- ["A Deep Dive into Penetration Testing of macOS Applications (Part 1)"][49]
- ["A Deep Dive into TPM-based BitLocker Drive Encryption"][611]
- ["A Detailed Look at Pwn2own Automotive EV Charger Hardware"][537]
- ["A LibAFL Introductory Workshop"][826]
- ["A look at CVE-2023-29360, a beautiful logical LPE vuln"][260]
- ["A Journey Into Hacking Google Search Appliance"][203]
- ["A new method for container escape using file-based DirtyCred"][201]
- ["A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition"][273]
- ["A Potholing Tour in a SoC"][189]
- "A Practical Tutorial on PCIe for Total Beginners on Windows":
- [Part 1][806]
- [Part 2][807]
- ["A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM"][255]
- ["A Red-Teamer diaries"][156]
- ["A story about tampering EDRs"][293]
- ["Abusing Liftoff assembly and efficiently escaping from sbx"][677]
- ["Abusing RCU callbacks with a Use-After-Free read to defeat KASLR"][857]
- ["Abusing undocumented features to spoof PE section headers"][139]
- ["Achieving Remote Code Execution in Steam: a journey into the Remote Play protocol"][587]
- ["All about LeakSanitizer"][460]
- ["All cops are broadcasting: TETRA under scrutiny"][237]
- ["All my favorite tracing tools: eBPF, QEMU, Perfetto, new ones I built and more"][513]
- ["An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit"][392]
- ["An Introduction into Stack Spoofing"][580]
- ["Analysis on legit tools abused in human operated ransomware"][4]
- "Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway":
- [Part 1][196]
- [Part 2][197]
- ["Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991"][119]
- ["Analyzing a Modern In-the-wild Android Exploit"][379]
- ["Analyzing an Old Netatalk dsi_writeinit Buffer Overflow Vulnerability in NETGEAR Router"][326]
- "ARM64 Reversing And Exploitation" (8ksec)
- [Part 1][107]
- [Part 2][108]
- [Part 3][109]
- [Part 4][110]
- [Part 5][111]
- [Part 6][112]
- [Part 7][113]
- [Part 8][388]
- [Part 9][389]
- [Part 10][390]
- "Attacking an EDR"
- [Part 1][395]
- [Part 2][396]
- ["Attacking IoT Devices from Web Perspective"][608]
- ["Attacking JS engines: Fundamentals for understanding memory corruption crashes"][720]
- ["Audio with embedded Linux training"][267]
- ["Automating C2 Infrastructure with Terraform, Nebula, Caddy and Cobalt Strike"][300]
- ["b3typer - bi0sCTF 2022"][55]
- ["Back to the Future with Platform Security"][97]
- ["Bash Privileged-Mode Vulnerabilities in Parallels Desktop and CDPATH Handling in macOS"][100]
- ["Bee-yond Capacity: Unauthenticated RCE in Extreme Networks/Aerohive Wireless APs - CVE-2023-35803"][91]
- ["Behind the Shield: Unmasking Scudo's Defenses"][8]
- ["BlackLotus UEFI bootkit: Myth confirmed"][429]
- ["BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses"][618]
- ["BPF Memory Forensics with Volatility 3"][881]
- ["Breaking Fortinet Firmware Encryption"][233]
- ["Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability"][81]
- ["Breaking Secure Boot on the Silicon Labs Gecko platform"][262]
- ["Building a Custom Mach-O Memory Loader for macOS"][523]
- ["Building an Exploit for FortiGate Vulnerability CVE-2023-27997"][475]
- ["Bypassing a noexec by elf roping"][528]
- ["Bypassing PPL in Userland (again)"][308]
- ["Bypassing SELinux with init_module"][494]
- "C101101: D-Link DIR-865L":
- ["Remote Code Execution (pre-auth)"][599]
- ["Unsigned firmware upload lead to persistent backdoor (pre-auth)"][600]
- ["Memory corruptions lead to Remote Code Execution (pre-auth)"][601]
- ["CAN Injection: keyless car theft"][195]
- "chonked"
- ["minidlna 1.3.2 http chunk parsing heap overflow (cve-2023-33476) root cause analysis"][193]
- ["exploiting cve-2023-33476 for remote code execution"][194]
- ["Code Execution in Chromium’s V8 Heap Sandbox"][896]
- ["Coffee: A COFF loader made in Rust"][93]
- ["Competing in Pwn2Own ICS 2022 Miami: Exploiting a zero click remote memory corruption in ICONICS Genesis64"][397]
- ["Conquering the memory through io_uring - Analysis of CVE-2023-2598"][528]
- "Cracking Windows Kernel with HEVD"
- ["Chapter 0"][656]
- ["Chapter 1"][657]
- ["Chapter 2"][658]
- ["Chapter 3"][659]
- ["Chapter 4"][660]
- ["Cueing up a calculator: an introduction to exploit development on Linux"][534]
- "Customizing Sliver":
- [Part 1][603]
- [Part 2][604]
- [Part 3][605]
- ["CVE-2022-27666: My file your memory"][616]
- ["CVE-2023-0179: Linux kernel stack buffer overflow in nftables: PoC and writeup"][567]
- ["CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver"][72]
- ["CVE-2023-23504: XNU Heap Underwrite in dlil.c"][543]
- ["CVE-2023-26258 – Remote Code Execution in ArcServe UDP Backup"][99]
- ["CVE-2023-36844 And Friends: RCE In Juniper Devices"][281]
- ["CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent"][186]
- ["cURL audit: How a joke led to significant findings"][459]
- ["D^3CTF 2023 d3kcache: From null-byte cross-cache overflow to infinite arbitrary read & write"][964]
- ["Debugger Ghidra Class"][28]
- ["Debugging D-Link: Emulating firmware and hacking hardware"][290]
- ["Decompilation Debugging"][508]
- ["Deep Lateral Movement in OT Networks: When is a Perimeter not a Perimeter?"][253]
- ["Defining the cobalt strike reflective loader"][320]
- ["Demystifying bitwise operations, a gentle C tutorial"][400]
- ["Detecting and decrypting Sliver C2 – a threat hunter’s guide"][480]
- ["Detecting BPFDoor Backdoor Variants Abusing BPF Filters"][183]
- ["Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel"][51]
- ["Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”"][164]
- ["Diving Into Smart Contract Decompilation"][204]
- ["Diving into Starlink's User Terminal Firmware"][268]
- "DJI Mavic 3 Drone Research"
- ["Firmware Analysis"][376]
- ["Vulnerability Analysis"][713]
- ["Drone Security and Fault Injection Attacks"][82]
- "DualShock4 Reverse Engineering":
- [Part 1][149]
- [Part 2][150]
- [Part 3][151]
- ["eBPF: A new frontier for malware"][621]
- ["Emulating IoT Firmware Made Easy: Start Hacking Without the Physical Device"][47]
- ["Encrypted Doesn't Mean Authenticated: ShareFile RCE (CVE-2023-24489)"][182]
- ["ENLBufferPwn (CVE-2022-47949)"][422]
- ["Escaping the Google kCTF Container with a Data-Only Exploit"][178]
- ["Exploitation of a kernel pool overflow from a restrictive chunk size (CVE-2021-31969)"][827]
- ["Exploitation of Openfire CVE-2023-32315"][283]
- ["Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI"][572]
- ["Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers"][130]
- ["Exploiting CVE-2021-3490 for Container Escapes"][552]
- ["Exploiting null-dereferences in the Linux kernel"][148]
- ["Exploring UNIX pipes for iOS kernel exploit primitives"][514]
- ["EPF: Evil Packet Filter"][73]
- ["Escaping from Bhyve"][192]
- ["ESP32-C3 Wireless Adventure A Comprehensive Guide to IoT"][69]
- ["Espressif ESP32: Breaking HW AES with Electromagnetic Analysis"][394]
- ["Espressif ESP32: Breaking HW AES with Power Analysis"][393]
- ["Examining OpenSSH Sandboxing and Privilege Separation – Attack Surface Analysis"][324]
- ["Executing Arbitrary Code & Executables in Read-Only FileSystems"][52]
- ["Exploit Engineering – Attacking the Linux Kernel"][146]
- ["Exploiting a Remote Heap Overflow with a Custom TCP Stack"][322]
- ["Exploring Hell's Gate"][594]
- ["Exploiting a bug in the Linux kernel with Zig"][597]
- ["Exploiting HTTP Parsers Inconsistencies"][391]
- ["Exploiting MikroTik RouterOS Hardware with CVE-2023-30799"][198]
- ["Exploring Android Heap Allocations in Jemalloc 'New'"][7]
- ["Exploring Linux's New Random Kmalloc Caches"][511]
- ["Exploring the section layout in linker output"][609]
- "Fantastic Rootkits: And Where To Find Them":
- [Part 1][275]
- [Part 2][276]
- [Part 3][277]
- ["Few lesser known tricks, quirks and features of C"][354]
- ["Finding and exploiting process killer drivers with LOL for 3000$"][172]
- ["Finding bugs in C code with Multi-Level IR and VAST"][92]
- ["Finding Gadgets for CPU Side-Channels with Static Analysis Tools"][75]
- ["For Science! - Using an Unimpressive Bug in EDK II to Do Some Fun Exploitation"][70]
- ["FortiNAC - Just a few more RCEs"][95]
- ["Fortinet Series 3 — CVE-2022–42475 SSLVPN exploit strategy"][32]
- ["Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues"][90]
- ["From C, with inline assembly, to shellcode"][235]
- "Fuzzing Farm":
- ["Fuzzing GEGL with fuzzuf"][43]
- ["Evaluating Performance of Fuzzer"][44]
- ["Patch Analysis and PoC Development"][45]
- ["Hunting and Exploiting 0-day \[CVE-2022-24834\]"][46]
- ["Fuzzing Golang msgpack for fun and panic"][643]
- ["Getting RCE in Chrome with incomplete object initialization in the Maglev compiler"][486]
- "Ghidra" (Craig Young):
- ["A Guide to Reversing Shared Objects with Ghidra"][121]
- ["Reversing a Simple CrackMe with Ghidra Decompiler"][122]
- ["Vulnerability Hunting with Ghidra"][123]
- ["Patching a Bug from a Ghidra Listing"][124]
- ["Vulnerability Analysis with Ghidra Scripting"][125]
- ["Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall"][481]
- ["Google Chrome V8 ArrayShift Race Condition Remote Code Execution"][530]
- ["Hacking a Tapo TC60 Camera"][350]
- ["Hacking Amazon's eero 6 (part 1)"][86]
- ["Hacking Brightway scooters: A case study"][29]
- ["Hacking ICS Historians: The Pivot Point from IT to OT"][444]
- ["Hacking the Nintendo DSi Browser"][456]
- ["Hardware Hacking to Bypass BIOS Passwords"][5]
- ["Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges"][443]
- ["How a simple K-TypeConfusion took me 3 months long to create a exploit? \[HEVD\] - Windows 11 (build 22621)"][240]
- ["How does Linux start a process"][501]
- "How NATs Work":
- [Part 1][152]
- [Part 2][153]
- [Part 3][154]
- [Part 4][155]
- "How I Hacked my Car":
- [Part 1][101]
- [Part 2][102]
- [Part 3][103]
- [Part 4][104]
- [Part 5][105]
- [Part 6][106]
- ["How I hacked smart lights: the story behind CVE-2022-47758"][841]
- ["How to Emulate Android Native Libraries Using Qiling"][482]
- ["How to Voltage Fault Injection"][685]
- ["How To Secure A Linux Server"][140]
- ["Hunting Vulnerable Kernel Drivers"][661]
- ["Icicle: A Re-designed Emulator for Grey-Box Firmware Fuzzing"][171]
- ["In-depth analysis on Valorant’s Guarded Regions"][141]
- ["In-Memory-Only ELF Execution (Without tmpfs)"][355]
- ["Intel BIOS Advisory – Memory Corruption in HID Drivers"][257]
- ["Intercepting Allocations with the Global Allocator"][79]
- ["Intro to Cutter"][637]
- ["Introduction to SELinux"][59]
- "IoT Series":
- ["Are People Ready to go?"][465]
- ["How To Build Kernel Image From Scratch"][466]
- ["Firmware testing in QEMU"][467]
- ["Debugging with GDB & GHIDRA + Zero-day"][468]
- ["JTAG 'Hacking' the Original Xbox in 2023"][244]
- ["Kernel Exploit Factory"][159]
- ["Learn Makefiles With the tastiest examples"][24]
- ["Let's build a Chrome extension that steals everything"][463]
- "Let’s Go into the rabbit hole — the challenges of dynamically hooking Golang programs":
- [Part 1][387]
- [Part 2][904]
- [Part 3][930]
- ["Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)"][327]
- ["lexmark printer haxx"][652]
- [linux-re-101][169]
- ["Linux debugging, profiling and tracing training"][353]
- "Linux Kernel Exploitation"
- ["Getting started & BOF"][678]
- ["Heap techniques"][679]
- ["Exploiting race-condition + UAF"][680]
- "Linux Kernel PWN":
- ["ret2dir"][899]
- ["DirtyCred"][900]
- ["Linux Kernel Unauthenticated Remote Heap Overflow Within KSMBD"][544]
- ["Linux Kernel Teaching"][131]
- ["Linux Malware: Defense Evasion Techniques"][165]
- "Linux Red Team":
- ["Exploitation Techniques"][222]
- ["Privilege Escalation Techniques"][223]
- ["Persistence Techniques"][224]
- ["Linux Remote Process Injection - (Injecting into a firefox process)"][569]
- ["Linux rootkits explained – Part 1: Dynamic linker hijacking"][60]
- ["Linux Shellcode 101: From Hell to Shell"][53]
- ["Local Privilege Escalation on the DJI500 Smart Controller"][160]
- "Lord Of The Ring0":
- [Part 1][10]
- [Part 2][11]
- [Part 3][12]
- [Part 4][13]
- [Part 5][14]
- ["Low-Level Software Security for Compiler Developers"][15]
- ["LPE and RCE in RenderDoc: CVE-2023-33865, CVE-2023-33864, CVE-2023-33863"][202]
- ["Making TOCTOU Great again – X(R)IP"][474]
- "Malware Reverse Engineering for Beginners":
- [Part 1][128]
- [Part 2][129]
- ["Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects"][285]
- "mast1c0re"
- ["Introduction – Exploiting the PS4 and PS5 through a game save"][38]
- ["Part 1 – Modifying PS2 game save files"][39]
- ["Part 2 – Arbitrary PS2 code execution"][40]
- ["Part 3 – Escaping the emulator"][41]
- ["Mélofée: a new alien malware in the Panda's toolset targeting Linux hosts"][330]
- ["Meterpreter vs Modern EDR(s)"][170]
- "MTE As Implemented":
- [Part 1][366]
- [Part 2][367]
- ["mTLS: When certificate authentication is done wrong"][270]
- ["MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis"][177]
- ["Multiple Vulnerabilities in Qualcomm and Lenovo ARM-based Devices"][404]
- "NetGear Series: Emulating Netgear R6700V3 circled binary":
- [Part 1][441]
- [Part 2][442]
- ["New HiatusRAT Router Malware Covertly Spies On Victims"][402]
- ["No Alloc, No Problem: Leveraging Program Entry Points for Process Injection"][1091]
- ["NVMe: New Vulnerabilities Made Easy"][264]
- ["nftables Adventures: Bug Hunting and N-day Exploitation (CVE-2023-31248)"][365]
- ["Obscure Windows File Types"][74]
- ["Old Bug, Shallow Bug: Exploiting Ubuntu at Pwn2own Vancouver 2023"][254]
- ["One shot, Triple kill"][700]
- "OPC UA Deep Dive Series":
- [Part 1][211]
- [Part 2][212]
- [Part 3][213]
- [Part 4][214]
- [Part 5][215]
- ["OpenSSH Pre-Auth Double Free CVE-2023-25136 – Writeup and Proof-of-Concept"][42]
- ["OrBit: advanced analysis of a Linux dedicated malware"][427]
- ["OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow"][428]
- ["P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm"][206]
- ["P4wnP1-LTE"][209]
- ["Patches, Collisions, and Root Shells: A Pwn2Own Adventure"][278]
- ["Patch Tuesday -> exploit Wednesday: Pwning windows ancillary function driver for WinSock (afd.sys) in 24 hours"][297]
- ["Persistence Techniques That Persist"][299]
- ["Practical Introduction to BLE GATT Reverse Engineering: Hacking the Domyos EL500"][166]
- ["prctl anon_vma_name: An Amusing Linux Kernel Heap Spray"][184]
- ["Producing a POC for CVE-2022-42475 (Fortinet RCE)"][323]
- ["Protecting Android clipboard content from unintended exposure"][448]
- "Protecting the Phoenix: Unveiling Critical Vulnerabilities in Phoenix Contact HMI"
- [Part 1][477]
- [Part 2][478]
- [Part 3][479]
- ["Prototype Pollution in Python"][647]
- ["PSPRAY: Timing Side-Channel based Linux Kernel Heap Exploitation Technique"][758]
- ["PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer"][98]
- ["PwnAgent: A One-Click WAN-side RCE in Netgear RAX Routers with CVE-2023-24749"][318]
- ["Pwnassistant - Controlling /home's via a Home Assistant RCE"][613]
- ["Pwning Pixel 6 with a leftover patch"][310]
- ["Pwning the tp-link ax1800 wifi 6 Router: Uncovered and Exploited a Memory Corruption Vulnerability"][309]
- ["Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel"][185]
- ["Readline crime: exploiting a SUID logic bug"][439]
- ["Red vs. Blue: Kerberos Ticket Times, Checksums, and You!"][30]
- ["Reptar"][527]
- ["Restoring Dyld Memory Loading"][522]
- ["Retreading The AMLogic A113X TrustZone Exploit Process"][77]
- ["Reversing UK mobile rail tickets"][551]
- "Reversing Windows Container":
- [Part 1][821]
- [Part 2][822]
- ["RISC-V Bytes: Exploring a Custom ESP32 Bootloader"][493]
- ["REUnziP: Re-Exploiting Huawei Recovery With FaultyUSB"][364]
- ["Revisiting CVE-2017-11176"][48]
- "Rooting the FiiO M6":
- ["Using the "World's Worst Fuzzer" To Find A Kernel Bug"][499]
- ["Writing an LPE Exploit For Our Overflow Bug"][500]
- ["Rooting Xiaomi WiFi Routers"][817]
- ["Rust Binary Analysis, Feature by Feature"][231]
- ["Rust to Assembly: Understanding the Inner Workings of Rust"][134]
- "Rustproofing Linux":
- [Part 1][575]
- [Part 2][576]
- [Part 3][577]
- [Part 4][578]
- ["scudo Hardened Allocator — Unofficial Internals Documentation"][706]
- ["Securing our home labs: Frigate code review"][615]
- ["Securing our home labs: Home Assistant code review"][614]
- ["SHA-1 gets SHAttered"][325]
- ["Shambles: The Next-Generation IoT Reverse Engineering Tool to Discover 0-Day Vulnerabilities"][55]
- ["Shell in the Ghost: Ghostscript CVE-2023-28879 writeup"][76]
- ["Shifting boundaries: Exploiting an Integer Overflow in Apple Safari"][261]
- ["Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100"][531]
- ["Smart Speaker Shenanigans: Making the Sonos ONE Sing its Secrets"][504]
- ["Smashing the state machine: the true potential of web race conditions"][271]
- ["SRE deep dive into Linux Page Cache"][94]
- ["Sshimpanzee"][16]
- ["Stepping Insyde System Management Mode"][256]
- ["Sudoedit bypass in Sudo <= 1.9.12p1 CVE-2023-22809"][562]
- ["THC's favourite Tips, Tricks & Hacks (Cheat Sheet)"][31]
- ["The ARM32 Scheduling and Kernelspace/Userspace Boundary"][512]
- ["The art of Fuzzing: Introduction"][57]
- ["The art of fuzzing: Windows Binaries"][89]
- ["The art of fuzzing-A Step-by-Step Guide to Coverage-Guided Fuzzing with LibFuzzer"][54]
- ["The Art Of Linux Persistence"][872]
- ["The Blitz Tutorial Lab on Fuzzing with AFL++"][303]
- ["The code that wasn’t there: Reading memory on an Android device by accident"][462]
- ["The Dragon Who Sold His camaro: Analyzing Custom Router Implant"][228]
- ["The Importance of Reverse Engineering in Network Analysis"][426]
- ["The Linux Kernel Module Programming Guide"][3]
- ["The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders"][284]
- ["The Role of the Control Flow Graph in Static Analysis"][509]
- ["The Silent Spy Among Us: Smart Intercom Attacks"][331]
- ["The Stack Series: The X64 Stack"][356]
- ["The Untold Story of the BlackLotus UEFI Bootkit"][205]
- ["Tickling ksmbd: fuzzing SMB in the Linux kernel"][386]
- ["Tool Release: Cartographer"][371]
- ["Total Identity Compromise: Microsoft Incident Response lessons on securing Active Directory"][445]
- ["Xortigate, or CVE-2023-27997 - The Rumoured RCE That Was"][80]
- ["Your not so "Home Office" - SOHO Hacking at Pwn2Own"][5]
- ["Ubuntu Shiftfs: Unbalanced Unlock Exploitation Attempt"][524]
- ["Unauthenticated RCE on a RIGOL oscilloscope"][210]
- ["UNCONTAINED: Uncovering Container Confusion in the Linux Kernel"][37]
- ["Uncovering a crazy privilege escalation from Chrome extensions"][502]
- ["Uncovering HinataBot: A Deep Dive into a Go-Based Threat"][311]
- ["Under The Hood - Disassembling of IKEA-Sonos Symfonisk Speaker Lamp"][180]
- ["Understanding a Payload’s Life Featuring Meterpreter & Other Guests"][315]
- ["Understanding Dirty Pagetable - m0leCon Finals 2023 CTF Writeup"][591]
- ["Understanding the Heap - a beautiful mess"][348]
- ["Unleashing ksmbd: crafting remote exploits of the Linux kernel"][828]
- ["Unleashing ksmbd: remote exploitation of the Linux kernel (ZDI-23-979, ZDI-23-980)"][533]
- ["Unlimited Results: Breaking Firmware Encryption of ESP32-VV"][598]
- "Unveiling secrets of the ESP32":
- ["creating an open-source MAC Layer"][653]
- ["reverse engineering RX"][654]
- ["Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More"][648]
- ["What is Loader Lock?"][845]
- ["Windows Installer arbitrary content manipulation Elevation of Privilege (CVE-2020-0911)"][58]
- ["Windows Installer EOP (CVE-2023-21800)"][314]
- ["Writing your own RDI /sRDI loader using C and ASM"][307]
- ["Zenbleed"][207]
- ["Zero Effort Private Key Compromise: Abusing SSH-Agent For Lateral Movement"][248]
## 2022
- "A journey into IoT":
- ["Chip identification, BUSSide, and I2C"][294]
- ["Discover components and ports"][295]
- ["Firmware dump and analysis"][296]
- ["Radio communications"][681]
- ["Internal communications"][682]
- ["A Kernel Hacker Meets Fuchsia OS"][710]
- "A Technical Analysis of Pegasus for Android":
- [part 1][564]
- [Part 2][565]
- [Part 3][566]
- ["ALL ABOUT USB-C: INTRODUCTION FOR HACKERS"][747]
- ["An In-Depth Look at the ICE-V Wireless FPGA Development Board"][779]
- "ARM 64 Assembly Series":
- ["Basic definitions and registers"][408]
- ["Offset and Addressing modes"][409]
- ["Load and Store"][410]
- ["Branch"][411]
- ["Data Processing (Part 1)"][412]
- ["Data Processing (Part 2)"][413]
- ["selections and loops"][414]
- ["Subroutines"][415]
- ["Attacking the Android kernel using the Qualcomm TrustZone"][885]
- ["Attacking Titan M with Only One Byte"][259]
- ["Avoiding Detection with Shellcode Mutator"][432]
- "BasicFUN Series":
- ["Hardware Analysis / SPI Flash Extraction"][626]
- ["Reverse Engineering Firmware / Reflashing SPI Flash"][627]
- ["Dumping Parallel Flash via I2C I/O Expanders"][628]
- ["I2C Sniffing, EEPROM Extraction and Parallel Flash Extraction"][629]
- ["Basics for Binary Exploitation"][749]
- ["Breaking Secure Boot on Google Nest Hub (2nd Gen) to run Ubuntu"][238]
- ["BrokenPrint: A Netgear stack overflow"][782]
- "Bypassing software update package encryption":
- ["Extracting the Lexmark MC3224i printer firmware"][190]
- ["Exploiting the Lexmark MC3224i printer"][191]
- ["Bypassing vtable Check in glibc File Structures"][208]
- ["Blind Exploits to Rule Watchguard Firewalls"][173]
- ["BPFDoor - An Evasive Linux Backdoor Technical Analysis"][292]
- ["Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse"][917]
- "Chrome Browser Exploitation":
- [Part 1][1053]
- [Part 2][1054]
- [Part 3][1055]
- ["Competing in Pwn2Own 2021 Austin: Icarus at the Zenith"][556]
- ["CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel"][759]
- ["Corrupting memory without memory corruption"][762]
- ["Creating a Rootkit to Learn C"][719]
- ["CVE-2022-0435: A Remote Stack Overflow in The Linux Kernel"][377]
- ["[CVE-2022-1786] A Journey To The Dawn"][401]
- ["CVE-2022-2602: DirtyCred File Exploitation applied on an io_uring UAF"][168]
- ["CVE-2022-27666: Exploit esp6 modules in Linux kernel"][532]
- ["CVE-2022-29582 An io_uring vulnerability"][495]
- ["Deconstructing and Exploiting CVE-2020-6418"][778]
- ["DirtyCred Remastered: how to turn an UAF into Privilege Escalation"][167]
- ["Disclosing information with a side-channel in Django"][630]
- ["Dumping the Amlogic A113X Bootrom"][78]
- ["Dynamic analysis of firmware components in IoT devices"][250]
- ["Embedded Systems Security and TrustZone"][145]
- ["Emulate Until You Make it"][748]
- ["EntryBleed: Breaking KASLR under KPTI with Prefetch (CVE-2022-4543)"][473]
- ["Expanding the Dragon: Adding an ISA to Ghidra"][542]
- ["Exploiting: Buffer overflow in Xiongmai DVRs"][742]
- ["Exploiting CSN.1 Bugs in MediaTek Basebands"][272]
- ["exploiting CVE-2019-2215"][61]
- ["Exploiting CVE-2022-42703 - Bringing back the stack attack"][636]
- ["Exploration of the Dirty Pipe Vulnerability (CVE-2022-0847)"][707]
- ["Exploring the Hidden Attack Surface of OEM IoT Devices"][625]
- ["Firmware key extraction by gaining EL3"][316]
- ["Fortigate - Authentication Bypass Lead to Full Device Takeover"][291]
- "Fourchain":
- ["Prologue"][765]
- ["Hole"][766]
- ["Sandbox"][767]
- ["Fuzzing ping(8) … and finding a 24 year old bug"][751]
- "Hacking Bluetooth to Brew Coffee from Github Actions":
- [Part 1][752]
- [Part 2][753]
- [Part 3][754]
- ["Hacking More Secure Portable Storage Devices"][623]
- ["How did I approach making linux LKM rootkit, “reveng_rtkit” ?"][884]
- ["How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables"][266]
- ["Huawei Security Hypervisor Vulnerability"][435]
- "Hunting for Persistence in Linux"
- [Part 1][64]
- [Part 2][65]
- [Part 3][66]
- [Part 4][67]
- [Part 5][68]
- "Hacking Some More Secure USB Flash Drives":
- [Part 1][132]
- [Part 2][133]
- ["Learning eBPF exploitation"][768]
- "Intro to Embedded RE":
- ["Tools and Series"][351]
- ["UART Discovery and Firmware Extraction via UBoot"][352]
- "Introduction to x64 Linux Binary Exploitation":
- [Part 1][663]
- [Part 2][664]
- [Part 3][665]
- [Part 4][666]
- [Part 5][667]
- ["io_uring - new code, new bugs, and a new exploit technique"][978]
- ["Linux Hardening Guide"][349]
- ["Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg"][269]
- ["Linux Kernel Exploit (CVE-2022–32250) with mqueue"][242]
- "Linux SLUB Allocator Internals and Debugging":
- [Part 1][359]
- [Part 2][360]
- [Part 3][361]
- [Part 4][362]
- ["Linternals: Introducing Memory Allocators & The Page Allocator"][516]
- ["Linternals: The Slab Allocator"][517]
- ["Linux kernel heap feng shui in 2022"][535]
- ["Looking for Remote Code Execution bugs in the Linux kernel"][503]
- ["Manipulating AES Traffic using a Chain of Proxies and Hardcoded Keys"][319]
- ["MeshyJSON: A TP-Link tdpServer JSON Stack Overflow"][777]
- ["Missing Manuals - io_uring worker pool"][265]
- ["Modifying Embedded Filesystems in ARM Linux zImages"][775]
- "Netgear Orbi":
- ["orbi hunting 0x0: introduction, uart access, recon"][33]
- ["orbi hunting 0x1: crashes in soap-api"][34]
- ["nday exploit: netgear orbi unauthenticated command injection (cve-2020-27861)"][35]
- ["nday exploit: libinput format string bug, canary leak exploit (cve-2022-1215)"][63]
- ["NFC Relay Attack on Tesla Model Y"][574]
- ["Nightmare: One Byte to ROP // Deep Dive Edition"][582]
- ["Overview of GLIBC heap exploitation techniques"][239]
- ["Parsing TFTP in Rust"][624]
- ["Patching, Instrumenting & Debugging Linux Kernel Modules"][483]
- ["PCIe DMA Attack against a secured Jetson Nano (CVE-2022-21819)"][649]
- ["pipe_buffer arbitrary read write"][282]
- "Pixel 6 Bootloader"
- ["Booting up"][286]
- ["Emulation, ROP"][287]
- ["Exploitation"][288]
- ["Port knocking from the scratch"][227]
- ["Pulling MikroTik into the Limelight"][120]
- ["Racing against the clock -- hitting a tiny kernel race window"][492]
- ["Replicating CVEs with KLEE"][763]
- ["Reversing C++, Qt based applications using Ghidra"][586]
- ["Racing Cats to the Exit: A Boring Linux Kernel Use-After-Free"][406]
- ["Replicant: Reproducing a Fault Injection"][675]
- ["Researching Xiaomi’s Tee to Get to Chinese Money"][274]
- "Reversing embedded device bootloader (U-Boot)":
- [Part 1][162]
- [Part 2][163]
- ["Reverse Engineering a Cobalt Strike Dropper With Binary Ninja"][368]
- ["Reverse engineering an EV charger"][606]
- "Reverse Engineering Dark Souls 3":
- ["Connection"][670]
- ["Packets"][671]
- ["Key Exchange"][672]
- ["Reliable UDP"][673]
- ["Reverse engineering integrity checks in Black Ops 3"][220]
- ["Reverse engineering thermal printers"][245]
- ["Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage"][491]
- ["SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)"][484]
- ["Shedding Light on Huawei's Security Hypervisor"][434]
- ["Shikitega - New stealthy malware targeting Linux"][438]
- ["side channels: power analysis"][380]
- ["side channels: using the chipwhisperer"][381]
- ["SIM Hijacking"][579]
- ["Spoofing Call Stacks To Confuse EDRs"][431]
- ["SROP
- ["Dumping the Flash"][117]
- ["Digging Through the Firmware"][118]
- ["Understanding and Hardening Linux Containers"][50]
## 2014
- ["ret2dir: Rethinking Kernel Isolation"][384]
## 2011
- ["Load-time relocation of shared libraries"][592]
- ["Position Independent Code (PIC) in shared libraries"][593]
## Misc
- [0xtriboulet][619]
- ["A Noobs Guide to ARM Exploitation"][241]
- ["Advanced binary fuzzing using AFL++-QEMU and libprotobuf: a practical case of grammar-aware in-memory persistent fuzzing"][71]
- ["Advanced Compilers: The Self-Guided Online Course"][298]
- ["Analysis of a LoadLibraryA Stack String Obfuscation Technique with Radare2 & x86dbg"][559]
- ["Android Kernel Exploitation"][571]
- [Anti-Debug Tricks][585]
- ["ARM TrustZone: pivoting to the secure world"][304]
- ["ARMv8 AArch64/ARM64 Full Beginner's Assembly Tutorial"][927]
- [Awesome binary parsing][769]
- [Awesome Executable Packing][717]
- [Awesome Industrial Protocols][510]
- ["Brute Ratel - Scandinavian Defence"][436]
- [ComprehensiveRust][620]
- [cryptopals][1022]
- [CVE North Stars][708]
- ["Debugger Ghidra Class"][232]
- [DhavalKapil/heap-exploitation][363]
- [Diffing Portal][378]
- [exploit_mitigations][526]
- ["fenrir"][1169]
- [Ghidriff - Ghidra Binary Diffing Engine][490]
- ["Grand Theft Auto A peek of BLE relay attack"][433]
- ["Hands-on Firmware Extraction, Exploration, and Emulation"][979]
- [ice9-bluetooth-sniffer][437]
- "Illustrated Connections":
- [dtls][519]
- [quic][518]
- [tls 1.2][521]
- [tls 1.3][520]
- "Introduction to encryption for embedded Linux"
- ["Introduction to encryption for embedded Linux developers"][0]
- ["A hands-on approach to symmetric-key encryption"][1]
- ["Asymmetric-Key Encryption and Digital Signatures in Practice"][2]
- ["Introduction to Malware Analysis and Reverse Engineering"][407]
- ["Kernel Address Space Layout Derandomization"][529]
- ["Kernel Exploit Recipes Notebook"][776]
- ["Laser-Based Audio Injection on Voice-Controllable Systems"][328]
- [Linux Kernel CVEs][385]
- ["Linux kernel exploit development"][573]
- ["Linux Kernel map"][225]
- ["Linux Insides"][246]
- ["Linux Privilege Escalation"][982]
- ["Linux Syscalls Reference"][17]
- ["Lytro Unlock - Making a bad camera slightly better"][373]
- ["Minimizing Rust Binary Size"][476]
- ["mjsxj09cm Recovering Firmware And Backdooring"][62]
- ["Offensive security (0xtriboulet)"][405]
- ["Operating System development tutorials in Rust on the Raspberry Pi"][357]
- ["parking-game-fuzzer"][1159]
- ["Practical Cryptography for Developers"][785]
- [Red-Team-Infrastructure-Wiki][498]
- ["Reverse Engineering For Everyone!"][399]
- ["Reverse Engineering WiFi on RISC-V BL602"][617]
- ["Rust Atomics and Locks"][651]
- ["RustRedOps"][686]
- ["Satellite Hacking Demystified(RTC0007)"][221]
- [TEE Reversing][263]
- ["THC's favourite Tips, Tricks & Hacks (Cheat Sheet)"][258]
- [tmpout.sh][515]: collection of articles on low-level topics
- ["Trail of Bits Testing Handbook"][724]
- [TripleCross][696]
- [USB-WiFi][329]
- ["VSS: Beginners Guide to Building a Hardware Hacking Lab"][249]
- ["WinDBG quick start tutorial"][485]
## Other lists
* [Exploitation](topics/exploitation.md): resources focused on binary exploitation
* [Linux kernel](topics/linux_kernel.md): collection of resources focused on the Linux kernel (internals)
* [Wireless](topics/wireless.md): resources focused on wireless technologies and their security
* [OT/IoT security](topics/ot_security.md)
* [Red team and offensive security](topics/red-team-adversary-emulation.md)