update: first commit and many things will be append.

Author: Sn0rt

.gitignore

@@ -0,0 +1,3 @@
+*.aux
+*.out
+peda*

Makefile

@@ -0,0 +1,18 @@
+Index = "index"
+Tex = ".tex"
+Aux = ".aux"
+
+all: compile clean
+
+compile:
+	xelatex $(Index)$(Tex)
+	bibtex $(Index)$(Aux)
+	xelatex $(Index)$(Tex)
+	xelatex $(Index)$(Tex)
+
+clean:
+	$(RM) -rf *.log *.aux *.toc *.bbl *.bbg *.blg *.out */*.aux auto
+
+.PHONY:clean_all
+clean_all:
+	$(RM) -rf *.log *.aux *.toc *.bbl *.bbg *.blg *.out */*.aux auto

README.md

@@ -0,0 +1,48 @@
+# linux exploit development tutorial
+
+## what's this ?
+
+A series tutorial for linux exploit development to newbie.
+
+## how to organize ?
+
+### chapter 1: Basic knowledge
+    
+base knowledge like : what's stack and heap ? how convert c language to assembly language ? what's elf and memroy layout? etc..
+base vulnerability problems like : what's is overflow and memory corruption ? how heap working ? etc...
+    
+### chapter 2: Stack security
+    
+we focus userspace stack security mechanism and bypass.
+
+### chapter 3: Heap security
+    
+we focus userspace heap(ptmalloc2 of glibc) security mechanism and bypass.
+
+### chapter 4: Kernel security
+
+we focus kernel security mechanism for self and userland.
+WIP...
+
+### chapter 5: Vulnerability discovery
+
+WIP...
+
+## how to modify and update ?
+
+```shell
+sudo dnf install texlive-\* -y 
+git clone git@github.com:hardenedlinux/linux_exploit_development_tutorial.git
+cd linux_exploit_development_tutorial
+make # preview
+```
+
+## how to hand on ?
+
+some source code in `lab-code`.
+
+WIP...
+
+## copyleft
+
+CC-BY-NC-SA 4.0 Unported

chapter1/chapter_preparation.tex

@@ -0,0 +1,91 @@
+\chapter{预备}
+\par 在这个level 我将要花点时间给大家介绍基本的漏洞类型和安全机制,然后关闭全部的安全
+ 保护机制,学习如何在Linux下面编写最基本的exp.
+
+ \section{安全机制}
+ \par 分为两大类:编译相关(elf加固),部分编译选项控制着生成更安全的代码(损失部分性能或
+ 者空间),还有就说运行时的安全,都是为增加了漏洞利用的难度,不能从本质上去除软件的
+ 漏洞.
+
+ \subsection{STACK CANARY}
+ \par Canary 是放置在缓冲区和控制数据之间的一个words被用来检测缓冲区溢出, 如果发生缓
+ 冲区溢出那么第一个被修改的数据通常是canary,当其验证失败通常说明发生了栈溢出,更
+ 多信息参考这里
+ \footnote{\url{https://en.wikipedia.org/wiki/Buffer_overflow_protection\#Canaries}}.
+ \begin{lstlisting}[language=sh]
+   gcc -fstack-protector
+ \end{lstlisting}
+ 
+ \subsection{NX}
+ \par 在早期,指令是数据,数据也是数据,当PC指向哪里,那里的数据就会被当成指令被cpu执行,
+ 后来NX标志位被引入来区分指令和数据.更
+ 多信息参考这里\cite{Intel}
+\footnote{<<Intel® 64 and IA-32 Architectures Software Developer’s Manual>> volumes 3 section 4.6}
+\footnote{\url{https://en.wikipedia.org/wiki/NX_bit}}.
+
+ \begin{lstlisting}[language=sh]
+   gcc -z execstack
+ \end{lstlisting}
+ 
+
+ \subsection{FORTIFY}
+ \par 在编译和运行时候保护glibc:
+ \begin{list}{\textbullet}{%
+    \setlength\topsep{0pt} \setlength\partopsep{0pt}
+    \setlength\parsep{0pt} \setlength\itemsep{0pt}
+  }
+\item expand unbounded calls to "sprintf", "strcpy" into their "n"
+  length-limited cousins when the size of a destination buffer is known
+  (protects against memory overflows).
+\item stop format string "\%n" attacks when the format string is in a writable \% memory segment. 
+\item require checking various important function return codes and arguments (e.g.system, write, open).
+\item require explicit file mask when creating new files. 
+\end{list}
+ \begin{lstlisting}[language=sh]
+   gcc -D_FORTIFY_SOURCE=2 -O
+ \end{lstlisting}
+ 
+ \subsection{PIE}
+ -fPIC:
+ 类似于-fpic不过克服了部分平台对偏移表尺寸的限制.
+ 生成可用于共享库的位置独立代码。所有的内部寻址均通过全局偏移表(GOT)完成.要确
+ 定一个地址,需要将代码自身的内存位置作为表中一项插入.该选项需要操作系统支持,因
+ 此并不是在所有系统上均有效.该选项产生可以在共享库中存放并从中加载的目标模块.
+ 参考链接
+ \footnote{\url{https://en.wikipedia.org/wiki/Position-independent_code\#PIE}}.
+ 
+ -fPIE:
+ 这选项类似于-fpic与-fPIC,但生成的位置无关代码只可以链接为可执行文件,它通常的链
+ 接选项是-pie.
+ \begin{lstlisting}[language=sh]
+   gcc -pie -fPIE
+ \end{lstlisting}
+
+ \subsection{RELRO}
+\par Hardens ELF programs against loader memory area overwrites by having the loader mark any areas of the relocation table as read-only for any symbols resolved at
+ load-time ("read-only relocations"). This reduces the area of possible
+ GOT-overwrite-style memory corruption attacks
+ \footnote{\url{http://blog.isis.poly.edu/exploitation\%20mitigation\%20techniques/exploitation\%20techniques/2011/06/02/relro-relocation-read-only/}}.
+
+ \subsubsection{ASLR}
+ \footnote{\url{https://en.wikipedia.org/wiki/Address_space_layout_randomization}}
+
+ \section{漏洞类型}
+ \subsection{栈溢出}
+ \subsection{整数溢出}
+ \subsection{off-by-one(stack base)}
+ \subsection{格式化字符串}
+ \%h(短写)
+ \%n\$d(直接参数访问)
+ \%n(任意内存写)
+ \%s(任意内存读)
+
+ \section{Exp开发}
+ \subsection{rop}
+ nop seld + shellcode + ret
+ \subsection{.dtors(废弃)}
+ 
+ \begin{lstlisting}[language=C]
+   static void cleanup() __attribute__((destructor))
+ \end{lstlisting}
+ \subsection{覆写GOT}

chapter2/chapter_stack.tex

@@ -0,0 +1,31 @@
+\chapter{stack}
+\par 这个阶段可能要花点时间了,需要学习主流的bypass安全机制的部分手段(base
+stack).
+\par ret2any: 返回到任何可以执行的地方, 已知的地方
+\begin{list}{\textbullet}{%
+    \setlength\topsep{0pt} \setlength\partopsep{0pt}
+    \setlength\parsep{0pt} \setlength\itemsep{0pt}
+  }
+\item stack
+\item data/heap
+\item text
+\item library (libc)
+\item code chunk (ROP)
+\end{list}
+
+\section{CANARY}
+\subsection{overwriting TLS}
+
+\section{NX}
+\subsection{return-to-libc}
+\footnote{\url{https://sploitfun.wordpress.com/2015/05/08/bypassing-nx-bit-using-return-to-libc/}}.\newline
+\subsection{chained return-to-libc} 
+\footnote{\url{https://sploitfun.wordpress.com/2015/05/08/bypassing-nx-bit-using-chained-return-to-libc/}}.\newline
+
+\section{ASLR}
+\subsection{return-to-plt}
+\footnote{\url{https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-i/}}.\newline
+\subsection{brute-force}
+\footnote{\url{https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-ii/}}.\newline
+\subsection{overwriting GOT}
+\footnote{\url{https://sploitfun.wordpress.com/2015/05/08/bypassing-aslr-part-iii/}}.\newline

chapter3/chapter_heap.tex

@@ -0,0 +1,16 @@
+\chapter{heap}
+
+这个阶段可能要花更多的时间了,堆上面的安全一直是个相对高级的话题(windows下也是如
+此),在这个阶段讲要学习堆区域的bug.
+
+\section{overflow using unlink}
+\footnote{\url{https://sploitfun.wordpress.com/2015/02/26/heap-overflow-using-unlink/}}.
+
+\section{overwrite using malloc}
+\footnote{\url{https://sploitfun.wordpress.com/2015/03/04/heap-overflow-using-malloc-maleficarum/}}.
+
+\section{off by one}
+\footnote{\url{https://sploitfun.wordpress.com/2015/06/09/off-by-one-vulnerability-heap-based}}.
+
+\section{UAF(use after free)}
+\footnote{\url{https://sploitfun.wordpress.com/2015/06/16/use-after-free/}}.

chapter4/chapter_kernel.tex

@@ -0,0 +1,20 @@
+\chapter{内核}
+ 这个阶段归档了kernel安全相关的文档(安全保护,利用).
+ \section{安全机制}
+ 早期kernel可以随意访问用户态代码,ret2usr技术可以让内核执行用户态的代码,不过随着
+ Linux的发展SMAP(禁止kernel随意访问用户态,RFLAGE.AC标志位置位可以),SMEP禁止
+ kernel态直接执行用户态代码.
+ \subsection{SMAP}
+现代Linux默认启用.
+\subsection{SMEP/PXN}
+现代Linux默认启用.
+\subsection{kaslr}
+ubuntu 14.04 desktop默认还没有启用,更多信息参考Ubuntu security Features
+\footnote{\url{https://wiki.ubuntu.com/Security/Features\#Userspace_Hardening}}
+\section{利用方法}
+\subsection{rop-2-usr(废弃)}
+早期能工作
+\subsection{rop}
+
+\subsection{vDSO overwriting}
+SEMP using vDSO overwrites(CSAW Fianl 2015 string IPC)

chapter5/chapter_vuln_detection.tex

@@ -0,0 +1,36 @@
+\chapter{漏洞挖掘}
+漏洞挖掘的重要性不言而喻,打个比喻上面写的如何啃肉,漏洞挖掘就是肉在哪里.
+\section{fuzz}
+
+\subsection{why fuzz?}
+- 容易实现
+– 覆盖面广
+– 低投入高产出
+
+\subsection{why not fuzz?}
+– 分析困难(无法调试)
+– Panic多 / Exploitable少
+– 欠缺精度
+
+\subsection{where to fuzz?}
+– ioctl
+– sysctl
+– File system
+– Network
+\subsection{how to fuzz?}
+
+    
+
+\section{代码审计}
+\subsection{source}
+ \begin{list}{\textbullet}{%
+    \setlength\topsep{0pt} \setlength\partopsep{0pt}
+    \setlength\parsep{0pt} \setlength\itemsep{0pt}
+  }
+    \item - Heap Overflow
+    \item - Integer Overflow
+    \item - Type Confusion
+    \item - Use after Free
+    \item - Logical Error
+    \item - Kernel Information Leak
+\end{list}

fonts-external.sty

@@ -0,0 +1,27 @@
+\NeedsTeXFormat{LaTeX2e}[1994/06/01]
+\ProvidesPackage{fonts_external}[2016/10/09 fonts external package]
+
+\RequirePackage{fontspec}
+\RequirePackage{xeCJK}
+
+\defaultfontfeatures{Path = fonts-external/, Mapping=tex-text}
+
+\setCJKmainfont[
+BoldFont=msyhbd.ttc,
+ItalicFont=msyhl.ttc,
+SmallCapsFont=msyh.ttc
+]{msyh.ttc}
+\setCJKsansfont{msyh.ttc}
+\setCJKmonofont{consola.ttf}
+
+\setCJKfamilyfont{zhsong}{simsun.ttc}
+\setCJKfamilyfont{zhhei}{simhei.ttf}
+\setCJKfamilyfont{zhfs}{simfang.ttf}
+\setCJKfamilyfont{zhkai}{simkai.ttf}
+
+\newcommand*{\songti}{\CJKfamily{zhsong}} % 宋体
+\newcommand*{\heiti}{\CJKfamily{zhhei}}   % 黑体
+\newcommand*{\kaishu}{\CJKfamily{zhkai}}  % 楷书
+\newcommand*{\fangsong}{\CJKfamily{zhfs}} % 仿宋
+
+\endinput