Notes Index for Secure Software

Mastery Goal A:

Learn just enough C to compile an executable that does some basic stuff

Class 1: C basics, compiling, loops, etc.

Mastery Goal B:

Learn how to look at the x86 assembly from a compiled executable and recognize most of the above classic code components. Reverse some simple password crackers. (radare2 and gdb)

Class 2: How local variables are stored

Class 3: Registers, x86 instructions, Radare2, and first crackmes

Class 4: Radare2 and Reversing Crackmes

Class 5: Reversing Practice (for mastery)

Mastery Goal C:

Learn the calling conventions for 32-bit and 64-bit functions. Write a program in bare assembly that uses both calling conventions. (nasm and ld)

Class 6: Calling-Convention Brain Dump is a choose your own adventure story to help with 32-bit calling convention

Class 7: Calling-Conventions Part 2: Parameters

Class 8: Intro to Shellcode and ASM (Project 1 Starter and also Master Task E)

Mastery Goal D:

Simple buffer overflow that reroutes the instruction pointer to a win function. Do this in the simple case of fixed function addresses (no-PIE [position independent execution]). (pwntools, checksec, and rabin2)

Class 9: Buffer Overflow Exploits, Debugging Tricks, Applied Calling Conventions

Mastery Goal E:

Exploit a binary by providing shellcode and jumping the instruction pointer to your shellcode. (The simple case is that addressing is handled for you.) (shellcraft and google)

Class 8: Intro to Shellcode and ASM (Project 1 Starter and also Master Task E)

Mastery Goal F:

Exploit a buffer overflow by creating a ROP-chain that crafts it's own shellcode in small available pieces in a no-PIE environment. (ROPgadget)

Class 10: Intro to ROP chains and Write-ups

Mastery Goal G:

Learn how address randomization works in x86. (/proc/:pid/maps)

Class 11: Address randomization and PLT/GOT

Mastery Goal H:

Use an address leak to create a ROP chain that escapes into glibc. (, rabin2, and pwntools ELF)

Class 12: Address randomization and PLT/GOT part 2 (the daily PWN is ret2libc)

Mastery Goal I:

Create your own address leak and then escape into glibc.

Class 13: Manufacturing Leaks and the 32-bit Auto-PWNer

Mastery Goal J:

Master the primitive of a write-what-where by way of a printf vulnerability. (pwntools: fmtstr_payload)

Class 14: Intro to printf vulns

Class 15: First Write-What-Where

Mastery Goal K:

Use a write-what-where to alter the GOT table in order to create a shell, also use write-what-where and GOT to generate a glibc address leak. (Around about this point of mastery is sufficient for Project 2.) (pwntools: ELF(binary).got)

Class 16: printf tooling, learning from write-ups, some printf gotchas

Class 17: Full printf demo

Mastery Goal L:

Master the use of a syscall instruction (both 32-bit and 64-bit) to make operating system calls (syscall tables) SROP too

Class 18: Life without a Win: pt 1 - SROP and syscalls

STEP BACK: An abstract PWN framework

Class 19: The parts of any exploit and exponentially growing your skills

Mastery Goal M:

Understand the structure of the heap and perform a heap overflow exploit. (pwndbg vis)

Class 20: Intro to gdb (pwndbg)

Class 21: Intro to the Heap

Class 22: how2heap and Linking an old glibc effectively

Mastery Goal P:

House of [Force, Orange, Spirit, Einherjar, Storm] (How to Heap and glibc versions)

Class 23: follow a write-up for House of Force

Class 24: Homemade House of Force

Class 32: House of Orange (unsorted bin attack / partial unlink)

Class 35: Finish 2.23 FSOP, HOO wrap-up pt. 1

Class 36: HOO wrap-up pt. 2 OR cutting edge exploit via FSOP

Class 38: Fake Chunks and House of Einherjar

Mastery Goal N:

Fastbin and Arena exploits (pwndbg arena)

Class 25: THE BINS

Class 26: Heap Fundamentals 1 - tcache why and how

Class 31: tcache/fastbin exploits in 2.34

Mastery Goal O:

Double-Free, Use-after-free exploits (linked lists vis)

Class 27: Use-After-Free exploits

Class 28: Tales from the heap - debug glibc malloc, main_arena, fastbins (Also an awesome heap vuln playground source)

Class 29: Fastbin dup story

Class 30: Fastbin Dup targeting malloc_hook-35

Mastery Goal Q:

Pratice Security Research vis FSOP

Class 33: Intro to FSOP

Class 34: 2.23 FSOP Exploits

Class 37: A cutting edge (2.34) exploit and hunting strategy


Class 39: A look back, a look forward, last class.