Jumping into exploit development

I have done a little bit of exploit development over the years, starting with stack overflows, reading Hacking: The Art of Exploitation and The Shellcoder's Handbook, Second Edition, and some CTF-related stuff, but I really had let my skills fall stale in the last few years. I went seeking out resources to freshen up my knowledge and found that they were spread out all over the place. So I figured, why not put them all together for anybody looking to refresh their memory or just get started learning? I feel that at least a fundamental understanding of exploit development, enough to make modifications to public exploits, is necessary for anybody seeking a career in penetration testing. Also, it's just downright fun to play around in a debugger.


A couple of books that I referenced above that got me started and can give you a great foundation:

  • Hacking: The Art of Exploitation
  • The Shellcoder's Handbook, 2nd Edition


You are going to need to learn some assembly to understand what you are seeing in the debugger and also to write your own custom shellcode:

A great place to start is securitytube.net, which offers a great class on assembly language.

Securitytube Windows assembly language megaprimer can be found here

Securitytube Linux assembly language megaprimer can be found here

You can then follow this up with the Securitytube buffer overflow for Linux megaprimer here

The Shellcoder's Handbook serves as a great resource, which you can buy from Amazon

Shellcoding for Linux and Windows tutorials can be found here

The Project Shellcode tutorials can be found here

Windows exploitation

Of course, first and foremost, @corelancod3r has some excellent material you can find here

FuzzySecurity has some great stuff as well here

OpenSecurityTraining (@opensectraining) offers a great wealth of information on the topic here

OpenSecurityTraining also has a video series to accompany some of the topics that I found very useful here

A wiki on Metasploit that has some great info can be found here

A great @metasploit post about stack overflows that is very detailed can be found here

The Grey Corner posts some detailed material:

  • Stack based overflows here
  • SEH stack based overflows here

Linux exploitation

FuzzySecurity also offers material on Linux exploit development here

@corelancod3r does the same with his Linux exploit material here

Exploit databases

Exploit databases can be a great place to see working, public exploit code. Reading that code and understanding why it works can be a big step towards writing your own successful exploit code.

Some sites to find exploit code:

@exploitdb, run by Offensive Security (@offsectraining), here

@Rapid7 provides some good information, including the available modules for Metasploit, here

There are probably many more good resources out there so feel free to tweet me. I love to post resources to help people find good material that has helped me so you will probably see a lot of that on this blog. I hope this list grows as people give me suggestions.
