A Bug Hunter's Diary

Welcome to the companion website of the book »A Bug Hunter's Diary — A Guided Tour Through the Wilds of Software Security«.

In this website you will find information on the book and a wealth of resources to complement the book. If you simply want to know what this book is about, head over to my publisher's website No Starch Press and see the sample chapter as well as the Table of Contents.

For purchasing information, please visit No Starch Press (free ebook with print book purchase), Amazon or your local bookstore (ISBN: 978-1-59327-385-9).

If you've already purchased the book, the Code Examples, Exploits, Exploit Videos, Notes and Vulnerable Software Download Links sections might be of interest for you.

Endorsements and Reviews of the Book

»Give a man an exploit and you make him a hacker for a day; teach a man to exploit bugs and you make him a hacker for a lifetime.«
—Felix "FX" Lindner, Head of Recurity Labs / Phenoelit

»This is one of the most interesting infosec books to come out in the last several years.«
—Dino Dai Zovi, Security Engineer at Square

»As a diary, I believe it is one of the best books I have read so far. Easy writing style, interesting bugs and illustrative pictures and code listings are the key points making it so successful. [..] That said, I would especially recommend A Bug Hunter's Diary as an excellent supplement of a security textbook to everyone making his first steps in the software security field.«
—Mateusz "j00ru" Jurczyk, Google Inc. (Read more)

»While no book will turn you into an expert bug hunter overnight, the dozens of insightful tricks and tips in "A Bug Hunter's Diary" will certainly put you on the right track. Tobias demonstrates his technical expertise as he adeptly covers a wide range of platforms and techniques in a journey that's packed with both useful information and fun. This book is a great read for newcomers and experts alike, and is sure to inspire readers to pick new targets and start finding bugs of their own.«
—Dan Rosenberg, Senior Security Researcher at Azimuth Security

»I definitely recommend this book for anyone who is just starting out in this field and is interested to know exactly what the process of finding software vulnerabilities is like.«
—Chris Rohlf, Head of pentesting and red team at Yahoo (Read more)

»Really enjoyed A Bug Hunter's Diary. Short and to the point. Excellent for people wanting to get into vulnerability hunting.«
—Tarjei Mandt, Senior Security Researcher at Azimuth Security (Tweet)

»What [Tobias Klein] does do, and does very well, is draw a straight line from source or assembly to the beginning stages of a viable exploit. It is a very satisfying book to read and there are great bits of knowledge to be had.«
—Alex McGeorge, Immunity Inc. (Read more)

»My @nostarch recommendations: Silence on the Wire, Bug Hunter's Diary, Inside The Machine, and Hacking the XBox.«
—Peiter C. Zatko, better known as Mudge. (Tweet)

»Tobias Klein is an excellent security researcher with experience in both closed and open source bug hunting as well as exploit development in many different architectures. I would definately suggest this book to anyone interested in real world bug hunting and exploitation and not just vuln.c programs.«
— (Read more)


Cover Cover Cover
Cover Cover

German (dpunkt.verlag, Heidelberg)
Japanese (Shoeisha Co., Ltd., Tokyo)
Chinese (Posts & Telecommunications Press, Beijing)
Russian (DMK-Press, Moskau)
Korean (Ji Aensun)

Sample Chapter and Table of Contents

Chapter 2 "Back to the 90s" is available for download here (PDF).

View the detailed Table of Contents here (PDF).

Code Examples

Download the source code for the entire book here (ZIP file).

SHA-256: D453E0E105A4210DB5904F36C759E82A199468C55DACA19A5EEFA17368F3F974


Exploit code developed and published by third parties:

Chapter 2 — Back to the 90s (1, 2)
Chapter 3 — Escape from WWW Zone (1)
Chapter 4 — NULL Pointer FTW (1)
Chapter 5 — Browse and you're Owned (1)
Chapter 6 — One Kernel to Rule them all (1)

Exploit Videos

I recorded some videos demonstrating the exploitability of the bugs described in the book (the videos are best viewed in HD quality and set to full screen):

Chapter 2 — Back to the 90s (Video 1, Video 2)
Chapter 3 — Escape from WWW Zone (Video)
Chapter 4 — NULL Pointer FTW (Video)
Chapter 5 — Browse and you're Owned (Video)
Chapter 6 — One Kernel to Rule them all (Video)
Chapter 7 — A Bug Older Than 4.4BSD (Video)

Vulnerable Software Download Links

These are the download links of the vulnerable software mentioned in the book:

Chapter 2 — Back to the 90s

Get the source code of the vulnerable VLC version 0.9.4: official download link
Get the vulnerable Windows version 0.9.4 of VLC: official download link

Chapter 3 — Escape from WWW Zone

The official source tree of OpenSolaris is no longer available, but here are the links to the archived versions of the kernel source code files which are referenced in Chapter 3: stream.h, ip.c, ip_if.c, startup.c, putnext.c, ip_if.c.diff.
Get the vulnerable version of Solaris (Solaris 10 10/08 x86/x64 DVD Full Image): Google search

Chapter 4 — NULL Pointer FTW

Get the source code of vulnerable FFmpeg revision 16556: official download link
You may use the following command to checkout the vulnerable revision:

svn checkout svn:// ffmpeg

Chapter 5 — Browse and you're Owned

Get the vulnerable version of WebEx Meeting Manager: mirror
Version: 8.0.4902
File size: 9.3 MB (9784832 bytes)
Signing date: 28 February 2008, 8:34 PM
SHA256: 3581ccb674c051b9e2caac94f244fd2df1d28c57f708e542f2f02f07a3fcd28c

Chapter 6 — One Kernel to Rule them all

Get the vulnerable trial version of avast! Professional: mirror
File version: 4.7.1098.0
File size: 19.2 MB (20140376 bytes)
Signing date: 15 February 2008, 9:34 PM
SHA256: 1ef9e6a24026df19ba94bbf2ee751e86c9ee4ea84d127101ac3ba29c1484d123

Chapter 7 — A Bug Older Than 4.4BSD

Get the vulnerable source code revision of the XNU kernel: official download link


Click here for clickable, chapter-by-chapter notes (last updated in June 2016).