last week we qualified for securinets finals. Java? was a pwn challenge I blooded. we were given a java program, which reads input three times and passes it to a library:
import java.io.BufferedReader; import java.io.IOException; import java.io.InputStreamReader; public class Main { private String first = ""; private String second = ""; private String last = ""; static { System.loadLibrary("Lib"); } public native void Kabom(); public native void Setup(); public static void main(String[] args) throws IOException{ BufferedReader reader = new BufferedReader(new InputStreamReader(System.…
physler was another challenge from BRICS CTF that I solved. we basically got a kernel module that has two ioctl requests defined:
case IOCTL_MAP_PHYS_ADDR: { if (copy_from_user(&_map, (void*)arg, sizeof(_map))) { return -EFAULT; } if (mem) iounmap(mem); mem = ioremap(_map.phys_addr, _map.size); if (!mem) { return -EFAULT; } break; } case IOCTL_WRITE_PHYS_MEM: { if (!mem) return -EFAULT; if (copy_from_user(&_write, (void*)arg, sizeof(_write))) { return -EFAULT; } size = _write.size; if (size > sizeof(kernel_buffer)) size = sizeof(kernel_buffer); if (copy_from_user(kernel_buffer, (char *)_write.…
two weeks ago, I played BRICS CTF with r3kapig, and we ranked 1st! chains was one of the challenges I solved.
we were given a program to add/remove proxies and chains. upon executing we’re presented with:
1. Add Proxy
2. Delete Proxy
3. Add Chain
4. View Chain
5. Delete Chain
6. Exit
that resembles a typical heap challenge. it turns out to be one, since the following structures are getting allocated dynamically:…
this weekend I played snakeCTF for fun and managed to solve a few pwns. one of them was TLN. the challenge code was pretty simple, introducing a classical oob index vulnerability:
case OPT_SET: print("Index: "); index = get_int(); print("Content: "); read_exact(&(notes[index].content), sizeof(item_t) - 1); notes[index].content[sizeof(item_t) - 1] = 0; break;
as you can see, no bounds checks at all. the notes array consists of elements of item_t, which is defined like the following:…
my long-time project is writing a kernel fuzzer named lxfuzz. it is a coverage-guided fuzzer for the linux kernel. I chose that project for some reasons:
- to learn about fuzzing, its mechanisms etc. in general
- to learn more about the linux kernel
- especially to improve my C++ skills :) (the language used for lxfuzz)
- profit (finding CVEs)
under the hood it’s using qemu to run the kernel and kcov for coverage collection.…
I had a fun time playing BlackHat MEA CTF. this pwn challenge was particularly nice.
in “the ring” you were given a FLAC audio file parser, written in C++. you can provide a custom audio file and are presented with the program’s output. notice that there is a python wrapper that handles the file and outputs readable text only.
now the general functionality of the program: the program checks the magic bytes first (#define FLAC_MAGIC 0x664c6143U) and then immediately starts looking for the initial TYPE_STREAMINFO block, which may be followed by more blocks.…
I solved the easy pwn chall “valorn’t” during PlaidCTF while playing with Friendly Maltese Citizens.
as usual, the goal was to win the game and read the flag
int ret = play_pew_pew_game(); if (ret == 0) { read_flage(); }
in order to win, is_cheater had to be set and the enemy team win-counter had to be 0
int play_pew_pew_game() { // ... if (is_cheater) { if (res->enemy_team == 0) { return 0; } else { puts("Dang, you're dogwater.…
for the first time I exploited the kernel in real life. I used the bug CVE-2022-24122, which allowed a use-after-free due to incorrect refcount handling.
the exploit itself requires a kaslr leak to prevent an oops during the process, as well as access to user namespaces. it is not really reliable and needs many tries :D
to get root I corrupted the slub freelist and wrote to modprobe_path.
the exploit code can be found on GitHub or in the following:…
in this article, I’ll present a detailed iOS jailbreak writeup and some basic tips and tricks on how to set up an environment for exploiting. the bug I am exploiting is in the iOS kernel. I hope this is a helpful reference for anyone who wants to start with iOS pwn.
now let us begin! short story:
a few weeks ago, I found an old iPad 3,1 at my dad’s. I wanted to set it up for homeschooling for my sister, but the iOS version was so old that I was unable to download anything from the AppStore.…
note that this is only an early reference that I initially created for myself. I decided to publish it for those who want to have an overview of the fundamentals. if you spot any mistakes or if you think something should be added, please reach me on discord (bitfriends). I used some pictures from other people because this was only a reference for me. the people who created the pictures are amazing and should feel honored :)…