TLN - snakeCTF 2024


this weekend I played snakeCTF for fun and managed to solve a few pwns. one of them was TLN. the challenge code was pretty simple, introducing a classical oob index vulnerability: case OPT_SET: print("Index: "); index = get_int(); print("Content: "); read_exact(&(notes[index].content), sizeof(item_t) - 1); notes[index].content[sizeof(item_t) - 1] = 0; break; as you can see, no bounds checks at all. the notes array consists of elements of item_t, which is defined like the following:…

my own kernel fuzzer - lxfuzz


my long-time project is writing a kernel fuzzer named lxfuzz. it is a coverage-guided fuzzer for the linux kernel. I chose that project for some reasons: to learn about fuzzing, its mechanisms etc. in general, to learn more about the linux kernel, especially to improve my C++ skills :) (the language used for lxfuzz), profit (finding CVEs). under the hood it’s using qemu to run the kernel and kcov for coverage collection.…

the ring - BlackHat MEA CTF 2024


I had a fun time playing BlackHat MEA CTF. this pwn challenge was particularly nice. in “the ring” you were given a FLAC audio file parser, written in C++. you can provide such a custom audio file and get presented the output of the program. notice that there is a python wrapper handling the file and outputs readable text only. now the general functionality of the program: the program checks the magic bytes first (#define FLAC_MAGIC 0x664c6143U) and then immediately starts looking for the initial TYPE_STREAMINFO block, which may be followed by more blocks.…

valorn't - PlaidCTF 2024


I solved the easy pwn chall “valorn’t” during PlaidCTF while playing with Friendly Maltese Citizens. as usual, the goal was to win the game and read the flag: int ret = play_pew_pew_game(); if (ret == 0) { read_flage(); } in order to win, is_cheater had to be set and the enemy team win-counter has to be 0: int play_pew_pew_game() { // ... if (is_cheater) { if (res->enemy_team == 0) { return 0; } else { puts("Dang, you're dogwater.…

exploiting the kernel - CVE-2022-24122


for the first time I exploited the kernel in real life. I used the bug CVE-2022-24122, which allowed a use-after-free due to bad use of refcount. the exploit itself requires a kaslr leak to prevent an oops during the process, as well as access to user namespaces. it is not really reliable, needs many tries :D to get root I corrupted the slub freelist and wrote to modprobe_path. the exploit code can be found on GitHub or in the following:…

jailbreaking iOS 9.3.5 - CVE-2016-4669


in this article, I’ll present a detailed ios jailbreak writeup and some basic tips and tricks on how to set up an environment for exploiting. the bug I am exploiting is in the iOS kernel. I hope this is a helpful reference for anyone who wants to start with iOS pwn. now let us begin! short story: a few weeks ago, I found an old iPad 3,1 by my dad. I wanted to set it up for homeschooling for my sister, but the iOS version was so old that I was unable to download anything from the AppStore.…

software and hardware fundamentals


note that this is only an early reference that I initially created for mysELF. I decided to publish it for those, who want to have an overview of the fundamentals. if you spot any mistakes or if you think something should be added, please reach me on discord (bitfriends). I used some pictures from other people because this was only a reference for me. the people who created the pictures are amazing and should feel honored :)…

About


I like programming and low-level, do vuln research, pwn stuff and play ctf with ARESx/FMC. When I’m not using my pc, I enjoy spending time with music, playing airsoft and working on motorcycles.…