TOY/2: this weekend we played as P1G SEKAI and managed to qualify for the finals. TOY/2 was a challenge I solved.
in this challenge we’re given a C++ binary that emulates some 16-bit architecture.
it had several instructions, one of which contained an oob bug:

case 13: /* STT */ mem_write(_regs.a & (size() - 1), _regs.t); break;

this is bad code: the store writes two bytes, but the AND only keeps the address below the memory size, so the address can be the very last byte of the emulator memory and the second byte lands one past the end → one-byte oob write.…
last week we qualified for the Securinets finals. Java? was a pwn challenge I blooded. we were given a Java program, which reads input three times and passes it to a native library:
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;

public class Main {
    private String first = "";
    private String second = "";
    private String last = "";

    static {
        System.loadLibrary("Lib");
    }

    public native void Kabom();
    public native void Setup();

    public static void main(String[] args) throws IOException {
        BufferedReader reader = new BufferedReader(new InputStreamReader(System.…
physler was another challenge from BRICS CTF that I solved. we got a kernel module that defines two ioctl requests:
case IOCTL_MAP_PHYS_ADDR: {
    if (copy_from_user(&_map, (void*)arg, sizeof(_map))) {
        return -EFAULT;
    }
    if (mem)
        iounmap(mem);
    mem = ioremap(_map.phys_addr, _map.size);
    if (!mem) {
        return -EFAULT;
    }
    break;
}
case IOCTL_WRITE_PHYS_MEM: {
    if (!mem)
        return -EFAULT;
    if (copy_from_user(&_write, (void*)arg, sizeof(_write))) {
        return -EFAULT;
    }
    size = _write.size;
    if (size > sizeof(kernel_buffer))
        size = sizeof(kernel_buffer);
    if (copy_from_user(kernel_buffer, (char *)_write.…
two weeks ago, I played BRICS CTF with r3kapig, and we ranked 1st! chains was one of the challenges I solved.
we were given a program to add/remove proxies and chains. upon executing we’re presented with:
1. Add Proxy
2. Delete Proxy
3. Add Chain
4. View Chain
5. Delete Chain
6. Exit

this menu resembles a typical heap challenge, and it turns out to be one, since the following structures are allocated dynamically:…
this weekend I played snakeCTF for fun and managed to solve a few pwns. one of them was TLN. the challenge code was pretty simple, introducing a classic oob index vulnerability:

case OPT_SET:
    print("Index: ");
    index = get_int();
    print("Content: ");
    read_exact(&(notes[index].content), sizeof(item_t) - 1);
    notes[index].content[sizeof(item_t) - 1] = 0;
    break;

as you can see, there are no bounds checks at all. the notes array consists of elements of type item_t, which is defined as follows:…
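the two oob bugs above (the TOY/2 STT store and the TLN OPT_SET index) are both bounds-check failures, just of different kinds: a power-of-two mask that is not a bounds check for a two-byte store, and a user index that is never checked at all. the following is an added example, not code from either challenge binary: each vulnerable pattern is modelled next to the check that would have prevented it. the emulator memory size (4096), the note count (16), the item_t layout and the canary/sentinel fields are assumptions for the demo; the real values are not in the excerpts.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* --- TOY/2 STT: a & (size-1) keeps the address in range, the store does not --- */

#define EMU_MEM_SIZE 4096u              /* assumed power-of-two size */

typedef struct {
    uint8_t mem[EMU_MEM_SIZE];
    uint8_t canary;                     /* stands in for whatever sits right after mem */
} emu_t;

/* Vulnerable: addr is always <= size-1, but a 16-bit store also touches addr+1. */
static void stt_masked(emu_t *e, uint16_t a, uint16_t t)
{
    uint8_t *bytes = (uint8_t *)e;      /* byte view so the demo stays inside the struct */
    size_t addr = a & (EMU_MEM_SIZE - 1);
    bytes[addr]     = (uint8_t)(t & 0xff);
    bytes[addr + 1] = (uint8_t)(t >> 8);   /* hits the canary when addr == size-1 */
}

/* Hardened: require the whole 2-byte store to fit. 0 on success, -1 if rejected. */
static int stt_checked(emu_t *e, uint16_t a, uint16_t t)
{
    if ((size_t)a > EMU_MEM_SIZE - sizeof(uint16_t))
        return -1;
    e->mem[a]     = (uint8_t)(t & 0xff);
    e->mem[a + 1] = (uint8_t)(t >> 8);
    return 0;
}

/* Returns 1 if a masked store with a = 0xFFFF (masked to size-1) corrupted the canary. */
static int stt_demo_masked(void)
{
    emu_t e;
    memset(&e, 0, sizeof e);
    e.canary = 0xAA;
    stt_masked(&e, 0xFFFF, 0x4142);
    return e.canary != 0xAA;
}

/* Returns 1 if the checked store rejected the last address and left the canary intact. */
static int stt_demo_checked(void)
{
    emu_t e;
    memset(&e, 0, sizeof e);
    e.canary = 0xAA;
    int rc = stt_checked(&e, EMU_MEM_SIZE - 1, 0x4142);
    return rc == -1 && e.canary == 0xAA;
}

/* --- TLN OPT_SET: a user-supplied index with no bounds check at all --- */

#define NOTE_COUNT 16                   /* assumed array size */
typedef struct { char content[32]; } item_t;   /* shape assumed from the excerpt */

typedef struct {
    item_t notes[NOTE_COUNT];
    char   sentinel[sizeof(item_t)];    /* stands in for whatever follows the array */
} notebook_t;

/* Vulnerable: index is used as-is. index == NOTE_COUNT writes past the array; a negative
 * index would write before it (not demonstrated, to stay inside the struct). */
static void set_note_unchecked(notebook_t *nb, int index, const char *src)
{
    item_t *slot = (item_t *)((uint8_t *)nb->notes + (ptrdiff_t)index * sizeof(item_t));
    strncpy(slot->content, src, sizeof(item_t) - 1);
    slot->content[sizeof(item_t) - 1] = 0;
}

/* Hardened: reject the index first, checking the signed value on both sides. */
static int set_note_checked(notebook_t *nb, int index, const char *src)
{
    if (index < 0 || index >= NOTE_COUNT)
        return -1;
    strncpy(nb->notes[index].content, src, sizeof(item_t) - 1);
    nb->notes[index].content[sizeof(item_t) - 1] = 0;
    return 0;
}

/* Returns 1 if setting note NOTE_COUNT clobbered the sentinel behind the array. */
static int tln_demo_unchecked(void)
{
    notebook_t nb;
    memset(&nb, 0, sizeof nb);
    set_note_unchecked(&nb, NOTE_COUNT, "AAAA");
    return nb.sentinel[0] == 'A';
}
```

the point of the STT half is that masking with size-1 is only a bounds check for a one-byte access; for an n-byte access the check has to be on a + n - 1. the TLN half shows why the index check must be done on the signed value: a check like `index >= NOTE_COUNT` alone would still pass -1.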
my long-time project is writing a kernel fuzzer named lxfuzz. it is a coverage-guided fuzzer for the linux kernel. I chose that project for some reasons:

- to learn about fuzzing, its mechanisms etc. in general
- to learn more about the linux kernel
- especially to improve my C++ skills :) (the language used for lxfuzz)
- profit (finding CVEs)

under the hood it uses qemu to run the kernel and kcov for coverage collection.…
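to make "kcov for coverage collection" concrete, here is an added example (written for this page, not lxfuzz's code) of the two pieces a coverage-guided kernel fuzzer needs on the guest side: collecting the PCs the kernel executed during one call via the kcov interface, and merging them into a global map so an input can be judged as "found new coverage" or not. the kcov ioctls and the buffer layout (slot 0 holds the count, slots 1..count hold PCs) are from Documentation/dev-tools/kcov.rst; the buffer size, the hash and the map size are assumptions. kcov_run() returns -1 when /dev/kcov does not exist, so the program degrades gracefully on a kernel built without CONFIG_KCOV.

```c
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

/* kcov interface, as documented in Documentation/dev-tools/kcov.rst */
#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE     _IO('c', 100)
#define KCOV_DISABLE    _IO('c', 101)
#define KCOV_TRACE_PC   0
#define COVER_SIZE      (64 * 1024)     /* PC slots in the shared buffer (assumed size) */

/* Global coverage map: one bit per hashed PC. 2^20 bits is an assumed size. */
#define MAP_BITS (1u << 20)
typedef struct { uint8_t bits[MAP_BITS / 8]; } cov_map_t;

static uint32_t pc_hash(unsigned long pc)
{
    /* multiplicative hash, keep the top 20 bits */
    return (uint32_t)((pc * 0x9E3779B97F4A7C15ULL) >> 44);
}

/* Merge a kcov trace (buf[0] = number of PCs, buf[1..] = PCs) into the map.
 * Returns how many PCs were not in the map before: > 0 means new coverage. */
static size_t cov_merge(cov_map_t *map, const unsigned long *buf)
{
    size_t fresh = 0;
    for (unsigned long i = 1; i <= buf[0]; i++) {
        uint32_t h = pc_hash(buf[i]);
        uint8_t bit = (uint8_t)(1u << (h & 7));
        if (!(map->bits[h >> 3] & bit)) {
            map->bits[h >> 3] |= bit;
            fresh++;
        }
    }
    return fresh;
}

/* Run fn() under kcov on the current thread and merge its coverage.
 * Returns the number of new PCs, or -1 if kcov is unavailable (no /dev/kcov). */
static long kcov_run(cov_map_t *map, void (*fn)(void))
{
    unsigned long *cover = MAP_FAILED;
    unsigned long n;
    long result = -1;
    int fd = open("/dev/kcov", O_RDWR);
    if (fd < 0)
        return -1;
    if (ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE))
        goto out;
    cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
                 PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (cover == MAP_FAILED)
        goto out;
    if (ioctl(fd, KCOV_ENABLE, KCOV_TRACE_PC))
        goto out;
    __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);   /* reset the PC counter */
    fn();                                                /* the kernel entry point under test */
    n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);
    ioctl(fd, KCOV_DISABLE, 0);
    if (n > COVER_SIZE - 1)                              /* buffer full: the tail was dropped */
        n = COVER_SIZE - 1;
    cover[0] = n;
    result = (long)cov_merge(map, cover);
out:
    if (cover != MAP_FAILED)
        munmap(cover, COVER_SIZE * sizeof(unsigned long));
    close(fd);
    return result;
}

static void target(void) { (void)getpid(); }             /* stand-in for the syscall being fuzzed */

int main(void)
{
    static cov_map_t map;                                /* zero-initialised: nothing seen yet */
    long fresh = kcov_run(&map, target);
    if (fresh < 0)
        puts("kcov unavailable (kernel without CONFIG_KCOV, or no /dev/kcov)");
    else
        printf("%ld new PCs\n", fresh);
    return 0;
}
```

in a real fuzzer the map lives in the host process and the trace is shipped out of the qemu guest, but the decision "did this input execute a PC we have never seen" is exactly cov_merge() returning a non-zero count.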
I had a fun time playing BlackHat MEA CTF. this pwn challenge was particularly nice.
in “the ring” you were given a FLAC audio file parser written in C++. you could provide a custom audio file and were shown the program's output. note that a python wrapper handles the file and outputs readable text only.
now the general functionality of the program: it first checks the magic bytes (#define FLAC_MAGIC 0x664c6143U) and then immediately starts looking for the initial TYPE_STREAMINFO block, which may be followed by more blocks.…
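to see what the parser has to get right, here is an added example (written for this page, not the challenge's code) that walks the FLAC metadata section the way the post describes: check the magic, require the first block to be STREAMINFO, then follow the is-last flag through the remaining blocks. the 4-byte metadata block header (1 bit last-flag, 7-bit type, 24-bit big-endian length) and the fixed 34-byte STREAMINFO body are from the FLAC format; the sample byte strings are constructed here, and every length is checked against the buffer before it is used, which is the check a crashing parser is most likely to be missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FLAC_MAGIC      0x664c6143U     /* "fLaC" read as a big-endian 32-bit word */
#define TYPE_STREAMINFO 0               /* metadata block type 0 */
#define STREAMINFO_LEN  34              /* STREAMINFO body is always 34 bytes */

typedef struct {
    int            is_last;             /* bit 7 of the header byte */
    uint8_t        type;                /* low 7 bits of the header byte */
    uint32_t       length;              /* 24-bit big-endian body length */
    const uint8_t *body;                /* points into the input buffer */
} flac_block_t;

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Parse the block header at *off and advance past the body.
 * Returns 0 on success, -1 if the header or the declared body does not fit in the buffer. */
static int flac_read_block(const uint8_t *buf, size_t len, size_t *off, flac_block_t *out)
{
    if (len - *off < 4)
        return -1;                                  /* header must fit */
    const uint8_t *h = buf + *off;
    out->is_last = h[0] >> 7;
    out->type    = h[0] & 0x7f;
    out->length  = (uint32_t)h[1] << 16 | (uint32_t)h[2] << 8 | h[3];
    if (len - *off - 4 < out->length)
        return -1;                                  /* body must fit: the easy check to forget */
    out->body = h + 4;
    *off += 4 + out->length;
    return 0;
}

/* Walk the metadata section. Stores up to max_blocks headers in blocks[].
 * Returns the number of blocks seen, or -1 (too short / bad magic),
 * -2 (first block is not a 34-byte STREAMINFO), -3 (a block runs past the input). */
static int flac_walk_metadata(const uint8_t *buf, size_t len, flac_block_t *blocks, size_t max_blocks)
{
    if (len < 4 || be32(buf) != FLAC_MAGIC)
        return -1;
    size_t off = 4, n = 0;
    for (;;) {
        flac_block_t b;
        if (flac_read_block(buf, len, &off, &b))
            return -3;
        if (n == 0 && (b.type != TYPE_STREAMINFO || b.length != STREAMINFO_LEN))
            return -2;
        if (n < max_blocks)
            blocks[n] = b;
        n++;
        if (b.is_last)
            break;
    }
    return (int)n;
}

/* Constructed samples (not real files). */
/* magic, last-flagged STREAMINFO header, 34 zero bytes of body */
static const uint8_t SAMPLE_OK[4 + 4 + STREAMINFO_LEN] = { 'f', 'L', 'a', 'C', 0x80, 0x00, 0x00, 0x22 };
/* magic, STREAMINFO (not last), then an empty last block of type 4 (VORBIS_COMMENT) */
static const uint8_t SAMPLE_TWO[46] = { 'f', 'L', 'a', 'C', 0x00, 0x00, 0x00, 0x22, [42] = 0x84 };
/* magic, header claiming a 34-byte body, but only 10 body bytes present */
static const uint8_t SAMPLE_TRUNC[4 + 4 + 10] = { 'f', 'L', 'a', 'C', 0x80, 0x00, 0x00, 0x22 };
/* wrong magic */
static const uint8_t SAMPLE_BADMAGIC[8] = { 'f', 'L', 'a', 'X', 0x80, 0x00, 0x00, 0x22 };
```

the vulnerable shape to look for in a parser like this is any place where `length` from the header is trusted, either to copy the body into a fixed buffer or to advance the read offset, without the `len - off - 4 < length` comparison above.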
I solved the easy pwn chall “valorn’t” during PlaidCTF while playing with Friendly Maltese Citizens.
as usual, the goal was to win the game and read the flag:

int ret = play_pew_pew_game();
if (ret == 0) {
    read_flage();
}

in order to win, is_cheater had to be set and the enemy team's win counter had to be 0:
int play_pew_pew_game() {
    // ...
    if (is_cheater) {
        if (res->enemy_team == 0) {
            return 0;
        } else {
            puts("Dang, you're dogwater.…
for the first time I exploited the kernel in real life. I used the bug CVE-2022-24122, which allowed a use-after-free due to incorrect refcount handling.
the exploit itself requires a kaslr leak to prevent an oops during the process, as well as access to user namespaces. it is not really reliable and needs many tries :D
to get root I corrupted the slub freelist and wrote to modprobe_path.
the exploit code can be found on GitHub or in the following:…
in this article, I'll present a detailed iOS jailbreak writeup and some basic tips and tricks on how to set up an environment for exploitation. the bug I am exploiting is in the iOS kernel. I hope this is a helpful reference for anyone who wants to start with iOS pwn.
now let us begin! short story:
a few weeks ago, I found an old iPad 3,1 at my dad's. I wanted to set it up for my sister's homeschooling, but the iOS version was so old that I was unable to download anything from the App Store.…