Last year, @swapgs and I found a fun bug in the popular enterprise VPN solution Zscaler. The VPN client used the pacparser library to decide which HTTP requests to proxy based on a PAC file.| pspaul's blog
This challenge involves an old version of CS:GO VScript, which is vulnerable to a UAF bug and a type confusion bug. Resources on VScript can be found here. Here is the exploit script. UAF by resizing array in sort compare function The sort function of squirrel array is array_sort in sqbaselib.cpp, which will call _qsort: // v: VM, o: array object, func: compare func _qsort(v, o, 0, _array(o)->Size()-1, func); The r index passed into _qsort is fixed at the beginning, so by abusing array.| nyancat0131
Writeup of FBCTF 2019 rank challenge.| LingSec
Writeup of FBCTF 2019 Overfloat challenge.| LingSec
Full chain| Blog
Pwnable01| Blog
PlaidStore| Blog
pwning your kernelz| Blog
kpets| Blog
IPwnKit| Blog
House-of-loop| Blog
Baby Sandbox| Blog
KSMASH - Kernel Stack Smashing| Blog
Pillow| Blog
The binary loads flag.txt into memory and asks us to provide input.| Blog
Judging by the program's interface, we know that it was a heap challenge.| Blog
babyOVERFLOW| Blog
Dealing with glibc 2.32’s new safety measure, safelinking| Daniele Pusceddu
This article, Clearing the Fog of Binary Fuzzing, is the second in the Fuzzing Wars series and the sequel to Fuzzing Wars: From Swords, Bows and Axes to Star Wars. Everyone hopes for the experience of having the whole map lit up, yet in reality the targets of security research are more often compiled binaries without source code. Beneath the fog lie towering mountains and narrow winding paths, but the promised land is often hidden there as well. Taking today's most mainstream platform, Android on ARM/AARCH64, as the example, this article combines the author's work at MOSEC 2020 and RWCT…| Flanker Sky
Fuzzing can be traced back to roughly 1950, when computers still read punched cards as input. Engineers of that era would pick discarded cards at random from the trash, or punch random holes in cards, and feed them to their programs as test input. In 1988, Barton Miller formally established the term Fuzzing in a class, opening thirty eventful years. In the broad sense, fuzzing is not exclusive to vulnerability discovery; it is part of DevSecOps and Continuous Inte…| Flanker Sky
Vendor binder services proved to be an interesting part of Android devices. They usually remain closed-source, but sometimes open a new attack surface for privilege escalation. In these articl…| Flanker Sky
In a recent series of articles I will cover the various CVEs found in devices from different Android vendors over the years and reported through Pwn2Own and official channels, including a wide range of memory corruption and logic bugs found through fuzzing and code auditing. The first article will describe the exploit chain we used at the end of 2017 to remotely compromise the Galaxy S8 and install an app: a V8 bug to gain initial code execution inside the sandbox, and five logic bugs to finally achieve sandbox escape and privilege escalation to install arbitrary apps; demo video...| Flanker Sky
Hello everyone, long time no see! Now begins a series of blog posts about bugs I found before and now on Android vendors, including memory corruption and logical bugs, reported and fixed via Pwn2Ow…| Flanker Sky
A fun multi-stage buffer overflow exploit in a compression algorithm| Daniele Pusceddu
Exploiting an ‘off by one’ in a small string optimization struct| Daniele Pusceddu
Exploiting a tcache double free in glibc 2.27| Daniele Pusceddu
Exploiting uninitialized struct members| Daniele Pusceddu
Exploiting a soundness bug in Rust| Daniele Pusceddu