Git Product home page Git Product logo

exploit_playground's Introduction

About

This is where I will post analysis of Public Exploits, or some of my 1day exploits.

[ Public exploit analysis ]

  • Personally I think the best way to learn a public exploit is by understanding it line-by-line until I can understand the exploit to the fullest. I will post some of these (overly-commented ;) ) exploits so hopefully others can learn from it, and as an attempt to give something back to the community. Also for documenting purposes, cause these things kind of fade away from my head as time passes.

CVE-2016-8655

  • This is a detailed analysis of rebel's exploit.
  • Thanks rebel for the awesome exploit! :D

CVE-2016-5342

mp3 version

  • This is a commented version of freener's android LPE exploit
  • arm32
  • Heap overflow
  • This exploit directly overwrites a function pointer of another object

tty version

  • This is a commented version of freener's android LPE exploit
  • arm32
  • Heap overflow
  • This exploit overwrites an object pointer in another object. It uses ret2dir attack to make the corrupted pointer point to a predictable fixed address in kernel which holds the exploit payload. This exploit technique bypasses PXN & PAN.

CVE-2016-2434

  • This is a commented version of Jianqiang Zhao's android LPE exploit
  • arm64
  • Zero-out 16 bytes at an arbitrary address
  • This exploit wipes out 16 bytes of a useful global object, which is located at a fixed address in kernel.
  • A corrupted object pointer within the global object references exploit payload from userland. This kind of attack will not work on devices/kernels with PAN(or PAN emulation).

extra_recipe

  • My attempt to understand the extra_recipe jailbreak
  • I was especially interested in the kpp bypass part. Although there were a couple slides on the subject where I could glean a vague image of the bypass, I really wanted to dig into the fine details and see what is actually going on inside the code
  • I also wanted to understand the final ingredients for a jailbreak(Installing Cydia, etc.)

yalu102 (ViewController.m)

  • I commented the part relevant to the actual bug, and how it was exploited.
  • The reason why I looked into yalu102 instead of the original exploit is because the port-feng-shui technique looked more cleaner and straightforward to understand.
  • The analysis stops right before the kpp bypass

xerub's extra_recipe-master (jailbreak.c, unjail.m, patchfinder64.c, pte_stuff.h)

  • I jump here because it had a little more information on the various numeric offsets.
  • Also, the patchfinder.c is intact, as opposed to yalu102 which there is only an object file.
  • The cydia part is kind of incomplete so I jump to the cydia branch after kpp

xerub's extra_recipe-cydia (unjail.m)

  • Trying to understand the ingredients for a jailbreak after tfp0 and post-exploitation

empty_list (sploit.c)

  • A detailed breakdown of Ian Beer's empty_list kernel exploit.
  • It uses amazing techniques to start from really weak primitives, to build a stronger AAR, and finally build a full-fledged task port. The port magic behind the exploit code is unbelievable. All of this with an 8 NULL byte heap overflow. Absolutely mindblowing.
  • I've scribbled some naive ideas to improve the reliability. Hopefully someone will release a more reliable version of the exploit in the future. :)
  • Thanks Ian Beer for the amazing exploit!

[ 1Day ]

CVE-2017-2547

  • One day I looked at the exploit after it was presented at Zer0con, and decided to improve it.
  • This is a standalone version of the exploit, before I integrated it into pwnjs.
  • The improvements include
    • Increased reliability(works flawlessly after extensive browsing sessions with contaminated memory)
    • Removed all hardcoded offsets to make it compatible with various browser versions
    • Used a different exploitation technique(the standard misalign technique)
    • Eventually integrated it into the pwnjs framework by creating a webkit prototype
    • Made the code a lot more readible, and added lots of comments
  • Special Thanks
    • qwertyoruiop & Samuel Grob for the amazing phrack article and public exploits
    • Brian Pak & Andrew Wesie for the awesome pwnjs framework!

exploit_playground's People

Contributors

externalist avatar

Watchers

James Cloos avatar  avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.