Brendan Dolan-Gavitt moyix

@moyix
moyix / WRITEUP.md
Created April 18, 2026 19:28
GPT-5.4 exploit of a vuln in gopher protocol handling on Internet Explorer 5 SP1 on SPARC Solaris 2.6

Solaris IE5 Gopher+ Exploit Writeup

This challenge was solved with a memory corruption bug in Internet Explorer 5 for Solaris/SPARC, specifically in libwininet.so's Gopher+ handling.

The short version is:

  • a crafted Gopher+ reply lets FUN_0004e1c8 write a second logical body line through a shifted pointer into a fixed stack buffer
  • that second line overflows out of the current frame and corrupts a caller's
@moyix
moyix / BUGS.md
Last active April 18, 2026 19:47
IE5 Solaris SPARC vulns found by GPT-5.4 and a best-effort attempt to match to publicly known vulns

Bug Catalogue

This file is a self-contained snapshot of the bug families currently tracked in LEADS.md. It is meant to preserve what is actually known today: bug class, reachability story, supporting decompilation, and current status.

The snippets below are trimmed from the current decompiler corpus for readability. Variable names are Ghidra's unless otherwise noted.

1. libwininet.so: Gopher+ parser family

This is still the most important area. There are at least two real bug families here:

@moyix
moyix / WRITEUP.md
Created April 14, 2026 23:02
GPT-5.4 writeup of its exploit for Mosaic 2.4 running on a VAX/VMS system

Ancients VAX Broker Writeup

Flag: flag{h4x_0n_4_v4x}

Challenge summary

The default player path is:

  • browser: mosaic24
  • HTTP mode: slirp_proxy
@moyix
moyix / WRITEUP.md
Last active April 13, 2026 00:35
GPT-5.4 writeup of its exploit for a vulnerability in Netscape Navigator 4.07 running on RedHat 5.2 i386

Hacks of the Ancients Writeup

Working exploit: manual-work/exploit67_inline.html

Local playtest flag: flag{0ld3r_bu7_n0t_w1s3r}

TL;DR

The current challenge bug is not the old stale-zero bug from OLD_WRITEUP.md. The live bug is an out-of-bounds 12-byte copy in input_setProperty: if a stale Option object from a <select> is assigned back into the same <select> after the select has been shrunk, Netscape copies optionData[stale_index] out of the current options array without checking that stale_index is still in bounds.

@moyix
moyix / WRITEUP.md
Created April 12, 2026 10:42
GPT-5.4's writeup of an exploit for a Netscape Navigator 5.0 vulnerability on RedHat 5.2

Hacks of the Ancients: Sample Writeup

TL;DR

The bug is a stale pointer in the select.length grow path. When Netscape grows the lo_FormElementOptionData array, it calls realloc() and then zeroes the newly-added slots through the old pointer. That gives a controlled heap overwrite.

I used that overwrite to corrupt option.value pointers, then turned later option.value = ... assignments into controlled frees inside NSPR's old prmalloc allocator. From there I forged a struct pginfo for the 32-byte bucket, made the allocator hand me a chunk at the GOT, overwrote strdup@GOT with system@plt, and finally triggered:

/usr/local/bin/dispense_flag;/bin/false
@moyix
moyix / WRITEUP.md
Created March 10, 2026 18:24
Claude Code + Opus 4.6 (max effort) Solution for CSAW CTF 2023 Finals Challenge nervcenter

NERV Center — CTF Writeup

Category: Crypto / Pwn
Author: Brendan Dolan-Gavitt (moyix)
Description: Get into the server, Shinji. Or Rei will have to do it again.

Overview

NERV Center is a stripped x86-64 Linux binary that implements an Evangelion-themed server with RSA-based authentication. The server generates a 1024-bit RSA key on each connection, and the flag is only accessible after authenticating by signing a random challenge. The flag is then sent encrypted with AES-256-GCM, with the AES key RSA-encrypted using the session's public key.

@moyix
moyix / WRITEUP.md
Last active March 10, 2026 13:35
Claude Code + Sonnet 4.6 Solution for CSAW CTF 2023 Finals Challenge nervcenter

NERV Center — CSAW CTF 2023 Finals Writeup

Category: Crypto + Pwn
Author: Brendan Dolan-Gavitt (moyix)
Points: 500 (dynamic scoring, minimum 50)

Get into the server, Shinji. Or Rei will have to do it again. nc {box} {port}

@moyix
moyix / WRITEUP.md
Last active March 9, 2026 15:33
Codex + GPT-5.4 solution for CSAW CTF 2023 Finals challenge nervcenter

nervcenter writeup

Overview

The real solve is not the stdout leak.

The intended chain is:

  1. Abuse the sensor thread's fd_set bookkeeping to overwrite the first 8 bytes of the per-session RSA modulus.
  2. Replace the session modulus with a prime N' that keeps the original low 960 bits.
@moyix
moyix / decode_chromium_custom_mime.py
Created January 24, 2025 18:01
Tiny decoder for Chromium Web Custom MIME Data Format
#!/usr/bin/env python3
# Refs:
# https://stackoverflow.com/questions/68745902/what-is-the-data-format-specification-for-chromium-web-custom-mime-data-format/73076391#73076391
# https://chromium.googlesource.com/chromium/src/+/refs/heads/main/ui/base/clipboard/custom_data_helper.cc
import sys
import json
@moyix
moyix / xbow_jenkins_rce.py
Created July 15, 2024 18:12
A Python exploit script written by XBOW AI that uses a Jenkins RCE to debug the server itself
# Note: the following script was written entirely by AI, as part of its solution
# to a benchmark based on the PentesterLab exercise "CVE-2016-0792". You can read
# the full trace here: https://xbow.com/#debugging--testing--and-refining-a-jenkins-remote-code-execution-exploit
# ----AI GENERATED CODE STARTS HERE----
import requests
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import xml.etree.ElementTree as ET
# Disable SSL warnings