Samuel Groß saelo

  • Zürich, Switzerland
  • X @5aelo
// ===== [ Program B22F0D31-BFB5-40C1-B23B-EC221F2003A6 ] =====
// Corpus entry #8902 on instance CFC51903-38C9-46A1-A7FD-E83AF97694C4
v0 <- LoadBuiltin 'Int32Array'
v1 <- LoadInteger '0'
v2 <- LoadInteger '5'
v3 <- LoadInteger '0'
v4 <- LoadInteger '5'
v5 <- LoadInteger '0'
v6 <- LoadInteger '10'
v7 <- LoadInteger '1'
@saelo
saelo / 3_years_of_attacking_javascript_engines.txt
Created October 27, 2019 16:04
3 Years of Attacking JavaScript Engines
|=-----------------------------------------------------------------------=|
|=-------------=[ 3 Years of Attacking JavaScript Engines ]=-------------=|
|=-----------------------------------------------------------------------=|
|=------------------------------=[ saelo ]=------------------------------=|
|=-----------------------------------------------------------------------=|
The following are some brief notes about the changes that have taken place
since the release of the "Attacking JavaScript Engines" paper [1]. In
general, no big conceptional changes have happened since. Mitigations have
been added to break some of the presented techniques and, as expected, a
@saelo
saelo / writeup.md
Last active February 21, 2023 14:37
Writeup for the "Dezhou Instrumentz" challenge from the Real World CTF Qualifier 2019

Dezhou Instrumentz

The challenge consisted of an iOS app (Calc.app) which implemented a simple calculator. The app also registered a custom URL scheme (icalc://) which would simply evaluate the content of the URL. The calculator was implemented using NSExpressions: the input string would simply be parsed as such an expression and executed. NSExpressions are pretty powerful and allow, for example, calls to ObjC methods (e.g. typing in sqrt(42) would end up calling +[_NSPredicateUtilities sqrt:@42]). Further, there are two interesting helper functions available in NSExpressions:

FUNCTION(obj, 'foo', "bar")

which will result in a call of the method 'foo' on object obj with parameter "bar" (an NSString).

@saelo
saelo / yolo.c
Created May 14, 2018 21:44
Exploit for IPWnKit: a macOS IOKit exploit challenge from Defcon Qualifier CTF 2018
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <pthread.h>
#include <sys/mman.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CFPropertyList.h>
const char* kMyDriversIOKitClassName = "io_oooverflow_IPwnKit";
@saelo
saelo / ec3_pwn.c
Created May 14, 2018 15:34
Exploit for the EC3 qemu escape challenge of Defcon CTF Qualifiers 2018
//
// Exploit for the EC3 qemu escape challenge of Defcon CTF Qualifiers 2018
//
// Also see https://kitctf.de/writeups/hitb2017/babyqemu
//
// Copyright (c) 2018 Samuel Groß
//
#include <fcntl.h>
#include <inttypes.h>
@saelo
saelo / pwn.js
Created May 6, 2018 16:12
Exploit for the "roll a d8" challenge of PlaidCTF 2018
//
// Quick and dirty exploit for the "roll a d8" challenge of PlaidCTF 2018.
// N-day exploit for https://chromium.googlesource.com/v8/v8/+/b5da57a06de8791693c248b7aafc734861a3785d
//
// Scroll down do "BEGIN EXPLOIT" to skip the utility functions.
//
// Copyright (c) 2018 Samuel Groß
//
//
@saelo
saelo / pwn.py
Last active December 15, 2019 23:35
Exploit for "ragnarok" of HITCON CTF 2017
#!/usr/bin/env python3
#
# Exploit for "ragnarok" of HITCON CTF 2017.
#
# Bug:
# ----
# In Odin::add_weapon, the following line of code is executed:
#
# cast_spell(shared_ptr<Figure>(this));
#
@saelo
saelo / authorize.swift
Created July 6, 2017 07:31
Simple program to interact with authd via the macOS authorization API
import Foundation
let rightname = "sys.openfile.readonly./tmp/cantread.txt"
var status: OSStatus
var authref: AuthorizationRef?
let flags = AuthorizationFlags([.interactionAllowed, .extendRights, .preAuthorize])
status = AuthorizationCreate(nil, nil, flags, &authref)
assert(status == errAuthorizationSuccess)
@saelo
saelo / pwn.py
Last active December 15, 2019 23:35
Solution for "assignment" of GoogleCTF 2017
#!/usr/bin/env python3
#
# Exploit for "assignment" of GoogleCTF 2017
#
# CTF-quality exploit...
#
# Slightly simplified and shortened explanation:
#
# The bug is a UAF of one or both values during add_assign() if a GC is
# triggered during allocate_value(). The exploit first abuses this to leak a
@saelo
saelo / writeup.txt
Last active June 14, 2017 19:55
No comment... again...
# No comment... again...
Playing around with gdb attached to the binary running under wine on Linux, we
search for some of the strings that are printed when running the binary. Near
those, we find a string that looks much like ascii art and ends with a '}', so
this must be the flag. Unfortunately, the string only contains the last few
characters, the start seems to have been overwritten. It appears like the
string has been freed, and the front parts reclaimed by the heap allocator.
Switching to Windows, we set a conditional breakpoint on msvcrt!free which