├── .gitignore
├── 15 bugs in Realtek Jungle SDK.md
├── 2023 CTF Challenge And Write-Up Database.md
├── 2023 Firmware Security Thread.md
├── 21 compilers and 3 orders of magnitude in 60 minutes.md
├── 30 Years of Decompilation and the Unsolved Structuring Problem - Part 1.md
├── 30 Years of Decompilation and the Unsolved Structuring Problem - Part 2.md
├── 4 exploits, 1 bug - Exploiting CVE-2024-20017 4 Different Ways.md
├── A Catastrophe For Control - Understanding the ScreenConnect Authentication Bypass.md
├── A Deep Dive into the CoSoSys EndPoint Protector Exploit - Remote Code Execution.md
├── A Handful of Imagination GPU Vulnerabilities.md
├── A LibAFL Introductory Workshop.md
├── A Trick, The Story Of CVE-2024-26230.md
├── A journey through KiUserExceptionDispatcher.md
├── A review of zero-day in-the-wild exploits in 2023.md
├── A step-by-step guide to writing an iOS kernel exploit.md
├── AMD Radeon DirectX 11 Driver Arbitrary Write.md
├── ARLO - I'm Watching You.md
├── Accessory Authentication.md
├── Achieving Remote Code Execution in Steam - a journey into the Remote Play protocol.md
├── Address Sanitizer for Bare-metal Firmware.md
├── An Introduction to Chrome Exploitation - Maglev Edition.md
├── Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials.md
├── Analyzing Modern DRMs.md
├── Attack of the clones - Getting RCE in Chrome's renderer with duplicate object properties.md
├── Attacking Android Binder - Analysis and Exploitation of CVE-2023-20938.md
├── Attacking UNIX Systems via CUPS, Part I.md
├── BadgeLife @ Off-By-One Conference 2024.md
├── Binder Internals.md
├── Breaking Barriers and Assumptions - Techniques for Privilege Escalation on Windows - Part 3.md
├── Breaking Bitlocker - Bypassing the Windows Disk Encryption.md
├── Breaking SIP with Apple-Signed Packages.md
├── Buffer Overflow in Via H264 Processing.md
├── Buffer-overflow in Skia.md
├── Bugs of Yore - A Bug Hunting Journey on VMware's Hypervisor.md
├── Bypassing ARM's Memory Tagging Extension with a Side-Channel Attack.md
├── Bypassing Veeam Authentication CVE-2024-29849.md
├── Bytecode Breakdown - Unraveling Factorio's Lua Security Flaws.md
├── C++ Unwind Exception Metadata - A Hidden Reverse Engineering Bonanza.md
├── CVE-2020-27786 (Race Condition + Use-After-Free).md
├── CVE-2022-22265 Samsung npu driver.md
├── CVE-2023-26322 - Xiaomi Pro 13 isUrlMatchLevel Permissive List of Allowed Inputs Remote Code Execution Vulnerability.md
├── CVE-2023-34992 - Fortinet FortiSIEM Command Injection Deep-Dive.md
├── CVE-2023-36049 - Microsoft .NET CRLF Injection Arbitrary File Write & Deletion Vulnerability.md
├── CVE-2023-42942 - xpcroleaccountd Root Privilege Escalation.md
├── CVE-2023-46263 - Ivanti Avalanche Arbitrary File Upload Vulnerability.md
├── CVE-2023-52447 - Exploit Technique.md
├── CVE-2023-6345 - Integer overflow in Skia.md
├── CVE-2024-0204 - Fortra GoAnywhere MFT Authentication Bypass Deep-Dive.md
├── CVE-2024-1212 - Unauthenticated Command Injection In Progress Kemp LoadMaster.md
├── CVE-2024-1283 - Cross-{Cache, Bucket} Browser Exploit.md
├── CVE-2024-20697 - Windows Libarchive Remote Code Execution Vulnerability.md
├── CVE-2024-21115 - An Oracle VirtualBox LPE Used To Win Pwn2Own.md
├── CVE-2024-22058 Ivanti Landesk LPE.md
├── CVE-2024-2389 - Command Injection Vulnerability In Progress Flowmon.md
├── CVE-2024-25938 - Foxit Reader Barcode widget Calculate event use-after-free vulnerability.md
├── CVE-2024-27815 - A Buffer Overflow in the XNU Kernel.md
├── CVE-2024-27822 - macOS PackageKit Privilege Escalation.md
├── CVE-2024-28183 OTA Anti-Rollback Bypass via TOCTOU in ESP-IDF.md
├── CVE-2024-29510 – Exploiting Ghostscript using format strings.md
├── CVE-2024-29511 - Abusing Ghostscript's OCR device.md
├── CVE-2024-29824 Deep Dive - Ivanti EPM SQL Injection Remote Code Execution Vulnerability.md
├── CVE-2024-30043 - Abusing URL Parsing Confusion To Exploit XXE On SharePoint Server And Cloud.md
├── CVE-2024-37079 - VMware vCenter Server Integer Underflow Code Execution Vulnerability.md
├── CVE-2024-3832 - Object corruption on wasm functions installation.md
├── CVE-2024-3914 - V8 UAF.md
├── CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js.md
├── CVE-2024-4761 - v8 missing check of WasmObject type cast causes type confusion and OOB access.md
├── CVE-2024-4947 - Type Confusion in V8.md
├── CVE-2024-5274 - A Minor Flaw in V8 Parser Leading to Catastrophes.md
├── CVR - The Mines of Kakadûm.md
├── Can You Get Root With Only a Cigarette Lighter?.md
├── Chaining N-days to Compromise All - Part 1 — Chrome Renderer RCE.md
├── Chaining N-days to Compromise All - Part 2 — Windows Kernel LPE (a.k.a Chrome Sandbox Escape).md
├── Chaining N-days to Compromise All - Part 4 — VMware Workstation Information leakage.md
├── Chaining N-days to Compromise All - Part 6 — Windows Kernel LPE - Get SYSTEM.md
├── Chaining N-days to Compromise All -Windows Driver LPE - Medium to System.md
├── Chrome Exploitation - From Zero To Heap-Sandbox Escape.md
├── CodeQL zero to hero part 3 - Security research with CodeQL.md
├── DJI - The ART of obfuscation.md
├── Deep Dive into RCU Race Condition - Analysis of TCP-AO UAF (CVE-2024–27394).md
├── Deploying Rust in Existing Firmware Codebases.md
├── Dissecting the CVE-2024-38106 Fix.md
├── Diving into ADB protocol internals - Pt 1.md
├── Do a firmware update for your AirPods...now.md
├── Driving forward in Android drivers.md
├── Effective Fuzzing - A Dav1d Case Study.md
├── Eliminating Memory Safety Vulnerabilities at the Source.md
├── Emulating RH850 architecture with Unicorn Engine.md
├── Etiquette for dropping PoCs in 2024 - A Linux LPE.md
├── Evernote RCE - From PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge Remote-Code Execution.md
├── Exploit Development - Windows Kernel Exploitation - Debugging Environment and Stack Overflow.md
├── Exploit GSM.md
├── Exploitation 4011 - Windows Kernel Exploitation.md
├── Exploited V8 Bugs in 2024.md
├── Exploiting American Conquest.md
├── Exploiting Android's Hardened Memory Allocator.md
├── Exploiting Issue-1472121.md
├── Exploiting V8 at openECSC.md
├── Exploiting a SpiderMonkey - From Integer Range Inconsistency to Bound Check Elimination then RCE.md
├── Exploiting the NT Kernel in 24H2 - New Bugs in Old Code & Side Channels Against KASLR.md
├── Exploring AMD Platform Secure Boot.md
├── Exploring Counter-Strike - Global Offensive Attack Surface.md
├── FAQ - The tragedy of low-level exploitation.md
├── Finding Gadgets for CPU Side-Channels with Static Analysis Tools.md
├── Finding Vulnerability Variants at Scale.md
├── FireFox OOB Read via clipboard component.md
├── Fixing an Elgato HD60 S HDMI capture device with the help of Ghidra.md
├── Flipping Pages - An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques.md
├── Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024.md
├── From Pwn2Own Automotive - Taking Over the Autel Maxicharger.md
├── From object transition to RCE in the Chrome renderer.md
├── Fuzz Everything, Everywhere, All at Once.md
├── Fuzzer Development - Sandboxing Syscalls.md
├── Fuzzer Development 3 - Building Bochs, MMU, and File I0.md
├── Fuzzer Development 4 - Snapshots, Code-Coverage, and Fuzzing.md
├── Fuzzware Goes Open-Source.md
├── Gaining kernel code execution on an MTE-enabled Pixel 8.md
├── Ghidra nanoMIPS ISA module.md
├── Ghostrace - Exploiting and Mitigating Speculative Race Conditions.md
├── Ghostwrite CPU Vulnerability.md
├── Glitching in 3D - Low Cost EMFI Attacks.md
├── Google And Arm - Raising The Bar on GPU Security.md
├── Google Chrome V8 CVE-2024-0517 Out-of-Bounds Write Code Execution.md
├── HITCON CTF QUAL 2024 Pwn Challenge Part 1 - Halloween and v8sbx.md
├── Hacking Exchange from the Outside In.md
├── Hacking a 2014 Tablet...in 2024.md
├── Hardware and firmware reverse engineering primer - dissecting an FPV and video surveillance platform.md
├── Heap Buffer Overflow In ANGLE.md
├── Heap exploitation, glibc internals and nifty tricks.md
├── Hi, My Name Is Keyboard.md
├── How Low Can You Go - An Analysis of 2023 Time-to-Exploit Trends.md
├── How an old bug in Lighttpd gained new life in AMI BMC, including Lenovo and Intel products.md
├── How we found and fixed an eBPF Linux Kernel Vulnerability.md
├── Hunting Bugs in Nginx JavaScript Engine (njs).md
├── Hyper-V 1-day Class - CVE-2024-38127.md
├── IERAE CTF 2024 - Intel CET Bypass Challenge.md
├── IPC Fuzzing with Snapshots.md
├── Iconv, set the charset to RCE - Exploiting the glibc to hack the PHP engine part 3.md
├── Inside The iOS Bug That Made Deleted Photos Reappear.md
├── Inside the LogoFAIL PoC - From Integer Overflow to Arbitrary Code Execution.md
├── Introducing Java fuzz harness synthesis using LLMs.md
├── Introducing LLM-based harness synthesis for unfuzzed projects.md
├── Introduction To Windows Secure Channel RCE - CVE-2024-28148.md
├── Ivan Frantic's MacOS Video Decoder Bugs.md
├── Jailbreaking RabbitOS - Uncovering Secret Logs, and GPL Violations.md
├── Jailbreaking The Apple HomePod - Fun With Checkm8 And Smart Speakers.md
├── Jailbreaking an Electric Vehicle in 2023.md
├── Java Deserialization Tricks.md
├── Keynote - Rust in the Linux kernel.md
├── LLM-based Fuzz Harness generation with OSS-Fuzz-gen.md
├── LLVM's 'RFC - C++ Buffer Hardening' at Google.md
├── Leveraging Binary Ninja IL To Reverse a Custom ISA - Cracking The Pot Of Gold 37C3.md
├── Linux - UAF in the tipc_buf_append().md
├── Linux Kernel - Vulnerability in the eBPF verifier register limit tracking.md
├── Linux Kernel CodeQL Queries.md
├── Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability.md
├── Linux Kernel Int Overflow Leading To Priv Esc.md
├── Linux RCU internal.md
├── Listen Up - Sonos Over-The-Air Remote Kernel Exploitation and Covert Wiretap.md
├── Low-Level Development on Retail Android Hardware - Reconnaissance and Prototyping a Bootloader.md
├── Making Mojo Exploits More Difficult.md
├── Mali GPU Kernel LPE.md
├── Meta Bug Bounty - Fuzzing netconsd for fun and profit.md
├── Mind the Patch Gap - Exploiting an io_uring Vulnerability in Ubuntu.md
├── Missing signs - how several brands forgot to secure a key piece of Android.md
├── Modern Anti-Abuse Mechanisms in Competitive Video Games at Black Hat 2024.md
├── Modern Cryptographic Attacks - A Guide For The Perplexed.md
├── Molding Lies Into Reality - Exploiting CVE-2024-4358.md
├── Multiple Vulnerabilities in the Deep Sea Electronics DSE855.md
├── NVIDIA GPU Compiler Driver Shader Functionality out-of-bounds read vulnerability.md
├── Nintendo Switch Game Hacking Resources.md
├── Nintendo hacking 2023-2008.md
├── No Way, PHP Strikes Again - CVE-2024-4577.md
├── OSS-Fuzz Gen.md
├── OST2 Introductory Course To HyperDbg.md
├── One Year of Mobile VRP - Reward Increases and Lessons Learned.md
├── OpenSSH Backdoors.md
├── Operation Mango - Scalable Discovery of Taint-Style Vulnerabilities in Binary Firmware Services.md
├── Oracle VM VirtualBox 7.0.10 r158379 Escape (CVE-2023-22098 PoC).md
├── Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400).md
├── Pixel Tablet Dock (korlan) Secure Boot Bypass.md
├── Pixel's Proactive Approach to Security - Addressing Vulnerabilities in Cellular Modems.md
├── PixieFail - Nine vulnerabilities in Tianocore's EDK II IPv6 network stack..md
├── PoC for CVE-2023-4427.md
├── Potential One Click MMS RCE on Xiomi via Malicious GIF.md
├── PowerVR - integer overflows in DevmemXIntMapPages() and DevmemXIntUnmapPages(), exploitable as dangling GPU page table entries.md
├── Preauth RCE on NVIDIA Triton Server.md
├── Project Naptime - Evaluating Offensive Security Capabilities of Large Language Models.md
├── Puckungfu 2 - Another NETGEAR WAN Command Injection.md
├── Pumping Iron on the Musl Heap - Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap.md
├── Pwn2Own - Pivoting from WAN to LAN to Attack a Synology BC500 IP Camera, Part 2.md
├── Pwn2Own - WAN-to-LAN Exploit Showcase.md
├── Pwn2Own Automotive - CHARX Vulnerability Discovery.md
├── Pwn2Own Automotive - Popping the CHARX SEC-3100.md
├── Pwn2Own Automotive 2024 - Hacking the JuiceBox 40.md
├── Pwn2Own Stories.md
├── QNAP QTS - QNAPping At The Wheel (CVE-2024-27130 and friends).md
├── QakBot attacks with Windows zero-day (CVE-2024-30051).md
├── Qualys Releases Two glibc Bugs.md
├── RCE & SQLi for pre-auth RCE in IP.Board e-commerce plugin ‘nexus’.md
├── RCE on Ollama.md
├── README.md
├── ROPing Routers From Scratch - Step-By-Step TEnda Ac8v4 MIPs 0day Flow-Control ROP to RCE.md
├── Race condition in 9p File System.md
├── Race conditions in Linux Kernel perf events.md
├── Racing round and round - The little bug that could.md
├── Radek Domanski from FlashBack team on PWN2OWN.md
├── Reasons for the Unreasonable Success of Fuzzing.md
├── Recovering an ECU firmware using disassembler and branches.md
├── Relution Remote Code Execution via Java Deserialization Vulnerability.md
├── Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface.md
├── Resurrecting Internet Explorer - Threat Actors Using Zero-Day Tricks In Internet Shortcut File To Lure Victims.md
├── Return of the JIT.md
├── Reverse Engineering The XZ Backdoor.md
├── Review of the SAILR paper.md
├── Ring Around The Regex - Lessons learned from fuzzing regex libraries (Part 1).md
├── Ring Around The Regex - Lessons learned from fuzzing regex libraries (Part 2).md
├── Robots Dream of Root Shells.md
├── SIMurai - Slicing Through the Complexity of SIM Card Security Research.md
├── SLUB Internals for Exploit Developers.md
├── SSD ADVISORY - D-LINK DIR-X4860 Security Vulnerabilities.md
├── SSD Advisory - Google Chrome RCE.md
├── SSD Advisory - Linux Kernel taprio OOB.md
├── SSD Advisory - TP-LINK VIGI onvif_discovery Overflow.md
├── SSD Advisory – Foscam R4M UDTMediaServer Buffer Overflow.md
├── Safer with Google - Advancing Memory Safety.md
├── Say Friend and Enter - Digitally lockpicking an advanced smart lock (Part 2).md
├── Say Friend and Enter - Digitally lockpicking an advanced smart lock.md
├── Secure by Design - Google’s Perspective on Memory Safety.md
├── Security research without ever leaving GitHub - From code scanning to CVE via Codespaces and private vulnerability reporting.md
├── Shuffle Up and Deal - Analyzing the Security of Automated Card Shufflers.md
├── Sky's the Limit - Quick Analysis and Exploitation of a Chrome ipcz TOCTOU Vulnerability.md
├── Smoke and Mirrors - Driver Signatures Are Optional.md
├── So You Wanna Find Bugs In The Linux Kernel.md
├── SolarWinds Security Event Manager AMF deserialization RCE (CVE-2024-0692).md
├── Stardew Valley PRNG Seed Cracking.md
├── Start Your Engines - Capturing the First Flag in Google's New v8CTF.md
├── Streaming vulnerabilities from Windows Kernel (Part 1) - Proxying to Kernel.md
├── Streaming vulnerabilities from Windows Kernel - Proxying to Kernel - Part II.md
├── Strengthening the Shield - MTE in Heap Allocators.md
├── Super Hat Trick - Exploit Chrome and Firefox Four Times.md
├── Surviving MiraclePtr Navigating of Webp and Beyond by Kira.md
├── TIKTAG - Breaking ARM’s Memory Tagging Extension with Speculative Execution.md
├── Telegram for Android - Use-after-free in Connection onReceivedData.md
├── The Boom, the Bust, the Adjust and the Unknown.md
├── The Exploit Development Lifecycle.md
├── The FloW Drops PPW.md
├── The V8 Heap Sandbox.md
├── The Way to Android Root - Exploiting Your GPU on Smartphone.md
├── The Windows Registry Adventure 3 - Learning resources.md
├── The Windows Registry Adventure.md
├── The real slim shady - Ivanti Endpoint Manager (EPM) Pre-Auth RCE CVE-2024-29847.md
├── Tianfu Cup 2023 Chrome use-after-free.md
├── Tony Hawk's Pro Strcpy.md
├── Trail Of Bits Handbook - Fuzzing.md
├── Trail of Bits Testing Handbook.md
├── UAF in PowerVR.md
├── UEFI is the new BIOS.md
├── Unauthenticated Command Execution on Tp-Link AC1350.md
├── Unburdened By What Has Been - Exploiting New Attack Surfaces in Radio Layer 2 for Baseband RCE on Samsung Exynos.md
├── Understanding AddressSanitizer - Better memory safety for your code.md
├── Underutilized Fuzzing Strategies for Modern Software Testing.md
├── Universal Code Execution by Chaining Messages in Browser Extensions.md
├── Vanguard x VALORANT.md
├── Veeam Backup & Response - RCE With Auth, But Mostly Without Auth (CVE-2024-40711).md
├── VirtualBox Vuln Research Set-Up.md
├── Vulnerabilities found in VMWare by me.md
├── Vulnerabilities of Realtek SD card reader driver, part 1.md
├── Welcome To 2024 - The SSLVPN Chaos Continues.md
├── When Samsung meets MediaTek - the story of a small bug chain.md
├── Why Code Security Matters - Even in Hardened Environments.md
├── Windows AppLocker Driver LPE Vulnerability - CVE-2024-21338.md
├── Windows WiFi Driver RCE Vulnerability – CVE-2024-30078.md
├── Winning the AIxCC Qualification Round.md
├── You Can't Spell WebRTC without RCE - Part 1.md
├── You Can't Spell WebRTC without RCE - Part 2.md
├── You Can’t Spell WebRTC without RCE - Part 3.md
├── ZDI Discloses Lexmark Pwn2Own Bugs.md
├── ZDI-24-821 - A Remote UAF in The Kernel's net tipc.md
├── Zero-Click Calendar invite - Critical zero-click vulnerability chain in macOS.md
├── angr for real-world use cases.md
├── bug.directory_logo.png
├── corCTF 2024 - trojan-turtles writeup.md
├── exploits.club Weekly Newsletter 20 - Special @_manfp Edition.md
├── gaining access to anyones browser without them even visiting a website.md
├── iMessage with PQ3 -The new state of the art in quantum-secure messaging at scale.md
├── iOS - A Journey In The USB Networking Stack.md
├── ioxide - N_GSM 0 day.md
├── kfd write-ups.md
├── local_demo.mp4
├── mistymntncop - CVE-2022-4262 PoC.md
├── nix libX11 - Uncovering and Exploiting a 35-year-old Vulnerability.md
├── regreSSHion - RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387).md
├── templates
│   ├── EC Entry.md
│   └── Submission.md
└── “To live is to fight, to fight is to live! - IBM ODM Remote Code Execution.md

/.gitignore:
/.obsidian/

/15 bugs in Realtek Jungle SDK.md:
tags: #stack_overflow #iot #router #heap_overflow #command_injection
original link: [15 bugs in Realtek Jungle SDK](https://blog.talosintelligence.com/vulnerability-roundup-july-10-2024/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 29](https://blog.exploits.club/exploits-club-weekly-newsletter-29/)

---
## Exploits Club Summary:
> [15 bugs in Realtek Jungle SDK](https://blog.talosintelligence.com/vulnerability-roundup-july-10-2024/?ref=blog.exploits.club)

/2023 CTF Challenge And Write-Up Database.md:
tags: #CTF #learning_resource
original link: [2023 CTF Challenge And Write-Up Database](https://r3kapig-not1on.notion.site/2023-4828bf0bb74e45cabce2288370402dc0?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 02](https://blog.exploits.club/exploits-club-weekly-newsletter-02/)

---
## Exploits Club Summary:
> [@r3kapig](https://twitter.com/r3kapig?ref=blog.exploits.club) put together a Notion site hosting a **collection of challenges from all the most popular CTFs in 2023**. Most of them even include an associated write-up!

/2023 Firmware Security Thread.md:
tags: #firmware #iot #fuzzing #emulation
original link: [2023 Firmware Security Thread](https://twitter.com/pr0me/status/1741820403914248388?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 02](https://blog.exploits.club/exploits-club-weekly-newsletter-02/)

---
## Exploits Club Summary:
> Sticking with the "2023 collections" theme, [@prome](https://twitter.com/pr0me?ref=blog.exploits.club) put together a great list of his **favorite firmware security research released over the last year.**

/21 compilers and 3 orders of magnitude in 60 minutes.md:
tags: #compilers #learning_resource
original link: [21 compilers and 3 orders of magnitude in 60 minutes](http://venge.net/graydon/talks/CompilerTalk-2019.pdf?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 32 - Popping Basebands, Pwnie Nominated PrivEscs, The Compiler Landscape, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-32-2/)

---
## Exploits Club Summary:
> While not new, this deck resurfaced on [X this week](https://x.com/ludwigABAP/status/1816573133350137930?ref=blog.exploits.club) and we figured it would be worth sharing for those who have not seen it. **The slides from Rust creator Graydon Hoare walk through the landscape of compilers, touching on design choices, history, and the potential future of the area.** It hits all the big players and quite a few we doubt you have seen or heard of.

/30 Years of Decompilation and the Unsolved Structuring Problem - Part 1.md:
tags: #decompilation #compilers
original link: [30 Years of Decompilation and the Unsolved Structuring Problem: Part 1](https://mahaloz.re/dec-history-pt1?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 02](https://blog.exploits.club/exploits-club-weekly-newsletter-02/)

---
## Exploits Club Summary:
> This is an excellent blog post discussing the **origins of decompilation, the rise of decompilers in hacker communities, and the subsequent pick-up in academia.** It also touches on how the field has evolved, and the technical challenges associated with control flow structuring.

/30 Years of Decompilation and the Unsolved Structuring Problem - Part 2.md:
tags: #decompilation #compilers
original link: [30 Years of Decompilation and the Unsolved Structuring Problem: Part 2](https://mahaloz.re/dec-history-pt2?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 03](https://blog.exploits.club/exploits-club-weekly-newsletter-03/)

---
## Exploits Club Summary:
> **Following on from part 1 last week**, this post serves as a follow-up to part one and focuses on the more recent history of decompilation and the structuring problem. It highlights **4 recent approaches** to the problem, **highlighting their strengths and their inevitable compromises.**

---
backlinks: [[30 Years of Decompilation and the Unsolved Structuring Problem - Part 1]]

/4 exploits, 1 bug - Exploiting CVE-2024-20017 4 Different Ways.md:
tags: #stack_overflow #mitigation #methodology #learning_resource
original link: [4 exploits, 1 bug - Exploiting CVE-2024-20017 4 Different Ways](https://blog.coffinsec.com/0day/2024/08/30/exploiting-CVE-2024-20017-four-different-ways.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 37 - Juicy Overflows, The Art Of Exploitation, Rust in Firmware, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-37-juicy-overflows-the-art-of-exploitation-rust-in-firmware-and-more/)

---
## Exploits Club Summary:
> Getting around various mitigations and remembering exploit strategies can be quite the challenge. Thankfully, [@hyprdude](https://x.com/hyprdude?ref=blog.exploits.club)'s most recent post should help you out. **The write-up walks through a stack overflow he found in the MediaTek MT7622/MT7915 SDK**. It gets fun, though, because **he wrote 4 different exploits, leveraging different strategies depending on the mitigations in place.** Starting with no mitigations (ROP to system, baybee), the post works up to **his working exploit for the Netgear WAX206** (NX, ASLR, PIE, full RELRO). It's a banger of a post, check it out.

/A Deep Dive into the CoSoSys EndPoint Protector Exploit - Remote Code Execution.md:
tags: #macos #windows #enterprise_app #path_traversal
original link: [A Deep Dive into the CoSoSys EndPoint Protector Exploit: Remote Code Execution](https://blog.theori.io/a-deep-dive-into-the-cososys-endpoint-protector-exploit-remote-code-execution-6c0f6b791f4e)
newsletter link: [exploits.club Weekly Newsletter 37 - Juicy Overflows, The Art Of Exploitation, Rust in Firmware, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-37-juicy-overflows-the-art-of-exploitation-rust-in-firmware-and-more/)

---
## Exploits Club Summary:
> Theori detailed 4 vulnerabilities in the CoSoSys EndPoint Protector which they found during a recent engagement...ironically, **it did not serve as much of a "data loss prevention" tool in this case**. The vulnerabilities allowed for a **complete takeover of both the clients and the server.** Leveraging a **path traversal on the server**, the team could upload a webshell. They then documented **3 ways this newfound access could be abused to take over all the connected clients.**

/A Handful of Imagination GPU Vulnerabilities.md:
tags: #GPU #PowerVR #uaf
original link: [A Handful of Imagination GPU Vulnerabilities](https://x.com/1ce0ear/status/1749952249533510094?s=20&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 05](https://blog.exploits.club/exploits-club-weekly-newsletter-05/)

---
## Exploits Club Summary:
> [@1ce0ear](https://twitter.com/1ce0ear?ref=blog.exploits.club) put together a **tweet of 3 different Imagination GPU bugs** that were disclosed this week. The bugs include some **invalid memory protections and a UAF.**

/A LibAFL Introductory Workshop.md:
tags: #fuzzing #LibAFL #learning_resource
original link: [LibAFL workshop](https://www.atredis.com/blog/2023/12/4/a-libafl-introductory-workshop?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 01](https://blog.exploits.club/vuln-research-newsletter-01/)

---
## Exploits Club Summary:
> If this talk sparks your interest in LibAFL like it did for us, Atredis released a [LibAFL workshop](https://www.atredis.com/blog/2023/12/4/a-libafl-introductory-workshop?ref=blog.exploits.club) earlier this month which can help bring you up to speed.

---
backlinks: [[Fuzz Everything, Everywhere, All at Once]]

/A Trick, The Story Of CVE-2024-26230.md:
tags: #windows #uaf #XFG #lpe
original link: [A Trick, The Story Of CVE-2024-26230](https://whereisk0shl.top/post/a-trick-the-story-of-cve-2024-26230?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 16](https://blog.exploits.club/exploits-club-weekly-newsletter-16/)

---
## Exploits Club Summary:
> Sticking to the Microsoft theme, [@KeyZ3r0](https://twitter.com/KeyZ3r0?ref=blog.exploits.club) released a post this week discussing a vuln he discovered, exploited and reported in **Windows Telephony Server.** The **UAF** vuln is relatively straightforward, in which there is no check to see if an object being freed is owned by the context handle. The write-up then details the **Heap Fengshui used to exploit the vuln, including a nice XFG bypass.**

/A journey through KiUserExceptionDispatcher.md:
tags: #windows #emulation
original link: [A journey through KiUserExceptionDispatcher](https://momo5502.com/posts/2024-09-07-a-journey-through-kiuserexceptiondispatcher/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 38 - Linux Races, Blind Memory Corruption, LLM Java Fuzzing, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-38-linux-races-blind-memory-corruption-llm-java-fuzzing-and-more/)

---
## Exploits Club Summary:
> Who doesn't love a good emulator dev post? [@momo5502](https://x.com/momo5502?ref=blog.exploits.club) wrote up some of his **recent findings and struggles in this devlog-style post about his battles with Exceptions while building his user-space emulator.** This required quite a **bit of reversing of `KiUserExceptionDispatcher` to understand how to implement a proper stack layout.** It's a fun post that makes you want to break out your code editor and IDA.

/A review of zero-day in-the-wild exploits in 2023.md:
tags: #ITW #threat_intel
original link: [A review of zero-day in-the-wild exploits in 2023](https://blog.google/technology/safety-security/a-review-of-zero-day-in-the-wild-exploits-in-2023/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 14](https://blog.exploits.club/exploits-club-weekly-newsletter-14/)

---
## Exploits Club Summary:
> As is becoming a Google custom, the **Threat Analysis Group released their breakdown of the 97 ITW 0-days observed throughout 2023.** Roughly 60% of the observed exploits targeted end-user platforms such as mobile devices, OSes and browsers. In addition, TAG noted an increase in enterprise software targeting, up roughly 2% from last year. The team also commented on the **shift to targeting 3rd party components and the role commercial surveillance vendors played in the landscape**. A full report can be found [**here**](https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Year_in_Review_of_ZeroDays.pdf?ref=blog.exploits.club).

/AMD Radeon DirectX 11 Driver Arbitrary Write.md:
tags: #OOB_write #gpu
original link: [AMD Radeon DirectX 11 Driver Arbitrary Write](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1848?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 16](https://blog.exploits.club/exploits-club-weekly-newsletter-16/)

---
## Exploits Club Summary:
> [**AMD Radeon DirectX 11 Driver Arbitrary Write**](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1848?ref=blog.exploits.club) from [@TalosSecurity](https://twitter.com/TalosSecurity?ref=blog.exploits.club)

/ARLO - I'm Watching You.md:
tags: #iot #firmware #learning_resource #methodology #pwn2own
original link: [ARLO: I'm Watching You](https://www.synacktiv.com/publications/arlo-im-watching-you?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 12](https://blog.exploits.club/exploits-club-weekly-newsletter-12/)

---
## Exploits Club Summary:
> In this new [Synacktiv](https://www.synacktiv.com/index?ref=blog.exploits.club) blog post, the team details how to **get started doing vulnerability research on an Arlo Camera.** The write-up serves as a primer, looking to better understand the software and hardware of the camera, and start digging into hacking on it. More generally though, it's **a great primer for anyone looking to improve their IoT hacking methodology**, as it walks through each aspect of the attack surface and explains how to understand it in the context of VR.

/Accessory Authentication.md:
tags: #microcontroller #embedded #hardware_hacking
original link: [Accessory Authentication](https://ioactive.com/accessory-authentication-part-1-3/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 18](https://blog.exploits.club/exploits-club-weekly-newsletter-18/)

---
## Exploits Club Summary:
> In this 3 part blog series, [IOActive](https://ioactive.com/?ref=blog.exploits.club) does a deep dive into the **security processors on a consumer product vs an unlicensed clone.** The goal of the series is to **understand the similarities and differences between the two devices, and deduce how the clone is able to "extract the necessary IP to make a compatible solution".**

/Achieving Remote Code Execution in Steam - a journey into the Remote Play protocol.md:
tags: #steam #fuzzing
original link: [Achieving Remote Code Execution in Steam: a journey into the Remote Play protocol](https://blog.thalium.re/posts/achieving-remote-code-execution-in-steam-remote-play/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 01](https://blog.exploits.club/vuln-research-newsletter-01/)

---
## Exploits Club Summary:
> An interesting adventure in reversing, fuzzing and exploiting Steam's remote play protocol

/Address Sanitizer for Bare-metal Firmware.md:
tags: #firmware #android #learning_resource #fuzzing
original link: [Address Sanitizer for Bare-metal Firmware](https://security.googleblog.com/2024/03/address-sanitizer-for-bare-metal.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 14](https://blog.exploits.club/exploits-club-weekly-newsletter-14/)

---
## Exploits Club Summary:
> Another post out of Google, **this one talks about how KASan can be applied to a wide range of bare-metal firmware targets.** The write-up starts with a broad overview of Address Sanitizers, before giving a **practical roadmap for enabling KASan on bare-metal firmware.** The post ends with some general reflections on **how this has enhanced the SDLC for the Android team at Google and then**...yep you guessed it...mentions **moving to Rust.**

/An Introduction to Chrome Exploitation - Maglev Edition.md:
tags: #chrome #v8 #maglev #learning_resource #methodology
original link: [An Introduction to Chrome Exploitation: Maglev Edition](https://www.matteomalvica.com/blog/2024/06/05/intro-v8-exploitation-maglev/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 24](https://blog.exploits.club/exploits-club-weekly-newsletter-24/)

---
## Exploits Club Summary:
> [@matteomalvica](https://x.com/matteomalvica?ref=blog.exploits.club) released a post this week which **may be one of the best introductions to the V8 pipeline currently available.** The post starts with an **introduction to Chromium and its security architecture,** before diving into the **V8 pipeline.** The post then takes a look at [CVE-2023-4069](https://nvd.nist.gov/vuln/detail/CVE-2023-4069?ref=blog.exploits.club), with a
**full walkthrough, RCA, and exploit.** It's quite an impressive piece of work, we highly recommend checking it out -------------------------------------------------------------------------------- /Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials.md: -------------------------------------------------------------------------------- 1 | tags: #windows #threat_intel #ITW #lpe 2 | original link: [Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials](https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 18](https://blog.exploits.club/exploits-club-weekly-newsletter-18/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Microsoft Threat Intelligence](https://www.microsoft.com/en-us/security/blog/topic/threat-intelligence/?ref=blog.exploits.club) released their research into **a long running campaign from Russian Threat Actor, Forrest Blizzard.** The post dives into one of their tools, referred to as **"GooseEgg", which takes advantage of a Windows Print Spooler N-day to escalate privileges on a client machine.** The write-up does walks through the stages of compromise, before giving some IOCs and advice. 
-------------------------------------------------------------------------------- /Analyzing Modern DRMs.md: -------------------------------------------------------------------------------- 1 | tags: #drm 2 | original link: [Analyzing Modern DRMs](https://www.youtube.com/watch?v=AEvpYgzDATA&ab_channel=mr_phrazer&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 25](https://blog.exploits.club/exploits-club-weekly-newsletter-25/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | >  Now if it's not abundantly evident at this point, we are based out of the country known for large-portioned meals and an obesity problem (though they are not correlated, we swear). As such, we do not speak German, the language this talk on **DRM analysis from** [**@momo5502**](https://x.com/momo5502?ref=blog.exploits.club) is in. That said, the [**slides themselves can be found entirely in English**](https://docs.google.com/presentation/d/17TXl_pds6BC0Zm2gLUnIZK7BtlGc_TRt/edit?ref=blog.exploits.club#slide=id.p1)**, and provide an excellent overview into modern DRMs and techniques used to analyze them.** -------------------------------------------------------------------------------- /BadgeLife @ Off-By-One Conference 2024.md: -------------------------------------------------------------------------------- 1 | tags: #hardware_hacking #learning_resource 2 | original link: [#BadgeLife @ Off-By-One Conference 2024](https://starlabs.sg/blog/2024/07-badgelife-at-off-by-one-conference-2024/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 31](https://blog.exploits.club/exploits-club-weekly-newsletter-31/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Star Labs](https://starlabs.sg/?ref=blog.exploits.club) released a post this week detailing the Off-By-One conference badge. 
The post looks at **how the badge was designed** before jumping into the **hardware CTFs hidden in its little octopus layers.** The CTF ranged in difficulty, **starting with just checking the USB string descriptor and going all the way up to some basic voltage glitching.** The write-up serves as an official solution to all six challenges and could spark some inspiration or learning if you are getting into hardware hacking. -------------------------------------------------------------------------------- /Breaking Bitlocker - Bypassing the Windows Disk Encryption.md: -------------------------------------------------------------------------------- 1 | tags: #windows #hardware_hacking 2 | original link: [Breaking Bitlocker - Bypassing the Windows Disk Encryption](https://www.youtube.com/watch?v=wTl4vEednkQ&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 07](https://blog.exploits.club/exploits-club-weekly-newsletter-07/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > In his newest video, [@ghidraninja](https://twitter.com/ghidraninja?ref=blog.exploits.club) yet again brings hardware hacking and vuln research to the masses. 
This time he details his **research on stealing the Bitlocker Key from a modern Windows laptop** using his regular weapon of choice, **a Raspberry Pi Pico.** -------------------------------------------------------------------------------- /Breaking SIP with Apple-Signed Packages.md: -------------------------------------------------------------------------------- 1 | tags: #macos #sip #auth_bypass 2 | original link: [Breaking SIP with Apple-Signed Packages](https://www.l3harris.com/newsroom/editorial/2024/03/breaking-sip-apple-signed-packages?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 21](https://blog.exploits.club/exploits-club-weekly-newsletter-21/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [L3Harris](https://www.l3harris.com/?ref=blog.exploits.club) dropped a post this week discussing their research into bypassing Apple's System Integrity Protection (SIP). **The core idea of the vulnerability class revolves around finding command injection vulnerabilities present in installation scripts of Apple-signed packages with valid certificates.** If these packages have the `com.apple.rootless.install.heritables` entitlement, this allows them (and subsequently...attackers), to write to SIP protected locations. The post goes into some of the downsides of this bug class, before discussing the fixes implemented by Apple. 
-------------------------------------------------------------------------------- /Buffer Overflow in Via H264 Processing.md: -------------------------------------------------------------------------------- 1 | tags: #media_decoder #OOB_write 2 | original link: [Buffer Overflow in Via H264 Processing](https://bugs.chromium.org/p/project-zero/issues/detail?id=2512&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 16](https://blog.exploits.club/exploits-club-weekly-newsletter-16/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [**Buffer Overflow in Via H264 Processing**](https://bugs.chromium.org/p/project-zero/issues/detail?id=2512&ref=blog.exploits.club) from [@natashenka](https://twitter.com/natashenka?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor&ref=blog.exploits.club) -------------------------------------------------------------------------------- /Buffer-overflow in Skia.md: -------------------------------------------------------------------------------- 1 | tags: #heap_overflow #chrome #skia 2 | original link:  [buffer-overflow in Skia](https://x.com/r3tr074/status/1755204029553029427?s=20&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 07](https://blog.exploits.club/exploits-club-weekly-newsletter-07/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@r3tr074](https://twitter.com/r3tr074?ref=blog.exploits.club) disclosed a [**buffer-overflow in Skia**](https://x.com/r3tr074/status/1755204029553029427?s=20&ref=blog.exploits.club), and hinted that a write-up on a **novel cross-cache exploit technique may be coming soon**. 
8 | 9 | 10 | --- 11 | backlinks: [[CVE-2024-1283 - Cross-{Cache, Bucket} Browser Exploit]] 12 | -------------------------------------------------------------------------------- /Bugs of Yore - A Bug Hunting Journey on VMware's Hypervisor.md: -------------------------------------------------------------------------------- 1 | tags: #vmware #hypervisor 2 | original link: [Bugs of Yore: A Bug Hunting Journey on VMware's Hypervisor](https://blackhat.com/us-24/briefings/schedule/?ref=blog.exploits.club#bugs-of-yore-a-bug-hunting-journey-on-vmwares-hypervisor-40085) 3 | newsletter link: [exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-34-v8-confusions-smart-speaker-spying-summer-camp-round-up-and-more-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Bugs of Yore: A Bug Hunting Journey on VMware's Hypervisor](https://blackhat.com/us-24/briefings/schedule/?ref=blog.exploits.club#bugs-of-yore-a-bug-hunting-journey-on-vmwares-hypervisor-40085) -------------------------------------------------------------------------------- /Bypassing ARM's Memory Tagging Extension with a Side-Channel Attack.md: -------------------------------------------------------------------------------- 1 | tags: #mte #android #mitigation 2 | original link: [Bypassing ARM's Memory Tagging Extension with a Side-Channel Attack](https://www.blackhat.com/us-24/briefings/schedule/?ref=blog.exploits.club#bypassing-arms-memory-tagging-extension-with-a-side-channel-attack-38669) 3 | newsletter link: [exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-34-v8-confusions-smart-speaker-spying-summer-camp-round-up-and-more-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Bypassing ARM's Memory Tagging Extension with a Side-Channel 
Attack](https://www.blackhat.com/us-24/briefings/schedule/?ref=blog.exploits.club#bypassing-arms-memory-tagging-extension-with-a-side-channel-attack-38669) -------------------------------------------------------------------------------- /Bypassing Veeam Authentication CVE-2024-29849.md: -------------------------------------------------------------------------------- 1 | tags: #auth_bypass #enterprise_app 2 | original link: [Bypassing Veeam Authentication CVE-2024-29849](https://summoning.team/blog/veeam-enterprise-manager-cve-2024-29849-auth-bypass/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 25](https://blog.exploits.club/exploits-club-weekly-newsletter-25/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Following up his post less than a week ago, [@SinSinology](https://x.com/sinsinology?ref=blog.exploits.club) is back again, this time taking a deep-dive into an auth bypass on Veeam. Similar to his first post, this one is exceptionally in-depth, **doing a complete walk-through of the authentication code-flow, before jumping into what makes it vulnerable.** In this case, the **vulnerability stems from the ability to use an attacker controlled URL to validate auth tokens,** so "we can tell "Veeam Enterprise Manager to ask our Rouge Server if the malicious token is valid or not". 
**Pretty cool bug, and the post wraps up with a small PoC.** -------------------------------------------------------------------------------- /C++ Unwind Exception Metadata - A Hidden Reverse Engineering Bonanza.md: -------------------------------------------------------------------------------- 1 | tags: #methodology #learning_resource #ida 2 | original link: [C++ Unwind Exception Metadata: A Hidden Reverse Engineering Bonanza](https://www.msreverseengineering.com/blog/2024/8/20/c-unwind-metadata-1?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 36 - Regex Fuzzing, C++ Metadata, Kernel Streaming, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-36-regex-fuzzing-c-metadata-kernel-streaming-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > An exceptionally well-written post from [@RolfRolles](https://x.com/RolfRolles?ref=blog.exploits.club) was released this week discussing how **C++ exception metadata is a wealth of information when it comes to reversing**. In particular, the post looks at `wind` and `unwind` metadata, which the compiler includes to ensure deconstructors are called in the case of an exception. 
This **metadata includes the deconstructor for each of the individual subobjects within the struct, which can be useful for type information, struct nesting recovery, and inheritance relationships.** -------------------------------------------------------------------------------- /CVE-2020-27786 (Race Condition + Use-After-Free).md: -------------------------------------------------------------------------------- 1 | tags: #linux #kernel #uaf #race_condition #rop 2 | original link: [CVE-2020-27786 (Race Condition + Use-After-Free)](https://ii4gsp.github.io/cve-2020-27786/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 37 - Juicy Overflows, The Art Of Exploitation, Rust in Firmware, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-37-juicy-overflows-the-art-of-exploitation-rust-in-firmware-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > We love a post that talks methodology, but we also love a post that gets right into the nitty details. This new one from [@ii4gsp](https://ii4gsp.github.io/cve-2020-27786/?ref=blog.exploits.club) is very much the latter, walking through **his exploit technique for** [**CVE-2020-27786**](https://nvd.nist.gov/vuln/detail/CVE-2020-27786?ref=blog.exploits.club)**, a use-after-free caused by a race condition in Linux's MIDI driver.** The post quickly discusses the root cause and the patch before diving into exploitation. 
**He bypassed KASLR with `msg_msg` and used `tty_struct` in combination with the spray of a ROP chain and fake function table to successfully escalate privileges.** -------------------------------------------------------------------------------- /CVE-2023-26322 - Xiaomi Pro 13 isUrlMatchLevel Permissive List of Allowed Inputs Remote Code Execution Vulnerability.md: -------------------------------------------------------------------------------- 1 | tags: #xiaomi #android 2 | original link: [CVE-2023-26322: Xiaomi Pro 13 isUrlMatchLevel Permissive List of Allowed Inputs Remote Code Execution Vulnerability](https://www.zerodayinitiative.com/advisories/ZDI-24-417/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [**CVE-2023-26322: Xiaomi Pro 13 isUrlMatchLevel Permissive List of Allowed Inputs Remote Code Execution Vulnerability**](https://www.zerodayinitiative.com/advisories/ZDI-24-417/?ref=blog.exploits.club) from Team Orca Of Sea Security -------------------------------------------------------------------------------- /CVE-2023-36049 - Microsoft .NET CRLF Injection Arbitrary File Write & Deletion Vulnerability.md: -------------------------------------------------------------------------------- 1 | tags: #.net #command_injection 2 | original link: [CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability](https://www.zerodayinitiative.com/blog/2024/3/6/cve-2023-36049-microsoft-net-crlf-injection-arbitrary-file-writedeletion-vulnerability?ref=blog.exploits.club) 3 | newsletter link: 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [ZDI's](https://www.zerodayinitiative.com/?ref=blog.exploits.club) new blog post walks through an RCE vuln in Microsoft's .NET Framework and Visual Studio. 
**The command injection vulnerability stems from "insufficient validation of FTP command parameters".** In particular, the framework implements an abstraction for interacting with FTP control connections, but **fails to validate if user supplied parameters contain CRLF characters.** -------------------------------------------------------------------------------- /CVE-2023-42942 - xpcroleaccountd Root Privilege Escalation.md: -------------------------------------------------------------------------------- 1 | tags: #macos #toctou #lpe 2 | original link: [CVE-2023-42942: xpcroleaccountd Root Privilege Escalation](https://jhftss.github.io/CVE-2023-42942-xpcroleaccountd-Root-Privilege-Escalation/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 11](https://blog.exploits.club/exploits-club-weekly-newsletter-10-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@patch1t](https://twitter.com/patch1t?ref=blog.exploits.club) released a write-up for an **PrivEsc he found and reported to Apple last month.** The **TOCTOU bug** was able to be exploited with a symbolic link. 
**The symbolic link initially points at a legitimate Apple-signed XPC bundle, but is swapped out after the signature verification.** -------------------------------------------------------------------------------- /CVE-2023-6345 - Integer overflow in Skia.md: -------------------------------------------------------------------------------- 1 | tags: #integer_overflow #ITW #chrome #skia 2 | original link: [CVE-2023-6345: Integer overflow in Skia MeshOp::onCombineIfPossible](https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2023/CVE-2023-6345.html?ref=blog.exploits.club) 3 | newsletter link: 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > A new RCA on Google's [0-Days In The Wild](https://googleprojectzero.github.io/0days-in-the-wild?ref=blog.exploits.club) was posted this week covering an **int overflow in** [**Skia**](https://skia.org/?ref=blog.exploits.club)**.** When combining two `MeshOps`, there is a missing check to ensure that `int fVertexCount` won't overflow. Later this value is used in conjunction with others for allocation. 
-------------------------------------------------------------------------------- /CVE-2024-0204 - Fortra GoAnywhere MFT Authentication Bypass Deep-Dive.md: -------------------------------------------------------------------------------- 1 | tags: #java #enterprise_app #auth_bypass 2 | original link: [CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Deep-Dive](https://www.horizon3.ai/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-deep-dive/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 05](https://blog.exploits.club/exploits-club-weekly-newsletter-05/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > The team at [Horizon3.ai](https://www.horizon3.ai/?ref=blog.exploits.club) put out a **technical deep dive into** [**CVE-2024-0204**](https://nvd.nist.gov/vuln/detail/CVE-2024-0204?ref=blog.exploits.club)**.** The post goes through the process of **diffing the Java patch and identifying the auth bypass.** They also dropped a [**PoC on their GitHub**](https://github.com/horizon3ai/CVE-2024-0204?ref=blog.exploits.club)**.** -------------------------------------------------------------------------------- /CVE-2024-1212 - Unauthenticated Command Injection In Progress Kemp LoadMaster.md: -------------------------------------------------------------------------------- 1 | tags: #command_injection #enterprise_app #progress 2 | original link: [CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster](https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command-injection-in-progress-kemp-loadmaster/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 13](https://blog.exploits.club/exploits-club-weekly-newsletter-12-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Sometimes, you don't need a complex fuzzing set-up, 6 bug chain, or stealthy deserialization tricks to pop high impact vulns. 
Maybe you just need to **search for some calls to "system".** That's exactly what Rhino Security Labs proved in their most recent blog post, which details a [command injection in Kemp LoadMaster.](https://support.kemptechnologies.com/hc/en-us/articles/23878931058445-LoadMaster-Security-Vulnerability-CVE-2024-1212?ref=blog.exploits.club) After reversing the web server binary, the team realized that the **Basic Auth header was just thrown into "system()", allowing them to exploit it for a pre-auth RCE.** -------------------------------------------------------------------------------- /CVE-2024-1283 - Cross-{Cache, Bucket} Browser Exploit.md: -------------------------------------------------------------------------------- 1 | tags: #chrome #cross_cache #heap_overflow 2 | original link: [CVE-2024-1283: Cross-{Cache, Bucket} Browser Exploit](https://twitter.com/r3tr074/status/1790112906664677740?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 21](https://blog.exploits.club/exploits-club-weekly-newsletter-21/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > ALLLLLL the way back in [newsletter 07](https://blog.exploits.club/exploits-club-weekly-newsletter-07/) , we included a bug from [@r3tr074](https://twitter.com/r3tr074?ref=blog.exploits.club) and have quietly been waiting to hear more about it after he [hinted at a novel exploitation](https://x.com/r3tr074/status/1755204029553029427?ref=blog.exploits.club) technique. Well, the wait is over and suffice to say that it was worth it. 
**The Chromium issue became unrestricted this week, and it includes initial discussions around the bug, some back and forth with the graphics team, and finally** [**a succinct write-up**](https://issues.chromium.org/issues/41494860?ref=blog.exploits.club#comment52) **which includes information on the "Cross-cache / Cross-bucket overflow" exploit strategy.** -------------------------------------------------------------------------------- /CVE-2024-20697 - Windows Libarchive Remote Code Execution Vulnerability.md: -------------------------------------------------------------------------------- 1 | tags: #windows #integer_overflow 2 | original link: [CVE-2024-20697: Windows Libarchive Remote Code Execution Vulnerability](https://www.zerodayinitiative.com/blog/2024/4/17/cve-2024-20697-windows-libarchive-remote-code-execution-vulnerability?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 17](https://blog.exploits.club/exploits-club-weekly-newsletter-17/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > -------------------------------------------------------------------------------- /CVE-2024-21115 - An Oracle VirtualBox LPE Used To Win Pwn2Own.md: -------------------------------------------------------------------------------- 1 | tags: #lpe #hypervisor #pwn2own #virtualbox #OOB_write 2 | original link: [CVE-2024-21115: An Oracle VirtualBox LPE Used To Win Pwn2Own](https://www.zerodayinitiative.com/blog/2024/5/9/cve-2024-21115-an-oracle-virtualbox-lpe-used-to-win-pwn2own?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 21](https://blog.exploits.club/exploits-club-weekly-newsletter-21/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [**ZDI**](https://www.zerodayinitiative.com/?ref=blog.exploits.club) hosted a blog post from Cody Gallagher, in which he discussed the **OOB write bug he used to pop VirtualBox in P20.** The **core bug stems from an incorrect calculation of a start address, which results in the ability 
to write outside of a fixed size buffer.** The exploit leverages this bug to **disable the critical sections and trigger a race condition.** The post does a fantastic job detailing all the specifics, including code, and digging into the VB internals - give it a read! -------------------------------------------------------------------------------- /CVE-2024-22058 Ivanti Landesk LPE.md: -------------------------------------------------------------------------------- 1 | tags: #ivanti #lpe #enterprise_app #heap_overflow 2 | original link:[CVE-2024-22058 Ivanti Landesk LPE](https://mantodeasecurity.de/en/2024/05/cve-2024-22058-ivanti-landesk-lpe/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 23](https://blog.exploits.club/exploits-club-weekly-newsletter-23/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > What's a good newsletter without doing a small bit of bashing on Ivanti? In this post, [Mantodea Security](https://mantodeasecurity.de/en/home/?ref=blog.exploits.club) walks through the **discovery and exploitation of an overflow in** [**Ivanti LanDesk**](https://www.ivanti.com/company/history/landesk?ref=blog.exploits.club)**.** The post starts with a **walk through of the vulnerability and the code path in which it can be triggered.** It then covers **exploitation of the bug, in which it uses a ROP chain to mark memory as executable and overwrites a function pointer to jump to it reliably.** -------------------------------------------------------------------------------- /CVE-2024-2389 - Command Injection Vulnerability In Progress Flowmon.md: -------------------------------------------------------------------------------- 1 | tags: #enterprise_app #command_injection #progress 2 | original link: [CVE-2024-2389: Command Injection Vulnerability In Progress Flowmon](https://rhinosecuritylabs.com/research/cve-2024-2389-in-progress-flowmon/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 
18](https://blog.exploits.club/exploits-club-weekly-newsletter-18/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > These days, it feels like the newsletter wouldn't be complete if there wasn't at-least one unauthenticated command injection. Luckily, [Rhino Security Labs](https://rhinosecuritylabs.com/?ref=blog.exploits.club) has us covered this week, **coming in hot with a URL which will pop** [**Flowman**](https://www.flowmon.com/en?ref=blog.exploits.club) **from the login page.** -------------------------------------------------------------------------------- /CVE-2024-25938 - Foxit Reader Barcode widget Calculate event use-after-free vulnerability.md: -------------------------------------------------------------------------------- 1 | tags: #foxit #uaf #enterprise_app 2 | original link: [CVE-2024-25938: Foxit Reader Barcode widget Calculate event use-after-free vulnerability](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1958?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [**CVE-2024-25938: Foxit Reader Barcode widget Calculate event use-after-free vulnerability**](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1958?ref=blog.exploits.club) from [@TalosSecurity](https://twitter.com/TalosSecurity?ref=blog.exploits.club) -------------------------------------------------------------------------------- /CVE-2024-27815 - A Buffer Overflow in the XNU Kernel.md: -------------------------------------------------------------------------------- 1 | tags: #macos #XNU #heap_overflow 2 | original link: [CVE-2024-27815: A Buffer Overflow in the XNU Kernel](https://jprx.io/cve-2024-27815/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 27](https://blog.exploits.club/exploits-club-weekly-newsletter-27/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > 
[@0xjprx](https://x.com/0xjprx?ref=blog.exploits.club) just published an **overflow he found in the XNU kernel.** The bug manifests due to the **mixup of two, very similar-looking variable names (`MSIZE` and `MLEN`).** Apple introduced the bug by adding a size check on `MSIZE`, which actually is the size of an entire message buffer (header and data), and not just the buffer (which would be...you guessed it....`MLEN`). **The post includes a crash PoC and the patch released by Apple.** -------------------------------------------------------------------------------- /CVE-2024-27822 - macOS PackageKit Privilege Escalation.md: -------------------------------------------------------------------------------- 1 | tags: #macos #lpe 2 | original link: [CVE-2024-27822: macOS PackageKit Privilege Escalation](https://khronokernel.com/macos/2024/06/03/CVE-2024-27822.html?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 24](https://blog.exploits.club/exploits-club-weekly-newsletter-24/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > A fun macOS privesc from [@khronokernel](https://twitter.com/khronokernel?ref=blog.exploits.club). The post is pretty **short and to the point, but boy is it effective.** The core idea is that P**ackageKit will load the users `.zshrc` as root, allowing malicious payloads to be embedded into it for an easy privesc.** The write-up also takes a look at Apple's fix by reversing the patch and understanding how it works. 
-------------------------------------------------------------------------------- /CVE-2024-28183 OTA Anti-Rollback Bypass via TOCTOU in ESP-IDF.md: -------------------------------------------------------------------------------- 1 | tags: #toctou #microcontroller #iot 2 | original link: [CVE-2024-28183 OTA Anti-Rollback Bypass via TOCTOU in ESP-IDF](https://github.com/elttam/publications/blob/master/writeups/CVE-2024-28183/CVE-2024-28183.md?ref=blog.exploits.club#cve-2024-28183-ota-anti-rollback-bypass-via-toctou-in-esp-idf) 3 | newsletter link: [exploits.club Weekly Newsletter 15](https://blog.exploits.club/exploits-club-weekly-newsletter-15/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > A quick-hitter from [elttam](https://www.elttam.com/?ref=blog.exploits.club). The team found a way to **bypass the anti-rollback mechanism by leveraging a TOCTOU vulnerability.** The second-stage bootloader **does the final anti-rollback check prior to refetching the application image from flash.** The rest of the post dives into setting up a test environment and crafting a PoC. -------------------------------------------------------------------------------- /CVE-2024-29510 – Exploiting Ghostscript using format strings.md: -------------------------------------------------------------------------------- 1 | tags: #ghostscript #format_string #OOB_read #OOB_write 2 | original link: [CVE-2024-29510 – Exploiting Ghostscript using format strings](https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 28](https://blog.exploits.club/exploits-club-weekly-newsletter-28/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Codean Labs](https://codeanlabs.com/?ref=blog.exploits.club) released a post this week walking through a **format string bug in** [**Ghostscript**](https://www.ghostscript.com/?ref=blog.exploits.club), the document conversion toolkit first released in 1988. 
Based on the parameters of a particular output device, the author was inclined to peak at the source code and confirmed that **they were used in a format string improperly, leading to a classic vuln.** From there, the post goes into exploitation, **turning the heap-based bug into a read / write and escaping the sandbox** -------------------------------------------------------------------------------- /CVE-2024-30043 - Abusing URL Parsing Confusion To Exploit XXE On SharePoint Server And Cloud.md: -------------------------------------------------------------------------------- 1 | tags: #xxe #sharepoint 2 | original link: [CVE-2024-30043: Abusing URL Parsing Confusion To Exploit XXE On SharePoint Server And Cloud](https://www.zerodayinitiative.com/blog/2024/5/29/cve-2024-30043-abusing-url-parsing-confusion-to-exploit-xxe-on-sharepoint-server-and-cloud?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 24](https://blog.exploits.club/exploits-club-weekly-newsletter-24/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Now we weren't originally planning to include this write-up, since as the post notes **"in the vulnerability research world, you typically find [XXEs], report them, and forget about them."** However, **the post _also_ notes, "this is one of the craziest XXEs that I have ever seen",** and so we would be doing you a disservice not to bring it to your attention. The core issue stems from a prohibition **check being performed _after_ the parameter entries have been processed**, **allowing for an Out-Of-Band XXE**. The post then goes into exploitation and a nice demo. 
-------------------------------------------------------------------------------- /CVE-2024-37079 - VMware vCenter Server Integer Underflow Code Execution Vulnerability.md: -------------------------------------------------------------------------------- 1 | tags: #integer_overflow #vmware #heap_overflow 2 | original link: [**CVE-2024-37079: VMware vCenter Server Integer Underflow Code Execution Vulnerability**](https://www.zerodayinitiative.com/blog/2024/8/27/cve-2024-37079-vmware-vcenter-server-integer-underflow-code-execution-vulnerability?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 36 - Regex Fuzzing, C++ Metadata, Kernel Streaming, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-36-regex-fuzzing-c-metadata-kernel-streaming-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | >  ZDI released a write-up this week detailing [CVE-2024-37079](https://nvd.nist.gov/vuln/detail/CVE-2024-370791?ref=blog.exploits.club), a **integer underflow in VMware vCenter**. The post starts with a quick overview of the software and **some technical aspects that allow it to operate, namely DCERPC.** It then examines how a specially crafted DCERPC can lead to an integer underflow. It's a **technically heavy post,** but it's worth a read. 
-------------------------------------------------------------------------------- /CVE-2024-3832 - Object corruption on wasm functions installation.md: -------------------------------------------------------------------------------- 1 | tags: #wasm #chrome #v8 #type_confusion 2 | original link: [CVE-2024-3832: Object corruption on wasm functions installation](https://docs.google.com/document/d/e/2PACX-1vROOt_dzEYaoSbWsRbXRSP91d5fwsElH5-puqqB2X9zCq6y0qxgw_EIytGlD_a8VBVEp8TGZOd99O6Y/pub?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 18](https://blog.exploits.club/exploits-club-weekly-newsletter-18/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@buptdsb](https://twitter.com/buptdsb?ref=blog.exploits.club) put together some quick notes on [CVE-2024-3832](https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_16.html?ref=blog.exploits.club). The document **digs into some former research and related bugs, and includes links out to a handful of useful sources.** -------------------------------------------------------------------------------- /CVE-2024-3914 - V8 UAF.md: -------------------------------------------------------------------------------- 1 | tags: #uaf #chrome #v8 #pwn2own 2 | original link: [CVE-2024-3914: V8 UAF](https://x.com/zerodaytraining/status/1785265536819138569?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [**CVE-2024-3914: V8 UAF**](https://x.com/zerodaytraining/status/1785265536819138569?ref=blog.exploits.club) by [@0x10n](https://twitter.com/0x10n?ref=blog.exploits.club) -------------------------------------------------------------------------------- /CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js.md: -------------------------------------------------------------------------------- 1 | tags: #pdf.js #XSS #electron 2 | original link: 
[CVE-2024-4367: Arbitrary JavaScript execution in PDF.js](https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 22](https://blog.exploits.club/exploits-club-weekly-newsletter-22/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Okay, that's lots of Chrome bugs...tired of reading JS yet? Well too bad, because [Codean Labs](https://codeanlabs.com/?ref=blog.exploits.club) is coming with an interesting **vulnerability in PDF.js**, the pdf viewer maintained by Mozilla and used in Firefox. The core vulnerability stems from a **missing type check in the Glyph rendering code.** For applications that embed PDF.js, the **result is an XSS on the domain the PDF is viewed. For non-sandboxed electron apps....yikes.** 8 | -------------------------------------------------------------------------------- /CVE-2024-4947 - Type Confusion in V8.md: -------------------------------------------------------------------------------- 1 | 2 | tags: #ITW #chrome #type_confusion #v8 3 | original link: [CVE-2024-4947: Type Confusion in V8](https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html?ref=blog.exploits.club) 4 | newsletter link: [exploits.club Weekly Newsletter 21](https://blog.exploits.club/exploits-club-weekly-newsletter-21/) 5 | 6 | --- 7 | ## Exploits Club Summary: 8 | > [@oct0xor](https://twitter.com/oct0xor?ref=blog.exploits.club) and [@vaber_b](https://twitter.com/vaber_b?ref=blog.exploits.club) of Kaspersky identified a Chrome ITW 0-day. One of those Twitter handles look familiar? That's because **we _just_ talked about** [**@oct0xor**](https://twitter.com/oct0xor?ref=blog.exploits.club) **like 2 bullets above** when he was foiling Microsoft 0-days. Man is a machine. 
Anyways, in typical [**@xvonfers**](https://twitter.com/xvonfers?ref=blog.exploits.club) **fashion,** [**he linked what appear to be the bug fixes**](https://x.com/xvonfers/status/1790970182208291255?ref=blog.exploits.club) **in a pseudo-RCA while we wait for the Kaspersky team.** -------------------------------------------------------------------------------- /Chaining N-days to Compromise All - Part 1 — Chrome Renderer RCE.md: -------------------------------------------------------------------------------- 1 | tags: #chrome #type_confusion #v8 2 | original link: [Chaining N-days to Compromise All: Part 1 — Chrome Renderer RCE](https://medium.com/theori-blog/chaining-n-days-to-compromise-all-part-1-chrome-renderer-rce-1afccf56721b) 3 | newsletter link: [exploits.club Weekly Newsletter 13](https://blog.exploits.club/exploits-club-weekly-newsletter-12-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > As promised, Theori has published the **first blog post on their** [**1-day 6 bug full-chain**](https://twitter.com/theori_io/status/1764544922005430576?ref=blog.exploits.club). This post documents exploitation of [CVE-2023–3079](https://nvd.nist.gov/vuln/detail/CVE-2023-3079?ref=blog.exploits.club), a **type confusion bug in V8**. The team walks through the required browser background knowledge, before diving into an RCA of the bug and explaining **how the primitive can be escalated to an OOB memory access before eventually being turned into RCE.** We are looking forward to the next 5 posts! 
8 | -------------------------------------------------------------------------------- /Chaining N-days to Compromise All - Part 2 — Windows Kernel LPE (a.k.a Chrome Sandbox Escape).md: -------------------------------------------------------------------------------- 1 | tags: #chrome #sbx #lpe #windows #uaf #alpc 2 | original link: [Chaining N-days to Compromise All: Part 2 — Windows Kernel LPE (a.k.a Chrome Sandbox Escape)](https://blog.theori.io/chaining-n-days-to-compromise-all-part-2-windows-kernel-lpe-a-k-a-chrome-sandbox-escape-44cb49d7a4f8?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 15](https://blog.exploits.club/exploits-club-weekly-newsletter-15/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Theori released the second write-up for their [1-day fullchain](https://twitter.com/theori_io/status/1764544922005430576?s=20&ref=blog.exploits.club). Following on from their Chrome Renderer RCE, the post **walks through escaping the Chrome Sandbox by exploiting a Windows Kernel vulnerability.** Specifically, the team was able to take advantage of **a UAF in Advanced Local Procedure Call (ALPC).** The post is exceptionally detailed, **walking through ALPC internals, an RCA of the original CVE, and the exploit strategy.** 8 | 9 | 10 | --- 11 | backlinks: 12 | [[Chaining N-days to Compromise All - Part 1 — Chrome Renderer RCE]] -------------------------------------------------------------------------------- /Chaining N-days to Compromise All - Part 4 — VMware Workstation Information leakage.md: -------------------------------------------------------------------------------- 1 | tags: #bluetooth #hypervisor #vmware 2 | original link: [Chaining N-days to Compromise All: Part 4 — VMware Workstation Information leakage](https://blog.theori.io/chaining-n-days-to-compromise-all-part-4-vmware-workstation-information-leakage-44476b05d410?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 
17](https://blog.exploits.club/exploits-club-weekly-newsletter-17/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > It wouldn't be a newsletter these days if we didn't have a [Theori](https://theori.io/?ref=blog.exploits.club) post, and they are back with the **4th part of their N-day full chain.** The posts up to this point have detailed compromising the browser and privesc-ing on the virtual host. Now the team discusses **the first step in escaping from the virtual machine to the host.** If you have read the other 3 posts up to this point, you will be familiar with the format of this one, but the explanation walks you through the **necessary background knowledge on Virtual Bluetooth devices and USB Request Blocks. It then jumps into the vulnerability (and a botched patch resulting in a variant) followed by some notes on exploitation.** -------------------------------------------------------------------------------- /Chaining N-days to Compromise All - Part 6 — Windows Kernel LPE - Get SYSTEM.md: -------------------------------------------------------------------------------- 1 | tags: #windows #lpe #ITW #uaf 2 | original link: [Chaining N-days to Compromise All: Part 6 — Windows Kernel LPE: Get SYSTEM](https://medium.com/@vr-blog/chaining-n-days-to-compromise-all-part-6-windows-kernel-lpe-get-system-83cd756ce90a?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 22](https://blog.exploits.club/exploits-club-weekly-newsletter-22/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Long time exploit club readers will know we have been keeping close tabs on this series from [Theori](https://theori.io/?ref=blog.exploits.club). The team has been writing up each step of their [1-Day full-chain](https://x.com/theori_io/status/1764544922005430576?s=20&ref=blog.exploits.club), and we have finally reached the finale. **In their most recent blog post, the team describes exploiting CVE-2023-36802** (the same bug @chompie1337 wrote-up as well). 
The entry follows the same format as the others in the series, **first describing necessary background for the readers, before going into the vuln, patch, and exploit.** -------------------------------------------------------------------------------- /Chrome Exploitation - From Zero To Heap-Sandbox Escape.md: -------------------------------------------------------------------------------- 1 | tags: #chrome #methodology #learning_resource #sbx #v8 2 | original link: [Chrome Exploitation - From Zero To Heap-Sandbox Escape](https://github.com/uf0o/conference_talks/blob/main/bsides_oslo_2024_from_zero_to_heap_sandbox_escape.pdf?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 43 - Variant Analysis at Scale, SD Card Driver Bugs, TTE Trends, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-43-variant-anal/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@matteomalvica](https://x.com/matteomalvica?ref=blog.exploits.club) released his BSides Oslo slides **discussing Chrome exploitation.** The slides start with **a quick overview of the Chrome architecture and then discuss the V8 pipeline and it's various JIT compilers.** Afterwards, it takes a **look at type confusion bugs,** leveraging **three case studies from different time periods** to demonstrate how the meta has shifted along with the increase in mitigations. And if you have followed us for a while, you know we love a good slide-deck...this one comes decked out with diagrams, code snippets, and a concept art sketches for what would we assume would be a banger sci-fi hacker show. 
8 | -------------------------------------------------------------------------------- /CodeQL zero to hero part 3 - Security research with CodeQL.md: -------------------------------------------------------------------------------- 1 | tags: #codeQL #static_analysis #learning_resource #methodology 2 | original link: [CodeQL zero to hero part 3: Security research with CodeQL](https://github.blog/2024-04-29-codeql-zero-to-hero-part-3-security-research-with-codeql/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Github Security Lab released a write-up this week as **part of their CodeQL series detailing how the tool can effectively be used for security research.** The post walks through crafting **queries which might be useful for certain research projects,** such as looking for specific library functions or analyzing data flow. There are also **hands-on challenges for each section to help solidify the concepts.** -------------------------------------------------------------------------------- /DJI - The ART of obfuscation.md: -------------------------------------------------------------------------------- 1 | tags: #android #java 2 | original link: [DJI - The ART of obfuscation](https://blog.quarkslab.com/dji-the-art-of-obfuscation.html?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 07](https://blog.exploits.club/exploits-club-weekly-newsletter-07/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Quarkslab makes yet another appearance in the newsletter this week for their new post on an **"Android Runtime hijacking mechanism for bytecode injection".** This post takes a look at the [**DJI Pilot application**](https://www.dji.com/downloads/djiapp/dji-pilot?ref=blog.exploits.club), and breaks down how it uses a packer to obfuscate its code. 
Well written and highly-detailed, this is **worth the read for anyone reversing Android apps.** -------------------------------------------------------------------------------- /Deep Dive into RCU Race Condition - Analysis of TCP-AO UAF (CVE-2024–27394).md: -------------------------------------------------------------------------------- 1 | tags: #race_condition #uaf #linux #lpe #kernel #rcu 2 | original link: [Deep Dive into RCU Race Condition: Analysis of TCP-AO UAF (CVE-2024–27394)](https://blog.theori.io/deep-dive-into-rcu-race-condition-analysis-of-tcp-ao-uaf-cve-2024-27394-f40508b84c42?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 38 - Linux Races, Blind Memory Corruption, LLM Java Fuzzing, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-38-linux-races-blind-memory-corruption-llm-java-fuzzing-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > A new post out of [Theori](https://theori.io/?ref=blog.exploits.club) this week walks through a _different_ **Linux race-condition leading to UAF.** The bug happens during the **TCP Authentication Option connection initiation and stems from improper usage of the Read-Copy-Update API** (which the post covers at length). To reliably win the race, **the team leveraged** [**ExpRace**](https://www.usenix.org/conference/usenixsecurity21/presentation/lee-yoochan?ref=blog.exploits.club), which was initially presented at [USENIX '21](https://www.usenix.org/conference/usenixsecurity21?ref=blog.exploits.club). 
-------------------------------------------------------------------------------- /Deploying Rust in Existing Firmware Codebases.md: -------------------------------------------------------------------------------- 1 | tags: #rust #methodology #firmware #learning_resource #android 2 | original link: [Deploying Rust in Existing Firmware Codebases](https://security.googleblog.com/2024/09/deploying-rust-in-existing-firmware.html?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 37 - Juicy Overflows, The Art Of Exploitation, Rust in Firmware, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-37-juicy-overflows-the-art-of-exploitation-rust-in-firmware-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > The Android team over at Google released a **practical walkthrough for deploying Rust into existing firmware codebases.** The post walks through the **potential use cases** and challenges, what components might make good **candidates for replacement**, how to pick a well-maintained, `no_std` **compatible crate (or port one) for standard parsing operations**, and more. It then talks about **additional technical considerations** that should be reviewed when attempting to **create a 1-for-1 drop-in replacement where your C/C++ once stood** and some final comments on memory safety. 
-------------------------------------------------------------------------------- /Dissecting the CVE-2024-38106 Fix.md: -------------------------------------------------------------------------------- 1 | tags: #windows #uaf #race_condition #bindiff #uaf]], 2 | original link: [Dissecting the CVE-2024-38106 Fix](https://www.pixiepointsecurity.com/blog/nday-cve-2024-38106/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 37 - Juicy Overflows, The Art Of Exploitation, Rust in Firmware, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-37-juicy-overflows-the-art-of-exploitation-rust-in-firmware-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@b1thvn_](https://x.com/b1thvn_?lang=en&ref=blog.exploits.club) and [Pixiepoint Security](https://www.pixiepointsecurity.com/?ref=blog.exploits.club) rolled out a "just the facts" blog on the ITW vuln [CVE-2024-38106](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38106?ref=blog.exploits.club) which Microsoft patched last month. The post starts with a **quick bindiff to show the security relevant patches**, and gives a quick **overview of the race condition, which leads to a UAF**. It ends with a **crash PoC and a full crash dump** should anyone be interested in continuing their research and carrying out a full RCA or exploit. 
-------------------------------------------------------------------------------- /Diving into ADB protocol internals - Pt 1.md: -------------------------------------------------------------------------------- 1 | tags: #android 2 | original link: [Diving into ADB protocol internals: Pt 1](https://www.synacktiv.com/publications/diving-into-adb-protocol-internals-12) 3 | newsletter link: [exploits.club Weekly Newsletter 39 - bug.directory, Fuzzing Successes, SLUB Internals, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-39-bug-directory-fuzzing-successes-slub-internals-and-more-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Chances are pretty high that if you've done any work with Android, you've probably used ADB. But have you ever thought about how it works under the hood? Thankfully, Synacktiv jumped on their blog to answer that question for you. The first post in the series takes a detailed look at the protocol and the client-server relationship. The team then discusses how they implemented the protocol for their open-source Rust crate. Part 2 is expected to talk through useful improvements to their Rust implementation, which we will, of course, summarize here when it's available. -------------------------------------------------------------------------------- /Do a firmware update for your AirPods...now.md: -------------------------------------------------------------------------------- 1 | tags: #iot #bluetooth #auth_bypass 2 | original link: [Do a firmware update for your AirPods...now](https://blogs.gnome.org/jdressler/2024/06/26/do-a-firmware-update-for-your-airpods-now/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 28](https://blog.exploits.club/exploits-club-weekly-newsletter-28/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | >  A quick hitter blog post on a recent AirPods vulnerability. 
While **the post itself doesn't go too deep on the technicals** (though the author notes he will do a follow-up post), it does hit at the key points. Namely, **there is a proprietary protocol from Apple called "Fast Connect", which helps to simplify the connection process by only taking 4 back-and-forth messages**, as opposed to the complex process that takes place with regular Bluetooth devices. While trying to re-implement this protocol from his Linux machine, **the author noticed no authentication check for non-Apple devices over this protocol,** meaning that anyone can connect and listen to your AirPods as long as they know the fixed Bluetooth Mac Address. -------------------------------------------------------------------------------- /Emulating RH850 architecture with Unicorn Engine.md: -------------------------------------------------------------------------------- 1 | tags: #unicorn #emulation #fuzzing 2 | original link: [Emulating RH850 architecture with Unicorn Engine](https://blog.quarkslab.com/emulating-rh850-architecture-with-unicorn-engine.html?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Quarkslab released a post this week discussing how they were able to to **emulate RH850 architecture with Unicorn.** The post starts with explaining what Unicorn is and some details about its implementation, before **diving into how they wrote code to generate the Intermediate Representation (IR) for RH850 instructions.** It then jumps to **adding a new CPU, initializing its callbacks, and leveraging the Unicorn Bindings**. 
Finally, it wraps up with **building a harness and leveraging hooks to retrieve code coverage.** -------------------------------------------------------------------------------- /Etiquette for dropping PoCs in 2024 - A Linux LPE.md: -------------------------------------------------------------------------------- 1 | tags: #GSM #heap_overflow #linux #kernel 2 | original link: [Etiquette for dropping PoCs in 2024? A Linux LPE](https://x.com/roddux/status/1795392270616969653?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 23](https://blog.exploits.club/exploits-club-weekly-newsletter-23/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > What's the right way to drop a PoC? Well thankfully for us, the people on X decided that it was "full exploits with offsets", so that's exactly what [@roddux](https://x.com/roddux?ref=blog.exploits.club) did with his **Linux LPE,** [**germy**](https://github.com/roddux/germy?ref=blog.exploits.club)**.** The GitHub repo [includes a write-up](https://github.com/roddux/germy/blob/main/TECHNICAL_DETAILS.md?ref=blog.exploits.club) as well, complete with an **overview of the root cause, exploit strategy, and mitigation bypasses.** The bug stems from **3 seemingly inconsequential issues that, when taken in total, lead to an overflow.** -------------------------------------------------------------------------------- /Evernote RCE - From PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge Remote-Code Execution.md: -------------------------------------------------------------------------------- 1 | tags: #pdf.js #electron #ipc 2 | original link: [Evernote RCE: From PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge Remote-Code Execution](https://0reg.dev/blog/evernote-rce?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 29](https://blog.exploits.club/exploits-club-weekly-newsletter-29/) 4 | 5 | --- 6 | ## 
Exploits Club Summary: 7 | > -------------------------------------------------------------------------------- /Exploit Development - Windows Kernel Exploitation - Debugging Environment and Stack Overflow.md: -------------------------------------------------------------------------------- 1 | tags: #windows #kernel #learning_resource #stack_overflow #lpe #methodology 2 | original link: [Exploit Development: Windows Kernel Exploitation: Debugging Environment and Stack Overflow](https://connormcgarr.github.io/Kernel-Exploitation-1/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@33y0re](https://twitter.com/33y0re?ref=blog.exploits.club) posted a fantastic **primer on getting started with Windows Kernel Exploitation.** The post walks through **setting up a debugging environment and exploiting a straight forward stack overflow** using [HackSysExtremeVulnerableDriver](https://github.com/hacksysteam/HackSysExtremeVulnerableDriver?ref=blog.exploits.club) as an example. A great read for anyone looking to get into Windows Kernel Research but not sure where to start. 
-------------------------------------------------------------------------------- /Exploit GSM.md: -------------------------------------------------------------------------------- 1 | tags: #linux #lpe #GSM #race_condition #uaf 2 | original link: [Exploit GSM](https://github.com/YuriiCrimson/ExploitGSM/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 16](https://blog.exploits.club/exploits-club-weekly-newsletter-16/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > -------------------------------------------------------------------------------- /Exploitation 4011 - Windows Kernel Exploitation.md: -------------------------------------------------------------------------------- 1 | tags: #learning_resource #windows #kernel 2 | original link: [Exploitation 4011: Windows Kernel Exploitation](https://www.youtube.com/playlist?list=PLUFkSN0XLZ-nl4HEX4_LWG9H_d9vJKkYL&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 28](https://blog.exploits.club/exploits-club-weekly-newsletter-28/) 4 | 5 | 6 | --- 7 | ## Exploits Club Summary: 8 | > [**Open Source Security Training 2**](https://p.ost2.fyi/courses?ref=blog.exploits.club) continues to be one of the best free resources for budding vulnerability researchers and exploit developers. 
This week, they **uploaded their entire Windows Kernel Exploitation training on YouTube.** -------------------------------------------------------------------------------- /Exploited V8 Bugs in 2024.md: -------------------------------------------------------------------------------- 1 | tags: #ITW #v8 #chrome 2 | original link: [Exploited V8 Bugs in 2024](https://docs.google.com/document/d/1njn2dd5_6PB7oZGTmkmoihYnVcJEgRwEFxhHnGoptLk/edit?ref=blog.exploits.club#heading=h.1q56zf5othwu) 3 | newsletter link: [exploits.club Weekly Newsletter 25](https://blog.exploits.club/exploits-club-weekly-newsletter-25/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Trying to stay up to date with V8 exploitation? Be sure to bookmark this **little spreadsheet, which provides some key details about vulns that have been popped in the last year.** -------------------------------------------------------------------------------- /Exploiting American Conquest.md: -------------------------------------------------------------------------------- 1 | tags: #game_hacking #stack_overflow 2 | original link: [Exploiting American Conquest](https://www.synacktiv.com/publications/exploiting-american-conquest?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 17](https://blog.exploits.club/exploits-club-weekly-newsletter-17/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > As long time [Synacktiv](https://www.synacktiv.com/index?ref=blog.exploits.club) fans here at [exploits.club](https://exploits.club/?ref=blog.exploits.club), we were excited to see their new blog this week which dives back into everyone's favorite topic - finding bugs in old video games. 
This time, the team went after the **2003 game American Conquest, and identified and exploited a straight forward stack overflow in one of the "chat" components associated with the game's multiplayer.** -------------------------------------------------------------------------------- /Exploiting Android's Hardened Memory Allocator.md: -------------------------------------------------------------------------------- 1 | tags: #allocator #android #scudo 2 | original link: [Exploiting Android's Hardened Memory Allocator](https://www.usenix.org/system/files/woot24-mao.pdf?ref=blog.exploits.club) 3 | newsletter link: 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Exploiting Android's Hardened Memory Allocator](https://www.usenix.org/system/files/woot24-mao.pdf?ref=blog.exploits.club) -------------------------------------------------------------------------------- /Exploiting Issue-1472121.md: -------------------------------------------------------------------------------- 1 | tags: #chrome #OOB_write #v8 #type_confusion 2 | original link: [write-up exploiting Issue-1472121](https://cwresearchlab.co.kr/entry/Issue-1472121-Exploit-out-of-bound-CloneObjectIC-type-confusion?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 07](https://blog.exploits.club/exploits-club-weekly-newsletter-07/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [CW Research Lab](https://cwresearchlab.co.kr/?ref=blog.exploits.club) released a [**write-up on exploiting Issue-1472121**](https://cwresearchlab.co.kr/entry/Issue-1472121-Exploit-out-of-bound-CloneObjectIC-type-confusion?ref=blog.exploits.club)**.** This one is in Korean (which we don't read sadly), but the included images and diagrams are all in English. 
--------------------------------------------------------------------------------
/Exploiting V8 at openECSC.md:
--------------------------------------------------------------------------------
tags: #v8 #CTF #chrome #learning_resource
original link: [Exploiting V8 at openECSC](https://lyra.horse/blog/2024/05/exploiting-v8-at-openecsc/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 23](https://blog.exploits.club/exploits-club-weekly-newsletter-23/)

---
## Exploits Club Summary:
> "CTFs don't help in the real world". Yeah, well, tell that to this challenge, which requires going from a **V8 bug to shell**. The challenge from openECSC introduces some new functionality in the V8 engine via a buggy patch. After identifying the vulnerability, exploitation follows the common pattern of "read arbitrary addresses (`addrof`), create fake objects (`fakeobj`), and eventually reach arbitrary code execution." **If you are interested in getting started with V8 exploitation, this challenge and the subsequent write-up from** [**@rebane2001**](https://x.com/rebane2001?ref=blog.exploits.club) **are a great place to get your feet wet.**
--------------------------------------------------------------------------------
/Exploiting a SpiderMonkey - From Integer Range Inconsistency to Bound Check Elimination then RCE.md:
--------------------------------------------------------------------------------
tags: #firefox #OOB_read #OOB_write
original link: [Exploiting a SpiderMonkey: From Integer Range Inconsistency to Bound Check Elimination then RCE](https://github.com/bjrjk/CVE-2024-29943/blob/main/Slides.pdf?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 28](https://blog.exploits.club/exploits-club-weekly-newsletter-28/)

---
## Exploits Club Summary:
> [@bjrjk](https://x.com/bjrjk?ref=blog.exploits.club) published a set of slides this week walking through **the background, RCA, and exploit for** [**CVE-2024-29943**](https://nvd.nist.gov/vuln/detail/CVE-2024-29943?ref=blog.exploits.club)**.** The bug was originally **used by** [**@_manfp**](https://x.com/_manfp?ref=blog.exploits.club) **in Pwn2Own** and later **analyzed by** [**@maxpl0it**](https://x.com/maxpl0it/status/1771258714541978060?ref=blog.exploits.club)**.** We also want to give a shout-out to the quality of the slides - this deck is "make-your-asshole-McKinsey-cousin-drool" type stuff.
--------------------------------------------------------------------------------
/Exploiting the NT Kernel in 24H2 - New Bugs in Old Code & Side Channels Against KASLR.md:
--------------------------------------------------------------------------------
tags: #windows #kernel #lpe #double_fetch
original link: [Exploiting the NT Kernel in 24H2: New Bugs in Old Code & Side Channels Against KASLR](https://exploits.forsale/24h2-nt-exploit/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/)

---
## Exploits Club Summary:
> Sticking with the Windows theme, [@gabe_k](https://mastodon.social/@gabe_k?ref=blog.exploits.club) came through with a post about **multiple kernel vulns and an LPE in a version of Windows that's not even out yet.** He was able to take advantage of the public preview to identify **multiple double-fetches due to the broad changes intended to treat user-mode memory as volatile.** The post then moves on to talk about the **new KASLR changes, and how he was able to bypass them using a timing side channel.**
--------------------------------------------------------------------------------
/Exploring AMD Platform Secure Boot.md:
--------------------------------------------------------------------------------
tags: #secure_boot #UEFI
original link: [Exploring AMD Platform Secure Boot](https://labs.ioactive.com/2024/02/exploring-amd-platform-secure-boot.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 07](https://blog.exploits.club/exploits-club-weekly-newsletter-07/)

---
## Exploits Club Summary:
> [IOActive Labs](https://labs.ioactive.com/?ref=blog.exploits.club) put together a detailed **write-up of the AMD PSB**. The post first delves into the **technical details of the architecture and boot process,** before discussing the way the PSB is configured. The team also **discloses misconfiguration** issues by popular vendors that they came across during their research.
--------------------------------------------------------------------------------
/Exploring Counter-Strike - Global Offensive Attack Surface.md:
--------------------------------------------------------------------------------
tags: #source_engine #fuzzing #OOB_write
original link: [EXPLORING COUNTER-STRIKE: GLOBAL OFFENSIVE ATTACK SURFACE](https://www.synacktiv.com/publications/exploring-counter-strike-global-offensive-attack-surface?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 03](https://blog.exploits.club/exploits-club-weekly-newsletter-03/)

---
## Exploits Club Summary:
> This post walks through the attack surface of CS:GO, before diving into the team's bug hunting methodology, and ending with the **exploitation of an out-of-bounds write.** Overall, a fun post, and CS:GO/Source Engine continues to yield interesting research.
--------------------------------------------------------------------------------
/FAQ - The tragedy of low-level exploitation.md:
--------------------------------------------------------------------------------
tags: #learning_resource #career
original link: [FAQ: The tragedy of low-level exploitation](https://gynvael.coldwind.pl/?id=791&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 33 - CPU Vulns, Breaking Samsung Bootloaders, Tony Hawk Pro Skater, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-33-cpu-vulns-breaking-samsung-bootloaders-tony-hawk-pro-skater-and-more-2/)

---
## Exploits Club Summary:
> [@gynvael](https://x.com/gynvael?ref=blog.exploits.club) took to his blog this week to discuss one of the most common questions he receives - **"how do I make a career out of low-level exploitation?"**. The well-thought-out post **discusses the different career paths** available to those interested in low-level security, centering around the fact that there is no silver bullet, and one potentially has to make **certain trade-offs in either their specific focus area or their comfort working for certain three-letter agencies.** The post is worth a read for anyone, especially if you want to turn pwn-chals into a career.
--------------------------------------------------------------------------------
/Finding Gadgets for CPU Side-Channels with Static Analysis Tools.md:
--------------------------------------------------------------------------------
tags: #side_channel #static_analysis #graphQL #spectre
original link: [Finding Gadgets for CPU Side-Channels with Static Analysis Tools](https://github.com/google/security-research/tree/master/pocs/cpus/spectre-gadgets?ref=blog.exploits.club#finding-gadgets-for-cpu-side-channels-with-static-analysis-tools)
newsletter link: [exploits.club Weekly Newsletter 10](https://blog.exploits.club/exploits-club-weekly-newsletter-10/)

---
## Exploits Club Summary:
> [@pwningsystems](https://twitter.com/pwningsystems?ref=blog.exploits.club) and [@fkaasan](https://twitter.com/fkaasan?ref=blog.exploits.club) released research this week into using **static analysis tools to find** [**Spectre-V1**](https://docs.kernel.org/admin-guide/hw-vuln/spectre.html?ref=blog.exploits.club#id1) **gadgets.** The post walks through the [**CodeQL**](https://codeql.github.com/?ref=blog.exploits.club) **query** they put together, as well as the **two gadgets (**[**CVE-2023-0458**](https://nvd.nist.gov/vuln/detail/CVE-2023-0458?ref=blog.exploits.club)**,** [**CVE-2023-0459**](https://nvd.nist.gov/vuln/detail/CVE-2023-0459?ref=blog.exploits.club)**) they uncovered.**
--------------------------------------------------------------------------------
/FireFox OOB Read via clipboard component.md:
--------------------------------------------------------------------------------
tags: #firefox #OOB_read
original link: [FireFox OOB Read via clipboard component](https://www.mozilla.org/en-US/security/advisories/mfsa2024-29/?ref=blog.exploits.club#CVE-2024-6606)
newsletter link: [exploits.club Weekly Newsletter 29](https://blog.exploits.club/exploits-club-weekly-newsletter-29/)

---
## Exploits Club Summary:
> [FireFox OOB Read via clipboard component](https://www.mozilla.org/en-US/security/advisories/mfsa2024-29/?ref=blog.exploits.club#CVE-2024-6606)
--------------------------------------------------------------------------------
/Fixing an Elgato HD60 S HDMI capture device with the help of Ghidra.md:
--------------------------------------------------------------------------------
tags: #hardware_hacking #firmware
original link: [Fixing an Elgato HD60 S HDMI capture device with the help of Ghidra](https://www.downtowndougbrown.com/)
newsletter link: [exploits.club Weekly Newsletter 40 - iOS Kernel Exploitation, CET Bypasses, Elgato Hardware Repair, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-40-ios-kernel-exploitation-cet-bypasses-elgato-hardware-repair-and-more/)

---
## Exploits Club Summary:
> If you like hardware, firmware, and hacking war stories, then [@dt_db](https://x.com/dt_db) has got an absolute banger of a post for you. The self-proclaimed lover of repair videos decided to try his hand at restoring some non-working tech and picked up a second-hand, dysfunctional Elgato capture card off eBay. What followed is documented in his lengthy blog post, going through chip identification, hardware hacking, firmware dumping, and manual patching. It's a fun read, and one that spares no details about the journey to get the device and its LEDs back in working order.
--------------------------------------------------------------------------------
/Flipping Pages - An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques.md:
--------------------------------------------------------------------------------
tags: #linux #dirty_pagetable #double_free #nf_tables #lpe #methodology
original link: [Flipping Pages: An analysis of a new Linux vulnerability in nf_tables and hardened exploitation techniques](https://pwning.tech/nftables/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 14](https://blog.exploits.club/exploits-club-weekly-newsletter-14/)

---
## Exploits Club Summary:
> Sticking with the Linux theme, [@notselwyn](https://twitter.com/notselwyn/?ref=blog.exploits.club) released a post detailing a **double free vuln in `nf_tables` (**[**CVE-2024-1086**](https://nvd.nist.gov/vuln/detail/CVE-2024-1086?ref=blog.exploits.club)**).** This post really shines when talking about exploitation techniques, **detailing a number of mitigation bypasses and introducing "Dirty Pagedirectory", an iteration on** [**Dirty Pagetable**](https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html?ref=blog.exploits.club)**.**
--------------------------------------------------------------------------------
/Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024.md:
--------------------------------------------------------------------------------
tags: #enterprise_app #fortinet #format_string #bindiff
original link: [Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024](https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-complex-vulnerability-in-a-super-secure-appliance-in-2024/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 43 - Variant Analysis at Scale, SD Card Driver Bugs, TTE Trends, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-43-variant-anal/)

---
## Exploits Club Summary:
>
--------------------------------------------------------------------------------
/From Pwn2Own Automotive - Taking Over the Autel Maxicharger.md:
--------------------------------------------------------------------------------
tags: #pwn2own #car_hacking #stack_overflow
original link: [From Pwn2Own Automotive: Taking Over the Autel Maxicharger](https://www.zerodayinitiative.com/blog/2024/8/22/from-pwn2own-automotive-taking-over-the-autel-maxicharger?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 36 - Regex Fuzzing, C++ Metadata, Kernel Streaming, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-36-regex-fuzzing-c-metadata-kernel-streaming-and-more/)

---
## Exploits Club Summary:
> A short post from ZDI which briefly touches on two vulnerabilities identified in the Autel Maxicharger firmware during Pwn2Own Automotive earlier this year. The **first bug was a straightforward overflow in BLE message parsing, and the second was a hardcoded backdoor in the WiFi authentication.** The post does a bit of patch diffing to show the introduced fixes but doesn't touch on anything related to exploitation.
--------------------------------------------------------------------------------
/Fuzz Everything, Everywhere, All at Once.md:
--------------------------------------------------------------------------------
tags: #fuzzing #LibAFL
original link: [Fuzz Everything, Everywhere, All at Once](https://media.ccc.de/v/37c3-12102-fuzz_everything_everywhere_all_at_once?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 01](https://blog.exploits.club/vuln-research-newsletter-01/)

---
## Exploits Club Summary:
> This talk walks through how to fuzz binary-only targets with LibAFL and QEMU.
It then introduces a new library for LibAFL which offers "APIs to hook the target using Rust". It includes a demo against an Android library, as well as a demo showing off some built-in detections for non-memory-corruption bugs, such as command injection and SQLi. If this talk sparks your interest in LibAFL like it did for us, Atredis released a [LibAFL workshop](https://www.atredis.com/blog/2023/12/4/a-libafl-introductory-workshop?ref=blog.exploits.club) earlier this month which can help bring you up to speed.

--------------------------------------------------------------------------------
/Fuzzer Development - Sandboxing Syscalls.md:
--------------------------------------------------------------------------------
tags: #fuzzing #methodology #emulation
original link: [Fuzzer Development: Sandboxing Syscalls](https://h0mbre.github.io/Lucid_Context_Switching/?ref=blog.exploits.club#)
newsletter link: [exploits.club Weekly Newsletter 09](https://blog.exploits.club/exploits-club-weekly-newsletter-09/)

---
## Exploits Club Summary:
> [@h0mbre_](https://twitter.com/h0mbre_?ref=blog.exploits.club) put out the **second part of the "Fuzzer Development"** series he is running on his [blog](https://h0mbre.github.io/?ref=blog.exploits.club). The **fuzzer sandboxes a** [**Bochs**](https://bochs.sourceforge.io/?ref=blog.exploits.club) **emulator for easy system emulation and snapshot fuzzing**. This post details the implementation of the **"Bochs-to-fuzzer context switch"**, which takes place in order to handle syscalls.
--------------------------------------------------------------------------------
/Fuzzer Development 3 - Building Bochs, MMU, and File I0.md:
--------------------------------------------------------------------------------
tags: #fuzzing #emulation #methodology
original link: [Fuzzer Development 3: Building Bochs, MMU, and File I/O](https://h0mbre.github.io/Loading_Bochs/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 11](https://blog.exploits.club/exploits-club-weekly-newsletter-10-2/)

---
## Exploits Club Summary:
> [Two weeks ago](https://blog.exploits.club/exploits-club-weekly-newsletter-09/), we covered [@h0mbre_'s](https://twitter.com/h0mbre_?ref=blog.exploits.club) fuzzer development blog series. This week, he is back with another installment. In the post, he walks through some **changes he's made, such as changing the syscall infrastructure, simplifying the context-switching calling convention, introducing a new error class, and sandboxing thread-local storage.** He then dives into **building Bochs** and handling the subsequent syscalls this introduces into the project.

---
backlinks: [[Fuzzer Development - Sandboxing Syscalls]]
--------------------------------------------------------------------------------
/Fuzzer Development 4 - Snapshots, Code-Coverage, and Fuzzing.md:
--------------------------------------------------------------------------------
tags: #methodology #fuzzing #emulation
original link: [Fuzzer Development 4: Snapshots, Code-Coverage, and Fuzzing](https://h0mbre.github.io/Lucid_Snapshots_Coverage/?ref=blog.exploits.club#)
newsletter link: [exploits.club Weekly Newsletter 27](https://blog.exploits.club/exploits-club-weekly-newsletter-27/)

---
## Exploits Club Summary:
> Long-time readers of the newsletter will know we have been closely following **@h0mbre's full-system snapshot fuzzer development.** This week, we got installment number 4 in the blog series, which covers "Snapshots, Code Coverage Feedback, and more". **The post is equal parts technical and reflective, walking through the issues encountered during development and the reasons for the resulting design decisions.**
--------------------------------------------------------------------------------
/Fuzzware Goes Open-Source.md:
--------------------------------------------------------------------------------
tags: #fuzzing #firmware
original link: [Fuzzware Goes Open-Source](https://github.com/fuzzware-fuzzer/fuzzware?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 05](https://blog.exploits.club/exploits-club-weekly-newsletter-05/)

---
## Exploits Club Summary:
> Back in 2022, a paper named [Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing](https://www.usenix.org/system/files/sec22summer_scharnowski.pdf?ref=blog.exploits.club) was released and generated a bit of buzz. The general thesis was to **create a fuzzer which would be effective on bare-metal firmware by mapping the way MMIO is used** and configuring models accordingly. This week, it was [announced](https://twitter.com/ScepticCtf/status/1483931331490947073?s=20&ref=blog.exploits.club) that Fuzzware and the [experiments from the paper](https://github.com/fuzzware-fuzzer/fuzzware-experiments?ref=blog.exploits.club) have been **open-sourced.**
--------------------------------------------------------------------------------
/Gaining kernel code execution on an MTE-enabled Pixel 8.md:
--------------------------------------------------------------------------------
tags: #android #mte #pixel #lpe #mali #gpu
original link: [Gaining kernel code execution on an MTE-enabled Pixel 8](https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 13](https://blog.exploits.club/exploits-club-weekly-newsletter-12-2/)

---
## Exploits Club Summary:
> If you have been anywhere near X this week, you probably came across this new post from the man, the myth, the legend, [@mmolgtm](https://twitter.com/mmolgtm?lang=en&ref=blog.exploits.club). This time, he is back for some **GPU hacking fun, popping** [**CVE-2023-6241**](https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities?ref=blog.exploits.club#Technical-Specifications) **to gain arbitrary kernel code execution from a malicious application context.** Even better, the post **demonstrates how MTE is completely useless against the bug** because the exploit flow requires no pointer dereferencing, and instead uses the GPU to access physical memory directly.
--------------------------------------------------------------------------------
/Ghidra nanoMIPS ISA module.md:
--------------------------------------------------------------------------------
tags: #decompilation #ghidra
original link: [Ghidra nanoMIPS ISA module](https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 21](https://blog.exploits.club/exploits-club-weekly-newsletter-21/)

---
## Exploits Club Summary:
> A quick hitter from NCC Group, intended to help get you spun up **reversing nanoMIPS in Ghidra using their** [**released plugin**](https://github.com/nccgroup/ghidra-nanomips?ref=blog.exploits.club)**.** The post walks through the steps the team followed on one of their projects, and uses the Moto Edge firmware as an example. The team notes that while the **project is in a working state, there is still more to be done and it is in active development.**
--------------------------------------------------------------------------------
/Ghostrace - Exploiting and Mitigating Speculative Race Conditions.md:
--------------------------------------------------------------------------------
tags: #spectre #race_condition #side_channel #uaf
original link: [Ghostrace: Exploiting and Mitigating Speculative Race Conditions](https://www.vusec.net/projects/ghostrace/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 12](https://blog.exploits.club/exploits-club-weekly-newsletter-12/)

---
## Exploits Club Summary:
> [VUSec](https://www.vusec.net/?ref=blog.exploits.club) released a blog post with the key takeaways from their [recently released paper](https://download.vusec.net/papers/ghostrace_sec24.pdf?ref=blog.exploits.club).
The research they conducted centered around **synchronization primitives, and their behavior in speculatively executed code paths.** The team found that "**primitives implemented using conditional branches can be microarchitecturally bypassed on speculative paths using a Spectre-v1 attack**, turning all architecturally race-free critical regions into Speculative Race Conditions (SRCs), allowing attackers to leak information from the target software."
--------------------------------------------------------------------------------
/Glitching in 3D - Low Cost EMFI Attacks.md:
--------------------------------------------------------------------------------
tags: #glitching #hardware_hacking #methodology
original link: [Glitching in 3D: Low Cost EMFI Attacks](https://voidstarsec.com/fi-resources/?ref=blog.exploits.club#1)
newsletter link: [exploits.club Weekly Newsletter 10](https://blog.exploits.club/exploits-club-weekly-newsletter-10/)

---
## Exploits Club Summary:
> [@wrongbaud](https://twitter.com/wrongbaud?ref=blog.exploits.club)'s slides from RingZer0. The talk starts with a [**fault injection overview**](https://en.wikipedia.org/wiki/Fault_injection?ref=blog.exploits.club), before **demonstrating these attacks on an STM32FX**. The research starts with typical **voltage fault injection, before moving to electromagnetic fault injection**. Due to the expense of the EMFI tooling, **@wrongbaud shows how to replicate these tools cost-effectively using a PicoEMP and a 3D printer.**
--------------------------------------------------------------------------------
/Google And Arm - Raising The Bar on GPU Security.md:
--------------------------------------------------------------------------------
tags: #gpu #android #fuzzing #mali #firmware #kernel
original link: [Google & Arm - Raising The Bar on GPU Security](https://security.googleblog.com/2024/09/google-arm-raising-bar-on-gpu-security.html "Google & Arm - Raising The Bar on GPU Security")
newsletter link: [exploits.club Weekly Newsletter 40 - iOS Kernel Exploitation, CET Bypasses, Elgato Hardware Repair, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-40-ios-kernel-exploitation-cet-bypasses-elgato-hardware-repair-and-more/)

---
## Exploits Club Summary:
> Another Google team got to check off that "blog post" OKR this week before the start of Q4. The Android Red Team released a write-up in collaboration with Arm Product Security detailing their assessment of the Mali GPU. The team had the opportunity to poke at both the firmware and the associated kernel driver, finding bugs in both. While the post doesn't get too technical on the bugs, it does link out to the associated advisories. The post starts with some broad generalities about why the attack surface is interesting, before talking about their approach to the assessment itself, which consisted mainly of fuzzing and formal verification.
--------------------------------------------------------------------------------
/Hacking Exchange from the Outside In.md:
--------------------------------------------------------------------------------
tags: #fuzzing #afl #jackalope #exchange #supply_chain #uaf #OOB_read #OOB_write
original link: [Hacking Exchange from the Outside In](https://www.atredis.com/blog/2024/4/22/hacking-exchange-from-the-outside-in?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 18](https://blog.exploits.club/exploits-club-weekly-newsletter-18/)

---
## Exploits Club Summary:
> Sticking with the Microsoft theme, [**Atredis**](https://www.atredis.com/?ref=blog.exploits.club) **released a blog post this week digging into Oracle's "Outside In" libraries.** These libraries were **used in Microsoft Exchange 2019 up until a few months ago, and were used to parse specific file types if an attachment inspection mail flow had been enabled.** The write-up digs into the fuzzing set-up using AFL and Jackalope, before providing a crash dump of the team's 3 finds (UAF, OOB read, OOB write).
--------------------------------------------------------------------------------
/Heap Buffer Overflow In ANGLE.md:
--------------------------------------------------------------------------------
tags: #ANGLE #chrome
original link: [Heap Buffer Overflow In ANGLE](https://x.com/xvonfers/status/1778301253472141737?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 16](https://blog.exploits.club/exploits-club-weekly-newsletter-16/)

---
## Exploits Club Summary:
> [**Heap Buffer Overflow In ANGLE**](https://x.com/xvonfers/status/1778301253472141737?ref=blog.exploits.club) - from [@qriousec](https://twitter.com/qriousec?ref=blog.exploits.club) [@__suto](https://twitter.com/__suto?ref=blog.exploits.club)
--------------------------------------------------------------------------------
/Heap exploitation, glibc internals and nifty tricks.md:
--------------------------------------------------------------------------------
tags: #glibc #allocator #heap_overflow #uaf
original link: [Heap exploitation, glibc internals and nifty tricks](https://blog.quarkslab.com/heap-exploitation-glibc-internals-and-nifty-tricks.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 32 - Popping Basebands, Pwnie Nominated PrivEscs, The Compiler Landscape, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-32-2/)

---
## Exploits Club Summary:
> Continuing on the CTF write-ups theme, [Quarkslab](https://www.quarkslab.com/?ref=blog.exploits.club) walks through a **heap challenge** in their most recent blog post, **using it as an opportunity to give a detailed rundown of internals and exploitation techniques.** It offers a **primer on GLIBC malloc internals, explaining the heap implementation and common exploitation techniques**. It then builds on this foundational information, walking through the **HITCON qualifiers challenge, which required a combination of techniques to be solved.** If you are looking to get up to speed quickly on heap exploitation, this is a great place to start.
--------------------------------------------------------------------------------
/Hi, My Name Is Keyboard.md:
--------------------------------------------------------------------------------
tags: #bluetooth
original link: [Hi, My Name Is Keyboard](https://github.com/skysafe/reblog/tree/main/cve-2024-0230?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 04](https://blog.exploits.club/exploits-club-weekly-newsletter-04/)

---
## Exploits Club Summary:
> [ShmooCon](https://www.shmoocon.org/?ref=blog.exploits.club) took place this week, and one of the talks we found particularly fun detailed how **an emulated Bluetooth keyboard can be paired with most popular operating systems to inject keystrokes** without user confirmation. The [slides and exploit scripts](https://github.com/marcnewlin/hi_my_name_is_keyboard/tree/main?ref=blog.exploits.club) are also available now!
--------------------------------------------------------------------------------
/How Low Can You Go - An Analysis of 2023 Time-to-Exploit Trends.md:
--------------------------------------------------------------------------------
tags: #ITW #threat_intel
original link: [How Low Can You Go - An Analysis of 2023 Time-to-Exploit Trends](https://cloud.google.com/blog/topics/threat-intelligence/time-to-exploit-trends-2023/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 43 - Variant Analysis at Scale, SD Card Driver Bugs, TTE Trends, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-43-variant-anal/)

---
## Exploits Club Summary:
> A bit more on the threat intel side of the house, but [Mandiant](https://www.mandiant.com/?ref=blog.exploits.club) released their **analysis regarding time-to-exploit trends in 2023.** The big takeaways from the report are nicely summarized in the cute infographic at the beginning, including that **70% of the vulnerabilities they analyzed were first exploited as zero-days**, and the average **time-to-exploit for n-days was 5 days**. Soooo yeah...may want to revisit those SLA windows.
--------------------------------------------------------------------------------
/How an old bug in Lighttpd gained new life in AMI BMC, including Lenovo and Intel products.md:
--------------------------------------------------------------------------------
tags: #supply_chain #OOB_read #lighttpd
original link: [How an old bug in Lighttpd gained new life in AMI BMC, including Lenovo and Intel products](https://www.binarly.io/blog/lighttpd-gains-new-life?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 17](https://blog.exploits.club/exploits-club-weekly-newsletter-17/)

---
## Exploits Club Summary:
>
--------------------------------------------------------------------------------
/Hunting Bugs in Nginx JavaScript Engine (njs).md:
--------------------------------------------------------------------------------
tags: #type_confusion #OOB_read #codeQL #fuzzing
original link: [Hunting Bugs in Nginx JavaScript Engine (njs)](https://0xbigshaq.github.io/2024/05/24/njs-vr-bugs/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 23](https://blog.exploits.club/exploits-club-weekly-newsletter-23/)

---
## Exploits Club Summary:
> [@0x_shaq](https://x.com/0x_shaq?ref=blog.exploits.club) released a write-up this week on his research into the Nginx JavaScript interpreter. After some **initial fuzzing, he was able to identify two bugs: a type confusion and an OOB read.** He was then able to **codify the type confusion pattern into a CodeQL query,** which found two additional variants.
-------------------------------------------------------------------------------- /Hyper-V 1-day Class - CVE-2024-38127.md: -------------------------------------------------------------------------------- 1 | tags: #hypervisor #OOB_read #bindiff 2 | original link: [Hyper-V 1-day Class: CVE-2024-38127](https://hackyboiz.github.io/2024/09/15/pwndorei/hyperv-1dayclass_CVE-2024-38127/) 3 | newsletter link: [exploits.club Weekly Newsletter 39 - bug.directory, Fuzzing Successes, SLUB Internals, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-39-bug-directory-fuzzing-successes-slub-internals-and-more-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > A quick and fun RCA for a recent Hyper-V OOB read patched by Microsoft. The post starts with a quick overview of the vulnerability itself, which occurs in `vhdmp.sys` and results from the incorrect calculation of an output buffer size, resulting in the read out of bounds. The post then walks through a quick PoC for the bug, before discussing the patch put in place. As mentioned by the author, this was labeled as severe and potentially useable for an EoP which _might_ not quite be the case. -------------------------------------------------------------------------------- /IERAE CTF 2024 - Intel CET Bypass Challenge.md: -------------------------------------------------------------------------------- 1 | tags: #mitigation #CET #CTF #stack_overflow 2 | original link: [IERAE CTF 2024 - Intel CET Bypass Challenge](https://gist.github.com/sroettger/fe66f7eb0cb10a8ebd1454875a7131ea) 3 | newsletter link: [exploits.club Weekly Newsletter 40 - iOS Kernel Exploitation, CET Bypasses, Elgato Hardware Repair, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-40-ios-kernel-exploitation-cet-bypasses-elgato-hardware-repair-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > What do you have a straight forward overflow but you need to bypass CET? 
Well that was the question posed by the Intel CET Bypass Challenge written by [@hugeh0ge](https://x.com/hugeh0ge) for IERAE CTF. [@\_tsuro](https://x.com/_tsuro) decided to try his hand at answering that question, and lucky for us, decided to document his solution. The post talks through the approach to bypassing CET and some of the other solutions used in the challenge, both intended and unintended. It then talk through his, easier solution which involved a call to `signal` to re-run the main function inside a signal handler. The post then talks through the shortcomings of CET, and potential ways this bypass could have been mitigated. -------------------------------------------------------------------------------- /IPC Fuzzing with Snapshots.md: -------------------------------------------------------------------------------- 1 | tags: #firefox #fuzzing #ipc 2 | original link: [IPC Fuzzing with Snapshots](https://blog.mozilla.org/attack-and-defense/2024/06/24/ipc-fuzzing-with-snapshots/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 27](https://blog.exploits.club/exploits-club-weekly-newsletter-27/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@mozdeco](https://x.com/mozdeco?lang=en&ref=blog.exploits.club) from Mozilla released a post on the company's security blog **detailing the new IPC fuzzing technique they have implemented for Firefox.** The technical implementation uses **Nyx for full-vm snapshots and AFL++ as the frontend.** There is also an [**open-source**](https://github.com/MozillaSecurity/snapshot-fuzzing?ref=blog.exploits.club) **custom agent which handles a handful of things.** The write-up then details how this stack can effectively be used to **fuzz a single IPC message, and how code coverage is tracked.** -------------------------------------------------------------------------------- /Inside The iOS Bug That Made Deleted Photos Reappear.md: 
-------------------------------------------------------------------------------- 1 | tags: #iOS #bindiff 2 | original link: [Inside The iOS Bug That Made Deleted Photos Reappear](https://www.synacktiv.com/publications/inside-the-ios-bug-that-made-deleted-photos-reappear?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 23](https://blog.exploits.club/exploits-club-weekly-newsletter-23/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > If you were seeing pictures of your long forgotten ex back in your photo library last week, you weren't alone. Apparently, iOS 17.5 introduced this bug for users, and it was patched out a week later in 17.5.1. [**Synacktiv**](https://www.synacktiv.com/en?ref=blog.exploits.club) **decided to investigate by comparing the two updates and doing a bit of bindiffing on the photo-related libraries.** The blog starts with obtaining the two updates and then jumps into **identifying the interesting files, diffing them, and understanding the patch.** -------------------------------------------------------------------------------- /Inside the LogoFAIL PoC - From Integer Overflow to Arbitrary Code Execution.md: -------------------------------------------------------------------------------- 1 | tags: #fuzzing #UEFI #heap_overflow 2 | original link: [Inside the LogoFAIL PoC: From Integer Overflow to Arbitrary Code Execution](https://binarly.io/posts/inside_the_logofail_poc_from_integer_overflow_to_arbitrary_code_execution/index.html?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 06](https://blog.exploits.club/exploits-club-weekly/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > In early December, [Binarly.io](https://binarly.io/?ref=blog.exploits.club) presented the technical details on [**LogoFAIL**](https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/?ref=blog.exploits.club)**, a vulnerability class resulting from custom images being parsed during 
boot.** This week, the team **released a detailed write-up on creating a PoC for one-such vulnerability.** The blog post walks through identifying an integer overflow via fuzzing and escalating that primitive to a heap-overflow resulting in code execution. -------------------------------------------------------------------------------- /Introducing Java fuzz harness synthesis using LLMs.md: -------------------------------------------------------------------------------- 1 | tags: #java #fuzzing #llm #ai 2 | original link: [Introducing Java fuzz harness synthesis using LLMs](https://blog.oss-fuzz.com/posts/introducing-java-auto-harnessing/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 38 - Linux Races, Blind Memory Corruption, LLM Java Fuzzing, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-38-linux-races-blind-memory-corruption-llm-java-fuzzing-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > OSS-Fuzz is *back* to talk about their ongoing LLM harness generation project. This time, the team has been focusing on how the project has been extended to work with everyone's favorite language, Java. The post takes a look at a Java fuzz harness sample before walking through a number of challenges associated with auto-generation such as object construction and exception handling. The team then shows 4 reliability bugs caught with generated harnesses, and concludes with some thoughts and ideas for future work. 
-------------------------------------------------------------------------------- /Introducing LLM-based harness synthesis for unfuzzed projects.md: -------------------------------------------------------------------------------- 1 | tags: #llm #fuzzing 2 | original link: [Introducing LLM-based harness synthesis for unfuzzed projects](https://blog.oss-fuzz.com/posts/introducing-llm-based-harness-synthesis-for-unfuzzed-projects/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 23](https://blog.exploits.club/exploits-club-weekly-newsletter-23/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > **Ahhhh fuzzing and LLMs, a tale as old as 1-2 years ago.** This week OSS-Fuzz released a blog on some interesting work they are doing around automated harness creation via LLMs. **The goal is to end up with an OSS-Fuzz project, taking only a GitHub URL as input.** Magic? No, that's _the_ _power of AI, baby_. **The post wraps up with the results of the testing thus far, which includes 3 vulnerabilities found across 15 projects.** 8 | 9 | 10 | --- 11 | backlink: [[OSS-Fuzz Gen]] -------------------------------------------------------------------------------- /Introduction To Windows Secure Channel RCE - CVE-2024-28148.md: -------------------------------------------------------------------------------- 1 | tags: #methodology #dos #uaf #windows #secure_channel 2 | original link: [Introduction To Windows Secure Channel RCE: CVE-2024-28148](https://v-v.space/2024/08/19/CVE-2024-38148/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 35 - NPU exploits, Phrack 71, 2014 Tablet Hacks, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-35-npu-exploits-phrack-71-2014-tablet-hacks-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > In a new post this week, [**@vv474172261**](https://x.com/vv474172261?ref=blog.exploits.club) **shows us how a DOS bug may actually just be a skill issue.** **The post takes a look 
at a UAF in Windows Secure Channel (**[**CVE-2024-38148**](https://v-v.space/2024/08/19/CVE-2024-38148/?ref=blog.exploits.club)**), walking through a quick patch diff, running through an RCA, and explaining why Microsoft is wrong to think its not exploitable.** The most interesting part about the post, though, is what inspired Victor to look at the patch. Turns out, he had previously audited secure channel before and **includes some reflections on how he missed the vuln** and his takeaways moving forward. -------------------------------------------------------------------------------- /Ivan Frantic's MacOS Video Decoder Bugs.md: -------------------------------------------------------------------------------- 1 | tags: #macos #media_decoder #fuzzing 2 | original link: [Ivan Frantic's MacOS Video Decoder Bugs](https://twitter.com/ifsecure/status/1745494386517938639?ref=blog.exploits.club) 3 | newsletter link: 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Ivan Frantic posted this week on Twitter that he reported **15 video decoding bugs to Apple** in December. The Tweet thread linked both to the [issues](https://x.com/ifsecure/status/1745494386517938639?s=20&ref=blog.exploits.club) and the [fuzzing methodology](https://github.com/googleprojectzero/Jackalope/tree/main/examples/VideoToolbox?ref=blog.exploits.club) write-up (now included in the Jackalope examples). 
-------------------------------------------------------------------------------- /Jailbreaking The Apple HomePod - Fun With Checkm8 And Smart Speakers.md: -------------------------------------------------------------------------------- 1 | tags: #hardware_hacking #iot #firmware 2 | original link: [Jailbreaking The Apple HomePod: Fun With Checkm8 And Smart Speakers](https://www.youtube.com/watch?v=C04YXQk3zlE&ab_channel=nullcon&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 11](https://blog.exploits.club/exploits-club-weekly-newsletter-10-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Yes, yes we are late to this one. The recording was uploaded to YouTube two weeks ago and the presentation is from last year. But that doesn't make it any less fun. This talk given by [@Tihmstar](https://twitter.com/tihmstar?ref=blog.exploits.club) and [@LinusHenze](https://twitter.com/LinusHenze?ref=blog.exploits.club) **walks through the software and hardware of the Apple HomePod, before jumping into exploitation and discussing the different things you can do with a jailbroken HomePod.** -------------------------------------------------------------------------------- /Jailbreaking an Electric Vehicle in 2023.md: -------------------------------------------------------------------------------- 1 | tags: #glitching #car_hacking #tesla #hardware_hacking 2 | original link: [Jailbreaking an Electric Vehicle in 2023](https://www.youtube.com/watch?v=5tLNRk7mZXo&t=18s&ab_channel=BlackHat&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 02](https://blog.exploits.club/exploits-club-weekly-newsletter-02/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > -------------------------------------------------------------------------------- /Java Deserialization Tricks.md: -------------------------------------------------------------------------------- 1 | tags: #java #deserialization 2 | original link: [Java Deserialization 
Tricks](https://www.synacktiv.com/en/publications/java-deserialization-tricks.html?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 13](https://blog.exploits.club/exploits-club-weekly-newsletter-12-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Synacktiv](https://www.synacktiv.com/en?ref=blog.exploits.club) put together a list of helpful **tips and tricks for Java Deserialization, specifically focusing on "once a gadget chain leading to RCE has been identified".** The post centers around how to **make your exploit stealthier and avoid detections.** The post also links out to other posts Synacktiv has written on the topic, which would serve as a great primer on the topic for anyone unfamiliar with exploiting the vuln class. -------------------------------------------------------------------------------- /Keynote - Rust in the Linux kernel.md: -------------------------------------------------------------------------------- 1 | tags: #rust #linux #kernel #android #binder 2 | original link: [Keynote | Rust in the Linux kernel](https://www.youtube.com/watch?v=CEznkXjYFb4&t=1s&ab_channel=RustLabConference&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 08](https://blog.exploits.club/exploits-club-weekly-newsletter-08/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Alice Ryhl gave the Keynote at [RustLab Conference](https://rustlab.it/?ref=blog.exploits.club) on writing a complex Linux kernel driver in Rust. The premise of the talk details Alice's journey in rewriting **Android's Binder driver**, and has a number of great takeaways. 
-------------------------------------------------------------------------------- /LLM-based Fuzz Harness generation with OSS-Fuzz-gen.md: -------------------------------------------------------------------------------- 1 | tags: #fuzzing #llm #ai #learning_resource 2 | original link: [LLM-based Fuzz Harness generation with OSS-Fuzz-gen](https://www.youtube.com/watch?v=RR7CUyOtYXY&ab_channel=AdaLogics) 3 | newsletter link: [exploits.club Weekly Newsletter 39 - bug.directory, Fuzzing Successes, SLUB Internals, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-39-bug-directory-fuzzing-successes-slub-internals-and-more-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > If you've been following any of the OSS-Fuzz news we've covered over the last few months, you may be getting excited about the idea of leveraging LLMs to generate harnesses. This week, YouTube channel [AdaLogics](https://www.youtube.com/@adalogics7389) released a 30-minute video taking a detailed look at the [oss-fuzz-gen](https://github.com/google/oss-fuzz-gen) repo and demonstrating it's usage to generate a simple harness. -------------------------------------------------------------------------------- /LLVM's 'RFC - C++ Buffer Hardening' at Google.md: -------------------------------------------------------------------------------- 1 | tags: #compilers #mitigation 2 | original link: [LLVM's 'RFC: C++ Buffer Hardening' at Google](https://bughunters.google.com/blog/6368559657254912/llvm-s-rfc-c-buffer-hardening-at-google?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 08](https://blog.exploits.club/exploits-club-weekly-newsletter-08/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > This is an interesting post out of Google discussing **how the team approaches proposed memory safety mitigations** and their potential trade-offs in shipped products. 
In particular, it discusses LLVM's introduction of [C++ Buffer Hardening](https://discourse.llvm.org/t/rfc-c-buffer-hardening/65734?ref=blog.exploits.club) , and how **the RFC was evaluated and eventually adopted into Andromeda**, GCP's Network Virtualization Stack. -------------------------------------------------------------------------------- /Leveraging Binary Ninja IL To Reverse a Custom ISA - Cracking The Pot Of Gold 37C3.md: -------------------------------------------------------------------------------- 1 | tags: #CTF #binary_ninja #decompilation #stack_overflow #rop 2 | original link: [LEVERAGING BINARY NINJA IL TO REVERSE A CUSTOM ISA: CRACKING THE “POT OF GOLD” 37C3](https://www.synacktiv.com/publications/leveraging-binary-ninja-il-to-reverse-a-custom-isa-cracking-the-pot-of-gold-37c3?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 03](https://blog.exploits.club/exploits-club-weekly-newsletter-03/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > A detailed write-up solving a **custom architecture PWN challenge from the 37C3 CTF**. This post does an excellent job highlighting the **Binary Ninja Plugin API**, and the solution ends up being relatively straight forward after just writing just a few 100 lines of Python. 
8 | -------------------------------------------------------------------------------- /Linux - UAF in the tipc_buf_append().md: -------------------------------------------------------------------------------- 1 | tags: #uaf #linux #lpe #tipc 2 | original link: [Linux: UAF in the tipc_buf_append()](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=080cbb890286cd794f1ee788bbc5463e2deb7c2b&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Linux: UAF in the tipc_buf_append()](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=080cbb890286cd794f1ee788bbc5463e2deb7c2b&ref=blog.exploits.club) -------------------------------------------------------------------------------- /Linux Kernel - Vulnerability in the eBPF verifier register limit tracking.md: -------------------------------------------------------------------------------- 1 | tags: #kernel #linux #ebpf #lpe 2 | original link: [Linux Kernel: Vulnerability in the eBPF verifier register limit tracking](https://github.com/google/security-research/security/advisories/GHSA-hfqc-63c7-rj9f?ref=blog.exploits.club#event-251168) 3 | newsletter link: [exploits.club Weekly Newsletter 30](https://blog.exploits.club/exploits-club-weekly-newsletter-30/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@thatjiaozi](https://x.com/thatjiaozi?ref=blog.exploits.club) published an **interesting eBPF vulnerability on the** [**Google Security Research Github**](https://github.com/google/security-research?ref=blog.exploits.club) **repo earlier this week.** The bug itself was identified via a modified version of [buzzer](https://github.com/google/buzzer?ref=blog.exploits.club), and allows **"an attacker to trick the eBPF verifier into thinking a register has a value different from the one it takes when executing the program".** Essentially, the verifier 
attempts to keep track of the minimum and maximum value a specific register can hold, and this **bug allows that assumption to be broken, leading to arbitrary R/W in kernel memory.** -------------------------------------------------------------------------------- /Linux Kernel CodeQL Queries.md: -------------------------------------------------------------------------------- 1 | tags: #linux #kernel #static_analysis #codeQL #learning_resource 2 | original link: - [CodeQL queries for objects in the Linux Kernel](https://github.com/google/security-research/blob/master/analysis/kernel/heap-exploitation/README.md?ref=blog.exploits.club). 3 | newsletter link: [exploits.club Weekly Newsletter 05](https://blog.exploits.club/exploits-club-weekly-newsletter-05/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > CodeQL queries for objects in the Linux Kernel potentially relevant for exploitation. -------------------------------------------------------------------------------- /Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability.md: -------------------------------------------------------------------------------- 1 | tags: #linux #kernel #GSM #lpe #race_condition #uaf 2 | original link: [Linux Kernel GSM Multiplexing Race Condition Local Privilege Escalation Vulnerability](https://github.com/Nassim-Asrir/ZDI-24-020?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 04](https://blog.exploits.club/exploits-club-weekly-newsletter-04/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > This week, [@pikala](https://twitter.com/p1k4l4?ref=blog.exploits.club) released a **technical analysis and exploit for** [**CVE-2023-6546**](https://nvd.nist.gov/vuln/detail/CVE-2023-6546?ref=blog.exploits.club)**.** The write-up itself walks through the bug (**a race condition leading to a UAF**), discusses bypassing modern kernel protections, and ends with the exploit strategy. 
-------------------------------------------------------------------------------- /Linux Kernel Int Overflow Leading To Priv Esc.md: -------------------------------------------------------------------------------- 1 | tags: #linux #lpe #integer_overflow #kernel 2 | original link: [Linux Kernel Int Overflow Leading To Priv Esc](https://ssd-disclosure.com/ssd-advisory-linux-kernel-nft_validate_register_store-integer-overflow-privilege-escalation/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 24](https://blog.exploits.club/exploits-club-weekly-newsletter-24/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [SSD Secure Disclosure Team](https://ssd-disclosure.com/?ref=blog.exploits.club) released a Linux privesc write-up this week which was patched in July of 2023. **The bug is a straightforward int overflow which results in a OOB read and write primitive.** The post ends with a **full PoC which uses `nft_payload` to leak stack info and bypass KASLR, overwrite the return address, and ROP to overwrite modprobe.** -------------------------------------------------------------------------------- /Making Mojo Exploits More Difficult.md: -------------------------------------------------------------------------------- 1 | tags: #mitigation #mojo #edge #chrome 2 | original link: [Making Mojo Exploits More Difficult](https://microsoftedge.github.io/edgevr/posts/Making-Mojo-Exploits-More-Difficult/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 13](https://blog.exploits.club/exploits-club-weekly-newsletter-12-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > The Microsoft Browser Vulnerability Research Team put out a post last week discussing **new security mitigations being implemented in Chromium-based browsers.** The mitigation centers around Mojo and MojoJS, and **targets attacks which enable MojoJS as a means of using the Mojo interface** in a step to escape the browser sandbox. 
-------------------------------------------------------------------------------- /Mali GPU Kernel LPE.md: -------------------------------------------------------------------------------- 1 | tags: #mali #gpu #lpe #android #integer_overflow #info_leak 2 | original link: [Mali GPU Kernel LPE](https://github.com/0x36/Pixel_GPU_Exploit?ref=blog.exploits.club#mali-gpu-kernel-lpe) 3 | newsletter link: [exploits.club Weekly Newsletter 12](https://blog.exploits.club/exploits-club-weekly-newsletter-12/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | >  Babe, wake up - two new Mali GPU bugs just dropped. [@simo36](https://twitter.com/_simo36?ref=blog.exploits.club) dropped a [tweet](https://x.com/_simo36/status/1768047504979857500?s=20&ref=blog.exploits.club) on Wednesday, mentioning that he **reported over 10 kernel bugs to Google** and he was releasing his first exploit. The exploit takes advantage of an **integer overflow and an info leak,** and the post does an excellent job walking through each vulnerability before diving into exploitation. 
-------------------------------------------------------------------------------- /Mind the Patch Gap - Exploiting an io_uring Vulnerability in Ubuntu.md: -------------------------------------------------------------------------------- 1 | tags: #io_uring #linux #lpe #uaf 2 | original link: [Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu](https://blog.exodusintel.com/2024/03/27/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 14](https://blog.exploits.club/exploits-club-weekly-newsletter-14/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@XI_Research](https://twitter.com/XI_Research?ref=blog.exploits.club) put out a new post this week detailing exploitation of [CVE-2024-0582](https://nvd.nist.gov/vuln/detail/CVE-2024-0582?ref=blog.exploits.club), **a UAF in `io_uring`.** The blog notes the bug was **originally patched back in December of 2023**, but wasn't brought to the **Ubuntu kernel until late February.** The post then dives into a brief overview of `io_uring`, a root-cause analysis of the vulnerability, and the **data-only exploit written by the team.** -------------------------------------------------------------------------------- /Missing signs - how several brands forgot to secure a key piece of Android.md: -------------------------------------------------------------------------------- 1 | tags: #android #stack_overflow #compilers 2 | original link: [Missing signs: how several brands forgot to secure a key piece of Android](https://rtx.meta.security/exploitation/2024/01/30/Android-vendors-APEX-test-keys.html?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 06](https://blog.exploits.club/exploits-club-weekly/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > -------------------------------------------------------------------------------- /Modern Anti-Abuse Mechanisms in Competitive Video Games at Black Hat 2024.md: 
-------------------------------------------------------------------------------- 1 | tags: #game_hacking #mitigation 2 | original link: [Modern Anti-Abuse Mechanisms in Competitive Video Games at Black Hat 2024](https://dustri.org/b/modern-anti-abuse-mechanisms-in-competitive-video-games-at-black-hat-2024.html?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-34-v8-confusions-smart-speaker-spying-summer-camp-round-up-and-more-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Modern Anti-Abuse Mechanisms in Competitive Video Games at Black Hat 2024](https://dustri.org/b/modern-anti-abuse-mechanisms-in-competitive-video-games-at-black-hat-2024.html?ref=blog.exploits.club) -------------------------------------------------------------------------------- /Modern Cryptographic Attacks - A Guide For The Perplexed.md: -------------------------------------------------------------------------------- 1 | tags: #crypto #learning_resource 2 | original link: [Modern Cryptographic Attacks: A Guide For The Perplexed](https://research.checkpoint.com/2024/modern-cryptographic-attacks-a-guide-for-the-perplexed/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 28](https://blog.exploits.club/exploits-club-weekly-newsletter-28/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > You know that guy on your CTF team that does all the crypto, and you don't understand anything he's saying, but you just let him keep doing his thing? This new post from [Checkpoint Research](https://research.checkpoint.com/?ref=blog.exploits.club) is intended to close the language barrier a bit. 
**The post walks through a handful of modern cryptographic attacks in extreme detail, using analogies and abstractions along the way to ensure your "perplexed" mind can handle it.** It's a really cool resource; we aren't sure if there is anything else out there like it...but then again, we actively avoid crypto challenges and bugs. -------------------------------------------------------------------------------- /Molding Lies Into Reality - Exploiting CVE-2024-4358.md: -------------------------------------------------------------------------------- 1 | tags: #enterprise_app #NET #deserialization #auth_bypass 2 | original link: [Molding Lies Into Reality: Exploiting CVE-2024-4358](https://summoning.team/blog/progress-report-server-rce-cve-2024-4358-cve-2024-1800/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 24](https://blog.exploits.club/exploits-club-weekly-newsletter-24/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@SinSinology](https://x.com/SinSinology?ref=blog.exploits.club) released a post detailing a**n auth bypass he found in the** [**Telerick Report Server**](https://www.telerik.com/report-server?ref=blog.exploits.club)**, and how it could be combined with a deserialization vuln to achieve a full chain.** This research stemmed from an advisory for the deserialization issue which initially claimed to be reachable by an unauthenticated user, but was later updated to reflect permissions were needed. 
Thus, **he set out to find an auth bypass and then to exploit the 1-day deserialization vuln.** The post is extremely in-depth, covering **the internals of the report server, concepts for advanced .NET deserialization, and his attacker thought process.**

--------------------------------------------------------------------------------
/NVIDIA GPU Compiler Driver Shader Functionality out-of-bounds read vulnerability.md:
--------------------------------------------------------------------------------
tags: #OOB_read #gpu
original link: [NVIDIA GPU Compiler Driver Shader Functionality out-of-bounds read vulnerability](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1956?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 32 - Popping Basebands, Pwnie Nominated PrivEscs, The Compiler Landscape, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-32-2/)

---
## Exploits Club Summary:
> [NVIDIA GPU Compiler Driver Shader Functionality out-of-bounds read vulnerability](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1956?ref=blog.exploits.club)

--------------------------------------------------------------------------------
/Nintendo Switch Game Hacking Resources.md:
--------------------------------------------------------------------------------
tags: #console_hacking #nintendo #learning_resource #game_hacking
original link: [Nintendo Switch Game Hacking Resources](https://github.com/nintendoSwitch12/NintendoSwitchGameHacking?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 01](https://blog.exploits.club/vuln-research-newsletter-01/)

---
## Exploits Club Summary:
> A GitHub repo to get you up to speed on security research for Nintendo Switch games. With some [interesting](https://hackerone.com/reports/1541273?ref=blog.exploits.club) recent reports coming out of Nintendo's bug bounty program, this could serve as a good primer for getting into a potentially under-researched target.

--------------------------------------------------------------------------------
/Nintendo hacking 2023-2008.md:
--------------------------------------------------------------------------------
tags: #console_hacking #glitching #nintendo #hardware_hacking
original link: [Nintendo hacking 2023: 2008](https://events.ccc.de/congress/2023/hub/en/event/nintendo_hacking_2023_2008/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 01](https://blog.exploits.club/vuln-research-newsletter-01/)

---
## Exploits Club Summary:
> It wouldn't be a C3 without a console hacking talk, and this breakdown on jailbreaking the Nintendo DSi certainly fills that role. Lots of interesting tidbits in this talk, ranging from advanced hardware hacking to binary exploitation to self-rolled crypto (yikes).

--------------------------------------------------------------------------------
/No Way, PHP Strikes Again - CVE-2024-4577.md:
--------------------------------------------------------------------------------
tags: #php #command_injection
original link: [No Way, PHP Strikes Again: CVE-2024-4577](https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 25](https://blog.exploits.club/exploits-club-weekly-newsletter-25/)

---
## Exploits Club Summary:
> Last week [**@orange_8361**](https://x.com/orange_8361?ref=blog.exploits.club) **tweeted that PHP had fixed an RCE vulnerability** he had reported. In the tweet, he included a [short write-up with a bit more information](https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html?ref=blog.exploits.club). That seemed enough for **the team over at** [**Watchtowr**](https://watchtowr.com/?ref=blog.exploits.club)**, who released a blog post a few hours later, complete with a full RCA and exploit.** The vulnerability itself **stems from a mix-up in the Unicode handling for command line arguments**, resulting in an injection.

--------------------------------------------------------------------------------
/OSS-Fuzz Gen.md:
--------------------------------------------------------------------------------
tags: #fuzzing #llm
original link: [OSS-Fuzz Gen](https://github.com/google/oss-fuzz-gen?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 06](https://blog.exploits.club/exploits-club-weekly/)

---
## Exploits Club Summary:
> If you're like us, you have probably thought about how LLMs and fuzzing may play nicely together. **Google wrote about** [**some ideas**](https://security.googleblog.com/2023/08/ai-powered-fuzzing-breaking-bug-hunting.html?ref=blog.exploits.club) **in the space back in August of last year**, and **this week they** [**announced the open-sourcing**](https://x.com/infernosec/status/1752784915543019589?s=20&ref=blog.exploits.club) **of their LLM-powered fuzzing framework.**

--------------------------------------------------------------------------------
/OST2 Introductory Course To HyperDbg.md:
--------------------------------------------------------------------------------
tags: #hypervisor #learning_resource
original link: [OST2 Introductory Course To HyperDbg](https://www.youtube.com/playlist?list=PLUFkSN0XLZ-kF1f143wlw8ujlH2A45nZY&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 29](https://blog.exploits.club/exploits-club-weekly-newsletter-29/)

---
## Exploits Club Summary:
> Last week, we featured Open Source Security Training 2's Windows Kernel Exploitation Course. This week, **we wanted to acknowledge another free course they have been promoting recently. The intro course for** [**HyperDbg**](https://github.com/HyperDbg/HyperDbg?ref=blog.exploits.club) **consists of 65 video lessons, and a full Map Of Content can be viewed** [**here**](https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Dbg3301_HyperDbg+2023_v1/about?ref=blog.exploits.club)**!**

--------------------------------------------------------------------------------
/One Year of Mobile VRP - Reward Increases and Lessons Learned.md:
--------------------------------------------------------------------------------
tags: #android #google_VRP
original link: [One Year of Mobile VRP: Reward Increases and Lessons Learned](https://bughunters.google.com/blog/5792192022577152/one-year-of-mobile-vrp-reward-increases-and-lessons-learned?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/)

---
## Exploits Club Summary:
> The Google VRP team put out a **short post recapping the first year of the Mobile program's existence.** The post **highlights the most common vulnerabilities seen and the vulnerabilities which consistently had the highest payouts.** In addition, the post announces that **rewards are being upgraded, in some cases by 10x (RCE for a Tier one app is now $300k).** Reports can also **garner additional rewards based on their quality.**

--------------------------------------------------------------------------------
/OpenSSH Backdoors.md:
--------------------------------------------------------------------------------
tags: #openSSH #supply_chain
original link: [OpenSSH Backdoors](https://blog.isosceles.com/openssh-backdoors/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 36 - Regex Fuzzing, C++ Metadata, Kernel Streaming, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-36-regex-fuzzing-c-metadata-kernel-streaming-and-more/)

---
## Exploits Club Summary:
> Everyone's favorite blogger, [**@benhawkes**](https://x.com/benhawkes?lang=en&ref=blog.exploits.club) **returned to the** [**Isosceles**](https://isosceles.com/?ref=blog.exploits.club) **blog this week to write about the OpenSSH backdoor... and maybe not the one you are thinking of.** The post examines a **backdoor attempt on the critical software back in 2002** and compares the **similarities and differences to the 2024 xz-utils debacle**. The biggest takeaway? **Supply chain security is a real mess.**

--------------------------------------------------------------------------------
/Operation Mango - Scalable Discovery of Taint-Style Vulnerabilities in Binary Firmware Services.md:
--------------------------------------------------------------------------------
tags: #linux #firmware #static_analysis
original link: [Operation Mango: Scalable Discovery of Taint-Style Vulnerabilities in Binary Firmware Services](https://wilgibbs.com/papers/mango_usenix24.pdf?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 14](https://blog.exploits.club/exploits-club-weekly-newsletter-14/)

---
## Exploits Club Summary:
> This paper, which was just **accepted to USENIX '24**, walks through **"MangoDFA, a novel binary data-flow analysis leveraging value analysis and data dependency analysis on binary code"**. The key idea is a **scalable way to statically analyze Linux-based IoT firmware for common bugs.** The results showed that the tool was able to both **analyze binaries more quickly and find more bugs** compared to the other solutions currently available.

--------------------------------------------------------------------------------
/Oracle VM VirtualBox 7.0.10 r158379 Escape (CVE-2023-22098 PoC).md:
--------------------------------------------------------------------------------
tags: #hypervisor #OOB_write #virtualbox
original link: [Oracle VM VirtualBox 7.0.10 r158379 Escape (CVE-2023-22098 PoC)](https://github.com/google/security-research/tree/master/pocs/oracle/virtualbox/cve-2023-22098?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 09](https://blog.exploits.club/exploits-club-weekly-newsletter-09/)

---
## Exploits Club Summary:
> [@theFlow0](https://twitter.com/theflow0?ref=blog.exploits.club) put out a tweet this week detailing his **research into virtio-net for VirtualBox** last year. He released a "**100% reliable escape using an out-of-bounds-write (with ASLR defeat)**". The exploit was posted on the [Google Security Research GitHub repo](https://github.com/google/security-research/tree/master?ref=blog.exploits.club).

--------------------------------------------------------------------------------
/Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400).md:
--------------------------------------------------------------------------------
tags: #enterprise_app #command_injection #ITW #panw
original link: [Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)](https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 17](https://blog.exploits.club/exploits-club-weekly-newsletter-17/)

---
## Exploits Club Summary:
> More enterprise VPN issues, and honestly, who can be surprised at this point? As called out in this [Watchtowr](https://watchtowr.com/?ref=blog.exploits.club) post, [Volexity](https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/?ref=labs.watchtowr.com) identified the vulnerability and did a great initial write-up. Watchtowr then followed that post with a **deep dive into a root cause analysis and exploit of the vulnerability based on the CVE description.** Plus, it's full of memes, and we love memes. TL;DR it's a _very_ sophisticated... **command injection.**

--------------------------------------------------------------------------------
/Pixel Tablet Dock (korlan) Secure Boot Bypass.md:
--------------------------------------------------------------------------------
tags: #secure_boot #microcontroller #hardware_hacking
original link: [Pixel Tablet Dock (korlan) Secure Boot Bypass](https://oddsolutions.github.io/Pixel-Tablet-Dock-Secure-Boot-Bypass/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 28](https://blog.exploits.club/exploits-club-weekly-newsletter-28/)

---
## Exploits Club Summary:
> A fun post from ODS Security Research covering the team's exploitation of the Google Pixel Tablet Dock. **The post discusses how they could get a U-Boot shell on the device, extract the relevant boot images, and modify them to disable AML Secure Boot.**

--------------------------------------------------------------------------------
/PixieFail - Nine vulnerabilities in Tianocore's EDK II IPv6 network stack..md:
--------------------------------------------------------------------------------
tags: #UEFI #IPv6
original link: [PixieFail: Nine vulnerabilities in Tianocore's EDK II IPv6 network stack.](https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 04](https://blog.exploits.club/exploits-club-weekly-newsletter-04/)

---
## Exploits Club Summary:
> If you have been on Twitter this week, you likely came across this write-up from [Quarkslab](https://www.quarkslab.com/?ref=blog.exploits.club) detailing a handful of **vulnerabilities they found in EDK II**. The blog walks through what a Preboot Execution Environment is and how it works, before diving into the vulnerabilities themselves.

--------------------------------------------------------------------------------
/PoC for CVE-2023-4427.md:
--------------------------------------------------------------------------------
tags: #OOB_read #chrome #v8
original link: [**PoC**](https://github.com/tianstcht/CVE-2023-4427?ref=blog.exploits.club) **for** [**CVE-2023-4427**](https://nvd.nist.gov/vuln/detail/CVE-2023-4427?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 07](https://blog.exploits.club/exploits-club-weekly-newsletter-07/)

---
## Exploits Club Summary:
> [@tchght](https://twitter.com/tchght?ref=blog.exploits.club) **released a** [**PoC**](https://github.com/tianstcht/CVE-2023-4427?ref=blog.exploits.club) **for** [**CVE-2023-4427**](https://nvd.nist.gov/vuln/detail/CVE-2023-4427?ref=blog.exploits.club), an **OOB Memory Access** in V8.

--------------------------------------------------------------------------------
/Potential One Click MMS RCE on Xiomi via Malicious GIF.md:
--------------------------------------------------------------------------------
tags: #media_decoder #android #stack_overflow #messenger
original link: [Potential One Click MMS RCE on Xiomi via Malicious GIF](https://bugs.chromium.org/p/apvi/issues/detail?id=149&q=&can=1&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 29](https://blog.exploits.club/exploits-club-weekly-newsletter-29/)

---
## Exploits Club Summary:
> [Potential One Click MMS RCE on Xiomi via Malicious GIF](https://bugs.chromium.org/p/apvi/issues/detail?id=149&q=&can=1&ref=blog.exploits.club)

--------------------------------------------------------------------------------
/PowerVR - integer overflows in DevmemXIntMapPages() and DevmemXIntUnmapPages(), exploitable as dangling GPU page table entries.md:
--------------------------------------------------------------------------------
tags: #gpu #PowerVR #integer_overflow
original link: [PowerVR: integer overflows in DevmemXIntMapPages() and DevmemXIntUnmapPages(), exploitable as dangling GPU page table entries](https://bugs.chromium.org/p/project-zero/issues/detail?id=2543&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 32 - Popping Basebands, Pwnie Nominated PrivEscs, The Compiler Landscape, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-32-2/)

---
## Exploits Club Summary:
> [PowerVR: integer overflows in DevmemXIntMapPages() and DevmemXIntUnmapPages(), exploitable as dangling GPU page table entries](https://bugs.chromium.org/p/project-zero/issues/detail?id=2543&ref=blog.exploits.club)

--------------------------------------------------------------------------------
/Puckungfu 2 - Another NETGEAR WAN Command Injection.md:
--------------------------------------------------------------------------------
tags: #router #pwn2own #command_injection
original link: [Puckungfu 2: Another NETGEAR WAN Command Injection](https://research.nccgroup.com/2024/02/09/puckungfu-2-another-netgear-wan-command-injection/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 08](https://blog.exploits.club/exploits-club-weekly-newsletter-08/)

---
## Exploits Club Summary:
> [NCC Group](https://research.nccgroup.com/?ref=blog.exploits.club) released a follow-up to their original [Puckungfu](https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-injection/?ref=blog.exploits.club) post, detailing a **different command injection bug they were able to use in Pwn2Own 2022** after Netgear patched their original one just days before the competition. For this bug, the cron job which served as the entry to the buggy code path only triggered randomly between 1:00 AM and 4:00 AM. For Pwn2Own, the team devised a **strategy to trigger the job by remotely altering the device's time zone and accurately predicting the cron job's 'random' timing within a minute.**

--------------------------------------------------------------------------------
/Pumping Iron on the Musl Heap - Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap.md:
--------------------------------------------------------------------------------
tags: #allocator #linux #learning_resource
original link: [Pumping Iron on the Musl Heap: Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap](https://research.nccgroup.com/2024/06/11/pumping-iron-on-the-musl-heap-real-world-cve-2022-24834-exploitation-on-an-alpine-mallocng-heap/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 25](https://blog.exploits.club/exploits-club-weekly-newsletter-25/)

---
## Exploits Club Summary:
> A new post from [NCC Group](https://www.nccgroup.com/us/?ref=blog.exploits.club) this week, walking through the **exploitation of** [**CVE-2022-24834**](https://nvd.nist.gov/vuln/detail/CVE-2022-24834?ref=blog.exploits.club), a **heap overflow affecting the Lua cjson module in Redis Servers.** The team decided to target Alpine 13.8, which uses **musl libc**, rendering exploits written for Ubuntu and other similar distros based on GNU libc useless. The **post dives into musl's allocator (mallocng)** before walking through the exploit. The blog is highly in-depth and leaves no stone unturned, so read it.

--------------------------------------------------------------------------------
/QNAP QTS - QNAPping At The Wheel (CVE-2024-27130 and friends).md:
--------------------------------------------------------------------------------
tags: #iot #stack_overflow
original link: [QNAP QTS: QNAPping At The Wheel (CVE-2024-27130 and friends)](https://labs.watchtowr.com/qnap-qts-qnapping-at-the-wheel-cve-2024-27130-and-friends/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 22](https://blog.exploits.club/exploits-club-weekly-newsletter-22/)

---
## Exploits Club Summary:
> What do you get when you **take a NAS device and bolt on a custom web server which forwards commands to various CGI scripts written in C**? A **remotely exploitable stack overflow like it's 1999**. That's exactly what [watchTowr Labs](https://watchtowr.com/?ref=blog.exploits.club) demonstrated on the QNAP QTS in their most recent blog post. And in traditional watchTowr fashion, the post is just generally fun to read, so give it a read.

--------------------------------------------------------------------------------
/QakBot attacks with Windows zero-day (CVE-2024-30051).md:
--------------------------------------------------------------------------------
tags: #ITW #QakBot #lpe #windows
original link: [QakBot attacks with Windows zero-day (CVE-2024-30051)](https://securelist.com/cve-2024-30051/112618/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 21](https://blog.exploits.club/exploits-club-weekly-newsletter-21/)

---
## Exploits Club Summary:
> [Kaspersky](https://blog.exploits.club/exploits-club-weekly-newsletter-21/kaspersky.com) researchers accidentally **stumbled across an 0-day** (we hate it when that happens!) **being used together with** [**QakBot**](https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/qakbot?ref=blog.exploits.club)**.** While the team has not provided too many technical details at this time as they wait for users to patch their systems, it was noted that the exploit is **very similar to** [**CVE-2023-36033**](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36033?ref=blog.exploits.club)**, which has a** [**nice RCA already as part of P0's ITW efforts.**](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2023/CVE-2023-36033.html?ref=blog.exploits.club)

--------------------------------------------------------------------------------
/Qualys Releases Two glibc Bugs.md:
--------------------------------------------------------------------------------
tags: #glibc #heap_overflow #OOB_write #OOB_read
original link: [Qualys Releases Two glibc Bugs](https://www.qualys.com/research/security-advisories/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 06](https://blog.exploits.club/exploits-club-weekly/)

---
## Exploits Club Summary:
> Qualys released advisories for **two vulnerabilities they identified in glibc**. [The first](https://www.qualys.com/2024/01/30/qsort.txt?ref=blog.exploits.club) was an **OOB read and write in `qsort()`** due to a missing bounds check. [The second](https://www.qualys.com/2024/01/30/cve-2023-6246/syslog.txt?ref=blog.exploits.club) was a **heap-based buffer overflow affecting** `syslog()`.

--------------------------------------------------------------------------------
/RCE & SQLi for pre-auth RCE in IP.Board e-commerce plugin ‘nexus’.md:
--------------------------------------------------------------------------------
tags: #enterprise_app #sqli #command_injection
original link: [RCE & SQLi for pre-auth RCE in IP.Board e-commerce plugin ‘nexus’](https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 16](https://blog.exploits.club/exploits-club-weekly-newsletter-16/)

---
## Exploits Club Summary:
> [**RCE & SQLi for pre-auth RCE in IP.Board e-commerce plugin ‘nexus’**](https://ssd-disclosure.com/ssd-advisory-ip-board-nexus-rce-and-blind-sqli/?ref=blog.exploits.club)

--------------------------------------------------------------------------------
/RCE on Ollama.md:
--------------------------------------------------------------------------------
tags: #path_traversal #ai
original link: [RCE on Ollama](https://x.com/sagitz_/status/1805261557481312623?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 27](https://blog.exploits.club/exploits-club-weekly-newsletter-27/)

---
## Exploits Club Summary:
> While we are on the topic of AI... how is the state of security for the AI products themselves, you might ask? **I think this small Twitter thread might provide some insight into that question.**

--------------------------------------------------------------------------------
/ROPing Routers From Scratch - Step-By-Step TEnda Ac8v4 MIPs 0day Flow-Control ROP to RCE.md:
--------------------------------------------------------------------------------
tags: #MIPs #rop #learning_resource
original link: [ROPing Routers From Scratch: Step-By-Step TEnda Ac8v4 MIPs 0day Flow-Control ROP -> RCE](https://0reg.dev/blog/tenda-ac8-rop?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 25](https://blog.exploits.club/exploits-club-weekly-newsletter-25/)

---
## Exploits Club Summary:
> We think [@retr0reg](https://x.com/retr0reg?ref=blog.exploits.club) summed up all of our thoughts nicely at the start of this post with the following line: **"Not sure why but I am always obsessed with assemblies, caller stacks, and glibc heaps and kinds of stuff."** The write-up takes a previous bug [@retr0reg](https://x.com/retr0reg?ref=blog.exploits.club) found and walks through the process of writing an exploit for it. The post **discusses testing environment setup before writing a ROP chain on a MIPS device.** Whether you are interested in getting up to speed on MIPS specifically or writing real-world exploits for 1-days, this is a great primer.

--------------------------------------------------------------------------------
/Race condition in 9p File System.md:
--------------------------------------------------------------------------------
tags: #uaf #linux #kernel #race_condition
original link: [Race condition in 9p File System](https://r00tkitsmm.github.io/fuzzing/2024/05/29/Race-into-9p.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 23](https://blog.exploits.club/exploits-club-weekly-newsletter-23/)

---
## Exploits Club Summary:
> A quick and dirty blog post from [@R00tkitSMM](https://x.com/R00tkitSMM?ref=blog.exploits.club) covering a **race condition leading to a UAF in the Linux kernel.** The blog comes complete with a **quick explanation, a rundown of the vulnerable code and the patch, as well as a PoC.**

--------------------------------------------------------------------------------
/Race conditions in Linux Kernel perf events.md:
--------------------------------------------------------------------------------
tags: #race_condition #page_reuse #lpe #kernel #linux
original link: [Race conditions in Linux Kernel perf events](https://binarygecko.com/race-conditions-in-linux-kernel-perf-events/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 38 - Linux Races, Blind Memory Corruption, LLM Java Fuzzing, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-38-linux-races-blind-memory-corruption-llm-java-fuzzing-and-more/)

---
## Exploits Club Summary:
> [Binary Gecko](https://binarygecko.com/?ref=blog.exploits.club) has been on a roll recently with the blog posts. We first covered their Chrome write-up just [two weeks ago](https://blog.exploits.club/exploits-club-weekly-newsletter-36-regex-fuzzing-c-metadata-kernel-streaming-and-more/), and now they are back with **a Linux bug they recently disclosed to the kernel security team**. The core issue (as the title suggests) is **a race condition in perf events that leads to a page reuse primitive.** The blog is highly technical, covering all the structs and code paths you need to understand the core issue and the team's exploit.

--------------------------------------------------------------------------------
/Radek Domanski from FlashBack team on PWN2OWN.md:
--------------------------------------------------------------------------------
tags: #methodology #interview #pwn2own
original link: [Radek Domanski from FlashBack team on PWN2OWN](https://www.youtube.com/watch?v=qAn6B4l6y-A&ab_channel=SYSPWN&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 03](https://blog.exploits.club/exploits-club-weekly-newsletter-03/)

---
## Exploits Club Summary:
> A few months ago, a YouTube channel called SysPWN started doing interviews with researchers, having them walk through their typical methodology. The most recent interview, with **Radek Domanski**, just went live and **walks through his approach to Pwn2Own targets.**

--------------------------------------------------------------------------------
/Reasons for the Unreasonable Success of Fuzzing.md:
--------------------------------------------------------------------------------
tags: #fuzzing #methodology #learning_resource #llm
original link: [Reasons for the Unreasonable Success of Fuzzing](https://www.youtube.com/watch?v=Jd1hItbf52k&ab_channel=InternationalFuzzingWorkshop)
newsletter link: [exploits.club Weekly Newsletter 39 - bug.directory, Fuzzing Successes, SLUB Internals, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-39-bug-directory-fuzzing-successes-slub-internals-and-more-2/)

---
## Exploits Club Summary:
> This week, the keynote from FUZZING'24 was made available on YouTube. The talk looks at the history of fuzzing in the community and some of the more memorable bugs that helped shape the modern sentiment around the technique. The presentation then attempts to answer why fuzzing continues to be such a successful method for finding bugs. It ends with thoughts on the future of fuzzing, including everyone's favorite topic... AI. On that note, the same channel uploaded another talk from the conference, aptly titled [Is "AI" Useful For Fuzzing](https://www.youtube.com/watch?v=4BPJXmrdmls&ab_channel=InternationalFuzzingWorkshop).

--------------------------------------------------------------------------------
/Recovering an ECU firmware using disassembler and branches.md:
--------------------------------------------------------------------------------
tags: #firmware #car_hacking #iot
original link: [Recovering an ECU firmware using disassembler and branches](https://blog.quarkslab.com/recovering-an-ecu-firmware-using-disassembler-and-branches.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 26](https://blog.exploits.club/exploits-club-weekly-newsletter-26/)

---
## Exploits Club Summary:
> A new post out of [Quarkslab](https://www.quarkslab.com/?ref=blog.exploits.club) this week walks through an **interesting challenge the team recently faced on a black box assessment while trying to dump the firmware.** After the usual `binwalk` attempt failed, the team ended up **digging deep into the internals of the FAT filesystem.** They then whipped up a **Python script to identify function prologues, which helped identify some valid firmware chunks.** Iterating on this idea, they improved the script by analyzing branch instructions, **allowing them to slowly put the clusters of valid ARM functions into the correct order and export them to a new binary, recovering most of the firmware.**

--------------------------------------------------------------------------------
/Relution Remote Code Execution via Java Deserialization Vulnerability.md:
--------------------------------------------------------------------------------
tags: #java #deserialization #enterprise_app #methodology
original link: [Relution Remote Code Execution via Java Deserialization Vulnerability](https://www.praetorian.com/blog/relution-remote-code-execution-java-deserialization-vulnerability/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 06](https://blog.exploits.club/exploits-club-weekly/)

---
## Exploits Club Summary:
> [Praetorian](https://www.praetorian.com/?ref=blog.exploits.club) released a post this week **detailing** [**CVE-2023-48178**](https://nvd.nist.gov/vuln/detail/CVE-2023-38178?ref=blog.exploits.club)**, a Java deserialization vulnerability in** [**Relution**](https://relution.io/en?ref=blog.exploits.club)**.** The post is extremely detailed, **and walks through the software architecture, the vulnerability, and the methodology for hunting deserialization gadget chains.**

--------------------------------------------------------------------------------
/Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface.md:
--------------------------------------------------------------------------------
tags: #android #iOS #messenger
original link: [Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface](https://www.blackhat.com/us-24/briefings/schedule/?ref=blog.exploits.club#remote-one-click-breaking-through-smartphones-via-a-non-well-known-remote-attack-surface-39721)
newsletter link: [exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-34-v8-confusions-smart-speaker-spying-summer-camp-round-up-and-more-2/)

---
## Exploits Club Summary:
> [Remote, One-Click, Breaking through Smartphones via a Non Well-Known Remote Attack Surface](https://www.blackhat.com/us-24/briefings/schedule/?ref=blog.exploits.club#remote-one-click-breaking-through-smartphones-via-a-non-well-known-remote-attack-surface-39721)

--------------------------------------------------------------------------------
/Resurrecting Internet Explorer - Threat Actors Using Zero-Day Tricks In Internet Shortcut File To Lure Victims.md:
--------------------------------------------------------------------------------
tags: #ITW #internet_explorer
original link: [Resurrecting Internet Explorer: Threat Actors Using Zero-Day Tricks In Internet Shortcut File To Lure Victims](https://research.checkpoint.com/2024/resurrecting-internet-explorer-threat-actors-using-zero-day-tricks-in-internet-shortcut-file-to-lure-victims-cve-2024-38112/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 29](https://blog.exploits.club/exploits-club-weekly-newsletter-29/)

---
## Exploits Club Summary:
> [Check Point Research](https://research.checkpoint.com/?ref=blog.exploits.club) was busy this week. In addition to the V8 bytecode tooling, they also released a post on a **trick threat actors have been employing against Windows users.** This attack leverages the **`.url` extension on a fake PDF file, which is opened by the decommissioned browser Internet Explorer.** Sooo they just pop an 0-day in the inherently less secure browser? Nope, not even that complex - instead, they **force the download of a `.hta` file on the victim, resulting in code exec on the victim's machine.**

--------------------------------------------------------------------------------
/Return of the JIT.md:
--------------------------------------------------------------------------------
tags: #v8 #JIT #chrome
original link: [Return of the JIT](https://lampreylabs.com/posts/return-of-the-jit/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 30](https://blog.exploits.club/exploits-club-weekly-newsletter-30/)

---
## Exploits Club Summary:
> A short, fun post from [@_winterknife_](https://x.com/_winterknife_?ref=blog.exploits.club) discussing **recent changes to the behavior of the V8 optimizer toggle in Chrome.** Previously, individuals were using this toggle as a means of disabling JIT and switching V8 to interpreter-only mode. However, **since late June, the behavior of this toggle was changed to only disable the two higher tiers of JIT compilation, leaving** [**Sparkplug**](https://v8.dev/blog/sparkplug?ref=blog.exploits.club) **enabled.** The theory is this may have been introduced to not break WASM, but if it's **something you're worried about, the blog offers a workaround using the `jitless` command-line flag.**

--------------------------------------------------------------------------------
/Reverse Engineering The XZ Backdoor.md:
--------------------------------------------------------------------------------
tags: #ITW #supply_chain
original link: [Reverse Engineering The XZ Backdoor](https://x.com/amlweems/status/1774819428208689241?s=20&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 15](https://blog.exploits.club/exploits-club-weekly-newsletter-15/)

---
## Exploits Club Summary:
> We won't bury the lead. With over half a million impressions, it seems like everyone and their mother has seen this **tweet from** [**@amlweems**](https://twitter.com/amlweems?ref=blog.exploits.club) **detailing the XZ backdoor.** The repo **includes a honeypot and a walkthrough for triggering the backdoor.**

--------------------------------------------------------------------------------
/Review of the SAILR paper.md:
--------------------------------------------------------------------------------
tags: #decompilation #compilers
original link: [Review of the SAILR paper](https://pad.rev.ng/s/**T3RdsvKNx?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 07](https://blog.exploits.club/exploits-club-weekly-newsletter-07/)

---
## Exploits Club Summary:
> [rev.ng](https://rev.ng/?ref=blog.exploits.club) released an interesting blog post detailing **their thoughts on the recent** [**SAILR paper**](https://www.zionbasque.com/files/publications/sailr_usenix24.pdf?ref=blog.exploits.club)**.** The post **highlights points made in the paper and presents counter-arguments** or alternate thoughts. Apparently the whole thing was originally supposed to be a thread of tweets, so the format is super easy to follow. **Each point from the original paper is screenshotted, and the rev.ng team presents their thoughts on the point in just a few short sentences.**

--------------------------------------------------------------------------------
/Robots Dream of Root Shells.md:
--------------------------------------------------------------------------------
tags: #ai #llm #darpa #methodology
original link: [Robots Dream of Root Shells](https://blog.isosceles.com/robots-dream-of-root-shells/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 12](https://blog.exploits.club/exploits-club-weekly-newsletter-12/)

---
## Exploits Club Summary:
> After a brief break, [@benhawkes](https://twitter.com/benhawkes?ref=blog.exploits.club) is back with a new blog. This time, he explores ideas around **the upcoming AIxCC DARPA competition**, specifically keying in on his thoughts about the **feasibility of using LLMs to find software bugs.** The post has some interesting tidbits that discuss the **fundamental limitations of our current tech,** and potential issues to be on the lookout for in the future.

--------------------------------------------------------------------------------
/SLUB Internals for Exploit Developers.md:
--------------------------------------------------------------------------------
tags: #linux #lpe #kernel #allocator #learning_resource
original link: [SLUB Internals for Exploit Developers](https://x.com/andreyknvl/status/1836027086974157164)
newsletter link: [exploits.club Weekly Newsletter 39 - bug.directory, Fuzzing Successes, SLUB Internals, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-39-bug-directory-fuzzing-successes-slub-internals-and-more-2/)

---
## Exploits Club Summary:
> The best resource to date on SLUB internals released this week.
[@andreyknvl](https://x.com/andreyknvl) (maintainer of the [Linux Kernel Exploitation](https://github.com/xairy/linux-kernel-exploitation#linux-kernel-exploitation)GitHub) released the slides and recording from his talk at Linux Security Summit Europe 2024. He states the talk's goal is to "fill the void" on SLUB internals, as no exploit write-ups cover it in-depth and no developer articles discuss exploitation. It certainly seems to achieve that goal, walking through the internals and then turning around to explain how they are used and abused within typical bug classes. This is one you're sure to want to bookmark, as you'll probably return to it a few times. -------------------------------------------------------------------------------- /SSD ADVISORY - D-LINK DIR-X4860 Security Vulnerabilities.md: -------------------------------------------------------------------------------- 1 | tags: #iot #auth_bypass #command_injection #d-link #router 2 | original link: [SSD ADVISORY: D-LINK DIR-X4860 Security Vulnerabilities](https://ssd-disclosure.com/2024/05/14/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 22](https://blog.exploits.club/exploits-club-weekly-newsletter-22/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Sticking with the IoT bug theme, this SSD advisory demonstrates how to chain **an auth bypass with a command execution to pop a D-Link device**. The auth bypass results from an undocumented parameter which can be used to **generate a PrivateKey based on the known username parameter**. 
The **command injection results from an attacker controlling the IP address when setting up the Virtual Server settings on the device, which is thrown straight into a `FCGI_popen` function.** -------------------------------------------------------------------------------- /SSD Advisory - Google Chrome RCE.md: -------------------------------------------------------------------------------- 1 | tags: #type_confusion #wasm #chrome #sbx 2 | original link: [SSD Advisory: Google Chrome RCE](https://ssd-disclosure.com/ssd-advisory-google-chrome-rce/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-34-v8-confusions-smart-speaker-spying-summer-camp-round-up-and-more-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > An RCA and exploit for a **type confusion bug identified during TyphoonPWN 2024.** The post walks through the vulnerability, which is a **type confusion between canonicalized type id and `wasm::HeapType`.** This bug can be elevated to arbitrary type confusion between WASM objects. 
The post goes on to say that leveraging this into **basic exploit constructs was very similar to that of** [**@\_manfp**](https://x.com/_manfp?ref=blog.exploits.club) [**Pwn2Own winning exploit**](https://www.zerodayinitiative.com/blog/2024/5/2/cve-2024-2887-a-pwn2own-winning-bug-in-google-chrome?ref=blog.exploits.club)**.** The last step is the **escape the V8 sandbox, which was successfully done by abusing abusing `PartitionAlloc`** -------------------------------------------------------------------------------- /SSD Advisory - Linux Kernel taprio OOB.md: -------------------------------------------------------------------------------- 1 | tags: #linux #kernel #lpe 2 | original link: [SSD Advisory: Linux Kernel taprio OOB](https://ssd-disclosure.com/ssd-advisory-linux-kernel-taprio-oob/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 36 - Regex Fuzzing, C++ Metadata, Kernel Streaming, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-36-regex-fuzzing-c-metadata-kernel-streaming-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > We have covered a few of the bugs from TyphoonPWN 2024, and this week we got a write-up for a Linux LPE entry. **The vulnerability manifests from a logic bug, eventually leading to an OOB access.** An attacker **can pass an arbitrary `mqprio` to the kernel,** which begs the question...**what can we do with that?** The post walks through a code path **where the the value will be propagated for "direct PC-control", so that's pretty cool.** As usual with [SSD Advisories](https://ssd-disclosure.com/?ref=blog.exploits.club), **complete exploit code** is included. 
-------------------------------------------------------------------------------- /SSD Advisory - TP-LINK VIGI onvif_discovery Overflow.md: -------------------------------------------------------------------------------- 1 | tags: #iot #router #tp-link #stack_overflow #rop 2 | original link: [SSD Advisory: TP-LINK VIGI onvif_discovery Overflow](https://ssd-disclosure.com/ssd-advisory-tp-link-vigi-onvif_discovery-overflow/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 26](https://blog.exploits.club/exploits-club-weekly-newsletter-26/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [SSD Secure Disclosure](https://ssd-disclosure.com/?ref=blog.exploits.club) team released a write-up for a **buffer overflow on TP-Link's VIGI security camera.** The vulnerability resides in `onvif_discovery`, which listens on port 5001 and is reachable while unauthenticated. The root cause for the vulnerability here is pretty straightforward, **as attacker-controlled data is copied from one stack buffer to another, smaller buffer without performing any sort of bounds checking.** The advisory walks through the call stack and shows the RE where the vulnerability resides. 
**While it doesn't go in-depth on the exploitation, it provides a full PoC, which looks to do some standard ROP.** -------------------------------------------------------------------------------- /SSD Advisory – Foscam R4M UDTMediaServer Buffer Overflow.md: -------------------------------------------------------------------------------- 1 | tags: #stack_overflow #iot 2 | original link: [Foscam R4M UDTMediaServer BOF](https://ssd-disclosure.com/ssd-advisory-foscam-r4m-udtmediaserver-buffer-overflow/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 29](https://blog.exploits.club/exploits-club-weekly-newsletter-29/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Foscam R4M UDTMediaServer BOF](https://ssd-disclosure.com/ssd-advisory-foscam-r4m-udtmediaserver-buffer-overflow/?ref=blog.exploits.club) -------------------------------------------------------------------------------- /Safer with Google - Advancing Memory Safety.md: -------------------------------------------------------------------------------- 1 | tags: #mitigation #rust #google_VRP #methodology 2 | original link: [Safer with Google: Advancing Memory Safety](https://security.googleblog.com/2024/10/safer-with-google-advancing-memory.html?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 43 - Variant Analysis at Scale, SD Card Driver Bugs, TTE Trends, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-43-variant-anal/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Google continues to push their **memory safety blog posts** on a semi-regular cadence these days, and this week has proven to be no different. In their newest post, the team recounts **progress made thus** far towards mitigating memory corruption bugs and **discusses what the future holds -** including areas where re-writes in Rust may make sense and how they plan to **continue improving code safety in non-memory safe codebases**. 
They conclude by mentioning this is the f**irst in a series of blog posts that will go deeper on the logistics,** so we are looking forward to future entries. -------------------------------------------------------------------------------- /Say Friend and Enter - Digitally lockpicking an advanced smart lock (Part 2).md: -------------------------------------------------------------------------------- 1 | tags: #iot #firmware 2 | original link: [Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2)](https://alephsecurity.com/2024/03/07/kontrol-lux-lock-2/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 12](https://blog.exploits.club/exploits-club-weekly-newsletter-12/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > A few weeks ago, we covered part 1 of this series, in which [Aleph Security](https://alephsecurity.com/?ref=blog.exploits.club) began analysis on a smart lock, taking a look at the Android app, firmware, BLE, and other potential attack vectors. In the follow up to that post, the team **details a metric ton of vulnerabilities they identified during the next phase of their research.** This ranges from things like **protocol downgrade to "unauthenticated update leading to complete takeover."** The biggest takeaway? Don't put a Kontrol Lux Lock on your front door...or any door for that matter. 
8 | 9 | --- 10 | backlinks: [[Say Friend and Enter - Digitally lockpicking an advanced smart lock]] -------------------------------------------------------------------------------- /Say Friend and Enter - Digitally lockpicking an advanced smart lock.md: -------------------------------------------------------------------------------- 1 | tags: #iot #android #bluetooth #methodology #firmware 2 | original link: [Say Friend and Enter: Digitally lockpicking an advanced smart lock](https://alephsecurity.com/2024/02/20/kontrol-lux-lock-1/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 09](https://blog.exploits.club/exploits-club-weekly-newsletter-09/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [**Aleph Research**](https://alephsecurity.com/?ref=blog.exploits.club) put out part-1 of their **security research into a smart-door lock.** The post details the attack surface of the lock, and goes through the team's approach to hacking on it. This includes all the fun IoT-isms, such as **decompiling the Android app, reversing the device firmware, doing a little bit of bluetooth analysis, and more.** A great primer for anyone looking to get started with prodding at IoT targets. 8 | 9 | 10 | --- 11 | backlinks: [[Say Friend and Enter - Digitally lockpicking an advanced smart lock (Part 2)]] -------------------------------------------------------------------------------- /Secure by Design - Google’s Perspective on Memory Safety.md: -------------------------------------------------------------------------------- 1 | tags: #mitigation 2 | original link: [Secure by Design: Google’s Perspective on Memory Safety](https://research.google/pubs/secure-by-design-googles-perspective-on-memory-safety/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 11](https://blog.exploits.club/exploits-club-weekly-newsletter-10-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Google is aiming to be President Biden's favorite child. 
Just a week after the [White House's cry for memory safety](https://www.whitehouse.gov/oncd/briefing-room/2024/02/26/memory-safety-statements-of-support/?ref=blog.exploits.club), the tech giant released a **12 page paper detailing the company's approach to mitigating memory corruption bugs.** The paper includes a brief history on the bug class, before jumping into Google's thoughts on how to irradiate it. **The approach involves adapting their** [**Safe Coding**](https://github.com/google/safe-html-types/blob/main/doc/index.md?ref=blog.exploits.club#introduction-to-safe-coding) **strategy to low-level languages, employing better exploit mitigations, and using static analysis and fuzzing to identify bugs ahead of deployment.** Don't worry fanboys, they do talk about **Rust**. -------------------------------------------------------------------------------- /Security research without ever leaving GitHub - From code scanning to CVE via Codespaces and private vulnerability reporting.md: -------------------------------------------------------------------------------- 1 | tags: #methodology #static_analysis #learning_resource #codeQL 2 | original link: [Security research without ever leaving GitHub: From code scanning to CVE via Codespaces and private vulnerability reporting](https://github.blog/2024-04-03-security-research-without-ever-leaving-github-from-code-scanning-to-cve-via-codespaces-and-private-vulnerability-reporting/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 15](https://blog.exploits.club/exploits-club-weekly-newsletter-15/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Github Security Lab released a **methodology post this week**, essentially walking through the **workflow of performing vulnerability research entirely within the Github ecosystem** (huh..convenient). 
The blog walks through **forking a repository, setting up CodeQL to run via Github Actions, and using Codespaces for debugging and exploitation.** While probably a bit more reasonable for for small web projects, this could come in helpful for a cursory look before fully diving into your next VR project. -------------------------------------------------------------------------------- /Shuffle Up and Deal - Analyzing the Security of Automated Card Shufflers.md: -------------------------------------------------------------------------------- 1 | tags: #prng #bluetooth #hardware_hacking 2 | original link: [Shuffle Up and Deal: Analyzing the Security of Automated Card Shufflers](https://www.youtube.com/watch?v=QrwlzoU1bQw&t=35s&ab_channel=BlackHat&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 02](https://blog.exploits.club/exploits-club-weekly-newsletter-02/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > You may have come across the [whitepaper](https://act-on.ioactive.com/acton/attachment/34793/f-4f681dfb-41e6-4160-9057-3481c4552a98/1/-/-/-/-/IOActive-card-shuffler-security.pdf?ref=blog.exploits.club) associated with this talk back in August of last year. The corresponding talk has now been released on YouTube, and it is filled with reverse-engineering fun. As the abstract mentions, **"Ultimately, we will show how these devices can be compromised, allowing us to cheat in a live poker game".** Who wouldn't want to see that? 
-------------------------------------------------------------------------------- /Sky's the Limit - Quick Analysis and Exploitation of a Chrome ipcz TOCTOU Vulnerability.md: -------------------------------------------------------------------------------- 1 | tags: #toctou #chrome #heap_overflow 2 | original link: [Sky's the Limit: Quick Analysis and Exploitation of a Chrome ipcz TOCTOU Vulnerability](https://binarygecko.com/skys-the-limit-quick-analysis-and-exploitation-of-a-chrome-ipcz-toctou-vulnerability/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 36 - Regex Fuzzing, C++ Metadata, Kernel Streaming, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-36-regex-fuzzing-c-metadata-kernel-streaming-and-more/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > -------------------------------------------------------------------------------- /Smoke and Mirrors - Driver Signatures Are Optional.md: -------------------------------------------------------------------------------- 1 | tags: #windows #lpe #kernel 2 | original link: [Smoke and Mirrors: Driver Signatures Are Optional](https://www.youtube.com/@microsoftrndIsrael?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 31](https://blog.exploits.club/exploits-club-weekly-newsletter-31/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@GabrielLandau](https://x.com/GabrielLandau?ref=blog.exploits.club)'s talk from BlueHat IL 2024 was just released on YouTube, in which he **discusses a "previously unnamed vulnerability class" in Windows.** The talk starts by **recapping some of the research Gabriel had previously done and presented at BlackHat**, in which he could jump from Admin to Kernel due to false file immutability. 
In his new research, **he takes roughly the same idea but can translate it to a different security check (security catalogs) and leverage it to load an unsigned driver from userspace.** -------------------------------------------------------------------------------- /So You Wanna Find Bugs In The Linux Kernel.md: -------------------------------------------------------------------------------- 1 | tags: #linux #kernel #learning_resource #methodology 2 | original link: [So You Wanna Find Bugs In The Linux Kernel](https://github.com/sam4k/talk-slides/blob/main/so_you_wanna_find_bugs_in_the_linux_kernel.pdf?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 26](https://blog.exploits.club/exploits-club-weekly-newsletter-26/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [@sam4k1](https://x.com/sam4k1?ref=blog.exploits.club) uploaded his [TyphoonCon 24](https://typhooncon.com/?ref=blog.exploits.club) slides on attacking the Linux Kernel. **The slides first provide a wealth of knowledge on the state of the kernel VR before diving into specifics.** It covers w**hat makes a good subsystem to target, auditing workflow, and the use of tooling like syzcaller and CodeQL.** The presentation ends with a case study, demonstrating the outlined process in action. Sam picked an interesting subsystem, performed a code audit, identified limitations in the current fuzzing coverage, modified syzcaller, and dropped a bug. 
-------------------------------------------------------------------------------- /SolarWinds Security Event Manager AMF deserialization RCE (CVE-2024-0692).md: -------------------------------------------------------------------------------- 1 | tags: #solarwinds #enterprise_app #deserialization #java 2 | original link: [SolarWinds Security Event Manager AMF deserialization RCE (CVE-2024-0692)](https://exp10it.io/2024/03/solarwinds-security-event-manager-amf-deserialization-rce-cve-2024-0692/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 11](https://blog.exploits.club/exploits-club-weekly-newsletter-10-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > If you aren't a Chinese speaker, you may have to whip out Google Translate for this one. That said, this **detailed write-up from** [**@X1r0z**](https://twitter.com/X1r0z?ref=blog.exploits.club) **documents the process of identifying the AMF Deserialization Vulnerability, and then walks through two different ways to leverage it into RCE.** The bug was disclosed by [ZDI](https://www.zerodayinitiative.com/advisories/ZDI-24-215/?ref=blog.exploits.club) on the 1st of this month. 
-------------------------------------------------------------------------------- /Stardew Valley PRNG Seed Cracking.md: -------------------------------------------------------------------------------- 1 | tags: #crypto #game_hacking #nintendo #prng 2 | original link: [Stardew Valley PRNG Seed Cracking](https://www.interruptlabs.co.uk/articles/stardew-valley-prng-seed-cracking?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 30](https://blog.exploits.club/exploits-club-weekly-newsletter-30/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Interrupt Labs](https://www.interruptlabs.co.uk/?ref=blog.exploits.club) shared a post this week walking through the process of **cracking the PRNG seed used in the Switch version of** [**Stardew Valley**](https://www.stardewvalley.net/?ref=blog.exploits.club)**.** The post is heavy on reverse engineering, first **locating the PRNG functionality by comparing the PC and Switch binary, before giving a detailed walkthrough of the code.** **The post then uses this RE to develop a seed cracker based on the random "Traveling Cart stock".** It finishes with the code **release for both a Seed Cracker and a generator.** -------------------------------------------------------------------------------- /Start Your Engines - Capturing the First Flag in Google's New v8CTF.md: -------------------------------------------------------------------------------- 1 | tags: #v8 #google_VRP 2 | original link: [Start Your Engines: Capturing the First Flag in Google's New v8CTF](https://www.madstacks.dev/posts/Start-Your-Engines-Capturing-the-First-Flag-in-Google's-New-v8CTF/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 03](https://blog.exploits.club/exploits-club-weekly-newsletter-03/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > In early October, Google [expanded their rewards 
program](https://security.googleblog.com/2023/10/expanding-our-exploit-reward-program-to.html?ref=blog.exploits.club) and launched the v8CTF, "a CTF focused on V8, the JavaScript engine that powers Chrome". This week, **the program saw it's first report go public**, and the write-up by madstacks is worth the read. Even if you aren't well versed in browser exploitation, this post is still relatively accessible. -------------------------------------------------------------------------------- /Strengthening the Shield - MTE in Heap Allocators.md: -------------------------------------------------------------------------------- 1 | tags: #mte #allocator #PartitionAlloc #Ptmalloc #scudo 2 | original link: [Strengthening the Shield: MTE in Heap Allocators](https://www.darknavy.org/blog/strengthening_the_shield_mte_in_memory_allocators/?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 02](https://blog.exploits.club/exploits-club-weekly-newsletter-02/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Want to worry about your 2024 job security? 
Check out this write-up which takes an **in-depth look at MTE in various heap allocators.** -------------------------------------------------------------------------------- /Super Hat Trick - Exploit Chrome and Firefox Four Times.md: -------------------------------------------------------------------------------- 1 | tags: #chrome #firefox 2 | original link: [Super Hat Trick: Exploit Chrome and Firefox Four Times](https://www.blackhat.com/us-24/briefings/schedule/index.html?ref=blog.exploits.club#super-hat-trick-exploit-chrome-and-firefox-four-times-40037) 3 | newsletter link: [exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-34-v8-confusions-smart-speaker-spying-summer-camp-round-up-and-more-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Super Hat Trick: Exploit Chrome and Firefox Four Times](https://www.blackhat.com/us-24/briefings/schedule/index.html?ref=blog.exploits.club#super-hat-trick-exploit-chrome-and-firefox-four-times-40037) -------------------------------------------------------------------------------- /Surviving MiraclePtr Navigating of Webp and Beyond by Kira.md: -------------------------------------------------------------------------------- 1 | tags: #mitigation #chrome 2 | original link: [Surviving MiraclePtr Navigating of Webp and Beyond by Kira](https://www.youtube.com/watch?v=T9Ek_TdVZ5c&t=1s&ab_channel=GEEKCON&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 30](https://blog.exploits.club/exploits-club-weekly-newsletter-30/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > A new talk went up on the [GEEKCON](https://www.youtube.com/channel/UCcsv_kEEWsIgpUQV3RsDoxQ?ref=blog.exploits.club) YouTube channel earlier this week which will be sure to please the Chrome fans. 
The talk firs**t opens with discussion of the webp bug and its exploitation in Chrome.** After that, the [@0xKira123](https://twitter.com/@0xKira233?ref=blog.exploits.club) discusses the **state of mitigations across the Chrome landscape.** He notes a handful of places where **exploitation has gotten drastically harder but demonstrates three bugs found over the last year to prove that "memory corruption is not dead."** -------------------------------------------------------------------------------- /TIKTAG - Breaking ARM’s Memory Tagging Extension with Speculative Execution.md: -------------------------------------------------------------------------------- 1 | tags: #mte #mitigation #kernel #pixel #spectre 2 | original link: [TIKTAG: Breaking ARM’s Memory Tagging Extension with Speculative Execution](https://arxiv.org/pdf/2406.08719?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 26](https://blog.exploits.club/exploits-club-weekly-newsletter-26/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Speaking of "mitigations" and "novel exploitation," a paper released this week **demonstrating how to break MTE via speculative execution.** The team identified **two new gadgets they deemed "TikTag-v1" and "TikTag-v2,"** which can "**leak the MTE tag of an arbitrary memory address."** The team demonstrated the vulnerability on **Google Chrome and the Linux kernel via a Pixel 8 device.** The paper's second half evaluates these experiments, **discussing reliability, feasibility, and potential mitigations.** -------------------------------------------------------------------------------- /Telegram for Android - Use-after-free in Connection onReceivedData.md: -------------------------------------------------------------------------------- 1 | tags: #android #messenger #telegram #uaf 2 | original link: [Telegram for Android: Use-after-free in 
Connection::onReceivedData](https://bugs.chromium.org/p/project-zero/issues/detail?id=2547&ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 32 - Popping Basebands, Pwnie Nominated PrivEscs, The Compiler Landscape, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-32-2/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > [Telegram for Android: Use-after-free in Connection::onReceivedData](https://bugs.chromium.org/p/project-zero/issues/detail?id=2547&ref=blog.exploits.club) -------------------------------------------------------------------------------- /The Boom, the Bust, the Adjust and the Unknown.md: -------------------------------------------------------------------------------- 1 | tags: #industry #commentary 2 | original link: [The Boom, the Bust, the Adjust and the Unknown](https://x.com/malltos92/status/1777506009000583478?ref=blog.exploits.club) 3 | newsletter link: [exploits.club Weekly Newsletter 16](https://blog.exploits.club/exploits-club-weekly-newsletter-16/) 4 | 5 | --- 6 | ## Exploits Club Summary: 7 | > Slides from [@malltos92](https://twitter.com/malltos92?ref=blog.exploits.club) Zer0con talk are online now. 
While not overly technical, the post **details the history and potential future of the offensive cyber industry.**

--------------------------------------------------------------------------------
/The FloW Drops PPW.md:
--------------------------------------------------------------------------------
tags: #console_hacking #heap_overflow #playstation
original link: [The FloW Drops PPW](https://github.com/TheOfficialFloW/PPPwn?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/)

---
## Exploits Club Summary:
> Last week, famous **PlayStation hacker** [**@theFlow0**](https://twitter.com/theflow0?ref=blog.exploits.club) posted that he had **popped the PS4 with a CVE from 2006.** Originally he was planning on dropping all the spicy details at [TyphoonCon24](https://typhooncon.com/?ref=blog.exploits.club), but he decided to **drop the** [**PoC**](https://github.com/TheOfficialFloW/PPPwn?ref=blog.exploits.club) **early, much to the delight of the 12-year-olds blasting his replies.**

--------------------------------------------------------------------------------
/The V8 Heap Sandbox.md:
--------------------------------------------------------------------------------
tags: #sbx #v8 #learning_resource #chrome
original link: [The V8 Heap Sandbox](https://saelo.github.io/presentations/offensivecon_24_the_v8_heap_sandbox.pdf?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 22](https://blog.exploits.club/exploits-club-weekly-newsletter-22/)

---
## Exploits Club Summary:
> We are still eagerly awaiting YouTube uploads from OffensiveCon, but in the meantime [**@5aelo**](https://twitter.com/5aelo?ref=blog.exploits.club) **released his V8 Sandbox slides.** The talk starts with a brief overview of the sandbox before going into its design and implementation.

--------------------------------------------------------------------------------
/The Way to Android Root - Exploiting Your GPU on Smartphone.md:
--------------------------------------------------------------------------------
tags: #android #gpu #adreno #kernel
original link: [The Way to Android Root: Exploiting Your GPU on Smartphone](https://blackhat.com/us-24/briefings/schedule/?ref=blog.exploits.club#the-way-to-android-root-exploiting-your-gpu-on-smartphone-40234)
newsletter link: [exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-34-v8-confusions-smart-speaker-spying-summer-camp-round-up-and-more-2/)

---
## Exploits Club Summary:
> [The Way to Android Root: Exploiting Your GPU on Smartphone](https://blackhat.com/us-24/briefings/schedule/?ref=blog.exploits.club#the-way-to-android-root-exploiting-your-gpu-on-smartphone-40234)

--------------------------------------------------------------------------------
/The Windows Registry Adventure 3 - Learning resources.md:
--------------------------------------------------------------------------------
tags: #windows #learning_resource #methodology
original link: [The Windows Registry Adventure #3: Learning resources](https://googleprojectzero.blogspot.com/2024/06/the-windows-registry-adventure-3.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 28](https://blog.exploits.club/exploits-club-weekly-newsletter-28/)

---
## Exploits Club Summary:
> [Project Zero](https://googleprojectzero.blogspot.com/?ref=blog.exploits.club) makes an appearance for the third time in a row, this time with the **third installment in the running "Windows Registry Adventure" series.** As a quick recap, the **series started with an introduction**, which explained the target subsystem, the research P0 performed, and the resulting bugs. **The team then followed it up with a post outlining a brief history of the Registry.** The **newest post in the series looks specifically at the learning resources and tools one should use to get up to speed on the Registry.** It serves as an excellent blueprint for someone looking to replicate P0's work and, more broadly, shows a methodology for researching and learning about a specific subsystem on a target.

--------------------------------------------------------------------------------
/The Windows Registry Adventure.md:
--------------------------------------------------------------------------------
tags: #windows #registry #learning_resource #fuzzing
original link: [The Windows Registry Adventure](https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-1.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 18](https://blog.exploits.club/exploits-club-weekly-newsletter-18/)

---
## Exploits Club Summary:
> [Google Project Zero](https://googleprojectzero.blogspot.com/?ref=blog.exploits.club), aka the hackers you're probably jealous of, are back and better than ever. The first post in this new series outlines the premise of the research, which focused on **fuzzing the** [**Windows registry**](https://en.wikipedia.org/wiki/Windows_Registry?ref=blog.exploits.club)**.** The campaign **resulted in just a measly 44 CVEs**. [The follow-up post](https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-2.html?ref=blog.exploits.club) **goes into the history of the registry, explaining its original intention, implementation, and shortcomings.** We are eagerly awaiting the next installment!

--------------------------------------------------------------------------------
/Tianfu Cup 2023 Chrome use-after-free.md:
--------------------------------------------------------------------------------
tags: #chrome #uaf #WebAudio
original link: ["Tianfu Cup 2023" Chrome use-after-free](https://twitter.com/hosselot/status/1757049551888719973?s=20&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 08](https://blog.exploits.club/exploits-club-weekly-newsletter-08/)

---
## Exploits Club Summary:
> A [PoC](https://issues.chromium.org/issues/40075943?ref=blog.exploits.club) for the **Web Audio bug used in the** [**Tianfu Cup**](https://www.tianfucup.com/?ref=blog.exploits.club) was released this week.

--------------------------------------------------------------------------------
/Tony Hawk's Pro Strcpy.md:
--------------------------------------------------------------------------------
tags: #stack_overflow #game_hacking #console_hacking
original link: [Tony Hawk's Pro Strcpy](https://www.youtube.com/watch?v=Pjqw1Gwk0jg&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 33 - CPU Vulns, Breaking Samsung Bootloaders, Tony Hawk Pro Skater, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-33-cpu-vulns-breaking-samsung-bootloaders-tony-hawk-pro-skater-and-more-2/)

---
## Exploits Club Summary:
> Look, we have some fond memories associated with the Tony Hawk's Pro Skater series. We also have some fond memories of the PS2, which [GrimDoesStuff](https://www.youtube.com/@Grimdoomer?ref=blog.exploits.club) clearly does _not_ share. But in his recent upload, **Grim walks us through a vulnerability he found and exploited in Tony Hawk's Pro Skater.** The bug is an **overflow stemming from an unchecked strcpy when naming a super sick gap you created.** He demonstrates how this can be **used to jailbreak the console remotely** by playing with friends who have a modified version of the game set up. While the video primarily focuses on the uses for the exploit, **the full write-up can be found** [**here**](https://icode4.coffee/?p=954&ref=blog.exploits.club)**.**

--------------------------------------------------------------------------------
/Trail Of Bits Handbook - Fuzzing.md:
--------------------------------------------------------------------------------
tags: #methodology #learning_resource #fuzzing
original link: [Trail Of Bits Handbook - Fuzzing](https://appsec.guide/docs/fuzzing/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 10](https://blog.exploits.club/exploits-club-weekly-newsletter-10/)

---
## Exploits Club Summary:
> A little late to this party, but [Trail Of Bits](https://trailofbits.com/?ref=blog.exploits.club) updated their testing handbook to include a **new chapter on fuzzing**. It goes in depth on the **tactics and methodologies before providing actionable walkthroughs** for each of the major fuzzers in the space. A **great primer** for anyone looking to get spun up or improve their fuzzing skills.



---
backlinks: [[Trail of Bits Testing Handbook]]

--------------------------------------------------------------------------------
/Trail of Bits Testing Handbook.md:
--------------------------------------------------------------------------------
tags: #static_analysis #dynamic_analysis #learning_resource #graphQL #fuzzing
original link: [Trail Of Bits Adds CodeQL To Testing Handbook](https://appsec.guide/docs/static-analysis/codeql/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 01](https://blog.exploits.club/vuln-research-newsletter-01/)

---
## Exploits Club Summary:
> A few months ago, Trail of Bits introduced their testing handbook with its first chapter on Semgrep. This month, they have gone ahead and added a second chapter detailing CodeQL. This is a perfect place to get started with CodeQL, or to sharpen your skills if you have already had it in your toolkit for a while now.

--------------------------------------------------------------------------------
/UAF in PowerVR.md:
--------------------------------------------------------------------------------
tags: #uaf #PowerVR
original link: [UAF in PowerVR](https://bugs.chromium.org/p/project-zero/issues/detail?id=2525&ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 16](https://blog.exploits.club/exploits-club-weekly-newsletter-16/)

---
## Exploits Club Summary:
> [**UAF in PowerVR**](https://bugs.chromium.org/p/project-zero/issues/detail?id=2525&ref=blog.exploits.club) from [@tehjh](https://twitter.com/tehjh?lang=en&ref=blog.exploits.club)

--------------------------------------------------------------------------------
/UEFI is the new BIOS.md:
--------------------------------------------------------------------------------
tags: #UEFI #mitigation #secure_boot
original link: [UEFI is the new BIOS](https://www.leviathansecurity.com/blog/uefi-is-the-new-bios?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 41 - Exploit Dev Lifecycle, Binder Internals, UEFI Deep-Dive, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-41-exploit-dev-lifecycle-binder-internals-uefi-deep-dive-and-more/)

---
## Exploits Club Summary:
> [@LeviathanSec](https://x.com/leviathansec?ref=blog.exploits.club) released the **first in an 8-part series detailing UEFI RE, VR, and exploit development.** This introductory post **starts with a brief history of the technology** and the move from Legacy BIOS. It then takes a detailed look at the **UEFI boot process, discussing the first 4 phases (SEC, PEI, DXE and BDS)** and providing all the requisite knowledge to understand the flow. It concludes with a quick look at **Secure Boot and some additional protections such as Boot Guard and BIOS Guard**, and then some context around the **UEFI shell.** We are looking forward to the next installments in the series!

--------------------------------------------------------------------------------
/Unauthenticated Command Execution on Tp-Link AC1350.md:
--------------------------------------------------------------------------------
tags: #command_injection #iot #router
original link: [Unauthenticated Command Execution on TP-Link AC1350](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1862?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 16](https://blog.exploits.club/exploits-club-weekly-newsletter-16/)

---
## Exploits Club Summary:
> [**Unauthenticated Command Execution on TP-Link AC1350**](https://talosintelligence.com/vulnerability_reports/TALOS-2023-1862?ref=blog.exploits.club) from [@TalosSecurity](https://twitter.com/TalosSecurity?ref=blog.exploits.club)

--------------------------------------------------------------------------------
/Understanding AddressSanitizer - Better memory safety for your code.md:
--------------------------------------------------------------------------------
tags: #learning_resource #fuzzing #compilers
original link: [Understanding AddressSanitizer: Better memory safety for your code](https://blog.trailofbits.com/2024/05/16/understanding-addresssanitizer-better-memory-safety-for-your-code/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 23](https://blog.exploits.club/exploits-club-weekly-newsletter-23/)

---
## Exploits Club Summary:
> [Trail Of Bits](https://blog.trailofbits.com/?ref=blog.exploits.club) recently released a post covering ASan. While the write-up's main goal appears to be a **primer for getting set up with the tool**, it goes well above and beyond that, **covering the internals in depth.** Whether you spend hours reading ASan outputs or you're lucky, **we bet there is something new here for you to learn.**

--------------------------------------------------------------------------------
/Underutilized Fuzzing Strategies for Modern Software Testing.md:
--------------------------------------------------------------------------------
tags: #fuzzing #LibAFL #methodology
original link: [Underutilized Fuzzing Strategies for Modern Software Testing](https://www.trailofbits.com/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 08](https://blog.exploits.club/exploits-club-weekly-newsletter-08/)

---
## Exploits Club Summary:
> [Trail Of Bits](https://www.trailofbits.com/?ref=blog.exploits.club) posted a great talk by [@AddisonCrump_vr](https://twitter.com/addisoncrump_vr?ref=blog.exploits.club) on their YouTube channel. The [slides](https://docs.google.com/presentation/d/1nWPZLKMlKUcjsC-YQD703ZpoaAcBDXHw3Vo9DNRXL3o/?ref=blog.exploits.club) are also available, if that is more your thing. **The talk goes through the basic methodology of fuzzing, how it has changed over time, and how you can use LibAFL to approach the problem differently.**

--------------------------------------------------------------------------------
/Vanguard x VALORANT.md:
--------------------------------------------------------------------------------
tags: #game_hacking #anticheat
original link: [Vanguard x VALORANT](https://x.com/VALORANT/status/1837162362282946893)
newsletter link: [exploits.club Weekly Newsletter 40 - iOS Kernel Exploitation, CET Bypasses, Elgato Hardware Repair, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-40-ios-kernel-exploitation-cet-bypasses-elgato-hardware-repair-and-more/)

---
## Exploits Club Summary:
> I know a handful of you RE nerds got your start in game hacking. Well, this week the team at Vanguard (the anti-cheat for VALORANT) released a very minimal peek behind the curtain at what they have been working on recently. The post talks through the metrics the team keeps track of, trends in bans, and approaches to new attack surfaces. Specifically, it looks at the rise in DMA tools and talks through how IOMMU appears to be the most viable path forward. The post ends with some of the challenges associated with VALORANT's move to console in 2024, keying in on some internal testing the team did to [prevent M&K on console](https://youtube.com/shorts/0nmsurXDqPI?si=JNTquDDc-1sP6uxP).

--------------------------------------------------------------------------------
/VirtualBox Vuln Research Set-Up.md:
--------------------------------------------------------------------------------
tags: #hypervisor #virtualbox #learning_resource
original link: [VirtualBox Vuln Research Set-Up](https://github.com/farazsth98/hypervisor_research_notes/blob/master/virtualbox/README.md?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 11](https://blog.exploits.club/exploits-club-weekly-newsletter-10-2/)

---
## Exploits Club Summary:
> [@farazsth98](https://twitter.com/farazsth98?ref=blog.exploits.club) put together a **collection of notes on getting started with building and debugging VirtualBox**.

--------------------------------------------------------------------------------
/Vulnerabilities found in VMWare by me.md:
--------------------------------------------------------------------------------
tags: #vmware #hypervisor #dos #OOB_read
original link: [Vulnerabilities found in VMWare by me](https://gabrieldurdiak.github.io/vmwarevuln/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 17](https://blog.exploits.club/exploits-club-weekly-newsletter-17/)

---
## Exploits Club Summary:
> [@la300588](https://twitter.com/la300588?ref=blog.exploits.club) shared a post this week on 2 vulnerabilities he found in VMware's virtual printing component. The first ([CVE-2022-22938](https://nvd.nist.gov/vuln/detail/CVE-2022-22938?ref=blog.exploits.club)) is a **DoS bug stemming from an invalid size check**. The second ([CVE-2021-21987](https://nvd.nist.gov/vuln/detail/CVE-2021-21987?ref=blog.exploits.club)) is an **OOB read which results from a value in the attacker-controlled header being used as an offset.**

--------------------------------------------------------------------------------
/Vulnerabilities of Realtek SD card reader driver, part 1.md:
--------------------------------------------------------------------------------
tags: #windows #info_leak #OOB_write #OOB_read #kernel
original link: [Vulnerabilities of Realtek SD card reader driver, part 1](https://zwclose.github.io/2024/10/14/rtsper1.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 43 - Variant Analysis at Scale, SD Card Driver Bugs, TTE Trends, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-43-variant-anal/)

---
## Exploits Club Summary:
> [@zwclose](https://x.com/zwclose?ref=blog.exploits.club) decided to take a look at the **Realtek SD card reader driver running on their Windows machine and...well, let's just say it was particularly fruitful**. The blog covers the **6 vulnerabilities** identified and reported, **ranging from info leaks to arbitrary kernel read/write.** It walks through each vulnerability, covering **the basic information required to understand the data flow and pinpoint the bug.** The conclusion mentions **a 7th vulnerability allowing access to physical memory via the card reader's DMA capability, which will be covered in a future entry.**

--------------------------------------------------------------------------------
/Welcome To 2024 - The SSLVPN Chaos Continues.md:
--------------------------------------------------------------------------------
tags: #iot #ivanti #vpn #auth_bypass #command_injection #firmware #enterprise_app
original link: [Welcome To 2024: The SSLVPN Chaos Continues](https://labs.watchtowr.com/welcome-to-2024-the-sslvpn-chaos-continues-ivanti-cve-2023-46805-cve-2024-21887/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 04](https://blog.exploits.club/exploits-club-weekly-newsletter-04/)

---
## Exploits Club Summary:
> It's been a **tough few days for** [**Ivanti**](https://www.ivanti.com/?ref=blog.exploits.club). After it was [reported](https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/?ref=blog.exploits.club) that two vulnerabilities were being used in the wild to achieve unauthenticated RCE against their Ivanti Connect Secure (ICS) VPN appliance, [watchtowr](https://watchtowr.com/?ref=blog.exploits.club) released this post **detailing the vulnerabilities and their exploitation**. Following that, [Synacktiv](https://synacktiv.com/?ref=blog.exploits.club) released a report detailing **multiple additional vulnerabilities** they had discovered in ICS. Yikes.

--------------------------------------------------------------------------------
/Why Code Security Matters - Even in Hardened Environments.md:
--------------------------------------------------------------------------------
tags: #rop #arbitrary_file_write #javascript #nodejs
original link: [Why Code Security Matters - Even in Hardened Environments](https://www.sonarsource.com/blog/why-code-security-matters-even-in-hardened-environments/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 42 - Glitching With A Lighter, Pixel 9 Baseband Security, Node.js Pipe Madness, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-42-glitching-with-a-lighter-pixel-9-baseband-security-node-js-pipe-madness-and-more/)

---
## Exploits Club Summary:
> **This post is a banger front to back... half-tempted to just leave it at that and force you to go read it for yourself.** The premise is this: **you have an arbitrary file write via a Node.js server on a Linux read-only filesystem. Can you get RCE?** These researchers figured out that the answer is yes, by **abusing the pipes that Node's async capabilities are built on top of.** The strategy involves a **custom fake-object/ROP gadget finder and a handful of thoughtful restriction bypasses. Intrigued yet?** You should be.

--------------------------------------------------------------------------------
/You Can't Spell WebRTC without RCE - Part 1.md:
--------------------------------------------------------------------------------
tags: #messenger #signal #learning_resource #android #iOS #webrtc
original link: [You Can't Spell WebRTC without RCE: Part 1](https://margin.re/2024/07/you-cant-spell-webrtc-without-rce-part-1/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 31](https://blog.exploits.club/exploits-club-weekly-newsletter-31/)

---
## Exploits Club Summary:
> Ah, the **zero-click IM RCE**: everyone's dream. This week, [Margin Research](https://margin.re/?ref=blog.exploits.club) took to their blog to start an exciting **new series revolving around security research on Signal.** The first entry takes a look at WebRTC. It starts with a **deep dive into the underlying protocols** before discussing how to set up a research environment. This involves using an iOS target phone and an Android thrower. Finally, the iOS app is **injected with vulnerabilities** [**previously discovered by Natalie Silvanovich**](https://googleprojectzero.blogspot.com/2020/08/exploiting-android-messengers-part-1.html?ref=margin.re) **to demonstrate how they can be triggered from the thrower.** A great primer for anyone looking to start attacking IMs, and we look forward to future entries in the series!

--------------------------------------------------------------------------------
/ZDI Discloses Lexmark Pwn2Own Bugs.md:
--------------------------------------------------------------------------------
tags: #iot #pwn2own #auth_bypass
original link: [ZDI Discloses Lexmark Pwn2Own Bugs](https://www.zerodayinitiative.com/advisories/published/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 06](https://blog.exploits.club/exploits-club-weekly/)

---
## Exploits Club Summary:
> [ZDI](https://www.zerodayinitiative.com/?ref=blog.exploits.club) published **disclosures this week for the Lexmark printer bugs used in** [**Pwn2Own IoT/Mobile**](https://www.zerodayinitiative.com/blog/2023/7/12/the-soho-smashup-returns-for-pwn2own-toronto-2023?ref=blog.exploits.club) back in November of 2023. While the **disclosures themselves only give a small insight into the bugs used, we should hopefully see contestants releasing write-ups in the near future.**

--------------------------------------------------------------------------------
/Zero-Click Calendar invite - Critical zero-click vulnerability chain in macOS.md:
--------------------------------------------------------------------------------
tags: #macos #path_traversal
original link: [Zero-Click Calendar invite — Critical zero-click vulnerability chain in macOS](https://mikko-kenttala.medium.com/zero-click-calendar-invite-critical-zero-click-vulnerability-chain-in-macos-a7a434fc887b)
newsletter link: [exploits.club Weekly Newsletter 39 - bug.directory, Fuzzing Successes, SLUB Internals, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-39-bug-directory-fuzzing-successes-slub-internals-and-more-2/)

---
## Exploits Club Summary:
> What do you get when you don't sanitize the file path associated with Calendar invites? Well, as it turns out, 0-click RCE. This new post from [@Turmio_](https://x.com/Turmio_) demonstrates how he was able to do just that, walking through the initial vulnerabilities and all the shenanigans required to escalate them to code exec, bypassing Gatekeeper and TCC along the way. It's a quick read, but certainly one you want to add to your backlog if you plan on doing macOS research.

--------------------------------------------------------------------------------
/angr for real-world use cases.md:
--------------------------------------------------------------------------------
tags: #angr #static_analysis #learning_resource #windows
original link: [angr for real-world use cases](https://plowsec.github.io/angr-introspection-2024.html?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 38 - Linux Races, Blind Memory Corruption, LLM Java Fuzzing, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-38-linux-races-blind-memory-corruption-llm-java-fuzzing-and-more/)

---
## Exploits Club Summary:
> Chances are pretty high that you've encountered a CTF write-up where the author did some [**angr**](https://angr.io/?ref=blog.exploits.club)**-fu** and blew you away. However, there are **some limitations when leveraging the tool in real-world research**. Thankfully, [@volodiyah](https://x.com/volodiyah?ref=blog.exploits.club) is here to help you overcome some of those hurdles so you can add a new tool to your tool belt. Ignoring the Vim slander, you will find a handful of **helpful tips in this post, from how to use angr to collect accurate time code coverage, to how to improve your debugging workflow, to how to add support for Windows debugging symbols.**

--------------------------------------------------------------------------------
/bug.directory_logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/exploits-club/bug.directory/3cd519fe5bdf1c615837163dd217cffa8f91796c/bug.directory_logo.png

--------------------------------------------------------------------------------
/corCTF 2024 - trojan-turtles writeup.md:
--------------------------------------------------------------------------------
tags: #ctf #kvm #hypervisor
original link: [corCTF 2024: trojan-turtles writeup](https://zolutal.github.io/corctf-trojan-turtles/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 32 - Popping Basebands, Pwnie Nominated PrivEscs, The Compiler Landscape, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-32-2/)

---
## Exploits Club Summary:
> We love a good CTF write-up, and this post from [@zolutal](https://x.com/zolutal?ref=blog.exploits.club) is just that. The [Shellphish](https://shellphish.net/?ref=blog.exploits.club) member detailed his solution for trojan-turtles, a **KVM challenge featured in corCTF 2024**. The write-up begins with an **overview of KVM, providing a great primer for those unfamiliar**. It then details the solution itself, starting **with a diff of the two provided kernel modules, identifying the backdoor, and hitting the vulnerable code path.** The post ends with a deep dive on exploitation, in which the **Extended Page Table is modified to map the host's address space into the guest.**

--------------------------------------------------------------------------------
/gaining access to anyones browser without them even visiting a website.md:
--------------------------------------------------------------------------------
tags: #browser #arc
original link: [gaining access to anyones browser without them even visiting a website](https://kibty.town/blog/arc/)
newsletter link: [exploits.club Weekly Newsletter 40 - iOS Kernel Exploitation, CET Bypasses, Elgato Hardware Repair, And More](https://blog.exploits.club/exploits-club-weekly-newsletter-40-ios-kernel-exploitation-cet-bypasses-elgato-hardware-repair-and-more/)

---
## Exploits Club Summary:
> When we think browser 0day, we typically do not think Firebase...and maybe that's our problem. In a new post, [@xyz3va](https://x.com/xyz3va) talks through a crazy vuln she found in [Arc browser](https://arc.net/). Essentially, with Frida and some Objective-C, she was able to identify that the browser seemed to be using Firestore. From there, she realized these things called "Arc boosts" (basically just ways to customize certain websites inside Arc) are also stored in Firestore for each user, and can contain arbitrary JavaScript. These are retrieved via userId and...yep, you can just change your own userId. So she created a "malicious" Arc boost, changed her userId to a victim's Id, and boom, popped the victim's browser.

--------------------------------------------------------------------------------
/iMessage with PQ3 -The new state of the art in quantum-secure messaging at scale.md:
--------------------------------------------------------------------------------
tags: #crypto #mitigation #iOS
original link: [iMessage with PQ3: The new state of the art in quantum-secure messaging at scale](https://security.apple.com/blog/imessage-pq3/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 09](https://blog.exploits.club/exploits-club-weekly-newsletter-09/)

---
## Exploits Club Summary:
> **I've read it twice**...still can't say I really understand all the big-brain things that are going on here, but "the new PQ3 cryptographic protocol for iMessage combines post-quantum initial key establishment with three ongoing ratchets for self-healing against key compromise, defining the global state of the art for protecting messages against _Harvest Now, Decrypt Later_ attacks and future quantum computers"...**obviously**

--------------------------------------------------------------------------------
/iOS - A Journey In The USB Networking Stack.md:
--------------------------------------------------------------------------------
tags: #iOS
original link: [iOS: A Journey In The USB Networking Stack](https://www.synacktiv.com/publications/ios-a-journey-in-the-usb-networking-stack?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 19](https://blog.exploits.club/exploits-club-weekly-newsletter-19/)

---
## Exploits Club Summary:
> In true Linux-enthusiast fashion, this entire post from Synacktiv seems to stem from the fact that **someone was willing to reverse engineer an entire proprietary protocol just to avoid having to use a MacBook.** Anyways, the post dives into the **history of tethering and reverse tethering on iOS devices.** It then jumps into an **explanation of how the process works under the hood and discusses some of the major changes in iOS 16 and 17.**

--------------------------------------------------------------------------------
/ioxide - N_GSM 0 day.md:
--------------------------------------------------------------------------------
tags: #linux #kernel #race_condition #uaf #GSM
original link: [ioxide: N_GSM 0 day](https://github.com/roddux/ixode/blob/main/notes.md?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 35 - NPU exploits, Phrack 71, 2014 Tablet Hacks, and More](https://blog.exploits.club/exploits-club-weekly-newsletter-35-npu-exploits-phrack-71-2014-tablet-hacks-and-more/)

---
## Exploits Club Summary:
> [@roddux](https://x.com/roddux?ref=blog.exploits.club) dropped what _was_ a second 0day in n_gsm. Following just a **few months after his release of** [**germy**](https://github.com/roddux/germy?ref=blog.exploits.club)**,** the new repo published this week **includes a crash PoC and some notes on the bug itself.** The core issue revolves around a **race condition leading to a UAF.** The notes also include a KASAN splat **and some ideas on how a full exploit for this might be written.** (Un)fortunately, this was mitigated in a [patch](https://github.com/torvalds/linux/commit/67c37756898a5a6b2941a13ae7260c89b54e0d88?ref=blog.exploits.club) released this month.

--------------------------------------------------------------------------------
/kfd write-ups.md:
--------------------------------------------------------------------------------
tags: #iOS #kernel #uaf #integer_overflow
original link: [kfd write-ups](https://github.com/felix-pb/kfd/tree/main/writeups?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 02](https://blog.exploits.club/exploits-club-weekly-newsletter-02/)

---
## Exploits Club Summary:
> In the wake of the Operation Triangulation craze of last week, some people stumbled across the [smith](https://github.com/felix-pb/kfd/blob/main/writeups/smith.md?ref=blog.exploits.club) write-up from the kfd GitHub repo, **which details one of the vulns used for priv-esc in the now infamous attack chain.** While this post was originally authored 6 months ago, on Jan 1st the researcher released [another write-up and PoC](https://github.com/felix-pb/kfd/blob/main/writeups/landa.md?ref=blog.exploits.club) **detailing** [**CVE-2023-41974**](https://support.apple.com/en-us/HT213938?ref=blog.exploits.club)**, a use-after-free affecting the kernel.**

--------------------------------------------------------------------------------
/local_demo.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/exploits-club/bug.directory/3cd519fe5bdf1c615837163dd217cffa8f91796c/local_demo.mp4

--------------------------------------------------------------------------------
/mistymntncop - CVE-2022-4262 PoC.md:
--------------------------------------------------------------------------------
tags: #v8 #type_confusion #ITW
original link: [mistymntncop: **CVE-2022-4262 PoC**](https://github.com/mistymntncop/CVE-2022-4262?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 05](https://blog.exploits.club/exploits-club-weekly-newsletter-05/)

---
## Exploits Club Summary:
>

--------------------------------------------------------------------------------
/nix libX11 - Uncovering and Exploiting a 35-year-old Vulnerability.md:
--------------------------------------------------------------------------------
tags: #heap_overflow #linux
original link: [nix libX11: Uncovering and Exploiting a 35-year-old Vulnerability](https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-one/?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 06](https://blog.exploits.club/exploits-club-weekly/)

---
## Exploits Club Summary:
> JFrog released Part Two of their **two-part blog series covering** [**CVE-2023-43786 and CVE-2023-43787**](https://lists.x.org/archives/xorg-announce/2023-October/003424.html?ref=blog.exploits.club)**.** These posts discuss the discovery and subsequent exploitation of two **vulnerabilities in the popular graphics library X.Org libX11**, one of which resulted in RCE via a heap overflow.

--------------------------------------------------------------------------------
/regreSSHion - RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387).md:
--------------------------------------------------------------------------------
tags: #glibc #openSSH #linux #race_condition
original link: [regreSSHion: RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387)](https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt?ref=blog.exploits.club)
newsletter link: [exploits.club Weekly Newsletter 28](https://blog.exploits.club/exploits-club-weekly-newsletter-28/)

---
## Exploits Club Summary:
> The only way you haven't heard about this is if you have been living under a rock or inside your debugger. Earlier this week, **Qualys' Threat Research Unit identified an RCE vulnerability within OpenSSH, specifically impacting glibc-based Linux systems.** For many of you who work on the blue side of the house, that may be as far as you made it in the advisory before you had a panic attack and started patching systems. However, **the write-up is exceptionally detailed, walking through the signal handler race condition, the history of the bug (a regression of** [**CVE-2006-5051**](https://nvd.nist.gov/vuln/detail/CVE-2006-5051?ref=blog.exploits.club)**, originally reported by** [**@mdowd**](https://twitter.com/mdowd?ref=blog.exploits.club)**) and the exploit strategy.**

--------------------------------------------------------------------------------
/templates/EC Entry.md:
--------------------------------------------------------------------------------
tags:
original link:
newsletter link:

---
## Exploits Club Summary:
>

--------------------------------------------------------------------------------
/templates/Submission.md:
--------------------------------------------------------------------------------
tags:
original link:

---
## Summary:
>

--------------------------------------------------------------------------------
/“To live is to fight, to fight is to live! - IBM ODM Remote Code Execution.md:
--------------------------------------------------------------------------------
tags: #enterprise_app #java #deserialization
original link: [“To live is to fight, to fight is to live! - IBM ODM Remote Code Execution](https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/?ref=blog.exploits.club)
newsletter link:

---
## Exploits Club Summary:
> **Watchtowr labs** released a write-up on their research into the [IBM Operational Decision Manager](https://www.ibm.com/products/operational-decision-manager?utm_content=SRCWW&p1=Search&p4=43700074487969878&p5=e&gad_source=1&gclid=Cj0KCQiA84CvBhCaARIsAMkAvkKpBPPnJkG5gNPR-f1b1wm9EPrN29xXGdDHSjjGXcpja-PJJQRCLMoaAlCwEALw_wcB&gclsrc=aw.ds&ref=blog.exploits.club). The post details the **two bugs they found: a deserialization vuln and a JNDI injection.** The team was able to take the **JNDI injection all the way to RCE**, and both vulns were given CVEs ([CVE-2024-22319](https://nvd.nist.gov/vuln/detail/CVE-2024-22319?ref=blog.exploits.club), [CVE-2024-22320](https://nvd.nist.gov/vuln/detail/CVE-2024-22320?ref=blog.exploits.club)).

--------------------------------------------------------------------------------
