Analysis on CVE-2017-3000

August 26, 2018dangokyo 1 Comment

Introduction

In this post, I will introduce CVE-2017-3000, a CVE assigned to us last year. We analyse the weak implementation of the PRNG in Flash Player, which is used for constant blinding in its JIT compiler. We find two methods circumventing the constant blinding. Furthermore, we give a detailed exploitation plan on how to insert desired value into JIT code even if constant blinding is in place as demonstrated on the cover page. In this post, I will give details on the design of the PRNG and full exploit based on CVE-2015-5122.
Continue reading “Analysis on CVE-2017-3000” →

Analysis on CVE-2015-5119

August 21, 2018August 22, 2018dangokyo Leave a comment

Introduction

In this post, I will give a full COOP-like exploit based on CVE-2015-5119 as demonstrated on cover page. This post will contain two parts. The first part is about how to achieve arbitrary read/write primitive in 64-bit Flash. This part is based on [1][2] with some extra my own explanations. The second part is about how to achieve a COOP-like exploit with virtual function gadgets. I will discuss the dispatcher gadget, argument loading gadget and invoking gadget used in the exploit and pop up the calculator in the end. So I will skip the analysis of root cause of the vulnerability and focus on exploit development.
Continue reading “Analysis on CVE-2015-5119” →

Analysis on CVE-2016-9079

July 29, 2018dangokyo 1 Comment

Introduction

This is a use-after-use vulnerability in the firefox before 50.2 [1]. In this post, the exploit is a routine browser exploitation process. Since exploit [1] is a working exploit on windows platform, I rewrite the exploit to make it work on Linux platform and test some ideas on vtable reuse attacks. I use a chain of multiple virtual function gadgets to change memory protection and open a listening port or popping up calculator. The final exploit can be found on my github repo[3].
Continue reading “Analysis on CVE-2016-9079” →

MeePwnCTF 2018 Qual Pwn Coin Write-up

July 26, 2018dangokyo Leave a comment

Introduction

This is a very interesting challenge. Generally speaking, this is not a very hard challenge because its vulnerability is very obvious. However, this challenge is not that easy to exploit. First of all, the logic of the programme is very complicated and hard to reverse. Secondly, the exploitation involves multiple exploitation tricks in the end. Thirdly, the exploitation involves many double-to-integer conversion. Continue reading “MeePwnCTF 2018 Qual Pwn Coin Write-up” →

MeePwnCTF 2018 Qual Web+PWN 0xBADMINTON Write-up

July 18, 2018dangokyo Leave a comment

Introduction

As an enthusiast badminton player, I decide to add a cover page for this write-up. As a CTF player, I think it’s necessary to write a wp for this challenge. This challenge is not hard after reading the write-up given on [1]. But I think there are still a lot of things to learn in the field of web security.
Continue reading “MeePwnCTF 2018 Qual Web+PWN 0xBADMINTON Write-up” →