Post List

Vulnerability Analysis

Analysis on CVE-2017-14489 (Linux Kernel)
Analysis on CVE-2016-9793 (Linux Kernel)
Analysis on CVE-2013-2551 (Internet Explorer)
Analysis on CVE-2015-5165 (QEMU)
Analysis on CVE-2015-7504 (QEMU)

Academic Paper

[CCS2017] SemFuzz: Semantics-based Automatic Generation of Proof-of-Concept Exploits
[CCS2017] The Dynamics of Innocent Flesh on The Bone: Code Reuse Ten Years Later
[CCS2015] Per-Input Control Flow Integrity
[USENIX2014] Enforcing Forward-Edge Control-Flow Integrity in GCC & LLVM
[NDSS2018] CFIXX: Object Type Integrity for C++
[DIMVA2016] Rowhammer.js: A Remote Software-Induced Fault Attack in JavaScript

Tutorial

Exploit Tutorial Plan (the flag has been raised)
Series 1 Lecture 01: ELF file format and Dynamic Link
Series 1 Lecture 02: Virtual Function and Virtual Function Call Hijacking
Series 1 Lecture 03: Shellcode, Stack Buffer Overflow and Return Oriented Programming
Series 2 Lecture 01: Ptmalloc Introduction: Memory Management and Malloc Internal
Series 2 Lecture 02: Ptmalloc Introduction: Free/Realloc Internal and Security Checks
Series 3 Lecture 01: Heap Exploitation: House of Spirit and House of Force
Series 3 Lecture 02: Heap Exploitation: Unsafe unlink and Fastbin Corruption
Series 4 Lecture 01: Advanced Heap Exploitation: Unsorted bin attack and Overlapping chunk
Series 4 Lecture 02: Advanced Heap Exploitation: File Stream Oriented Programming
Series 4 Lecture 03: Advanced Heap Exploitation: House of Mind and House of Orange
New exploitation tutorial plan
Extra Heap Exploitation 1: House of Lore
Extra Heap Exploitation 2: TCache and Potential Exploitation
Extra Heap Exploitation 3: A Revisit to Large Bin in Glibc
Extra Exploitation Technique 1: _dl_open
Extra Exploitation Technique 2: Implicit Malloc and Free in glibc
Extra Exploitation Technique 3: Return-to-dl_resolve
Go for VM escape!
QEMU escape: Part 1 Environment Set-up
QEMU escape: Part 2 Debugging Environment Set-up
QEMU escape: Part 3 Information Leakage (CVE-2015-5165)
QEMU Escape: Part 4 Hijack Control Flow (CVE-2015-7504)
QEMU Escape: Part 5 Put Everything Together (nographic mode)
QEMU Escape: Part 6 Put Everything Together (another trial)
QEMU Internal: PCNET
QEMU Internal: RTL8139
QEMU Internal: MemoryRegion, AddressSpace and QEMU IO
QEMU Internal: PCI Device

CTF Challenge

[2017-08-26] HITB XCTF 2017 PWN 1000level Write-up
[2017-08-26] HITB XCTF 2017 PWN Sentosa Write-up
[2017-08-29] HITB XCTF 2017 PWN Simplefmt Write-up
[2017-10-13] CSAW CTF 2017 Qual PWN Zone Write-up
[2017-11-01] TokyoWestern CTF 2017 Quals PWN ASCII ART Write-up
[2017-11-10] GOOGLE CTF 2017 Quals PWN CFI Write-up
[2017-11-24] TokyoWestern CTF 2017 Quals PWN SIMPLE NOTE1 Write-up
[2017-11-29] CodeBlue CTF 2017 PWN NONAMESTILL Write-up
[2017-12-04] Hack.Lu CTF 2014 PWN Oreo Write-up
[2017-12-09] CodeBlue CTF 2017 PWN DEMOSCENEDB Write-up (House of Mind, seemingly wrong for now)
[2017-12-11] 0CTF 2017 Quals PWN Babyheap Write-up
[2017-12-13] HITCON 2016 Quals PWN House-of-Orange Write-up
[2017-12-14] 0CTF 2016 Quals PWN Zerostorage Write-up
[2017-12-16] HITCON 2017 Quals PWN Ghost-in-The-Heap Write-up
[2017-12-27] X-MAS CTF 2017 PWN Bookstore Write-up
[2017-12-30] 34C3 CTF PWN SimpleGC Write-up
[2017-12-30] 34C3 CTF PWN Readme-revenge Write-up
[2018-01-15] SECCON CTF 2017 Online Candy Store Write-up
[2018-01-19] CodeBlue CTF 2017 PWN DEMOSCENEDB Write-up (House of Lore)
[2018-01-22] 0CTF 2017 Quals PWN EasiestPrintf Write-up
[2018-01-26] HITCON 2015 Quals PWN BlinkRoot Write-up
[2018-02-28] CodeGate 2018 PWN BaskinRobins Write-up
[2018-03-05] SECCON 2017 QUAL PWN VM_NO_FUN Write-up
[2018-03-07] X-MAS CTF 2017 PWN ChildVM Write-up
[2018-03-12] N1CTF 2018 PWN Beeper Write-up
[2018-03-12] N1CTF 2018 Pwn Vote Write-up
[2018-03-17] N1CTF 2018 PWN NULL Write-up
[2018-03-25] HITB XCTF 2017 BabyQEMU Write-up
[2018-04-02] 0CTF 2018 PWN Babyheap Write-up
[2018-04-07] 0CTF 2018 PWN HeapStorm2 Write-up