Analysis of public exploits or my 1day exploits
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.

README.md

About

This is where I will post analysis of Public Exploits, or some of my 1day exploits.

[ Public exploit analysis ]

  • Personally I think the best way to learn a public exploit is by understanding it line-by-line until I can understand the exploit to the fullest. I will post some of these (overly-commented ;) ) exploits so hopefully others can learn from it, and as an attempt to give something back to the community. Also for documenting purposes, cause these things kind of fade away from my head as time passes.

CVE-2016-8655

  • This is a detailed analysis of rebel's exploit.
  • Thanks rebel for the awesome exploit! :D

CVE-2016-5342

mp3 version

  • This is a commented version of freener's android LPE exploit
  • arm32
  • Heap overflow
  • This exploit directly overwrites a function pointer of another object

tty version

  • This is a commented version of freener's android LPE exploit
  • arm32
  • Heap overflow
  • This exploit overwrites an object pointer in another object. It uses ret2dir attack to make the corrupted pointer point to a predictable fixed address in kernel which holds the exploit payload. This exploit technique bypasses PXN & PAN.

CVE-2016-2434

  • This is a commented version of Jianqiang Zhao's android LPE exploit
  • arm64
  • Zero-out 16 bytes at an arbitrary address
  • This exploit wipes out 16 bytes of a useful global object, which is located at a fixed address in kernel.
  • A corrupted object pointer within the global object references exploit payload from userland. This kind of attack will not work on devices/kernels with PAN(or PAN emulation).

extra_recipe

  • My attempt to understand the extra_recipe jailbreak
  • I was especially interested in the kpp bypass part. Although there were a couple slides on the subject where I could glean a vague image of the bypass, I really wanted to dig into the fine details and see what is actually going on inside the code
  • I also wanted to understand the final ingredients for a jailbreak(Installing Cydia, etc.)

yalu102 (ViewController.m)

  • I commented the part relevant to the actual bug, and how it was exploited.
  • The reason why I looked into yalu102 instead of the original exploit is because the port-feng-shui technique looked more cleaner and straightforward to understand.
  • The analysis stops right before the kpp bypass

xerub's extra_recipe-master (jailbreak.c, unjail.m, patchfinder64.c, pte_stuff.h)

  • I jump here because it had a little more information on the various numeric offsets.
  • Also, the patchfinder.c is intact, as opposed to yalu102 which there is only an object file.
  • The cydia part is kind of incomplete so I jump to the cydia branch after kpp

xerub's extra_recipe-cydia (unjail.m)

  • Trying to understand the ingredients for a jailbreak after tfp0 and post-exploitation

empty_list (sploit.c)

  • A detailed breakdown of Ian Beer's empty_list kernel exploit.
  • It uses amazing techniques to start from really weak primitives, to build a stronger AAR, and finally build a full-fledged task port. The port magic behind the exploit code is unbelievable. All of this with an 8 NULL byte heap overflow. Absolutely mindblowing.
  • I've scribbled some naive ideas to improve the reliability. Hopefully someone will release a more reliable version of the exploit in the future. :)
  • Thanks Ian Beer for the amazing exploit!

CVE-2018-4233

  • This is a commented version of @niklas_b's iOS Webkit exploit.
  • A huge thanks to kudima(@begger_dd) to the very clear and concise, thoroughly annotated writeup! :)
  • The writeup explains the JIT type confusion bug, some limitations on conversions of boxing/unboxing(which could introduce unreliability), and a detailed walkthrough of how the early/late AAR/AAW primitives are constructed. He also provides insight on the changes in exploitation techniques after the recent round of mitigations(index masking, ArrayBuffer backing store poisoning, Some changes on the mechanism of W^X JIT, changes in the JSObject structure, etc)

jsc_ConcatMemcpy_infoleak

  • This is a commented version of kudima's WebKit infoleak exploit(fixed in 2018.8.27).
  • It stems from an incomplete fix from one of the bugs reported by lokihardt. The patch from lokihardt's report fixed the Double -> Object type confusion primitive, but didn't fix it the other way around; Object -> Double.
  • It sprays the webkit heap with butterflies containing a single object and a marker, and later on triggers the concat bug and fills a large portion of several double arrays with uninitialized heap data. It iterates through the uninitialized, buggy concat produced, double arrays until it finds the previously sprayed object's address, and leaks it.
  • Thanks again kudima(@begger_dd) for the nice exploit and writeup! :)

[ 1Day ]

CVE-2017-2547

  • One day I looked at singi's exploit after it was presented at Zer0con 2018, and decided to improve it.
  • This is a standalone version of the exploit, before I integrated it into pwnjs.
  • The improvements include
    • Increased reliability(works flawlessly after extensive browsing sessions with contaminated memory)
    • Removed all hardcoded offsets to make it compatible with various browser versions
    • Used a different exploitation technique(the standard misalign technique)
    • Eventually integrated it into the pwnjs framework by creating a webkit prototype
    • Made the code a lot more readible, and added lots of comments
  • Special Thanks
    • qwertyoruiop & Samuel Grob for the amazing phrack article and public exploits
    • Brian Pak & Andrew Wesie for the awesome pwnjs framework!