Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap
Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap Lua 5.1 Musl’s Next Generation Allocator – aka mallocng mallocng Cycling Offset Exploiting CVE-2022-24834 on the mallocng heap mallocng Heap Shaping Ensuring Correct Target Table->Array Distance Lua Table Confusion redis-server/libc ASLR Bypass and Code Execution Conclusion Resources Tools This […]
HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack
Aaron Adams presented this talk at HITB Phuket on the 24th August 2023. The talk detailed how NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto was able to exploit two different PostScript vulnerabilities in Lexmark printers. The presentation is a good primer for those interested in further researching the Lexmark PostScript stack, and also […]
CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
The fifth and final blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
The fourth of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
The third of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
The second of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The first of five blog posts exploring the detailed exploitation of CVE-2018-8611.
libtalloc: A GDB plugin for analysing the talloc heap
tl;dr This post is about a GDB plugin I wrote while researching the Samba exploitation earlier in 2015. There is a python script available. See the README for usage examples. Note that the plugin was thrown together while hacking on bugs. Introduction The Samba project developed a custom heap dubbed the “trivial allocator” aka talloc. A […]
Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
tl;dr Earlier this year I worked on an exploit for an interesting use-after-free vulnerability in win32k.sys (CVE-2015-0057) and was able to develop a reliable exploit on both 32-bit and 64-bit, affecting XP through Windows 8.1 (with a few exceptions). This writeup describes in detail how I approached exploitation on both architectures, which ended up being […]
Some Notes About the Xen XSA-122 Bug
tl;dr; This is a summary of a vulnerability in Xen I found earlier in 2015, and why it’s not very useful in practice. Basically you can leak small amounts of memory from the hypervisor stack, but due to the way the associated hypercall is compiled, it turns out you can’t reliably leak very useful information. […]