ENGINEERING BLOG

  • What's New in Tenet v0.2

    Quality-of-life improvements, cell-based trace visualization, and more...

    September 14, 2021 / Markus Gaasedelen


    Tenet is an IDA Pro plugin which enables reverse engineers to explore execution traces of native code. It is a testbed for evaluating how omniscient traces might facilitate new and innovative debugging experiences, improving the speed of software comprehension in reverse engineers and developers alike.

    In this post, we’ll be covering some of the updates that made their way into the v0.2 release of Tenet. As the first ‘major’ update to Tenet, the goal was to fix several quality-of-life issues and improve its general usability. Like any new project, there will be some growing pains as the project begins to find its feet.

    For more background information about Tenet, please see the post about its initial release.

    Tenet is an execution trace explorer for reverse engineers


  • Snapcraft Packages Come With Extra Baggage

    Exploiting Ubuntu's Snapcraft Apps with CVE-2020-27348

    August 4, 2021 / Amy Burnett


    Several months ago I found an issue (now CVE-2020-27348) with Ubuntu’s new package management system, Snapcraft. This bug introduced a classic pattern of insecurity to these ‘Snap’ managed applications which is analogous to DLL sideloading issues on Windows (a form of dynamic library injection).

    In this post, I’ll discuss how this issue was discovered while playing in a CTF and how it can be leveraged to get code execution via these packages. Some of the affected packages included Chromium, VLC, Docker, Audacity, and many others available through the new package manager.

    Exploiting the VLC Snapcraft Package


  • All Your Base Are [Still] Belong To Us

    Fuzzing Modern UDP Game Protocols With Snapshot-based Fuzzers

    July 21, 2021 / Markus Gaasedelen


    Axel ‘0vercl0k’ Souchet recently open-sourced a promising new snapshot-based fuzzer. In his own words: "what the fuzz or wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and or kernel-mode targets running on Microsoft Windows."

    In this post we will walk through the process of creating a fuzzer module for what the fuzz, allowing us to fuzz the packet parsing code of a popular triple-A multiplayer game title enjoyed by millions of active players. Complemented by Tenet, we show how these two technologies can be used to discover and then analyze critical real-world vulnerabilities.

    Fuzzing using what the fuzz, a snapshot-based fuzzer for Windows


  • The Oddest Place You Will Ever Find PAC

    Exploiting the notoriously unsafe gets() on a PAC-protected ARM64 binary

  • 32 bits, 32 gigs, 1 click...

    Exploitation of a JavaScriptCore WebAssembly Vulnerability

  • Tenet: A Trace Explorer for Reverse Engineers

    Conventional Debuggers Are Crumbling to Software Complexity, Now What?

  • Lucid: An Interactive Hex-Rays Microcode Explorer

    Studying decompiler internals has never been so easy...

  • 7 Days to Lift: A Mission in Microcode

    Extending the Hex-Rays Decompiler to Support Intel AVX Instructions

  • What's New in Lighthouse v0.9

    Python 3, custom coverage formats, coverage cross-refs, themes & more

  • A Cryptocurrency Heist, Starring Your Web Browser

    Abusing well-defined web standards to exploit localhost services

  • In Transactional Memory, No One Can Hear You Scream

    Attacking Intel's Transactional Synchronization Extensions

  • What's New in Lighthouse v0.8

    Binary Ninja support, HTML coverage reports, consistent styling

  • Scaling up Binary Exploitation Education

    Augmenting Esoteric Security Subjects with Gamification & Accessibility

  • Exploiting the macOS WindowServer for root

    Four Heap Sprays, Two Dangling Pointers, One Bitflip

  • Cracking the Walls of the Safari Sandbox

    Fuzzing the macOS WindowServer for Exploitable Vulnerabilities

  • Weaponization of a JavaScriptCore Vulnerability

    Illustrating the Progression of Advanced Exploit Primitives In Practice

  • Timeless Debugging of Complex Software

    Root Cause Analysis of a Non-Deterministic JavaScriptCore Bug

  • Vulnerability Discovery Against Apple Safari

    Evaluating Complex Software Targets for Exploitable Vulnerabilities

  • A Methodical Approach to Browser Exploitation

    The Exploit Development Lifecycle, From A to Z(ero Day)

  • Building up from the Ethereum Bytecode

    Practical Decompilation of Ethereum Smart Contracts

  • What's New in Lighthouse v0.7

    Frida, C++ demangling, context menu, function prefixing, bugfixes

  • Dangers of the Decompiler

    A Sampling of Anti-Decompilation Techniques

  • What's New in ripr v1.1

    Function Arguments, Basic Block Mode, and more

  • Untangling Exotic Architectures with Binary Ninja

    Supplementing Flare-On 2017 with some sanity

  • What's New in Lighthouse v0.6

    Intel pintool, cyclomatic complexity, batch load, bugfixes

  • Hello World

    Compiling Executables for the Classic POSIX Subsystem on Windows
(C) 2021 RET2 SYSTEMS, INC.