maxpl0it
@maxpl0it
England, United Kingdom

Cyber security researcher focusing on low-level exploitation and world domination. Resident pwn tutor at @the_hacker_lab and researcher at @fsecure
73 Tweets
260 Following
159 Followers

Tweets

maxpl0it
@maxpl0it
50 min
Remember, there are no compiler protections against data segment buffer overflows except reordering variables to place higher risk variables (such as pointers) before arrays. pic.twitter.com/YXaIXm7soX
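As an added example (not from the tweet, nor from the author's own material), the C below models the point of the tweet: two struct layouts stand in for two possible orderings of global variables, since the real order of globals is decided by the compiler and linker and cannot be asserted on deterministically. The struct names, the sentinel object and the payload are constructed for the demonstration.

```c
#include <stddef.h>
#include <string.h>
#define BUF_LEN 16

/* Layout A: the array sits before the pointer, so an overflow reaches it. */
struct array_first { char buf[BUF_LEN]; char *ptr; char other[8]; };

/* Layout B: the pointer is placed before the array (the reordering a
 * compiler may apply); the same overflow now spills into lower-risk data. */
struct ptr_first { char *ptr; char buf[BUF_LEN]; char other[8]; };

static char sentinel[] = "legit";   /* constructed object the pointer should keep */

/* The defect: a copy into buf that ignores BUF_LEN. len is capped at the end of
 * the enclosing struct only to keep the demonstration within defined behaviour. */
static void unchecked_copy(void *seg, size_t seg_size, size_t buf_off,
                           const char *src, size_t len) {
    if (len > seg_size - buf_off) len = seg_size - buf_off;
    memcpy((char *)seg + buf_off, src, len);
}

/* The fix that does not depend on layout: refuse input that does not fit. */
int bounded_copy(char *buf, size_t buf_len, const char *src, size_t len) {
    if (len > buf_len) return -1;
    memcpy(buf, src, len);
    return 0;
}

/* Compare the pointer's bytes rather than dereferencing a possibly garbage value. */
static int ptr_changed(const void *p) {
    char *expected = sentinel;
    return memcmp(p, &expected, sizeof expected) != 0;
}

/* Returns 1 if writing BUF_LEN + sizeof(char *) bytes into buf clobbered ptr. */
int pointer_corrupted_array_first(void) {
    struct array_first s = { {0}, sentinel, {0} };
    char payload[BUF_LEN + sizeof(char *)];
    memset(payload, 'A', sizeof payload);
    unchecked_copy(&s, sizeof s, offsetof(struct array_first, buf), payload, sizeof payload);
    return ptr_changed(&s.ptr);
}

int pointer_corrupted_ptr_first(void) {
    struct ptr_first s = { sentinel, {0}, {0} };
    char payload[BUF_LEN + sizeof(char *)];
    memset(payload, 'A', sizeof payload);
    unchecked_copy(&s, sizeof s, offsetof(struct ptr_first, buf), payload, sizeof payload);
    return ptr_changed(&s.ptr);
}
```

Reordering only changes which neighbour absorbs the overflow; the bounded copy is the check that removes the bug regardless of layout.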

maxpl0it
@maxpl0it
54 min
Also re-discovered my old paper from 2015 which was a primer on data segment buffer overflows. Unfortunately it got ignored when attempting to share it so it's only been seen by a few. Might tweak it and re-publish. pic.twitter.com/i55aFi2ciQ

maxpl0it
@maxpl0it
1 h
BSS buffer overflows are incredibly interesting. This latest sudo bug (CVE-2019-18634) was exactly this.
I created a github repo last year to introduce people to this concept: github.com/maxpl0it/how2b… twitter.com/saleemrash1d/s…

maxpl0it
@maxpl0it
11 h
Any time! We’ll have to arrange an exploit dev training session at some point too

maxpl0it
@maxpl0it
12 h
First teaching session for router bugs. Covered some binary exploit techniques on MIPS! twitter.com/vicharkness/st…

maxpl0it
@maxpl0it
23 Jan
That’s very true! Is it teams or solo?

maxpl0it
@maxpl0it
23 Jan
I would but I did just buy a new router to keep me busy a while...

maxpl0it
@maxpl0it
30 Dec
Don’t forget Radare2 if you want to actually patch anything on ARM!

maxpl0it
@maxpl0it
30 Dec
A compiler choosing to use the CVTTSD2SI instruction to cast a float to an int has made it so my exploit primitives can only r/w up to 0x7fffffff on a 64-bit system. I miss non-optimised code...

maxpl0it
@maxpl0it
28 Dec
Update:
JS Engine:
1x Integer Overflow leading to OOB write
1x Additional BoF

maxpl0it
@maxpl0it
27 Dec
You're right, writing IE-compatible CSS is work for the gods

maxpl0it
@maxpl0it
27 Dec
12 0days of Christmas progress:
Router: 1x Full LAN, 1x BoF.
JS Engine: 2x Null Pointer Dereference, 2x BoF, 1x DoS, 1x Memory Leak.
Total: 7
So far so good!

maxpl0it
@maxpl0it
23 Dec
Pfft, have you TRIED running the crap that this thing spews out?!

maxpl0it
@maxpl0it
23 Dec
AI is on the verge of replacing you mate ;)

maxpl0it
@maxpl0it
23 Dec
Maybe in time, but for now this will be my own personal project.

maxpl0it
@maxpl0it
22 Dec
JavaScript fuzzer built and working well. Constantly adding new features. pic.twitter.com/2uPTX262jg

maxpl0it
@maxpl0it
20 Dec
Thanks for hosting the night!

maxpl0it
@maxpl0it
30 Nov
Dove head first into WebKit internals. Found a patched bug without a public exploit and wrote the addrof and fakeobj primitives, as well as the arbitrary R/W primitives.
Time to experiment with this in Safari! pic.twitter.com/blrKYs6su7

maxpl0it
@maxpl0it
20 Nov
For anybody in/around Brighton, this is the place to be! twitter.com/the_hacker_lab…