- Linux userspace exploitation by parsing ELF for symbol addresses with an arbitrary read
tl;dr Linux client-server application heap exploitation
Writeup from InCTFi 2019 bartender
tl;dr Windows 32-bit SEH exploitation
tl;dr 2-element overflow in Array when JIT compiled
Uint8Array to get an overflow in an ArrayBuffer and proceed to convert this to arbitrary read-write and execute shellcode.
This post will describe how I exploited CVE-2019-14378, a pointer miscalculation in the network backend of QEMU. The bug is triggered when large IPv4 fragmented packets are reassembled for processing. It was found by code auditing.
Out-of-bounds write in trustlet ‘1’ allows us to write random bytes at an address of our choice. We can write our shellcode to an rwx region with this, without any bruteforce.
Note: During the CTF we used a 1-byte brute-force to write shellcode into the rwx segment and get a shell. It was only afterwards that we realised that no bruteforce was required!