HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack
Aaron Adams presented this talk at HITB Phuket on the 24th August 2023. The talk detailed how NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto was able to exploit two different PostScript vulnerabilities in Lexmark printers. The presentation is a good primer for those interested in further researching the…
CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
The fifth and final of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
The fourth of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
The third of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
The second of five blog posts exploring the detailed exploitation of CVE-2018-8611.
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The first of five blog posts exploring the detailed exploitation of CVE-2018-8611.
libtalloc: A GDB plugin for analysing the talloc heap
tl;dr This post is about a GDB plugin I wrote while researching the Samba exploitation earlier in 2015. There is a python script available. See the README for usage examples. Note that the plugin was thrown together while hacking on bugs. Introduction The Samba project developed a custom heap dubbed…
Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
tl;dr Earlier this year I worked on an exploit for an interesting use-after-free vulnerability in win32k.sys (CVE-2015-0057) and was able to develop a reliable exploit on both 32-bit and 64-bit, affecting XP through Windows 8.1 (with a few exceptions). This writeup describes in detail how I approached exploitation on both…
Some Notes About the Xen XSA-122 Bug
tl;dr This is a summary of a vulnerability in Xen I found earlier in 2015, and why it’s not very useful in practice. Basically you can leak small amounts of memory from the hypervisor stack, but due to the way the associated hypercall is compiled, it turns out you can’t…
Xen SMEP (and SMAP) Bypass
Introduction In a previous blog post I talked about my experience exploiting the SYSRET bug on Xen. I noted that I was able to bypass SMEP, but was leaving the information for a future blog post because I wanted to do some additional research — I thought the technique…
Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit
tl;dr It was found that Ubuntu 12.04 32-bit and Debian 7 Samba binaries contained a stack layout that was suitable for exploiting the recent _netr_ServerPasswordSet bug. I was able to develop a reliable exploit that grants pre-authenticated remote root against both systems. Introduction On March 2, 2015 I posted a…
Adventures in Xen Exploitation
tl;dr This post is about my experience trying to exploit the Xen SYSRET bug (CVE-2012-0217). This issue was patched in June 2012 and was disclosed in Xen Security Advisory 7. The bug was found by Rafal Wojtczuk and Jan Beulich. Rafal gave a talk about it at BlackHat USA…