Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Cryptogenic/Exploit-Writeups
A collection where my current and future writeups for exploits/CTF will go
https://github.com/Cryptogenic/Exploit-Writeups
capture-the-flag exploit-development exploitation vulnerabilities
Last synced: about 2 months ago
JSON representation
A collection where my current and future writeups for exploits/CTF will go
- Host: GitHub
- URL: https://github.com/Cryptogenic/Exploit-Writeups
- Owner: Cryptogenic
- License: wtfpl
- Created: 2017-04-05T21:04:18.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2021-05-09T00:40:45.000Z (over 3 years ago)
- Last Synced: 2024-07-31T13:15:09.650Z (4 months ago)
- Topics: capture-the-flag, exploit-development, exploitation, vulnerabilities
- Size: 122 KB
- Stars: 744
- Watchers: 83
- Forks: 116
- Open Issues: 3
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - Cryptogenic/Exploit-Writeups - A collection where my current and future writeups for exploits/CTF will go (Others)
README
# Exploit Writeups
Welcome to my collection of exploit writeups. This repo is where my current and future writeups for public exploits, vulnerability research, and CTF challenge solves will go. Below is a directory of the current writeups that I've published.## FreeBSD / PS4 Kernel
[PS4 4.05 Kernel Exploit Overview](https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/NamedObj%20Kernel%20Exploit%20Overview.md)An overview of the PS4 kernel exploit codenamed "namedobj", which targets a type confusion vulnerability in the `sys_namedobj_*` Sony system calls. This overview covers the basic exploit strategy required to leverage the type confusion bug into a fully fledged exploit.
[PS4 4.05 Kernel Exploit Writeup](https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/%22NamedObj%22%204.05%20Kernel%20Exploit%20Writeup.md)
A full writeup on how the "namedobj" type confusion vulnerability can be leveraged to achieve arbitrary code execution in kernel mode, via a targetted use-after-free (UAF).
[PS4 4.55 / FreeBSD BPF Kernel Exploit Writeup](https://github.com/Cryptogenic/Exploit-Writeups/blob/master/FreeBSD/PS4%204.55%20BPF%20Race%20Condition%20Kernel%20Exploit%20Writeup.md)
A writeup containing the technical details behind a kernel exploit targetting the Berkely Packet Filter (BPF) system shipped on standard FreeBSD systems, but specifically targetting the Playstation 4 on 4.55FW. The bug is a race condition leading to a stack out-of-bounds (OOB) write. The writeup shows how this can easily be leveraged to escalate privileges to execute arbitrary code in kernel mode.
[PS4 5.05 / FreeBSD BPF 2nd Kernel Exploit Writeup](https://github.com/Cryptogenic/Exploit-Writeups/blob/master/FreeBSD/PS4%205.05%20BPF%20Double%20Free%20Kernel%20Exploit%20Writeup.md)
A writeup targetting another BPF vulnerability - another, very similar race condition, but a different approach. Rather than targetting the use-after-free(), this exploit targets a double free() in order to obtain heap corruption on a target object. Again, the writeup shows that this can be leveraged to obtain code execution in kernel mode, however it also contains details on bypassing an SMAP-like implementation developed by Sony.
## WebKit
[Breaking Down Qwerty's PS4 4.0x WebKit Exploit](https://github.com/Cryptogenic/Exploit-Writeups/blob/master/PS4/4.0x%20WebKit%20Exploit%20Writeup.md)This writeup contains a technical analysis on [qwertyoruiopz](https://twitter.com/qwertyoruiopz)'s WebKit exploit targetting the PS4 on 4.0x firmwares. The writeup details how a stack uninitialized read can be leveraged to obtain arbitrary R/W, and eventually code execution.
[setAttributeNodeNS Use-After-Free WebKit Exploit](https://github.com/Cryptogenic/Exploit-Writeups/blob/master/WebKit/setAttributeNodeNS%20UAF%20Write-up.md)
A writeup detailing the setAttributeNodeNS() use-after-free (UAF) vulnerability discovered by lokihardt from Google's Project Zer0 (p0). It contains technical details about how an attacker can combine it with an information disclosure (infoleak) to misalign JSValues to establish an arbitrary R/W primitive, which again will eventually lead to code execution.