Boot Newer iOS with QEMU Step by Step
I decided to update my QEMU fork to support newer iOS versions for security research and some CTFs. Here are my notes on how I did it.
First attempt
Build D22-QEMU, load the iOS 14 kernel, and we get:
./qemu-system-aarch64 -M d22-idevice,kernelcache='ios14/kcache.patched',devicetree='ios14/dtre.bin',ramdisk='ios14/rdsk.dmg',trustcache='ios14/trustcache',bootargs='debug=0x14e kextlog=0xffff cpus= ...
Mousey's 2023: Accomplished Nothing
CTF
Online
D^3CTF: played; justCTF: played; UIUCTF: played; SCTF: played; *CTF: played; WMCTF: played; SekaiCTF: played; MapleCTF: played; Balsn CTF: played; N1CTF: played; ACTF: played; 0CTF: played. Plus many more I didn't write down: played.
On-site
Went to Guilin; went to Hefei; went to ycb. Met the S1uM4i family in person. Great. Want to do more on-site trips.
Bugs
One completely useless OOB read and a few harmless NULL dereferences, that's all.
School
Undergrad mouse
Pure slacking; spent more time lying in bed than in class, that's all.
Grad-student mouse
Working on something JIT-related; no idea whether it will work out, it all depends on the seniors in the group. Carry me, elders 👴; is there any SpiderMonkey bro who could teach me?
A special note: if you do something in order to reach what you believe is heaven, it will most likely go wrong; but if you do it in order to escape something, it usually turns out well.
Work
Can't find any.
Other
Thanks to the W4terDr0p family for giving this mouse the chance to compete with the school team, thanks to the S1uM4i family for letting this mouse scrape together some rankings, and thanks to the r3kapig family for letting this mouse see the world. 2024, keep hacking!
From JavaScript to Objective-C: iOS Userland Exploitation, pwn1OS in N1CTF
Thanks to the author for the great challenge. We (S1uM4i) got first blood on this challenge and were the only team to solve it. The challenge is very interesting and I learned a lot from it. I will try to explain the exploitation in detail.
Analysis
The application registers a URL scheme; you can find it in Info.plist:
<key>CFBundleURLSchemes</key>
<array>
    <string>n1ctf</string>
</arra ...
SDCTF 2023 Writeup
I was so excited to participate in my first SDCTF event as an incoming student of UC San Diego. :-) It was a great opportunity to learn new skills, meet awesome people and have fun solving challenges. I really enjoyed the experience and I can’t wait for the next one!
PWN
Turtle Shell
tROPic-thunder
money-printer
money-printer2
rtld_global
Canary
Misc
Secure Runner
Fork bomb protector
Crypto
Jumbled snake
Lake of Pseudo Random Fire
PWN
Turt ...
CVE-2020-11102: Escape from the Earth
Introduction
I participated in the Aliyun CTF competition recently and solved an interesting challenge based on CVE-2020-11102, a vulnerability in QEMU's Tulip NIC emulation that allows a guest OS to escape and execute arbitrary code on the host. In this article, I would like to share some details about the challenge and what I learned from it.
The vulnerability
static void tulip_copy_tx_buffers(TULIPState *s, struct tulip_descriptor *desc) ...
CVE-2022-46702: Remember to Clean Up the Memory
As I tinkered with my first iPhone and jailbroke it, I was struck by the endless possibilities for customization and exploration. That’s when my interest in security research truly took off. I immersed myself in the study of reverse engineering and even became an iOS tweak developer. My curiosity and passion for software security only continued to grow as I delved deeper into this field. And I am excited to share the details of my first CVE, CVE-20 ...
evilCallback: CVE-2021-21225
CVE-2016-1646
Before getting into this analysis, it helps to look at an older bug, CVE-2016-1646. When executing
a = [1].concat([2, 3]);
V8 uses
for (int i = 0; i < argument_count; i++) {
    Handle<Object> object = args->at(i);
    IterateElements(isolate, object, &visitor);
}
to walk every argument of concat() and hand each one to IterateElements. For an array containing only double elements, the ElementsKind is FAST_DOUBLE_ELEMENTS, and IterateElements takes the following branch:
switch (array->GetElementsKind()) {
    case FAST_DOUBLE_ELEMENTS: { ...
Analyze CVE-2022-32792: Faster Than Light, but at What Cost?
Introduction
Before we jump right into the vulnerability, let's review its patch first.
From 6983e76741a1bad811783ceac0959ff9953c175d Mon Sep 17 00:00:00 2001
From: Mark Lam <mark.lam@apple.com>
Date: Fri, 20 May 2022 18:33:04 + ...
Code Execution by Faking IO_FILE->vtable in GLIBC 2.36 [0x1]
invalid vtable
TCTF 2022 ezvm
Conclusion
In the first part, I showed a new method to gain complete control of the vtable of IO_FILE. In this part I would like to present a much more stable way to turn that into arbitrary code execution, and use it to solve a CTF challenge.
invalid vtable
In the first part we focused on bypassing the check in _IO_vtable_check.
Code Execution by Faking IO_FILE->vtable in GLIBC 2.36 [0x0]
Since glibc moved the stdio vtables into a dedicated read-only section (__libc_IO_vtables) and IO_validate_vtable() verifies that an IO_FILE's vtable pointer lies within that section, exploiting IO_FILE->vtable has become much harder than before. Although there are great exploitation chains such as House of Banana and House of Apple, some of them require constructing a series of complex structures. So I would like to put forward another way to exploit IO_FILE-> ...