/exploit_playground

Analysis of public exploits or my 1day exploits

Primary LanguageC

About

This is where I will post analysis of Public Exploits, or some of my 1day exploits.

About public exploit analysis :

  • Personally I think the best way to learn a public exploit is by understanding it line-by-line until I can understand the exploit to the fullest. I will post some of these (overly-commented ;) ) exploits so hopefully others can learn from it, and as an attempt to give something back to the community. Also for documenting purposes, cause these things kind of fade away from my head as time passes.

CVE-2016-8655

  • This is a detailed analysis of rebel's exploit.
  • Thanks rebel for the awesome exploit! :D

CVE-2016-5342

mp3 version

  • This is a commented version of freener's android LPE exploit
  • arm32
  • Heap overflow
  • This exploit directly overwrites a function pointer of another object

tty version

  • This is a commented version of freener's android LPE exploit
  • arm32
  • Heap overflow
  • This exploit overwrites an object pointer in another object. It uses ret2dir attack to make the corrupted pointer point to a predictable fixed address in kernel which holds the exploit payload. This exploit technique bypasses PXN & PAN.

CVE-2016-2434

  • This is a commented version of Jianqiang Zhao's android LPE exploit
  • arm64
  • Zero-out 16 bytes at an arbitrary address
  • This exploit wipes out 16 bytes of a useful global object, which is located at a fixed address in kernel.
  • A corrupted object pointer within the global object references exploit payload from userland. This kind of attack will not work on devices/kernels with PAN(or PAN emulation).

extra_recipe

  • My attempt to understand the extra_recipe jailbreak
  • I was especially interested in the kpp bypass part. Although there were a couple slides on the subject where I could gain a vague image of the bypass, I really wanted to dig into the fine details and see what is actually going on inside the exploit
  • I also wanted to understand the final ingredients for a jailbreak(Installing Cydia, etc.)

yalu102 (ViewController.m)

  • I commented the part relevant to the actual bug, and how it was exploited.
  • The reason why I looked into yalu102 instead of the original exploit is because the port-feng-shui technique looked more cleaner and easier to understand.
  • The analysis stops right before the kpp bypass

xerub's extra_recipe-master (jailbreak.c, unjail.m, patchfinder64.c, pte_stuff.h)

  • I jump here because it had a little more information on the various numeric offsets.
  • Also, the patchfinder.c is intact, as opposed to yalu102 which there is only an object file.
  • The cydia part is kind of incomplete so I jump to the cydia branch after kpp

xerub's extra_recipe-cydia (unjail.m)

  • Trying to understand the requirements for a jailbreak after post-exploitation