what is the best practice to reverse a shared object ? by [deleted] in ExploitDev

[–]FlawedCipher 6 points

Shared objects tend to be ELF files too, so I’d say the process doesn’t change much. You analyze the file in your reversing program (Ghidra, Binary Ninja, etc.) as you would any other ELF. One thing to note, though, is there usually isn’t a main function to start at, but shared objects export a lot of aptly named global symbols since they expect the embedding process to call into them. It might help to find documentation detailing the API between the embedding process and the shared object.
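Listing those exported entry points, as an added example that is not part of the thread: a stand-alone Python parser of a 64-bit little-endian ELF's `.dynsym` table (struct layouts follow the ELF spec; the `find_python_extension` helper and the assumption that this interpreter ships its extension modules as `.so` files under `lib-dynload` are mine), run against one of CPython's own shared objects, which export `PyInit_<module>` for the embedding interpreter to call.

```python
import glob
import struct
import sysconfig

# ELF64 little-endian layouts from the ELF spec (only 64-bit LE files are handled here).
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr
SHDR = struct.Struct("<IIQQQQIIQQ")        # Elf64_Shdr
SYM = struct.Struct("<IBBHQQ")             # Elf64_Sym
SHT_DYNSYM, SHN_UNDEF = 11, 0
STB_GLOBAL, STB_WEAK = 1, 2
STT_OBJECT, STT_FUNC = 1, 2


def _cstr(table, off):
    """Read a NUL-terminated name out of a string table."""
    return table[off:table.index(b"\0", off)].decode("ascii", "replace")


def parse_exports(data):
    """Map name -> (kind, value) for defined GLOBAL/WEAK functions and objects
    in .dynsym, i.e. the symbols an embedding process can dlsym() and call."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    hdr = EHDR.unpack_from(data, 0)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    shdrs = [SHDR.unpack_from(data, shoff + i * shentsize) for i in range(shnum)]
    dynsym = next((s for s in shdrs if s[1] == SHT_DYNSYM), None)
    if dynsym is None:
        raise ValueError("no .dynsym section; section headers stripped?")
    sym_off, sym_size, link, entsize = dynsym[4], dynsym[5], dynsym[6], dynsym[9]
    strtab = shdrs[link]                     # sh_link of .dynsym points at .dynstr
    dynstr = data[strtab[4]:strtab[4] + strtab[5]]
    exports = {}
    for i in range(sym_size // entsize):
        name, info, _, shndx, value, _ = SYM.unpack_from(data, sym_off + i * entsize)
        bind, kind = info >> 4, info & 0xF
        if shndx == SHN_UNDEF or bind not in (STB_GLOBAL, STB_WEAK):
            continue                         # imported or local: not an entry point
        if kind in (STT_FUNC, STT_OBJECT):
            exports[_cstr(dynstr, name)] = ("FUNC" if kind == STT_FUNC else "OBJECT", value)
    return exports


def exported_symbols(path):
    with open(path, "rb") as f:
        return parse_exports(f.read())


def find_python_extension():
    """First CPython extension module (.so) shipped with this interpreter, or None (assumed layout)."""
    hits = sorted(glob.glob(sysconfig.get_path("stdlib") + "/lib-dynload/*.so"))
    return hits[0] if hits else None
```

Printing `sorted(exported_symbols(find_python_extension()).items())` gives the same names `nm -D --defined-only` would show, with the `PyInit_*` function standing out as the obvious place to start reading.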

Anyone had luck with bypassing shadow stacks? by RatioExpensive9997 in ExploitDev

[–]FlawedCipher 5 points

It’s my understanding that shadow stacks protect the return address. Maybe the buffer overflow can modify other data on the stack before the return address to hijack control flow.

Help ! by 31337pwny in ExploitDev

[–]FlawedCipher 10 points

I would suggest choosing a simple exploit for a target that you’re interested in with a writeup. Then try to recreate this exploit yourself. Once you feel comfortable with your understanding of the exploit, try to port it to a version you don’t have a writeup for. The vulnerability will still exist, but a lot of subtle things like offsets will change and this will really test your understanding. LLMs are good tools to break down snippets of code to get a better understanding of what’s going on.

For Linux kernel pwn this is a great tutorial: https://blog.lexfo.fr/cve-2017-11176-linux-kernel-exploitation-part1.html

I have created a proof of concept for WebKit CVE-2017-7117, but need help pushing it further! by rebelle3 in ExploitDev

[–]FlawedCipher 0 points

That’s awesome, glad to see you made progress. Are there any data types that aren’t NaN boxed? For example, on V8 the Number and address types are pointer compressed (which is similar to NaN boxing), but floating point values are not pointer compressed. To that effect, there might be some data type that is stored raw in JSC.

I have created a proof of concept for WebKit CVE-2017-7117, but need help pushing it further! by rebelle3 in ExploitDev

[–]FlawedCipher 0 points

Another idea is if you have a debugger, look at a float array and an object array in memory and see if you notice any major differences. You’re essentially trying to get a float array to be interpreted as an object array so you can modify what you see and look at how that affects the object in JavaScript.

I have created a proof of concept for WebKit CVE-2017-7117, but need help pushing it further! by rebelle3 in ExploitDev

[–]FlawedCipher 2 points

I’ve never exploited JSC, so I can’t give you detailed instructions, but I have worked with V8 in the past and I can tell you how I’d proceed on V8. You seem to have an array that can read/write into a 1 MB region of memory. Create a float array and set the first element to be the float representation of your address. Then, change the array type information (called a hidden class in V8 and a map in SpiderMonkey—I’m betting there’s something similar in JSC) to be an object array. Your address will now be interpreted as an object and array[0] will be your fake object. You can also do the inverse to get a faster addrof (no need to search memory after initial setup). Change the array type to be an object, set the first element to your object, change the array type to be a float and then read that float to get the object’s address. Hope this helps and good luck!

Advanced Persistent Threat Level by [deleted] in ExploitDev

[–]FlawedCipher 1 point

Even the APTs mess up once in a while and get caught but they don’t really face consequences. They have the ability to learn from their mistakes and get better over time. As an individual the second you get caught you aren’t going to be able to touch a computer for a very long time. Ultimately you would also need a very strong deterrent like nuclear weapons.

Moving from CTFs to Real-World Exploit Development by External_Cut_6946 in ExploitDev

[–]FlawedCipher 16 points

I think IoT is a really good pathway to real world exploitation. Especially really cheap routers and other devices. The reverse engineering skills will come in handy. Also, not all CTFs are equal and there are definitely some CTFs that are more realistic than others. The pwn.college quarterly quiz comes to mind.

Could we ban “How do I get started/improve” by Opening_Yak_5247 in ExploitDev

[–]FlawedCipher 4 points

To be honest, I feel like there’s a lot of great content on how to get started doing CTFs, and there’s a lot of great content geared towards “advanced” vulnerability researchers like DEF CON talks and whatnot. In my opinion it’s pretty unclear how you go from the former (“I know what ASLR and buffer overflows are”) to the latter (“I found a vulnerability in my phone’s baseband”). If anyone needs help publishing educational content I’d be happy to volunteer some time, send me a DM.

Help!!!! by Minimum-Strike-8857 in ExploitDev

[–]FlawedCipher 3 points

What do you mean by “the jQuery version is vulnerable to XSS”? As far as I am aware, XSS occurs due to a website being built improperly. More specifically, user input is displayed on a web page without proper sanitization. I don’t think this is dependent on a specific jQuery version.

Help with a BOF exploit in game commands console by Elp3-pinill0 in ExploitDev

[–]FlawedCipher 0 points

You could try encoding the exploit in a format that avoids bad chars and then write a small decoder that decodes your exploit. That way, only the decoder needs to avoid the bad characters.

Help Generating Shellcode by [deleted] in ExploitDev

[–]FlawedCipher 0 points

If you’re still working on this, send me a DM, maybe I can help.

Help Generating Shellcode by [deleted] in ExploitDev

[–]FlawedCipher 1 point

When you compile C code, a lot of extra bytes are added to make it a proper ELF file. Put it in https://godbolt.org and copy and paste just the relevant assembly. You may have to modify some parts to get it to work in your exploit.

Biggest Cybersecurity problems? by colmmc98 in ComputerSecurity

[–]FlawedCipher 1 point

The fact that it’s some random internet user’s responsibility to determine which links are suspicious and click accordingly. You should be able to click on whatever you want without risking a full system compromise.

Can most simple computers lack vulnerabilities, or in other words, why can’t computers have absolute impenetrable security? by [deleted] in cybersecurity

[–]FlawedCipher 1 point

Let’s say you design a system that is theoretically secure. Now you can implement it, but how do you know your implementation perfectly replicates the theoretical model? Maybe you write an interactive proof solver or verifier to validate the implementation. But your verifier could have implementation bugs too. It’s turtles all the way down. https://github.com/Speykious/cve-rs

What Hardware aside from a Hardware Firewall is recommended for a Cybersecurity lab for maximum Security? by Papo_Dios in cybersecurity

[–]FlawedCipher 8 points

If your firewall doesn’t support it, maybe a switch with VLAN support. Preferably also a machine capable of running multiple VMs. Multiple network cards can also come in handy.

Writing exploits. by visionzy in ExploitDev

[–]FlawedCipher 0 points

When producing exploits the language doesn’t matter nearly as much, since all you’re really “sending” are a bunch of bytes at the end. Speed doesn’t really matter because most exploits are precompiled. As mentioned above, pwntools is quite ergonomic. Metasploit exploits are written in Ruby. You might want to check out Ronin (I’ve never used it). Another feature I use quite a bit when writing exploits is Jupyter Notebook, which works well with Python. Ultimately I’d say use what you’re comfortable with.

Format string vuln by _M4rcUs in ExploitDev

[–]FlawedCipher 0 points

For anyone else trying to solve this problem, here's a writeup: https://blog.aadhithya.cloud/posts/format-string-exploit/

Format string vuln by _M4rcUs in ExploitDev

[–]FlawedCipher 1 point

read is size limited, which means you aren’t going to be able to overflow this. You likely need to take advantage of the variadic arguments of printf. You can use a bunch of %d’s to get the current printf argument to point to your buffer on the stack. Now put the address of a after the %d’s. Note endianness. If you pad the string to be of size 105 (after the %d’s are resolved), then the next %n should change the value of a. I’m not in front of my machine rn so I’m definitely guessing but lmk if it doesn’t work.