Understand the Powerful ROP Attack From Zero!

What Is ROP?

First, let's define a gadget. A gadget is a short sequence of assembly instructions that ends with a control-transfer instruction, for example pop rax; ret;. Control-transfer instructions include ret, jmp, call, and so on. Chaining many gadgets together, with the final instruction of each gadget transferring control to the next, is return-oriented programming (ROP): gadget1 -(jump)> gadget2 -(jump)> gadget3 -(jump)>… Gadgets are abundant in a vulnerable binary executable. You scan the binary, find its gadgets, exploit a vulnerability to redirect execution into a useful sequence of them, and eventually complete the attack.

Implement a Real ROP Attack

Environment

Download the necessary files from here. bug is the vulnerable binary executable. exploit_gen.c generates a binary data file called “exploit”, which is the input of bug. exploit_gen.c may not be able to exploit the bug on your machine as-is; follow the steps in the next section, do your own experiments, and modify exploit_gen.c accordingly.

Novel Points: Exploit the Heap Overflow Bug *CTF 2019 oob-v8

1. Contents

2. Many Heap Overflow Bugs Can Be Exploited in a Similar Way

I have introduced a v8 heap overflow bug before: V8 Array Overflow Exploitation: 2019 KCTF Problem 5 小虎还乡 – Pwn By Kenny. This is another one: *CTF 2019 oob-v8. The interesting things I’m going to show you in this post are: 1) This bug only allows you to read or overwrite a specific 8 bytes, but you can use it to achieve arbitrary reads and writes. 2) This is a different heap overflow bug, but you can exploit it in a very similar way to the 2019 KCTF Problem 5. In fact, many heap overflow bugs can be exploited in this same way. To show you this, I will use the same headings as the 2019 KCTF Problem 5 post. Feel free to compare the two posts!

3. PoC of the V8 Heap Overflow Vulnerability – *CTF 2019 oob-v8

PoC code is what triggers a bug. For this *CTF 2019 oob-v8 bug, we are able to read out-of-bounds with “JSArray.oob();” and write out-of-bounds with “JSArray.oob(value);”. JSArray is the v8 object used to represent an array. For example, if you write code like “var arr = [1.1];”, you will have a JSArray object in memory. “arr.oob();” lets you read the 8 bytes immediately beyond the array’s element area, and “arr.oob(2.2);” lets you overwrite those 8 bytes with 2.2. For more information about JSArray, please visit V8 Objects and Their Structures – Pwn By Kenny.

JavaScript Parser To Create Abstract Syntax Tree(AST): Acorn

0. Preface

The JavaScript parser Acorn and the abstract syntax trees (ASTs) it produces are useful tools: they let us edit source code automatically and efficiently. This post shows you how to build and edit the AST of JavaScript code.

1. Content

2. Install the JavaScript Parser — Acorn

To quote from the GitHub repository, Acorn is “a tiny, fast JavaScript parser, written completely in JavaScript”, released under an MIT license. Acorn generates abstract syntax trees for JavaScript code. It has three modules: the main JavaScript parser named “acorn”, the error-tolerant parser named “acorn-loose”, and the syntax tree walker named “acorn-walk”. This post focuses on the main parser. In this section, we introduce its installation.