Exetools (https://forum.exetools.com/index.php) - General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)

Thread: 0-day Exploit Code used by Ret2 Systems at PWN2OWN 2018 And Blog Post (https://forum.exetools.com/showthread.php?t=18916)

TechLord 08-30-2018 08:03

0-day Exploit Code used by Ret2 Systems at PWN2OWN 2018 And Blog Post

PWN2OWN 2018 - Safari + Root:

Exploit Code released today.

This repo contains exploit code as used by Ret2 Systems at PWN2OWN 2018. It has been released for educational purposes, detailed by a series of blogposts.

These were used as zero-day exploits against macOS 10.13.3 & Safari/JSC for PWN2OWN 2018.

They exploited two previously unknown vulnerabilities in Apple software to achieve remote code execution as root through a single click in the Safari Web Browser.

Contents:
  • /jsc - JavaScriptCore Exploit & PoC for CVE-2018-4192
  • /windowserver - WindowServer Exploit & PoC for CVE-2018-4193

Repo: https://github.com/ret2/P2O_2018

Blog Post: https://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/

chants 08-31-2018 08:49

Part 2 of the blog post: https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/

But there are several more relevant blog posts for those interested:

  • Timeless Debugging of Complex Software: Root Cause Analysis of a Non-Deterministic JavaScriptCore Bug
    https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/
  • Weaponization of a JavaScriptCore Vulnerability: Illustrating the Progression of Advanced Exploit Primitives In Practice
    https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/
  • Cracking the Walls of the Safari Sandbox: Fuzzing the macOS WindowServer for Exploitable Vulnerabilities
    https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/
  • Exploiting the macOS WindowServer for root: Four Heap Sprays, Two Dangling Pointers, One Bitflip
    https://blog.ret2.io/2018/08/28/pwn2own-2018-sandbox-escape/

Apple's browser has its fair share of exploits too! That goes to the sixth and final post of the PWN2OWN series.

TechLord 08-31-2018 10:19

The blog post that I quoted there was only mentioned in relation to the exploit code being released yesterday.

The actual code used in the exploit was not released earlier, and thus I'd quoted the blog post so that one could see the exploit code itself in context to the blog post article.

Otherwise the rest of the blog posts (part 2 etc) were not relevant to the exploit code released yesterday. That was why I intentionally did not post the links to them there.

chants 08-31-2018 13:56

If one were to care to read the post, it is more about discussing the process the authors went through, not any mere code dump. In fact the code is not referenced on the blog, but plans for the other 5 blog entries are. And that is merely the overview and introductory post. That is why it looks very incomplete to only post the first post. However, in the flurry of formatting and cut-and-paste from a PR, anything is possible.

A very interesting and informative read by the way, if one were to sit back and give it a close eye.
