EXETOOLS FORUM  
#1 - 08-30-2018, 08:03 - TechLord
0-day Exploit Code used by Ret2 Systems at PWN2OWN 2018 And Blog Post

PWN2OWN 2018 - Safari + Root:

Exploit Code released today.

This repo contains exploit code as used by Ret2 Systems at PWN2OWN 2018. It has been released for educational purposes, detailed by a series of blog posts.

These were used as zero-day exploits against macOS 10.13.3 & Safari/JSC for PWN2OWN 2018.

They exploited two previously unknown vulnerabilities in Apple software to achieve remote code execution as root through a single click in the Safari Web Browser.

Contents:
  • /jsc - JavaScriptCore Exploit & PoC for CVE-2018-4192
  • /windowserver - WindowServer Exploit & PoC for CVE-2018-4193

Repo: https://github.com/ret2/P2O_2018

Blog Post: https://blog.ret2.io/2018/06/05/pwn2own-2018-exploit-development/
#2 - 08-31-2018, 08:49 - chants
Part 2 of the blog post: https://blog.ret2.io/2018/06/13/pwn2own-2018-vulnerability-discovery/
But there are several more relevant blog posts for those interested:

Timeless Debugging of Complex Software: Root Cause Analysis of a Non-Deterministic JavaScriptCore Bug
https://blog.ret2.io/2018/06/19/pwn2own-2018-root-cause-analysis/

Weaponization of a JavaScriptCore Vulnerability: Illustrating the Progression of Advanced Exploit Primitives In Practice
https://blog.ret2.io/2018/07/11/pwn2own-2018-jsc-exploit/

Cracking the Walls of the Safari Sandbox: Fuzzing the macOS WindowServer for Exploitable Vulnerabilities
https://blog.ret2.io/2018/07/25/pwn2own-2018-safari-sandbox/

Exploiting the macOS WindowServer for root: Four Heap Sprays, Two Dangling Pointers, One Bitflip
https://blog.ret2.io/2018/08/28/pwn2own-2018-sandbox-escape/
Apple's browser has its fair share of exploits too! That goes to the sixth and final post of the PWN2OWN series.
#3 - 08-31-2018, 10:19 - TechLord
The blog post that I quoted there was only mentioned in relation to the exploit code being released yesterday.

The actual code used in the exploit was not released earlier, and thus I'd quoted the blog post so that one could see the exploit code itself in the context of the blog post article.

Otherwise the rest of the blog posts (part 2 etc.) were not relevant to the exploit code released yesterday. That was why I intentionally did not post the links to them there.
#4 - 08-31-2018, 13:56 - chants
If one were to care to read the post, it is more about discussing the process the authors went through, not any mere code dump. In fact the code is not referenced on the blog, but plans for the other 5 blog entries are. And that is merely the overview and introductory post. That is why it looks very incomplete to only post the first post. However, in the flurry of formatting and cut-and-paste from a PR, anything is possible.

A very interesting and informative read by the way, if one were to sit back and give it a close eye.