Dissecting the Android Bouncer
June 21st, 2012
At SummerCon this year, Charlie Miller and I gave a talk on Android’s Bouncer. Our presentation materials are now publicly available.
When I first saw the release notes for the new Android Ice Cream Sandwich (ICS) platform, I was excited to see that Google mentioned that “Android 4.0 now provides address space layout randomization”:
My challenge for this year’s NYU Poly CSAW CTF finals was a Linux kernel exploitation challenge disguised as a crypto challenge. The challenge and solution are described below.
I’m releasing a couple tools I use internally for Linux kernel exploit development: ksymhunter and kstructhunter. They’re probably only useful for like ten people on the planet, but oh well, enjoy!
Last month at SummerCon, Dan Rosenberg and I talked about our stackjacking technique for exploiting kernel vulnerabilities on grsecurity/PaX-hardened Linux kernels, in a presentation titled “Stackjacking and Other Kernel Nonsense.”
It’s been about six months since I reported a vulnerability in the Android mobile platform that allowed the unprompted installation of arbitrary applications with arbitrary permissions on a victim’s device. While the vulnerability has long been fixed on Android handsets around the world, I’ve yet to write up any technical details about it, and it’s unlikely you’ve heard of it unless you were present at our ShmooCon presentation earlier this year. So without further ado, let’s dive into “When Angry Birds attack: Android edition.”
This April at Hackito Ergo Sum in Paris and Immunity’s Infiltrate in Miami, Dan Rosenberg and I presented on a technique to exploit grsecurity/PaX-hardened Linux kernels. Read on for a brief overview of our presentation and a link to the full slides and PoC code.
In this post, I’ll introduce an exploitation technique for kernel stack overflows in the Linux kernel. Keep in mind this does not refer to buffer overflows on the kernel stack (whose exploitability is well understood), but rather the improper expansion of the kernel stack causing it to overlap with critical structures which may be subsequently corrupted. This is a vulnerability class in the Linux kernel that I do not believe has been exploited publicly in the past, but it is relevant due to a recent vulnerability in the Econet packet family.
The finals for NYU Poly’s CSAW CTF was this past weekend in New York City. I thought I would post the kernel exploitation challenge I developed for the final round. Feel free to try your hand at solving it!