/ Recent content on EvilCode Hugo -- gohugo.io en-us Thu, 07 Dec 2023 08:32:49 +0000 /posts/2023/msctf-2023-hfsanticheat/ Thu, 07 Dec 2023 08:32:49 +0000 /posts/2023/msctf-2023-hfsanticheat/ HFS is getting into the anti-cheat biz! Submit game cheats to help us BETA test our anti-cheat engine. The flag is in C:\Windows\System32\flag.txt HFSAntiCheat Intro HFSAntiCheat was an homage to the collection of vulnerable drivers at LOLdrivers. A common vulnerability for these drivers was arbitrary physical memory read-and-write. This could be due to copy-paste from WinIO. The players were able to submit a “game cheat” as a custom Portable Executable (PE) file to a remote Windows system. /posts/2023/msctf-2023-hfshyperram/ Thu, 07 Dec 2023 08:32:49 +0000 /posts/2023/msctf-2023-hfshyperram/ HFSHyperRAM provides anti-cheat features including secure storage within the hypervisor. To capture the flag, simply execute the ‘flag’ command on the host operating system! HFSHyperRam Intro HFSHyperRAM was an emulated device for VirtualBox that provided “secure” storage in the host Operating System (OS) of the challenge Virtual Machine (VM). This was part two of my previous HFSAntiCheat challenge. The players could submit a “game cheat” via a Portable Executable (PE) file. /posts/2019/freebsd-2019/ Thu, 31 Oct 2019 20:49:03 +0100 /posts/2019/freebsd-2019/ CVE-2019-5602 Analysis Source: https://packetstormsecurity.com/files/153522/FreeBSD-Security-Advisory-FreeBSD-SA-19-11.cd_ioctl.html In short, the CDIOCREADSUBCHANNEL_SYSSPACE ioctl was erroneously made accessible to userland. It’s reachable if a user is able to read the /dev/cd0, any user of the group operators can do this currently. A requirement for this to work is that a media is inserted into the cd-device, however this might not be true when FreeBSD is virtualized f.ex. via VMWare. The ioctl trusts the user-controlled input and writes “arbitrary” data to a kernel-address of the attackers choice. /posts/2019/sect-2019-mirc2077/ Mon, 23 Sep 2019 00:00:00 +0000 /posts/2019/sect-2019-mirc2077/ Intro I made this challenge for the SEC-T CTF 2019. It has two parts and is meant to be a minimal ‘browser-pwnable’. The javascript engine used is Duktape (https://duktape.org). A custom bug was introduced to it which can be used to get code-execution in the JS-interpreter-process. This process is heavily sandboxed with Seccomp and the second part of the challenge is about escaping it by exploiting an IPC-bug in the main-process.