sroettger

IERAE CTF 2024 - Intel CET Bypass Challenge

IERAE CTF had one of the coolest pwn challenges I've done in the while. It was written by hugeh0ge.

Here's the full source:

// gcc chal.c -fno-stack-protector -static -o chal
#include <stdio.h>
#include 

theevilbit

#!/bin/bash

# Run the lsregister command and store the output in a variable
output=$(/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump)

# Use awk to parse the relevant sections
echo "$output" | awk '
    # When "CFBundleDisplayName" is found, store the app name
    /CFBundleDisplayName/ {
        app_name = substr($0, index($0, "=") + 2)

mistymntncop

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>
#include <windows.h>

#include "nt_crap.h"

#define ArrayCount(arr) (sizeof(arr)/sizeof(arr[0]))
#define assert(expr) if(!(expr)) { *(char*)0 = 0; }

DavidBuchanan314

"""
31-round sha256 collision.

Not my research, just a PoC script I put together with numbers plugged in from the slide at
https://twitter.com/jedisct1/status/1772647350554464448 from FSE2024

SHA256 impl follows FIPS 180-4
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
"""

syneart

### Test on https://github.com/yousseb/meld/releases/tag/osx-20
### OSX - 3.21.0 (r4) Sonoma
### !!! Note: You need put the Meld.app r4 build to the /Applications path first.

#!/bin/zsh

#Fix libpng16.16.dylib not found
install_name_tool -change /usr/local/opt/libpng/lib/libpng16.16.dylib @executable_path/../Frameworks/libpng16.16.dylib /Applications/Meld.app/Contents/Frameworks/libfreetype.6.20.0.dylib

#Fix libbrotlidec.1.dylib not found

saagarjha

// Sometimes you have a large file on a small disk and would like to "transform"
// it in some way: for example, by decompressing it. However, you might not have
// enough space on disk to keep both the the compressed file and the
// decompressed results. If the process can be done in a streaming fashion, it
// would be nice if the file could be "drained"; that is, the file would be
// sequentially deleted as it is consumed. At the start you'd have 100% of the
// original file, somewhere in the middle you'd have about half of the original
// file and half of your output, and by the end the original file will be gone
// and you'll be left with just the results. If you do it this way, you might
// be able to do the entire operation without extra space!

MaxBWMinRTT

Some quick notes about the CVE-2023-3079(V8 type confusion), no PoC yet.

Official patch: https://chromium-review.googlesource.com/c/v8/v8/+/4584248

Patch come from KeyedStoreIC::StoreElementHandler(), it returns fast path code(Turbofan builtin) for keyed store depends on "receiver_map" and "store_mode". Based on the content of this function is all about element STORE, I personally believe that this is an OOB writes vulnerability.

If we divide the PoC exploration into two parts based on this func, they are:

kconner

macOS Internals

Understand your Mac and iPhone more deeply by tracing the evolution of Mac OS X from prelease to Swift. John Siracusa delivers the details.

Starting Points

How to use this gist

You've got two main options:

NyaMisty

How to Use

1. In Ghidra's Project Tool, Go to Tools -> Import Tool..., select mistyCodeBrowser.tool
2. Dragging file onto the new CodeBrowser_1 in ToolChest

coolaj86

Chat GPT "DAN" (and other "Jailbreaks")

• https://chat.openai.com/
• Is ChatGPT "DAN" Real? Gonna find out [Part 1]
  (https://www.youtube.com/watch?v=-q8woRG9FrI)
• Part 2: I thought ChatGPT DAN was a hoax, but...
  (https://www.youtube.com/watch?v=rHZRrDu3A2U&lc=UgxfrxX8aK7gnCzkend4AaABAg)