Publications

Exploiting a Blind Format String Vulnerability in Modern Binaries: A Case Study from Pwn2Own Ireland 2024

30/10/2024
Exploit
Reverse-engineering
In October 2024, during the Pwn2Own event in Cork, Ireland, hackers attempted to exploit various hardware devices such as printers, routers, smartphones, home automation systems, NAS devices, security cameras, and more. This blog post highlights a challenging vulnerability that was patched just before the competition. Although it was fixed in time, it deserved more attention than simply being discarded.

Inside the iOS bug that made deleted photos reappear

23/05/2024
Reverse-engineering
Last week, Apple released iOS 17.5. Since then multiple people reported seeing photos on their phone they had previously deleted. The bug was fixed in 17.5.1. In this blogpost we will dive into how the bug appeared and how it was fixed by Apple.

Exploiting American Conquest

16/04/2024
Exploit
Reverse-engineering
Back in 2023, we looked for vulnerabilities in American Conquest as a side research project. We found and reported multiple stack buffer overflow. Despite the publisher will not fix the bugs because the game is too old, we share today the details of our research. This is an interesting article for those who want to get started in researching and exploiting vulnerabilities.

Arlo: I'm watching you

08/03/2024
Reverse-engineering
The consumer-focused Pwn2Own competition returned in Toronto in 2023 with the "SOHO smashup" category, but also added cameras under a new "Surveillance Systems" category. While we already had success with the Wyze Cam v3 and Synology BC500 in this category, other targets were also looked at. Therefore, this blog post aims at bootstrapping vulnerability research on Arlo cameras.

Exploring Counter-Strike: Global Offensive Attack Surface

08/01/2024
Exploit
Reverse-engineering
Back in 2021, we studied the attack surface of Counter-Strike: Global Offensive as a side research project. We found and reported a relative heap out-of-bounds write vulnerability triggerable remotely, impacting code that is no longer present with the release of Counter-Strike 2. In fact, no patch was released in the meantime despite multiple follow-ups. We share today the details of this bug and our research about the attack surface and generic exploitation primitives.

Leveraging Binary Ninja IL to Reverse a Custom ISA: Cracking the “Pot of Gold” 37C3

05/01/2024
Challenges
Exploit
Reverse-engineering
This article explores the process of reversing a custom instruction set architecture (ISA) of the Pot of Gold CTF challenge (37C3 CTF) using Binary Ninja Intermediate Language (IL) to decompile the challenge code. Next, it describes the exploitation part, first getting code execution in the emulator, then pivoting to a second process and ultimately exploiting the opcode emulation to retrieve the flag.

Frinet: reverse-engineering made easier

18/12/2023
Outils
Reverse-engineering
By combining Frida with an enhanced version of Tenet, Frinet facilitates the study of large programs, vulnerability research and root-cause analysis on iOS, Android, Linux, Windows, and most architectures.

Pcapan: a PCAP analysis helper

22/11/2023
Outils
Reverse-engineering
This post showcases a small but very useful tool that can be used to classify expected and suspicious traffic in a network capture file, and, more importantly, what the process is for writing such a tool.

Behind the Shield: Unmasking Scudo's Defenses

05/10/2023
Exploit
Reverse-engineering
When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. Following our previous blogpost focusing on jemalloc (new), this article will dive into another one of Android libc allocators: Scudo.

Exploring Android Heap allocations in jemalloc 'new'

30/05/2023
Exploit
Reverse-engineering
When writing an exploit for a memory corruption vulnerability, knowing the heap allocator internals is often required to shape the heap as desired. This article will dive into one of Android libc allocators: jemalloc 'new' (jemalloc version 5 and superior). Whereas scudo is the latest allocator introduced in the platform, jemalloc 'new' is still very used today but not well documented.