In "The Layman's Guide to Zero-Day Engineering", Markus and Amy of Ret2 Systems stressed the importance of building your own bookmark library of security and architecture literature for the target you want to write exploits for. We have always taken this point seriously and have been maintaining our own bookmark list in Trello for some time. Today we are publishing that list for everyone to read.
Want to learn how to hack browsers, and JavaScript engines in particular? Travelling and have time to read? Watch these conference talks or read these articles to learn more about browser vulnerability research and exploitation.
Source: https://zon8.re/posts/javascript-engine-fuzzing-and-exploitation-reading-list/
Videos
- Attacking Client Side JIT Compilers - Samuel Groß - Black Hat USA 2018 - This talk explains what JIT compilers are and what types of bugs can occur in them. Saelo uses his Pwn2Own bugs as a case study.
- Attacking Client Side JIT Compilers - BlackHat USA 2011 - Many of the components discussed are outdated, but nevertheless this is worth a watch.
- Black Hat USA 2018 - WebAssembly A New World of Native Exploits on the Browser
- FuzzIL: Guided Fuzzing for JavaScript Engines - Samuel Groß - OffensiveCon19
- Modern Source Fuzzing - Ned Williamson - OffensiveCon19
- 35C3 - The Layman’s Guide to Zero-Day Engineering - The Ret2 team discusses the engineering process behind a zero-day that was used to exploit Apple Safari at PWN2OWN 2018.
- Fuzzing Javascript Engines for Fun and Pwnage - Areum Lee & Jeonghoon Shin
- Exploring the Safari Just In Time Exploitation - Jasiel Spelman - TenSec 2018 - Jasiel Spelman (ZDI) presents the latest research in JIT exploitation.
- Attacking Chrome IPC
- OffensiveCon19 - Niklas Baumstark - IPC You Outside the Sandbox: One bug to Rule the Chrome Broker
- 35C3 - From Zero to Zero Day
- Browser Exploitation - Max Zinkus - Whitehat
- 2017 LLVM Developers’ Meeting: K. Serebryany “Structure-aware fuzzing for Clang and LLVM with …” - Not specifically about browser exploitation; this talk discusses the concept of structure-aware fuzzing, which can be useful when fuzzing JS engines.
- The ECMA And The Chakra - Natalie Silvanovich
- Attacking ECMAScript Engines With Redefinition
- $Hell on Earth: From Browser to System Compromise
- A tale of Chakra bugs through the years - By bkth
- The Secret Of Chakracore: 10 Ways To Go Beyond The Edge - Linan Hao and Long Liu - HITB 2017
- Browser Fuzzing with a Twist (and a Shake) - Jeremy Brown - Zeronights 2015
- The Power of Pair: One Template that Reveals 100+ UAF IE Vulnerabilities
- The State Of Web Browsers Vs DOM Fuzzing In 2017 - Ivan Fratric - FSec2017
- Forget the Sandbox Escape: Abusing Browsers from Code Execution - Amy Burnett Bluehat IL 2020
- Adventures on Hunting for Safari Sandbox Escapes - Ki Chan Ahn - OffensiveCon 2020
- A Methodical Approach to Browser Exploitation
- Vulnerability Discovery Against Apple Safari
- Timeless Debugging of Complex Software
- Weaponization of a JavaScriptCore Vulnerability
- Cracking the Walls of the Safari Sandbox
- Exploiting the macOS WindowServer for root
- Attacking JavaScript Engines
- Pwn2Own 2018: Safari + macOS Writeup
- WebKit Exploitation Tutorial
- FuzzIL: Coverage Guided Fuzzing for JavaScript Engines (Thesis)
- CVE-2018-4441: OOB R/W via JSArray::unshiftCountWithArrayStorage (WebKit)
- Commented Instanceof exploit
- Exploiting Chrome V8: Krautflare (35C3 CTF 2018)
- Introduction to SpiderMonkey exploitation
- CVE-2017-2446 or JSC::JSGlobalObject::isHavingABadTime Writeup
- Introduction to Turbofan
- Circumventing Chrome’s Hardening of Typer Bugs
- Journey Into IonMonkey Root Causing CVE-2019-9810
- The Apple Bug That Fell Near the WebKit Tree
- Inverting Your Assumptions: A Guide to JIT Comparisons
- Deconstructing a Winning WebKit Pwn2Own Entry
- V8 CVE-2019-5790 Writeup - This blog post is an analysis of a vulnerability reported by Dimitri Fourny of Blue Frost Security that had already been fixed in the repository, but for which no PoC had been released yet.
- Microsoft Edge Chakra JIT Type Confusion: CVE-2019-0539 Root Cause Analysis.
- Microsoft Edge Chakra JIT Type Confusion: CVE-2019-0539 Exploitation
- CVE-2019-5786: Analysis & Exploitation of the Recently Patched Chrome Vulnerability - This post provides a detailed analysis and an exploit achieving remote code execution for a fixed Chrome vulnerability that Google observed being exploited in the wild.
- Patch Gapping Google Chrome - Patch-gapping is the practice of exploiting vulnerabilities in open-source software that are already fixed (or are in the process of being fixed) by the developers before the actual patch is shipped to users.
- A Window of Opportunity: Exploiting a Chrome 1 Day Vulnerability
- Microsoft Edge Renderer Exploitation
- The Story of Two Winning Pwn2Own JIT Vulnerabilities in Firefox
- Regular Exploitation of a Tesla Model 3 Through Chromium Regexp
- Chrome Turbofan Remote Code Execution SSD - August 2017
- Attacking Turbofan TyphoonCon (Slides)
- Fuzzing WebKit
- JavaScriptCore CSI: A Crash Site Investigation Story - Mark Lam - June 2016 - This article describes some of the tools WebKit engineers use by telling the story of how they diagnosed a real bug in the JSC virtual machine.
- JSC: Bypassing StructureID Randomisation
- Hack The Real: An exploitation chain to break the Safari browser
- The Most Secure Browser? Pwning Chrome from 2016 to 2019
- Exploiting v8: *CTF 2019 oob-v8
- Exploiting the Math.expm1 typing bug in V8
- Exploiting TurboFan Through Bounds Check Elimination
- Analysis of a use-after-unmap vulnerability in Edge: CVE-2019-0609
- JSC Exploits - Google Project Zero
- Google CTF justintime exploit - By EternalSakura13
- 34c3 v9 writeup - By EternalSakura19 - Writeup of the “v9” CTF challenge: an exploit writeup of a v8-style bug.
- Case Study V8 cve-2016-5198 - By EternalSakura19 - Translation required
- Redundancy Elimination Reducer in V8 and 34C3 CTF V9 - By Mem2019
- Real World CTF 2019 Accessible Write-up - By Mem2019
- Roll a D8 - By Mem2019
- advent-browserpwn 2018
- Pwn2Own 2017: UAF in JSC::CachedCall (WebKit) - By Niklasb and Saelo
- Exploiting an integer overflow with array spreading (WebKit) - By Niklasb and Saelo
- Pwn2Own: Safari sandbox part 1 – Mount yourself a root shell - By Niklasb
- Share with care: Exploiting a Firefox UAF with shared array buffers - By bkth, eboda
- Pwn2Own: Safari sandbox part 2 – Wrap your way around to root - By niklasb, saelo
- Exploiting a Safari information leak - By bkth
- Non JIT Bug, JIT Exploit - By bkth, S0rryMyBad
- Attribution is hard — at least for Dock: A Safari sandbox escape & LPE - By niklasb
- Ten months old tweetable bug leads to RCE - By bkth
- Exploiting a V8 OOB write - HalbeCaf
- Don’t Follow The Masses: Bug Hunting in JavaScript Engines - BlueFrostSecurity
- Mobile PWN2OWN Autumn 2013 - Chrome on Android - Exploit Writeup
- Chrome V8 CVE-2019-5782 Tianfu Cup - By S0rrymybad
- Chrome Oilpan - Meta Data, Freelists and more - Chris Rohlf
- OR’LYEH? The Shadow over Firefox - By argp
- Playing around with Spidermonkey
- Learning browser exploitation via 33C3 CTF feuerfuchs challenge
- Chakrazy – exploiting type confusion bug in ChakraCore engine
- blazefox (Firefox) - Blaze CTF 2018
- Exploiting a Cross-mmap Overflow in Firefox - By saelo
- WebKid (WebKit) 35C3CTF Writeup - By LinusHenze
- Trend Micro CTF 2019 libChakraCore.so
- 1-Day Browser & Kernel Exploitation (Slides)
- Fuzzing JavaScript Engines (Slides)
- Pwning Microsoft Edge Browser: From Memory Safety Vulnerability to Remote Code Execution (Slides) - Jin Liu, Chong Xu
- Safari Adventure: A Dive into Apple Browser Internals (Slides) - Zhiyang Zeng
- Chrome Exploitation (Slides) - Gengming Liu, Jianyu Chen
- 365 Days Later: Finding and Exploiting Safari Bugs using Publicly Available Tools
- Pwn4Fun Safari
- The Problems and Promise of WebAssembly
- The Great DOM Fuzz off of 2017
- Trashing the Flow of Data
- Virtually Unlimited Memory: Escaping the Chrome Sandbox
- Attacking ECMAScript Engines with Redefinition
- Exploiting Logic Bugs in JavaScript JIT Engines
- OSX Heap Exploitation Techniques (Safari/Webkit Writeup)
- Apple Safari - PWN2OWN Desktop Exploit
- Polishing Chrome for Fun and Profit
- Escaping the Chrome Sandbox via an IndexedDB Race Condition
- WebKit Exploitation Tutorial
- Exploiting WebKit on Vita 3.60
- JavaScript engine exploit 191731
- JavaScript engine exploit - WebKit CVE-2016-4622
- JavaScript engine exploitation - Anquanke
- Diving Deep into a Pwn2Own Winning Bug
- Chrome Vulnerability Debugging Notes CVE-2019-5768
- Chakra vulnerability debugging notes 2 - OpCode Side Effect
- Chakra vulnerability debugging notes 3 - MissingValue
- Chakra vulnerability debugging notes 4 - Array OOB
- Chakra vulnerability debugging notes 5 - CVE-2019-0861 reproduction
- Chakra OP_NewScObjArray Type Confusion Remote Code Execution Vulnerability Analysis and Exploitation
- Edge Inline Segment Use After Free vulnerability analysis
- Chakra JIT Loop LandingPad ImplicitCall Bypass
- Attacking the Webkit Heap
- 35c3ctf 2018 krautflare
- Browser Security Beyond Sandboxing
- Intro to Chrome's V8 from an Exploit Development Angle
- A Eulogy for Patch Gapping
- Browser Exploitation: CVE-2019-11707 Writeup
- Pointer Compression in V8
- Firefox Spidermonkey JS Engine Exploitation
- Chainspotting - Building Exploit Chains with Logic Bugs
- JSC TypedArray.slice infoleak
- Exploiting NVMAP to escape Chrome Sandbox
- CVE-2020-0041 Chrome Sandbox Escape
- The hunt for Chromium issue 1072171
- FF Sandbox Escape (CVE-2020-12388)
- Cleanly Escaping The Chrome Sandbox
- Exploiting an Accidentally Discovered V8 RCE