Murmus CTFWay back in April I did the first of our series of "0-day live streams" where we found brand new 0-day vulnerabilities in a piece of software called PDFCrack and exploited one of them. This video is a condensed explanation of the vulnerabilities and the process we used to find them, as well as a discussion about why AFL was able to find one much more easily than the other.
For more content like this, the normal schedule for live streams are Mondays at 7 PM and Wednesday at 4 PM, both times Eastern, although the most up to date schedule is available on Twitter.
Life of an Exploit: Fuzzing PDFCrack with AFL for 0daysMurmus CTF2017-09-01 | Way back in April I did the first of our series of "0-day live streams" where we found brand new 0-day vulnerabilities in a piece of software called PDFCrack and exploited one of them. This video is a condensed explanation of the vulnerabilities and the process we used to find them, as well as a discussion about why AFL was able to find one much more easily than the other.
For more content like this, the normal schedule for live streams are Mondays at 7 PM and Wednesday at 4 PM, both times Eastern, although the most up to date schedule is available on Twitter.
Links:
Ropper: github.com/sashs/Ropper Twitter: twitter.com/MurmusCTF Github: github.com/murmusRadare 0-Days - Part 2 - Crash TriageMurmus CTF2020-09-09 | In this episode, we start going through the pile of crashes we got for our AFL fuzzing. It's a bit of a shorter episode due to getting interrupted by a sleeping baby, but we get to talk through a lot of the principals related to what exactly to do when you have 1000 crashes to go through.
If you appreciate these videos, you can support me over on Patreon: patreon.com/Murmus . I've got reward tiers there for everything from Monthly Newsletters (where I've been updating patrons on the project status), early access and music free videos, all of my notes and files from the project, or even hire me to do some consulting!Radare 0-Days - Part 1 - Building With InstrumentationMurmus CTF2020-08-26 | We're back hunting for some 0-days, this time in the Radare disassembler. In part one of this series, we pull down the source code, pick an attack surface, and get it built for fuzzing.
If you appreciate these videos, you can support me over on Patreon: patreon.com/Murmus . I've got reward tiers there for everything from Monthly Newsletters (where I've been updating patrons on the project status), early access and music free videos, all of my notes and files from the project, or even hire me to do some consulting!Rode0Day Fuzzing Competition - The Final ResultsMurmus CTF2019-07-23 | This is the final episode in our Rode0Day Fuzzing Competition series, at least for the May challenge. In this final episode, we get our fuzzers up and running against the 3rd target application, and do a bunch of troubleshooting to try and figure out why it is failing to run on the modified SQLite binary.
Thanks again everyone for taking the time to watch this series, and I definitely hope they've been entertaining and useful for everyone. I know I certainly enjoyed making them.
You've also got 1 more week until the end of the triaging competition, if you want to get a pile of eBook to triaging the crashes I got out of all of this fuzzing: github.com/murmus/Rode0TriageRode0Day Fuzzing Competition - Finally Fuzzing BinariesMurmus CTF2019-07-16 | In part 4 of the May Rode0Day Fuzzing competition, we finally get up and running fuzzing some binaries. After all the work we did in episode 3 only to have none of it work, being able to sit down and have things actually go my way in this episode was great. You can definitely hear in my voice at the start of this episode the lingering frustration at things not working.
You've also got 2 more weeks until the end of the triaging competition, if you want to get a pile of eBook to triaging the crashes I got out of all of this fuzzing: github.com/murmus/Rode0TriageRode0Day Fuzzing Competition - The Episode of FailuresMurmus CTF2019-07-09 | In part 3 of our 5 part series, we start on the task of fuzzing the binaries included in the competition. The targets distributed as source in Episode 1 were easy; compile with AFL and get your instrumentation. Now, we're trying to get that instrumentation on some targets that are binary only.
As we'll see in this episode, that's both somewhat tricky, given the performance costs, as well as something that requires paying attention to exactly what you're trying to do. I manage to get things set up twice, just about ready to start fuzzing, only realizing at the very end I've screwed things up and need to start all over again.
We're including this as part of the series because I think it's an important thing to show. It represents nearly 25% of the total time spent working on the May competition (potentially more, if you count the time spent building VMs off recording), so including these failures as part of the series means everyone watching gets a better idea of what actually went on.
And don't forget about the Triaging competition we're running through the end of the series (tentatively ending July 30th). If you're interested in triaging the crashes I got from this fuzzing, head over to the github repo I set up for it and enter the contest: github.com/murmus/Rode0Triage. We've still got all 3 Hacking 2.0 Humble eBook Bundles up for grabs for individuals who enter writeups and/or exploits for their triaging.Rode0Day Fuzzing - Ep2 - What to do with 100 fuzzing crashes?Murmus CTF2019-07-02 | In part 2 of our 5 part series, we've finally started getting crashes (roughly a dozen unique ones) out of AFL, and we need to start automating what to do with them. For the purposes of the Rode0Day competition, that's pretty easy: we just need to package them up and send them in to their submission API so that we can get crashes for all the bugs we find. In this episode, we build the first draft of our submission script, using a bunch of python+requests.
And don't forget about the Triaging competition we're running through the end of the series (tentatively ending July 30th). If you're interested in triaging the crashes I got from this fuzzing, head over to the github repo I set up for it and enter the contest: github.com/murmus/Rode0Triage. We've still got all 3 Hacking 2.0 Humble eBook Bundles up for grabs for individuals who enter writeups and/or exploits for their triaging.Rode0Day Fuzzing Competition - Episode 1 - Getting StartedMurmus CTF2019-06-25 | We're kicking off a new 5-part series of videos where I compete in the Rode0Day fuzzing competition. In this episode, we start things off by setting up AFL to fuzz a version of libjpeg that has several bugs injected into it.
At the end of the video, I'm also announcing a new competition I'll be running for the length of this series, with some Hacking 2.0 Humble eBook Bundles for prizes for participants. Make sure to stick around so that you too can join.Building a display for JPEG Fuzzing with AFLMurmus CTF2019-05-07 | In this episode, we build a some tools to take a look at the status of my ongoing attempts to fuzz for the Rode0Day competition. We build a bit of an OBS overlay, put together a web page to display some of the fuzzer outputs, and set up a monitoring script to watch for new crashes.Recording: ImageMagick CVE-2019-9956 Exploitation 2Murmus CTF2019-04-30 | In this episode, we pick back up and try to exploit the ImageMagick CVE we were looking at previously, including some RE with Ghidra, some more source diving, and a bit of gdb debugging.Recording: ImageMagick CVE-2019-9956 ExploitationMurmus CTF2019-04-02 | In this episode, we've got a recording of me working on validating a CVE in ImageMagick: CVE-2019-9956. It's a stack buffer overflow, and in this episode we go from the description and PoC to a built environment on two different Operating Systems, plus validating the crash and starting to do analysis of exploitability.Live Stream - VirtualBox Vulnerability Research #4Murmus CTF2019-03-19 | Support the stream: streamlabs.com/murmusctf In this episode, we're going to be using the test environment from episode 3 to hopefully start working on some VirtualBox CVE crashes.Live Stream - VirtualBox Vulnerability Research #3Murmus CTF2019-02-26 | Support the stream: streamlabs.com/murmusctf In this episode, we have a test environment (mostly) set up, and we'll be trying to get some crashes in virtualbox and try to land them.Stream Recording - VirtualBox Vulnerability Research #2Murmus CTF2019-02-12 | Support the stream: streamlabs.com/murmusctf In this episode, we'll be diving into more VirtualBox CVEs and learning about some of the interfaces exposed to a guest.Virtual Box #1 - The First Few CVEsMurmus CTF2019-02-11 | Starting off a new stream series, we took a look at some VirtualBox CVEs, to get an idea of what an exploitable vulnerability might look like. The purpose of this is to do, on stream, the initial research that would go into finding determining where in a target to look for bugs.
In particular, we set up an environment to look at the source code, and looked at CVE-2018-2698 - one of Niklas B's old bugs - and CVE-2019-2526.Garage Door Opener #2 - Finding new interfacesMurmus CTF2019-02-06 | In this recap video, we talk about part 2 of my streams trying to find bugs in my Garage Door Opener. We look at the web interface, do some nmap-ing, and even some dirbuster-ing.Stream Recording - VirtualBox Vulnerability Research #1Murmus CTF2019-02-06 | The start of a new series, we're taking a look at how to start looking for Vulnerabilities in a Pwn2Own target: VirtualBox. In the first stream, we started by getting a grip on the code base itself: pulling down the source code in a few different versions, finding a bunch of recent CVEs, and reading through a few of them to understand what we would be looking for in new vulnerabilities.
As a huge plus, we had NiklasB join us in the chat, who as someone who has quite a few VirtualBox CVEs to his name was a MASSIVE help in getting started.Stream Recording: Garage Door Opener Part 2 - Android app and the web interfaceMurmus CTF2019-02-01 | Support the stream: streamlabs.com/murmusctf This time around, we've finished up most of our attack surface analysis, and it's time to jump in and look at some of those areas. In the last stream, we found most of the surface looks like it will be through a web interface, so with it set up we'll look at it.Garage Door Opener #1 - Attack Surface AnalysisMurmus CTF2019-01-14 | This is the first recap video I've done for a single stream. While the streams are great for diving deep into the technical content, they're a lot of time to watch for not much in the way of information density. To help solve that, I put together this recap video going through all the important bits from the stream.Stream Recording: Garage Door Opener Part 1 - Attack Surface AnalysisMurmus CTF2019-01-08 | We're starting off the year by figuring out just how bad some IoT devices actually are. The first of these is going to be the Garage Door Opener that came with my house, and to start that off we'll be doing some proper attack surface analysis to find out what all it's actually doing.Stream Solving: NumbersMurmus CTF2018-10-02 | ...Livestream Binary Analysis MicroservicesMurmus CTF2018-06-05 | Docker, python, and binja, Oh MY!Live Stream: Exploit Payload Development #3Murmus CTF2018-04-24 | For the next few streams, we'll be writing a set of payloads for some x86_64 Linux exploitation. In this episode, that'll be building a stage-0 for it: a payload optimized for size that sets up a socket back to a python backend. If we have time, we'll start writing a crypto layer for it.Live Stream: Exploit Payload Development #2Murmus CTF2018-04-17 | For the next few streams, we'll be writing a set of payloads for some x86_64 Linux exploitation. In this episode, that'll be building a stage-0 for it: a payload optimized for size that sets up a socket back to a python backend. If we have time, we'll start writing a crypto layer for it.Live Stream: Exploit Payload Development #1Murmus CTF2018-04-03 | For the next few streams, we'll be writing a set of payloads for some x86_64 Linux exploitation. In this episode, that'll be building a stage-0 for it: a payload optimized for size that sets up a socket back to a python backend. If we have time, we'll start writing a crypto layer for it.Stream Recording: Ubuntu TCache Pwnable DevelopmentMurmus CTF2018-03-13 | Building a CTF pwnable challenge using the new Ubuntu Thread local cache heap implementation. We take a fairly hacker-y approach to it: I vaguely knew how the TCache worked, and that it was different from the older free bins implementations, so we just banged out code and made something that worked.
@str8outtaheap did a good writeup about some of the specifics of how it works, if you want to brush up on the specifics of how it actually works: 0x00sec.org/t/heap-safari-thread-local-caching/5054Live Stream: Civilization 6 Lua Interpreter Bug Hunting #3Murmus CTF2018-01-24 | Function hooking, to start with. Hopefully a working debugger after we can use one.Stream Recording: Civilization 6 Lua Interpreter Bug Hunting #2Murmus CTF2018-01-10 | We'll be continuing our work trying to find bugs in the Civ6 Lua interpreter.Recorded Stream: Civilization 6 Lua Interpreter Bug HuntingMurmus CTF2018-01-04 | We're kicking off 2018 in style: hunting for bugs in the Civilization 6 Lua interpreter. This interpreter is one of the way custom mods are written, and is apparently buggy enough they warn "improper use may cause crashes," so we'll be hunting for a way to get arbitrary code execution.Livestream Recording: Modern WebDev for hackersMurmus CTF2017-11-30 | We're finally diving into building a real web frontend for crash analysis. We'll be using Flask for our backend, serving up a JSON API, and using React+some sort of CSS frontend (probably defaulting to Bootstrap, but may try out Foundation).Live stream: Fuzzer Web DevMurmus CTF2017-11-09 | ...Live Stream: More fuzzer developmentMurmus CTF2017-10-25 | ...Live Stream: Building a Streamable FuzzerMurmus CTF2017-10-11 | We're extending the initial work for "Always Be Fuzzing" from previous streams, since my hardware will hopefully be in soon to have that running full time.Live Stream: IE 5.5 Crash Dump AnalysisMurmus CTF2017-10-04 | After running a couple different fuzzers, we have some minidumps from IE 5.5 to go through. We'll start off the stream digging through those looking for interesting things.
Depending on time and how much is interesting, we'll continue by either going back to the Lua pwnable library or improving the fuzzing setup, or potentially a surprise new topic.Stream Recording: Lua CTF Challenge Writing and IE 5.5 Bug FindingMurmus CTF2017-09-21 | Today we'll be doing the first of the dual topic streams. We'll start out by writing some wrappers for the Lua C bindings to make it easier to write Pwnable CTF challenges, and then at some point transition back to doing some IE 5.5 bug finding.CTF Tips: Bespoke Gadgets for PwnablesMurmus CTF2017-09-10 | Better late than never, here is this week's video with a simple method for doing ctf exploitation: the bespoke gadget. We dig into both the history of the bespoke gadgets, as well as how to find them and why they fail.
Towards the end, we start up an old fuzzer by lcamtuf that *isn't* AFL, and let it run against IE.Stream Recordings: Old School Vulns: IE 5.5 bug hunting #4Murmus CTF2017-09-04 | After quite a long break, we're going to be going back to hunting for some IE 5.5 vulnerabilities, this time trying to set up a Windows XP environment with it.Stream Recording: Windows 95 Bug Finding #3 - Crash AnalysisMurmus CTF2017-08-15 | In this episode, we get ollydbg up and running, and take a look at the crash we have.
Spoiler alert: unfortunately, at the end of the stream I come to the conclusion that this particular crash is probably non-exploitable.Stream Recording: Windows 95 Bug Finding #2 - Testing IE 5.5Murmus CTF2017-08-10 | Now that we have a VM up and running, we're going to go after some old-school Windows 95 bugs, starting with landing an exploit for IE 5.5.Stream Recording: Windows 95 Bug Finding #1 - SetupMurmus CTF2017-08-08 | Going to be setting up a test environment to start looking for Windows 95 "0-day"Stream Recording: Intel CPU Errata analysis #7Murmus CTF2017-07-25 | In the final episode of the series, we finally got the code working to test the SKL150 bug and made it repro.Stream Recording: Intel CPU Errata analysis #6Murmus CTF2017-07-20 | In this episode, we finally got all the code working an triggered the CPU errata from assembly.Stream Recording: Intel CPU Errata analysis #5Murmus CTF2017-07-13 | A short, aborted stream. Technical difficulties meant this was cut short at only half an hour.Stream Recording: Intel CPU Errata analysis #4Murmus CTF2017-07-11 | ...Stream Recording: Intel CPU Errata analysis #3Murmus CTF2017-07-04 | I got the ocaml PoC reproducing, so we'll be building a test harness to get cores out of that and trying to dig in and find out what we were doing wrong.Stream Recording: Intel CPU Errata analysis #2Murmus CTF2017-06-29 | ...Stream Recording: Intel CPU Errata analysis #1Murmus CTF2017-06-27 | The debian report: lists.debian.org/debian-devel/2017/06/msg00308.html
The oCAML report: https://caml.inria.fr/mantis/view.php?id=7452Stream Recording: numpy 0-day hunting with custom fuzzer #8Murmus CTF2017-06-13 | In this episode, we'll be trying to write a patch to fix the vulnerability we exploited in all the other episodes.Stream Recording: numpy 0-day hunting with custom fuzzer #7Murmus CTF2017-06-08 | Tonight we should be landing our exploit. The plan is to start by diving into the way python objects get represented on the heap, and hopefully turning a string into something much more useful.