<html lang="en">

<head>

<meta charset="utf-8">

<title>Diary of a reverse-engineer</title>

<meta name="viewport" content="width=device-width, initial-scale=1.0">

<meta name="description" content="">

<meta name="author" content="Axel '0vercl0k' Souchet">

<link rel="stylesheet" href="./theme/css/bootstrap.min.css" type="text/css" />

<style type="text/css">

body {

padding-top: 60px;

padding-bottom: 40px;

}

.sidebar-nav {

padding: 9px 0;

}

.tag-1 {

font-size: 13pt;

}

.tag-2 {

font-size: 10pt;

}

.tag-2 {

font-size: 8pt;

}

.tag-4 {

font-size: 6pt;

}

</style>

<link href="./theme/css/bootstrap-responsive.min.css" rel="stylesheet" />

<link href="./theme/css/font-awesome.css" rel="stylesheet" />

<link href="./theme/css/pygments.css" rel="stylesheet" />

<!--[if lt IE 9]>

<link href="./feeds/atom.xml" type="application/atom+xml" rel="alternate" title="Diary of a reverse-engineer ATOM Feed" />

<link href="./feeds/rss.xml" type="application/atom+xml" rel="alternate" title="Diary of a reverse-engineer RSS Feed" />

<script async src='https://www.googletagmanager.com/gtag/js?id=G-MRPDMQ259W'></script>

window.dataLayer = window.dataLayer || [];

function gtag(){dataLayer.push(arguments);}

gtag('js', new Date());

gtag('config', 'G-MRPDMQ259W');

</head>

<body>

<div class="navbar navbar-fixed-top">

<div class="navbar-inner">

<div class="container-fluid">

<a class="btn btn-navbar" data-toggle="collapse" data-target=".nav-collapse">

<span class="icon-bar"></span>

<span class="icon-bar"></span>

<span class="icon-bar"></span>

</a>

<a class="brand" href="./index.html">Diary of a reverse-engineer </a>

<div class="nav-collapse">

<ul class="nav">

<ul class="nav">

<li><a href="./archives.html"><i class="icon-th-list"></i>Archives</a></li>

</ul>

<li >

<a href="./category/debugging.html">

<i class="icon-folder-open icon-large"></i>debugging

</a>

</li>

<li >

<a href="./category/exploitation.html">

<i class="icon-folder-open icon-large"></i>exploitation

</a>

</li>

<li >

<a href="./category/misc.html">

<i class="icon-folder-open icon-large"></i>misc

</a>

</li>

<li >

<a href="./category/obfuscation.html">

<i class="icon-folder-open icon-large"></i>obfuscation

</a>

</li>

<li >

<a href="./category/reverse-engineering.html">

<i class="icon-folder-open icon-large"></i>reverse-engineering

</a>

</li>

<li><a href="./pages/about.html">About</a></li>

<li><a href="./pages/presentations.html">Presentations</a></li>

</ul>

</div><!--/.nav-collapse -->

</div>

</div>

</div>

<div class="container-fluid">

<div class="row">

<div class="span9" id="content">

<div class="article">

<h1><a href="./blog/2023/05/05/competing-in-pwn2own-ics-2022-miami-exploiting-a-zero-click-remote-memory-corruption-in-iconics-genesis64/">Competing in Pwn2Own ICS 2022 Miami: Exploiting a zero click remote memory corruption in ICONICS Genesis64</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2023-05-05T08:00:00-07:00">

<i class="icon-calendar"></i>Fri 05 May 2023

<span class="label">By</span>

<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>

<span class="label">Category</span>

<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>

<span class="label">Tags</span>

<a href="./tag/pwn2own-miami.html"><i class="icon-tag"></i>Pwn2Own Miami</a>

<a href="./tag/pwn2own-2022.html"><i class="icon-tag"></i>Pwn2Own 2022</a>

<a href="./tag/ics.html"><i class="icon-tag"></i>ICS</a>

<a href="./tag/paracosme.html"><i class="icon-tag"></i>Paracosme</a>

<a href="./tag/iconics.html"><i class="icon-tag"></i>ICONICS</a>

<a href="./tag/iconics-genesis64.html"><i class="icon-tag"></i>ICONICS Genesis64</a>

<a href="./tag/genesis64.html"><i class="icon-tag"></i>Genesis64</a>

<a href="./tag/0-click-remote-code-execution.html"><i class="icon-tag"></i>0-click remote code execution</a>

<a href="./tag/cve-2022-33318.html"><i class="icon-tag"></i>CVE-2022-33318</a>

<a href="./tag/zdi-22-1041.html"><i class="icon-tag"></i>ZDI-22-1041</a>

<a href="./tag/icsa-22-202-04.html"><i class="icon-tag"></i>ICSA-22-202-04</a>

<a href="./tag/genbroker64exe.html"><i class="icon-tag"></i>GenBroker64.exe</a>

<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>

<a href="./tag/memory-corruption.html"><i class="icon-tag"></i>memory-corruption</a>

<div class="summary"><h1 id="introduction">🧾 Introduction</h1>

<p>After participating in Pwn2Own Austin in 2021 and failing to land my <a href="https://github.com/0vercl0k/zenith">remote kernel exploit Zenith</a> (which you can read about <a href="https://doar-e.github.io/blog/2022/03/26/competing-in-pwn2own-2021-austin-icarus-at-the-zenith/">here</a>), I was eager to try again. It is fun and forces me to look at things I would never have looked at otherwise. The one thing I …</p>

<a class="btn primary xsmall" href="./blog/2023/05/05/competing-in-pwn2own-ics-2022-miami-exploiting-a-zero-click-remote-memory-corruption-in-iconics-genesis64/">more ...</a>

</div>

</div>

<hr />

<div class="article">

<h1><a href="./blog/2022/06/11/pwn2own-2021-canon-imageclass-mf644cdw-writeup/">Pwn2Own 2021 Canon ImageCLASS MF644Cdw writeup</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2022-06-11T08:00:00-07:00">

<i class="icon-calendar"></i>Sat 11 June 2022

<span class="label">By</span>

<a href="./author/nicolas-nk-devillers-jean-romain-jromaing-garnier-raphael-_trou_-rigo.html"><i class="icon-user"></i>Nicolas "NK" Devillers & Jean-Romain "JRomainG" Garnier & Raphaël "_trou_" Rigo</a>

<span class="label">Category</span>

<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>

<span class="label">Tags</span>

<a href="./tag/pwn2own-austin.html"><i class="icon-tag"></i>Pwn2Own Austin</a>

<a href="./tag/printers.html"><i class="icon-tag"></i>printers</a>

<a href="./tag/canon.html"><i class="icon-tag"></i>canon</a>

<a href="./tag/mf644cdw.html"><i class="icon-tag"></i>MF644Cdw</a>

<a href="./tag/imageclass.html"><i class="icon-tag"></i>ImageCLASS</a>

<a href="./tag/cve-2022-24674.html"><i class="icon-tag"></i>CVE-2022-24674</a>

<a href="./tag/zdi-22-516.html"><i class="icon-tag"></i>ZDI-22-516</a>

<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>

<a href="./tag/memory-corruption.html"><i class="icon-tag"></i>memory-corruption</a>

<div class="summary"><h1 id="introduction">Introduction</h1>

<p><a href="https://www.zerodayinitiative.com/blog/2021/8/11/pwn2own-austin-2021-phones-printers-nas-and-more">Pwn2Own Austin 2021</a> was announced in August 2021 and introduced new categories, including printers. Based on our previous experience with printers, we decided to go after one of the three models. Among those, the <a href="https://www.usa.canon.com/internet/portal/us/home/products/details/printers/color-laser/color-imageclass-mf644cdw">Canon ImageCLASS MF644Cdw</a> seemed like the most interesting target: previous research was limited (mostly targeting …</p>

<a class="btn primary xsmall" href="./blog/2022/06/11/pwn2own-2021-canon-imageclass-mf644cdw-writeup/">more ...</a>

</div>

</div>

<hr />

<div class="article">

<h1><a href="./blog/2022/03/26/competing-in-pwn2own-2021-austin-icarus-at-the-zenith/">Competing in Pwn2Own 2021 Austin: Icarus at the Zenith</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2022-03-26T08:00:00-07:00">

<i class="icon-calendar"></i>Sat 26 March 2022

<span class="label">By</span>

<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>

<span class="label">Category</span>

<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>

<span class="label">Tags</span>

<a href="./tag/pwn2own-austin.html"><i class="icon-tag"></i>Pwn2Own Austin</a>

<a href="./tag/pwn2own.html"><i class="icon-tag"></i>Pwn2Own</a>

<a href="./tag/routers.html"><i class="icon-tag"></i>routers</a>

<a href="./tag/tp-link.html"><i class="icon-tag"></i>TP-Link</a>

<a href="./tag/archer-c7.html"><i class="icon-tag"></i>Archer C7</a>

<a href="./tag/tp-link-archer-c7-v5.html"><i class="icon-tag"></i>TP-Link Archer C7 V5</a>

<a href="./tag/zenith.html"><i class="icon-tag"></i>Zenith</a>

<a href="./tag/remote-kernel.html"><i class="icon-tag"></i>remote kernel</a>

<a href="./tag/netusb.html"><i class="icon-tag"></i>NetUSB</a>

<a href="./tag/cve-2022-24354.html"><i class="icon-tag"></i>CVE-2022-24354</a>

<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>

<a href="./tag/memory-corruption.html"><i class="icon-tag"></i>memory-corruption</a>

<div class="summary"><h1 id="introduction">Introduction</h1>

<p>In 2021, I finally spent some time looking at a consumer router I had been using for years. It started as a weekend project to look at something a bit different from what I was used to. On top of that, it was also a good occasion to play …</p>

<a class="btn primary xsmall" href="./blog/2022/03/26/competing-in-pwn2own-2021-austin-icarus-at-the-zenith/">more ...</a>

</div>

</div>

<hr />

<div class="article">

<h1><a href="./blog/2021/07/15/building-a-new-snapshot-fuzzer-fuzzing-ida/">Building a new snapshot fuzzer & fuzzing IDA</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2021-07-15T08:00:00-07:00">

<i class="icon-calendar"></i>Thu 15 July 2021

<span class="label">By</span>

<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>

<span class="label">Category</span>

<a href="./category/misc.html"><i class="icon-folder-open"></i>misc</a>

<span class="label">Tags</span>

<a href="./tag/ida.html"><i class="icon-tag"></i>IDA</a>

<a href="./tag/bug-bounty.html"><i class="icon-tag"></i>bug-bounty</a>

<a href="./tag/snapshot-fuzzing.html"><i class="icon-tag"></i>snapshot fuzzing</a>

<a href="./tag/kvm.html"><i class="icon-tag"></i>kvm</a>

<a href="./tag/winhv.html"><i class="icon-tag"></i>winhv</a>

<a href="./tag/whv.html"><i class="icon-tag"></i>whv</a>

<a href="./tag/bochs.html"><i class="icon-tag"></i>bochs</a>

<a href="./tag/fuzzing.html"><i class="icon-tag"></i>fuzzing</a>

<a href="./tag/bochscpu.html"><i class="icon-tag"></i>bochscpu</a>

<div class="summary"><h1 id="introduction">Introduction</h1>

<p>It is January 2020 and it is this time of the year where I try to set goals for myself. I had just come back from spending Christmas with my family in France and felt fairly recharged. It always is an exciting time for me to think and plan …</p>

<a class="btn primary xsmall" href="./blog/2021/07/15/building-a-new-snapshot-fuzzer-fuzzing-ida/">more ...</a>

</div>

</div>

<hr />

<div class="article">

<h1><a href="./blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/">Reverse-engineering tcpip.sys: mechanics of a packet of the death (CVE-2021-24086)</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2021-04-15T08:00:00-07:00">

<i class="icon-calendar"></i>Thu 15 April 2021

<span class="label">By</span>

<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>

<span class="label">Category</span>

<a href="./category/reverse-engineering.html"><i class="icon-folder-open"></i>reverse-engineering</a>

<span class="label">Tags</span>

<a href="./tag/tcpipsys.html"><i class="icon-tag"></i>tcpip.sys</a>

<a href="./tag/cve-2021-24086.html"><i class="icon-tag"></i>CVE-2021-24086</a>

<a href="./tag/ipv6preassembledatagram.html"><i class="icon-tag"></i>Ipv6pReassembleDatagram</a>

<a href="./tag/fragmentation.html"><i class="icon-tag"></i>fragmentation</a>

<a href="./tag/recursive-fragmentation.html"><i class="icon-tag"></i>recursive-fragmentation</a>

<div class="summary"><h1 id="introduction">Introduction</h1>

<p>Since the beginning of my journey in computer security I have always been amazed and fascinated by <em>true</em> remote vulnerabilities. By <em>true</em> remotes, I mean bugs that are triggerable remotely without any user interaction. Not even a single click. As a result I am always on the lookout for …</p>

<a class="btn primary xsmall" href="./blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/">more ...</a>

</div>

</div>

<hr />

<div class="article">

<h1><a href="./blog/2020/11/17/modern-attacks-on-the-chrome-browser-optimizations-and-deoptimizations/">Modern attacks on the Chrome browser : optimizations and deoptimizations</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2020-11-17T00:00:00-08:00">

<i class="icon-calendar"></i>Tue 17 November 2020

<span class="label">By</span>

<a href="./author/jeremy-__x86-fetiveau.html"><i class="icon-user"></i>Jeremy "@__x86" Fetiveau</a>

<span class="label">Category</span>

<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>

<span class="label">Tags</span>

<a href="./tag/chrome.html"><i class="icon-tag"></i>chrome</a>

<a href="./tag/v8.html"><i class="icon-tag"></i>v8</a>

<a href="./tag/turbofan.html"><i class="icon-tag"></i>turbofan</a>

<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>

<div class="summary"><h2 id="introduction">Introduction</h2>

<p>Late 2019, I presented at an internal Azimuth Security conference some work on hacking Chrome through it's JavaScript engine. </p>

<p>One of the topics I've been playing with at that time was deoptimization and so I discussed, among others, vulnerabilities in the deoptimizer. For my talk at <a href="https://www.infiltratecon.com/conference/briefings/attacking-chrome-in-2020-a-journey-through-v8s-optimizing-compiler.html">InfiltrateCon 2020</a> in …</p>

<a class="btn primary xsmall" href="./blog/2020/11/17/modern-attacks-on-the-chrome-browser-optimizations-and-deoptimizations/">more ...</a>

</div>

</div>

<hr />

<div class="article">

<h1><a href="./blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/">A journey into IonMonkey: root-causing CVE-2019-9810.</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2019-06-17T08:00:00-07:00">

<i class="icon-calendar"></i>Mon 17 June 2019

<span class="label">By</span>

<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>

<span class="label">Category</span>

<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>

<span class="label">Tags</span>

<a href="./tag/ion.html"><i class="icon-tag"></i>ion</a>

<a href="./tag/ionmonkey.html"><i class="icon-tag"></i>ionmonkey</a>

<a href="./tag/spidermonkey.html"><i class="icon-tag"></i>spidermonkey</a>

<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>

<a href="./tag/firefox.html"><i class="icon-tag"></i>firefox</a>

<div class="summary"><h1 id="a-journey-into-ionmonkey-root-causing-cve-2019-9810">A journey into IonMonkey: root-causing CVE-2019-9810.</h1>

<h2 id="introduction">Introduction</h2>

<p>In May, I wanted to play with <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt">BigInt</a> and evaluate how I could use them for browser exploitation. The exploit I wrote for the <a href="https://github.com/0vercl0k/blazefox">blazefox</a> relied on a Javascript library developed by <a href="https://twitter.com/5aelo">@5aelo</a> that allows code to manipulate 64-bit integers. Around the same …</p>

<a class="btn primary xsmall" href="./blog/2019/06/17/a-journey-into-ionmonkey-root-causing-cve-2019-9810/">more ...</a>

</div>

</div>

<hr />

<div class="article">

<h1><a href="./blog/2019/05/09/circumventing-chromes-hardening-of-typer-bugs/">Circumventing Chrome's hardening of typer bugs</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2019-05-09T08:00:00-07:00">

<i class="icon-calendar"></i>Thu 09 May 2019

<span class="label">By</span>

<a href="./author/jeremy-__x86-fetiveau.html"><i class="icon-user"></i>Jeremy "__x86" Fetiveau</a>

<span class="label">Category</span>

<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>

<span class="label">Tags</span>

<a href="./tag/v8.html"><i class="icon-tag"></i>v8</a>

<a href="./tag/turbofan.html"><i class="icon-tag"></i>turbofan</a>

<a href="./tag/chrome.html"><i class="icon-tag"></i>chrome</a>

<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>

<div class="summary"><h1 id="introduction">Introduction</h1>

<p>Some <a href="http://eternalsakura13.com/2018/11/19/justintime/">recent</a> <a href="https://abiondo.me/2019/01/02/exploiting-math-expm1-v8">Chrome</a> <a href="https://www.jaybosamiya.com/blog/2019/01/02/krautflare/">exploits</a> were taking advantage of <a href="https://en.wikipedia.org/wiki/Bounds-checking_elimination">Bounds-Check-Elimination</a> in order to get a R/W primitive from a TurboFan's typer bug (a bug that incorrectly computes type information during code optimization). Indeed during the simplified lowering phase when visiting a CheckBounds node if the engine can guarantee that …</p>

<a class="btn primary xsmall" href="./blog/2019/05/09/circumventing-chromes-hardening-of-typer-bugs/">more ...</a>

</div>

</div>

<hr />

<div class="article">

<h1><a href="./blog/2019/01/28/introduction-to-turbofan/">Introduction to TurboFan</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2019-01-28T08:00:00-08:00">

<i class="icon-calendar"></i>Mon 28 January 2019

<span class="label">By</span>

<a href="./author/jeremy-__x86-fetiveau.html"><i class="icon-user"></i>Jeremy "__x86" Fetiveau</a>

<span class="label">Category</span>

<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>

<span class="label">Tags</span>

<a href="./tag/v8.html"><i class="icon-tag"></i>v8</a>

<a href="./tag/turbofan.html"><i class="icon-tag"></i>turbofan</a>

<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>

<div class="summary"><h1 id="introduction">Introduction</h1>

<p>Ages ago I wrote a blog post here called <a href="https://doar-e.github.io/blog/2014/03/11/first-dip-into-the-kernel-pool-ms10-058/">first dip in the kernel pool</a>, this year we're going to swim in a sea of nodes!</p>

<p>The current trend is to attack JavaScript engines and more specifically, optimizing JIT compilers such as <a href="https://v8.dev/">V8</a>'s <a href="https://v8.dev/docs/turbofan">TurboFan</a>, SpiderMonkey's IonMonkey, JavaScriptCore's Data …</p>

<a class="btn primary xsmall" href="./blog/2019/01/28/introduction-to-turbofan/">more ...</a>

</div>

</div>

<hr />

<div class="article">

<h1><a href="./blog/2018/11/19/introduction-to-spidermonkey-exploitation/">Introduction to SpiderMonkey exploitation.</a></h1>

<div class="well small"><footer class="post-info">

<span class="label">Date</span>

<abbr class="published" title="2018-11-19T08:25:00-08:00">

<i class="icon-calendar"></i>Mon 19 November 2018

<span class="label">By</span>

<a href="./author/axel-0vercl0k-souchet.html"><i class="icon-user"></i>Axel "0vercl0k" Souchet</a>

<span class="label">Category</span>

<a href="./category/exploitation.html"><i class="icon-folder-open"></i>exploitation</a>

<span class="label">Tags</span>

<a href="./tag/spidermonkey.html"><i class="icon-tag"></i>spidermonkey</a>

<a href="./tag/blazefox.html"><i class="icon-tag"></i>blazefox</a>

<a href="./tag/exploitation.html"><i class="icon-tag"></i>exploitation</a>

<a href="./tag/windows.html"><i class="icon-tag"></i>windows</a>

<a href="./tag/ttd.html"><i class="icon-tag"></i>ttd</a>

<div class="summary"><h1 id="introduction">Introduction</h1>

<p>This blogpost covers the development of three exploits targeting SpiderMonkey JavaScript Shell interpreter and Mozilla Firefox on Windows 10 RS5 64-bit from the perspective of somebody that has never written a browser exploit nor looked closely at any JavaScript engine codebase.</p>

<p>As you have probably noticed, there has been …</p>

<a class="btn primary xsmall" href="./blog/2018/11/19/introduction-to-spidermonkey-exploitation/">more ...</a>

</div>

</div>

<hr />

<div class="pagination">

<ul>

<li class="prev disabled"><a href="#">&larr; Previous</a></li>

<li class="active"><a href="./index.html">1</a></li>

<li class=""><a href="./index2.html">2</a></li>

<li class=""><a href="./index3.html">3</a></li>

<li class="next"><a href="./index2.html">Next &rarr;</a></li>

</ul>

</div>

</div><!--/span-->

</div><!--/row-->

<hr>

<footer style='background-color:#00000000'>

<center>

<address id="about">

Proudly powered by <a href="http://pelican.notmyidea.org/">Pelican <i class="icon-external-link"></i></a>,

which takes great advantage of <a href="http://python.org">Python <i class="icon-external-link"></i></a>.

</address><!-- /#about -->

<p>The theme is from <a href="http://twitter.github.com/bootstrap/">Bootstrap from Twitter <i class="icon-external-link"></i></a>,

and <a href="http://fortawesome.github.com/Font-Awesome/">Font-Awesome <i class="icon-external-link"></i></a>, thanks!</p>

</center>

</footer>

</div><!--/.fluid-container-->

<script src="./theme/js/jquery-1.7.2.min.js"></script>

<script src="./theme/js/bootstrap.min.js"></script>

</body>