By David Buchanan, 7th October 2024 Spoiler alert: Yes. the elite hacking tool they don't want you to know you already own Before you can write an exploit, you need a bug. When there are no bugs, we have to get creative—that's where Fault Injection comes in. Fault injection can take many forms, including software-controlled data...
By David Buchanan, 16th July 2024 I assume by now that most people have heard of the Rabbit R1. Critics unanimously agree
By David Buchanan, 4th January 2024 First of all, this article is an exercise in recreational "because I can" programming. If you just want to make your Python code go fast, this is perhaps not the article for you. And perhaps Python is not the language you want, either! By the end, I'll explain how I implemented Game of Life in pure Python (plus pysdl2...
By David Buchanan, 2nd January 2024 This is a rant. You have been warned! I'd like text editors to be worse. Specifically, I'd like their default behaviour to be as close as possible to the median text input box you'd find in any piece of software, like the humble HTML <textarea>. More realistically, I'd like a configuration preset that lets me opt in to the same, without having to hunt for a thousand...
By David Buchanan, 31st December 2023 ...or at least, it will be for mine! Social media platforms come and go, but the one constant for me has been my blog. Same domain. Same URLs. Almost the same web design. It's been here since I started writing in 2018, and for that year I updated it regularly with CTF write-ups. Between 2019 and 2022 however, I neglected it, with only 2 posts for the whole duration. The "death" of my blog was...
By David Buchanan, 27th December 2023 Signing JSON sucks. Don't do it. But if you must, you have two main options: Serialize your JSON to bytes, sign the bytes, and transmit the bytes+signature. Serialize your JSON to a canonical byte representation, sign those bytes, and transmit your JSON+signature. 1 is the most straight-forward option, but now you need to ship those bytes around...
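An added example (not code from the post or from David Buchanan) that shows both options side by side and the failure mode that makes option 1 fragile: sign the bytes and the signature only verifies over those exact bytes, so any intermediary that re-serializes the JSON breaks it; canonicalize first and the signature survives re-serialization, but now verification depends on both parties parsing the text into the same object. The HMAC key, the toy canonical form (sorted keys, no whitespace, floats rejected) and the sample document are all constructed for the demo; the canonicalizer is deliberately not RFC 8785/JCS.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real system would use a public-key signature
# scheme rather than a shared HMAC secret; the JSON problems are the same.
DEMO_KEY = b"demo-key-not-a-real-secret"


def sign_bytes(data: bytes) -> str:
    """Option 1: sign exactly the bytes you will transmit."""
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()


def verify_bytes(data: bytes, sig: str) -> bool:
    """Option 1 verification: only the original bytes will match."""
    return hmac.compare_digest(sign_bytes(data), sig)


def canonicalize(obj) -> bytes:
    """Option 2: a toy canonical encoding (sorted keys, no whitespace, UTF-8).

    Floats are rejected on purpose: "1.0" vs "1" vs "1e0" is exactly the kind
    of thing a real canonical form (e.g. RFC 8785) has to pin down, and this
    toy does not attempt to.
    """
    def check(o):
        if isinstance(o, float):
            raise ValueError("floats have no canonical form in this toy")
        if isinstance(o, dict):
            for k, v in o.items():
                if not isinstance(k, str):
                    raise ValueError("non-string keys are not JSON")
                check(v)
        elif isinstance(o, list):
            for v in o:
                check(v)
    check(obj)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_canonical(obj) -> str:
    return sign_bytes(canonicalize(obj))


def verify_canonical(obj, sig: str) -> bool:
    return verify_bytes(canonicalize(obj), sig)


def is_unambiguous(text: str) -> bool:
    """Option 2 caveat: the signature covers the *parsed* object, so the
    parser must be deterministic. Duplicate keys are the classic trap: the
    Python json module keeps the last value, other parsers keep the first,
    so two verifiers could canonicalize different objects from the same text.
    Reject such documents before trusting any signature over them."""
    def no_dupes(pairs):
        keys = [k for k, _ in pairs]
        if len(keys) != len(set(keys)):
            raise ValueError("duplicate key")
        return dict(pairs)
    try:
        json.loads(text, object_pairs_hook=no_dupes)
    except ValueError:
        return False
    return True


def demo():
    """Returns (option-1 survives re-serialization?, option-2 survives?)."""
    doc = {"user": "alice", "amount": 100, "note": "héllo"}   # constructed
    original = json.dumps(doc).encode()                        # as sent
    reserialized = json.dumps(doc, indent=2, sort_keys=True).encode()  # after a proxy

    sig_bytes = sign_bytes(original)
    bytes_ok = verify_bytes(reserialized, sig_bytes)           # False

    sig_canon = sign_canonical(json.loads(original))
    canon_ok = verify_canonical(json.loads(reserialized), sig_canon)  # True
    return bytes_ok, canon_ok


if __name__ == "__main__":
    print("option 1 / option 2 survive re-serialization:", demo())
    print('{"a":1,"a":2} unambiguous?', is_unambiguous('{"a":1,"a":2}'))
```

The point of `is_unambiguous` is that canonicalization moves the trust boundary from "did the bytes change?" to "do both sides agree on what the bytes mean?", and duplicate keys, float formatting, large integers and unpaired surrogates are all places where real parsers disagree.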
By David Buchanan, 26th December 2023 In my previous blog post, I mentioned some big-O notation and simple math expressions like 2^64. My blog engine didn't have proper math syntax support, so I was stuck writing things like 2<sup>64</sup>, and leaving my big-O functions in plaintext, e.g. O(n log n). Not anymore! After a very simple patch to my markdown renderer, I can now write 2^64 as...
By David Buchanan, 18th December 2023 At this point, it's well known that hash functions like MD5 and SHA1 have cryptographic weaknesses, allowing collisions (a pair of distinct inputs that produce identical outputs) to be engineered using much less computation than the designers...
By David Buchanan, 28th September 2023 If you don't live under a rock, you might've heard of Bluesky, a decentralised social microblogging app built on top of the AT Protocol. In early June 2023, I identified a vulnerability in Bluesky's core user identity mechanism, did:plc, which allowed me to modify the identity information...
By David Buchanan, 13th September 2023 I've been thinking I should do more "short form" blogging. Something between microblogging and regular blogging. This is me doing that! Anyway, I was thinking about ways to visualise the year 2038 problem, and this is what I came up with: https://retr0.id/stuff/2038/ (go check it out, it looks much better in motion) It's pretty...
By David Buchanan, 18th March 2023 This article assumes you’ve already heard about the aCropalypse vulnerability, aka CVE-2023-21036. If not, go read about it here (oops, this page doesn't exist yet. Read this tweet in the meantime). For me, it all started with the following...
By David Buchanan, 9th March 2023 "do not violate the DMCA challenge 2023" Note: If you're here because you just want to watch Netflix on Asahi, install this (Edit: for Arch users, grab this. Fedora users can install the
By David Buchanan, 16th January 2023 PNG is my favourite file format of all time. Version 1.0 of the specification was released in 1996 (before I was born!) and the format remains widely used to this day. I think the main reasons it stuck around for so long are: It's "Good enough" at lossless image compression. It builds on existing technologies...
Retr0id's journey to a 20-byte emulator escape. 2022-07-30 Late one night, I read the Binary Golf Grand Prix 3 announcement, and was immediately itching to get started. In summary, the challenge is to create the shortest input file that crashes a program of your choice. Bonus points are awarded for: ○ +1024 pts, if you submit a writeup about your process and ...
By David Buchanan, 28th December 2021 This is a writeup for my latest WebOS local root exploit chain, which I'm calling WAMpage. I'm very proud of it, and very impatient, which is why I'm dropping it as an 0day so I can show it off ASAP. A screenshot of the exploit in action This exploit is mainly of interest to other researchers - if you just want...
By David Buchanan, 30th December 2018 The challenge provided the following files: dist/ dist/server.py dist/Collection.cpython-36m-x86_64-linux-gnu.so dist/test.py dist/python3.6 dist/libc-2.27.so server.py is a python script which accepts some user input. It also opens the flag for you and uses dup2 to duplicate the file descriptor to fd 1023. Then, it executes your input with the provided...
By David Buchanan, 15th April 2018 Apparently I was the only person to solve this challenge, which genuinely surprised me - It really isn't that hard! But since I was the only solver, I guess I have to do a writeup now... jay-peg - 400pts https://drive.google.com/file/d/1qIe4QkUBzXKmFeqEwIVodFp3h2pb-umd/view?usp=sharing Hint: Parity made by awg Here's the image: Note,...
By David Buchanan, 15th April 2018 Forker was a series of 4 challenges, each with minor changes. Here's a summary: Forker1: Linux x86-64, basic stack smash, no NX, no ASLR, no PIE, no stack canary Forker2: NX on, ASLR on, stack canary on Forker3: PIE on Forker4: No binary or libc provided Just a quick note, the points given for each challenge were higher than most CTFs.
By David Buchanan, 13th April 2018 The only information provided with this challenge was an IP address and port number. No binaries to download! Of course, my first idea was to use netcat to see what it did. $ nc 47.75.182.113 9999 hello hello %08x 00000000 Typing hello just resulted in the same input being echoed back. There's only a limited number of possibilities for this kind of challenge, so I thought I'd check if...
By David Buchanan, 3rd April 2018 There were two files provided with the challenge: babystack, a 32-bit dynamically linked Linux ELF binary, stripped of symbols. pow.py, a simple python program which wraps babystack, requiring a proof-of-work calculation to be performed, and also ensuring that only 0x100 bytes of input can be sent to the program, in a single...
By David Buchanan, 7th January 2018 Disclaimer: No exciting VM escapes, only DoS. This post is part of a series of posts discussing QEMU bugs. In this post, I describe the results of (accidental) manual bug testing. The second post will describe my primitive fuzzing setup which found a second bug. I actually found the first bug completely by chance when I wasn't even looking for it. It all started when I was playing
By David Buchanan, 6th January 2018 For this challenge, we were provided with two files: tamagotchi and libc-2.26.so (Both ELF files), along with the address of a remote service running the same program. This is a typical setup for an exploitation...
By David Buchanan, 6th January 2018 This challenge was a highly obfuscated perl script. So much so, that it contained a lot of non-ASCII printable characters. (You can download the original file from here). When run with perl, it prompts the user for a password, prints some gibberish, and then says "Decryption done, are you happy now?".