
$900 of $5870: From Path-traversals to RCE.

Recently, I have been dedicating my time to bug hunting in large OSS projects, which is both a time- and brain-consuming job given their complex architectures and intricate cross-referencing and API calls. Nevertheless, this hard work paid off (In my wo...

March 26, 2024 by Patrick Peng

Injecting customgpt.ai demo: How to jailbreak a strictly prompt-engineered GPT-4 in the wild?

Starting point: Recently a really cool LLM application caught my eye, called https://customgpt.ai/: CustomGPT seemed like a commercial GPT-4 chatbot that allowed user interaction with custom services! It seemed like a really innovative application. I...

February 21, 2024 by Patrick Peng

MFKeyAttack: MIFARE Classic Protocol Analysis && LFSR + CRYPTO1 Exploitation

💡 This paper describes the reverse engineering of the MIFARE Classic chip. We do so by recording and studying traces from communication between tags and readers. We recover the encryption algorithm and the authentication protocol. It also unveils se...

February 16, 2024 by Patrick Peng

Hacking a Router: Tenda AC8 V4 Stack Overflow & PoCs

Recently, I found that Tenda's firmware is available to the public, so I started to seek vulnerabilities in it, mostly focusing on buffer overflows & RCE. After hours and days of searching, examining, and reproducing, I was finally able to find 7 0da...

February 15, 2024 by Patrick Peng

Analysis: Tcache under glibc 2.27 && Bypass double free

Tcache Struct: To begin with, in glibc 2.29, tcache bins are controlled by tcache_entry and tcache_perthread_struct. tcache_entry: glibc 2.29 added a key, which can help us detect double frees. typedef struct tcache_entry { struct tcache_entry *next; ...

February 14, 2024 by Patrick Peng