
Evernote RCE: From PDF.js font-injection to All-platform Electron exposed ipcRenderer with listened BrokerBridge Remote-Code Execution

https://www.youtube.com/watch?v=IfiHw5mVDrk Just this week, I discovered a critical Javascript Injection -> Remote-Code Execution in the Evernote app. By simply clicking the shared sugar-coated note with embedded font-injection malicious PDF, the a...

July 10, 2024 by Patrick Peng

ROPing Routers from scratch: Step-by-step Tenda Ac8v4 Mips 0day Flow-control ROP -> RCE

Recently, my passion for binary exploitation had been triggered unconsciously after learning new fun stuff on CEs and DLLs; not sure why, but I am always obsessed with assemblies, caller stacks, glibc heaps and that kind of stuff. Thus I decided to lo...

June 12, 2024 by Patrick Peng

Electron Math: 8 Million User Note App Stored XSS -> RCE bypassing nodeintegration via preload.js in electron

This very interesting finding actually started with a YouTube video -> How Microsoft Accidentally Backdoored 270 MILLION Users. It seemed like a clickbait hacking-related video (invoking people's anger at Microsoft && trying to teach kids how to hack). Nevert...

May 26, 2024 by Patrick Peng

Supply-Chain Attacks in LLMs: From GGUF model format metadata RCE, to State-of-The-Art NLP Project RCEs

https://www.youtube.com/watch?v=xcG2vcMRjk4 In this article, I will talk about how I managed to find a 0-day RCE vector hidden in the .gguf metadata of one of the most used LLM dependencies - llama-cpp-python, and how it sets some world-class NLP appli...

May 10, 2024 by Patrick Peng

OSS Sec: From Path-traversals to RCE.

Recently, I have been dedicating my time to bug hunting in large OSS projects, which is both a time- and brain-consuming job with their complex architectures and intricate cross-referencing and API calls. Nevertheless, this hard work paid off (In my wo...

March 26, 2024 by Patrick Peng

Injecting customgpt.ai demo: How to jailbreak a strictly prompt-engineered GPT-4 in wild?

Starting point: Recently a really cool LLM application caught my eye, called https://customgpt.ai/: CustomGPT seemed like a commercial GPT-4 chatbot that allows user interaction with custom services! It seemed like a really innovative application. I...

February 21, 2024 by Patrick Peng

MFKeyAttack: MIFARE Classic Protocols Analyzing && LFSR + CRYPTO1 Exploitations

💡 This paper describes the reverse engineering of the MIFARE Classic chip. We do so by recording and studying traces from communication between tags and readers. We recover the encryption algorithm and the authentication protocol. It also unveils se...

February 16, 2024 by Patrick Peng

Hacking a Router: Tenda AC8 V4 Stack Overflow & PoCs

Recently, I found that Tenda's firmware is available to the public, so I started to seek vulnerabilities in it, mostly focused on buffer overflows & RCE. After hours and days of searching, examining, and reproducing, I was finally able to find 7 0da...

February 15, 2024 by Patrick Peng

Analysis: Tcache under glibc 2.27 && Bypass double free

Tcache Struct: To begin with, in glibc 2.29, tcache bins are controlled by tcache_entry and tcache_perthread_struct. tcache_entry: glibc 2.29 added a key field, which can help us find out about double frees: typedef struct tcache_entry { struct tcache_entry *next; ...

February 14, 2024 by Patrick Peng