# Ghost in the Shellcode 2014 - fuzzy

tl;dr - fuzzy is a "super secure parsing engine" that includes a histogram function. The histogram of ASCII text uses a buffer on the stack, but it will increment buckets past the end of the buffer if non-ASCII text is provided, allowing us to ROP. Binary and exploit available here. Cross …

# Ghost in the Shellcode 2014 - gitsmsg

tl;dr - gitsmsg is a messaging server. A heap overflow led to an arbitrary read/write primitive and eventual code execution after circumventing RELRO. Binary and exploit available here. Cross-post from the PPP blog.

## The program

First, we reverse engineered much of the binary. You "login" as a user, then can compose …

# A brief introduction to x86 calling conventions

To support some of my other tutorials, I prepared a brief introduction to x86 calling conventions.

# Exploiting a Go Binary

Earlier this year, tylerni7 showed us a proof of concept for a 32-bit Go exploit using this issue. geohot and I had a wager over who could get the first remote code execution on play.golang.org: he won, but just barely ;-). Props also to ricky for helping to find the underlying cause and writing the patch. Here is a summary of how we did it.