CTurt Profile
CTurt

@CTurtE

Followers
16K
Following
3K
Media
16
Statuses
264

hacking at *undisclosed*

Joined October 2013
@CTurtE
CTurt
11 months
Interesting FreeBSD advisory: It’s the first path traversal I’ve seen where the kernel itself is returning filenames with ../ (normally path traversal bugs are at the application level). ‘Universal Path Traversal’ (akin to UXSS) could be a new bug class?
6
14
125
@CTurtE
CTurt
1 year
RT @carrot_c4k3: i'm excited to share Collateral Damage, a kernel exploit for SystemOS on Xbox One/Series consoles! this initial release i….
0
302
0
@CTurtE
CTurt
1 year
RT @MrMario2011: This is big! New original Xbox exploit has been released, working on stock consoles with just a save. Can be triggered f….
0
484
0
@CTurtE
CTurt
2 years
RT @flat_z: finally. hello, PS5 PSP :)
0
246
0
@CTurtE
CTurt
2 years
RT @CTurtE: Part 2 - Attacking the compiler process: Ultimately I didn't finish the exploit, but hopefully it's st….
0
92
0
@CTurtE
CTurt
2 years
Part 2 - Attacking the compiler process: Ultimately I didn't finish the exploit, but hopefully it's still interesting, and maybe we will see a full exploit implementation from someone else in the future.
39
92
370
@CTurtE
CTurt
2 years
Working with the PlayStation team through the bug bounty program and successfully being awarded several $10k bounties.
@CTurtE
CTurt
3 years
6 months later and I’m still receiving new bounties from PlayStation. Just wanted to say: I’m very happy with my interactions with this team, and I can’t wait to disclose some of the findings!
2
1
107
@CTurtE
CTurt
2 years
mast1c0re: The first public PS4/5 userland exploit targeting a game instead of part of the operating system, making it the only one still unpatched on the latest firmware versions.
@CTurtE
CTurt
3 years
New blog post! Part 1 in my new PlayStation hacking series: An **unpatched** PS4 / PS5 userland exploit that also allows pirating PS2 games. mast1c0re: Hacking the PS4 / PS5 through the PS2 emulator - Part 1 - Escape: Video demo:
2
0
105
@CTurtE
CTurt
2 years
FreeDVDBoot: Defeating the copy protection of my childhood console, the PS2, to allow unmodified consoles to run burned discs (of either retail games or unofficial homebrew games).
@CTurtE
CTurt
5 years
FreeDVDBoot: an exploit for the PlayStation 2 DVD player which allows burning your own homebrew games and running them on an unmodified console as though they were official discs: Demo:
1
1
125
@CTurtE
CTurt
2 years
Looking for PS4/FreeBSD kernel vulnerabilities, and successfully finding and exploiting my first 0day.
@CTurtE
CTurt
9 years
Analysis of CVE-2016-1886, SETFKEY FreeBSD kernel vulnerability:
1
1
97
@CTurtE
CTurt
2 years
Being the first to publicly hack the PS4 kernel by porting over an existing BadIRET exploit, without any kernel dump.
@CTurtE
CTurt
10 years
Hacking the PS4, part 3 - Kernel exploitation.
4
2
115
@CTurtE
CTurt
2 years
For a variety of reasons, it’s time for me to move on from the PlayStation hacking scene. I’m very thankful to have met some great people through this hobby over the years, and for the boost it’s given my security career. Some of the highlights for me were:
124
53
691
@CTurtE
CTurt
2 years
This will be my last month at Google! (my decision was unrelated to layoffs). So thankful to have had the opportunity to work with such incredible colleagues, and contribute to such an impactful mission. Looking forward to starting my next adventure.
38
7
281
@CTurtE
CTurt
2 years
Very cool to see public reimplementations of the first part of my mast1c0re exploit chain, especially when tested on the latest PS5 firmware.
@_mccaulay
McCaulay
2 years
PS5 (latest firmware) PoC for mast1c0re vulnerabilities. Arbitrary PS2 code execution and native PS5 ROP chain execution. Technical details on .@CTurtE's blog post:
27
73
494
@CTurtE
CTurt
3 years
New blog post! Part 1 in my new PlayStation hacking series: An **unpatched** PS4 / PS5 userland exploit that also allows pirating PS2 games. mast1c0re: Hacking the PS4 / PS5 through the PS2 emulator - Part 1 - Escape: Video demo:
62
316
1K
@CTurtE
CTurt
3 years
3/ These YAML injection vulnerabilities can have impact as severe as Remote Code Execution! In these instances, safetext/yamltemplate can instead be used as a drop-in replacement for text/template, that will refuse to return results where a YAML injection would have occurred.
0
0
13
@CTurtE
CTurt
3 years
2/ It's a common pattern in Go code to use text/template from the standard library to produce YAML. Since text/template is just intended for plaintext manipulation and has no awareness of YAML syntax, this pattern is at high risk of injections. Example:
1
0
14
@CTurtE
CTurt
3 years
1/ Last week I open sourced a library I wrote at Google to mitigate a class of YAML injection vulnerabilities (.
1
13
109
@CTurtE
CTurt
3 years
Some unexpected PS2 hacking news: DVD player loading support for PCSX2 emulator has finally been developed thanks to @balika011 and Florin9doi: This would greatly simplify porting/developing ‘FreeDVDBoot’ DVD player exploits for all the different BIOSes.
10
50
252
@CTurtE
CTurt
3 years
Getting some notifications on this old tweet, which aged pretty well. It’s very satisfying to have an answer for something I’ve been wondering about for years. Congrats again to @theflow0 for such an epic chain :)
@CTurtE
CTurt
5 years
@tihmstar @marcograss Regarding PS3/4, Blu-ray BD-J is what I’d attack. You can run arbitrary Java code by design and can call some native methods with controlled arguments, which could be a pretty nice attack surface. ASLR can be defeated in this scenario with some info leak bug, like in the WebKit scenario.
10
31
229