Wow!! Thank you ALL for so much support on my first #Pwn2Own win!! I’m very lucky to have a team and leadership that believes in me. I’m really proud of this bug; this is one of the hardest exploits I’ve ever written. I can’t wait to share the details with you once it’s patched!
Demonstrating CVE-2022-37958 RCE Vuln. Reachable via any Windows application protocol that authenticates. Yes, that means RDP, SMB and many more. Please patch this one, it's serious!
@Dixie3Flatline a girl in front of me asked for one on my flight the other day and the pilot said “ask for one after we land, ever since that girl blew it up on TikTok we never have any 🙄”
Remotely exploiting CVE-2022-34718, TCP/IP RCE bug #EvilEsp for DoS. This is a bug in IPv6 fragmentation/IPsec, which allows an OOB write if an IPv6 fragment is contained inside an IPsec ESP payload.
Thrilled to share my new blog post: Put an io_uring on it: Exploiting the Linux kernel. Follow me while I learn a new kernel subsystem + its attack surface, find an 0day, build an exploit, + come up with some new tricks. I go deep and demystify the process.
5 years ago today I had never used Linux, thought CLI was a type of makeup brand, and the word “exploit” was not in my vocabulary. This Friday at 2pm I’ll be giving a talk @reconmtl on sandbox escape bugs in the Linux kernel. Time flies, trying to enjoy every moment 😌
tried something new and wrote an LPE exploit for CVE-2021-3490, a bug in the Linux kernel eBPF verifier. was fun and learned a lot - blog post + PoC coming soon. happy memorial day!
So excited to finally release my blog post - Kernel Pwning with eBPF: a Love Story. I cover eBPF, the verifier, debugging, exploitation, mitigations and other cool findings! I do root cause analysis and exploit CVE-2021-3490 for LPE with PoC included.
Curious about exploiting VMs or memory bugs in a safe language? Read my new blog post, where I attack Firecracker, AWS' VMM written in Rust. Learn about the various layers of virtualization + the attack surface, and how design decisions impact security.
i'll admit - when i found it, i wasn't totally sure if i could get LPE with this strange little kernel bug alone. it took triggering the vuln 4x to do a full privesc with #CVE-2021-41073, a vuln in io_uring. blog post soon :)
I’m usually pretty private on here, but it’s not everyday I get to brag about marrying the most amazing person I’ve ever met. I’m filled with love, happiness, and gratitude 🥰
still thinking about the time i asked my then boss for a Sublime Text license because I was sick of clicking the popup and his only reply was instructions on how to install vim
In case you aren’t following along, Microsoft is trying to get employees to quit (so they don’t have to pay severance) by creating bad working conditions and skipping yearly raises. This follows other great moves such as switching to “unlimited” vacation right before mass layoffs.
I don’t think I’ll ever forgive Microsoft for hiring the single greatest group of humans I’ll most likely ever work with and then making it impossible for us to stay.
My new blog post! Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”. Reverse engineering CVE-2022-34718 + writing a remote Denial of Service exploit. Covers IPsec and IPv6 fragmentation in the Windows kernel, bin-diffing, and making weird packets.
Pleased to announce I’ve joined the @xforcered Adversary Simulation team. I’ll be focusing on exploit development and offensive security research. Stay tuned for new things ahead :)
learned a ton about userland heap exploitation in Windows + the DNS protocol writing an RCE exploit for #SigRed CVE-2020-1350. detailed technical writeup + PoC coming soon (sans rickroll 😇)
did you know? the syscall for the WinAPI function GetAsyncKeyState queries the global keymap gafAsyncKeyState (exported) in the kernel. you can poll for keystrokes w/o registering a hook, installing a filter driver, or calling the WinAPI func - bypassing like 100% of A/Vs and ACs lol
Since hacker conference szn is upon us, I’m taking the opportunity to remind everyone that neurodiversity looks different on everyone. I’m not a bitch, I’m just autistic and shy. please do say hi lol 💞
Many have asked about the process of doing security research. Mostly it's a lot of troubleshooting and getting bullied online. Join me for my new blog post which details the process of exploring an attack surface, finding 0day, and exploit dev. PoC inside.
CVE-2021-41073 loop_rw_iter in fs/io_uring.c in the Linux kernel through 5.14.6 allows local users to gain privileges by using IORING_OP_PROVIDE_BUFFERS to trigger a free of a kernel buffer, as demonstrated by using /proc/<pid>/maps for exploitation.
SandboxEscaper (Essbee) found her cryptographic memory corruption bugs ☺️ (she discovered the recent OpenSSL bugs). Was determined to go from logic LPE bugs to remote memory corruption; found both kernel and user 0click in < 3mo. One of the most prolific bug hunters of all time.
At Black Hat tomorrow!! "Close Encounters of the Advanced Persistent Kind: Leveraging Rootkits for Post-Exploitation" by @FuzzySec and I. Come if you want to learn cool kernel techniques and evade those pesky mitigations. Sneak peek demo: leveraging 0-day to load our rootkit 😎
Officially been in the security industry for 5 years! Sounds like a long time, but I still feel like a noob. The feeling will probably never leave; all I can do is challenge myself and grow. Thankful to the cool people I’ve met + being able to afford bills on autopay lol
You don’t FIND exploits. You build them. You FIND vulnerabilities and exploit them. As an exploit developer who has failed to exploit lots of bugs that look good, the distinction is important 😭
“but…but… the developers of the world’s most popular encryption framework were simply not experienced enough and did not possess the skill to code in an advanced programming language like C”, he said to himself, while crying
Finally get to release the video for my Recon2022 talk: Breaking the Glass Sandbox - Find Linux Kernel Bugs and Escape. It's awkward - A/V issues with slides. But, I expand on much more than what my slides contain. And the slides are edited back in 😎😌
My first ever blog post: Anatomy of an Exploit: RCE CVE-2020-1350 #SIGRed. RCE PoC included, for research purposes. This was my first userland Windows heap exploit and I hope a deep dive into the process will help others. Patch or apply the workaround.
New blog post by @FuzzySec and I! Patch Tuesday -> Exploit Wednesday: Pwning Windows afd.sys in 24 Hours. We reverse engineer a bug + write an exploit using a cool new primitive. We also find out that it's been exploited in the wild (previously unknown).
Another Linux kernel vuln with no CVE: “…can lead to a negative value that will later be passed to access_remote_vm(), which can cause unexpected behavior.” In my culture we call that a buffer overflow.
Just saw that this vulnerability I reported to Microsoft was found to be exploited in the wild. Guess we are looking in the right places. Blog and exploit code to be released soon.
If an open source project supports building on Windows and Linux, I build it with Linux. The number of times I've successfully compiled someone else's code on Windows on the first try is approximately zero.
them: “what tools do you use to do advanced kernel hacking?”
me, pasting printk(“lol”) for the 12th time that day: “well you see… it’s quite complicated…”
I use Ghidra, Binary Ninja, and IDA - usually all at once. The performance of the first two is good enough that the price tag of IDA just isn’t warranted.
Sorry. Binja is my daily driver because it’s the only one of them that’s not a pain in the ass to use.
I don’t like it when (well intentioned) ppl tell me to “ignore the haters”, as if some random twitter troll is causing me distress, like I give a shit. I highlight it bc otherwise no one believes it happens. I find the older gen doesn’t think there are barriers for women in tech.
Almost a year and a half since I posted this, and it’s more true than ever.
It’s an especially lonely feeling when things seem to be going well. Feels like a dirty secret I’m hiding. Sure that bug/exploit was cool or whatever, but it’s the last one I’ll ever find!
A lot of tradecraft being burned here. Generally, good backdoor OpSec means shipping the least code possible. Later on, deploy additional stages to the desired targets. Not only bc you risk burning less, but because more code samples means more “DNA” left behind for attribution.
the xz sshd backdoor rabbit hole goes quite a bit deeper. I was just able to trigger some harder to reach functionality of the backdoor. there's still more to explore.. 1/n
I often get asked for advice about breaking into infosec, or how to start doing security research, in particular exploit development or vulnerability research. I’m no longer able to keep up with everyone that reaches out, but I want to give back to the community.