kylebot Profile
kylebot

@ky1ebot

Followers
5,310
Following
319
Media
9
Statuses
208

CTF player @Shellphish | PhD Student @ASU | @angrdothorse dev | Author of how2heap | Vulnerability Research Hobbyist | @kylebot@infosec.exchange

Tempe, AZ
Joined September 2018
Pinned Tweet
@ky1ebot
kylebot
3 months
I did it again! It was fun to work on exploit one night before the event and one shot it at the demonstration! And thank you @thezdi and @ubuntu for making the report process painless!
@thezdi
Zero Day Initiative
3 months
Validated! Kyle Zeng from ASU SEFCOM brought a race condition to #Pwn2Own and successfully used it to escalate privileges on #Ubuntu desktop. He earns $20,000 and 2 Master of Pwn points. #P2OVancouver
@ky1ebot
kylebot
2 years
Finally, here is the blog documenting the crazy 7 days that I spent on CVE-2022-1786 to pwn kCTF (and won a lot of cash)! Let me know what you think of the blog!
@ky1ebot
kylebot
2 years
I just pwned Google's Container-Optimized OS with a 0day, *again*! The vulnerability lies in a hot cache in the Linux kernel and is thus extremely hard to exploit on the remote server. Thanks to @sirdarckcat 's help in resetting the servers, I was finally able to make it work!
@ky1ebot
kylebot
2 years
I just performed local privilege escalation and docker escape on Google's GKE engine yet again with yet another 0day! Fun fact, Google hasn't finished processing my last report :P
@ky1ebot
kylebot
2 years
Thanks to @itszn13 , now you can click a play button in the #how2heap main page and start learning various heap exploitation techniques! Want to learn heap in newer libc? No problem. Just select it in the panel on the left!
@ky1ebot
kylebot
3 years
Wanna learn heap exploitation in the post-safe-linking era? A new release of how2heap is here to help! Check it out!
@ky1ebot
kylebot
1 year
I just pwned the latest Ubuntu at Pwn2Own despite the unexpected release yesterday! This is my first in-person Pwn2Own event! And I'm so grateful to @thezdi for this amazing event!
@thezdi
Zero Day Initiative
1 year
Success! Kyle Zeng from ASU SEFCOM used a double free bug to exploit Ubuntu Desktop. He earns $30,000 and 3 Master of Pwn points. #Pwn2Own #P2OVancouver
@ky1ebot
kylebot
2 years
I did it! I just pwned Ubuntu 22.04 at @typhooncon ! I'm thrilled to have achieved this! // Excitement aside, I'd like to thank @amatcama for encouraging me to attend #TyphoonPWN , all my professors for the support, and @SecuriTeam_SSD for hosting the amazing event!
@typhooncon
TyphoonCon🌪️
2 years
It looks like Linux was PWNed with a PE! We're now looking into the details and verifying everything. #TyphoonPWN
@ky1ebot
kylebot
2 years
I just pwned Google's Container-Optimized OS again together with @Markak_ . This time, we used a 0day + cross cache attack. And this makes our second success this month and also my late Christmas present :D
@ky1ebot
kylebot
1 year
Pwned GKE under Google's #kctf program again!
@ky1ebot
kylebot
2 years
I played DiceCTF this weekend and solved a V8 challenge. I bypassed the latest "Virtual Memory Cage" protection in V8 and here is how I achieved it XD
@ky1ebot
kylebot
2 years
Just found a bypass to the vtable checks in glibc file structures. And it turned out the answer to the universe is not 42, it's angr :D. Enjoy!
@ky1ebot
kylebot
2 years
My paper: "Playing for K(H)eaps: Understanding and Improving Linux Kernel Exploit Reliability" just got listed in USENIX Sec 22 recently. The systematic study was the key to my recent success in kctf. Check it out!
@ky1ebot
kylebot
2 months
Found a V8 sandbox bypass during @PlaidCTF . Let's see whether I will be the first one claiming the bounty 👀
@GoogleVRP
Google VRP (Google Bug Hunters)
2 months
The V8 Sandbox is now in scope for Chrome VRP for bypass submissions, meeting specific criteria, with rewards up to $5,000! Please see the Chrome VRP rules for full submission criteria and eligibility details.
@ky1ebot
kylebot
2 years
I'm so excited seeing the hard copy of the Kernel Exploit Recipes booklet from Google! I feel so proud that my work is part of it! It will stay in my collection forever. Thank you for making it happen! @sirdarckcat
@ky1ebot
kylebot
1 month
Just confirmed that I first blooded the bounty! Will write a blog about it when Google allows it :)
@GoogleVRP
Google VRP (Google Bug Hunters)
2 months
The V8 Sandbox is now in scope for Chrome VRP for bypass submissions, meeting specific criteria, with rewards up to $5,000! Please see the Chrome VRP rules for full submission criteria and eligibility details.
@ky1ebot
kylebot
7 months
I'm going to present our paper "RetSpill: Igniting User-Controlled Data to Burn Away Linux Kernel Protections" at @acm_ccs this afternoon. Get excited, fellow hackers!
@ky1ebot
kylebot
8 months
It's such an honor to be a recipient of Google PhD Fellowship. Thank you, @GoogleAI , for this opportunity. And I'd like to thank my advisor, @___tiffanyb___ , for her great support in this application and in my PhD study!
@GoogleAI
Google AI
8 months
In 2009, Google created the PhD Fellowship Program to recognize and support outstanding graduate students pursuing exceptional research in computer science and related fields. Today, we congratulate the recipients of the 2023 Google PhD Fellowship!
@ky1ebot
kylebot
2 years
Just learnt that my bug CVE-2022-1786 got fixed recently on Android. This is the bug that earned me the first full bounty in kctf's history (before the bounty raise in Aug). A blog on this bug is on the way :)
@Markak_
Zhenpeng Lin
2 years
Google fixed this vulnerability (CVE-2022-20409) in October's security update, along with CVE-2022-1786 reported by @ky1ebot
@ky1ebot
kylebot
2 years
I'm excited that P0 is referencing my cpu_entry_area exploit technique. The blog mentioned that users can put controlled data using a hardware breakpoint. Well, it is actually easier than that :). Will write up how to completely break SMAP using cpu_entry_area in a bit.
@__sethJenkins
Seth Jenkins
2 years
Excited to announce my first ever P0 blogpost is now public! It details a new exploit strategy on Linux kernel that Jann and I worked together to invent. Thanks to everyone on the P0 team for giving me the opportunity to achieve this dream!
@ky1ebot
kylebot
4 months
My favorite fuzzing paper in recent years: SoK: Prudent Evaluation Practices for Fuzzing
@ky1ebot
kylebot
2 years
Some time ago, I solved a Linux kernel challenge on VULNCON 2021 and promised to provide a writeup. But my procrastination (in fact kctf) stopped me from doing so. But anyway, here is how I first-blooded the IPS linux kernel challenge from VULNCON 2021
@ky1ebot
kylebot
2 years
I feel honored that my research is used in this insane exploit and stabilizes the exploit! And thanks for the awesome and detailed writeup!
@alexjplaskett
Alex Plaskett
2 years
🔥 1/ As promised here is the long blog write-up of a 6 year old Linux kernel UAF vulnerability (CVE-2022-32250) which we exploited multiple times to gain reliable priv esc on Ubuntu 22.04. @nccgroupinfosec EDG @saidelike @fidgetingbits @alexjplaskett 🧵
@ky1ebot
kylebot
4 months
Great. Now memory leaks, warnings, bugs in components not exposed to non-root users (CVE-2021-46957), even performance issue patches (CVE-2024-26602) are "security bugs"
@spendergrsec
Brad Spengler
4 months
Happy Wednesday! Hope you're all enjoying the 86 CVEs assigned by the Linux CNA today:
@ky1ebot
kylebot
2 years
I recently collaborated with @Markak_ and pwned Google's Container-Optimized OS. We developed two completely different exploits independently. My exploit has some previously unknown techniques but less reliable compared with @Markak_ 's. I'll release my exploit later as well. :D
@Markak_
Zhenpeng Lin
2 years
Got the root shell and escaped from the container on Google's Container-Optimized OS. Used a 1-day, but indeed a 0-day in many vendors' kernel. I will release the code if possible, it might be the first public exploit applying cross-cache technique in Linux kernel. #kctf
@ky1ebot
kylebot
3 years
After a week, here comes my writeup for the mooosl challenge from DEFCON qual 2021:
@ky1ebot
kylebot
3 months
deadline fighter be like: arrive at Vancouver one night before on-stage demonstration for #Pwn2Own and yet to fine-tune the exploit reliability for physical machines :D
@ky1ebot
kylebot
3 months
Let's do this again, Shellphishers!
@DARPA
DARPA
3 months
Congrats to the 7 companies that will receive $1 million each to develop AI-enabled cyber reasoning systems that automatically find and fix software vulnerabilities as part of the #AIxCC Small Business Track! Full announcement:
@ky1ebot
kylebot
2 months
I'm so proud to have attended the event with the best hackers in the world! (And appeared for 0.5s in the cool video! :) ) It was really fun! Thanks Google! And @sirdarckcat !
@GoogleVRP
Google VRP (Google Bug Hunters)
2 months
bugSWAT live hacking 📣: We are planning two events this year, one in the US and one in Europe. Invites based on recent submissions and past bugSWAT performance. More details soon - keep those bug reports coming! Here's a peek into our last bugSWAT:
@ky1ebot
kylebot
2 years
Awesome kernel exploit!
@Awarau1
Awarau
2 years
Here is the writeup for the io_uring Use-After-Free which @pqlqpql and me exploited in the kCTF VRP! We hope you enjoy :)
@ky1ebot
kylebot
2 years
I learnt so much during corCTF when trying to solve the two fun and hard Linux kernel challenges. Thanks to @cor_ctf . I'll definitely play the CTF next year.
@cor_ctf
Crusaders of Rust
2 years
Check out corCTF kernel writeups! FizzBuzz101's challenge shows a novel leakless + data-only technique to pwn Linux with a 6 byte overflow: D3v17's CoRJail shows a novel technique used on kctf to achieve arb free with poll_list :
@ky1ebot
kylebot
2 years
I just performed AdamTest on a scammer with... with a bug in their knowledge base? The proposed patch is to learn angr @angrdothorse lol
@ky1ebot
kylebot
2 years
This is part of Google's #kctf program. And I'm going to report the bug I used in the exploit.
@ky1ebot
kylebot
3 years
I just wrote a script to find position-invariant gadgets in a Linux kernel compiled with FG-KASLR. Enjoy:)
@ky1ebot
kylebot
2 years
Sadly, one of our bugs was known, but still, the exploit chain is cool. Still a good start for a Pwn2Owner first timer like us. We will be back next year. (And I will write a blog on how I heap-ed it :) )
@ky1ebot
kylebot
2 years
@InsanityBit @sirdarckcat I do plan to write a blog about this exploitation after the bug is patched and google finishes processing the report. This is a very interesting story.
@ky1ebot
kylebot
1 year
I'm serving as a WOOT PC this year. Found anything insane in offensive security? Write it up and submit to WOOT! :P
@wootsecurity
USENIX WOOT Conference on Offensive Technologies
1 year
📢Thrilled to announce the AMAZING PC members of WOOT 2023! 🤯 They are ready, and waiting to see your submissions! Submission deadline: Friday, January 27 - Very soon!😱 Check our website: More updates are coming soon! Stay tuned!
@ky1ebot
kylebot
3 years
I didn't expect @asisctf to be hard this year. I planned to play *casually* and ended up solving a kernel and a chrome challenge. I spent one more day on the second chrome challenge after the ctf ended and finally solved it with the author @harsh_khuha 's help.
@ky1ebot
kylebot
2 years
@0xCrashX @sirdarckcat I wrote a fuzzer a few months ago. For some reason, I only set it up about 2 weeks ago. It found the bug in 1 week. It took me about 2 days to have an exploit ready locally and 5 more days to actually pwn the remote server because of many obstacles.
@ky1ebot
kylebot
8 months
Here we go, again!
@thezdi
Zero Day Initiative
8 months
We'll be live streaming the SEFCOM T0 attempt to compromise the Wyze Cam v3 surveillance camera here and on YouTube at 16:30 EDT (GMT-4). Their methodology will surprise (and maybe frighten) you.
@ky1ebot
kylebot
1 year
@pagabuc @seanhn @lazytyped @h0mbre_ I'd recommend all the linux kernel challenges (there are four) from corCTF in 2021 and 2022. The one I learnt the most from is Wall of Perdition.
@ky1ebot
kylebot
4 years
Here is my writeup about the macOS challenge "machbooks" from WCTF 2020. Enjoy.
@ky1ebot
kylebot
2 years
Even with a small step size (no time to run it overnight), angr found 3 different chains quickly. (my solve used the chain starting from _IO_new_file_finish) The updated script can be found here (2/2):
@ky1ebot
kylebot
2 years
I'm glad that only one other team is targeting Synology NAS. Hopefully it's not a duplicate.
@thezdi
Zero Day Initiative
2 years
Pwn2Own Toronto 2022 - Drawing for Order
@ky1ebot
kylebot
4 months
And CVE-2021-46940 is even for tools. I'm sorry, it is not even in the kernel. And "it must be run as root". And the direct impact is "prevents the timer from update the stat". I'm not sure why this is a security bug.
@ky1ebot
kylebot
2 years
@ScepticCtf made an amazing challenge, byor, for CTF that challenges angr to find a chain in file structures without relying on wide_data. And ofc, with some minor changes to my original angry-FSROP script, angr is able to solve it! (1/2)
@ky1ebot
kylebot
2 years
Impressive collection of Linux kernel security resources
@alexjplaskett
Alex Plaskett
2 years
🔥 1/ In the last 6 months working on Linux kernel bug hunting/exploitation there has been a number of key resources which have been super useful (coming from a macOS/Windows background) to understand the state of things in 2022 🚀. Here's a short🧵 to recognise this + thoughts:
@ky1ebot
kylebot
2 years
@0xCrashX @sirdarckcat Looking for 0days is not what we usually do in CTFs. But I did benefit a lot from them. Many techniques that I used in the exploit were learnt when playing CTFs.
@ky1ebot
kylebot
9 months
@moyix @saleemrash1d Funny enough, a similar thing happened once. During linectf 2020 or 2021, they had a v8 challenge, where they introduced a bug right next to a 0day vuln. So, during the ctf, a bunch of people audited v8 source and found the 0day :)
@ky1ebot
kylebot
2 years
This is part of Google's #kctf program. Just a clarification :D
@ky1ebot
kylebot
18 days
@h0mbre_ In fact, you get a desktop installed with windows :P
@ky1ebot
kylebot
2 years
More specifically, it is the reason why I could make the exploit reliable, despite the fact that it is a race condition on a busy cache.
@ky1ebot
kylebot
5 years
@silviocesare @infosectcbr FYI, the bypass to the mitigation in glibc 2.29:
@ky1ebot
kylebot
4 years
It may be a bit late. But here is my writeup for one_line_js from 0CTF 2020:
@ky1ebot
kylebot
2 years
@Synacktiv We had this vuln as well haha
@ky1ebot
kylebot
1 year
@PR0GRAMMERHUM0R True coders use the vim plugin in VS. Problem solved :D
@ky1ebot
kylebot
2 years
This is part of Google's #kctf program.
@ky1ebot
kylebot
2 years
For clarification, I didn't come up with the technique the P0 blog demonstrates. What I did was use it as a KASLR/SMAP bypass, which I assume inspired the technique in the P0 blog. (the blog mentions kCTF exploit, and my exploit is the only one using cpu_entry_area so far)
@ky1ebot
kylebot
2 years
@amatcama The best compliment I can get from the master of pwn :D
@ky1ebot
kylebot
3 years
And also, the safe-linking patch also ensures the chunk returned by tcache is properly aligned. I didn't find a bypass to that. Gonna miss the days when ptmalloc could be manipulated to return any wacky addresses :(
@ky1ebot
kylebot
2 years
@spendergrsec Not really. Triggerable through net namespace :)
@ky1ebot
kylebot
10 months
@shellphish Jinmo actually just won livectf! So I only lost to the best!
@ky1ebot
kylebot
2 years
@ScepticCtf It turns out I was wrong in the followup section (in my blog). angr can find more than just wide_data shenanigans. After changing my script to fit your challenge, angr found new techniques quickly. (This time, it is codecvt, which surprises me because I thought they are encrypted)
@ky1ebot
kylebot
2 years
Markak is on fire
@Markak_
Zhenpeng Lin
2 years
The latest Google Pixel 6 pwned with a 0day in kernel! Achieved arbitrary read/write to escalate privilege and disable SELinux without hijacking control flow. The bug also affects Pixel 6 Pro, other Pixels are not affected :)
@ky1ebot
kylebot
4 years
The best solution ever
@pb_ctf
perfect blue
4 years
Unintended solution for DragonCTF "Home Office 2" :-)
@ky1ebot
kylebot
2 years
@wipawel How can you replicate the bug and cross-cache in just 2 days? What a beast!
@ky1ebot
kylebot
2 months
@_saagarjha @PlaidCTF And we did! Second blood! Could've solved it earlier if I didn't forget to insert a while(1) at the end of the script...
@ky1ebot
kylebot
9 months
@lolzareverser @ShuntIsReal @rajxnull @offsectraining @jinmo123 @c2w2m2 Just saying, there are more and more browser/kernel/hypervisor pwn challenges in ctfs and ctfers find 0days during ctfs all the time. If that is not realworld, I don't know what is :)
@ky1ebot
kylebot
1 year
@HDWSec This blog post is flagged as malware by fortinet (on virustotal) and malwarebytes. I'm not saying it is malicious. But I think you should fix it. And I advise other security researchers clicking it with caution.
@ky1ebot
kylebot
4 years
We even made unsafe_unlink work on glibc-2.31. It's crazy.
@shellphish
Shellphish
4 years
Hey hackers! We just released a brand new how2heap @ with many new exploitation techniques! Check it out!
@ky1ebot
kylebot
3 years
In short, tcache poisoning requires a heap leak now, which is not a big deal. This is because modern heap exploitation techniques aim to achieve chunk overlapping, which provides heap leak. And safe-linking fails to prevent it.
@ky1ebot
kylebot
2 years
@gf_256 We got 97% of the image but could only see "good job here is your flag: flag{i_am_????_binary_ninja_???}" the only missing piece was the hppa architecture(we got 66% of it).
@ky1ebot
kylebot
3 years
@degrigis I want to do context-aware ROP chain in angrop too. The idea is to give angrop a state and probably also where the ROP will be. Then it can use constraints in the state to constrain ROP chain.
@ky1ebot
kylebot
2 years
@ScepticCtf I can't believe you build your own libc just to mitigate this trick lol. Feeling honored.
@ky1ebot
kylebot
7 months
@_saagarjha @acm_ccs Then we use a search algorithm to take a VM snapshot at the syscall that grants PC-control for analysis. You can think we take snapshots at each syscall candidate (this won't work in fact, just for the ease of understanding).
@ky1ebot
kylebot
2 years
Thanks to the organizers for the awesome CTF!
@ky1ebot
kylebot
3 years
@BitFriends1 @Kileak99 I was the guy solving it with unintended solution. I'll write a blog post about it as well :D
@ky1ebot
kylebot
1 year
@spendergrsec So, the root cause of the bug is in the goto_chain infinite loop handling logic. When it returns, tcf_result is not cleared. Later cbq_classify casts res.class into a cbq_class pointer, but in reality, it is a pointer of something else => type confusion.
@ky1ebot
kylebot
8 months
@bl4sty Maybe it's not a shellcode but a failed typer bound check bypass :)
@ky1ebot
kylebot
3 years
@mystiz613 CUHK cannot even send a full team now? So sad... I miss the old days when CU can compete with HKUST.
@ky1ebot
kylebot
2 years
@gf_256 That was the best! Thank you and your team for organizing it!
@ky1ebot
kylebot
2 years
@r3tr0sp3ct2019 I knew it was you :D
@ky1ebot
kylebot
1 year
@chompie1337 Another math major here, still having PTSD of real analysis
@ky1ebot
kylebot
4 years
@oooverflow @defcon @thedarktangent I like how our team @shellphish slowly climbed from the last place to the 7th place. And good job @oooverflow for the amazing CTF.
@ky1ebot
kylebot
7 months
@_saagarjha @acm_ccs That's a great question. We first run the poc to crash the vanilla kernel once so we know the syscall number that grants PC-control. Then we instrument the kernel to filter out irrelevant syscalls (not the same number and not from the poc) --
@ky1ebot
kylebot
3 years
@mystiz613 @elliptic_shiho Now I know where to look for challs if I want to learn crypto
@ky1ebot
kylebot
3 months
@_saagarjha You have it :P
@ky1ebot
kylebot
1 year
@sirdarckcat Same, I'll leave my mastodon username in my profile and see whether I'll be banned
@ky1ebot
kylebot
2 years
@CrazymanArmy I heard Water Paddler is also a merged team: Tea Deliverers + ???
@ky1ebot
kylebot
2 years
@Awarau1 @pqlqpql I feel so sorry about it. My condolences :(
@ky1ebot
kylebot
4 years
@AmarSaar Oh wow, I thought this was not exploitable. Nice writeup. And here is my writeup for the FD_SET vuln:
@ky1ebot
kylebot
2 years
@Dooflin5 I can definitely write one!
@ky1ebot
kylebot
4 years
@c0m0r1 There are two bypasses to this check: house of botcake and double free in fastbin + fastbin_stash_to_tcache. And then enjoy arbitrary allocation in tcache :)
@ky1ebot
kylebot
3 years
@jackie_lef Organizing DEF CON CTF and not a hacker? Not very convincing :)
@ky1ebot
kylebot
1 year
@spendergrsec Oh. I think you are right, that's a bug there. I didn't notice "return NULL" is moved.
@ky1ebot
kylebot
8 months
@___tiffanyb___ Thank you tiffany for all the help along the way. I can never get it without your help.
@ky1ebot
kylebot
8 months
@chompie1337 Congrats!