aldeb (@4ldebaran) 's Twitter Profile
ID: 719283848845074432

10-04-2016 22:00:08

67 Tweets

166 Followers

1.1K Following

guyru (@guyru_):

Tomer Harpaz just released FunctionInliner, a new Hex-Rays SA IDA plugin that solves the pains of reversing binaries with function outlining optimization enabled. Looking forward to the 2021 Plugin Contest. github.com/cellebrite-srl…

Impalabs (@the_impalabs):

Here is a follow-up blogpost detailing how we attacked Samsung RKP. We reveal 3 vulnerabilities we have used to compromise the security hypervisor and its assurances. We also explain our exploitation paths and look at the patches released by Samsung. blog.impalabs.com/2111_attacking…

Ian Beer (@i41nbeer):

Today we're publishing a detailed technical writeup of FORCEDENTRY, the zero-click iMessage exploit linked by Citizen Lab to the exploitation of journalists, activists and dissidents around the world. googleprojectzero.blogspot.com/2021/12/a-deep…

Man Yue Mo (@mmolgtm):

This is probably the most complex exploit I've done so far. A UAF in Android kernel freed by kfree_rcu (introduces a delay) in a tight race + kCFI + Samsung RKP. Yet it's still possible to gain arbitrary kernel RW, disable SE and root from untrusted app. github.blog/2022-06-16-the…

Impalabs (@the_impalabs):

Here are the slides of our Hexacon talk about breaking the privileged components of Huawei's mobile devices. Thanks to everyone who attended, we hope you liked it, and stay tuned for the upcoming blog posts! github.com/Impalabs/confe…

Maddie Stone (@maddiestone):

A detailed analysis of a Samsung in-the-wild exploit, attributed by TAG to a commercial surveillance vendor. All 3 bugs were 0-day at the time of the discovery of the sample. 1/3 googleprojectzero.blogspot.com/2022/11/a-very…

Maxime Rossi Bellom (@max_r_b):

Better late than never! The slides of our talk "Attacking Samsung Galaxy A* Boot Chain" at offensivecon can be found here: github.com/quarkslab/conf… The video is also available: youtube.com/watch?v=WJ7wkJ…

Seth Jenkins (@__sethjenkins):

My new Project Zero blog post, Driving Forward in Android Drivers is live! 🥳 googleprojectzero.blogspot.com/2024/06/drivin…

Qualys (@qualys):

The award-winning Qualys Threat Research Unit (TRU) has discovered a critical vulnerability in OpenSSH, designated CVE-2024-6387 and aptly named "regreSSHion." This Remote Code Execution bug grants full root access, posing a significant exploitation risk. blog.qualys.com/vulnerabilitie…

msm (@msmcode):

RULECOMPILE - Undocumented Ghidra decompiler rule language. A blog post about how frustration with poor decompilation led me to dive deep into Ghidra's decompiler to discover (and reverse-engineer) - an obscure, undocumented DSL msm.lt/re/ghidra/rule… #reverseengineering #ghidra

h0mbre (@h0mbre_):

I tried my hand at exploiting an nday on the Google Container Optimized OS instance in kCTF but sadly was very late to the party. Here is my exploit write-up for it. I learned a lot during the process, let me know what you think. I'll post TL;DR in thread h0mbre.github.io/Patch_Gapping_…

ClickHouse (@clickhousedb):

🤯 The depth of our core team's debugging skills never ceases to amaze us. ClickHouse Cloud instances on GCP were freezing with maxed-out CPU—but only in GCP?! 🧩 buff.ly/4jB8hGX 🔍 To fix it, Sergei Trifonov had to go deep into the Linux kernel with eBPF tracing &

cts🌸 (@gf_256):

In 2020, I solved a gnarly reverse engineering challenge in PlaidCTF. Only 9 teams solved. It's a huge pile of Typescript. Everything is named after a fish. The catch? There's no code, only types. How do they perform computation using just the type system? (Spoiler: Circuits!)

Brad Spengler (@spendergrsec):

Just saw it mentioned on LWN, handy site for checking which distros enable a certain config option: oracle.github.io/kconfigs/?conf…... Just replace UTS_RELEASE with whatever config option name minus CONFIG_, for example: oracle.github.io/kconfigs/?conf…...

Linux Kernel Security (@linkersec):

[CVE-2025-37752] Two Bytes Of Madness: Pwning The Linux Kernel With A 0x0000 Written 262636 Bytes Out-Of-Bounds Great article by D3vil about exploiting a type confusion in the network scheduler subsystem and pwning all kernelCTF instances. syst3mfailure.io/two-bytes-of-m…

h0mbre (@h0mbre_):

this is so insane. kCTF has a first-come-first-serve policy when it comes to 0day bounties when an instance releases. this team hand crafted a proof of work solver with avx-512 instructions to beat everyone else with an 0day to the flag: anemato.de/blog/kctf-vdf