DiegoAltF4 (@diego_altf4)'s Twitter Profile

Binary Exploitation & Fuzzing enthusiast with a special focus on Hypervisors | @zeroclicksh

ID: 1125427403327725568

Joined: 06-05-2019 15:49:37

36 Tweets

696 Followers

1.1K Following

PagedOut (@pagedout_zine)

Leaking Host KASLR from Guest VMs Using Tagged TLB by renorobert Article Highlight #14 - check it out in Paged Out! #4 page 58 pagedout.institute/download/Paged…

farmpoet (@f4rmpoet)

It's time to take a closer look at CVE-2024-38063 (Windows TCPIP RCE). I usually don't post partial analysis but since most available info is unreliable I'll do my best to try and shed some light. This time I'll focus on my workflow and thought process as we go. 🧵

Phrack Zine (@phrack)

The time has come, and with it your reading material for the week. Phrack #71 is officially released ONLINE! Let us know what you think! phrack.org/issues/71/1.ht…

Angelboy (@scwuaptx)

Excited to share our research on Kernel Streaming! We discovered several vulnerabilities in it that we used at Pwn2Own this year. Check it out: devco.re/blog/2024/08/2…

0xor0ne (@0xor0ne)

Well written blog post on exploiting a Use-after-Free (UaF) in Linux kernel (CVE-2024-0582, io_uring) blog.exodusintel.com/2024/03/27/min… Credits Oriol Castejón (Exodus Intelligence) #iouring #infosec

Synacktiv (@synacktiv)

A few months ago, the FreeBSD Foundation appointed us to audit two #FreeBSD critical components: the Bhyve hypervisor and the Capsicum sandboxing framework. Today, related advisories and patches have come out 🧵

1. Multiple vulnerabilities in libnv freebsd.org/security/advis…

Satoshi Tanda (@standa_t)

Android Virtualization Framework - runs the "host" (Android and Linux kernel) in a VM and launches isolated envs. (= pVMs). Based on KVM but offloads complex code to the host VM. pVM firmware is in Rust
- youtube.com/watch?v=K24dmA…
- source.android.com/docs/core/virt…
- android.googlesource.com/platform/packa…

Anderson Nascimento (@andersonc0d3)

I didn't know about VMware vprobes, I discovered it accidentally. We can instrument the VM from the host with lots of probe points and globals. I used it to locate the TR.base address, as the TR register is not exposed to GDB, not even with the monitor command. This URL is old

DiegoAltF4 (@diego_altf4)

Blog post coming soon with an in-depth analysis and exploit development for CVE-2023-22098, discovered by the incredible Andy Nguyen! Stay tuned, VM wizards!

DiegoAltF4 (@diego_altf4)

Excited to be mentioned in the new exploits.club Newsletter! 🎉 It’s an honor to be featured alongside such skilled hackers, including my friend Klecko. If you haven’t checked out the posts yet, don’t miss out!

gabe sherman (@gabe_sherman6)

Need a fuzzing harness? No time to write one? Tired of false positives? Let OGHarn lead the way to bug discovery! 🐞 I'm excited to share my first paper (with Stefan Nagy) "No Harness, No Problem: Oracle-guided Harnessing for Auto-generating C API Fuzzing Harnesses" at ICSE 2025!

roddux (@roddux)

I find myself repeating this a bit, so fuck it, here's how to get into an unprivileged namespace on Ubuntu 24.04/24.10.

PSA: linux is stupid and for nerds, and Canonical/Ubuntu suck at security.

$ busybox sh -c "unshare -Urmin"

too embarrassing to even call it a bypass

Crusaders of Rust (@cor_ctf)

We are back😎 Say hello to our kernelCTF submission for CVE-2025-37752🩸 Who would have thought you could pwn a kernel with just a 0x0000 written 262636 bytes out of bounds? Read the full writeup at: syst3mfailure.io/two-bytes-of-m… 👀

Trend Zero Day Initiative (@thezdi)

Outstanding! Nguyen Hoang Thach (Thach Nguyen Hoang 🇻🇳) of STARLabs SG used a single integer overflow to exploit #VMware ESXi - a first in #Pwn2Own history. He earns $150,000 and 15 Master of Pwn points. #P2OBerlin

Enrique Soriano @esoriano@social.linux.pizza (@e__soriano)

⚠ Last call!!! Tomorrow we have the Criptored Cybersecurity Talks in Fuenlabrada, at 17:00. URJC students can request RAC credits :) plz RT