Itamar (@_r1fl) 's Twitter Profile
Itamar

@_r1fl

ID: 712015474679132160

Joined: 21-03-2016 20:38:12

103 Tweets

126 Followers

542 Following

Alexander Popov (@a13xp0p0v):

I've improved my blog with articles and my conference talks about OS kernel development and security: -> Vulnerability discovery, -> Exploitation techniques, -> Defensive technologies. a13xp0p0v.github.io

Martijn Bogaard (@jmartijnb):

The slides for the offensivecon talk “Bug Hunting S21's 10ADAB1E FW” of ffmenarini and myself can be found here: dropbox.com/s/2f14ga52jguu… Enjoy! We are still around at the conference so stop by and say hi.

Richard Johnson (@richinseattle):

Okay, Brandon Falk just blew my mind with this knowledge that x86 is an octal machine. How is this not more commonly understood? The opcode mods use values that are obvious enums when you see them displayed as octal. gist.github.com/seanjensengrey…

grsecurity (@grsecurity):

Dirty Pipe is a nasty upstream Linux kernel vulnerability affecting Linux >= 5.8, found by Max Kellermann: dirtypipe.cm4all.com It allows writing to arbitrary read-only files, similar to DirtyCoW. #grsecurity backported the silent fix in all patches after February 22nd.

Taszk Security Labs (@taszkseclabs):

RCE in MediaTek basebands: in today's blogpost, we explore more CSN1 parsing bugs, this time in MTK's basebands running on MIPS16e2, and analyze how to exploit heap overflows in this baseband OS! labs.taszk.io/articles/post/…

David Buchanan does not tweet anymore (@david3141593):

not-fun fact: Iterating through the bits of a python bigint "the obvious way", via shifting, is O(n^2) - because each bigint shift is O(n). funner fact: if you convert the int to bytes first (O(n)), you can index them in O(1), making the overall iteration O(n).

Justas Masiulis (@justasmasiulis):

Happy to release a neat little plugin for IDA Pro! Bitfield and bitflag accesses have been an annoyance that requires another window open and constant fiddling. You can now fix that with just a few key presses! github.com/JustasMasiulis…

nSinus-R (@nsr@infosec.exchange) (@nsinusr):

Had a blast presenting together with Grant H at #CanSecWest. Here are our slides on FirmWire, our baseband emulation tool which allowed us to find several critical bugs: docs.google.com/presentation/d… - Lots of practical examples on how to use parts of the framework in there!

Alice Climent-Pommeret (@alicecliment):

I've just discovered this amazing document showing super clearly the relation between the opcode and the instruction 🤯 pnx.tf/files/x86_opco…

Synacktiv (@synacktiv):

Since we demo'ed our attack on Tesla Model 3, we are more than eager to explain to everyone how we did it. Hexacon will be the perfect setting for this! Get ready for David B and vdehors presentation. hexacon.fr/conference/spe…

Mickey Jin (@patch1t):

New Blog Post: jhftss.github.io/CVE-2022-26712… PoC in One Line: sudo /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/shove -X /tmp/crafted.db /Library/Application\ Support/com.apple.TCC/TCC.db

Taszk Security Labs (@taszkseclabs):

Log4Harmony: we've heard that vulns in Android log device drivers are cool, so here are some UAF, race condition, and KASLR leak bugs in Huawei's hwlog from Gyorgy Miru (Gym), reachable from untrusted and isolated apps: labs.taszk.io/blog/post/78_h… labs.taszk.io/blog/post/77_h… labs.taszk.io/blog/post/79_h…

Hex-Rays SA (@hexrayssa):

Working on a huge function and the pseudocode listing is too long? Learn how to hide away parts you've already analyzed and not spend time reading it again. hex-rays.com/blog/igors-tip… #IgorsTipOfTheWeek #IDAtips #IDAPro #HexraysDecompiler

Zhenpeng Lin (@markak_):

This Thursday at Black Hat, I will be presenting our research on a kernel exploitation method named #DirtyCred. With DirtyCred, you could write a #DirtyPipe-like exploit that works on different kernels and ARCHs without code changes. Check it out: tinyurl.com/DirtyCred

Linux Kernel Security (@linkersec):

The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I): 1ce0ear published an article describing the root cause of a race condition in the garbage collection for SCM_RIGHTS. This bug is used for Android exploitation in the wild. googleprojectzero.blogspot.com/2022/08/the-qu…

quarkslab (@quarkslab):

Attacking Titan M with Only One Byte: code execution and exfiltration of encryption keys from Google Pixel phone's Secure Element, now being presented by Damiano Melotti and Maxime Rossi Bellom at Black Hat #BHUSA. Full details are now public in their blog post: blog.quarkslab.com/attacking-tita…

Moshe Kol (@0xkol):

Here are the resources for my talk "Racing Against the Lock: Exploiting Spinlock UAF in the Android Kernel" at offensivecon today. Write-up: 0xkol.github.io/assets/files/R… Slides: 0xkol.github.io/assets/files/O… PoC for CVE-2022-20421: github.com/0xkol/badspin #OffensiveCon2023

Jonathan Jacobi (@j0nathanj):

I decided to analyze a VirtualBox VM Escape Vulnerability I found a few years ago - and walk through my younger self's research process! Interesting insights and a cute bug! :) j0nathanj.github.io/Dusting-off-th…