chompie

pressing f8 over and over

chompie boosted:
Marcus Hutchins @malwaretech@infosec.exchange
2025-05-15

After 7 years of external circumstances getting in the way, I finally managed to sit down with @jackrhysider and record a Darknet Diaries episode. Check it out here! :D

darknetdiaries.com/episode/158/

Me and the homies are dropping browser exploits on the red team engagement 😎. Find out how to bypass WDAC + execute native shellcode using this one weird trick -- exploiting the V8 engine of a vulnerable trusted application.

ibm.com/think/x-force/operatio

@dbarros nope I’ll have to write a book some day

@osxreverser @chort actually the point was that Ubuntu turned off unprivileged namespaces but you can still create one using busybox (and other binaries). this wasn’t meant to show LPE, but that you can still create a namespace as an unprivileged user (and touch more kernel attack surface as a result)

chompie boosted:
2025-04-05
The Exploit Development Life Cycle: From Concept to Compromise by @chompie1337

https://www.youtube.com/watch?v=ce0bXORSMX4

@chort @osxreverser my exact reaction when I saw

Exciting news! I’m starting X-Force’s new offensive research team (XOR) and hiring a security researcher. Want to work with myself and other researchers to find bugs, exploit popular targets, and share your work? Apply for this unique (remote) role 😊 (US or Canada only, but stay on the lookout for Europe based positions in the future) careers.ibm.com/job/21219320/s

Here are the slides from my BSides Canberra Keynote @bsidescbr

The Exploit Development Lifecycle: From Concept To Compromise drive.google.com/file/d/1jHnVd

@http it’s open internationally. disregard location in listing

Winners have been notified! It was a very difficult decision with many deserving applicants. So, if you weren’t selected don’t be discouraged. I plan to provide more scholarship opportunities in the future working with sponsors. If you or your company is interested, pls reach out

@malwaretech true, but that also wasn’t targeting a modern OS. exploit mitigations will continue to make things more difficult and labor intensive

@malwaretech full RCE but only works on specific versions/configurations etc or not fully stable

@malwaretech As someone who has been that asshole security researcher u speak of, and dropped full RCE exploits for crit vulns - there is a big difference between a PoC to prove it can be done, and a fully productized exploit that allows for blind mass exploitation. And tbh, even the more sophisticated cybercriminals don’t really possess the skills to fully weaponize a PoC that’s already been mostly constructed for them, lol.

At the same time, there is very little public insight into what mature exploit dev looks like outside of what a handful of security researchers publish. It’s subjective of course, but I do believe there’s a benefit to defenders and others wanting to learn more about an area that has been traditionally shrouded in mystery.

@malwaretech yeah, I’m actually not sure about that either. the structure isn’t supposed to be used after sending the error. might be one of those things where it felt “right” for the dev to do during cleanup but serves no actual purpose (and inadvertently worsens a bug) lol

@malwaretech nice work!! my only nit is that what you’re calling packet_size really represents the packet “cursor”, like place in packet that has been processed thus far. that’s why it gets reset back to 0 in IppSendError.

great blog post 😊

chompie boosted:
Marcus Hutchins @malwaretech@infosec.exchange
2024-08-28

Analyzing and Exploiting CVE-2024-38063, an RCE Vulnerability In the Windows TCP/IP Stack

malwaretech.com/2024/08/exploi

Feel free to share the link! Applications will be reviewed by myself and a review team consisting of my faves

Application Deadline August 31, 2024 at 11:59 PM Eastern Time

The past year has been amazing. From marriage, to Pwn2Own to a Pwnie Award, I'm so grateful. I'm using the money I've won from hacking competitions, bounties, & RB for two ppl to travel & attend Hexacon, the premier offensive security con in Paris, France.

forms.gle/zt9RaR7EEvTxWGCe7

I’m thrilled to share my latest blog post! This one focuses on the bug hunting process: inspiration, approach, and execution. I also provide a retrospective on how the bug was introduced and analyze the insufficient “patch”. Check it out: securityintelligence.com/x-for
