Niklas B

@_niklasb

Security research & CTF . Pwn2Own '17 & '18.

ring -1
Joined December 2016

Tweets

  1. Pinned Tweet
    Mar 23

    My Insomni'hack slides about VirtualBox hacking: There will be a video on YouTube next week.

  2. 18 hours ago

    In the decomp output I have, it looks to me like balance is not set to 0 by the withdraw function, but I have no time to test it now :) Also, if you can share the exploit, that would be even cooler.

  3. Retweeted
    21 hours ago

    I dumped my own exploit (& sources) at , but that's only some short comments in the exploit code so far. I'm just overwriting PrevSize, but it's quite painful to get the right data into the chunks under the constraints given by the driver.

  4. Retweeted
    24 hours ago

    Arm registered to shit on RISC-V, so I just registered to host my ARM exploit mitigation bypass tutorials on. 🤓😈

  5. Jul 8

    It’s a 1-byte pool overflow in the paged pool, which can be turned into overlapping allocations, WWW and the token privilege corruption for privesc. Apparently it can also be turned into an (easier?) type confusion.

  6. Jul 8

    I removed an unintended bug, updated my exploit to RS4 and brought my elgoog challenge from 34c3ctf back to life for WCTF. managed to solve it without the intended pool metadata corruption, nice.

  7. Jul 6

    Now that’s a legit threat model if I’ve ever seen one

  8. Retweeted
    Jul 6

    Toys for red teams! Headache for blue teams? LethalHTA - a new lateral movement technique brought to you by and of Code White. Check out our new blog post at

  9. Retweeted
    Jul 5

    OH: "Free as in free beer or as in free audit for Apple products by ?"

  11. Retweeted
    Jul 4

    Hey look it’s CIG and ACG and PPL for macOS. If only Windows would allow “library validation for same team identifier”... (without manually having to enable CI for the whole system — at which point per-App policies CAN be used).

  13. Retweeted
    Jul 2

    "I'm my own harshest critic," he said. But then he found the internet.

  14. Jul 3

    (Originally in German) Gave a talk on C++ exploitation at : the live exploit demo is unfortunately cut off :/

  15. Retweeted
    Jul 2

    Coming back from playing with ESPR in Tunis. Had a lot of fun. Thank you and for inviting me. Also thanks to for organizing the event and the great weekend! : See you in Vegas

  16. Retweeted
    Jun 30

    Just published my write-up for the for your reading and commenting pleasure.

  17. Retweeted
    Jun 30

    If you’re in an abusive relationship with an RE tool, early signs to look for are blaming yourself for its failures: “it doesn’t have undo because I shouldn’t have made mistakes!” ...

  18. Jun 28

    This is some really cool research (paper at ): Essentially a man-in-the-middle attack on LTE enabled by the use of unauthenticated AES-CTR. I bet the setup was quite painful to get right.

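    The property the tweet above relies on, as an added illustration (not the paper's code and not the tweet author's): CTR mode XORs plaintext with a keystream, so anyone who knows the plaintext at a given offset can rewrite it in the ciphertext without the key, and nothing detects the change unless a MAC covers the ciphertext. Assumptions in this snippet: HMAC-SHA256 in counter mode stands in for the AES block function (the malleability depends only on the keystream XOR, not on which PRF produces it), and the packet layout, addresses and keys are constructed for the demo.

```python
"""Added example: a relay rewriting a field inside an unauthenticated CTR packet.

Assumptions (not from the tweet or the paper it points to):
- HMAC-SHA256 in counter mode stands in for the AES block function.
- The "packet" layout, addresses and keys are constructed for this demo.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR mode: PRF(key, nonce || counter) for counter = 0, 1, 2, ...
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR in CTR mode.
    ks = keystream(key, nonce, len(data))
    return bytes(d ^ k for d, k in zip(data, ks))


def flip_field(ciphertext: bytes, offset: int, known: bytes, desired: bytes) -> bytes:
    """Attacker step: knows the plaintext bytes at `offset`, has no key.
    XORing (known ^ desired) into the ciphertext makes it decrypt to `desired`."""
    if len(known) != len(desired):
        raise ValueError("replacement must keep the field length")
    delta = bytes(a ^ b for a, b in zip(known, desired))
    out = bytearray(ciphertext)
    for i, d in enumerate(delta):
        out[offset + i] ^= d
    return bytes(out)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers nonce and ciphertext, so bit flips are caught.
    ct = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, sealed: bytes):
    ct, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # reject tampered traffic instead of forwarding it
    return ctr_xor(enc_key, nonce, ct)


# Constructed sample: a packet whose destination field sits at a known offset.
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * 8
PACKET = b"dst=203.0.113.10 q=example.com"  # the user's intended resolver
DST_OFFSET = 4
REAL_DST = b"203.0.113.10"
EVIL_DST = b"198.51.100.7"  # attacker-controlled resolver, same length


def unauthenticated_relay() -> bytes:
    """CTR only: what the network decrypts after the relay touched the packet."""
    ct = ctr_xor(ENC_KEY, NONCE, PACKET)
    forged = flip_field(ct, DST_OFFSET, REAL_DST, EVIL_DST)
    return ctr_xor(ENC_KEY, NONCE, forged)


def authenticated_relay():
    """CTR + MAC: the same manipulation is detected and the packet dropped."""
    sealed = seal(ENC_KEY, MAC_KEY, NONCE, PACKET)
    forged = flip_field(sealed, DST_OFFSET, REAL_DST, EVIL_DST)
    return open_sealed(ENC_KEY, MAC_KEY, NONCE, forged)


if __name__ == "__main__":
    print(unauthenticated_relay())
    print(authenticated_relay())
```

    The attacker never sees the plaintext; it only needs to know (or guess) the bytes at a fixed position, which for an IP header's destination address is exactly the situation the tweet describes. Adding integrity protection turns the same flip into a rejected packet.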
  19. Retweeted
    Jun 26

    I will give a talk on Thursday at the about how and myself tried to find the Switch Boot ROM bug. Topics are Tegra X1 fundamentals, Glitching the ROM out and the RCM bug. The talk will be streamed and recorded as well.

  20. Jun 26

    a useful response to most infosec problems: "have you tried qira?"

  21. Retweeted
    Jun 26

    Another WebKit RCE found&analyzed in a team effort 1c8ab12ca79ae56f10cd5d7cab7f1bdc82b9f3c1582e97f67f57dc441301b328

