My new blog post! Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”. Reverse engineering CVE-2022-34718 + writing a remote Denial of Service exploit. Covers IPsec and IPv6 fragmentation in the Windows kernel, bin-diffing, and making weird packets
Angelboy’s Tweets
Our second #Pwn2Own champion and Master of Pwn! 🏆🏆🏆
This couldn't be done without the hard work of my superb teammates (, and our new blood )! Also, big thanks to for this great event 🎉
Quote Tweet
And that's a wrap! Congrats to DEVCORE and @orange_8361 for winning Master of Pwn for Toronto 2022. Thanks to all who participated and special thanks to #Google and #Synology for co-sponsoring the event.
New blog post released!
Windows Segment Heap: Attacking the VS Allocator by labs.bluefrostsecurity.de/blog.html/2022
🔥 Like Windows Kernel exploitation? You're in luck! 10 items of Windows kernel exploit research from 2020/2021 🧵
🔥 1/ In the last 6 months working on Linux kernel bug hunting/exploitation there has been a number of key resources which have been super useful (coming from a macOS/Windows background) to understand the state of things in 2022 🚀.
Here's a short🧵 to recognise this + thoughts:
【 HITCON PEACE 2022 Call For Papers!】
Theme: 𝐒𝐮𝐫𝐯𝐢𝐯𝐚𝐥 𝐆𝐮𝐢𝐝𝐞 𝐟𝐨𝐫 𝐭𝐡𝐞 𝐂𝐲𝐛𝐞𝐫 𝐖𝐚𝐫
Detail: blog.hitcon.org/2022/05/call-f
・Call for Papers Closed: June 3, 2022 (Any Time Zone)
・Event Dates: August 19 - August 20, 2022
See you guys on #HITCONPEACE2022 !
1/10 - I've been doing offensive security source code review for a long time now, and along the way I've learnt a lot of lessons that can make you more effective. Some of them include:
Here is the blogpost on the work we did to randomize the SharedUserData structure in Windows! :)
msrc-blog.microsoft.com/2022/03/30/ran
Thrilled to share my new blog post: Put an io_uring on it: Exploiting the Linux kernel. Follow me while I learn a new kernel subsystem + its attack surface, find an 0day, build an exploit, + come up with some new tricks. I go deep and demystify the process
graplsecurity.com/post/iou-ring-
Here are the slides from the "Attacking JavaScript Engines in 2022" talk by and myself. It's a high-level talk about JS, JIT, various bug classes, and typical exploitation flows but with lots of references for further digging! saelo.github.io/presentations/
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution googleprojectzero.blogspot.com/2021/12/a-deep
This shouldn't have happened: A vulnerability postmortem googleprojectzero.blogspot.com/2021/12/this-s
The registration of HITCON CTF 2021 is OPEN. Go for it and see you this weekend! ctf.hitcon.org
#HITCON #CTF
New blog post. I hope it will be a beginner-friendly tutorial.
I'm very glad to announce that we'll hold ACSC (Asian Cyber Security Challenge), a new international CTF for the young! This is a kind of qualification round, where the high achievers will be selected as the Asian representatives and compete in the World Final!
Released a new blog post describing how AppContainer network restrictions are implemented using the Windows Filtering Platform and an overview of how to use NtObjectManager to analyze the current low-level firewall configuration for issues. googleprojectzero.blogspot.com/2021/08/unders (fixed link)
In a new guest blog, provides details on how he used 3 bugs to get code execution on #Microsoft #Exchange during #Pwn2Own. He calls it ProxyShell. We call it amazing. Read the details a
Blog: CVE-2021-31956 - Exploiting the Windows Kernel via NTFS with WNF – Part 1 by - research.nccgroup.com/2021/07/15/cve
The 2nd Tuesday of the month is here, which means the latest security patches from #Adobe and #Microsoft are here. More than 100 CVEs got addressed, including 4 critical #Exchange bugs. Join as he breaks down the full release.
Although I did not find useful vulnerabilities in other targets and other attack surfaces, it was a good experience for me.
The most important thing is that I learned a lot during the research. Hope I can find more vulnerabilities in the future.
Quote Tweet
I am surprised that we won #Pwn2Own 2021 because we only registered for one entry. But we are actually the only team (out of 3 teams) that got the full win on Exchange Server! Thanks to the lucky draw results and my awesome @d3vc0r3 research team members @mehqq_ and @scwuaptx! twitter.com/thezdi/status/…
Coming up at 1130, the Devcore team will be targeting #Microsoft #Exchange in the Server category. $200K and 20 Master of Pwn points are on the line.
One cool trick to raise your token's integrity level with only an API call and an arbitrary increment: windows-internals.com/exploiting-a-s
Cool stuff from as always :D
I know there are lots of people waiting for the recent Microsoft Exchange pre-auth RCE on our side. This is a short advisory and detailed timeline. proxylogon.com
#proxylogon
My first ever blog post: Anatomy of an Exploit: RCE CVE-2020-1350 #SIGRed. RCE PoC included, for research purposes. This was my first userland Windows heap exploit and I hope a deep dive into the process will help others. Patch or apply the workaround. graplsecurity.com/post/anatomy-o
Most of my public presentation slides are on GitHub now!
Learned a ton about userland heap exploitation in Windows + the DNS protocol writing an RCE exploit for #SigRed CVE-2020-1350. Detailed technical writeup + PoC coming soon (sans rickroll 😇)
Announcing #Pwn2Own Vancouver 2021! Over $1.5 million available across 7 categories. #Tesla returns as a partner, and we team up with #Zoom for the new Enterprise Communications category. Read all the details at bit.ly/3ooKM6J #P2O
Just released a new blog post in my exploitation tricks series about research I did to implement a virtual memory access trap on Windows to make exploitation of certain classes of vulnerabilities deterministic googleprojectzero.blogspot.com/2021/01/window
Having discovered various issues with Windows mini-filter drivers lately I found public information about how to analyze such drivers for security issues somewhat lacking. Therefore today I've put out a blog post to try and fix that glitch :-) googleprojectzero.blogspot.com/2021/01/huntin
😃 I published the writeup about CVE-2020-17140 on our blog; more details about this SMB use-after-free info leak can be found at:
I organized my notes and made them into slides while learning about the segment heap.
If you find something wrong, please let me know.
Hope it can be helpful for those who want to learn about the segment heap in the Windows kernel.
Excited to finally publish my lockdown project from earlier this year: an iOS zero-click radio proximity exploit odyssey.
googleprojectzero.blogspot.com/2020/12/an-ios
About the Lucifer challenge you can reference: sstic.org/media/SSTIC202
and Alex's blog: alex-ionescu.com/?p=231
My exploit for my challenges at HITCON CTF 2020 github.com/scwuaptx/CTF/t
The Lucifer challenge is a segment heap challenge in the Windows kernel.
You need to use named pipes to spray the nonpaged pool and use that to do arbitrary memory reading.
Hope everyone can learn more from our CTF.
📢🚨 ATTENTION HACKERS 🚨📢
As the road to CTF begins, we are very happy to announce that CTF will be the first DC29 CTF pre-qualifier
ctftime.org/event/1136
More deets:
oooverflow.io/dc-ctf-2021-qu
More pre-qualifiers TBA
Cap flags 🚩 and learn things 💻
😖
Quote Tweet
Confirmed! The DEVCORE team of @orange_8361, @scwuaptx and @mehqq_ used an elegant heap overflow to get code execution on the #Synology NAS during their 2nd attempt. They earn themselves $20,000 and 2 Master of Pwn points.