Trying To Exploit A Windows Kernel Arbitrary Read Vulnerability
Adventures in Hypervisor: Oracle VirtualBox Research
I have been in the vulnerability research field for a while now, and VirtualBox is my very first target. I have learned a lot along the way and I hope that anyone who is interested in escaping hypervisors can find something useful in these notes. I assume that you have some basic knowledge of memory corruption, hypervisor architecture and device I/O.
TianFu Cup 2019: Adobe Reader Exploitation
Last year, I participated in the TianFu Cup competition in Chengdu, China. The chosen target was Adobe Reader. This post will detail a use-after-free bug of JSObject. My exploit is not clean and not an optimal solution. I finished this exploit through lots of trial and error. It involves lots of heap-shaping code, and I no longer remember exactly why some of it is there. I would highly suggest that you read the full exploit code and do the debugging yourself if necessary. This blog post was written based on a Windows 10 host with Adobe Reader.
Oracle VirtualBox VHWA Use-After-Free Privilege Escalation Vulnerability
As part of my month-long internship at STAR Labs, I was introduced to VirtualBox and learnt much about bug hunting and triaging, root-cause analysis and exploitation. This post will detail a use-after-free bug I found during the internship, and specifics on the VM escape exploit that I wrote utilising the bug. The latest version at the point of reporting was VirtualBox 6.1.2 r135662.
ASUSWRT URL Processing Stack Buffer Overflow
This Font is not Your Type
Pwn2Own 2020: Oracle VirtualBox Escape
In this post, we will cover the vulnerabilities used at Pwn2Own 2020 for the Oracle VirtualBox escape. These two vulnerabilities affect Oracle VirtualBox 6.1.4 and prior versions.
Analysis & Exploitation of a Recent TP-Link Archer A7 Vulnerability
Instrumenting Adobe Reader with Frida
Frida is an open-source dynamic instrumentation toolkit that has become popular in recent years, and its use in mobile security is especially prevalent.
In this post, I would like to provide a general introduction to the tool and show some examples of how it can also be used on the Windows platform.
Chrome 1-Day Hunting - Uncovering and Exploiting CVE-2020-15999
You Talking To Me?
Simple Vulnerability Regression Monitoring with V8Harvest
Identifying Bugs in Router Firmware at Scale with Taint Analysis
Analysis of CVE-2021-1758 (CoreText Out-Of-Bounds Read)
Diving into Open-source LMS Codebases
The Cat Escaped from the Chrome Sandbox
New Wine in Old Bottle - Microsoft Sharepoint Post-Auth Deserialization RCE (CVE-2022-29108)
io_uring - new code, new bugs, and a new exploit technique