SorryMybad
@S0rryMybad
Followers
14,657
Following
279
Media
56
Statuses
778
Explore trending content on Musk Viewer
Ohio
• 419807 Tweets
Springfield
• 289277 Tweets
#JACKANDJOKEREP1
• 268221 Tweets
Haitians
• 240602 Tweets
EP1 U STEAL MY HEART
• 220352 Tweets
Wayne
• 168812 Tweets
#AppleEvent
• 128551 Tweets
iPhone 16
• 69830 Tweets
Tim Cook
• 55419 Tweets
Jets
• 45997 Tweets
Draghi
• 37598 Tweets
Namaz
• 35095 Tweets
Catherine
• 21851 Tweets
#GreenandWhiteSweepstakes
• 19928 Tweets
Princess of Wales
• 19876 Tweets
Culiacán
• 17765 Tweets
Niger
• 14715 Tweets
$INSDR
• 13392 Tweets
Dreamcast
• 12824 Tweets
#TransferideSizideİstemiyoruz
• 12244 Tweets
対象作品
• 11871 Tweets
Grenzkontrollen
• 11501 Tweets
#HappyPrukPrukDay
• 11407 Tweets
PS5 Pro
• 11390 Tweets
CMAs
• 10932 Tweets
Fassi
• 10127 Tweets
Pinned Tweet
Is the first time in public competition after PAC introduced? 😈😈😈
Applause to another big winner on target iPhone 11 pro+iOS14. $180,000 granted!
@S0rryMybad
@realBrightiup
👏
1
12
54
1
3
66
Here is the PoC of the bug I used to jailbreak can work before 12.1.2..The blog post about exploit on A12 will come soon.😀
94
270
976
Jailbreak on the latest iOS 11.3🙂
And the bounty of Edge Bounty Program
Feel lucky
52
240
787
The Jailbreak on iOS 11.3.1 :)
Very thanks to Qihoo 360 Vulcan Team and
@Morpheus______
books and tools.I can not finish it without them.
111
234
730
Will be release information after fix.If you want a research iPhone.Stay 12.1
Successful exploit again!
#360Security
gained full access to iPhoneX through a type confusion jit bug in
#Safari
and a UaF bug in iOS
#kernel
. It's the
#first
iPhone
#jailbreak
record in pwn contest in the world, wining the highest reward of
#TianfuCup
.
@S0rryMybad
15
175
459
95
136
571
Update: I will release information once the patch release, please note that this bug still not fix in the latest iOS version now(12.1.2)(I think because the vocation of Christmas and New Year), so please wait.On the other hand, this bug can work under A12.
Will be release information after fix.If you want a research iPhone.Stay 12.1
95
136
571
70
131
487
English version: (NOT Google translate this time :) )
IPC Voucher UaF Remote Jailbreak Stage 2 (Chinese, English may be later) and demo :
34
119
349
27
163
468
iOS 12.0 beta REMOTE Jailbreak demo at the
#mosec2018
Thanks the help of pangu team and
@Morpheus______
20
114
409
IPC Voucher UaF Remote Jailbreak Stage 2 (Chinese, English may be later) and demo :
34
119
349
@_niklasb
@revskills
@NedWilliamson
I will release the iOS full chain information(Safari + LPE) after the bugs fixed
4
17
200
AAPL fixed one of my kernel bug which I reported to them in iOS 12.2 . And it can trigger from any sandbox. But I can't find the CVE in their advisories. So am I the only one or not? Because there are too few kernel bugs this patch.
11
20
166
The bug I prepared for tfc iPhone Safari RJB was fixed in 13.2 before TFC :(
8
25
159
After MSRC merged, there are still 11 CVEs I got in May Patch.
They are ALL easy to exploit and RCE under Edge Process.
Even you are not focus on Edge but other browsers, I hope these bugs can help you as I always find browsers bug with inspiration from another browsers.
3
21
155
I want to see how many bugs can I find if I focus on the same thing for a month as I never tried to. Recently I am addicted to ChakraCore JIT compiler. Can't wait to share many interesting bugs.
5
3
141
Got a medal, pwned four main browsers (chrome ff edge safari)in tianfucup
@S0rryMybad
@n_b1a
from 360 ESG Vulnerability Research Institute only used 6 seconds to crack
#FireFox
. Bravo! We will udpate the final verification result and bug info later.
0
2
24
7
6
146
haha sorry for the delay blog post because I am on the vacation of Spring Festival
I exploited
@S0rryMybad
's CVE-2019-5782 vulnerability.
I will also write description about this interesting vulnerability as soon as possible :)
1
13
78
10
9
118
The ack information was corrected now. This is an interesting bug as the patch was commited and reverted and commited and reverted. I used it in the TianfuCup to get Chrome RCE. It is a bit similar to
@_tsuro
's Math.expm1. The bolg post will be as soon as possible.
4
16
110
I never debate with vendor
@msftsecresponse
public. But I have to now because I can't get reply from your emails. This is the first question.
4
10
93
I hope some "PR researchers" DON'T use my stuff to PR.If you don't stop, I will @ you.
8
6
79
The bug is patched. Very quickly…
@S0rryMybad
@n_b1a
from 360 ESG Vulnerability Research Institute only used 6 seconds to crack
#FireFox
. Bravo! We will udpate the final verification result and bug info later.
0
2
24
0
14
82
|MACH_MSG_TYPE_MOVE_SEND| means it drop send right and transfer it to receiver, it must hold send right from |host_get_atm_notification_port| before send. So it don't need to get a reference to the port in copyin as it drop the one belong to itself and the sum not change
a POC of an iOS kernel UAF I found last year, CVE-2018-4420 fixed in 12.1, this requires host_priv port to be triggered. more bugs soon
6
128
336
3
9
74
Really want to talk with every nice guys. But language is a big barrier😅
8
0
76
Recently my two good exploitable safari bugs were collision with others. But I can't see any public analysis blog post about them. So the bugs were found by AAPL themself?
5
3
76
I think don't need to care which engine it is, because all the JS JIT compiler are similar, when you very good at one of them, you will very easy move to another one.
2
4
76
I released some V8 vuls cases which they were fixed in about November 2017 to study.
0
53
75
One of my favourite bugs
4
7
70
If you report the bugs at one time,they will merge it and you only have one CVE. But if you report one case and wait for the patch release, at that moment you report another case, the result you will get two cases and CVEs.😓😓😓
4
3
65
I find the same bug with
@5aelo
.This is the exploit code of CVE-2017-7092.It works on the Safari 10.12.3.
3
38
70
Another bug that become non-exploitable as disable unboxed-object :(
0
7
69
one of my not interesting bug was fixed(also unexploitable with the introduce of os_ref_retain)
6
9
59
I suggest v8 dev consider to refactor part of the typer system. It seems like hard to kill all typer bugs and system is very friendly for exploitation. I've thought about it and have some ideas. Welcome everyone to discuss.
@v8js
1
6
67
No CVE, No PoC, No speech, No blog post, only picture or video == real wild attacker or faker, but if he is very active in twitter => 99% faker
0
7
62
Lucky November.
Mobile Pwn2Own Safari
Chrome Bounty
Edge Bounty CVE-2017-11837
A little unlucky is that CVE-2017-11873 I miss the bounty because I report the case just a day late : (
8
4
54
Good Exploit
Chrome: V8: incorrect type information on Math.expm1
0
32
92
1
10
46
🙂🙂🙂😀😀😀
New blog post written together with my friend
@S0rryMybad
about using the JIT to abuse a non-JIT bug in Chakra (CVE-2019-0812)
1
111
246
0
6
43
当你觉得快追上别人的时候,别人早就不在那个位置
An iOS zero-click radio proximity exploit odyssey
2
163
446
2
2
47
These bugs are interesting and will be release the detail(may be in Chinese) after it fixed.Why I choosed these bugs because they are almost can be exploited for RCE and conver different ideas of JIT.I think they are helpful for looking for JIT inspiration.
2
8
45
17
As we are wrapping up 2021, the Chrome VRP is pleased to announce the Top 20 Chrome VRP Researchers for this year. Congratulations and great work!
Thank you for your contributions and efforts over this past year in helping us make Chrome Browser and Chrome OS safe for all users!
5
49
287
1
2
46
It seems like the "necp_session_action" staff was copied from our blog here: by
@realBrightiup
(And I think it is not wrong, it indeed can casue panic)
Your regular dose of jailbreak drama:
Calling out
@userlandkernel
on his shit:
The worst part is he's not even a convincing faker, smh.
9
12
126
5
5
40
Recently I came back to browsers and
reported some bugs about Edge, and I will write some blogs about
them after the is the first one(in Chinese):
If you feel these stuffs are helpful for you, please RT or like.
2
14
45
CVE-2018-8367
Edge Inline Segment Use After Free(Chinese): (Google translate in English):
1
23
48
0
6
44
🤣🤣🤣
Bravo! Anotehr successful entry on
#iPHone11Pro
+
#iOS14
is from
@S0rryMybad
@realBrightiup
They nailed it also with a REC + sandbox bug. Let's wait for the verification.
1
8
52
0
1
42
A case which MSRC said it is not exploitable and I need to prove it is exploitable...😅😅
1
2
37
@K3vinLuSec
I think root cause is not the overflow problem, is in the decode_colorspace trust the "evil" buffer data from others.
1
1
39
Miss Lokihardt
JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
0
11
32
0
3
38
compare to the similar stuff in iOS: ..............
Linux kernel 4.20 included the KSMA mitigation completed by C0RE Team
@_2freeman
. Here's a post in Chinese:
1
23
40
3
8
32
Seems like a great workshop from pangu…Want to attend it🙂
We are proud to announce our second Workshop - iOS Sandbox Escape Vulnerability and Exploitation by Pangu (
@PanguTeam
) -
2
42
93
5
4
33
@tihmstar
I didn't deep into look this way and found another exploit way(in my blog post), may be you can try.I think someone will write a better exploit way than I used.
4
4
27
When to start an rce requires three blogs to explain
New blog post series "JITSploitation" about a fun WebKit JIT bug and how it can be exploited on iOS despite StructureID randomization, the Gigacage, and PAC+APRR!
1
159
451
1
1
33
IMO, the difficulty of JS engines is: SpiderMonkey == V8 > ChakraCore == JSC. Which one is the most difficult in your opinion?
V8
150
SpiderMonkey
62
ChakrCore
20
JSC
39
2
7
31
May be you can try add a big "try catch" to all the |exploit.js| code, I think this may be reslove your problem(you can use loop to push staff) as try catch will disable the global JIT.
@S0rryMybad
@bkth_
@5aelo
@teambi0s
@sherl0ck__
@SpiderMonkeyJS
Thanks very much. BTW, if you want to take a look, try this commit 🤩
0
0
5
2
0
31
Just found twitter has been updated. And now is similar with weibo
2
2
31
Prepare some stuffs may be bypass the future patch.For more detail, stay tuned for
@ProjectMoonPwn
1
3
30
I have reported a case of Edge to MSRC which can reproduce on the lastest ChakraCore code(2018-07-04 on github) and lastest WIP Edge version.And MSRC said this is a duplicate of an CVE which was fixed two months ago.
How do you think?
4
2
27
ChakraCore has many opt measures to eliminite the BoundsCheck.But with the introduction of protection against Spectre:
The measures become no sense because protection lower more native code and it only has few opt even for loop hoist.
0
2
28
I meet that before. I have a bugs which can trigger from different browsers
So .. new life goal.. report a valid chrome bug and have the report trigger a separate exploitable bug in another browser.
1
0
10
2
0
27
I think this bug is interesting :)
1
4
27
I think the difficulty of SpiderMonkey was improve about 30% after it disabled the UnboxedObjects feature
0
2
27
It seems like many CVE items which were fixed in iOS12/macOS 14 but they were addressed in 12.1/14.1.It is too weird.
1
2
24
If the roles interchange, I think the |retweets| will overflow.
5
4
20
Although study for jailbreak last few months. But feel lucky to get this
Our Q4 Top 5 Bounty Hunter list is live: . Congratulations to all the leaders -
@mtowalski1
@S0rryMybad
@irsdl
@soaj1664ashar
@SecretlyHidden1
@netfuzzer
0
8
17
2
3
22
I thought one of my chrome bug was reintroduced when I saw the title😅: but it is not
0
0
24
@pattern_F_
I see a local app was installed at first, did your rce exploit used to start the app? If it is, this is not a "remote jailbreak".
6
0
23
