j j Profile
@mistymntncop

Followers
2,282
Following
5,274
Media
71
Statuses
1,220
@mistymntncop
j j
9 months
Exploit for CVE-2022-4262. Fukin finally! Shoutout to @_clem1 for finding the ITW exploit. And shoutout to @5aelo , @bjrjk , @alisaesage for their RCAs and prior analysis of the vuln :).
@mistymntncop
j j
2 years
CVE-2022-2200 added to the chain. Full chain complete RCE + SBX :-). Shout out to @_manfp , @hosselot and the good folks at @thezdi !!!
My recreation of the ITW exploit for CVE-2023-3079. Has a bit of an explanation of the vuln in the comments. Uses the same hole technique as CVE-2023-2033. #V8
My DM with the North Korean threat actor "Paul". He had figured out CVE-2023-2033 (which was closed at the time) based on the report for similar issue 1433211. He was interested in a new technique for exploiting the hole.
Finally figured out how to exploit CVE-2023-2033 using the "new" (patched) hole technique. Ended up being a typer bypass (also, patched).
Everyone please check out Ben's new blog about CVE-2023-4863/CVE-2023-41064 which I collaborated with him on. It's a very difficult vuln to figure out how to trigger. Super interesting vuln.
@benhawkes
Ben Hawkes
1 year
"The WebP 0day" -- a full technical analysis of the recently patched vulnerability in the WebP image library that was exploited in the wild (CVE-2023-4863).
@mistymntncop
j j
2 years
Oh wow, I didn't realize that the Lazarus Group's (old) Chrome SBX had been captured.
@mistymntncop
j j
4 months
"Weaponizing Chrome CVE-2023-2033 for RCE in Electron: Some Assembly Required" by @7urb01
@mistymntncop
j j
2 years
Added CVE-2022-1529 to the exploit chain. No SBX yet.
@mistymntncop
j j
10 months
I found this thread discussing the mysterious TrueType ADJUST instructions (0x8F and 0x90)
Correction to my last post. The author of the hole exploitation writeup was @h0meb0dysj . You can find another version of the writeup on his personal blog (Korean). Good stuff!
CVE-2023-3079 is tweetable :-). function set(arr, key, val) { arr[key] = val; } function leak_hole() { for(let i = 0; i < 10; i++) { set(arguments, "foo", 1); } set([], 0, 1); set(arguments, 0, 1); return arguments[1]; } %DebugPrint(leak_hole());
Oh Cool. Glazunov released a writeup on CVE-2023-4427 on packetstorm.
@mistymntncop
j j
9 months
My friend bjrjk's writeup (English) on my exploit technique for CVE-2022-4262. Please check it out!
@bjrjk
Jack Ren
9 months
Full chain analysis for CVE-2022-4262 to commemorate my time spent on this non-trivial type confusion! Shoutout to @mistymntncop for his crafted artful exploit and discussion with me! And shoutout to @_clem1 , @5aelo , @alisaesage for their prior work :).
@mistymntncop
j j
5 months
Shoutout to Buptsb for his brilliant discovery - an exploit technique for CVE-2024-4947. As a bonus it turns out this technique is also applicable to CVE-2024-4761 :-).
@buptsb
1377 High-yield Nukes
5 months
Blog CVE-2024-4947: v8 incorrect AccessInfo for module namespace object causes Maglev type confusion, we have an oob read/write inside of sandbox. By @mistymntncop and me
@mistymntncop
j j
11 months
Shoutout to "caoweiquan322", who managed to modify Mark Adler's "enough" tool to calculate a 538 sized table for the 40 symbol table for the webp vuln (CVE-2023-4863/CVE-2023-41064).
@mistymntncop
j j
7 months
Some crappy POC code I wrote to demonstrate how it is possible to use NtWaitForDebugEvent + WaitForMultipleObjects together to wait for debug events from multiple debugees at once (and other waitable too). Hopefully helpful to someone.
@mistymntncop
j j
6 months
Sometimes I regret not getting in browser exp sooner. Back then it was easier, the obstacles to exploitation were less. But then I appreciate the true creativity it takes to craft an exploit these days. There's a beauty to it.
@mistymntncop
j j
11 months
I would like to give a shoutout to @ret2eax . This guy did a super in-depth writeup on CVE-2020-16040 but I think perhaps many didn't see it. Please give it a read and perhaps give him a follow!!
@ret2eax
ret2eax
1 year
CVE-2020-16040 #GoogleChromeBug analysis. #Google #Chrome 's V8 JIT compiler's SL VisitSpeculativeIntegerAdditiveOp was setting Signed32 as restriction type, even when relying on a Word32 truncation, skipping an overflow check. 🔗 #infosec #exploitdev
I recently discovered @bjrjk 's excellent RCA writeup of CVE-2022-4262. Super interesting and complex vulnerability.
@mistymntncop
j j
6 months
I didn't realize @mmolgtm 's POC 2022 presentation had been made public. Cool! "Controlled chaos: Predicting object addresses in Chrome (without breaking a sweat)"
@mistymntncop
j j
9 months
Stupid TikTok challenge for 2025: the "--no-sandbox" challenge
Brilliant! Buptsb figured out how to trigger CVE-2023-4762! Everyone please give him some love!
@buptsb
1377 High-yield Nukes
1 year
CVE-2023-4762 yet another v8 HOLE leak during element access reducing, poc:
Oh cool they did one on CVE-2023-3079 too!
@mistymntncop
j j
5 months
Wow!! So great to finally learn the secrets of BLASTPASS. I'd been wondering about how they worked around the error path of the webp parsing. Hope to learn the rest of their secrets. Thanks @i41nbeer :) !
@mistymntncop
j j
7 months
Here's something fun. Forget 0days! How about a 15 year old CSRF/XSS exploit for myspace lol (no longer works obvs). I didn't really know what I was doing back then. But it's fun to look back and see how far I've come since then.
@mistymntncop
j j
5 months
CVE-2024-5274. When it pours it pours! Lol.
@mistymntncop
j j
2 years
What ever happened to Mariusz Mlynski? He had some of the most interesting Firefox exploits. Quite different from the usual memory corruption game.
@mistymntncop
j j
10 months
If you are interested in learning how the PDB/DWARF debug file formats work I highly recommend reading the SymsLib library from UnrealEngine. Annoyingly u have 2 join the EpicGames organization on github to view it (free).
@mistymntncop
j j
2 years
Made an attempt at renaming the variables from the leaked 2012 Kidicarus Firefox exploit. Vuln is a type confusion in E4X - which I suspect might be the same as EGOTISTICALGOAT. #exploithistory
@mistymntncop
j j
2 years
@halvarflake Here's an interesting mention of "buffer overflow" from a 1987 penetration test of NASA systems.
The issue page for CVE-2023-2033 is now public
@mistymntncop
j j
11 months
type confusion causes human confusion
CVE-2023-3079 - is another hole leaker. No JIT required.
@mistymntncop
j j
7 months
Forget coding... They should build an AI that can build any old version of software...
CVE-2023-2935 from Glazvunov
Stay safe everyone!
@mistymntncop
j j
6 months
The oldskool mid 2000s "heap spray" browser exploits were kinda boring compared to the wealth of creativity we have today. With evolutionary pressure comes adaptability and creativity to overcome the obstacles.
@mistymntncop
j j
6 months
When it rains it pours
@mistymntncop
j j
2 years
Here's a fun one. Sergei Glazunov finds an issue in the JS ReadableStream implementation for Chrome. Then he finds basically the same issue in Firefox!
Cheat Engine's pointer scan is pretty cool. DS is a trie keyed by a given ptr value - bottom layer contains list of addresses with that value. Each level of the trie is indexed by a nibble of the ptr value starting from msb.
Actually I wonder if the hole is even still exploitable on current version given the recent mitigations for it. E.g.
@mistymntncop
j j
11 months
Is there any technique in V8 exploitation for allocating controlled data in the OldSpace such that it would overlap with the map field of a JSObject ?
@alisaesage I figured out the "new" hole technique from these: 1) 2)
@mistymntncop
j j
2 years
Really curious how CVE-2023-2033 can be exploited. Error.captureStackTrace can place a "stack" getter and private property on the JSGlobalObject. But then what ?
I would like to give credit to @alisaesage for her prior patch analysis attempt
@alisaesage
Alisa Esage Шевченко
1 year
Looked at security patch for CVE-2023-3079, the latest zero day exploit for Chrome/v8 (JavaScript), patched in v114.0.5735.106-110. My quick reverse engineering notes in thread (root cause analysis)
A charming self contained (dwarf symbol parsing, ptrace program control) mini linux debugger that doesn't just piggyback on gdb (lol). Great for educational purposes.
@mistymntncop
j j
9 months
Fascinating.
CVE-2022-4262 - Variston
CVE-2023-2033 - Intellexa
CVE-2023-3079 - Intellexa
But who was behind CVE-2023-4762 (CVE-2023-3079 variant) I wonder?
@ShaneHuntley
Shane Huntley
9 months
But first check out the full 50 page report pulling together years of work by on understanding and countering these threats. Thanks @auroracath @billyleonard @_clem1 @maddiestone @az_matazz @t_gidwani @charley_snyder_ + others for the tireless work.
@mistymntncop
j j
11 months
Myself and others have been accused of being agents of the North Korean state. I plead not NK 🙀. How do my fellow co-accused plead😂? #WithThanksToTheGloriousLeader #KimJongUn4President
The recent(ish) ITW exploits for CVE-2023-2033, CVE-2023-3079 - both hole leakers, really makes you wonder how "the hole" is now being exploited since the old technique was patched. It eludes me and others...
@mistymntncop
j j
6 months
Spidermonkey's "dumpObject" is woefully inadequate compared to V8's "%DebugPrint"...
@mistymntncop
j j
2 years
Really neat presentation on CVE-2016-4657 here. Shoutout to whomever runs the website :)
@mistymntncop
j j
3 years
Mark Dowd's classic flash exploit. Tldr: an ostensibly "unexploitable" null ptr deref turns out to be a (constrained) relative write. Corruption is used to create a parser diff between bytecode verifier and interpreter.
@mistymntncop
j j
4 months
If you are interested in practical software research for low level native programming then please consider supporting Allen Webster. More details here:
@mistymntncop
j j
11 months
I've recommended this tool to a few ppl. Shoutout to Remedybg. It's a small lightweight source debugger - an alternative to Visual Studio. I use it all the time. It's very affordable, only $30 USD.
"we obtained the malicious .watchface attachment that was sent by the attackers – that was the beginning of the exploit chain used to compromise the devices." But how does this result in JS execution :S? And what CVE is it ?
@kaspersky
Kaspersky
1 year
@mistymntncop
j j
9 months
Browser fingerprinting via comparing differing api behavior between browsers and parser differentials seem related. Namely, spotting differences between 2 differing implementations of the same specification. Just a loose thought...
@mistymntncop
j j
7 months
tbh I kinda feel as if Turbolizer's graph layout of nodes is kinda visually unhelpful (especially for large graphs). I would be interested if anyone has any ideas for alternate graph layouts that would be helpful?
Could the 3rd hole exploitation technique be related to the introduction of the new hole type ?
CVE-2023-4762 seems to be another hole leaker. A variant of CVE-2023-3079 in fact. But the question is how do you actually add the right feedback to the function given the patch for CVE-2023-3079 ??
@hosselot
Hossein Lotfi
1 year
Based on the patch comment, this appears to be yet another TheHole value leak vulnerability which is trending now and will keep coming despite recent hardening around TheHole value leak:
@mistymntncop
j j
5 months
Does anyone know of any oracles that tell whether a Maglev compilation (v8) has completed or not ? I.e. different behaviour between compiled and interpreter ?
@mistymntncop
j j
4 months
What is the most obscure bug class ?
@mistymntncop
j j
10 months
@xvonfers Cool! Wonder how it was exploited :O
@deryilz Yes! Lokihardt. Beautiful exploit.
@theori_io
Theori
4 years
Theori researcher, Junghoon Lee ( @lokihardt ), reported ASLR bypass for Chrome and Safari that utilize conservative GC. The runtime is greatly improved compared to similar techniques, making it more feasible. Blog post coming soon!
@mistymntncop
j j
8 months
Rust is not C. Programming styles are not necessarily interchangeable/fungible across languages ... Contorting yer style to the constraints imposed by a language can destroy the qualities that made that style appealing in the first place...
@mistymntncop
j j
10 months
@BonusPlay3 It's in alpha at the moment. See the readme: "In the future we'll expand to also support native Linux debugging and DWARF debug info." They already have Linux process control and dwarf figured out.
@mistymntncop
j j
10 months
Found it
@mistymntncop
j j
8 months
@theori_io aww crap no one is safe lol 😅
@mistymntncop
j j
6 months
he's fast!!
@buptsb
1377 High-yield Nukes
6 months
CVE-2024-4761 v8 oob write quick poc
@mistymntncop
j j
7 months
@buptdsb Don't be too hard on yerself. Consider that even the devs didn't realize this at first.
@mistymntncop
j j
5 months
Re: CVE-2024-4947 & CVE-2024-4761. The exploit technique @buptsb discovered is elegant and beautiful. But how did the original exploit authors exploit them I wonder =/ ?...
Re: CVE-2023-3079 - I'm a little confused as u can see in all the uses of StoreInArrayLiteral uses CreateEmptyArrayLiteral/CreateArrayLiteral as the array but u need to change the receiver to JSArgumentsObject ?
RANGE ZERO ZERO
@mistymntncop
j j
9 months
Appropriately low-effort and shithouse meme.
Oh, so u set the stack "configurable" attribute to false, JIT code makes assumptions based on this, then the attribute gets set back to true because we are doing this in the JS callback (prepareStackTrace). Clever!
Fact check: The packetstorm page for CVE-2023-2724 (1433211) was only created on 27/6/23 whereas his message was on 8/6/23. So perhaps I was deceived...
@mistymntncop
j j
4 months
@mmolgtm your creativity continues to inspire :)
@ajxchapman A bit crude but I wrote some rough notes on how I approached answering this question
@mistymntncop
j j
10 months
You can find the string "richard's secret instruction" in the FTX binary there.
@mistymntncop
j j
9 months
@__suto @lanleft_ @trichimtrich I think you are mistaken. The V8 SBX writeup is by @r3tr074 not @Din3zh
I published the paper about the technique used in my talk in #H2HC2023 : The presentation is about browser exploitation and the future of v8 pwn. I'm very grateful for @bsdaemon , @filipebalestra , @gabrielnb and all @h2hconference staff
@mistymntncop
j j
10 months
Cool looking tree
@mistymntncop
j j
2 years
Curious what objects NK used for exploitation of CVE-2022-0609 (iterator invalidation)? Seems like an awkward primitive (virtual method call) given the constraints (dedicated heap space).
@mistymntncop
j j
9 months
@udunadan I agree. When you are just starting out, consuming lots of research can be very inspiring; however, as you become more experienced it quickly becomes overwhelming. More in-depth research is super specialized to the point it is only accessible to practitioners.