Richard Johnson

@richinseattle

Followers
16,738
Following
2,883
Media
490
Statuses
11,205

Computer Security, Reverse Engineering, and Fuzzing; Training & Publications @ ; hacking the planet since 1995; Undercurrents BOFH

uninformed.org // undercurrents.io https://github.com/richinseattle https://github.com/moflow https://github.com/fuzzing-io
Joined October 2009
Pinned Tweet
@richinseattle
Richard Johnson
7 months
Advanced Fuzzing and Crash Analysis early bird registrations are now available at the listed prices!
Tweet media one
4
11
59
@richinseattle
Richard Johnson
4 years
WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded
@ShaneHuntley
Shane Huntley
4 years
New blog post from TAG with details of a North Korean campaign targeting security researchers working on vulnerability research and development. Stay safe out there everyone!
33
1K
2K
22
419
953
@richinseattle
Richard Johnson
3 years
It’s official, I finally bought my first house!
Tweet media one
72
3
889
@richinseattle
Richard Johnson
6 years
That’s not a polyglot, THIS is a polyglot. Most impressive.. 1024 bytes of code that compiles in 190 languages and counting, emits a message with the number of the languages it supports.
9
282
495
@richinseattle
Richard Johnson
4 years
Based on the rate of research, you could say fuzzing is kind of a big deal. So many papers are being published it’s hard to track it all, let alone read it all. These repos are doing a good job indexing the papers:
1
137
418
@richinseattle
Richard Johnson
9 months
Here's my slides for Fuzzing: Age of Vulnerability Discovery I delivered as a keynote at @wootsecurity as well as @nohatcon and @HushCon this year. It's an overview of how the ecosystem has evolved with new instrumentation, snapshot fuzzing, and mutators.
Tweet media one
@richinseattle
Richard Johnson
9 months
For attendees of my @Hushcon talk and fuzzing friends, check out @is_eqv and @ms_s3c projects (Redqueen, kAFL, Nyx, etc), @0vercl0k ’s WTF fuzzer, TSFFS by @novafacing , LibAFL by @domenuk @andreafioraldi et al, Snapchange from @ctfhacker , and ofc AFL++ from @hackerschoice et al.
1
16
55
2
119
370
@richinseattle
Richard Johnson
6 years
Wow, China restricted all researchers from participating in int'l hacking competitions, big change, not good for the public. Chinese teams win these competitions with impressive displays of skill and we all learn and bugs get patched. Foreboding news..
11
305
346
@richinseattle
Richard Johnson
3 years
Dan’s last words to me were “Bring up the next gen”-eration of hackers.
Tweet media one
5
15
295
@richinseattle
Richard Johnson
4 years
Less than 24h after our Seattle mayor banned the use of tear gas in protests for 30 days, the police just launched some sort of gas against protesters. MF police just won't stop.
@ColeMillerTV
Cole Miller
4 years
Some kind of gas is also being used. I tried getting another video but got a big whiff of it #KOMONews
34
510
3K
4
199
268
@richinseattle
Richard Johnson
4 years
In case you missed the key takeaways in the thread: The real compromise was the chrome 0day on the blog - the lure was the pgp key, which was needed for target to decrypt one of a few offered low value browser or kernel PoC for collab. Shared project was trojaned as backup plan
Tweet media one
5
81
271
@richinseattle
Richard Johnson
3 years
Okay @gamozolabs just blew my mind with this knowledge that x86 is an octal machine. How is this not more commonly understood. The opcode mods use values that are obvious enums when you see them displayed as octal.
10
84
261
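As an added illustration of the "x86 is an octal machine" observation above (example code written for this page, not the author's or @gamozolabs's), the decoder below splits opcode and ModRM bytes into their 2-3-3 bit fields and names them. The opcode groups it models are taken from the one-byte opcode map; everything else is reported as unmodelled.

```python
# Added example: view x86 opcode and ModRM bytes as octal digits (2-3-3 bit fields).
# Only a few well-known one-byte groups are modelled; tables are constructed here.
ALU_OPS = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]  # bits 5..3 of 0o000-0o077

# Low octal digit of the 0o0xx ALU block and of the 0o210-0o213 mov group selects
# the operand form; the same digit means the same thing in both groups.
OPERAND_FORMS = {
    0: "r/m8, r8",
    1: "r/m32, r32",
    2: "r8, r/m8",
    3: "r32, r/m32",
    4: "al, imm8",
    5: "eax, imm32",
}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # low digit = register


def octal_fields(b: int) -> tuple:
    """Return (high 2 bits, middle 3 bits, low 3 bits) of a byte, i.e. its octal digits."""
    return (b >> 6) & 3, (b >> 3) & 7, b & 7


def decode_opcode(op: int) -> str:
    """Name a one-byte opcode using its octal digits as enums."""
    hi, mid, lo = octal_fields(op)
    if hi == 0 and lo in OPERAND_FORMS:   # 0o000-0o077: middle digit = ALU op, low = form
        return f"{ALU_OPS[mid]} {OPERAND_FORMS[lo]}"
    if op >> 3 == 0o12:                   # 0o120-0o127: push r32
        return f"push {REG32[lo]}"
    if op >> 3 == 0o13:                   # 0o130-0o137: pop r32
        return f"pop {REG32[lo]}"
    if op >> 2 == 0o42:                   # 0o210-0o213: mov, reusing the form digit
        return f"mov {OPERAND_FORMS[lo]}"
    if op >> 3 == 0o27:                   # 0o270-0o277: mov r32, imm32
        return f"mov {REG32[lo]}, imm32"
    return f"(not modelled: 0o{op:03o})"


def decode_modrm(modrm: int) -> dict:
    """Split ModRM into mod/reg/rm; mod == 3 means both operands are registers."""
    mod, reg, rm = octal_fields(modrm)
    return {"mod": mod, "reg": reg, "rm": rm, "register_direct": mod == 3}


def explain_instruction(code: bytes) -> str:
    """Render opcode (+ ModRM for the r/m forms) as octal plus its decoded meaning."""
    op = code[0]
    hi, _, lo = octal_fields(op)
    text = f"{op:02x} = 0o{op:03o}: {decode_opcode(op)}"
    has_modrm = lo <= 3 and (hi == 0 or op >> 2 == 0o42)
    if has_modrm and len(code) > 1:
        m = decode_modrm(code[1])
        if m["register_direct"]:
            # forms 0/1 put r/m first, forms 2/3 put reg first (Intel syntax)
            dst, src = (m["rm"], m["reg"]) if lo <= 1 else (m["reg"], m["rm"])
            text += f"; modrm 0o{code[1]:03o} -> {REG32[dst]}, {REG32[src]} (register direct)"
    return text


if __name__ == "__main__":
    # Constructed sample: xor eax,eax / mov ebx,eax / cmp ecx,[..] / push eax / mov eax,imm32
    for sample in (b"\x31\xc0", b"\x89\xc3", b"\x3b\x0b", b"\x50", b"\xb8"):
        print(explain_instruction(sample))
```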
@richinseattle
Richard Johnson
3 years
Full system, hypervisor accelerated, incremental snapshot fuzzing with Intel PT coverage engine enabling full protocol stateful fuzzing via Nyx-Net! Getting roughly 1000 exec/s/core on dnsmasq. This is followup work to kAFL/RedQueen. Kudos to the authors @is_eqv and @ms_s3c !
Tweet media one
3
51
260
@richinseattle
Richard Johnson
6 years
Some bittersweet news: after 8.5yrs, I've decided to walk away from the legacy we built at Talos and begin a new adventure. I've accepted a wonderful opportunity as Director of Offensive Research for Oracle Cloud. My team will own deep dives on the entire cloud stack and research
32
28
247
@richinseattle
Richard Johnson
1 month
An undervalued/underpaid segment of the information tech/services workforce is going to be working overtime through the weekend/week to restore global services by manually rebooting millions of machines in safe mode to delete a bad security update. Kudos to them.
3
68
233
@richinseattle
Richard Johnson
5 years
Ghidra script to config & run WinAFL
Install dynamorio and winafl
Add LaunchWinAFL to ghidra scripts
Set one-time config at top
Load target exe & dlls into ghidra
Go to target func in disasm
Run script to start fuzzing!
#ghidra @GHIDRA_RE @Ghidra_tips
2
104
224
@richinseattle
Richard Johnson
3 years
Excited to be joining the Advanced Threat Research team as part of the newly formed Trellix company. You can expect to see some new public facing vulnerability research from me in 2022!
@spovolny
Steve Povolny (he/him)
3 years
Finally able to share this! We are beyond thrilled to welcome @richinseattle to the Trellix Advanced Threat Research team as a senior vulnerability researcher. Rich is a perfect fit for our team and we can't wait to hit the ground running! Welcome Rich!! #trellix #atr
6
4
77
21
5
226
@richinseattle
Richard Johnson
5 years
This is probably the best discussion of methodology of finding and exploiting bugs in difficult targets. This talk, @NedWilliamson ’s, and @5aelo ’s were prob my fav three from @ccc and @offensive_con . They serve as an excellent quickStart to finding browser bugs.
@ret2systems
RET2 Systems
6 years
Tomorrow at #35C3 , we will give a behind-the-scenes look at the process of #0day Engineering. Watch as we break common misconceptions regarding this increasingly difficult tradecraft:
2
55
197
1
46
203
@richinseattle
Richard Johnson
4 years
@daveaitel Update: I've recovered and decrypted registry keys holding config and neutered the service, I'm RE'ing the driver. I have confirmed with colleagues that only visiting the blog was enough to get popped via Chrome/Brave. I've confirmed my machine connected to their C&C many times.
6
50
199
@richinseattle
Richard Johnson
5 years
Nice archive of papers related to fuzzing
4
63
200
@richinseattle
Richard Johnson
2 years
Media claims that in-memory post exploitation rootkits have been the exclusive domain of state sponsored hackers are so uninformed. It was standard practice for teenage hackers in early 2000s. I wrote shellcode for in memory kernel infection during my Sourcefire hiring interview.
9
28
181
@richinseattle
Richard Johnson
2 years
Rereading @chompie1337 io_uring vuln writeup and the technical details are great, but I really wish tech journalists would create more public awareness and pressure on the abysmal anti-security, anti-awareness Linux patch processes she highlighted as well.
Tweet media one
3
48
179
@richinseattle
Richard Johnson
7 years
So this is why TrueCrypt was abandoned? The full story is riveting.
@JusticeRage The sole author was apparently Paul Le Roux. Its shutdown came right about the time that Le Roux agreed to work with the feds, but not on crypto issues like you might think. The story is long but well worth reading.
10
60
225
8
119
176
@richinseattle
Richard Johnson
8 years
Fuzz all the things! Pre-built image of American Fuzzy Lop w/ clang, qemu, afl-dyninst, TriforceAFL available here
@BrandonPrry
"Convicted Felon" Brandon Perry
8 years
Great Dockerfile for anyone wanting to spin up AFL or related tools quickly thanks to @richinseattle !
0
31
48
4
103
179
@richinseattle
Richard Johnson
6 years
Currently zeroday remote preauth code execution on WiFi NICs in Microsoft Surface, Samsung Chromebook and phones, PS4, XBox SteamLink, etc. Talk was in Russian but the slides are informative. Solid RE w/ custom hooking tools to dump memory/calls and afl-unicorn for fuzzing bugs
@dragosr
dragosr
6 years
unauth, unassoc remote code exec on the Marvell Avanstar Wifi chip SoC used in Playstations, Xbox, Surfaces, Chromebooks, Samsung phones and more in under five minutes attack time. Bonus second stage escalation in the linux drivers, PoC on steamlink.
13
604
971
1
104
172
@richinseattle
Richard Johnson
8 years
We have two code releases for you today! Windows Intel Processor Trace Driver and FuzzFlow
7
155
170
@richinseattle
Richard Johnson
3 years
That time @dakami and I got caught on film whacking our noodles together
Tweet media one
4
7
163
@richinseattle
Richard Johnson
3 years
Lol found a notebook from ~20 years ago, thought I burned it ages ago, it’s full of IPs, logins/passwords, 0day notes, contact info, irc servers and channels I’ve long forgotten. But hey it survived the statute of limitations :) “Fax a request to SUN for lpd source code” lol
Tweet media one
Tweet media two
Tweet media three
12
13
160
@richinseattle
Richard Johnson
4 years
I don't use keybase for anything, but the attackers did compromise my backup paper key which was on my first device compromised. They used it to login to keybase and accessed my empty public/private folders. I'm revoking my keybase account and all pgp/ssh keys.
5
37
159
@richinseattle
Richard Johnson
4 years
Shit. Found their stage2 hiding in registry keys on my host. If you visited the hacker blog with chrome or brave, check for the registry keys listed on the Google blog.
5
56
156
@richinseattle
Richard Johnson
2 years
I’ll be talking about the architecture and implementation of eBPF on Windows and how to fuzz various layers of attack surface including ioctls, rpc, and VM/JIT engines at Black Hat USA
Tweet media one
2
25
153
@richinseattle
Richard Johnson
4 years
This week I’ve been giving my first rendition of my online version of Advanced Fuzzing and Crash Analysis and it’s going great. I was concerned about quality control but I gave everyone in class their own cloud VM so my TA and I can monitor real time
Tweet media one
7
16
148
@richinseattle
Richard Johnson
3 years
Can’t think of a better way to spend the last day of my 30s. Hello 40, I look forward to the many adventures ahead.
Tweet media one
Tweet media two
Tweet media three
25
0
139
@richinseattle
Richard Johnson
1 year
Happy to be starting my first day at @eclypsium ! Eclypsium is a platform security company focusing on securing the layers below applications to ensure OS or network devices are secure. I’m bringing my fuzzing, RE, and tool dev skills to an already excellent team!
9
9
140
@richinseattle
Richard Johnson
2 years
New p-code emulator for fuzzing based on ghidra sleigh. Full system fuzzing perf comparable to qemu, CmpLog support etc. Icicle: A Re-designed emulator for greybox firmware fuzzing
3
43
133
@richinseattle
Richard Johnson
3 years
I really would prefer that I didn't find crashes in 90% of the random packages I harness when seeing them mentioned in tweets, but here we are. TP-Link uses ezxml, have some free CVEs, fuzzer friends
Tweet media one
@richinseattle
Richard Johnson
3 years
@ArdJect As one might expect from a random XML library. Have you found which binaries link to this library? #junkhacking
Tweet media one
2
1
11
4
22
135
@richinseattle
Richard Johnson
2 years
It’s 2022 and a new OS for the Commodore64 just dropped. Amazing.
@gregnacu
Gregorio Naçu
2 years
I updated last night. C64 OS v1.0 is now available for order. Thank you to everyone for your help and support. #c64 #c64os
Tweet media one
36
114
403
1
57
129
@richinseattle
Richard Johnson
3 years
PSA: high performance disassemblers exist. Capstone seems to be the industry favorite and it is easy to use but it is also slow and text based. Please consider your choice if writing performance sensitive code.
Tweet media one
7
38
129
@richinseattle
Richard Johnson
3 years
afl-fuzz -i in -o out -t 2000+ -D \DynamoRIO\bin64\ -- -coverage_module MpClient.dll -target_module MpCmdRun.exe -target_offset 0x1960 -fuzz_iterations 5000 -covtype edge -nargs 2 -- "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File @@ -DisableRemediation
2
16
126
@richinseattle
Richard Johnson
1 year
I'm honored to keynote WOOT'23 (co-located with IEEE S&P) and will be discussing the latest advancements in fuzzing technology!
@wootsecurity
USENIX WOOT Conference on Offensive Technologies
1 year
📢 Thrilled to announce Richard Johnson ( @richinseattle ) as our first Keynote Speaker! Register to WOOT at lower rate by *April 21* at We are looking forward to seeing you in San Francisco on May 25th!
Tweet media one
1
4
10
5
14
130
@richinseattle
Richard Johnson
3 years
Another great fuzzing training week in progress, one student recently found their first CVE in a target so they brought it to class and just scored a new heap overflow. Always makes it fun when students find 0day in class! This is about the 7th live zeroday find the past 1.5 yrs!
3
8
123
@richinseattle
Richard Johnson
11 months
Privately known 0day for 15 months and still no patch on remote preauth RCE in the most commonly installed MTA on the planet?!
@it4sec
Denis Laskov 🇮🇱
11 months
0day RCE in Exim, not patched for more than 1 year. CVE-2023-42115 CVSS 9.8. "Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application." from ZDI
1
18
58
9
44
122
@richinseattle
Richard Johnson
4 years
I'm slow to respond today because I've been working my way forensically through my machines. So far I can confirm lateral movement to another Windows machine that had shared credentials to the initially compromised host. I assume but cannot yet confirm this is automatic behavior
11
20
119
@richinseattle
Richard Johnson
2 years
1.5 years in the making, a reliable type aware syscall tracer for Windows 10 & 11 based on dtrace. As someone who has experimented with dtrace and seen the progress on this, this is quite a feat and a very useful tool.
@jonasLyk
Jonas L
2 years
Presenting D-Generate, syscall tracing as it's supposed to be!
usage:
dg cmd.exe - displays all syscalls done by process with cmd.exe as imagefile.
dg 4736 - by pid 4736
dg - just everything
example of recording:
Tweet media one
17
248
793
0
35
115
@richinseattle
Richard Johnson
5 years
Have you found the 237 scripts you can run on-demand in Ghidra yet? Many examples in python and java, some useful on their own, others starting points. Jython lets you directly interact with Java objects so the entire object model is exposed as well as any java library you need
Tweet media one
Tweet media two
3
38
113
@richinseattle
Richard Johnson
5 years
Many people think of me as a fuzzing expert since I made advanced fuzzing tech my focus for building a team at Cisco. The rabbit hole goes much deeper. My aging reference library is on I hope to add a paper review section to help you go through the catalog
0
23
115
@richinseattle
Richard Johnson
2 years
Now that we're all back from Vegas, ICYMI, here's the slides from my eBPF ELFs JMPing Through the Windows talk from Black Hat 2022. It covers a security review of the new eBPF for Windows stack including how we fuzzed and found bugs.
Tweet media one
0
30
114
@richinseattle
Richard Johnson
2 years
The key to fuzzing is writing a good harness, key to writing a good harness is reading and understanding the code.. aka code review. Just reported a fuzzed bug, now writing a poc for a bug I found while reviewing code to write the fuzz harnesses.
0
14
114
@richinseattle
Richard Johnson
4 years
Found a random signed driver that gives me arbitrary PhysMem read/write on Win10 so had to drop it in IDA to figure it out and write a client to add another tool to the toolbox. These are still common if you keep your eyes open, like spotting a four leaf clover :)
8
7
110
@richinseattle
Richard Johnson
4 months
If you use llamafile, llama.cpp, llama-cpp-python, Oobabooga, LMStudio or any other software that exposes llama.cpp grammar sampling, I found a few remotely exploitable bugs triggered through a single web request that got patched today. More to come from my work at @Eclypsium
Tweet media one
0
36
112
@richinseattle
Richard Johnson
4 years
Hi @ShaneHuntley see my thread, z0x55g targeted me and is currently still active on Telegram under user kw0dem. I can provide the .suo sample if it will help
4
7
104
@richinseattle
Richard Johnson
3 years
Nice thing about fuzzing.. it keeps working while I’m out sailing! Just passed my US Sailing certification.
Tweet media one
5
1
109
@richinseattle
Richard Johnson
5 years
Pawel is a skilled hacker & also former student of my training where we use domato to fuzz browsers.. he just made $8k by adding a small modification to the domato grammar for <portal> tags. Be like Pawel, fuzz all the things! Take my training in 2020 if you want to learn how!
@h0wlu
h0wl
5 years
A while back I did a quick fuzzing exercise on Google Chrome <portal> element @redteampl
1
66
191
2
16
107
@richinseattle
Richard Johnson
4 years
Congratulations to the AFL++ team ( @hackerschoice @andreafioraldi @domenuk + others) for officially replacing afl-fuzz in the Google OSS-Fuzz platform that continuously fuzzes hundreds of critical opensource packages. AFL++ improvements are remarkable!
0
22
106
@richinseattle
Richard Johnson
3 years
Great convo among fuzzing experts leaders at Google, Microsoft, and academia. Watch the replay here
@gannimo
Mathias Payer
3 years
Our DS3 panel on fuzzing with @mboehme_ , @kayseesee , and @metr0 has just started but it's not too late to join us live at !
Tweet media one
0
4
39
0
28
107
@richinseattle
Richard Johnson
5 years
Say hello to Digit, my new co-pilot!
Tweet media one
4
1
105
@richinseattle
Richard Johnson
5 years
I had an emergency surgery yesterday which is always fun. I don’t want you to feel left out, so here’s a quick ghidra script to perform expedited surgery on binaries for auto fuzzing with WinAFL. Instructions in next tweet.
18
17
104
@richinseattle
Richard Johnson
3 years
Haven’t seen the script kids this excited since struts2. I find it funny people openly exploit injection bugs and post on Twitter, but when a pro shop has a remote perimeter capability they haven’t disclosed (which hasn’t been exploited) everyone has a finger wagging opinion.
3
18
106
@richinseattle
Richard Johnson
7 years
When you report remotely exploitable Safari or MMS vulns to Apple, bugs are put in a release cycle for patches, phone meetings and working on their schedule w/ no info reciprocated is the norm. When you drop it on Twitter even physical access design flaw vulns are fixed promptly.
@mkolsek
Mitja Kolsek
7 years
Interesting... So it's possible to create and test a patch for a critical vuln in a single day. I suspect I'll be using this example a lot in the following years.
11
36
74
4
52
104
@richinseattle
Richard Johnson
9 years
Source archive of all published IDA plugins and a couple extra RE tools
0
90
100
@richinseattle
Richard Johnson
6 years
Finishing up my first week at Oracle and I’m very excited about the talented people I’m working with and the future work we will do together. We have 40 heads open in 2019 for Oracle Cloud Offensive Security group: Red Team, PenTest, and Research. Would you like to know more?
@richinseattle
Richard Johnson
6 years
Some bittersweet news: after 8.5yrs, I've decided to walk away from the legacy we built at Talos and begin a new adventure. I've accepted a wonderful opportunity as Director of Offensive Research for Oracle Cloud. My team will own deep dives on the entire cloud stack and research
32
28
247
5
26
99
@richinseattle
Richard Johnson
4 years
Finally some good news. Through a lot of manual correlation and partial info such as c2 logs and file access times, I’m relatively certain my compromised data was mostly low value. There were some old creds on secondary drive like the keybase key but otherwise loss was minimal
2
5
101
@richinseattle
Richard Johnson
3 years
Remote smart TV exploitation via DVB-T digital TV broadcast to inject url to DSMCC resource containing v8 exploit. Completely offline. 🔥
@David3141593
David Buchanan
3 years
RCE over DVB-T This is a 2019 model LG TV
19
264
933
2
17
101
@richinseattle
Richard Johnson
3 years
Slides and code from my Extra Better Program Finagling (eBPF) Attack and Defense talk at @toorcon 2021 have been uploaded to GitHub. Code needs some refactoring from PoC to useful tooling but wanted to get it up.
3
41
101
@richinseattle
Richard Johnson
4 years
Looking for home network monitor/honeypot advice to share with people who will read my “I was hacked by APT” write up. Canaries, 2FA/MFA, FW, disposable VMs for web browsing, are covered, what’s good on the network side w/ 1month log retention to correlate net w/ host events etc
17
20
97
@richinseattle
Richard Johnson
4 years
It appears patching and root cause analysis is dropping the ball much more often than we’d expect, leaving easy work for black/grey market zeroday exploit developers to find variants. 25% is an order of magnitude higher than it should be. Why is the industry failing at this?
@runasand
Runa Sandvik
4 years
"6 of 24 0-days exploits detected in-the-wild [in 2020] are closely related to publicly disclosed vulnerabilities. Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit."
1
81
217
3
28
93
@richinseattle
Richard Johnson
2 years
Microsoft appears to be removing GitHub accounts that post PoC for latest Exchange 0day. I think this came up and has been done before? I seem to recall conversation about them selectively removing only accounts that post 0day for Microsoft products and not others?
7
25
94
@richinseattle
Richard Johnson
7 years
Maxim & Mark are breaking all the barriers. Executing code in ME, full DCI JTAG over USB 3.0. This is phenomenal. If you have any interest in systems research on Intel, @ptsecurity 's research team led by Dmitry Sklyarov should be on your radar.
@h0t_max
Maxim Goryachy
7 years
Game over! We (I and @_markel___ ) have obtained fully functional JTAG for Intel CSME via USB DCI. #intelme #jtag #inteldci
Tweet media one
84
2K
2K
0
57
96
@richinseattle
Richard Johnson
6 years
Current status hybrid fuzzing and concolic execution with afl, qsym, and moflow. qsym is applying DFS concolic exec to an afl slave .cur_input and moflow is applying generational concolic execution to the afl master .cur_input
Tweet media one
5
27
95
@richinseattle
Richard Johnson
3 years
I'll be at the Seattle hacker bar tonight remembering Dan
Tweet media one
2
2
92
@richinseattle
Richard Johnson
4 years
ASLR bypass attack on conservative garbage collectors that avoid freeing objects with pointers on the stack. Chrome and Safari impacted at least. Chrome wontfix
@spoofyroot
Johnathan Norman
4 years
Currently my favorite bug of the year.
9
74
322
2
31
93
@richinseattle
Richard Johnson
10 months
Orange Tsai is especially talented and has rare wisdom to offer in this talk about targeting Sonos for three years in a row. I wish more researchers would talk about research processes / methods that work in long term targeting campaigns.
@orange_8361
Orange Tsai 🍊
10 months
The video and slides of my talk "A 3-Year Tale of Hacking a Pwn2Own Target..." are out. Hope this presentation somehow could be another reference to your next research! ➡️ Video: ➡️ Slides:
6
267
889
2
18
94
@richinseattle
Richard Johnson
5 months
I have posted my slides from The DL on LLM Code Analysis talk at CanSecWest 2024! You can get it and my other talks at
Tweet media one
3
31
93
@richinseattle
Richard Johnson
4 years
Then they asked to switch to Telegram and eventually sent me the project gpg encrypted
Tweet media one
Tweet media two
4
12
89
@richinseattle
Richard Johnson
5 years
Apparently Apple kernel 0day (I don’t have a test machine for Apple). thread_set_state() is called on current thread (illegal according to docs) in 32bit process with all registers set to 0xffffffff other than gs=23. Exploit bypasses SMEP
@piedpiper1616
blueblue
5 years
GitHub - A2nkF/macOS-Kernel-Exploit: macOS Kernel Exploit for CVE-????-???? (currently a 0day. I'll add the CVE# once it is published). Credit for the bug go to @LinusHenze :).
4
180
325
4
45
91
@richinseattle
Richard Johnson
5 years
My Advanced Fuzzing and Crash Analysis training at CanSecWest is over and went really well. Multiple students said it was the best training they’ve taken! It’s rewarding to get the positive feedback and pass on knowledge, I always want to keep brain dumping everything I know! 🧠
1
6
92
@richinseattle
Richard Johnson
3 years
Set this global machine environment variable on Windows 10 to enable sandboxing for Windows Defender. Remote Defender 0day from @taviso released today and there has been increased researcher activity targeting Defender.
@halligast
Halligan
3 years
@taviso sandbox that sucker: setx /M MP_FORCE_USE_SANDBOX 1
3
22
62
4
45
90
@richinseattle
Richard Johnson
4 years
8lgm, Rhino9, HERT, ADM, TESO, LSD, GOBBLES .. these are the most impactful hacking groups I remember who found and exploited the biggest vulns 1995-2003. You may be surprised how many pros that are still around making an impact came from these groups.
@tqbf
Thomas H. Ptacek
4 years
Mudge is the new head of security at Twitter, which got me talking about cDc, hacking groups, cliques, and the distinctions between them. I mentioned 8lgm and TESO as examples of hacking groups best understood as hacking groups, unlike cDc. Someone said: “never heard of them”.
14
105
475
10
8
90
@richinseattle
Richard Johnson
2 years
Your browser can run Linux ELF64 binaries now
@JustineTunney
Justine Tunney
2 years
We've just created a 116kb WASM build of Blink that lets you run x86_64 Linux binaries in the browser. It supports 500 instructions and 130 system calls.
Tweet media one
39
501
3K
3
19
90
@richinseattle
Richard Johnson
7 years
. @taviso 's final @LastPass RCE was masterful. Repeatable pattern, easy to check for. Great writeup with vuln & remediation details for devs
@taviso
Tavis Ormandy
7 years
LastPass have fixed the remote code execution bug I reported last week. 🚿🐛
17
346
732
1
32
87
@richinseattle
Richard Johnson
3 years
For those under 40, this ideology “Given enough eyes, all bugs are shallow” comes from the famous 90s essay The Cathedral and the Bazaar by ESR, it hasn’t survived the test of time but know your infosec meme (I’m sure some of you do but just in case) :)
@fagamericano
Damián
3 years
People be like "Open Source is more secure because the code is there for anyone to audit!" Yeah, but is there ANYONE auditing it at all? Or y'all waiting for someone else to do it?
90
146
1K
7
20
89
@richinseattle
Richard Johnson
4 years
Here’s their first contact.. Twitter has deleted the acct but they just said “hi” and “hello” to prompt the first two messages and then asked if I can do Windows kernel exploitation
Tweet media one
3
15
83
@richinseattle
Richard Johnson
5 years
New phone, who dis? Thanks for the customized phone @thegrugq ! #GrugqPhone #GrapheneOS
Tweet media one
5
13
83
@richinseattle
Richard Johnson
5 years
Hello world, I don't talk about it much here, but I've had ongoing surgeries throughout the year, and had a major operation in September so I haven't been keeping up with email and DMs as well as I should. If I've let something slip, please remind me. I appreciate your patience.
36
0
88
@richinseattle
Richard Johnson
7 years
One stop shop to get your Windows development on. Win10 Enterprise preloaded with VS2017, SDK, etc. you just need to redeploy the VM every couple months for license.
@JGamblin
Jerry Gamblin
7 years
Microsoft Releases Windows 10 Development Environment Virtual Machine.
2
77
130
3
41
86
@richinseattle
Richard Johnson
4 years
Lighthouse is really great. I use it anytime I can get a trace out of a target and recommend it in my training. What are your other favorite dynamic analysis based reversing tools?
@ret2systems
RET2 Systems
4 years
Look familiar? Look a little closer... It's the HUGE new release of Lighthouse v0.9! So much has changed, and it's SO much better:
3
89
260
2
16
84
@richinseattle
Richard Johnson
3 years
Erm, I thought eBPF was supposed to prevent me from crashing my kernel.. heh
Tweet media one
4
6
85
@richinseattle
Richard Johnson
3 years
We have an open job on the Oracle Cloud Attack Research team. If you like developing tooling or harnesses for fuzzing or writing static analysis related tools or codeql queries to solve big challenges in the cloud, this is the team you are looking for!
1
31
82
@richinseattle
Richard Johnson
11 months
With a good understanding of all the tech available under the hood in AFL++/libAFL, fuzzing can discover vulnerabilities that are difficult for expert exploit writers to trigger even with knowledge of the patch. No custom harness needed for this one! (cf: )
@hackerschoice
The Hacker's Choice (@[email protected])
11 months
For those who care: I was able to find the libwebp 0-day CVE-2023-4863 twice with AFL++ with 1 instance COMPCOV and 5 normal instances running for 2 days @metzmanj #fuzzing
3
37
204
2
18
85
@richinseattle
Richard Johnson
3 years
This is my last week at the big O. It’s always difficult to leave a team you’ve been with a few years. What’s next? Find out next week :)
7
2
86
@richinseattle
Richard Johnson
3 years
For $1,000,000/mo you too can fuzz like Google!
@infernosec
Abhishek Arya
3 years
@mdowd @justinschuh @perribus @0xcharlie 100k+ CPU cores, mostly n1-standard-1 vms
1
4
32
4
4
84
@richinseattle
Richard Johnson
7 months
Official WinDBG TTD Live Recording API has arrived. Load TTDLiveRecorder.dll and call APIs from within the traced process. Add custom metadata and events. The docs aren't really indexed, well, here's a link to the interface docs for the LiveRecorder
@KensyAtMS
Ken Sykes
7 months
Do you wish Time Travel Debugging was faster and more lightweight? Our latest version lets you decide exactly what you want recorded! Select modules to record or use the API for full control. Get your recording just the way you like it. Crusts optional.
Tweet media one
2
29
79
0
36
80
@richinseattle
Richard Johnson
7 years
Our @TalosSecurity blog explains the 10 different WiFi WPA vulnerabilities related to KRACK
1
51
85
@richinseattle
Richard Johnson
6 years
I am offering a 25% discount to women for my Advanced Fuzzing and Crash Analysis training at CanSecWest (and hopefully future events as well). Please DM me for details. cc: @Blackhoodie_RE
10
52
82
@richinseattle
Richard Johnson
5 years
We are hiring at OCI Security! I have a new team - Security Instrumentation & Analysis that is still focused on research, especially fuzzing tooling development and custom static analysis queries with Semmle, Joern, etc. We also have positions for PenTest/SecArch. DMs open.
3
38
81
@richinseattle
Richard Johnson
3 years
Just realized my eBPF talk at @toorcon last week was my 50th industry conference presentation. 24 original research talks delivered at 50 events and I hope to continue to bring cool topics to share and discuss at the next 50!
5
3
82
@richinseattle
Richard Johnson
9 months
Cartographer from @NCCGroupInfosec Austin Peavy - Nice code coverage visualizer for Ghidra similar to @gaasedelen Lighthouse plugin for IDA/Binja. It came up in discussion while I was teaching my Advanced Fuzzing and Crash Analysis training this week.
0
19
82