Finally my article on exploiting CVE-2017-6008 (Pool Overflow) which I talked about at #ndhXV... on Windows 10! trackwatch.com/kernel-pool-ov… HF!
cbayet
410 posts
Security expert and CTO @Reverse_Tactics
Joined April 2017
- Full paper of the exploitation of the CVE-2017-6008 (which I talked about in my conference at #ndhXV) on Windows 7: trackwatch.com/kernel-pool-ov…
- That's indeed the bug I used at Pwn2Own to escape VirtualBox! We're planning to release the details of the bug and exploit, stay tuned...
  Quoted post: Patch candidate for Oracle VirtualBox VirtIOCore Buffer Overflow Local Privilege Escalation Vulnerability (Pwn2Own Vancouver 2024 VM Escape exploit) There was an insufficient check for numbers of in/out data segment descriptors supplied by Guest OS into Virtio devices. Check
- The router connected back so fast I thought my exploit crashed with a huge stack trace 😅 never happened so quickly in the lab 😆 #Pwn2Own
  Quoted post: We have a collision in the SOHO Smashup. Corentin BAYET (@OnlyTheDuck) of @Reverse_Tactics used three bugs to go from the QNAP QHora-322 to the QNAP TS-464, but 1 had been previously seen in the contest. He still earns $41,750 and 8.5 Master of Pwn points. #Pwn2Own #P2OIreland
- Replying to @SinSinology
  Wtf dude I'm still waiting for any actual questions? You started the research like 10 days ago? Are you okay? 🫥
- If you see hypervisors as magic black boxes that are hard to break, join us for this training and learn to apply your reverse, bug hunting and exploit knowledge to build VM escapes!
  Quoted post: For the first time, our training "Bug Hunting in Hypervisors" is open to the public at @reconmtl! Designed for security researchers, we will dive into VM escapes, hypervisor attack surfaces, and real-world exploitation. More info: recon.cx/2025/trainingB…
- So happy! Definitely been lucky on the draw, but very proud of what we've produced there. My adventure @Reverse_Tactics could not start better. It's just the beginning!
  Quoted post: It's a full win! During the first day of #Pwn2Own Vancouver 2024, we demonstrated a fullchain exploit that escaped from an Oracle VirtualBox virtual machine, followed by a local elevation of privilege on the Windows 11 host!
- I'm so happy we won this year with @Synacktiv! It was a great competition and we were under pressure until the last entry. It's especially great timing for me because today was my last day @Synacktiv before a sabbatical leave of several months 🌎
  Quoted post: Here are the final Master of Pwn standings. Congrats to @Synacktiv on claiming the title. It was a close race, but they pulled through.
- A tiny library to spray the pool! Use for Windows kernel pwn only \_°<
- The slides for the talk "Speedpwning VMware Workstation" we did with @BrunoPujos at Ekoparty are online :)
  Quoted post: The slides of the talk "Speedpwning VMware Workstation" by @BrunoPujos and @OnlyTheDuck are available! Check them out if you missed their talk at @ekoparty 2020! synacktiv.com/sites/default/…
- Glad to be registered at Pwn2Own with @BrunoPujos :) We will try to escape VMware Workstation tomorrow at 14 PST!
  Quoted post: .@brunopujos and @OnlyTheDuck are now registered for @thezdi's Pwn2Own, targeting a guest-to-host escape on VMware Workstation! One more time, the Synacktiv team has the last slot, we hope the bad RNG won't affect the exploit :)
- Replying to @ekoparty
  We're thrilled to welcome @OnlyTheDuck & @BrunoPujos to talk about "SpeedPwning VMware Workstation"! They're both security researchers at @Synacktiv and share an interest in hypervisors' security. Full Lineup 👉 ekoparty.org/speakers #ekoparty #pwndemic #eko2020
- Patch your Packet Filter: OpenBSD & FreeBSD remote DoS in 2 IPv6 packets. Please don't fragment the Internet #CVE-2019-5597 synacktiv.com/ressources/Syn…