j00ru//vx
1,299 posts
j00ru//vx
@j00ru
(Mostly) Windows hacker & vulnerability researcher. Google Project Zero. @DragonSectorCTF
Switzerland
j00ru.vexillium.org
Joined April 2010
821 Following
36.8K Followers
  • j00ru//vx
    @j00ru
    May 6, 2020
    Today I'm happy to release new research I've been working on for a while: 0-click RCE via MMS in all modern Samsung phones (released 2015+), due to numerous bugs in a little-known custom "Qmage" image codec supported by Skia on Samsung devices. Demo:
  • j00ru//vx
    @j00ru
    Jun 21, 2018
    In summary of the last ~1.5 years of my work, I wrote a comprehensive whitepaper on the limitations of C language, kernel infoleaks, Bochspwn Reloaded and many related topics. It's out now! Thanks to all involved. Feels good 😎
    Ben Hawkes
    @benhawkes
    Jun 21, 2018
    Project Zero blog: "Detecting Kernel Memory Disclosure – Whitepaper" by @j00ru - googleprojectzero.blogspot.com/2018/06/detect…
  • j00ru//vx
    @j00ru
    Aug 14, 2018
    Meet BrokenType – the font fuzzing toolset that helped me find 39 vulns in the Windows kernel and user-mode Uniscribe library in 2015-2017. It includes a font mutator, generator and loader. Now on GitHub:
    GitHub - googleprojectzero/BrokenType: TrueType and OpenType font fuzzing toolset
    From github.com
  • j00ru//vx
    @j00ru
    Feb 20, 2019
    I've released an archive of the 13 low-level challenges I developed for CTFs organized with @DragonSectorCTF in 2014-2018, mostly Windows/Linux pwning. This includes task binaries, write-ups and exploits. I hope it'll entertain some more hackers 💻
    GitHub - j00ru/ctf-tasks: An archive of low-level CTF challenges developed over the years
    From github.com
  • j00ru//vx
    @j00ru
    Jul 18, 2018
    New blog post: Exploiting a Windows 10 PagedPool off-by-one overflow (WCTF 2018). j00ru.vexillium.org/2018/07/exploi…
  • j00ru//vx
    @j00ru
    Aug 12, 2020
    The final part 5 of my Samsung MMS exploit blog series is out 🎉 It covers bypassing Android 10 ASLR and getting RCE. Also comes with the exploit source code!
    MMS Exploit Part 5: Defeating Android ASLR, Getting RCE
    From projectzero.google
  • j00ru//vx
    @j00ru
    May 31, 2018
    The Windows syscall tables from my blog are now on GitHub, updated with Windows 10 1803 and formatted as CSV/JSON for easier use in software. Enjoy!
    GitHub - j00ru/windows-syscalls: Windows System Call Tables (NT/2000/XP/2003/Vista/7/8/10/11)
    From github.com
  • j00ru//vx
    @j00ru
    Apr 30, 2018
    My Infiltrate slides about recent progress in Windows kernel infoleak detection: j00ru.vexillium.org/slides/2018/in… Topics covered: • Windows x64 instrumentation • Leaks to file systems • Double-write conditions • Visual Studio .pdb heap disclosure
  • j00ru//vx
    @j00ru
    Oct 10, 2019
    I'd assume PE parsing in the Windows kernel would be well tested but surprisingly no, five such bugs were fixed last Patch Tuesday, all found by fuzzing. They crashed the OS as soon as they'd be written to disk or worst case viewed in Explorer. Details: bugs.chromium.org/p/project-zero…
  • j00ru//vx
    @j00ru
    Jul 16, 2020
    At last, the series begins: MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface. googleprojectzero.blogspot.com/2020/07/mms-ex… I'm excited to start sharing more about this work, starting with a deep dive into the internals and history of the codec.
    MMS Exploit Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface
    From projectzero.google
  • j00ru//vx
    @j00ru
    Aug 22, 2018
    In an effort to share more of my source code publicly, I've uploaded Bochspwn Reloaded (the kernel infoleak detector) to GitHub. For those interested, it may shed some light on the implementation details of the project. See: github.com/google/bochspw…
  • j00ru//vx
    @j00ru
    Jul 26, 2017
    I'm happy and honored to be listed #1 on this year's @msftsecurity researcher list. :) Congratulations to everyone who made it there.
  • j00ru//vx
    @j00ru
    May 14, 2020
    With Windows 10 20H1 (2004) almost out the door, I've updated the system call tables on my blog and on GitHub. Delta-wise, this seems to be the biggest Windows 10 update yet: +7 syscalls in ntoskrnl and +64,-6 in win32k.sys
    GitHub - j00ru/windows-syscalls: Windows System Call Tables (NT/2000/XP/2003/Vista/7/8/10/11)
    From github.com
  • j00ru//vx
    @j00ru
    May 6, 2019
    This weekend, I updated the Windows syscall tables on my blog and GitHub (github.com/j00ru/windows-…) with the upcoming Windows 10 1903 (19H1). There's one new ntoskrnl syscall – NtCreateCrossVmEvent (STATUS_NOT_IMPLEMENTED), with 8 removed and 24 added in win32k since 1809.
    GitHub - j00ru/windows-syscalls: Windows System Call Tables (NT/2000/XP/2003/Vista/7/8/10/11)
    From github.com
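The syscall-table posts above (May 2018, May 2019, May 2020) report per-build deltas such as "+7 syscalls in ntoskrnl and +64,-6 in win32k.sys". Because NT system service numbers are assigned per build rather than being stable across releases, anyone who hardcodes a syscall number (in a direct-syscall stub, a shellcode loader, or a detection rule) needs to recompute these deltas for every new build. The script below is an added example, written for this page and not code from the windows-syscalls repository or from j00ru: it diffs two tables and reports not only what was added and removed but also which surviving syscalls were renumbered by the change. The two-column CSV layout and every syscall name and number in the sample data are constructed for illustration and are not the repository's actual format or real build data.

```python
"""Diff two Windows syscall tables and report added, removed and renumbered
system services.

The CSV layout (name,number) and the sample tables are constructed for this
example; they are NOT the layout or contents of the j00ru/windows-syscalls
repository.  Build B inserts a hypothetical NtCreateCrossVmEvent, which
pushes every alphabetically later service up by one, and drops one service.
"""
import csv
import io

# Constructed sample: "build A" of a hypothetical ntoskrnl syscall table.
OLD_TABLE_CSV = """name,number
NtAccessCheck,0x00
NtCreateFile,0x01
NtCreateKey,0x02
NtOpenFile,0x03
NtQuerySystemInformation,0x04
NtSampleRemovedService,0x05
"""

# Constructed sample: "build B" of the same table after one insertion and
# one removal.  NtSampleRemovedService is a made-up name.
NEW_TABLE_CSV = """name,number
NtAccessCheck,0x00
NtCreateCrossVmEvent,0x01
NtCreateFile,0x02
NtCreateKey,0x03
NtOpenFile,0x04
NtQuerySystemInformation,0x05
"""


def parse_table(text):
    """Parse a name,number CSV into {service_name: syscall_number}.

    Numbers may be written in hex (0x1b) or decimal; duplicate service names
    are rejected because a table with two entries for one name is corrupt.
    """
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        name = row["name"].strip()
        number = int(row["number"].strip(), 0)  # base 0 accepts 0x.. or decimal
        if name in table:
            raise ValueError("duplicate syscall name in table: %s" % name)
        table[name] = number
    return table


def diff_tables(old, new):
    """Compare two parsed tables.

    Returns a dict with sorted lists:
      added      - names present only in `new`
      removed    - names present only in `old`
      renumbered - (name, old_number, new_number) for names in both tables
                   whose number changed; these are the ones that silently
                   break hardcoded syscall IDs.
    """
    old_names, new_names = set(old), set(new)
    added = sorted(new_names - old_names)
    removed = sorted(old_names - new_names)
    renumbered = sorted(
        (name, old[name], new[name])
        for name in old_names & new_names
        if old[name] != new[name]
    )
    return {"added": added, "removed": removed, "renumbered": renumbered}


def summary_line(diff):
    """Render a delta in the '+N,-M' style used in the posts above."""
    return "+%d,-%d syscalls, %d renumbered" % (
        len(diff["added"]), len(diff["removed"]), len(diff["renumbered"])
    )


def main():
    diff = diff_tables(parse_table(OLD_TABLE_CSV), parse_table(NEW_TABLE_CSV))
    print(summary_line(diff))
    for name in diff["added"]:
        print("  added   %s -> 0x%02x" % (name, parse_table(NEW_TABLE_CSV)[name]))
    for name in diff["removed"]:
        print("  removed %s" % name)
    for name, before, after in diff["renumbered"]:
        print("  moved   %s 0x%02x -> 0x%02x" % (name, before, after))


if __name__ == "__main__":
    main()
```

The renumbered list is the part worth paying attention to: in the sample, a single alphabetical insertion shifts four unrelated services, so a stub that issued NtCreateFile as 0x01 on build A would reach NtCreateCrossVmEvent on build B. Point the two constants at real per-build tables to get the actual delta between any two releases.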
