Revisiting Two-Shot Kernel Shellcode Execution From Control Flow Hijacking
One of the inspirations for my work on the System Register Hijacking paper was this blog post by Project Zero written by Andrey Konovalov. In the blog post h...
I played Securinets Quals this weekend with Shellphish; we ended up placing 7th, qualifying us for finals! When I logged on to play, all of the released pwn ...
Linux Kernel ROP gadget scanning is one of those things that seems easy in theory – just run ROPgadget --binary vmlinux on it! In practice, however, anyone w...
This year I played corCTF with Shellphish, and we did pretty well – placing 6th! I worked on two challenges: ‘trojan-turtles’ and ‘its-just-a-dos-bug-bro’, i...
As it turns out, on recent Ubuntu, Arch, Fedora, and likely other distros’ releases, with kernel versions >=5.18, library ASLR is literally broken for 32-...