
Research Blog

Insights and research from our global cybersecurity team.


Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap

Contents: Lua 5.1; Musl's Next Generation Allocator – aka mallocng; mallocng Cycling Offset; Exploiting CVE-2022-24834 on the mallocng heap; mallocng Heap Shaping; Ensuring Correct Target Table->Array Distance; Lua Table Confusion; redis-server/libc ASLR Bypass and Code Execution; Conclusion; Resources; Tools. This […]


HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack

Aaron Adams presented this talk at HITB Phuket on the 24th August 2023. The talk detailed how NCC Exploit Development Group (EDG) in Pwn2Own 2022 Toronto was able to exploit two different PostScript vulnerabilities in Lexmark printers. The presentation is a good primer for those interested in further researching the Lexmark PostScript stack, and also […]


CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive

The fifth and final blog post exploring the detailed exploitation of CVE-2018-8611.


25 May 2020

CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive

The fourth of five blog posts exploring the detailed exploitation of CVE-2018-8611.


18 May 2020

CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks

The third of five blog posts exploring the detailed exploitation of CVE-2018-8611.


11 May 2020

CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering

The second of five blog posts exploring the detailed exploitation of CVE-2018-8611.


04 May 2020

CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction

The first of five blog posts exploring the detailed exploitation of CVE-2018-8611.


27 Apr 2020

libtalloc: A GDB plugin for analysing the talloc heap

tl;dr This post is about a GDB plugin I wrote while researching the Samba exploitation earlier in 2015. There is a python script available. See the README for usage examples. Note that the plugin was thrown together while hacking on bugs. Introduction The Samba project developed a custom heap dubbed the “trivial allocator” aka talloc. A […]


Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit

tl;dr Earlier this year I worked on an exploit for an interesting use-after-free vulnerability in win32k.sys (CVE-2015-0057) and was able to develop a reliable exploit on both 32-bit and 64-bit, affecting XP through Windows 8.1 (with a few exceptions). This writeup describes in detail how I approached exploitation on both architectures, which ended up being […]


Some Notes About the Xen XSA-122 Bug

tl;dr This is a summary of a vulnerability in Xen I found earlier in 2015, and why it’s not very useful in practice. Basically you can leak small amounts of memory from the hypervisor stack, but due to the way the associated hypercall is compiled, it turns out you can’t reliably leak very useful information. […]