exploits.club Weekly(ish) Newsletter 94 - P20 VMWare Bugs, ExpDev With LLMs, Pixel 0-Click Bugs, and More
Good morning friends....been a minute. But we are SO back. Annnnnyways 👇
In Case You Missed It...
- RE//verse Tickets Still On Sale - If you were just at DistrictCon, escape the snow-pocalypse to Florida next month
- OffensiveCon CFP - 30 days to get 'em submitted!
Resources And Write-Ups From This Week:
- On The Coming Industrialization Of Exploit Generation With LLMs - Sean Heelan continues to lead the charge when it comes to practical AI usage for VR and exploit dev. Last spring, he set the world ablaze with his Linux SMB 0-day found by o3 and last week he returned to his blog to discuss how...exploit dev is dead...again. No no, not because mitigations are killing it this time. Rather, some recent experiments with LLMs left him shocked at just how good they were at writing PoCs for bugs. The post follows his letting Claude and ChatGPT frontier models PoC out bugs he (or rather...they) found in QuickJS and let's just say the results were...concerning. He then goes on to abstract what this might mean for the security industry, exploit devs, and threat actors in the coming years.
- General Graboids: Worms and Remote Code Execution in Command & Conquer - One of the best additions to the annual hacker calendar in recent memory has got to be Junkyard at DistrictCon. This year Atredis Partners came with an absolute banger, dropping a wormable RCE on EA's 1990s RTS game, "Command & Conquer". In their subsequent blog post, they walk through the network architecture of the peer-to-peer based multiplayer system, discussing how clients connect and what packets look like. From there they go over the three bugs they found: a stack overflow, an arb file write, and an OOB write. Using the arb file write, they dropped a .dll, which they loaded with their overflow and from there it was off to the races building out a worm from player to player. Pretty sweet.
- Carbonara: The MediaTek exploit nobody served - Bootloader bugs are always a good time. In her recent post, Shomy talks about how she and a band of other Motorola enthusiasts ended up REing a known bootloader unlocking tool to extract the exploit it used for the G24. What they found was that it targeted the DA pathway, using `boot_to` commands to patch the hash DA1 expects of DA2. That way, when DA1 loaded DA2, the hash matched and it continued on its merry way. They then ported this closed-source unlocking mechanism to their open-source tool, making it more accessible to other enthusiasts.
- On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025 - Synacktiv was back up to their usual antics of dropping 0-days in hard targets last week. Specifically, their newest post discusses their VMWare p2o bug from earlier this year. The post starts by walking through the subsystem (PVSCSI), and explains the main vulnerability the team identified: a heap overflow in the subsystem's controller emulation code. After this, the post moves to exploitation, discussing the difficulties of pulling this off in the Windows 11 Low Fragmentation Heap. Next, it discusses heap shaping objects and a target object for corruption, and then walks through a pretty novel "ping-pong" technique to circumvent the allocator's security mitigation. The heap magic continues, discussing how to get control of a URB, how to get a leak, and finally how to turn those into arb read / write.
- A 0-click exploit chain for the Pixel 9 - Your favorite researcher's favorite researcher is back with more Android 0 click fun. After multiple 0 click audio decoder bug reports, @natashenka decided it was time to show everyone who was saying "these aren't really exploitable 0-click" that they were wrong. In the first entry of the blog series, she goes over her PoC for CVE-2025-54957, gaining arbitrary code execution as mediacodec on a Pixel 9. THEN, part two goes over LPE from mediacodec to kernel. And finally, there is a 3rd entry that goes over lessons learned.
- CVE-2025-38352 (Part 1) - In-the-wild Android Kernel Vulnerability Analysis + PoC - The Android antics and 3-part blog series don't end there. A few months ago, we covered a post from @streypaws on CVE-2025-38352, an ITW TOCTOU in the Android kernel's Timer Subsystem. Over the last month, @farazsth98 decided that it would be a good exercise to PoC this out...and so that is exactly what they did. The first post in the series reviews the vuln, sets up an env, and gets all the way to a KASAN splat. Part 2 works on extending the race window to make the trigger more reliable. Part 3 is where things get really spicy, walking through the full exploitation process of the bug. Pretty much a must read for anyone interested in Android VR and exploit dev.
Interesting Job Postings:
- Vulnerability Researcher @ Magnet Forensics (Remote)
- Offensive Security Researcher @ Apple (On-Site: 10 Locations)
- Senior Attack Engineer - Vulnerability Research (Remote: US)
- Reverse Engineer @ Google (On-Site: Austin, TX)
- Offensive Security Engineer, Agent Security @ OpenAI
A Brief Author's Note:
Sorry for the brief hiatus. We should be mostly back to regularly scheduled programming with one potential caveat:
As many of you know, this is a one man show. I (@_stigward) found short summaries were a good way to 1. build out a personal wiki and 2. more quickly synthesize information I read. Putting myself on a weekly deadline and having to make them somewhat entertaining helped me to stay accountable.
That said, now that this newsletter has been going on for multiple years, I find I often miss papers that I want to read, and never get around to them cause I'm focused on getting the next newsletter ready.
So, while we will be back to our weekly cadence, it might not always be breaking research. There are still some OffensiveCon talks from last year I want to watch. There are papers from NDSS Symposium 2025 that I never got to. But now, it seems like a "waste of time" to read them, cause they can't go in the newsletter because they are "old."
I don't have a perfect answer for this, but my initial idea is:
1. A "summaries" section for things read / watched that week (some new, some old).
2. A "new" section for links and brief one-line blurbs on weekly research releases.
Still experimenting and open to feedback.
Wrapping Up:
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee ☕️
Don't forget to check out https://bug.directory!

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
