What's going on ladies and gents - we hope everyone is having a wonderful week...unless you botted the Offensivecon website. Then we hope your week is just mediocre at best.
Interesting Resources From The Week:
- FuzzingLabs January Newsletter - FuzzingLabs put out their January '24 newsletter filled with lots of useful fuzzing videos, blog posts, and research papers. Certainly worth reading through.
- Start Your Engines: Capturing the First Flag in Google's New v8CTF -
- 30 Years of Decompilation and the Unsolved Structuring Problem: Part 2 - Following on from part 1 last week, this post serves
as a follow up to part one and focuses in on the more recent history of decompilation and the structuring problem. It highlights 4 recent approaches to the problem, highlighting their strengths and their inevitable compromises.
- Radek Domanski from FlashBack team on PWN2OWN - A few months ago, a YouTube channel called SysPWN started doing interviews with researchers, having them walk through their typical methodology. The most recent interview with the Radek Domanski just went live, and walks through his approach to Pwn2Own targets.
- Nov/Dec Linux Kernel Exploitation Repo Updates - The popular collection of Linux kernel exploitation resources got an update with the last 2 months of content.
A Few Synaktiv Blogs:
Synacktiv had an active week on their blog, throwing up two posts which gained a bit of traction on social media.
- LEVERAGING BINARY NINJA IL TO REVERSE A CUSTOM ISA: CRACKING THE “POT OF GOLD” 37C3 - A detailed write-up solving a custom architecture PWN challenge from the 37C3 CTF. This post does an excellent job highlighting the Binary Ninja Plugin API, and the solution ends up being relatively straight forward after just writing just a few 100 lines of Python.
- EXPLORING COUNTER-STRIKE: GLOBAL OFFENSIVE ATTACK SURFACE - This post walks through the attack surface of CS:GO, before diving into the team's bug hunting methodology, and ending with the exploitation of an out-of-bounds write. Overall, a fun post and CS:GO/Source Engine continues to yield interesting research.
Interesting Job Postings:
As Q1 hiring begins to pick up, here are a few job openings that stood out this week:
- Staff Security Engineer, Hardware Vulnerability Research @ Google
- Reverse Engineer - Android @ Source Technology
- Senior Security Engineer With MORSE @ Microsoft
- Malware Reverse Engineer @ Peraton
- Anti-cheat Engineer @ Ubisoft
- Security Researcher @ Chip Scan
- Senior Vulnerability Researcher @ Raytheon
As always, thanks for stopping by for this weeks Vulnerability Research Newsletter. If you have comments, questions, or suggestions on how we can improve, feel free to shoot us a DM on X (or just drop us a follow if you are feeling generous).
The exploits.club Discord is live! Feel free to show your interest in joining by filling out the form.
Until next week 🏴☠️