exploits.club Weekly Newsletter 74 - iOS 18 mitigations, CoreAudio RCAs, kCTF optimizations, and More

Happy Thursday - don't forget to go out and tell someone you love them. No, your debugger doesn't count. Annnnnnyways 👇
In Case You Missed It...
- Phrack Submissions - Get them in by June 15th
- PwnDbg Updates - Whether you are a PwnDbg enthusiast or you sit on the Gef side of the fence, you should check out some of the new features in this major update!
Resources And Write-Ups From This Week:
- Blasting Past iOS 18 - iOS fans rejoice. This week, @b1n4r1b01 from the dfsec iOS team took to the company blog to discuss new mitigations in iOS 17 and 18. The post explores these new mitigations through the lens of the infamous BLASTPASS exploit, diving into its primitives and determining if they would still be viable today. tl;dr - no. After a primer on the heap internals and the new XZone Allocator, the post points out that heap metadata is now out-of-line, meaning the corruption primitive would no longer work. Then, for the second primitive, the post looks at the ability to CFRelease a fake CFObject. Again, this also proves to be not possible because of a new ISA check, paired with a new 3-byte data PAC signature.
- CoreAudio: CVE-2025-31200 - You know that feeling when you start a little side project, and after the first hour you think it will wrap up pretty quickly...and then by day 5 you are wondering what the hell you are doing and all you have is more questions than answers. Yeah, no, us neither. But @noahhw4646 has managed to perfectly convert that exact feeling into a blog post. His new write-up details his adventures in triaging an ITW CoreAudio bug that he saw pop up on the P0 spreadsheet. He starts by doing all the stuff you would expect - a little bindiffing, keying on the likely culprit, reviewing the changes, etc. However, when the bug didn't immediately jump out at him, he had to start doing more reversing. You as the reader get to go on the journey with him, as he uncovers more of the functionality and in turn starts to draw a picture of the actual bug.
- Google Security Research: CVE-2025-21756 kCTF - A good ole kCTF write-up hit the Google Security Research GitHub repo this week. The crux of the bug is some improper reference count handling which leads to a UAF. The post first walks through the procedure to trigger this UAF, doing a deep dive on the call stack and explaining how the refcount gets all out of whack and leads to the UAF. Then it jumps over to exploitation, starting with the KASLR leak which was borrowed from Will's Root, and then discussing the exact sprays used for RIP control and landing a root shell.
- Achieving Persistent Client-Side Attacks with a Single WeChat Message - Who doesn't love a good IM bug? It's sleek, it's sexy, it's like something out of a movie. This week, DARKNAVY did a write-up discussing what the attack surface for these bugs actually looks like. It dives into things like deep linking, file processing, and built-in web browsers. The team then sets its sights on WeChat, taking these theoretical attack vectors and mapping them onto a real app. We learn that XWEB, WeChat's in-app browser, lags slightly behind Chromium releases. We also see some neat sandboxing for the third-party mini-apps that are built on top of WeChat, preventing XSS in those from being detrimental to the core application itself.
- Beating the kCTF PoW with AVX512IFMA for $51k - If you think writing a Linux exploit is the hardest part of kCTF these days, well, you're wrong. And this new write-up from Timothy Herchen only proves that point. You see, before you can actually run your exploit, you have to solve a Proof of Work. These typically take ~4 seconds, but the team noticed that a previous submission had done it faster...much faster. And so, Timothy was tasked with figuring out how to do the same to make sure their entry was first. What follows is a lot of math that frankly we don't really understand. But he was able to make progress on the initial solution by removing a modulus bottleneck and working on some compiler optimizations. From there though, he sets his sights on AVX512 and starts to write some inline assembly. Because of this effort, the team was able to submit their exploit in 3.6 seconds - the fastest ever in kCTF history. The Google team has now removed Proof-of-Work...they officially killed it.
- Hypervisors for Memory Introspection and Reverse Engineering - Babe, wake up, your other favorite club just posted. @memn0ps hopped on the secret.club blog to talk about Rust-based hypervisors for stealth kernel introspection and function hooking. Specifically, the post reviews two recent PoCs (illusion-rs and matrix-rs) which approach this challenge slightly differently, covering the pros and cons of each implementation. The first runs from UEFI and uses single-stepping to replay displaced instructions, while the second operates as a Windows driver with dual EPT contexts for breakpoint redirection. What follows is a lot of low-level EPT manipulation, VMCALL detours, and Monitor Trap Flag wizardry that makes traditional inline hooking look primitive.
Interesting Job Postings:
- Senior Firmware Reverse Engineer @ Legion X (Hybrid: Arlington, VA)
- Senior Reverse Engineer @ WhiteFox Defense (On-Site: San Luis Obispo, CA)
- Offensive AI Security Engineer @ Lucid Motors (On-Site: Newark, CA)
- Offensive Security Engineer @ Praetorian (Remote)
- Security Engineer, Red Team, Vehicle Software @ Tesla (On-Site: Palo Alto, CA)
Wrapping Up...
As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.
Follow us on X - we occasionally Tweet poor attempts at memes
Want to support us? Buy us a coffee ☕️
Don't forget to check out https://bug.directory!

We sell mugs, and personally we have seen a drastic uptick in bugs since using ours. Get yours at https://shop.exploits.club.
Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx
Same time next week? See you then 🏴☠️
