We are getting dangerously close to hacking fueled by PSLs. Get your cozy VS Code color schemes ready...Annnnnnyways 👇

In Case You Missed It...

• Phrack 4oth Anniversary Release - If you weren't lucky enough to get snag a physical copy from one of the recent cons, the digital zine is now available! Similarly...
• Phrack CTF - Put together by @chompie1337, the CTF is intended to be recreations of some of her favorite bugs. Be warned though, it is HARD.

Resources And Write-Ups From This Week:

• CVE-2024-30088 Pwning Windows Kernel @ Pwn2Own Vancouver 2024 (Plus Xbox): - Well, @carrot_c4k3 takes the..cake... for domains we wished we owned. In this new post, she walks us through the research and subsequent exploit that got her a Windows win at P20 2024. The post starts by explaining that, yes, much to the disbelief of all non-Windows VR researchers, Windows does not have an SMAP equivalent. That leads to a bug class where users can supply a kernel pointer and have reads/writes to that location. She discusses how Windows attempts to prevent this with probing, but it's a less than idea system. She initially finds a race condition as a result of this design decision, which allows her to write a string to an arbitrary kernel location. However, it turns out this was only on the canary version, and not shipped yet. Turning her attention on NT, she walks through a bit of variant hunting, eventually finding a very similar bug with the same primitive. From there, she is able to use Yarden's technique to corrupt IO Ring Object and get arb read write. The post shows how she was able to re-purpose the exploit to go after the Xbox One. With some adjustments based on the privilege constraints, the same bug was used to get code exec in the kernel of the SystemOS virtual machine on the Xbox.
• Slice: SAST + LLM Interprocedural Context Extractor - Earlier this year, the vuln research community was engaged in quite the discussion after Sean Heelan published a great blog post detailing his use of o3 to find a use-after-free vulnerability in the Linux kernel. While the tech was impressive, it may not have been overly practical for daily workflows. The high signal to noise ratio and the need to balance a realistic context window on something as complicated as the Linux kernel left for some open-ended questions. This week, @noperator took to his blog to announce a new tool he's been working on, inspired by that post 3 months ago. He mainly wanted to build a tool that had a consistent output across multiple runs on the same subsystem, required no builds, and did not require previous knowledge on the subsystem in review. The approach he used (and you can use now, with Slice) involved writing very broad CodeQL queries, narrowing down the initial results with inference from data flow, and then passing them to an LLM for a two-part analysis. When doing this with the same UAF bug from Heelan's post, he was able to identify the bug on 10 runs-out-of-10 with GPT5...a far better result than the 8/100 from the original research.
• How Buttercup Works - Continuing with the LLM theme, AIxCC 2nd place winner Trail Of Bits released some context for how their entry, Buttercup, actually works under the hood. Essentially, the system is built with 3 major parts: a vulnerability discovery agent, context analysis, and a patch generation agent. The vuln research agent uses a bit of static analysis and a lot of dynamic analysis to identify potential bugs, and passes that over to the context agent. The context system adds...well... context. This helps build out a prioritized list of findings by using static analysis (mainly tree-sitter and CodeQL) to model the program. The patch generation agent (which is actually 7 agents) then receives this information and attempts to generate a patch. The post also discusses whats next for the project, and how you can get involved...though they did not offer to cut open-source contributors in on the $3M.
• Should Security Solutions Be Secure? Maybe We're All Wrong: Fortinet FortiSIEM Pre-Auth Command Injection (CVE-2025-25256) - Hardly a week goes by at this point where we don't see an ITW Fortinet bug with a trivial exploit. Watchtowr assumed their regular role of providing all the juicy deats on this new command. Taking a look at the initial advisory, which mentioned that you should maybe just block off port 7900 for now, the team decided to...you guessed it...look at what was listening on port 7900. Starting with a patch diff, they found the buggy functionality pretty easily. Essentially we have a function that is supposed to sanitize attacker controlled input before it goes into system calls. But it just doesn't do that well at all. The post then walks you through the data flow, explaining how user input could actually hit this vulnerable system command. The team rounds out the research with a PoC and a recorded demo, per usual.
• A Fuzzy Escape - A tale of vulnerability research on hypervisors - Long time readers will know that we are sucker for a good methodology post. Bugs and exploits are cool, but how you GOT to those things tends to be just as interesting. Google pulled through this week, with a new post about hunting hypervisor bugs and different approaches that can be taken to do just that. The post starts with the initial research on QEMU's virtual device code, in which researcher Juan Jose Lopez Jaimez outlines how he used CodeQL to find a stack overflow. Because the bug could be triggered by writing to the USB device, it was relatively trivial to trigger. Moving on, he then looks at fuzzing VirtualBox. This part starts with everyone's favorite part of a good VR project....BUILD SYSTEMS. But after walking through the build and instrumentation, as well as his harness, he then triages the integer overflow that the fuzzer found.
• All You Need Is MCP - LLMs Solving A DEF CON CTF Finals Challenge - Well it looks like this is gonna be the LLM edition of Exploits Club. Sorry, we don't make the rules. In this fun "story time" @cl4sm walks through how he was able to solve a pwn challenge at DEF CON Finals this year using a Cursor + MCP + Ida set-up. The post starts with a brief overview of the challenge and how he initially prompted ChatGPT 5 to interact with the binary and the server, guiding it to craft it's initial, albeit wrong, script. However, he found that the more data he provided, the further the LLM was able to make it, eventually having a stroke of genius and finding the flag was stored as an MD5 hash. In fact, it was so surprising that "that literally every person in our suite did not believe me and thought the code was somehow misrepresentative of the output." He poses some meta reflections on the whole thing, noting that this approach did not work for any other challenges and discussing the dichotomy of being impressed with how far the tech has made it and how useful it can be, contrasted with the desire to not become an LLM prompt engineer.

Interesting Job Postings:

• Attack Engineer @ Horizon3.ai (Remote, US)
• Software Reverse Engineer/Vulnerability Researcher @ TwoSix Technologies (On-Site: Arlington, VA)
• Technology Evangelist @ Hex-Rays (Remote, EU)
• Offensive Security Engineer Red Team X @ Meta (On-Site: Washington, DC)
• Senior Product Security Engineer @ World (On-Site: San Francisco, CA)

Wrapping Up:

As always, thanks for stopping by. We here at the club are always trying to improve so if you have comments, questions, or suggestions, feel free to shoot us an email - info@exploits.club.

Follow us on X - we occasionally Tweet poor attempts at memes

Want to support us? Buy us a coffee ☕️

Don't forget to check out https://bug.directory!

Feel free to join the exploits.club Discord server here 👉 https://discord.gg/2dxN2Gtgpx

Same time next week? See you then 🏴‍☠️