This repository is a list of some of the public projects I've worked on.

Bugs / Exploits

• Post-auth Netgear RCE in UPnP Daemon
• Pre-auth Netgear RCE in UPnP Daemon
• Netgear MITM RCE Exploit
• Denial of Service in macOS's necp_client_action syscall (again)
• RHEL Kernel Exploit (Nominated for a Pwnie Award)
• RCE and DoS in the NITRO NITF parsing library
• Information Leak in FreeBSD and OpenBSD kernels
• Unauthenticated RCE Exploit for 79 Netgear Devices (Nominated for a Pwnie Award)
• Denial of Service in iOS Safari
• LPE Exploit for VMware Fusion and Bypass for the Fix
• Denial of Service in Excel
• NULL Pointer and Infinite Recursion bugs in pdftk
• Denial of Service in macOS's necp_client_action syscall
• Heap Corruption and Integer Overflow bugs in ccd2cue
• Heap overflow in macOS's necp_client_action syscall
• Two Denial of Service Bugs in macOS's workq_kernreturn syscall

Blogs / Writeups

• No Hardware, No Problem: Emulation and Exploitation
• Seamlessly Discovering Netgear Universal Plug-and-Pwn (UPnP) 0-days
• Mama Always Told Me Not to Trust Strangers without Certificates
• New Old Bugs in the Linux Kernel
• DJI Privacy Analysis Validation (code)
• SOHO Device Exploitation - Netgear Case Study
• Analyzing SUID Binaries - VMware Fusion Case Study
• Analyzing the Linux Kernel in Userland with AFL and KLEE
• Crash Triage Process
• Delta Debugging
• Heap overflow in the necp_client_action syscall
• DEF CON 2017 Quals CTF - Reeses Revenge Writeup
• Boston Key Party 2017 - barewithme Writeup
• PETS 2016 - SoK: Privacy on Mobile Devices – It’s Complicated
• POC||GTFO 0x8 - On Error Resume Next
• Contributing Author to Google Hacking for Penetration Testers, Volume 2

Talks

• GRIMMCon0x2 - Embedded Device ROP Tips and Tricks - Netgear (presentation materials)
• GRIMMCon - Analyzing SUID Binaries - VMWare Fusion
• BSidesCHS - An Introduction to macOS Kernel Exploitation (presentation materials)
• MTEM: Pyrop: An Open-Source, Multi-Architecture ROP Compiler
• DEF CON Skytalks - Stiltwalker Round 2 - Breaking reCAPTCHA (again)
• BSidesLV - Stiltwalker Round 2 - Breaking reCAPTCHA (again)
• LayerOne - Stiltwalker - Breaking reCAPTCHA
• Outerzone - Stiltwalker Preview
• BSidesCHS - Practical Issues in Virtual Machine Covert Channels
• DEF CON: oCTF: 5 years in 50 minutes

Projects

• Pyrop ROP Compiler
• Binary Ninja Processor Plugin for cLEMENCy
• Stiltwalker
• Linux Kernel ASN.1 Parser and inet_diag Bytecode Interpreter Fuzzers
• SetRegTime - Registry Timestamp Modifier
• String Converter for Bad Byte Avoidance
• Overwrite MBR tools for PCDC Red Teaming
• libnvram-faker