This repository is a list of some of the public projects I've worked on.
Bugs / Exploits
- Post-auth Netgear RCE in UPnP Daemon
- Pre-auth Netgear RCE in UPnP Daemon
- Netgear MITM RCE Exploit
- Denial of Service in macOS's necp_client_action syscall (again)
- RHEL Kernel Exploit (Nominated for a Pwnie Award)
- RCE and DoS in the NITRO NITF parsing library
- Information Leak in FreeBSD and OpenBSD kernels
- Unauthenticated RCE Exploit for 79 Netgear Devices (Nominated for a Pwnie Award)
- Denial of Service in iOS Safari
- LPE Exploit for VMware Fusion and Bypass for the Fix
- Denial of Service in Excel
- NULL Pointer and Infinite Recursion bugs in pdftk
- Denial of Service in macOS's necp_client_action syscall
- Heap Corruption and Integer Overflow bugs in ccd2cue
- Heap overflow in macOS's necp_client_action syscall
- Two Denial of Service Bugs in macOS's workq_kernreturn syscall
Blogs / Writeups
- No Hardware, No Problem: Emulation and Exploitation
- Seamlessly Discovering Netgear Universal Plug-and-Pwn (UPnP) 0-days
- Mama Always Told Me Not to Trust Strangers without Certificates
- New Old Bugs in the Linux Kernel
- DJI Privacy Analysis Validation (code)
- SOHO Device Exploitation - Netgear Case Study
- Analyzing SUID Binaries - VMware Fusion Case Study
- Analyzing the Linux Kernel in Userland with AFL and KLEE
- Crash Triage Process
- Delta Debugging
- Heap overflow in the necp_client_action syscall
- DEF CON 2017 Quals CTF - Reeses Revenge Writeup
- Boston Key Party 2017 - barewithme Writeup
- PETS 2016 - SoK: Privacy on Mobile Devices – It’s Complicated
- POC||GTFO 0x8 - On Error Resume Next
- Contributing Author to Google Hacking for Penetration Testers, Volume 2
Talks
- GRIMMCon0x2 - Embedded Device ROP Tips and Tricks - Netgear (presentation materials)
- GRIMMCon - Analyzing SUID Binaries - VMware Fusion
- BSidesCHS - An Introduction to macOS Kernel Exploitation (presentation materials)
- MTEM: Pyrop: An Open-Source, Multi-Architecture ROP Compiler
- DEF CON Skytalks - Stiltwalker Round 2 - Breaking reCAPTCHA (again)
- BSidesLV - Stiltwalker Round 2 - Breaking reCAPTCHA (again)
- LayerOne - Stiltwalker - Breaking reCAPTCHA
- Outerzone - Stiltwalker Preview
- BSidesCHS - Practical Issues in Virtual Machine Covert Channels
- DEF CON: oCTF: 5 years in 50 minutes