Lately I've mostly been focusing on iOS kernel exploitation, with Luca Todesco.
just got reliable kernel pc control from this new iOS 10 jailbreak chain I’ve been working on with @CTurtE :)— qwertyoruiop (@qwertyoruiopz) October 25, 2016
Details of the bugs I've found will probably be disclosed at some point in the future.
I've spent a lot of time auditing the FreeBSD kernel for vulnerabilities, (previously as a member of the HardenedBSD team), and have proved successful in finding and patching several.
Below is a list of the critical bugs I have reported and analysed.
A full list of bug reports, including the non-critical bugs, as well as the link to the accepted patch in FreeBSD, where applicable, can be found here.
I decided to research the Sony PlayStation 4 console, using a publicly available WebKit exploit to run my own ROP chains. I used this exploit to dump the available userland modules, and after some reverse engineering of how the JIT system calls were used, I was able to gain unsigned code execution under the WebKit process. Several months later, I developed a kernel exploit for the system using the BadIRET vulnerability. I used this exploit to dump the kernel, before analysing it to help exploit a vulnerability in the kernel's dynamic linker, which I had previously found by fuzzing. I've documented my experiences in the following articles:
sys_dynlib_prepare_dlclosePS4 kernel heap overflow
The Nintendo DS was my first experience of programming; I've used the platform for many different projects!
Buffer overflow exploits in DS games are ridiculously common. Did you know that every single FIFA game on the DS can be used to run unsigned code?
While checking the FIFA games for buffer overflows, I also came across numerous other bugs, including format string vulnerabilities (however they are not exploitable since the official Nitro SDK doesn't appear to support the "%n" format).
Just a funny vulnerability I found in the game EA Sports Football Academy DS.
I've also tried programming for the 3DS. It would be much easier to program for (more RAM, faster processors, less limited video modes), but since it is much newer than the DS, there is not nearly as much documentation or examples available yet.
Most articles written with RMD.