Part 2 of the Syzkaller writeup. Part 1 covered layout, install, and building a fuzzable 6.19 kernel for QEMU. Here I bolt on a deliberately broken driver, wire syzkaller to it with syzlang, run th...

What libFuzzer is libFuzzer is LLVM’s in-process, coverage-guided fuzzer. You compile your target with the fuzzer runtime (-fsanitize=fuzzer), implement a single callback LLVMFuzzerTestOneInput(co...

When you open an Android .so in a disassembler, JNI entry points show up as long, mangled symbols: Java_com_example_app_MainActivity_stringFromJNI. The real story lives in the DEX: class name, meth...

Hey everyone — apologies for the delayed post. I got caught up with a few things and couldn’t publish as planned. Thanks for your patience and continued support. Wishing you all a Happy New Year! ...

I’ve been away for a few weeks because I’ve been learning Windows Kernel Exploitation, and soon I’ll be posting my notes on it here. In this post, I’ll be sharing some tutorials on how to use the B...

In this chapter, we’ll create a reverse TCP shell - a shellcode that connects back to an attacker-controlled machine, providing remote access. This is often more effective than bind shells as it by...

In this chapter, we’ll create a bind TCP shell - a shellcode that opens a network port and binds a shell to it, allowing remote connections. This is extremely useful in penetration testing and netw...

Now in our journey of shellcoding we will try to eliminate bad chars which create nuisance and break our exploit. Common Bad Characters: 0x0A (newline) - breaks in input functions 0x0D (carr...

Now let’s explore how to create shellcode that spawns a shell. This you will mostly use in exploit development. 1. The execve System Call The most common way to spawn a shell in Linux is using th...

Now that we understand the theory, let’s create our first working shellcode! We’ll build a simple “Hello World” shellcode that writes directly to stdout using system calls. The Goal We want to cr...