Numb3rs

47 posts

@numbrs

doing cool things such as opening files with nano

Joined April 2021

523 Following, 275 Followers
Numb3rs retweeted
def1ant @0xdef1ant
"we had a good thing, you stupid son of a bitch! we had Lows. we had Mediums. we had renderer RCE bonuses, and it all ran like clockwork! you could have shut your mouth, let your fuzzers run, and made as much money as you ever needed! it was perfect! but no, you just HAD to go and flood the team with your AI-hallucinated slop reports"
Quoted tweet: Google VRP (Google Bug Hunters) @GoogleVRP

📣📢 Calling all Android and Chrome bug hunters 🧑‍💻🔎! We're updating our Android & Chrome VRP programs to ensure we can continue to reward the most challenging and impactful vulnerabilities researchers find in our products. For details, 👇 bughunters.google.com/blog/evolving-…

vx-underground @vxunderground
If you're curious what a basic position independent polymorphic mutation engine looks like in C (compiled as C++), this is what it looks like. I'll do a write up later. gist.github.com/vxunderground/…
Numb3rs @numbrs
@vmfunc isn’t it pretty low impact since you need control over indent?
celeste @vmfunc
i am extremely infuriated. heap overflow in ultrajson sitting public with a full PoC + ASAN stacktrace for a MONTH ultrajson has a heap overflow. PoC's been public for a month. i filed the GHSA (correctly), got it closed, got redirected to the public issue, then got lectured about responsible disclosure *on the public bug with the working exploit attached* i wrote the fix out of spite. that's it. that's the whole story. open source security is a fucking joke
vx-underground @vxunderground
Chat, all hell has broken loose in the Linux community. Linux nerds are discussing how they'd implement age verification at the OS level (if need be to comply with laws). Linux nerds are having a psychiatric meltdown. The nerds are revolting.
Numb3rs @numbrs
@cr4zyengineer @m1thr1da @realpastaya i might have been angry for nothing and I am sorry but my point stands: why would you lie about it being a bof? it doesn’t make sense. Sorry again for the previous tweet 😛
Numb3rs @numbrs
@cr4zyengineer @m1thr1da @realpastaya why would you lie about such a thing? Buffer overflow in a discord bot? Cmon man wtf… + saying “my kernel research paid off” when you’re just reusing a token - what is wrong with you?
Numb3rs @numbrs
@guime_guimeLove @5mukx From what I read from the writeup it appears that the sRIP offset is <1000 so the buffer’s size isn’t 1000 bytes (which doesn’t make sense regarding the check i agree)
Gimme-gimme Love @guime_guimeLove
@5mukx Why does the size check in the center block (cmp rbx, 1000h) fail to prevent a buffer overflow, even though it appears to be a correct security validation?
Smukx.E @5mukx
How to write Kernel exploit? medium.com/@zayy4699/how-to-write-kernel-exploit-c9c99157cb8c
mRr3b00t @UK_Daniel_Card
@numbrs I’m well chilled 🤣
mRr3b00t @UK_Daniel_Card
when people talk about Public WIFI and MITM etc. they talk like it's the year 2000 still...... It's very odd....
Numb3rs @numbrs
@UK_Daniel_Card “Chap” you should take a chill pill, no need to be vindictive. The CVE here isn’t important, my point is that there are some applications who don’t use TLS and use proprietary protocols that are sometimes/usually not the best. I know because that’s what i focus my work on.
mRr3b00t @UK_Daniel_Card
I'm not sure I would be surprised that sometimes there are vulnerabilities chap... that assumes some kind of view that I am blind to vulnerabilities, which I'm not. it's 2026.... not 2019 (re CVE date) what is the majority device used out and about? (a smart phone) I know because I go outside. I also tap networks and watch traffic..... I also setup FREE WIFI access points and watch.
Numb3rs @numbrs
@UK_Daniel_Card You’d be surprised ^^ take a look at CVE-2019-18800 for example. Not sure if I understand your message entirely but those applications are also on desktop.
mRr3b00t @UK_Daniel_Card
@numbrs so the premise here is: on an iPhone you install an app (please show me which apps do this) and walk around with a cell connection and use apps (where you sign in e.g. Facebook) and the concern is .....
ONE Jailbreak @onejailbreak_
🧪iOS 26.3 RC→ 26.3 Final shows only CallHistory framework and SpringBoard recompiled. Removed unused Swift deps, added property copy protection on call records, restructured icon logic. Classic late-stage polish. Zero kernel/security changes🩺
Numb3rs @numbrs
@T3chFalcon IMAGINE 😭😭 focusing on the delivery instead of the lesson 🧠✨ Like… argue with the MESSAGE, not the font, the tone, the vibes, the commas 😭💀 If it made you think, it already WON 🏆🔥
IT Guy @T3chFalcon
@numbrs Imagine focusing on how it was written instead of what it’s teaching you. 😭
IT Guy @T3chFalcon
Renaming a file is not OPSEC. Windows keeps a permanent diary called Amcache. It doesn't just trust the filename you typed. It extracts metadata from the binary's Version Resource (VS_VERSIONINFO). Rename payload.exe to homework.pdf.exe if you want. If the developer didn't strip the metadata, Windows logs the Original Filename anyway.

But it gets worse. Amcache is the ultimate backup:

Ghost Execution: You deleted the file? We still have the SHA1 Hash. We know exactly what malware ran even if the disk is clean.

Anti-Forensics Trap: Cleared your Prefetch? Almost nobody wipes the Amcache hive. An empty Prefetch + full Amcache = Proof of Intent.

The Time Machine: It logs the exact second of First Execution and the Compile Date.

Location: C:\Windows\AppCompat\Programs\Amcache.hve

You changed the name. Windows kept the identity. 💀
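Added here as an example (not code from the original post): a PowerShell check that surfaces the same mismatch Amcache records, comparing each file's on-disk name with the OriginalFilename in its VS_VERSIONINFO resource and noting the SHA1 that would be retained. $ScanPath is an assumed input folder.

```powershell
# Added example (not from the original post): flag executables whose on-disk name
# differs from the OriginalFilename stored in their VS_VERSIONINFO resource,
# and record the SHA1 that Amcache would retain. $ScanPath is an assumed input.
param(
    [string]$ScanPath = "$env:USERPROFILE\Downloads"   # assumption: folder to inspect
)

function Get-RenamedBinaries {
    param([string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Read the version resource the same way Windows does; a non-PE file
            # or stripped metadata yields an empty OriginalFilename and is skipped.
            $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName)
            $orig = $vi.OriginalFilename
            if ([string]::IsNullOrWhiteSpace($orig)) { return }

            # A renamed binary keeps its original name in the resource
            # (e.g. payload.exe renamed to homework.pdf.exe), so compare names.
            if ($file.Name -ine $orig) {
                [pscustomobject]@{
                    Path             = $file.FullName
                    OnDiskName       = $file.Name
                    OriginalFilename = $orig
                    # Same hash Amcache keeps even after the file is deleted.
                    SHA1             = (Get-FileHash -Path $file.FullName -Algorithm SHA1).Hash
                    CompanyName      = $vi.CompanyName
                }
            }
        }
}

Get-RenamedBinaries -Path $ScanPath | Format-Table -AutoSize
```

Legitimate installers and MUI files can also report a different OriginalFilename, so treat a hit as a lead to correlate with the Amcache entry rather than proof on its own.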
Numb3rs retweeted
Root-Me @rootme_org
🎄 New Root-Xmas Challenge 🎄 ✨Today, heap your skills and parse your way through Santa’s picture-perfect surprises! 📌Submitted by: Numb3rs 🔗Details & participation here: ctf.xmas.root-me.org Good luck to you all!🎅
Numb3rs @numbrs
@lukOlejnik Doing god’s work by putting the flippers out the street 🙏
Lukasz Olejnik @lukOlejnik
Polish police detained three Ukrainians with professional hacking equipment: FLIPPER, spy detector, antennas, laptops, SIM cards. Charges include attempted damage to IT data critical for national security. Suspects couldn't explain the equipment's purpose (when asked, they suddenly "forgot" how to communicate in the English language). The likely goal was close-access cyber operations.
Numb3rs @numbrs
Dug into a custom router protocol for fun. Turned out to be: type confusion + command injection = RCE 🎉 Full write-up here: 📎numb3rs.re/posts/abusing_…
Numb3rs @numbrs
@NaMi____NaMi @popovicu94 This is how SROP works. We make a segfault so that we can control the state in which the kernel is gonna put the process after the signal.
Uros Popovic @popovicu94
Ever wondered how a Linux program can catch a signal, run custom code, and then resume *exactly* where it left off, as if nothing happened? It's not magic. It's a carefully choreographed dance between your process and the Linux kernel, starring a syscall that never actually returns: rt_sigreturn (#15 on x86_64). Here's how it works. 🧵👇
ChadSigmaRizzlord @ChadSigmaRizz
@osec_io Isn't this an operating system issue? How does it get past ASLR??
OtterSec @osec_io
Our research team achieved client RCE on Minecraft Bedrock Edition via a heap overflow to bypass ASLR and sidestep CFG. Writeup to come.
Numb3rs @numbrs
@JDG_1980 @robertgraham this could be a never ending debate and i don’t care that much but those mitigations can be bypassed + i don’t see how the end-user would accept using a software that is vulnerable to such a strong primitive (for this specific vuln)
Josh @JDG_1980
@numbrs @robertgraham Regarding this particular codec crash (use-after-free), standard OS or compiler-level mitigation measures like ASLR make it considerably less likely that it could actually be used as a vehicle for ACE or other serious exploits.
Robert Graham @robertgraham
This is the core tweet of the Google-vs-FFmpeg debate. FFmpeg is justifiably upset, Google is swamping it with vulns that the FFmpeg project doesn't have the resources to fix. This is especially a big deal since such projects struggle to attract the necessary talent for writing codecs, and this sort of thing demotivates their volunteers. It can kill the project simply by driving their most talented people away. On the other hand, the existence of vulns is not Google's fault. They are just finding them shortly before hackers do, being only 6 months to a year ahead of hackers figuring out the same AI tricks. It's a reality everybody has to deal with.