cbayet

406 posts

cbayet

@OnlyTheDuck

Security expert and CTO @Reverse_Tactics

Katılım Nisan 2017

395 Takip Edilen1.7K Takipçiler

cbayet retweetledi

TheZDIBugs@TheZDIBugs·3d

[ZDI-26-188|CVE-2025-41237] (Pwn2Own) VMware ESXi VMCI Integer Underflow Local Privilege Escalation Vulnerability (CVSS 8.2; Credit: Corentin "@OnlyTheDuck" BAYET from REverse Tactics) zerodayinitiative.com/advisories/ZDI…

English

1.6K

cbayet@OnlyTheDuck·26 Oca

This bug is found and triggered by students of our training 😉 reversetactics.com/trainings/bugh…

English

511

cbayet@OnlyTheDuck·26 Oca

Awesome bp on a Workstation escape using a bug I also found in 2024, and never managed to exploit... Found the ESXi vuln I used at the same #Pwn2Own while looking for interesting objects to overwrite with the LFH OOB 😅 Those guys found the bug and exploited it in a few days !

Synacktiv@Synacktiv

At #Pwn2Own Berlin 2025, a full exploit chain against VMware Workstation was demonstrated via a heap overflow in the PVSCSI controller. Despite Windows 11 LFH mitigations, advanced heap shaping and side-channel techniques enabled a reliable exploit. 🔍 Full technical write-up 👇 synacktiv.com/en/publication…

English

1.7K

cbayet@OnlyTheDuck·16 Oca

Will be at @reconmtl again this year 🥰

REverse_Tactics@Reverse_Tactics

Our training "Bug Hunting in Hypervisors" returns at @reconmtl in 2026! Taught by researchers actively working on real-world hypervisor exploitation #Pwn2Own Designed for security researchers, we will dive into VM escapes, hypervisor attack surfaces, and real-world exploitation

English

2.8K

cbayet retweetledi

REcon@reconmtl·14 Oca

🚨 REcon 2026 is LIVE! 🚀 Call for papers and registration are now open! Join the world's top reverse engineers & exploit devs in Montreal: 🛠 Trainings: June 15-18 (19 hands-on classes – AI agents, kernel exploits, Rust/Go reversing, fault injection & more!) 📅 Conference: June 19-21 Tickets & early bird now open → recon.cx Shoutout to the legends teaching: @SinSinology @KyleMartin @MalachiJonesPhD @andreyknvl @mr_phrazer @yarden_shafir @DrCh40s @pulsoid + more elite instructors! See website for all trainers and session info. Limited spots – see you in MTL! #REcon2026 #ReverseEngineering

English

142

18.7K

cbayet@OnlyTheDuck·5 Kas

@carrot_c4k3 Legend 😂

English

465

emma@carrot_c4k3·4 Kas

FOR IMMEDIATE RELEASE: exploits.forsale's statement on the arrest of Peter Williams

English

213

30.5K

cbayet@OnlyTheDuck·24 Eki

@SinSinology @thezdi @TrendMicro GG !!

275

SinSinology@SinSinology·24 Eki

First and foremost, Thank you God for all of this. Second, our eternal respect to the amazing teams @thezdi and @TrendMicro for making this competition possible! Third, thank you to the film crew (blackrabbitint) working with zdi to make all of those great videos of us! Finally, we have prepared a message from all of us @SummoningTeam (@_mccaulay, @Yogehi, @Ch0pin, @hyprdude, and myself).

TrendAI Zero Day Initiative@thezdi

$1,024,750 - 73 unique bugs - a week of amazing research on display. #Pwn2Own Ireland had it all. Success. Failure. Intrigue. You name it. Congratulations to the Master of Pwn winners @SummoningTeam! Their outstanding work earned them $187,500 and 22 point. See you in Tokyo for Pwn2Own Automotive.

English

291

32.1K

cbayet@OnlyTheDuck·8 Ağu

@theflow0 Impressive exploit and the blog post is so easy to read ! Amazing work 👌

English

434

Andy Nguyen@theflow0·8 Ağu

Speculative rop chain execution in guest-to-host attack 👀

Google VRP (Google Bug Hunters)@GoogleVRP

Our latest post details how we exploited Retbleed (a CPU vulnerability) to compromise a machine from a sandboxed process and VM! Curious? 👇 bughunters.google.com/blog/624373010…

English

124

27.5K

cbayet retweetledi

Google VRP (Google Bug Hunters)@GoogleVRP·7 Ağu

Our latest post details how we exploited Retbleed (a CPU vulnerability) to compromise a machine from a sandboxed process and VM! Curious? 👇 bughunters.google.com/blog/624373010…

English

210

66.5K

cbayet@OnlyTheDuck·7 Tem

Love the top-bottom approach of this blogpost ! A great way to explain internals in my opinion, and the kind of reference you look when you're trying to exploit a heap bug. Also glad to see that our paper (with @paulfariello) of 2020 is still relevant !

ö@r0keb

Good morning! Just published a blog post diving into Windows Kernel Pool internals: basics, memory allocation functions, internal structures, and how Segment Heap, LFH, and VS work. r0keb.github.io/posts/Windows-…

English

2.9K

cbayet@OnlyTheDuck·2 Tem

@roddux Haha forever basically meant as long as I can remember 😅 but yeah there is some commits at least 17 years old there 😉

English

142

roddux@roddux·2 Tem

@OnlyTheDuck I could also simply be misremembering lol-- it's public/release trunks that were different: forums.virtualbox.org/viewtopic.php?… Because, as you say, seems the SVN browser has been around since time immemorial (2007): web.archive.org/web/2007012903…

English

327

roddux@roddux·2 Tem

oh wow, VirtualBox source is now on GitHub! Much better than before; they only had source tarballs-- with no commit history or anything else. Awful to work with, very happy to see this.

Anderson Nascimento@andersonc0d3

Source code for Oracle VirtualBox github.com/VirtualBox/vir…

English

cbayet@OnlyTheDuck·31 May

Jet lag hit hard but still really enjoyed @typhooncon, Seoul and meeting new friends 😁

REverse_Tactics@Reverse_Tactics

@typhooncon is already over, but we enjoyed every minute ! During our talk "Journey To Freedom", we disclosed for the first time the details on the Windows LPE we used at Pwn2Own Vancouver 2024 after escaping from VirtualBox. Slides are already available: reversetactics.com/publications/2…

English

1.1K

cbayet retweetledi

TyphoonCon🌪️@typhooncon·29 May

🌪️ Back from lunch just in time to escape VirtualBox and unchaining objects in the Windows Kernel with Corentin Bayet

English

3.2K

cbayet retweetledi

REverse_Tactics@Reverse_Tactics·22 May

Slides and video of our talk at @offensive_con are already online ! Thanks to @Binary_Gecko for the amazing event reversetactics.com/publications/2…

English

6.9K

cbayet@OnlyTheDuck·18 May

@offensive_con Let me know if you'll be at @typhooncon !

English

525

cbayet@OnlyTheDuck·18 May

Had a blast at @offensive_con and #Pwn2Own ! Going to sleep now, but not for long...

REverse_Tactics@Reverse_Tactics

And that's a wrap for @offensive_con and #Pwn2Own ! We had the best time there and were so glad to reunite with the finest researchers out there. See you next year !

English

1.2K

cbayet retweetledi

TrendAI Zero Day Initiative@thezdi·17 May

Sweet! Corentin BAYET (@OnlyTheDuck) from @Reverse_Tactics barely needed a second to demonstrate his exploit against VMware ESXi. He heads off to the disclosure room to provide the details of his work. #Pwn2Own #P2OBerlin

English

9.5K

cbayet retweetledi

REverse_Tactics@Reverse_Tactics·16 May

It's time for @offensive_con and #Pwn2Own ! Come meet us there and and attend our sessions: 📅 Fri, May 16 @ 18:45 — Our talk “Journey to Freedom” about escaping VirtualBox during Pwn2Own 2024 📅 Sat, May 17 @ 14:00 — Watch our live VMware ESXi escape attempt ar #Pwn2Own

English

2.2K

cbayet@OnlyTheDuck·28 Nis

So proud to speak for the first time @offensive_con ! Excited to be there and meet the finest researchers 🍻

REverse_Tactics@Reverse_Tactics

Our talk "Journey to Freedom" about our Pwn2Own 2024 VirtualBox escape is coming to @offensive_con ! We will dive deeper into the technical challenges and obstacles we faced. @OnlyTheDuck will break down the key research phases and the exploit's most critical components.

English

1.8K

Keşfet

@reconmtl @SinSinology @KyleMartin @MalachiJonesPhD @andreyknvl @mr_phrazer @yarden_shafir @DrCh40s