jeff

I have completed the FORCED ENTRY RCE + SBX chain with a PAC bypass. The calculator payload can be found here: github.com/jeffssh/CVE-20…. I learned a lot about iOS exploitation and can't wait to share that in a blog post, which I'll release along with the code to generate this PDF.

With the help of Claude Mythos Preview, the Firefox team fixed more security bugs in April than in the past 15 months combined.

sorry babe, not tonight 2x claude usage during off-hours

Let's put together the best articles on v8 vr/xd for 2025-2026. Write the most interesting blog posts, issues/reports, exploitation techniques, and so on in replies. I'll start with: Seunghyun Lee(@0x10n) and 303f06e3 issues.chromium.org/issues?q=Seung… issues.chromium.org/issues?q=303f0…

shaking my head while excitedly reading a citizen lab / project zero post so everyone in my work-from-home office knows i disagree with human rights violations

speedrunners reinvented Use After Free and called it "stale reference manipulation" one day theyre gonna invent type confusion and call it item abuse

We really should be talking about this more....KASLR is just not working properly on Android right now, and it hasn't for a long time. googleprojectzero.blogspot.com/2025/11/defeat…

As the operator of a soup kitchen, I don’t see why I should be expected to fix health code violations people report. After all, we are run almost entirely by volunteers

@francisco_oca Amazing!

Take a look at the new BoxPwnr WebUI, you can quickly replay a trace/trajectory, jump around, speed it up, and navigate it through a cool LLM generated attack path. Try it yourself! 0ca.github.io/BoxPwnr-Attemp… Sound: On🎵

@thezdi Who could have seen this coming…

OMG.. whatsapp 0c in pwn2own

Pointer leaks through pointer-keyed data structures googleprojectzero.blogspot.com/2025/09/pointe…

@Fox0x01 They took my FORCEDENTRY PoC too 😕

Oh no, but how will I learn about iOS now? @minacrissDev_, only because the post is a few years old doesn’t meant people won’t remember who wrote it. ;)

googleprojectzero.blogspot.com/2024/10/from-n… issuetracker.google.com/issues?q=compo…

@xvonfers @mistymntncop You beat me 😅

@mistymntncop 😅 x.com/xvonfers/statu…

Over 6 months and no ITW V8 exploits? Have I spoken too soon?..

@boredpentester @rdjgr Lots of jbig2 related code in my forced entry repo: github.com/jeffssh/CVE-20… Adder, comparator, segments for bit reads/writes and a strategy for byte reads/writes. Good luck!

Thought I'd try to write an exploit for @rdjgr's ZDI-CAN-25676 (JBIG2 integer overflow) to finally get a shell on my fairly up-to-date Lexmark. It's going well so far! Big thanks to Rick for the tips along the way!

@dillon_franke From the rop chain it looks like the exploit was done on an intel machine. Did you ever look at arm? Was PAC an issue?

Slides from my talk are here: dillonfrankesecurity.com/OffensiveCon-2… And the recording is here! youtu.be/USQtPedx9Xg?fe…

Me and the homies are dropping browser exploits on the red team engagement 😎. Find out how to bypass WDAC + execute native shellcode using this one weird trick -- exploiting the V8 engine of a vulnerable trusted application. ibm.com/think/x-force/…

I'm thrilled to announce that my talk Ghost Calls: Abusing Web Conferencing for Covert Command & Control was accepted to #BHUSA 2025 (CC: @BlackHatEvents) #ghost-calls-abusing-web-conferencing-for-covert-command--control-45491" target="_blank" rel="nofollow noopener">blackhat.com/us-25/briefing…

@mistymntncop @xvonfers 👀 you'll tweet if you find out right👀

@xvonfers If this vuln requires the --script-context-mutable-heap-int32 flag then how was it exploit in V8CTF i wonder 🧐

🔥🔥🔥 [$50000][386565144][maglev]Incorrect node replacement optimization during Maglev graph construction -> RCE issues.chromium.org/issues/3865651… "This vulnerability is very beautiful, the trigger method is concise, it can be exploited stably" Reported by 303f06e3