Stephen Sims

4.3K posts


@Steph3nSims

Perpetual Student | SANS Fellow | Musician | Braggart Hater | Gray Hat Hacking | VR | 🏂 | deadcode | https://t.co/CadJehomsU

Berkeley, CA · Joined February 2014
858 Following · 25.8K Followers
Stephen Sims@Steph3nSims·
I’m almost done assembling the author team for the 7th edition of Gray Hat Hacking through McGraw-Hill. I can’t wait to share the amazing team of authors with you!
1
0
33
1.5K
Stephen Sims@Steph3nSims·
I've been regularly blocking anyone who posts a tweet starting with "Holy S#!t" (or similar) and it's done wonders for my mental health around getting worked up over AI FUD! I figured I'd share in case it helps.
3
0
25
1.7K
Stephen Sims@Steph3nSims·
The CFP opens on June 1st. The first year of the conference was last October and was a fantastic event. If you're working in the offensive or adversarial AI space I highly recommend submitting to the CFP and look forward to reviewing your submission along with the team.
Offensive AI Con@OffensiveAIcon

We’re proud to introduce the Offensive AI Con 2026 Review Board. This year, we’ve brought together 12 of the most respected minds across offensive security, AI research, and real-world adversarial operations to help shape the direction of OAIC. The CFP opens June 1st!

0
2
16
2.5K
Stephen Sims@Steph3nSims·
@thedawgyg I imagine that in the future the amount paid for high value bounties will go up due to the decrease in exploitable bugs available to find once AI is fully integrated into CI/CD pipelines. At least from exploit acquisition companies.
1
1
21
1.6K
dawgyg - WoH@thedawgyg·
Even Google is reducing bounty amounts.... "We will be reducing some of our reward amounts and bonuses across Android and Chrome. While these adjustments may reduce the payout for a single bug report, we continue to prioritize our VRPs and the total aggregate rewards paid out in 2026 is expected to increase." Yet when I was trying to tell people this would happen a few months ago, people said I was an idiot... lol... If even Google is reducing bounties do you really think these significantly smaller companies aren't going to do the same thing?
Google VRP (Google Bug Hunters)@GoogleVRP

📣📢 Calling all Android and Chrome bug hunters 🧑‍💻🔎! We're updating our Android & Chrome VRP programs to ensure we can continue to reward the most challenging and impactful vulnerabilities researchers find in our products. For details, 👇 bughunters.google.com/blog/evolving-…

17
6
206
20.9K
Stephen Sims@Steph3nSims·
We at @offby1security saw an interesting defense against AI-powered offensive agents recently. Fingerprinting of the agents performing the testing resulted in misleading, honeypot-like responses, attempting to distract or redirect them. It didn't work but worth noting.
3
2
21
1.8K
Stephen Sims reposted
Alexandre Borges@ale_sp_brazil·
Exploiting Reversing (ER) series: article 09 | Exploitation Techniques: CVE-2024-30085 (part 03)

Today I am releasing the ninth article in the Exploiting Reversing Series (ERS). In “Exploitation Techniques | CVE-2024-30085 (Part 09)” I provide a 106-page deep dive and a comprehensive roadmap for vulnerability exploitation: exploitreversing.com/2026/04/28/exp…

Key features of this edition:
[+] Dual Exploit Strategies: Two distinct exploit editions built on the cldflt.sys heap overflow.
[+] PreviousMode Edition: Exploit cldflt.sys via WNF OOB + Pipe Attributes + ALPC + _KTHREAD.PreviousMode flip: elevation of privilege of a regular user to SYSTEM.
[+] PPL Bypass Edition: Exploit cldflt.sys via WNF OOB + PreviousMode flip + _EPROCESS.Protection strip + MiniDumpWriteDump: elevation of regular user to SYSTEM.
[+] Solid Reliability: Two complete, stable exploits, including a multi-step cleanup phase that restores the corrupted pipe attribute Flink and _KTHREAD.PreviousMode before process exit, preventing crash on cleanup.

This article guides you through two additional techniques for exploiting the CVE-2024-30085 Heap Buffer Overflow. While demonstrated here, these methods can be adapted as exploitation techniques for many other kernel targets. I hope this serves as a definitive resource for your research. If you find it helpful, please feel free to share it or reach out with your feedback!

I would like to thank Ilfak Guilfanov (@ilfak) and Hex-Rays SA (@HexRaysSA) for their constant and uninterrupted support, which has been vital in helping me produce this series. The following articles will continue the miniseries about iOS and Chrome, which are my areas of research. Enjoy the reading and have an excellent day.

#exploit #exploitdevelopment #windows #exploitation #vulnerability #minifilterdriver #kernel #heapoverflow
4
61
193
9.8K
Stephen Sims reposted
International Cyber Digest@IntCyberDigest·
‼️🚨 BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP.

The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years.

Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box.

The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root. Result: the next time anyone runs that program, it lets the attacker in as root.

What should worry most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk.

Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants.

The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today.

This vulnerability affects the following:
🔴 Shared servers (dev boxes, jump hosts, build servers): any user becomes root
🔴 Kubernetes and container clusters: one compromised pod escapes to the host
🔴 CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner
🔴 Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root

Timeline:
🔴 March 23, 2026: reported to the Linux kernel security team
🔴 April 1: patch committed to mainline (commit a664bf3d603d)
🔴 April 22: CVE assigned
🔴 April 29: public disclosure

Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module:

echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true

For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...
230
2.7K
11.7K
2.4M
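Added example, not part of the post above: a POSIX sh check for the module workaround the post quotes. It reports whether an "install algif_aead" override exists under a modprobe.d directory and whether the module still appears in a /proc/modules-format listing. The function names and status strings are assumptions of this example, and it does not check whether the running kernel is patched.

```shell
#!/bin/sh
# Audit the algif_aead modprobe workaround. Paths are parameters so the
# check can be pointed at a mounted image or at constructed fixtures.

# 0 if any *.conf in directory $1 overrides loading of algif_aead with
# /bin/false or /bin/true. modprobe treats '-' and '_' in names alike.
modprobe_blocked() {
    dir=$1
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Anchored at line start, so commented-out entries do not count.
        if grep -Eq '^[[:space:]]*install[[:space:]]+algif[_-]aead[[:space:]]+/bin/(false|true)([[:space:]]|$)' "$f"; then
            return 0
        fi
    done
    return 1
}

# 0 if the module is listed in a /proc/modules-format file ($1).
module_loaded() {
    [ -r "$1" ] && grep -q '^algif_aead ' "$1"
}

# Prints one status word:
#   blocked            override present, module not loaded
#   blocked-but-loaded override present, but an already-loaded module
#                      stays active until rmmod or reboot
#   not-blocked        no override found
# Caveat: an install override only affects loadable modules; it has no
# effect if the code is built into the kernel image.
algif_aead_status() {
    if modprobe_blocked "$1"; then
        if module_loaded "$2"; then
            echo blocked-but-loaded
        else
            echo blocked
        fi
    else
        echo not-blocked
    fi
}

# Stand-alone run: audit the live system unless other paths are given.
algif_aead_status "${1:-/etc/modprobe.d}" "${2:-/proc/modules}"
```

A "blocked-but-loaded" result means the config line was written but the rmmod step did not succeed, for example because the module was in use.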
Stephen Sims reposted
Halvar Flake@halvarflake·
After burning $2.5k on tokens and LLM findings, I have a question about the 270 Firefox bugs: were they all attacker-reachable? The findings I got were often "legitimate bad code" but also "not reachable in any sane scenario".
31
19
293
30.3K
☁️@OneCloudEmoji·
@Steph3nSims it continues to amaze me how you are better than me in every aspect of life
1
0
1
52
Stephen Sims@Steph3nSims·
Would you be interested in a stream on the @offby1security channel covering the costs between using different Frontier models to discover the same vulnerabilities and the changes to the prompts and testing methodologies to find them?
7
4
56
2.9K
Stephen Sims reposted
Alexandre Borges@ale_sp_brazil·
The Exploiting Reversing Series (ERS) currently features 945 pages of exploit development based on real-world targets:
[+] ERS 08: exploitreversing.com/2026/03/31/exp…
[+] ERS 07: exploitreversing.com/2026/03/04/exp…
[+] ERS 06: exploitreversing.com/2026/02/11/exp…
[+] ERS 05: exploitreversing.com/2025/03/12/exp…
[+] ERS 04: exploitreversing.com/2025/02/04/exp…
[+] ERS 03: exploitreversing.com/2025/01/22/exp…
[+] ERS 02: exploitreversing.com/2024/01/03/exp…
[+] ERS 01: exploitreversing.com/2023/04/11/exp…

In the coming weeks, I will publish new articles covering exploration in areas such as Windows, Chrome, iOS/macOS, and hypervisors. Have a great day and enjoy reading.

#exploit #exploitation #windows #chrome #macOS #iOS #hypervisors #vulnerabilityresearch
2
107
447
20.2K