my exploitation for cve2023-1829 😅 github.com/lanleft/CVE202…

"Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability" is by our former intern, Lan Vu before she graduated from Uni. We would also like this opportunity to wish her all the best in her future endeavors. starlabs.sg/blog/2023/06-b…

PoC for CVE-2023-31248. This was used to exploit Ubuntu Desktop at Pwn2Own Vancouver 2023. github.com/kungfulon/nf-t…

True story 👇👩🏻‍💻☺️

In our latest blog post, we're proud of our intern, Kaligula Armblessed for delivering a quality post "prctl anon_vma_name: An Amusing Linux Kernel Heap Spray" starlabs.sg/blog/2023/07-p…

I wrote a new blogpost about adding ksmbd (SMB server in the Linux kernel) fuzzing functionality to Syzkaller. Feel free to send a DM if you have any questions :-) pwning.tech/ksmbd-syzkalle… #syzkaller #linux #ksmbd #vr #vulnres #fuzzing #zeroday #exploit

“Study the science of art and the art of science. Learn how to see. Realize that everything connects to everything else." - Leonardo da Vinci (1452 - 1519)

Some advice from physics laureate Frank Wilczek to kick off 2024.

Our teammate Toan Pham has just pwned V8 JavaScript engine on Google's V8CTF version M120 using a 0-day exploit.

Today, me, Lan Vu and Tri have submitted our latest report on Chromium detailed an information leak in ANGLE, which we discovered during our efforts to achieve a full-chain exploit. In total we reported 4 security issues for google and has been rewarded 56k usd.

Everytime working with opensource projects 🥲

Made a brief slide summarizing OTHERS ’ reports on V8 WebAssembly Engine. Hope you find it helpful! docs.google.com/presentation/d…

Santa gave us freshly new JSC 0day ✌️

A brief JavascriptCore RCE story by Lan Vu and An Nguyễn qriousec.github.io/post/jsc-unini…

Singapore - shout it out for Yuki Chen 🤩 !!! Bringing Day 1 of Off-By-One Conference 2025 to a explosive end with 𝐀 𝐉𝐨𝐮𝐫𝐧𝐞𝐲 𝐢𝐧𝐭𝐨 𝐖𝐢𝐧𝐝𝐨𝐰𝐬 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲 𝐒𝐮𝐩𝐩𝐨𝐫𝐭 𝐏𝐫𝐨𝐯𝐢𝐝𝐞𝐫 𝐈𝐧𝐭𝐞𝐫𝐟𝐚𝐜𝐞. 🙇🙇🙇

We released our Fuzzilli-based V8 Sandbox fuzzer: github.com/googleprojectz… It explores the heap to find interesting objects and corrupts them in a deterministic way using V8's memory corruption API. Happy fuzzing!

If you like Chrome IPC shenanigans like this, you might also enjoy my talk from black hat 25: youtu.be/qhhJCLy0YBA?si…

Can not get a cve from this vulnerability, it’s quite sad 😞 By the way, I’d like to give a huge thanks to my mentor Toan Pham 😊

I've built a tool to perform AI automation decompilation vmware workstation binary to see how good it perform on realworld task based on the vulnerable version Thach mentioned in his PoC slides 2024.