Zero Day Engineering
Hypervisor Exploitation One:
System Internals & Vulnerabilities
Learn to discover, analyze, and prototype security vulnerabilities in arbitrary virtualization software from a generalized and systematic perspective, based on effective abstractions, concrete implementation details, inspection of known bugs, and the instructor's cross-domain insights. More details
- 20 May, 6 June, 13 June 2020: ONLINE (3 days, 09-17 UTC)
- 27-29 August 2020: ONLINE (3 days, 09-17 UTC)
iBootcamp is an experimental, online-only, multi-stage training course on iOS internals, vulnerability discovery and exploit development, created for beginners. More details
Stage 0: Reconnaissance
- 12-21 December 2019: ONLINE (10 days)
Stage 3: iOS Kernel
- 25-29 May 2020: ONLINE (5 days, 2 hours per day)
Stage 4: iOS Bootchain
- TBA, 2020
Hyper-V Internals and LIS
Microsoft Hyper-V relies on two core mechanisms for inter-partition and hypervisor communication: the hypercall interface and the VMBus. This note gives a fairly complete and technically concise overview of how both are implemented at the core level.
iBoot Heap Internals
This research note provides a basic technical outline of the Apple bootchain's heap internals, key algorithms, and security mitigations.
iBoot Address Space
This research note documents a generalized perspective on the bootchain memory layout of Apple devices across all stages of the boot process, with specific attention to SecureROM and iBoot. As a case study, a detailed memory map of the iPhone 5 during boot is presented.
* links to Alisa's Research Notes
Proof of Concepts
CVE-2018-6981: VMware Workstation and ESXi vmxnet3 Uninitialized Variable Vulnerability
Proof-of-concept test case for one of the bugs leveraged at GeekPwn2018 to achieve a full VM escape from VMware ESXi, recreated from the respective binary security patch. Technically, the PoC is implemented as a patch to the Linux vmxnet3 kernel-mode (guest) driver.
CVE-2019-0717: Hyper-V Virtual Network Switch (vmswitch.sys) VmsMpCommonPvtSetRequestCommon Out of Bounds Read DoS Vulnerability
Proof-of-concept test case for a Tier 1 (host partition kernel) vulnerability in Microsoft Hyper-V. The PoC is implemented as a patch to rndis_filter.c, one of the Hyper-V paravirtualization drivers built into the Linux kernel.
CVE-2018-XXXX: VirtualBox 3D Virtualization Memory Corruption Elevation of Privilege Vulnerability (multiple)
In 2018 I found a few dozen bugs in the (old) Oracle VirtualBox 3D acceleration implementation, which is based on Chromium. This repo contains a subset of the analysis reports sent to the Zero Day Initiative.
* selected links to my github
0days.engineer is an educational project focused on advanced vulnerability discovery and exploit development for modern and popular software systems.
We maintain a continuous internal research process aimed at strategic zero-day vulnerability discovery in many modern software systems; participate in the official security bounty programs of major software vendors; share selected research and analysis notes with the community; and develop commercial training classes based on privately and independently obtained deep technical knowledge.
Feel free to contact us if you want to book a public or private class, purchase e-learning materials based on our past trainings, propose a collaboration project, or host our training classes at your venue.
Warning: this email address is the only point of contact with us, other than in person with Alisa Esage, creator of the project.