CodeColorist
Abusing tclsh to Load (Remote) Shellcode on macOS

Yet another LOOBins

Mistuned Part 3: PAC Bypass

Bypass hardware assisted mitigation using Objective-C runtime.

Mistuned Part 2: Butterfly Effect

A simple access control issue makes a huge difference, leading to infoleak and use after free.

Mistuned Part 1: Client-side XSS to Calculator and More

Remotely pwn iOS and pop up arbitrary app with 0 memory corruption.

Quick Analysis for the SSID Format String Bug

A rogue Wi-Fi hotspot can crash your phone.

See No Eval: Runtime Dynamic Code Execution in Objective-C

There is a Turing-complete querying language embedded in Objective-C hidden in plain sight.

X Site eScape (Part II): Look Up a Shell in the Dictionary

A funny bug chain turning inter-process XSS to native code execution for sandbox escape.

X Site eScape (Part III): CVE-2020-9860, A Copycat

Copycat.

X Site eScape (Part I): Exploitation of An Old CoreFoundation Sandbox Bug

Triggering inter-process XSS for fun and profit.

Revisiting An Old MediaRemote Bug (CVE-2018-4340)

Useless bugs are just being given up too early.