Jenn

@zolutal.bsky.social

PhD Student at ASU | blog.zolutal.io Captain of Shellphish | shellphish.net she/her

31 Followers  |  48 Following  |  8 Posts  |  Joined: 07.12.2023

Latest posts by zolutal.bsky.social on Bluesky

Securinets Quals 2025: Sukunahikona (v8 Exploitation) I played Securinets Quals this weekend with Shellphish; we ended up placing 7th, qualifying us for finals! When I logged on to play, all of the released pwn was already solved or close to solved by @v...

I solved my first ever v8 exploitation challenge this past weekend and did a little writeup on it:
blog.zolutal.io/securinets-s...

08.10.2025 06:07 — 👍 1  🔁 0  💬 0  📌 0
a screenshot of debug output from doing a successful nested page walk

Success :3

03.10.2025 19:24 — 👍 1  🔁 1  💬 1  📌 0

that my normal guest page-walking code for converting an L1 virtual address to an L1 physical address was able to be entirely reused to do an L2 physical address to L1 physical address walk by just using the L1 EPTP in place of the L1 cr3 was pretty neat

03.10.2025 19:24 — 👍 0  🔁 0  💬 0  📌 0

it was actually surprisingly easy to implement, except that I for some reason was treating the result of the nested page walk as an L1 physical address instead of an L2 physical address, just needed one more page walk to finish it off

03.10.2025 19:24 — 👍 0  🔁 0  💬 1  📌 0

"Yes please walk the EPT in L1 for the L2 cr3 to get the L2 PML4 physical address in L1 so you can convert that to a virtual address in your VMM to read the L2 PML4E associated with an L2 virtual address" - Statements dreamed up by the utterly Deranged

03.10.2025 08:03 — 👍 2  🔁 1  💬 1  📌 0
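The reuse described in the thread above, as an added example in C (not code from the thread, from Jenn, or from her VMM): one 4-level walker that takes a physical-memory reader and a "present" predicate, used once with the L1 EPTP in place of an L1 CR3 to go from L2 physical to L1 physical, and once with the L2 CR3 over a reader that itself goes through the EPT for every L2 page-table page. The result of that second walk is an L2 physical address, so one more EPT walk finishes the translation, which is the step the thread says was easy to get wrong. Everything about the memory is constructed: host_mem stands in for the L1 guest-physical memory a VMM can read, the names L2_BASE, DEMO_VA and DEMO_DATA_GPA are hypothetical, the EPT maps the first 16 L2 pages at a fixed offset, and the fixture builds only 4 KiB leaves (the walker also handles 2 MiB and 1 GiB leaves through the PS bit, which the fixture does not exercise). Both x86 page tables and the EPT have 9-bit indices, 8-byte entries and the next-table address in bits 12..51; the predicates differ because EPT entries have no P bit and are usable when any of R/W/X is set.

```c
#include <stdint.h>
#include <string.h>
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define ADDR_MASK  0x000ffffffffff000ULL /* bits 12..51: next table / page frame, same in x86 PTEs and EPT entries */
#define PS_BIT     (1ULL << 7)           /* large-page leaf at PDPT (1 GiB) or PD (2 MiB), same in both formats */
/* Constructed stand-in for L1 guest-physical memory as the VMM sees it: 64 flat pages. */
static uint8_t host_mem[64 * PAGE_SIZE];
/* Constructed layout: the EPT maps L2 GPA g (first 16 pages) to L1 PA L2_BASE + g. */
#define L2_BASE       0x20000ULL
#define DEMO_VA       0x7f0000400000ULL /* hypothetical L2 virtual address to translate */
#define DEMO_DATA_GPA 0x1000ULL         /* L2 GPA backing DEMO_VA (first alloc_l2() call below) */
typedef int (*read8_fn)(void *ctx, uint64_t pa, uint64_t *out);
typedef int (*present_fn)(uint64_t entry);
/* x86 paging has a P bit (bit 0); EPT has none, an entry is usable when any of R/W/X (bits 0..2) is set. */
static int x86_present(uint64_t e) { return (e & 1) != 0; }
static int ept_present(uint64_t e) { return (e & 7) != 0; }

/* One generic 4-level walk (9-bit indices, 8-byte entries, frame in bits 12..51). The root is a CR3 or an
 * EPTP; its low control bits are masked off. Returns -1 on a non-present entry or a failed read. */
static int walk4(read8_fn read8, void *ctx, present_fn present, uint64_t root, uint64_t addr, uint64_t *out)
{
    uint64_t table = root & ADDR_MASK;
    for (int level = 3; level >= 0; level--) {
        uint64_t e, idx = (addr >> (PAGE_SHIFT + 9 * level)) & 0x1ff;
        if (read8(ctx, table + idx * 8, &e) != 0 || !present(e)) return -1;
        if ((level == 2 || level == 1) && (e & PS_BIT)) {        /* 1 GiB / 2 MiB leaf */
            uint64_t mask = (1ULL << (PAGE_SHIFT + 9 * level)) - 1;
            *out = (e & ADDR_MASK & ~mask) | (addr & mask);
            return 0;
        }
        table = e & ADDR_MASK;
    }
    *out = table | (addr & (PAGE_SIZE - 1));
    return 0;
}
/* Reader over L1 physical memory, the memory a VMM can access directly (bounds-checked). */
static int read_l1_phys(void *ctx, uint64_t pa, uint64_t *out)
{
    (void)ctx; if (pa + 8 > sizeof host_mem) return -1;
    memcpy(out, host_mem + pa, 8);
    return 0;
}
/* The guest walker reused with the L1 EPTP in place of the L1 CR3: L2 physical -> L1 physical. */
static int l2_phys_to_l1_phys(uint64_t eptp, uint64_t l2_pa, uint64_t *l1_pa)
{ return walk4(read_l1_phys, NULL, ept_present, eptp, l2_pa, l1_pa); }
/* Reader over L2 physical memory: each L2 page-table page is located through the EPT first. */
static int read_l2_phys(void *ctx, uint64_t l2_pa, uint64_t *out)
{
    uint64_t l1_pa;
    if (l2_phys_to_l1_phys(*(uint64_t *)ctx, l2_pa, &l1_pa) != 0) return -1;
    return read_l1_phys(NULL, l1_pa, out);
}
/* L2 virtual -> L2 physical via L2 CR3 (tables read through the EPT), then one more EPT walk to
 * L1 physical: the result of the nested walk is an L2 PA and still needs translating. */
static int l2_virt_to_l1_phys(uint64_t eptp, uint64_t l2_cr3, uint64_t l2_va, uint64_t *l1_pa)
{
    uint64_t l2_pa;
    if (walk4(read_l2_phys, &eptp, x86_present, l2_cr3, l2_va, &l2_pa) != 0) return -1;
    return l2_phys_to_l1_phys(eptp, l2_pa, l1_pa);
}

/* --- constructed fixture: build an EPT and a set of L2 page tables inside host_mem --- */
static uint64_t l1_next, l2_next;
static uint64_t alloc_l1(void) { return l1_next++ * PAGE_SIZE; } /* fresh L1 page */
static uint64_t alloc_l2(void) { return l2_next++ * PAGE_SIZE; } /* fresh L2 GPA page, backed at L2_BASE + gpa */
/* Install a 4 KiB mapping addr -> frame under root; host_off is where that address space's pages
 * sit in host_mem (0 for L1 PAs, L2_BASE for L2 GPAs). */
static void map4(uint64_t root, uint64_t addr, uint64_t frame, uint64_t flags,
                 uint64_t (*alloc)(void), uint64_t host_off)
{
    uint64_t table = root;
    for (int level = 3; level >= 0; level--) {
        uint64_t *e = (uint64_t *)(host_mem + host_off + table + ((addr >> (PAGE_SHIFT + 9 * level)) & 0x1ff) * 8);
        if (level == 0) { *e = frame | flags; return; }
        if (!(*e & 7)) *e = alloc() | flags;
        table = *e & ADDR_MASK;
    }
}
static void build_tables(uint64_t *eptp, uint64_t *l2_cr3)
{
    memset(host_mem, 0, sizeof host_mem);
    l1_next = l2_next = 1;
    *eptp = alloc_l1();
    for (uint64_t g = 0; g < 16 * PAGE_SIZE; g += PAGE_SIZE)   /* EPT entries: RWX */
        map4(*eptp, g, L2_BASE + g, 7, alloc_l1, 0);
    uint64_t data_gpa = alloc_l2();                             /* == DEMO_DATA_GPA */
    *l2_cr3 = alloc_l2();
    map4(*l2_cr3, DEMO_VA, data_gpa, 3, alloc_l2, L2_BASE);    /* L2 PTEs: P|RW */
}
/* Rebuild the fixture and translate an L2 VA; 0 means the translation failed. */
uint64_t demo_l2_pa_for(uint64_t l2_va)
{
    uint64_t eptp, cr3, pa;
    build_tables(&eptp, &cr3);
    return walk4(read_l2_phys, &eptp, x86_present, cr3, l2_va, &pa) == 0 ? pa : 0;
}
uint64_t demo_l1_pa_for(uint64_t l2_va)
{
    uint64_t eptp, cr3, pa;
    build_tables(&eptp, &cr3);
    return l2_virt_to_l1_phys(eptp, cr3, l2_va, &pa) == 0 ? pa : 0;
}
```

In this fixture demo_l2_pa_for(DEMO_VA) returns 0x1000 and demo_l1_pa_for(DEMO_VA) returns 0x21000; treating the first value as an L1 physical address would read the page at L1 PA 0x1000, which here holds the EPT PML4, not the L2 data page. An address one page past DEMO_VA hits a non-present PTE and both helpers return 0.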
06.09.2025 21:13 — 👍 304  🔁 28  💬 3  📌 1
The Joys of Linux Kernel ROP Gadget Scanning Linux Kernel ROP gadget scanning is one of those things that seems easy in theory – just run ROPgadget --binary vmlinux on it! In practice, however, anyone who has used that method has likely had to s...

I finally got around to blogging again!

This time it's about the fun rabbit hole I went down last year of trying to improve Linux kernel ROP gadget discovery:
blog.zolutal.io/joys-of-kern...

03.09.2025 23:47 — 👍 3  🔁 0  💬 0  📌 0
A hole in FineIBT protection Intel's indirect branch tracking (IBT) is a hardware-implemented control-flow-integrity mechani [...]

We brought the FineIBT bypass to the linux-hardening mailing list a few months ago and it has since been addressed by introducing a new paranoid FineIBT mode that adds caller-side checks.
The LWN article that got written about it does a good job describing the issue and fix: lwn.net/Articles/101...

05.05.2025 22:03 — 👍 0  🔁 0  💬 0  📌 0
System Register Hijacking: Compromising Kernel Integrity By Turning System Registers Against the System | USENIX

My first paper is now up on the USENIX Security site :)

We evaluated the prevalence of x86_64/aarch64 system instructions in Linux kernel builds and their applicability to Control Flow Hijacking exploitation, identifying a FineIBT (Kernel CFI) bypass in the process!
www.usenix.org/conference/u...

05.05.2025 21:52 — 👍 1  🔁 1  💬 1  📌 0