/tags/exploit/Recent content in Exploit on THALIUMHugoen-usCopyright (c) 2026, all rights reserved.Tue, 16 Dec 2025 08:00:00 +0000/posts/dont-judge-an-audiobook-by-its-cover-taking-over-your-amazon-account-with-a-kindle/Tue, 16 Dec 2025 08:00:00 +0000/posts/dont-judge-an-audiobook-by-its-cover-taking-over-your-amazon-account-with-a-kindle/<p>Although Kindle e-readers are a prime target in modding and jailbreaking communities, there is little public work about vulnerability research in remote code execution scenarios.</p> <p>In this post, we give technical details about a chain of vulnerabilities we identified that can be triggered by downloading a malicious Audible audiobook, allowing to take full control of the device and its registered Amazon account.</p>/posts/ecw-2023-centralized-memory-write-up/Tue, 07 Nov 2023 12:00:00 +0100/posts/ecw-2023-centralized-memory-write-up/<strong>Centralized Memory</strong> was a hard Linux pwn challenge created for the European Cyber Week CTF 2023 qualifiers. This write-up covers the intended method of exploitation through a race condition, an AES padding bug and a stack overflow./posts/ecw-2023-the-calculator-in-shadow-write-up/Tue, 07 Nov 2023 12:00:00 +0100/posts/ecw-2023-the-calculator-in-shadow-write-up/<strong>The Calculator in Shadow</strong> was a hard pwn challenge created for the European Cyber Week CTF 2023 qualifiers. It included exploiting a RISC-V calculator running on top of a customized QEMU that featured a poorly implemented shadow stack./posts/pivoting_to_the_secure_world/Fri, 24 Mar 2023 13:37:00 +0000/posts/pivoting_to_the_secure_world/<ol> <li>Discovery of two vulnerabilities in secure world components</li> <li>Exploitation to get code execution in a trusted driver, while not having a debugger for this obscure environment</li> <li>Leverage of aarch32 T32 instruction set to find nice stack pivots</li> <li>Turning an arbitrary write into an arbitrary code execution</li> </ol>/posts/deserialization-bug-through-rdp-smart-card-extension/Fri, 10 Dec 2021 06:00:01 +0100/posts/deserialization-bug-through-rdp-smart-card-extension/<p>This is the <strong>third installment</strong> in my three-part series of articles on fuzzing Microsoft&rsquo;s RDP client, where I explain a bug I found by fuzzing the <strong>smart card extension</strong>.</p>/posts/leaking-aslr-through-rdp-printer-cache-registry/Fri, 10 Dec 2021 06:00:00 +0100/posts/leaking-aslr-through-rdp-printer-cache-registry/<p>This is the <strong>second installment</strong> in my three-part series of articles on fuzzing Microsoft&rsquo;s RDP client. I will explain a bug I found by fuzzing the <strong>printer sub-protocol</strong>, and how I exploited it.</p>/posts/ecw2021-writeup/Mon, 25 Oct 2021 12:00:01 +0100/posts/ecw2021-writeup/<p>For the <a href="https://www.european-cyber-week.eu/">European Cyber Week</a> CTF 2021 Thalium created some challenges in our core competencies: reverse and exploitation. This blog post presents some of the write-ups:</p> <ul> <li><a href="#chest">Chest (36 solve) - reverse</a></li> <li><a href="#fsb-as-a-service">FSB as a service (3 solve) - exploitation</a></li> <li><a href="#wysiwyg">WYSIWYG (3 solve) - reverse</a></li> <li>Pipe Dream (1 solve) - reverse <ul> <li>the author posted his solution on <a href="https://face.0xff.re/posts/ecw-ctf-2021-pipe-dream-writeup/">his personal blog</a></li> </ul> </li> </ul> <p>Thalium&rsquo;s challenges have been less resolved than others. They were not that difficult, but probably a bit more unexpected. A few additional challenges designed by Thalium are:</p>