Last year I (successfully) targeted the Canon printer for Pwn2Own Toronto; this year I decided to do the same. But I made a terrible mistake. The night before my flight to Toronto I realized I had... hacked the wrong printer (firmware). I scrambled to blindly port the exploit to the correct firmware image, without being able to actually test it. The exploit didn’t work during the competition. Anyway, here is the story behind the bug and an 0day exploit for Canon imageCLASS MF743Cdw.
In this post we will exploit a memory corruption issue in Amlogic EL3 code that is used by various consumer devices like the Sonos One (2nd generation) and the Lenovo Smart Clock. The goal is to get a copy of the OTP/eFUSE data and dump out the code for the application processor BootROM.
Exploiting a heap overflow in the TIPC subsystem of the Linux kernel. In this post we’ll exploit an N-day vulnerability (CVE-2021-43267) originally discovered by Max van Amerongen.
Generating numeric-only shellcode for Linux/x86. Is it possible? Alphanumeric x86 shellcode is a well-studied and documented subject. But what about using only ASCII number characters (0x30-0x39)? Let’s find out!