Hacking the Future: 12 Years at Exodus and the Next Big Leap

Hacking the Future: 12 Years at Exodus and the Next Big Leap

Tl;dr – We are hiring engineers, analysts, and researchers.

This May marked our 12th year of producing world-class vulnerability intelligence at Exodus Intelligence. We have had many ups (and downs) and have worked with a variety of talented people over the years whose collective contributions have made us who we are today. Throughout our history we have stayed true to our founding mission of maintaining a hacking culture, made by hackers, for hackers. We challenge and pride ourselves on researching some of the hardest targets, across a diversity of platforms and operating systems. As a team we have analyzed (I’m’, talking weeks long, thorough, root cause analysis) more than 1,600 Nday, and discovered over 400 0day in enterprise products. Whether software, hardware, server side, client side, IoT… our experts have done it all.

It has been a bit of a waiting game for the industry to build an appreciation for vulnerability intelligence, let alone Zeroday vulnerability intelligence. I would argue that the industry is finally there, and with the help of a lot of the big companies, there are products that can effectively detect and defend against this category of risks.

There is still a degree of “wild west” in the industry where it is hard to design and maintain standards for reporting, tracking and cataloging vulnerabilities (CVE, CVSS, CNAs, CPEs, SBOM,…). At Exodus we have always focused on the core research as our wheelhouse and put less effort on the website, front end, and engineering work that drives how people view, search and ingest our data. The market demands it now.

We are at an inflection point and aim to make our data more widely available and develop what tools we can to aggregate, enrich and curate all the public data, marry it with our own discoveries and analysis, and distribute to our customers. We have developed integrations for Splunk, Demisto (Cortex XSOAR), Slack, Recorded Future, to name a few examples, but the engineering lift is large, and the research support is insurmountable. Even as we jump on the GenAI band wagon with everyone else and invest in LLM, ML and AI, that technology is only as good as its input/data, so our researchers will need to spend the requisite time and effort training these models.

Now to the point of this post, we are hiring. We are looking for engineers with a special motivation to understand these challenges and have a passion to build solutions that chip away at the problems. We intend to make some of this tooling, code, and data available to the public, so the engineers we bring onboard should have an appreciation for open source code. While we’re always looking for elite researchers to join the team, these engineering efforts will soon unlock the need for an army of analysts that are interested in coverage of public data an inch deep, and a mile wide. We will have the incentives and mentorship in place to refine and develop skills towards hacking  more difficult targets and research, but for the first time we will be opening our doors to entry level analysts with the motivation to learn and gain unparalleled experience in the world of vulnerability research.

Current openings include:

  • Full-Stack Software Engineer
  • Web Browser Vulnerability Researcher
  • Mobile Vulnerability Researcher
  • Zero-Day Vulnerability Researcher
  • N-Day Vulnerability Researcher

Please apply at our careers page

Public Mobile Exploitation Training – Fall 2023

Mobile Exploitation Training

We are pleased to announce that the researchers of Exodus Intelligence will be providing publicly available training in person on November 14 2023 in London, England.

This 4 day course is designed to provide students with both an overview of the Android attack surface and an in-depth understanding of advanced vulnerability and exploitation topics. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, binary instrumentation, and advanced exploitation of widely deployed mobile platforms.

Taught by Senior members of the Exodus Intelligence Mobile Research Team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.

Emphasis

Hands on with privilege escalation techniques within the Android Kernel, mitigations and execution migration issues with a focus on MediaTek chipsets.

Prerequisites

  • Computer with the ability to run a VirtualBox image (x64, recommended 1GB+ memory)
  • Some familiarity with: IDA Pro, Python, C/C++.
  • ARM ASM fluency strongly recommended.
  • Installed and usable copy of IDA Pro 6.1+, VirtualBox, Python 2.7+.

Course Information

Attendance will be limited to 18 students per course.

Cost: $5000 USD per attendee

Dates: November 14-17, 2023

Location: the London, UK area

Syllabus

Android Kernel

 

  • Process Management
    • General overview
    • Important structures
  • Kernel synchronization
  • Memory Management
    • General overview
    • Virtual memory
    • Memory allocators
  • Debugging environment
    • Build the kernel
    • Boot and Root the kernel
    • Kernel debugging
    • demo
  • SELinux
  • Samsung Knox/RKP
  • Type of kernel vulnerabilities
    • Exploitation primitives
    • kernel vulnerabilities overview
    • heap overflows, UAF
    • Info leakage
  • [CVE-various] Mali GPU bug
    • Mali GPU
    • Vulnerability overview
    • Exploitation
  • [CVE-2020-0466] double-free vulnerability
    • Vulnerability overview
    • Exploitation
      • type confusion to write access to globally shared memory
      • UAF which can lead to arbitrary read and write of kernel memory
    • [CVE-2021-22600] double-free vulnerability
      • Vulnerability overview
      • Exploitation – convert the double free into a use-after-free of a struct page

 

Mediatek / Exynos baseband

  • Introduction
    • exynos baseband overview
    • mediatek baseband overview
  • Environment
  • Previous researches
  • Analyze modem
  • Emulation / Fuzzing
  • Rogue base station
  • secure boot
  • mediatek boot rom vulnerability
    • Vulnerability overview
    • Exploitation
  • baseband debugger
    • use brom exploit to patch the tee
    • write the modem physical memory from EL1

 

Public Browser Exploitation Training – Fall 2023

Browser Exploitation Training

We are pleased to announce that the researchers of Exodus Intelligence will be providing publicly available training in person on November 14 2023 in London, England.

This 4 day course is designed to provide students with both an overview of the current state of the browser attack surface and an in-depth understanding of advanced vulnerability and exploitation topics. Attendees will be immersed in hands-on exercises that impart valuable skills including static and dynamic reverse engineering, zero-day vulnerability discovery, and advanced exploitation of widely deployed browsers such as Google Chrome and Apple Safari.

Taught by Senior members of the Exodus Intelligence Browser Research Team, this course provides students with direct access to our renowned professionals in a setting conducive to individual interactions.

Emphasis

Hands on with privilege escalation techniques within the JavaScript implementations, JIT optimizers and rendering components.

Prerequisites

  • Computer with the ability to run a VirtualBox image (x64, recommended 1GB+ memory)
  • Some familiarity with: IDA Pro, Python, C/C++.
  • ASM fluency.
  • Installed and usable copy of IDA Pro 6.1+, VirtualBox, Python 2.7+.

Course Information

Attendance will be limited to 18 students per course.

Cost: $5000 USD per attendee

Dates:  November 14-17, 2023

Location:  the London, UK area

Syllabus

  • JavaScript Crash Course
  • Browsers Overview
    • Architecture
    • Renderer
    • Sandbox
  • Deep Dive into JavaScript Engines and JIT Compilation
    • Detailed understanding of JavaScript engines and JIT compilation
    • Differences between major JavaScript engines (V8, SpiderMonkey, JavaScriptCore)
  • Introduction to Browser Exploitation
    • Technical aspects and techniques of browser exploitation
    • Focus on JavaScript engine and JIT vulnerabilities
  • Chrome ArrayShift case study
  • Safari NaN Speculation case study
  • JIT Compilers in depth
    • Chrome/V8 Turbofan
    • Firefox/SpiderMonkey Ion
    • Safari/JavaScriptCore DFG/FTL
  • Chrome ArrayShift case study exploitation
    • Object in-memory layout
  • Types of Arrays
  • Chrome ArrayShift case study exploitation continued
    • Garbage collection
  • Running shellcode
    • Common avenues
    • Mitigations
  • Browser Fuzzing and Bug Hunting
    • Introduction to fuzzing
    • Pros and cons of fuzzing
    • Fuzzing techniques for browsers
    • “Smarter” fuzzing
  • Current landscape
  • Hands-on exercises throughout the course
    • Understanding the environment and getting up to speed
    • Analysis and exploitation of a vulnerability

Vulnerability Assessment Course – Spring 2023

We are pleased to announce that the researchers of Exodus Intelligence will be providing publicly available training in person on March 28 2023 in Austin, TX.

The intermediate course, titled the Vulnerability Assessment Class, covers a wide range of vulnerability and exploitation related topics and is intended for the beginner to intermediate level practitioner. This course is intended to prepare the student to fully defend the modern enterprise by being aware and equipped to assess the impact of vulnerabilities across the breadth of the application space.

Attendees should plan to travel and arrive prior to Tuesday, March 28th. The course work will conclude on Friday, March 31st, 2023.

Seating is limited. Since this training will be in person, there are a limited number of seats available.

**Later this year we will also be offering an updated version of our popular Vulnerability Development Master Class. This course will cover advanced topics such as dynamic reverse engineering, kernel exploitation concepts, browser exploitation, mitigation bypasses, and other topics. Later this year we will also be offering our Mobile Vulnerability Exploitation Class. This class will cover advanced topics concerning mobile platforms.

Vulnerability Assessment Class

This 4 day course is designed to provide students with a comprehensive and progressive approach to understanding vulnerability and exploitation topics on both the Linux and Windows platforms. Attendees will be immersed in hands-on exercises that impart valuable skills including a deep dive into the various types of vulnerabilities exploited today, static and dynamic reverse engineering, vulnerability discovery, and exploitation of widely deployed server and client-side applications. This class will cover a lot of material and move very quickly.

Prerequisites

    • Computer with ability to run a virtual machines (recommended 16GB+ memory)

    • Some familiarity with debuggers, Python, C/C++, x86 ASM. IDA Pro or Ghidra experience a plus.

  • No prior vulnerability discovery experience is necessary

Pricing and Registration

The cost for the 4-day course is $4000 USD per student. You may register and pay below, or you can e-mail training@exodusintel.com to register and we will supply a purchase order.

 

Syllabus

Vulnerability and risk assessment

  • NDay risk and patching timelines
  • Vulnerability terminology: CVE, CVSS, CWE, Mitre Attack, Impact, Category
  • Risk assessment
  • Vulnerability mitigation

Web-based vulnerabilities

  • Basics of HTTP
    • Format of HTTP request and response, URI
    • Command Injection and Directory Traversal attacks
    • Cross-site scripting and cross-site request forgery
  • XML External Entity attacks
  • Request Smuggling
  • SQL Injection
  • Deserialization

Modules include examples of affected CVEs and practicals.

Binary exploitation

  • Basics of binaries
    • Platformns: Linux and Windows
    • x86 assembly, PE, and ELF formats
    • Stack, Heap, Dynamic modules
    • PIE, ASLR, DEP
  • Tools
    • Ghidra, WinDBG, and gdb
  • Stack buffer overflow
    • OS/Theme: Linux
    • Return to shellcode, Return to libc, Stack pivot, etc.
    • Linux-based practical and demo
  • Use after free
    • OS/Theme: Windows
    • Overview of NT Heap, LFH
    • Practical and demo

Exodus Wants to help CISA Shields Up

CISA Shields Up in response to looming Russian Cyberattacks, Exodus Intelligence wants to help

Image from wallpaperswide.com

The Cybersecurity and Infrastructure Security Agency (CISA) recently launched the #ShieldsUp Campaign to provide organizations resources and recommended actions to heighten their security posture in light of the Russian invasion of Ukraine.  Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks, and #CISA is calling on every organization – large and small – to be prepared to respond to disruptive cyber incidents.

In response to the renewed calls for the private sector to address known vulnerabilities, Exodus Intelligence is offering their N-Day vulnerability subscription for FREE through July 1st.

The N-Day Vulnerability subscription provides customers with intelligence about critically exploitable, publicly disclosed vulnerabilities on widely used software, hardware, embedded devices, and industrial control systems.  Every vulnerability is analyzed, documented, and enriched with high-impact intelligence derived by some of the best reverse engineers in the world. At times, vendor patches fail to properly secure the underlying vulnerability.  Exodus Intelligence’s proprietary research enhances patch management efforts. Subscribed customers have access to an arsenal of more than 1200 vulnerability intelligence packages to ensure defensive measures are properly implemented.

For those that are concerned about Zero-day vulnerabilities, Exodus is also offering the benefit of our Zero-day vulnerability subscription for up to 50% off for new registrations from April 1st through July 1st. Exodus’ Zero-day Subscription provides customers with critically exploitable vulnerability reports, unknown to the public, affecting widely used and relied upon software, hardware, embedded devices, and industrial control systems. Customers will gain access to a proprietary library of over 200 Zero-day vulnerability reports in addition to proof of concept exploits and highly enriched vulnerability intelligence packages. These Zero-day Vulnerability Intelligence packages, unavailable anywhere else, enable customers to reduce their mean time to detect and mitigate critically exploitable vulnerabilities.

These offerings are available to the United States (and allied countries) Private and Public Sectors to gain the immediate benefit of advanced vulnerability analysis, mitigation guidance/signatures, and proof-of-concepts to test against current defenses.

 

To register for FREE N-day Intelligence, please fill out the webform here

Sample Report

Exodus Answers Biden’s Call to Action

White House issues call to action in light of new intelligence on Russian cyberthreat

The Biden administration renewed calls Monday for the private sector to address known vulnerabilities and shore up cyberdefenses in light of a looming possibility of a cyberattack from Russia on U.S. infrastructure. “The most troubling piece,” Anne Neubeger, the White House’s deputy national security adviser for cyber and emerging technology, said, is that “we continue to see known vulnerabilities for which we have patches available” used by cyberattackers to compromise U.S. companies. The administration has repeatedly warned the critical infrastructure sector about the potential for Russia to engage in malicious cyber activity against the United States in response to the recently imposed economic sanctions.

Exodus Intelligence is answering the call

In response to the renewed calls for the private sector to address known vulnerabilities, Exodus Intelligence is offering their N-Day vulnerability subscription for FREE from April 1st through July 1st.

The N-Day Vulnerability subscription provides customers with intelligence about critically exploitable, publicly disclosed vulnerabilities on widely used software, hardware, embedded devices, and industrial control systems.  Every vulnerability is analyzed, documented, and enriched with high-impact intelligence derived by some of the best reverse engineers in the world. At times, vendor patches fail to properly secure the underlying vulnerability.  Exodus Intelligence’s proprietary research enhances patch management efforts. Subscribed customers have access to an arsenal of more than 1200 vulnerability intelligence packages to ensure defensive measures are properly implemented.

For those that are concerned about Zero-day vulnerabilities, Exodus is also offering the benefit of our Zero-day vulnerability subscription for up to 50% off for new registrations from April 1st through July 1st. Exodus’ Zero-day Subscription provides customers with critically exploitable vulnerability reports, unknown to the public, affecting widely used and relied upon software, hardware, embedded devices, and industrial control systems. Customers will gain access to a proprietary library of over 200 Zero-day vulnerability reports in addition to proof of concept exploits and highly enriched vulnerability intelligence packages. These Zero-day Vulnerability Intelligence packages, unavailable anywhere else, enable customers to reduce their mean time to detect and mitigate critically exploitable vulnerabilities.

These offerings are available to the United States (and allied countries) Private and Public Sectors to gain the immediate benefit of advanced vulnerability analysis, mitigation guidance/signatures, and proof-of-concepts to test against current defenses.

To register for FREE N-day Intelligence, please fill out the webform here

Sample Report

Vulnerability Development Courses for 2021

UPDATE: Postponed. Unfortunately due to travel restrictions related to COVID we will be postponing these trainings until February 14, 2022. We are contacting current registered students and giving them the option of a refund or credit and a guaranteed spot in our February class. We apologize to all those affected by this.

We are pleased to announce that the researchers of Exodus Intelligence will be providing publicly available training in person in early November February 2022 in Austin, TX.

In an effort to fully teach the breadth and depth of Vulnerability Intelligence and Exploitation, we have structured our offerings in the form of three distinct courses.

The intermediate course, titled the Vulnerability Assessment Class, covers a wide range of vulnerability and exploitation related topics and is intended for the beginner to intermediate level practitioner. This course is intended to prepare the student to fully defend the modern enterprise by being aware and equipped to assess the impact of vulnerabilities across the breadth of the application space.

We will also be offering an updated version of our popular Vulnerability Development Master Class. This course will cover advanced topics such as dynamic reverse engineering, kernel exploitation concepts, browser exploitation, mitigation bypasses, and other topics.

Our third offering will be our Mobile Vulnerability Exploitation Class. This class will cover advanced topics concerning mobile platforms.

Dates & Locations

All three courses will run concurrently.

  • November 1st-5th 2021, Austin, TX, USA
  • New Dates: February 14, 2022, Austin, TX, USA

Attendees should plan to travel and arrive prior to Monday, February 14th. The course work will conclude on Friday, February 18th, 2022.

Seating is limited. Since this training will be in person, there are a limited number of seats available.

Vulnerability Assessment Class

This 5 day course is designed to provide students with a comprehensive and progressive approach to understanding vulnerability and exploitation topics on both the Linux and Windows platforms. Attendees will be immersed in hands-on exercises that impart valuable skills including a deep dive into the various types of vulnerabilities exploited today, static and dynamic reverse engineering, vulnerability discovery, and exploitation of widely deployed server and client-side applications. This class will cover a lot of material and move very quickly.

Prerequisites

  • Computer with ability to run a VMWare image (recommended 16GB+ memory)
  • Some familiarity with debuggers, Python, C/C++, x86 ASM. IDA Pro experience a plus.
  • No prior vulnerability discovery experience is necessary

Syllabus to be provided in the near future.

Pricing and Registration

The cost for the 5-day course is $5000 USD per student. You may e-mail training@exodusintel.com to register and we will supply a purchase order.

We will be providing a template request form in the near future to help justify attendance to management.

Vulnerability Development Master Class

This 5 day course is designed to provide students with a comprehensive and progressive approach to understanding vulnerability and exploitation topics on both the Linux and Windows platforms. Attendees will be immersed in hands-on exercises that impart valuable skills including a deep dive into exploiting kernel and browser vulnerabilities, static and dynamic reverse engineering, 0-day vulnerability discovery, and exploitation and workarounds of current mitigations. This is a very hands on deep dive. Course will be taught by Exodus researchers.

Prerequisites

  • Computer with ability to run a VMWare image (recommended 16GB+ memory)
  • Student must be comfortable with debuggers, Python, C/C++, x86 ASM, and IDA Pro.
  • No prior vulnerability discovery experience is necessary

Syllabus to be provided in the near future.

Pricing and Registration

The cost for the 5-day course is $6500 USD per student. You may e-mail training@exodusintel.com to register and we will supply a purchase order.

We will be providing a template request form in the near future to help justify attendance to management.

Mobile Vulnerability Exploitation Class

This 5 day course is designed to provide students with a comprehensive and progressive approach to understanding advanced exploitation topics involving the Android operating system. Attendees will be immersed in hands-on exercises that impart valuable skills including a deep dive into the various types of vulnerabilities exploited today, static and dynamic reverse engineering, vulnerability discovery, and exploitation of widely deployed mobile platforms and applications. This course is highly advanced and will cover difficult materials. Course will be taught by Exodus researchers.

Prerequisites

  • Computer with ability to run a VMWare image (recommended 16GB+ memory)
  • Some comfort with debuggers, Python, C/C++, ARM ASM and IDA Pro
  • No prior vulnerability discovery experience is necessary

Syllabus to be provided in the near future.

Pricing and Registration

The cost for the 5-day course is $7500 USD per student. You may e-mail training@exodusintel.com to register and we will supply a purchase order.

We will be providing a template request form in the near future to help justify attendance to management.

Covid-19 and Travel

We understand that travel conditions are constantly changing due to Covid-19. To that end, Exodus will adjust the course if necessary. If the situation arises that requires adjustment, Exodus will release an official statement and alert all registered students. In the case of cancellation, refunds (or course credit for future offerings at student’s discretion) will be provided.

Exodus Intelligence 2016 Training Course

threat intelligenceVulnerability Development Master Class

Since our inception, Exodus Intelligence has provided training courses on a variety of advanced subjects which have consistently been filled with students from around the world. Over the last few years, we’ve hosted Master Classes in the USA, Asia, and Europe–both publicly and privately (by request).

Once again, our flagship course–the Vulnerability Development Master Class–returns with new content, taught by recognized experts. Known as some of the best in the industry, Exodus instructors are armed with real-world experience, as well as multiple Pwn2Own victories and PWNIE awards.

Read moreExodus Intelligence 2016 Training Course

Stagefright: Mission Accomplished?

Update (2015-08-13 1:16pm CST): We’ve been in contact with Zimperium and are working with them to provide coverage for detection of this flaw through their Stagefright Detector app. They have been very responsive (more so than the affected vendor) and we plan to alert them of similar flaws we’ve recently discovered.

Read moreStagefright: Mission Accomplished?