r/ExploitDev

hello all ,

im now studing OSED, and in the chapter we can overwrite EIP after sending lets say 0x12,000 Bytes .
but they somehow instead they want to overwrite SEH , but why ? they wrote this :

Theoretically, we could overwrite the target return address by precisely calculating the required offset and size for the overflow.However, a huge buffer length is required for a successful overflow, which means we would likely corrupt pointers on the stack that will be used by the target function before returning into the overwritten return address. In short, even if a direct EIP overwrite is possible, it would require a lot of work.

Instead, we’ll perform an even larger copy and attempt to overwrite the SEH chain and trigger anexception by writing beyond the end of the stack.

but also we send more big buffer to overwrite SEH so also this will corrupt more pointers in stack so what is the point ?

Beginner here !So I started pwn.college for RE and binary exploitation and I have completed the "computing 101" module which was quite fun but the next module is "playing with programs" which Is not about the RE or binary-exploitation ,so should I also do that module or not as it is mostly about web ,will it help me in my journey?

I have TS clearance. I'm curious how high can TC goes up in the DMV area. Is 200k+ common if you gain yoe?

I’m currently a second year university student seeking an internship for this summer. My primary interest is reverse engineering, a field I am deeply passionate about. How can I secure an internship in this area?

Hot take but CVSS scores have made us lazy.

A critical is a critical is a critical. 9.8 on a library your app doesnt even load goes to the top of the queue, meanwhile the 6.5 that's reachable sits there for 6 weeks cause nobody looked past the score.

We built entire vuln management programs around a number that tells you severity but zero about exploitability. And we act surprised when teams burn out chasing ghosts.

How are yall prioritizing beyond CVSS?

I wanted to share the workflow I’ve been using lately for Windows n-day research, because it feels like one of the best examples of what I’d call “vibe hacking.”

Not “ask AI to hack Windows” and magically get a 0day.

More like: use AI as a research partner that helps you move faster through the boring, confusing, and repetitive parts of vulnerability research.

The basic loop looks like this:

1. Watch Patch Tuesday
2. Have Hermes cron kick off the first-pass triage automatically every Tuesday
3. Pick an interesting CVE, usually LPE, EoP, or sandbox escape
4. Find the patched component
5. Diff old vs new binaries or source-adjacent artifacts
6. Ask AI to help explain what changed
7. Build small probes to test theories
8. Throw away bad ideas quickly
9. Keep the paths that show real privilege or trust-boundary movement

The important part is that the AI is not “finding the exploit” by itself. It is helping compress the research cycle.

This is also where Hermes cron is useful. Patch Tuesday happens on a schedule, so the first pass should happen on a schedule too. I can set a weekly job that wakes up every Tuesday, pulls the latest Microsoft advisory data, groups CVEs by likely research value, and drops a short briefing into my workspace.

Example Hermes cron prompt:

Every Patch Tuesday, review the latest Microsoft security updates. Prioritize Windows local privilege escalation, sandbox escape, and broker/service boundary bugs. For each interesting CVE, summarize the affected component, likely bug class, available patch artifacts, and the first safe validation steps. Do not write exploit code. Produce a short triage report with the top 5 targets.

The goal is not to wake up to a finished exploit. The goal is to wake up to a useful map.

For example, instead of staring at a patch diff for hours, I’ll ask something like:

Here are the before and after snippets from a Windows component patched in CVE-XXXX-YYYY. Explain the security-relevant behavior change in plain English. Focus on:

- new validation checks
- trust boundary changes
- object lifetime or permission changes
- anything that could indicate the original bug class

Then propose 3 safe local experiments to confirm the root cause without weaponizing it.

That usually gives a useful starting point.

Then I’ll follow up with:

Assume this was an elevation-of-privilege fix. What would need to be true for this bug to matter in practice? List the required attacker privileges, target service behavior, and what evidence would prove this is more than just a crash.

That second question is key. AI is very good at hyping up bugs. You have to force it to separate “interesting crash” from “actual privilege boundary crossed.”

One result from this workflow: we used AI-assisted patch diffing and targeted probing to narrow a Windows local privilege escalation investigation down from “some patched component changed” to a specific broker/service interaction that was worth testing. The valuable part was not that AI gave us an exploit. It helped us build a decision tree:

• What changed?
• Why would Microsoft add this check?
• What caller controls this input?
• What privilege does the service run as?
• What would prove exploitability?
• What negative tests let us kill this path?

That saved a lot of time.

The methodology is basically “research with a copilot”:

• AI summarizes ugly diffs
• AI turns vague ideas into checklists
• AI writes throwaway harnesses and probes
• AI helps document dead ends
• AI reminds you what evidence is missing
• You still do the validation, debugging, and judgment

The biggest lesson so far: don’t ask AI for an exploit. Ask it to help you think like a vulnerability researcher.

Bad prompt:

Write an exploit for this Patch Tuesday CVE.

Better prompt:

Based on this patch diff, what bug class was likely fixed, what assumptions must hold for exploitation, and what safe tests can confirm or disprove those assumptions?

That difference matters.

This is what I mean by vibe hacking: not blindly trusting AI, not replacing skill, but using it to stay in flow while exploring a target. The AI is great at generating hypotheses. The human has to prove them.

If you’re interested in this style of AI-assisted security research, n-day analysis, exploit dev workflows, weird automation, and building agents that actually do useful work, that’s what I want /r/vibehacking to be about.

As the title suggests , a complete beginner with a basic understanding of tech and how it works at a consumer level .

I have got 1 and half to 2 years time to get job ready during my masters .. so any roadmaps or advice or suggestions would be helpful from industry people ? 🙏

And also include your experiences and how you secured your job or if this process or decision was worth it !

How does this stand against layoffs and downsizing and ai incorporation ?

Thanks !

I have been trying to find one myself, I haven't found any for the past two months, am I looking in the wrong places? Or am I doing it wrong

I know Maldev academy isn’t really Exploit dev work but I’m currently working in a SOC currently pivoting as a Junior Malware analyst. I want to get better at reverse engineering and eventually want to pivot into a CNO Developer position in the future. I’ve already looked at pwn.college too but if I have the extra cash is it worth the money?

almost feels like a backdoor

Looking for someone who can reverse engineer api of an android app (mobile game), and can develop a bot using the end points to do specific simple tasks like tracking data and more. I can only pay up to $500 up front. And after development is finished and the bot is ready to be used a service for players, expect around a monthly income of $500-1000 which will be passive income mostly and bug fixes (if bugs show up). If the tools the bot can provide are well done, then after a year, it may be able make a profit of 10-20k, which will be split 50/50. This is just a hobby of mine I would like to pursue for some good side income and if anyone is willing to help out, please send a DM!

I have been trying to do an exploit, I searched the internet looked at older documentation and even asked AI without use the whole internet was agreeing it is impossible even AI was hellucinating at somtimes, I kept reversing structures debugging kernel and user softwares for any sign of clue, in the end I managed to pull it off after 2 months of consistent work, only to find a repo that has like one source file and one header file in cpp in github that perfectly does the exact thing I was looking for, I didn't even commit it to my repo the whole thing is embarresing

For example topic like "format string vulnerability" , you have like 5 blogs and 2 papers and...other resources . Like it makes me feel distracted and frustrated. How you defeat that and should I read all this resources with repeated concepts ?

Hey guys, just wanted to ask what are the best resources people know for learning about iOS/macOS from a vulnerability research point of view? Are there any platforms with practical exercises or is it going to mostly be blog posts and write ups? Thanks in advance