post
- This post is about exploiting IOPL privilege escalation using QEMU's Firmware Configuration (fw_cfg) device.
- Reviving an old, novel Linux technique to bypass SMAP through an unimplemented x86 feature in QEMU's TCG.
- A novel technique I found in the Linux kernel, useful for exploiting restricted dirty pagetable scenarios in a completely reliable and leakless way, through a new kind of "Oriented Programming".
- Writeup for the kernel pwn challenge that I wrote for ToH CTF 2025. In this post I will talk about a way of bypassing kCFI (norand) using BPF filters.