
Critical Thinking - Bug Bounty Podcast Episode 157: Crushing Pwn2Own & H1 with Kernel Driver Exploits
Jan 15, 2026

Joining the discussion is Hyprdude (Hypr), a notable security researcher and exploit developer acclaimed for his kernel driver research on MediaTek. He shares insights on exploiting a MediaTek Wi-Fi driver vulnerability, detailing the technical nuances of heap overflow and chaining primitives for successful exploits. Hypr recounts his experiences at Pwn2Own, highlighting the pressure of live demonstrations and the challenges of navigating bug bounty programs. He encourages other hackers to explore IoT, where low-level bugs abound, emphasizing the practical skills gained from real-world exploit development.
AI Snips
Built Kernel Exploit Largely Without A Debugger
- Hyprdude developed a kernel exploit against a Netgear router while largely 'blind' with no kernel debugger attached.
- He iterated by reading source and trial-and-error, rebooting the device many times to observe crashes and traces.
Heap Metadata Corruption Yields Arbitrary Allocations
- Small out-of-bounds writes can corrupt slab free-list pointers and create controlled allocations.
- Overwriting a free chunk's next pointer lets a later allocation return memory at an attacker-chosen address.
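The snip above describes the primitive; the userspace toy below, added here and not code from the episode, the guest or the Linux kernel, shows why the freelist-pointer encoding behind Linux's CONFIG_SLAB_FREELIST_HARDENED blunts it and how a cheap bounds check on the free-list head flags the corruption. The pool layout, the secret and the attacker value are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#define SLOTS 8
#define SLOT_SIZE 64
/* Pool of 8 x 64-byte slots; declared as words so the inline next pointer is accessed as uintptr_t. */
static uintptr_t pool[SLOTS * SLOT_SIZE / sizeof(uintptr_t)];
static uintptr_t freelist;   /* address of the head free slot, 0 when empty */
static bool hardened;
static const uintptr_t secret = 0x5a17c3e9b0d4f68bULL; /* constructed stand-in for the kernel's per-cache random value */
/* Hardened kernels store next ^ random ^ swab(address of the pointer itself).
 * XOR is its own inverse, so the same function encodes and decodes. */
static uintptr_t xlate(uintptr_t v, uintptr_t at) {
    return hardened ? v ^ secret ^ (uintptr_t)__builtin_bswap64(at) : v;
}

static void pool_init(bool harden) {
    hardened = harden;
    memset(pool, 0, sizeof pool);
    freelist = 0;
    for (int i = SLOTS - 1; i >= 0; i--) {   /* push slots so slot 0 ends up as the head */
        uintptr_t slot = (uintptr_t)pool + (uintptr_t)i * SLOT_SIZE;
        *(uintptr_t *)slot = xlate(freelist, slot);
        freelist = slot;
    }
}

/* Pop the head; the new head is decoded from the chunk's first word. */
static void *pool_alloc(void) {
    if (!freelist) return NULL;
    uintptr_t obj = freelist;
    freelist = xlate(*(uintptr_t *)obj, obj);
    return (void *)obj;
}

/* Cheap integrity check on the alloc path: the head must be a slot boundary inside the pool. */
static bool freelist_sane(void) {
    uintptr_t off = freelist - (uintptr_t)pool;
    return freelist == 0 || (off < sizeof pool && off % SLOT_SIZE == 0);
}

/* Simulate one out-of-bounds word write landing on the head chunk's next pointer,
 * take one allocation, and return where the following allocation would land. */
static uintptr_t next_after_corruption(bool harden, uintptr_t attacker_value) {
    pool_init(harden);
    *(uintptr_t *)freelist = attacker_value;
    pool_alloc();
    return freelist;
}
```

Without hardening the next allocation lands exactly on the written value; with hardening the decoded head is a meaningless address and `freelist_sane()` rejects it before it can be handed out.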
Use modprobe_path For Simple Kernel-to-User Exec
- With an arbitrary kernel write, overwriting the kernel's modprobe_path string gets a userland binary executed by the kernel itself.
- Drop a controlled binary at that path and trigger the execution to gain a shell, without the more complex work of mapping out the kernel.
