ENGINEERING BLOG

  • Streaming Zero-Fi Shells to Your Smart Speaker

    Exploiting the Sonos Era 300 with a Malicious HLS Playlist

    June 11, 2025 / Jack Dates & Markus Gaasedelen


    In October 2024, RET2 participated in the “Small Office / Home Office” (SOHO) flavor of Pwn2Own, a competition which challenges top security researchers to compromise consumer-focused network devices. This includes popular smart speakers, routers, IP cameras, printers, and network-attached storage (NAS) devices.

    One of the two devices we targeted this year was the Sonos Era 300, a high-end smart speaker which retails for around $500 USD. The Sonos layers several security technologies to establish a chain of trust rooted in hardware, protect device specific secrets (ARM Trustzone, eFuses), and harden its primary runtime service against active exploitation. For a category of devices historically derided as “junk hacking,” things have certainly changed.

    In this post, we’ll touch on how past research was adapted to obtain a foothold on the device, providing us the necessary introspection to discover and exploit a powerful memory corruption vulnerability (CVE-2025-1050) in remotely accessible, unauthenticated attack surface, netting our exploit $60,000 USD from the competition.

    Jack Dates (far-right) of RET2 Systems attacking a Sonos Era 300 with a zero-day exploit at Pwn2Own 2024

    Continue Reading →

    • Exploiting the Synology DiskStation with Null-byte Writes

      Achieving remote code execution as root on the Synology DS1823xs+ NAS

      April 23, 2025 / Jack Dates


      In October, we attended Pwn2Own Ireland 2024 and successfully exploited the Synology DiskStation DS1823xs+ to obtain remote code execution as root. This issue has been fixed as CVE-2024-10442.

      The DiskStation is a popular line of NAS (network-attached storage) products by Synology. It has been succesfully exploited a few times at Pwn2Own events in the past, though it remained untouched in the prior year’s event (Pwn2Own Toronto 2023). Then Ireland 2024 saw three successful entries, all using unique bugs.

      This post will detail our experience researching the Synology DiskStation and writing an exploit against it for the event.

      Prepping to throw an exploit at the Synology DiskStation, Pwn2Own Ireland 2024

      Continue Reading →

      • Pwn2Own Automotive: Popping the CHARX SEC-3100

        Exploiting Unsafe C++ Destructor Ordering on Process Teardown

        July 24, 2024 / Jack Dates


        Our previous post explored some of the bugs we discovered in the CHARX SEC-3100 ControllerAgent service for Pwn2Own Automotive. We’ll now walk through how these bugs were weaponized to produce a fully remote exploit.

        We left off with a use-after-free (UAF) primitive. Notably however, the UAF occurs on process teardown (a “one-shot” style bug), and we don’t have any information leaks to easily deal with ASLR (address space layout randomization).

        If you want to try exploiting a similar bug on your own, we’ve hosted a challenge with an adapted version of the same bug pattern on our in-browser WarGames platform here.

        Continue Reading →

      Pwn2Own Automotive: CHARX Vulnerability Discovery
      Abusing Subtle C++ Destructor Behavior for a UAF
      JTAG 'Hacking' the Original Xbox in 2023
      Using Intel CPU JTAG to dump the secret bootrom in Microsoft's original Xbox
      The LDT, a Perfect Home for All Your Kernel Payloads
      Using the HIB segment to bypass KASLR on x86-based macOS
      Exploiting Intel Graphics Kernel Extensions on macOS
      A Pwn2Own 2021 Apple Safari Sandbox Escape
      Exploiting an Unbounded memcpy in Parallels Desktop
      A Pwn2Own 2021 Guest-to-Host Virtualization Escape
      What's New in Tenet v0.2
      Quality-of-life improvements, cell-based trace visualization, and more...
      Snapcraft Packages Come With Extra Baggage
      Exploiting Ubuntu's Snapcraft Apps with CVE-2020-27348
      All Your Base Are [Still] Belong To Us
      Fuzzing Modern UDP Game Protocols With Snapshot-based Fuzzers
      The Oddest Place You Will Ever Find PAC
      Exploiting the notoriously unsafe gets() on a PAC-protected ARM64 binary
      32 bits, 32 gigs, 1 click...
      Exploitation of a JavaScriptCore WebAssembly Vulnerability
      Tenet: A Trace Explorer for Reverse Engineers
      Conventional Debuggers Are Crumbling to Software Complexity, Now What?
      Lucid: An Interactive Hex-Rays Microcode Explorer
      Studying decompiler internals has never been so easy...
      7 Days to Lift: A Mission in Microcode
      Extending the Hex-Rays Decompiler to Support Intel AVX Instructions
      What's New in Lighthouse v0.9
      Python 3, custom coverage formats, coverage cross-refs, themes & more
      A Cryptocurrency Heist, Starring Your Web Browser
      Abusing well-defined web standards to exploit localhost services
      In Transactional Memory, No One Can Hear You Scream
      Attacking Intel's Transactional Synchronization Extensions
      What's New in Lighthouse v0.8
      Binary Ninja support, HTML coverage reports, consistent styling
      Scaling up Binary Exploitation Education
      Augmenting Esoteric Security Subjects with Gamification & Accessibility
      Exploiting the macOS WindowServer for root
      Four Heap Sprays, Two Dangling Pointers, One Bitflip
      Cracking the Walls of the Safari Sandbox
      Fuzzing the macOS WindowServer for Exploitable Vulnerabilities
      Weaponization of a JavaScriptCore Vulnerability
      Illustrating the Progression of Advanced Exploit Primitives In Practice
      Timeless Debugging of Complex Software
      Root Cause Analysis of a Non-Deterministic JavaScriptCore Bug
      Vulnerability Discovery Against Apple Safari
      Evaluating Complex Software Targets for Exploitable Vulnerabilities
      A Methodical Approach to Browser Exploitation
      The Exploit Development Lifecycle, From A to Z(ero Day)
      Building up from the Ethereum Bytecode
      Practical Decompilation of Ethereum Smart Contracts
      What's New in Lighthouse v0.7
      Frida, C++ demangling, context menu, function prefixing, bugfixes
      Dangers of the Decompiler
      A Sampling of Anti-Decompilation Techniques
      What's New in ripr v1.1
      Function Arguments, Basic Block Mode, and more
      Untangling Exotic Architectures with Binary Ninja
      Supplementing Flare-On 2017 with some sanity
      What's New in Lighthouse v0.6
      Intel pintool, cyclomatic complexity, batch load, bugfixes
      Hello World
      Compiling Executables for the Classic POSIX Subsystem on Windows
GITHUB | TWITTER | BLOG | CONTACT
(C) 2025 RET2 SYSTEMS, INC.