RCE

Safari RCE – 80k$ USD

  • Works on iPhone X or on MacOSX, latest version.

Chrome RCE – 80k$ USD

  • Runs on latest version
  • Works on Latest Version
  • Achieves shellcode with breakpoint popped out
  • Runs on Windows latest Build, RS6, 64-bits

PE

iOS PE

  • iPhone X – 60k$
    • From App / user to Kernel
    • Latest version
  • iPhone XR / XS (A12 device) – 80k$
    • From App / user to Kernel
    • Latest version

Linux PE – 50k$ USD

  • User to root
  • PE should bypass LSM (Linux Security Module) such as AppArmor and SELinux.
  • PE should run on the latest versions of at least 2 of the following distributions:
    • Ubuntu Desktop – currently 19.4
    • Debian – currently 9
    • Fedora – currently 29
    • CentOS – currently 7
  • PE should gain root unconfined.
  • Minimum Kernel version – 4.x
  • Will be tested on Ubuntu Desktop.

Android Kernel PE

  • Samsung Galaxy A8 – SM-A530F – 50k$ USD
    • Kernel 4.4
    • Android 9
    • Exploit has to run code and gain root from untrusted_app
  • Samsung Galaxy S10 – 80k$ USD
  • Google Pixel 3 – 80k$ USD
    • Android 9
    • Latest Kernel
    • Exploit has to run code and gain root from untrusted_app

Windows PE

  • Medium to System – 10k$ USD
  • Should work on latest version (RS6) on default Windows configurations.
  • Success measurement – one of the following:
    • Raise a bp in a system process
    • Pop cmd in system privileges
    • Run an arbitrary shellcode with system privileges
  • From Chrome Sandbox to Kernel – 40K$ USD
    • Should work on latest version (RS6) on default Windows configurations.
    • Success measurement – one of the following:
      • Raise a bp in the kernel
      • Pop cmd in high privileges
      • Run an arbitrary shellcode in the kernel
      • BSOD (This may affect overall payout amount)
  • HVCI Bypass – 50k$ USD
    • From system to kernel, when HVCI is turned on
    • Should work on latest version (RS6 – latest insider), on default Windows configurations.
    • Success measurement
      • Run an arbitrary shellcode with an arbitrary size in the kernel (shellcode / unsigned driver).

SBX

Chrome SBX on Windows – 80k$ USD

  • The vulnerability has to be in Chrome browser
  • Researcher should patch Chrome's sources in order to demonstrate the exploit.
  • Verification of this vulnerability will take at least an hour for our team. To help us test it more quickly, please provide proper documentation.

Deliverables

  • The participant should have easy-to-compile code (Visual Studio project or a makefile)

Android SBX

  • Samsung Galaxy A8 – SM-A530F – 50k$ USD
    • Should run code on 64-bit
  • Samsung Galaxy S10 – SM-A530F – 80k$ USD
    • Should run code on 64-bit
  • Google Pixel 3 – 80k$ USD
    • Should run code on 64-bit

Deliverables

  • A .so file with a run() function which would run the vulnerability and gain root privileges for the process.
  • A full makefile which compiles with NDK must be included.
  • PoC – The .so file should be a part of the app (so the exploit would run from within an untrusted_app context), along with a demonstration of privilege escalation (by getuid)