MADBugs

MAD Bugs: "cat readme.txt" is not safe in iTerm2

Turning "cat readme.txt" into arbitrary code execution in iTerm2.

Apr 17

We Asked Claude to Audit Sagredo's qmail. It found a RCE.

One prompt, 101 minutes, and a working exploit against a widely deployed qmail fork.

Apr 16 • Calif

Learning to Jailbreak an iPhone with Claude (Part 1)

Claude helped me take apart an iOS Safari exploit, and retune it for my Mac. It even wrote its own variant.

Apr 15

Codex Hacked a Samsung TV

We gave Codex a foothold. It popped a root shell.

Apr 13 • Calif

Claude + Humans vs nginx: CVE-2026-27654

What humans still do when Claude already found the bug.

Apr 10 • Calif

MAD Bugs: Feeding Claude Phrack Articles for Fun and Profit

tl;dr: A teammate gave Claude a Phrack article.

Apr 9

MAD Bugs: Claude Found an Auth Bypass in NSA's Ghidra Server

This bug may resemble a backdoor in effect, but there’s no evidence it was intentional. Really.

Apr 8 • Calif

MAD Bugs: Discovering a 0-Day in Zero Day

Here’s how I used Claude to find and patch a radare2 0-day on my first day at Calif.

Apr 8 • Calif

MAD Bugs: Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell (CVE-2026-4747)

To our knowledge, this is the first remote kernel exploit both discovered and exploited by an AI.

Mar 31 • Calif

MAD Bugs: vim vs emacs vs Claude

We asked Claude to find a bug in Vim. It found an RCE. Just open a file, and you’re owned. We joked: fine, we’ll switch to Emacs. Then Claude found an…

Mar 30 • Calif

#nojs-banner { position: fixed; bottom: 0; left: 0; padding: 16px 16px 16px 32px; width: 100%; box-sizing: border-box; background: red; color: white; font-family: -apple-system, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 13px; line-height: 13px; } #nojs-banner a { color: inherit; text-decoration: underline; } This site requires JavaScript to run correctly. Please turn on JavaScript or unblock scripts