Windows Component Object Model (COM) services run with elevated privileges and are widely accessible to authenticated users, making race conditions in these binaries a critical surface for local privilege escalation. We present SLYP, an end-to-end agentic pipeline that discovers race condition vulnerabilities in COM binaries and generates debugger-verified proof-of-concept (PoC) code. SLYP exposes binary exploration, COM inspection, and dynamic debugging as reusable tool interfaces, giving agents the static context, COM activation metadata, and debugger feedback needed to move from vulnerability discovery to verified PoC generation. On a benchmark of 20 COM objects covering 40 vulnerability cases, SLYP achieves 0.973 F1, outperforming production coding agents by up to 0.208 F1 and the state-of-the-art static analyzer by 3.3x in bug discovery. For PoC generation, production coding agents in their default setup (without our COM inspection and dynamic debugging tools) verify essentially no cases on either frontier model, whereas SLYP's interactive toolsets enable it to autonomously synthesize working PoCs for 67.5% of cases on the strongest configuration. Deployed on production Windows services, SLYP discovers 28 previously unknown vulnerabilities across nine COM services, all confirmed by the Microsoft Security Response Center (MSRC) with 16 CVEs assigned and $140,000 in bounties. Furthermore, SLYP is designed with generalizable binary analysis and debugging interfaces, making it readily applicable to other commercial off-the-shelf (COTS) binaries beyond Windows COM services.