Piotr Bazydło (@chudypb)'s Twitter Profile
Piotr Bazydło

@chudypb

Vulnerability Researcher at the Zero Day Initiative | @[email protected]

ID: 923554711407611904

https://chudypb.github.io/ | 26-10-2017 14:19:36

741 Tweet

3,3K Followers

283 Following

James Kettle (@albinowax)

The whitepaper is live! Listen to the whispers: web timing attacks that actually work. Read it here -> portswigger.net/research/liste…

Orange Tsai 🍊 (@orange_8361)

Thrilled to release my latest research on Apache HTTP Server, revealing several architectural issues! blog.orange.tw/2024/08/confus… Highlights include: ⚡ Escaping from DocumentRoot to System Root ⚡ Bypassing built-in ACL/Auth with just a '?' ⚡ Turning XSS into RCE with legacy code

Zero Day Initiative (@thezdi)

Better late than never, patches from #Microsoft and #Adobe are finally out - and 6 bugs are under active attack. Check out all the details, including some wormable bugs, as The Dustin Childs breaks down the release. zerodayinitiative.com/blog/2024/8/13…

Zero Day Initiative (@thezdi)

Microsoft fixed CVE-2024-38213 last Tuesday. It was discovered in the wild by ZDI threat hunter Peter Girnus. Today, he makes the details of the vulnerability and how it's being used by threat actors. zerodayinitiative.com/blog/2024/8/14…

chompie (@chompie1337)

The past year has been amazing. From marriage, to Pwn2Own to a Pwnie Award, I'm so grateful. I'm using the money I've won from hacking competitions, bounties, & RB for two ppl to travel & attend Hexacon, the premier offensive security con in Paris, France. forms.gle/zt9RaR7EEvTxWG…

Alex Plaskett (@alexjplaskett)

My team EDG is looking for an experienced exploit developer! RT's welcome! This is a full time research and development role, primarily contributing to the developing of capabilities for consultants, showcasing knowledge, collab with other teams etc. nccgroup.wd3.myworkdayjobs.com/en-US/NCC_Grou…

SinSinology (@sinsinology)

🔥 Here is my writeup about the WhatsUp Gold Unauthenticated SQL Injection which is exploitable by default, enjoy. P.S.: my Friday starts now summoning.team/blog/progress-…

Zero Day Initiative (@thezdi)

We've updated our blog on abusing file deletes to escalate privileges. We've also released PoC to demonstrate this. The exploit offers a high degree of reliability and eliminates all race conditions. It has been tested on the latest Windows 11 Enterprise. zerodayinitiative.com/blog/2022/3/16…

frycos (@frycos)

community.progress.com/s/article/Unau… Looking at services with custom packet structure processing often leads me to new bugs. Also nice to see my exploit chain being described in detail in this advisory.

Piotr Bazydło (@chudypb)

As promised, Exchange PowerShell research is getting published in the form of blog posts. Part 1/4 describes two RCEs: MultiValuedProperty internal deserialization + a chain with Command gadget.

esjay (@esj4y)

First part which covers the bug and finishes off with code allowing us for a controlled overflow in the Paged Pool is up: 3sjay.github.io/2024/09/08/Win…

SinSinology (@sinsinology)

After not sleeping for 2 days, I finally cooked the exploit, unauthenticated RCE against Veeam Backup and Replication CVE-2024-40711, Imma go sleep now

Cedric Halbronn (@saidelike)

3 more weeks before my Windows Kernel Exploitation training at Hexacon. Don't miss out! More info on contents -> hexacon.fr/trainer/halbro…

Piotr Bazydło (@chudypb)

My SharePoint RCE got fixed: CVE-2024-38018. Site Member privs should be enough to exploit. I also found a DoS vuln that got patched today: CVE-2024-43466 msrc.microsoft.com/update-guide/v…

Gergely Kalman (@gergely_kalman)

For those of you who might like it: Here are the slides from my Alligatorcon talk: gergelykalman.com/the-missing-gu… I was thinking of sending it to #POC2024, but the POC_Crew 👨‍👩‍👦‍👦 says it only accepts new talks :'(

Piotr Bazydło (@chudypb)

2nd part of Exchange series is live. This time, it's CAB extraction gadget, together with a path traversal in Windows extrac32.exe. I also covered a bypass for Defender CAB signatures (spoiler: quite a simple one). 😅