Automated Memory Dumps Using Just-in-Time/Postmortem Debugging
This is not a blog but my notes about setting up the NTSD debugging which I found useful in one of my previous jobs where I had to fuzz the REST API.
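The setup those notes refer to, written out here as an added example rather than the note's own configuration: registering ntsd.exe as the postmortem (just-in-time) debugger through the AeDebug registry key, so that every unhandled crash in a process you are fuzzing writes a full memory dump without anyone clicking through a dialog. The ntsd path and the dump directory are assumptions; adjust them to your install.

```powershell
# Added example (not the note author's own script). Register ntsd.exe as the
# postmortem debugger so unhandled exceptions produce a full dump automatically.
# Assumed paths: $Ntsd (Debugging Tools for Windows) and $DumpDir.
$Ntsd    = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\ntsd.exe'
$DumpDir = 'C:\dumps'
New-Item -ItemType Directory -Path $DumpDir -Force | Out-Null

# Windows substitutes the two %ld placeholders with the crashing PID (-p) and
# the event handle ntsd must signal once attached (-e). -g skips the initial
# breakpoint; -c runs debugger commands on attach: .dump /ma writes a full dump,
# /u appends a timestamp and PID so repeated crashes never overwrite each
# other, and q quits so the crashed process is released.
$Debugger = "`"$Ntsd`" -p %ld -e %ld -g -c `".dump /ma /u $DumpDir\crash.dmp; q`""

# Both keys: the Wow6432Node one is used for 32-bit processes on 64-bit Windows.
$Keys = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AeDebug'
foreach ($Key in $Keys) {
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name Debugger -Value $Debugger
    Set-ItemProperty -Path $Key -Name Auto     -Value '1'   # '1' = attach without prompting
}

# Verify what will actually be launched on the next crash.
Get-ItemProperty -Path $Keys[0] | Select-Object Debugger, Auto
```

Two practitioner caveats. The debugger command runs in the security context of the crashing process, which for a service is often SYSTEM, so the ntsd binary and the dump directory must live on paths that low-privileged users cannot write to; an attacker who can replace the AeDebug target or redirect it gets code execution on every crash. And on current Windows, WER can collect the same dumps without a debugger at all via HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps (DumpType 2 for a full dump), which is the simpler option when you only need the dump and not an interactive session.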
I spent some time over the Christmas break last year learning the basics of Windows Internals and thought it was a good opportunity to use my naive reverse engineering skills to find answers to my own questions. This is not a blog but rather my own notes on Windows Internals. I’ll keep updating them and […]
In the previous blog post, we analysed the MOVEit Transfer patch that mitigates a SQL injection vulnerability (CVE-2023-34362) and figured out the entire call flow to reach the vulnerable method, SetAllSessionVarsFromHeaders(). It looks like this: /moveitisapi/moveitisapi.dll?action=m2 –> Machine2.aspx –> DoTransaction() –> SetAllSessionVarsFromHeaders(). What we did was just figured out the entry point and we still need to […]
Although the MOVEit Transfer N-Day exploit party is over, I recently started my Patch Diffing journey, so I was looking for another target to practice my skills and survive the painful journey of patch diffing / exploit development. The analysis of the unauthenticated SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362) appeared to be challenging yet rewarding […]
Update (June 20 2023): This blog is based on the vulnerability I discovered/reported in SAP SQLAnywhere 17.0 (CVE-2023-33990) back in January 2023. SAP patched it in July 2023; however, their product security response team declined to credit me for this disclosure because I reported the vulnerability through their customer support channel, which was the standard […]
I’ve just started looking at the NTLM privilege escalation patch from September 2025. I’m documenting my progress as I go, so these are my initial notes and not a polished blog post! From the advisory, I found the KB5065426 article for Windows 11 Version 24H2 (x64) and downloaded the file information for the cumulative update […]
In December 2017, Google Project Zero disclosed a Heap Overflow vulnerability in Jscript.dll. A proof-of-concept (PoC) exploit can be found here. CVE-2017-11907 has been assigned to this vulnerability. This disclosure was part of a series of vulnerabilities in WPAD/PAC and JScript that Google Project Zero reported in 2017. An in-depth technical write-up can […]
On December 18 2017, Ivan Fratric (@ifsecure) from Google Project Zero disclosed a Use-After-Free (UAF) vulnerability in Microsoft Internet Explorer 11. A proof-of-concept (PoC) exploit can be found here on the Google Project Zero website and also on Exploit-DB. CVE-2017-11793 was assigned to this vulnerability. A UAF vulnerability occurs when an object is created, freed and then re-used or […]
I wanted to learn and practice DEP bypass technique so I decided to try it on Easy RM to MP3 Converter version 2.7.3.700 (2006.09.29). I started off with a PoC and modified it for DEP bypass. I tried it all manual first and could craft all of the parameters required for VirtualProtect() successfully but then […]
It’s too late for this blog post but I’ve been caught up with other tasks so couldn’t post this earlier. Anyway, in this blog, we’ll look at how to set up a vulnerable target for CVE-2018-1271 and exploit it. The issue exists in Spring Framework versions 5.0 to 5.0.4 and 4.3 to 4.3.14, which allow applications to configure […]
These are the blogs I’ve published so far…
List of CVE-IDs I’ve published so far…
Oracle patched a critical Java RMI Deserialization vulnerability in WebLogic Server earlier this month (CPU April 2018). It was assigned CVE-2018-2628. However, as @pyn3rd tweeted this morning, it turns out that it was a blacklist-based incomplete fix that could be bypassed easily. #CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately the Critical Patch Update of 2018.4 […]
I was looking for a vulnerable application to practice SEH Bypass and Egg Hunting techniques. I found this exploit on Exploit-DB which exploits a remote buffer overflow vulnerability in Simple Web Server 2.2 rc2. The author of this exploit tested it on a Windows XP machine and it’s a simple EIP overwrite exploit. I decided to […]
# Exploit Title: [Dell Active Roles Unquoted Service Path Privilege Escalation]
# Date: [16/06/2017]
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
# Vendor Homepage: [https://www.oneidentity.com/products/active-roles/]
# Version: [Dell Active Roles versions 7.1, 7.0.4, 7.0.3, 7.0.2, and 7.0 ]
# Tested on: [Dell ActiveRoles version 7.1.2.3406]
# CVE : [GENERIC-MAP-NO-MATCH]
==================
#Product:-
==================
Dell Active Roles […]
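The check a practitioner runs for the bug class in that advisory, added here as an example and not taken from the advisory itself: enumerate services whose binary path is unquoted and contains spaces, list the intermediate paths CreateProcess would try before the real binary, and test whether a low-privileged principal can write into those directories. Exploitation needs all three conditions together: an unquoted path, a writable intermediate directory, and a service running as a more privileged account that can be (re)started. The set of "low-privileged" identities and the rights regex are this example's own assumptions.

```powershell
# Added example (not the advisory's code). Hunt for unquoted service paths and
# rank them by whether the intermediate directory is writable by ordinary users.
function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.TrimStart().StartsWith('"')) { continue }  # quoted: safe
        if ($path -notmatch '^(?<exe>.*?\.exe)') { continue }             # no .exe found: skip
        $exe = $Matches['exe']
        if ($exe -notmatch ' ') { continue }                                # no spaces: safe

        # For C:\Program Files\Vendor\Svc Dir\svc.exe, CreateProcess tries
        # C:\Program.exe, then C:\Program Files\Vendor\Svc.exe, before the real binary.
        $parts = $exe -split ' '
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Name       = $svc.Name
            RunsAs     = $svc.StartName
            StartMode  = $svc.StartMode
            PathName   = $path
            Candidates = $candidates
        }
    }
}

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    # Assumed set of identities that any interactive user belongs to.
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    foreach ($ace in (Get-Acl -LiteralPath $Directory).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # Any right that lets the user create a file in the directory is enough.
        if ($ace.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles') { return $true }
    }
    return $false
}

Get-UnquotedServicePath | ForEach-Object {
    $svc = $_
    foreach ($candidate in $svc.Candidates) {
        [pscustomobject]@{
            Service     = $svc.Name
            RunsAs      = $svc.RunsAs
            StartMode   = $svc.StartMode
            Candidate   = $candidate
            DirWritable = Test-LowPrivWritable -Directory (Split-Path -Path $candidate -Parent)
        }
    }
} | Sort-Object DirWritable -Descending | Format-Table -AutoSize
```

The ACL test is a first pass only: it ignores Deny entries and group nesting, so confirm a hit by actually creating a file in the directory as the unprivileged user (or with icacls). The fix on the defending side is the same whichever service is affected: quote the ImagePath in the service's registry key, and keep the intermediate directories out of reach of BUILTIN\Users.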
I was looking for a vulnerable application to practice SEH Bypass and Egg Hunting techniques. I found this exploit on Exploit-DB which exploits a local buffer overflow vulnerability in Boxoft WAV to MP3 Converter. This exploit does nothing more than pop up a message box on the target machine. I decided to modify it for a reverse shell […]