As I mentioned in the previous post, I’m writing this series while preparing for Offensive Security Exploitation Expert (OSEE). In this post, we will use HackSys Extreme Vulnerable Driver (HEVD) which you can download from Github. Yes, HEVD is open source and its symbols are available, so at first that sounds like it defeats the […]
This is not a blog but my notes about setting up the NTSD debugging which I found useful in one of my previous jobs where I had to fuzz the REST API.
I spent some time over the Christmas break least year learning the basics of Windows Internals and thought it was a good opportunity to use my naive reverse engineering skills to find answers to my own questions. This is not a blog but rather my own notes on Windows Internals. I’ll keep updating them and […]
In the previous blog post, we analysed the MOVEit Transfer patch that mitigates a SQL injection vulnerability (CVE-2023-34362) and figured out the entire call flow to reach the vulnerable method, SetAllSessionVarsFromHeaders(). It looks like this: /moveitisapi/moveitisapi.dll?action=m2 –> Machine2.aspx –> DoTransaction() –> SetAllSessionVarsFromHeaders(). What we did was just figured out the entry point and we still need to […]
Although, the MOVEit Transfer N-Day exploit party is over, I recently started my Patch Diffing journey, so I was looking for another target to practice my skills and survive the painful journey of patch diffing / exploit development. The analysis of unauthenticated SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362) appeared to be challenging yet rewarding […]
Update (June 20 2023): This blog is based on the vulnerability I discovered/reported in SAP SQLAnywhere 17.0 (CVE-2023-33990) back in January 2023. SAP patched it in July 2023; however, their product security response team declined to credit me for this disclosure because I reported the vulnerability through their customer support channel, which was the standard […]
Patch Diffing / Reverse Engineering Blogs Patch Diffing Microsoft Windows Wi-Fi Driver Vulnerability (CVE-2024-30078) – Part 1 Patch Diffing Microsoft Windows Wi-Fi Driver Vulnerability (CVE-2024-30078) – Part 2 PATCH DIFFING: MOVEIT TRANSFER PRE-AUTHENTICATED SQL INJECTION VULNERABILITY (CVE-2023-34362) – PART 1 PATCH DIFFING: MOVEIT TRANSFER PRE-AUTHENTICATED SQL INJECTION VULNERABILITY (CVE-2023-34362) – PART 2 Browser Exploitation ANALYSIS […]
You load a Windows driver into Ghidra, wait for analysis to finish, and then stare at what looks like nonsense: unnamed functions, broken types, generic variables, and no obvious sign of where the real driver logic begins. If you do not have private symbols (.pdb files), this is normal. In this post, we will see […]
I’ve just started looking at the NTLM privilege escalation patch from September 2025. I’m documenting my progress as I go, so these are my initial notes and not a polished blog post! From the advisory, found this KB5065426 article for Windows 11 Version 24H2 (x64) and downloaded the download the file information for cumulative update […]
In December 2017, Google Project Zero disclosed a Heap Overflow vulnerability in Jscript.dll. A proof-of-concept (PoC) exploit can be found here. A CVE-2017-11907 has been assigned to this vulnerability. This disclosure was part of a series of vulnerabilities in WPAD/PAC and JScript that Google Project Zero reported in 2017. An in depth technical write-up can […]
On December 18 2017, Ivan Fratric (@ifsecure) from Google Project Zero disclosed a Use-After-Free (UAF) vulnerability in Microsoft Internet Explorer 11. A proof-of-concept (PoC) exploit can be found here on Google Project Zero website and also on Exploit-DB. A CVE-2017-11793 was assigned to this vulnerability. A UAF vulnerability occurs when an object is created, free-ed and then re-used or […]
I wanted to learn and practice DEP bypass technique so I decided to try it on Easy RM to MP3 Converter version 2.7.3.700 (2006.09.29). I started off with a PoC and modified it for DEP bypass. I tried it all manual first and could craft all of the parameters required for VirtualProtect() successfully but then […]
It’s too late for this blog post but I’ve been caught up with other tasks so couldn’t post this earlier. Anyways, in this blog, we’ll look at how to setup a vulnerable target for CVE-2018-1271 and exploit it. The issue exists in Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, allow applications to configure […]
These are the blogs I’ve published so far….
List of CVE-IDs I’ve published so far…
Oracle patched a critical Java RMI Deserialization vulnerability in WebLogic server earlier this month (CPU April 2018). It was assigned CVE-2018-2628. However, as @pyn3rd tweeted this morning, it turns out that it was a blacklist based incomplete fix that could be bypassed easily. #CVE-2018-2628 Weblogic Server Deserialization Remote Command Execution. Unfortunately the Critical Patch Update of 2018.4 […]
I was looking for a vulnerable application to practice SEH Bypass and Egg Hunting techniques. I found this exploit on Exploit-DB which exploits a remote buffer overflow vulnerability in Simple Web Server 2.2 rc2. The author of this vulnerability tested this exploit on a Windows XP machine and it’s a simple EIP overwrite exploit. I decided to […]
# Exploit Title: [Dell Active Roles Unquoted Service Path Privilege Escalation] # Date: [16/06/2017] # Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot # Vendor Homepage: [https://www.oneidentity.com/products/active-roles/] # Version: [Dell Active Roles versions 7.1, 7.0.4, 7.0.3, 7.0.2, and 7.0 ] # Tested on: [Dell ActiveRoles version 7.1.2.3406] # CVE : [GENERIC-MAP-NO-MATCH] ================== #Product:- ================== Dell Active Roles […]
I was looking for a vulnerable application to practice SEH Bypass and Egg Hunting techniques. I found this exploit on Exploit-DB which exploits a local buffer overflow vulnerability in Boxoft WAV to MP3 Converter. This exploit does nothing much but pops up a message box on the target machine. I decided to modify it for reverse shell […]