sigabrt (@sigabrt9)'s Twitter Profile

ID: 1013847422882275330

02-07-2018 18:10:36

73 Tweets

132 Followers

369 Following

Kalmarunionen (@kalmarunionendm)

Our writeup showing the 0-day we used to escape the Linux kvmtools hypervisor to solve the hxp CTF challenge indie_vmm! kalmarunionen.dk/writeups/2021/… by alexander krog Viktor Edström N00byEdge

Almond OffSec (@almondoffsec)

SAERXCIT implemented some recent AD attacks into LDAP relays - for hardened environments where usual techniques are not working, and wrote about why and when to use them: offsec.almond.consulting/ldap-relays-fo…

Connor McGarr (@33y0re)

Today I am releasing the final post of a 3 part series on “modern” browser exploitation targeting Windows. In this post we port our exploit primitives to Edge itself & combine 12 ROP chains in order to defeat ACG, CIG, DEP, ASLR, CFG, "no child processes" connormcgarr.github.io/type-confusion…

Andrey Konovalov (@andreyknvl)

Wrote an article about #fuzzing the Linux kernel network stack externally with #syzkaller. The article covers: 🧰 Introduction to syzkaller 💉 Using TUN/TAP for packet injection 👽 Integrating TUN/TAP via pseudo-syscalls 🏆 Showcases of found bugs xairy.io/articles/syzka…

Almond OffSec (@almondoffsec)

No PKINIT? No problem! Thanks to team members Yannick and drm, you now have a way to (ab)use your ill-earned ADCS certificates even when domain controllers do not support PKINIT offsec.almond.consulting/authenticating…

434B (@0xricksanchez)

Linux kernel adventures continue. Here's part 2 "Learning Linux kernel exploitation". Took me way longer than expected to work through all the details... How many layers of indirection does one need? The answer is all of them! 0x434b.dev/learning-linux…

RET2 Systems (@ret2systems)

Celebrating #Pwn2Own 2022 week (Trend Zero Day Initiative) with a long-overdue writeup of how we successfully exploited a wild (unbounded) memcpy for a guest-to-host virtualization breakout of Parallels at last year's competition: blog.ret2.io/2022/05/19/pwn…

Fletcher Davis (@gymr4t)

Protocol handlers are such an under-researched area. I don’t think people realize how many custom applications create protocol handlers on installation

chompie (@chompie1337)

Curious about exploiting VMs or memory bugs in a safe language? Read my new blog post, where I attack Firecracker, AWS' VMM written in Rust. Learn about the various layers of virtualization + the attack surface, and how design decisions impact security. graplsecurity.com/post/attacking…

Almond OffSec (@almondoffsec)

Ghostscript RCE CVE-2023-28879 can impact many applications processing images and PDF files. Discovery and exploitation write-up by team member sigabrt : offsec.almond.consulting/ghostscript-cv…

KevinLu (@k3vinlusec)

My new blog “Smash PostScript Interpreters Using a Syntax-Aware Fuzzer” zscaler.com/blogs/security…, the findings include 3 vulnerabilities in Acrobat Distiller and 1 vulnerability in Apple’s PSNormalizer. It’s inspired by ϻг_ϻε's previous Postscript research.

Laluka@OffenSkill (@thelaluka)

Heyo! 🧙‍♂️ Next stream Tuesday, June 6 at 9 pm with sigabrt (and maybe voydstack? 🧐)! 🔥 On the agenda: - Shell in the Ghost | Polishing the CVE-2023-28879 - Google DistroLess 101 | PoC with GoLang & AutoHeal See you soon! 😎🛠️ twitch.tv/thelaluka

Almond OffSec (@almondoffsec)

Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post by drm introduces them through the lens of Python libraries. offsec.almond.consulting/ldap-authentic…

Almond OffSec (@almondoffsec)

Got root, what now? Practical post-exploitation steps on an F5 Big-IP appliance, by team members drm and myst404 offsec.almond.consulting/post-exploitin…

Almond OffSec (@almondoffsec)

Team member sigabrt describes a fuzzing methodology he used to find a heap overflow in a public YesWeHack ⠵ bug bounty program for Gnome: offsec.almond.consulting/using-aflplusp…
