straightblast (@straight_blast) 's Twitter Profile

ID: 825104215127187456

27-01-2017 22:12:29

69 Tweet

1,1K Followers

54 Following

Adepts of 0xCC (@adeptsof0xcc)

Dear Fellowlship, How is your summer going? Our N-Day owl lock was bored in his holidays and decided to build an exploit for CVE-2020-9273. Check our post: Having fun with a Use-After-Free in ProFTPd (CVE-2020-9273) adepts.of0x.cc/proftpd-cve-20…

Stephon (@khstic)

Don't have the Academy Cubes to spare? Head over to the Hack The Box Discord where I am giving away 500 Academy Cubes in 3 days. Once there, check out the giveaways channel :D Good luck! discord.com/invite/hackthe…

Thijs Alkemade (@xnyhps)

We have published the details of our Zoom exploit in this quite long writeup: sector7.computest.nl/post/2021-08-z… tl;dr: heap buffer overflow when handling key exchange messages for chat encryption.

Sick.Codes (@sickcodes)

Ok, so don't be alarmed but this is an iPhone connected remotely to a Docker container of macOS VM running on Linux using Nikias Bassen's usbfluxd... Yes, I'm adding it to Docker-OSX... not sure how to feel, but this is too powerful... Can literally install apps OTA worldwide...

Ivan Fratric 💙💛 (@ifsecure)

New Project Zero blog post: Fuzzing Closed-Source JavaScript Engines with Coverage Feedback, googleprojectzero.blogspot.com/2021/09/fuzzin…

Richard Johnson (@richinseattle)

Slides and code from my Extra Better Program Finagling (eBPF) Attack and Defense talk at toorcon 2021 have been uploaded to GitHub. Code needs some refactoring from PoC to useful tooling but wanted to get it up. github.com/richinseattle/…

aaron (@arinerron)

Here's a cool project I've been working on during my boring intro CS classes! It's heaptrace, a heap debugger that replaces addresses with symbols to help you understand a program's heap operations. github.com/arinerron/heap…

Maddie Stone (@maddiestone)

✨ New Workshop! Android Exploits 101 🔥📱 I put together an introductory overview of the "shape" of modern 0-day exploit chains for Android. Hope it's helpful 😊 youtu.be/squuwVQiPgg

James Kettle (@albinowax)

Just watched "Practical HTTP Header Smuggling: Sneaking Past Reverse Proxies to Attack AWS and Beyond" - must-read research by Intruder's Daniel Thatcher intruder.io/research/pract…

Ian Beer (@i41nbeer)

Today we're publishing a detailed technical writeup of FORCEDENTRY, the zero-click iMessage exploit linked by Citizen Lab to the exploitation of journalists, activists and dissidents around the world. googleprojectzero.blogspot.com/2021/12/a-deep…

maxpl0it (@maxpl0it)

- Use-after-frees from JIT
- CodeQL for variant analysis
- Never-before-seen exploit primitives
- Tenured heap tomfoolery

I’ve packed just about everything in this post!

Samuel Groß (@5aelo)

Here are the slides from the "Attacking JavaScript Engines in 2022" talk by itszn and myself offensivecon. It's a high-level talk about JS, JIT, various bug classes, and typical exploitation flows but with lots of references for further digging! saelo.github.io/presentations/…

straightblast (@straight_blast)

Here is my writeup and PoC for the AuthN/AuthZ bypass vulnerability in Delinea Secret Server I found some time ago. The patch is available, go update. [Write up/PoC] - straightblast.medium.com/all-your-secre… [Patch Information] - docs.delinea.com/online-help/se… [Vendor Update] - trust.delinea.com/?tcuUid=17aaf4…

Tib3rius (@0xtib3rius)

Unfortunately I have to reshare this as I'm still looking for a position. Had several good initial opportunities but in a lot of cases they were looking for someone less senior and not a web app SME. If your company are hiring specifically web app testers, please DM me. 😁

Atredis Partners (@atredis)

Last year, Brandon and Ali went looking for new attack surface area in Microsoft Exchange. Ultimately, they were able to crash the Exchange file scanner by simply sending an email. Read more on our blog: bit.ly/3xVt4Ch

straightblast (@straight_blast)

The Delinea Secret Server auth bypass vulnerability I discovered earlier this year, that can net access to all stored secrets, has just been assigned CVE-2024-33891. Relive the story - straightblast.medium.com/all-your-secre…

Sonar Research (@sonar_research)

🔥 XSS on any website with missing charset information? 😳 Attackers may leverage the ISO-2022-JP character encoding to inject arbitrary JavaScript code into a website. Read more in our latest blog post: sonarsource.com/blog/encoding-… #appsec #security #vulnerability

RyotaK (@ryotkak)

I recently developed and posted about a technique called "First sequence sync", expanding James Kettle's single packet attack. This technique allowed me to send 10,000 requests in 166ms, which breaks the packet size limitation of the single packet attack. flatt.tech/research/posts…