🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live:

🪞The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long forgotten NTLM relay technique to Kerberos:

https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/

A Look in the Mirror - The Reflective Kerberos Relay Attack
The second blog is about an interesting bug class in COM servers that implement IDispatch, which allows you to potentially create other objects in the process. For example every OOP COM server with IDispatch allows you to create a STDFONT object which isn’t really designed to be safely used cross process. To demo its usefulness I then use the trick to get code injection in a Windows-PPL process from where you could open protected LSASS etc. https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html
Windows Bug Class: Accessing Trapped COM Objects with IDispatch
In case you wonder what broke #ProcessHollowing on Windows 11 24H2, I have something for you: https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2/

POC for CVE-2025-21298 (Windows OLE RCE CVSS 9.8): https://github.com/ynwarcs/CVE-2025-21298

I'll publish some details about the PoC later, but the vulnerability is pretty boring, a double-free (UAF more generally) with a narrow window of time between the two operations so you'd need a miracle to exploit it.

Exploiting Visual Studio via dump files - #CVE-2024-30052: https://ynwarcs.github.io/exploiting-vs-dump-files
Windows Wi-Fi Driver RCE Vulnerability - CVE-2024-30078 https://www.crowdfense.com/windows-wi-fi-driver-rce-vulnerability-cve-2024-30078/
We've updated our blog on abusing file deletes to escalate privileges. We've also released PoC to demonstrate this. The exploit offers a high degree of reliability and eliminates all race conditions. It has been tested on the latest Windows 11 Enterprise. https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks
Zero Day Initiative — Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks
I released a PoC & some details for CVE-2024-38063, an RCE vuln in tcpip.sys patched by MS last week: https://github.com/ynwarcs/CVE-2024-38063

I just released pdbconv, a program to convert PDB files between the plain old MSF format and the new MSFZ format that MS hasn't officially released yet.

It's available on github: https://github.com/ynwarcs/pdbconv

I also made a blog post describing the new format and what led me to write the converter: https://ynwarcs.github.io/pdbconv-pdb-compression

Nice IDA leak LOLOLOL And the server still up? No one working on Saturday morning? OLOLOLOLOLOLOLOL