🚨 Our new blog post about Windows CVE-2025-33073 which we discovered is live:

🪞 The Reflective Kerberos Relay Attack - Remote privilege escalation from low-priv user to SYSTEM with RCE by applying a long-forgotten NTLM relay technique to Kerberos:

https://blog.redteam-pentesting.de/2025/reflective-kerberos-relay-attack/

A Look in the Mirror - The Reflective Kerberos Relay Attack

It is a sad truth in IT security that some vulnerabilities never quite want to die, and time and time again vulnerabilities that have long been fixed get revived and come right back at you. While researching relay attacks, the bane of Active …

@fonetone Hey! I believe the CVE affects both RTF emails and regular documents as well. In my proof of concept I provided an RTF document for simplicity's sake, as reproducing the vulnerability via e-mail would require a more complicated setup. Nevertheless, any application that parses RTF files is most likely vulnerable, as they will all use the vulnerable ole32.dll library to extract OLE object data from RTF data.

On a separate note, it is indeed confusing that Microsoft makes an effort to single out the Outlook/email use case. I imagine it is so because it's the only application they ship where the vuln could be triggered without user interaction.

The second blog is about an interesting bug class in COM servers that implement IDispatch, which allows you to potentially create other objects in the process. For example every OOP COM server with IDispatch allows you to create a STDFONT object which isn't really designed to be safely used cross process. To demo its usefulness I then use the trick to get code injection in a Windows-PPL process from where you could open protected LSASS etc. https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html

Windows Bug Class: Accessing Trapped COM Objects with IDispatch

Posted by James Forshaw, Google Project Zero Object orientated remoting technologies such as DCOM and .NET Remoting make it very easy ...

In case you wonder what broke #ProcessHollowing on Windows 11 24H2, I have something for you: https://hshrzd.wordpress.com/2025/01/27/process-hollowing-on-windows-11-24h2/

Process Hollowing on Windows 11 24H2

Process Hollowing (a.k.a. RunPE) is probably the oldest and the most popular process impersonation technique (it allows running a malicious executable under the cover of a benign process). It is us…

@jaydinbas Thanks! And sorry for the late reply. In theory it should be possible to trigger the vulnerability via OLE 2.0 objects. I haven't yet published the details on how the proof of concept works, but I will hopefully do it soon.

In short: as long as the application calls OleLoad (or a variant) on the object, and the object has a CLSID corresponding to StaticDib or StaticMetafile with the clipboard format in the data set to 2 (CF_BITMAP), you should be able to trigger the vuln.
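The condition in the reply above has a static half that can be checked offline: which CLSID the embedded object's storage carries. The Python script below is an added example, not code from the post, from the PoC repository or from ole32.dll. It pulls \objdata blobs out of an RTF document, walks the OLE1 EmbeddedObject header (MS-OLEDS) to the embedded compound file, and reads the root storage's directory-entry CLSID, which is what ReadClassStg (and therefore OleLoad) uses to pick the class, flagging StaticDib and StaticMetafile. It does not parse the presentation stream, so the CF_BITMAP half of the condition is not checked. The sample document is constructed inline (a minimal compound file with only a root entry, class name "Package" as a placeholder), and the Word.Document.8 CLSID is used only as a benign control.

```python
import re
import struct
import uuid

# CLSIDs of OLE's static picture classes (ole2.h). Word.Document.8 is the benign control case.
CLSID_STATIC_METAFILE = uuid.UUID("00000315-0000-0000-C000-000000000046")
CLSID_STATIC_DIB = uuid.UUID("00000316-0000-0000-C000-000000000046")
CLSID_WORD_DOCUMENT = uuid.UUID("00020906-0000-0000-C000-000000000046")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF

_OBJDATA_RE = re.compile(r"\\objdata\b([0-9a-fA-F\s]+)")


def extract_objdata(rtf_text: str) -> list:
    """Hex-decode every {\\*\\objdata ...} group; each one is an OLE1 object stream."""
    return [bytes.fromhex(re.sub(r"\s", "", m.group(1))) for m in _OBJDATA_RE.finditer(rtf_text)]


def _lp_ansi(buf: bytes, off: int):
    """LengthPrefixedAnsiString (MS-OLEDS 2.1.4): u32 byte count (incl. NUL), then the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_ole1_embedded(blob: bytes) -> dict:
    """Parse the OLE1 EmbeddedObject layout (MS-OLEDS 2.2.5) that RTF carries in \\objdata."""
    ole_version, format_id = struct.unpack_from("<II", blob, 0)
    if format_id != 2:  # 0x2 = EmbeddedObject; 0x1 is a LinkedObject, not handled here
        raise ValueError(f"unsupported FormatID {format_id:#x}")
    class_name, off = _lp_ansi(blob, 8)
    _topic, off = _lp_ansi(blob, off)
    _item, off = _lp_ansi(blob, off)
    (native_size,) = struct.unpack_from("<I", blob, off)
    native = blob[off + 4:off + 4 + native_size]
    if len(native) != native_size:
        raise ValueError("truncated NativeData")
    return {"ole_version": ole_version, "class_name": class_name, "native": native}


def cfb_root_clsid(cfb: bytes) -> uuid.UUID:
    """CLSID on the root storage's directory entry: ReadClassStg returns it and OleLoad
    uses it to choose the class, so this is the CLSID the reply refers to."""
    if cfb[:8] != CFB_MAGIC:
        raise ValueError("NativeData is not a compound file")
    (sector_shift,) = struct.unpack_from("<H", cfb, 30)
    (first_dir_sector,) = struct.unpack_from("<I", cfb, 48)
    dir_off = (first_dir_sector + 1) << sector_shift  # sector n starts at (n + 1) * sector size
    root = cfb[dir_off:dir_off + 128]  # directory entries are 128 bytes; entry 0 is the root
    if len(root) != 128 or root[66] != 5:  # object type 5 = root storage
        raise ValueError("first directory entry is not a root storage")
    return uuid.UUID(bytes_le=bytes(root[80:96]))


def scan_rtf(rtf_text: str) -> list:
    """Flag embedded objects whose storage CLSID is StaticDib or StaticMetafile."""
    findings = []
    for i, blob in enumerate(extract_objdata(rtf_text)):
        obj = parse_ole1_embedded(blob)
        clsid = cfb_root_clsid(obj["native"])
        findings.append({
            "index": i,
            "class_name": obj["class_name"],
            "clsid": str(clsid),
            "static_picture": clsid in (CLSID_STATIC_DIB, CLSID_STATIC_METAFILE),
        })
    return findings


# --- constructed sample input (not a real document): minimal CFB wrapped in OLE1 and RTF ---

def build_sample_cfb(root_clsid: uuid.UUID) -> bytes:
    """Header + one FAT sector + one directory sector holding only a root entry."""
    header = bytearray(512)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, sector shifts
    # numDirSectors, numFatSectors, firstDirSector, transaction, miniCutoff, firstMiniFat, numMiniFat, firstDifat
    struct.pack_into("<IIIIIIII", header, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN)
    header[76:512] = b"\xff" * 436  # DIFAT: all FREESECT ...
    struct.pack_into("<I", header, 76, 0)  # ... except DIFAT[0]: the FAT lives in sector 0
    fat = bytearray(b"\xff" * 512)  # sector 0 = the FAT itself, sector 1 = directory (one-sector chain)
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)
    directory = bytearray(512)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    directory[0:len(name)] = name
    struct.pack_into("<HBBIII", directory, 64, len(name), 5, 1, NOSTREAM, NOSTREAM, NOSTREAM)
    directory[80:96] = root_clsid.bytes_le  # the 16 bytes ReadClassStg hands back
    struct.pack_into("<IQ", directory, 116, ENDOFCHAIN, 0)  # empty mini stream
    return bytes(header + fat + directory)


def _lp(s: str) -> bytes:
    data = s.encode("latin-1") + b"\x00" if s else b""
    return struct.pack("<I", len(data)) + data


def build_sample_rtf(root_clsid: uuid.UUID) -> str:
    """OLE1 EmbeddedObject (OLEVersion 0x501, FormatID 2, placeholder ClassName) inside an RTF \\object."""
    cfb = build_sample_cfb(root_clsid)
    ole1 = struct.pack("<II", 0x0501, 2) + _lp("Package") + _lp("") + _lp("") + struct.pack("<I", len(cfb)) + cfb
    return "{\\rtf1{\\object\\objemb{\\*\\objdata " + ole1.hex() + "}}}"


if __name__ == "__main__":
    for clsid in (CLSID_STATIC_DIB, CLSID_WORD_DOCUMENT):
        print(scan_rtf(build_sample_rtf(clsid)))
```

Run against a real document, `scan_rtf(open(path, encoding="latin-1").read())` is enough; a hit only means the CLSID half of the trigger is present, and a file that keeps its object in a non-root storage or uses the OLE1 LinkedObject layout will raise rather than be silently cleared.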

POC for CVE-2025-21298 (Windows OLE RCE CVSS 9.8): https://github.com/ynwarcs/CVE-2025-21298

I'll publish some details about the PoC later, but the vulnerability is pretty boring: a double-free (a UAF, more generally) with a narrow window of time between the two operations, so you'd need a miracle to exploit it.

GitHub - ynwarcs/CVE-2025-21298: Proof of concept & details for CVE-2025-21298

Proof of concept & details for CVE-2025-21298. Contribute to ynwarcs/CVE-2025-21298 development by creating an account on GitHub.

Exploiting Visual Studio via dump files - #CVE-2024-30052: https://ynwarcs.github.io/exploiting-vs-dump-files

Exploiting Visual Studio via dump files - CVE-2024-30052

Windows Wi-Fi Driver RCE Vulnerability - CVE-2024-30078 https://www.crowdfense.com/windows-wi-fi-driver-rce-vulnerability-cve-2024-30078/

Windows Wi-Fi Driver RCE Vulnerability - CVE-2024-30078 - Crowdfense

Analysis of CVE-2024-30078, a Windows Wi-Fi driver vulnerability. Detailed root cause analysis and exploitation constraints.

We've updated our blog on abusing file deletes to escalate privileges. We've also released a PoC to demonstrate this. The exploit offers a high degree of reliability and eliminates all race conditions. It has been tested on the latest Windows 11 Enterprise. https://www.zerodayinitiative.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-escalate-privilege-and-other-great-tricks

Zero Day Initiative — Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks

We would like to thank researcher Abdelhamid Naceri for his great work in developing these exploit techniques, as well as for the vulnerabilities he has been reporting to our program. We look forward to seeing more from him in the future. Until then, follow the team on Twitter , Mastodon , Linked

@malwaretech Nice, this was pretty much my journey through the investigation too. I added a link to your analysis in the PoC repo; it's much more useful than my recap. I normally would've written a blog post too, but one of my arms is out of service for the next few weeks due to an injury and I didn't have the patience to do it at 20 wpm.