Ran into a custom XML -> Java deserializer. Limited in what it did. Used reflection to set fields, no setter/getter. Lots of objects blocked. Deserialized object was not used. Exploited it by overwriting static field values on an object that was used in authentication. #ExploitFun
After mainly writing PoCs in Python and C, I just finished a PoC written entirely in Java. I was too lazy to rewrite their auth lib in Python, but what a frustrating experience. 1/10 would not recommend. Anyways, auth bypass + command injection means:
@zlowram_ @alexjplaskett Looks like I have a bit more than 2 months to waste time trying to find the perfect LaTeX lib to generate slides that can display objects in memory and their relationships. Leaving me 2 weeks for actual content 😁
I’m thinking about turning some recent Windows kernel research and exploits into a talk. Does anyone have suggestions for conferences that currently have their CFP open or will open shortly?
@bsdaemon @alexjplaskett @h2hconference 21, that’s quite impressive. I’d joke about finally being able to drink and such, but that only works on Americans :)
After many years and tons of fun I left ExodusIntelligence recently. Enjoying some nice time off right now, spending time with the kids and not IDA 😁 No plans yet for 2024 but I’m sure something exciting will show up.
Hopes are high that some normalcy can return in 2021 and we can see our colleagues again at Blackhat. We're hosting an in-person 5-day training around that time and looking for feedback on timing. Plan before, during, or after the conference?
We're looking for someone to take on our infrastructure, grow it, secure it, modernize it, automate it, and generally make it more awesome. If you live in central Texas and are interested in starting a dialog, reach out to us via [email protected]
https://t.co/mGMWfuFrNL
2019 was a great year for Exodus and 2020 is going to be even better. We're expecting to expand the team on a variety of fronts.
If interested, visit https://t.co/TabRGeAJyP and email [email protected] with a CV and references/published work.
@_2can of our Nday team takes a closer look at the recently patched Chrome vulnerability spotted in the wild (exploit included)
https://t.co/StjtBHA2Nk
ntdll!LdrpSetProtection(0xaddr, 0): good function for x64 exploits. 2 args and a fake PE header (9 values) at 0xaddr and it'll mark it as RWX for you. Too bad it's not exported. Byte match: 48 89 5C 24 08 55 56 57 41 54 41 55 48 83 EC 40 45 33 C0 0F B6 EA 4C 8B E1 48 8B D1
I like how MS keeps insisting that UAC is not a security boundary but they do try to squash bugs and techniques to bypass it. But it is indeed not as sturdy as some of the other protections they have, despite recent changes.