I don't always Invoke-RestMethod, but when I do, I always forget to first do { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 }
Tired of noobs complaining that the WINAPI for malware development is weird. It's not.
How do you create a file?
The CreateFile function.
How do you open a file for reading?
The CreateFile function.
How do you open a file for writing?
The CreateFile function.
How do you get a handle to a directory?
The CreateFile function.
How do you delete a file?
The CreateFile function.
How do you get access to a physical disk?
The CreateFile function.
How do you get access to a file stream?
The CreateFile function.
How do you get access to the console buffer?
The CreateFile function.
How do you get access to pipes?
The CreateFile function.
How do you perform interprocess communication?
The CreateFile function.
Just make sure you use the appropriate version of CreateFile (CreateFileA for ANSI, or CreateFileW for wide characters).
Alternatively, you can use CreateFile2, which is the same as CreateFile except the parameters are passed as a data structure named CREATEFILE2_EXTENDED_PARAMETERS. However, be aware that CreateFile2 only works on Windows 8 and above and is designed more or less for programs running from the Windows app store.
Alternatively, alternatively, you could use CreateFile3, which is nearly identical to CreateFile2 except it uses the CREATEFILE3_EXTENDED_PARAMETERS structure and is more or less designed for sandboxed packaged applications. However, be aware that CreateFile3 only works on Windows 11 24H2 and above.
It's shrimple, honestly.
The Crypto Layer Bug Bounty Misses
Every bug bounty hunter tests for SQLi, XSS, IDOR, auth bypass.
Almost nobody tests the crypto layer.
Not because it's hard. Because nobody showed them where to look.
The server doesn't hand you the key. It leaks math through its behavior.
A timing delta. A Content-Length difference of three bytes. A distinct HTTP status code on bad padding.
That's the oracle. The oracle exists before you exploit it.
CVE-2025-22150: undici, the HTTP client behind Node.js fetch, insufficient randomness in session token generation. Every modern Node.js app is a candidate. One curl captures the token. UUIDv1 structure exposes MAC address and timestamp. The Iterate step enumerates a ±1 second window, 10 million 100ns ticks. The Take step hijacks the session.
BREACH turns HTTP compression into a CSRF token extractor. The oracle isn't in the app: it's in Nginx, running silently at the proxy layer. Most hunters check "does the app use compression" and move on. The oracle is already there.
Padding oracle: one malformed ciphertext, one status code difference. Byte by byte, the plaintext surrenders. Then you forge the admin token and fire it.
That's LIT. Leak. Iterate. Take.
This work covers 4 attack families. 21 CVEs. 5 chapters. Padding oracles. Compression oracles. PRNG seed recovery. Hash length extension.
Every technique has a LIT-labeled PoC. Every command tested on Ubuntu 24. No theory without payload. No placeholder code.
Three original detection primitives named here first: Oracle Classifier, Compression Oracle Probe, Signature Surface Probe. No existing scanner packages these as standalone pre-flight checks.
Most hunters walk past this every day.
Full breakdown in the replies.
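An audit check for the UUIDv1 token weakness described in the thread above, added here as an example and not part of the original posts. It uses only Python's standard library; the sample timestamps, node and clock-sequence values are constructed, and `make_sample_uuid1` exists only to build test input.

```python
import uuid
from datetime import datetime, timezone

# 100 ns ticks between the UUID epoch (1582-10-15) and the Unix epoch.
UUID_EPOCH_OFFSET = 0x01B21DD213814000
TICKS_PER_SECOND = 10_000_000  # one second is 10 million 100 ns ticks


def audit_token(token: str) -> dict:
    """Flag a session token that is a time-based (version 1) UUID.

    A UUIDv1 is not random: 60 bits are a 100 ns timestamp, 14 bits a
    clock sequence and 48 bits the node (normally a MAC address).
    """
    try:
        u = uuid.UUID(token)
    except ValueError:
        return {"verdict": "not-a-uuid"}
    if u.version != 1:
        return {"verdict": "ok", "version": u.version}
    unix_seconds = (u.time - UUID_EPOCH_OFFSET) // TICKS_PER_SECOND
    return {
        "verdict": "weak-uuidv1",
        "version": 1,
        "unix_time": unix_seconds,
        "issued_at": datetime.fromtimestamp(unix_seconds, tz=timezone.utc).isoformat(),
        "clock_seq": u.clock_seq,
        "node_hex": f"{u.node:012x}",
        # RFC 4122 sets the multicast bit (bit 0 of the first node octet)
        # when the node is random rather than a real MAC address.
        "node_is_random": bool((u.node >> 40) & 0x01),
        # Once the issuing second is known, this is the whole candidate space.
        "candidates_per_second": TICKS_PER_SECOND,
    }


def make_sample_uuid1(unix_seconds: int, node: int, clock_seq: int = 0) -> str:
    """Construct a UUIDv1 for a chosen Unix time (test input, not a real token)."""
    t = unix_seconds * TICKS_PER_SECOND + UUID_EPOCH_OFFSET
    time_low = t & 0xFFFFFFFF
    time_mid = (t >> 32) & 0xFFFF
    time_hi_version = ((t >> 48) & 0x0FFF) | (1 << 12)        # version 1
    clock_seq_hi_variant = ((clock_seq >> 8) & 0x3F) | 0x80   # RFC 4122 variant
    clock_seq_low = clock_seq & 0xFF
    return str(uuid.UUID(fields=(time_low, time_mid, time_hi_version,
                                 clock_seq_hi_variant, clock_seq_low, node)))
```

Run it over the tokens your own application issues: any "weak-uuidv1" verdict means the token is derived from the server clock and interface rather than from a CSPRNG.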
HallWatch - User-mode detector that catches indirect syscalls. Traps Hell's Hall, Tartarus' Gate, RecycledGate, and VEH syscalls & many more https://t.co/pPc7o9NnwP
Kernel-Exploit-Dojo 📍
Curated archive of 100+ Linux kernel exploitation CTF challenges, organized by bug class, exploitation primitive, final technique, difficulty, and solve count.
The goal is to organize practical kernel pwn techniques such as UAF, heap spraying, pipe_buffer abuse, msg_msg, modprobe_path overwrite, and cred overwrite.
Resource: https://t.co/h1F2CD70Oc
i love this exploit! universal SELinux bypass still works to this day. I released it for Qualcomm based processors and just realized I never released the Exynos version so here it is unprivated: https://t.co/rW1Kr8CLva
Wormable RCE in Windows DNS. Wormable RCE in SMBv3. Linux kernel exploitation via eBPF and io_uring. Windows 11 kernel LPE. Android kernel exploitation bypassing DAC, SELinux, and Knox.
Full exploit chains with working PoCs. Heap grooming. ASLR bypass. CFG bypass. Type confusion. Kernel privilege escalation across three operating systems.
All free. All published with full writeups.
https://t.co/txZSShQlnW
Author: @chompie1337
#ExploitDevelopment #ReverseEngineering #InfoSec
RSA private keys biased toward 0 bits can be factored by swapping a hard math problem for an easy one: integer factorization becomes polynomial factorization.
We found hundreds of real-world keys vulnerable to this. Many traced to a type mismatch in CompleteFTP (now patched): each 32-bit limb got only 8 bits of randomness. We recovered 603 RSA and 74 DSA private keys. https://t.co/C2jcxVW9WG
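Why that bias turns factoring into polynomial factorization, as an added illustration rather than the authors' own derivation. It assumes the low 8 bits of each 32-bit limb are random and the other 24 are zero, and 1024-bit primes (32 limbs each); the limb count only affects the constant in the bound.

```latex
\begin{aligned}
&\text{Let } B = 2^{32}. \text{ With only the low 8 bits of each limb random, write}\\
&\quad p = \sum_{i=0}^{31} a_i B^i,\qquad q = \sum_{j=0}^{31} b_j B^j,\qquad 0 \le a_i, b_j \le 2^8 - 1,\\
&\text{and set } P(x) = \sum_i a_i x^i,\; Q(x) = \sum_j b_j x^j, \text{ so that } p = P(B),\; q = Q(B).\\
&\text{Then } N = pq = R(B) \text{ with } R(x) = P(x)\,Q(x) = \sum_{k=0}^{62} c_k x^k,\qquad
  c_k = \sum_{i+j=k} a_i b_j .\\
&\text{Each } c_k \text{ has at most 32 terms, so } c_k \le 32\,(2^8-1)^2 < 2^{21} < B,\\
&\text{hence evaluating } R \text{ at } B \text{ produces no carries and the base-}B
  \text{ limbs of } N \text{ are exactly } c_0,\dots,c_{62}.\\
&\text{Reading the limbs of } N \text{ therefore gives } R(x) \in \mathbb{Z}[x] \text{ directly; factoring } R \text{ over } \mathbb{Z}\\
&\text{is polynomial time (LLL-based), and } P(B),\, Q(B) \text{ recover } p \text{ and } q.
\end{aligned}
```

If R splits into more than two irreducible factors over Z, p and q are products of subsets of them, a search that is tiny compared with factoring N.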
I'm excited to get v3 of JS-Tap released publicly.
3 new beacons for persistence on endpoints, BEX (malicious browser extension), Atom (electron app implant), and V8 (node/bun app implant). Read more here:
https://t.co/7LphrdF0Fo
Find me at BlackHat Arsenal for a demo.
MSSQL has always been a favorite target. Now it ships its own egress channel.
@gershsec's latest research breaks down how SQL Server 2025's native AI features enable exfil, NTLM coercion, and C2 transport, all functioning as intended.
Read more 👇 https://t.co/ugDN4IcZXW
🚨 Introducing "ITScape" (CVE-2026-46316)
A Guest-to-Host Escape in KVM/arm64. Guest-side actions alone exploit a use-after-free to run root-privileged code in the host kernel.
Unlike the commonly published QEMU escapes, the bug lives in in-kernel KVM, not QEMU. On a successful exploit, commands run with host kernel privilege rather than the privilege of a user process, threatening the guest-host isolation of multi-tenant arm64 public clouds.
To the best of public knowledge, the first Guest-to-Host Escape Exploit targeting in-kernel KVM/arm64.
Details: https://t.co/CtZOQEzIdg
Along with extensive refactoring & numerous bug fixes, two new LBR commands have been added:
The '!lbr' command:
https://t.co/gxVZoKliYy
The '!lbrdump' command:
https://t.co/RSEvHy5CUt
Also, the script engine now includes 5 new functions to support LBR:
https://t.co/EEn9oM6J3A
Padding Oracle in MS-BKRP (BackuprKey RPC)
“decrypt DPAPI v2/v3 domain backup blobs via distinguishable error codes on the DC's BackuprKey endpoint.”
You need the masterkey in the user's roaming dir: Roaming\Microsoft\Protect\<SID>\<GUID>
Creds: Bad-Jubies
https://t.co/oohapnM0HP
We helped FFmpeg find and fix 21 security vulnerabilities.
In a 1.5M-line codebase, we spent just $1K in API costs. Some of these bugs had been hiding for decades.
We also developed a PoC demonstrating an RCE primitive when FFmpeg processes RTSP streams.
Full write-up: https://t.co/mIrjirCgcB
We got married on a Saturday in Canada. On Monday, we were emigrating to the United States. My new wife and I said goodbye to the movers, flew to the border, and I got pulled into the big glass room for "extra questioning".
From her vantage point, she could see the immigration officer yelling, turning red, and waving his arms. She thought we were being denied entry... my Microsoft dreams crashing down right there.
What she couldn’t hear was that he had already approved my work visa. He was furious because their copy of Microsoft Word was printing a blank page at the end of every document, and it was wasting paper, and he wanted it fixed.
I helped adjust the margins. And so, after fixing the borders at the border, they released us to our new life in America.
For 19 years, GPS satellites have secretly broadcast a “numbers station” in their public signals. We decoded 12M messages: a 2011 flash where 31 of 32 satellites flipped in hours, “ghost” substrings repeating years apart, and a “TEXT” prefix spreading now. https://t.co/xz3svmqiDa