Exploiting Windows 10 Kernel Drivers - Stack Overflow

Following on from my earlier post [/windows-warbird-privesc/] in which we walked through creating an exploit for the WARBIRD vulnerability, over the next few posts I'm going to be looking at Windows kernel exploitation. If you haven't had a chance to read it, I'd recommend that you pause and give it a quick glance, as some of this walkthrough will rely on concepts introduced previously. This post will start off by laying the groundwork for future posts and walking through a simple stack overflow ... Read More »

ExplodingCan - A vulnerability review

A few months ago, my colleagues over at Secarma released a review of ExplodingCan, one of the many exploits released as part of the ShadowBrokers dump. At the time I was asked to complete a review of the vulnerability, specifically how this affected a vulnerable server and if anything could be done to protect users. My analysis of the vulnerability can now be found over at Secarma Labs: https://www.secarma.co.uk/labs/explodingcan-a-vulnerability-review/ Enjoy :)... Read More »

Foomatic-RIP (CVE-2015-8560)

Just a quick writeup today: recently I uncovered an issue in the Foomatic-RIP package. The bug can be found within the "filter/foomatic-rip/util.c" source and is due to the blacklist of characters used within the following line: const char* shellescapes = "|&!$\'\"`#*?()[]{}"; This blacklist is used to sanitise characters that are later passed to the libc system() call. It seems that this blacklist is missing the ; character, which means that if we can influence an argument passed to foomatic-rip which is... Read More »