0day

Let me store that for you

11 September 2020 ~7 min By Paul van der Haas
0day Dll Hijacking Privilege Escalation
A while ago Jonas Lykkegaard disclosed a zeroday that could be used to create files in the SYSTEM folder. CVE-2020-16885 got assigned for this vulnerability, and was since patched with KB4580346. This vulnerability was very convenient for Dynamic-link library (DLL) side-loading, which I will show in this blog post. Below you can find his original Twitter message. Unprivileged users are not allowed to create files in system32 folder- on hyper-v hosts they finally realised that unprivileged lives matters too as anyone can now create files there , with creater as owner, just open like this: pic.twitter.com/Pd6nnqhcKZ

The hunt for Chromium issue 1072171

29 May 2020 ~29 min By Javier Jimenez
Browser Chrome Exploit Development Vulnerability Research 0day V8 Vulnerability
Intro The last few months I’ve been studying Chrome’s v8 internals and exploits with the focus of finding a type confusion bug. The good news is that I found one, so the fuzzing and analysis efforts didn’t go to waste. The bad news is that I can reliably trigger the vulnerability but I haven’t found a way to weaponise it yet. If you don’t have prior knowledge of v8, I encourage you to take some time and read through the previous post I wrote. It covers all of the basics regarding the v8 compiler and tools that helped me throughout my research. More importantly, it will help newcomers understand all of the research described within this post.

Being Stubborn Pays Off pt. 2 – Tale of two 0days on PRTG Network Monitor

22 May 2020 ~9 min By Javier Jimenez
0day Exploit Development Webapps Dos Monitor Network Poc Proofofconcept Prtg Prtg Network Monitor Rce Shodan
Intro Last year I wrote how to weaponize CVE-2018-19204. This blog post will continue and elaborate on the finding and analysis of two additional vulnerabilities that were discovered during the process; one leading to an arbitrary write as system where the contents can’t be fully controlled and the other leading to Remote Code Execution as SYSTEM. Both vulnerabilities require you to have the administrator password for PRTG Network Monitor. Often you just get lucky, as the software defaults to prtgadmin:prtgadmin for the username and password respectively.

Being Stubborn Pays Off pt. 1 – CVE-2018-19204

18 April 2019 ~10 min By Javier Jimenez
Cve Exploit Development Internals Webapps 0day Cve-2018-19204 Exploit Prtg Network Monitor Web Application
Intro During an internal assessment, I came across monitoring software that had default credentials configured. This monitoring software allowed for the creation of sensors, but, none of which would allow for code execution or any other things that could compromise an underlying system. Turns out, it was a vulnerable version based on a publicly known CVE, but there was no public exploit code. Join me in this quest on building an exploit!