• Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool

    In the past I have spent a lot of time researching web-related vulnerabilities and exploitation and whilst I’m relatively versed in usermode exploitation, I needed to get up to speed on Windows kernel exploitation. Too many times I have tested targets that have kernel device drivers that I have not targeted due to the sheer lack of knowledge. Gaining low privileged code execution is fun, but gaining ring 0 is better!

  • From Serialized to Shell :: Exploiting Google Web Toolkit with EL Injection

    This is a follow-up blog post to my post on auditing Google Web Toolkit (GWT). Today we are going to focus on a specific vulnerability that I found in a GWT endpoint that Matthias Kaiser helped me exploit. Please note that the code has been changed to protect the not-so-innocent whilst they patch.

  • From Serialized to Shell :: Auditing Google Web Toolkit

    Recently I have been looking for vulnerabilities in a target that has some APIs developed with the Google Web Toolkit framework. This is the second time I’ve come up against a target using this technology so I figured it was about time I took some notes.

    It's sufficient to say that I have finally upheld my word. This blog post is more of a reference to my future self, but if some people get something out of it, then more power to them!

  • Word Up! Microsoft Word OneTableDocumentStream Underflow

    Today, Microsoft released MS16-148 to patch CVE-2016-7290, which addresses an integer underflow issue that I found. The underflow later triggers an out-of-bounds read during a copy operation which could result in a stack-based buffer overflow outside of the protected mode winword.exe process when processing a specially crafted binary document file.

  • The Implied Security of memmove()

    tl;dr: Calls to memmove() that use a source buffer that is smaller than the destination buffer can at times be exploitable if the size value is bit aligned, is mapped in memory and the original source buffer is also mapped in memory.

  • Once Upon a Type Confusion

    Last week, Microsoft released MS16-107 to patch CVE-2016-3363, which is a Type Confusion vulnerability within Microsoft Excel 2007, 2010, 2013 and 2016, both 32-bit and 64-bit versions. This post will show you how I determined the vulnerability class and some lightweight technical details around the vulnerability.