Articles

How to Use EfiGuard to Disable PatchGuard

Here is a cool video demonstrating how to use EfiGuard: https://www.youtube.com/watch?v=EJGuJp2fqpM. This post condenses the information into a non-video format, and is explicitly for VMware VMs.

Download the release version of EfiGuard here: https://github.com/Mattiwatti/EfiGuard

Open an administrator PowerShell and run the following: The mountvol command with the /S flag

Debugging a Windows Service

There’s a nice guide on how to debug a service here: https://bugslasher.net/2010/10/14/how-to-debug-a-windows-service/, but in my experience trying to configure the registry with gflags has never actually worked. I also find using regedit to be clumsy and tedious. So here, I am sharing some one-liners for setting up service debugging.

Defeating Anti-Debugging with TitanHide

Recently I was looking for bugs in a Windows program which employs a variety of anti-debugging techniques, including:

- Executing the INT 2d instruction (https://anti-debug.checkpoint.com/techniques/assembly.html#int2d)
- Hiding threads from the debugger with NtSetInformationThread (https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread)
- Calling IsDebuggerPresent (https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-isdebuggerpresent)

These measures and more can be defeated with an off-the-shelf driver called TitanHide

Moodle 2nd Order SQLi

Exploitation Summary

Moodle is vulnerable to second-order SQLi by users with Teacher or higher privileges. These privileges are required because the SQLi is in the badge management functionality. When one has the Teacher role for a course it is possible to add a badge which students

ICS Pwn2own 2022 – Ignition

In this blog I’m going to share the details of the vulnerabilities and exploit chain mr_me and I used to try (and fail) to pwn Inductive Automation Ignition at the 2022 ICS Pwn2Own. The tl;dr is that the Ignition server is vulnerable to authentication bypass due to a poorly seeded

Pwn2Own -> Xxe2Rce

This post is going to describe the exploit chain used by mr_me and myself to pwn the Rockwell Studio 5000 Logix Designer at the 2020 ICS Pwn2Own. This was our favorite chain of the contest. Speaking for myself, the reason this chain is so satisfying is because it is kind

Finding a New DataContractSerializer RCE Gadget Chain

I recently started doing some vulnerability analysis against a popular Industrial Control System (ICS) software looking for remote code execution bugs. This bug hunting was motivated by the 2020 Pwn2Own in Miami, which @steventseeley and I ended up winning! The program that was targeted is written in C# and follows

HackSys Extreme Vulnerable Nightmare!!!

One of my vulnerability research goals is to find and exploit a privilege escalation bug in a real-world driver. In preparation to meet this goal I started working with the HackSys Extreme Vulnerable Driver, specifically the 2.0 version on an x64 Windows 7 SP1 system. Being a newcomer

Drupal .htaccess

On a recent engagement I encountered a Drupal site which allowed for some interesting file uploads. The first file upload form had a whitelist of allowed extensions which I was not able to bypass. The second accepted archive formats including tar, zip, and bz2. It would extract the archive and