There has been much discussion in cyber security about the possibility of enabling the private sector to engage in active cyber defense, or colloquially “hacking back”. Several house bills have been introduced to study or enable this, such as the “Study on Cyber-Attack Response Options Act” and “Active Cyber Defense …

Up until recently, I’d never tried the bug hunting part of vulnerability research. I’ve been reverse engineering Windows malware for over a decade, and I’d done the occasional patch analysis, but I never saw a point in bug hunting on a major OS. After all, there are teams of vulnerability …

Due to the serious risk of a BlueKeep based worm, I’ve held back this write-up to avoid advancing the timeline. Now that a proof-of-concept for RCE (remote code execution) has been release as part of Metasploit, i feel it’s now safe for me to post this. This article will be …

In August 2019 Microsoft announced it had patched a collection of RDP bugs, two of which were wormable. The wormable bugs, CVE-2019-1181 & CVE-2019-1182 affect every OS from Windows 7 to Windows 10. There is some confusion about which CVE is which, though it’s possible both refer to the same …

Recently YouTube changed its policy on “hacking” tutorials to an essential blanket ban. In the past, such content was occasionally removed under YouTube’s broad “Harmful and Dangerous Content” clause, which prohibited videos “encouraging illegal activity”. An updated policy now specifically targets instructional hacking videos. One major problem here is that …

I held back this write-up until a proof of concept (PoC) was publicly available, as not to cause any harm. Now that there are multiple denial-of-service PoC on github, I’m posting my analysis. Binary Diffing As always, I started with a BinDiff of the binaries modified by the patch (in …

Anyone who uses RegEx knows how easy it is to shoot yourself in the foot; but, is it possible to write RegEx so badly that it can lead to RCE? With VB Script, the answer is yes! In this article I’ll be writing about what I assume to be CVE-2019-0666. …

Today during RSA Conference, the National Security Agency release their much hyped Ghidra reverse engineering toolkit. Described as  “A software reverse engineering (SRE) suite of tools”, Ghidra sounded like some kind of disassembler framework.Prior to release, my expectation was something more than Binary Ninja, but lacking debugger integration. I figured …

Today I’ll be doing an in-depth write up on CVE-2019-0626, and how to find it. Due to the fact this bug only exists on Windows Server, I’ll be using a Server 2016 VM (corresponding patch is KB4487026). Note: this bug was not found by me, I reverse engineered it from …

Hide and Seek (HNS) is a malicious worm which mainly infects Linux based IoT devices and routers. The malware spreads via bruteforcing SSH/Telnet credentials, as well as some old CVEs. What makes HNS unique is there’s no command and control server; instead, it receives updates using a custom peer-to-peer network …