CVE-2024-31127: Zscaler Client Connector 4.1.500.3 NSXPC Local Privilege escalation
It was possible to achieve local privilege escalation (LPE) through the following high-level abuse steps:
Conferences | Topics | Slides/Tools |
---|---|---|
BSides BSK 2022 | Who the F Called Me?: Trampoline Hook Caller Function Metadata Acquisition | Presentation |
DEF CON London (DC4420) 2022 | Who the F Called Me?: Trampoline Hook Caller Function Metadata Acquisition | Presentation |
x33fcon 2024 | Hunting for macOS Logic Bugs: Logic not Included! | Presentation |
Beacon C2 2024 | Hunting for macOS Logic Bugs: Logic not Included! | Presentation |
Balkan Computer Congress (BalCCon) 2024 | Taking the “B” Out of DBA – An Unconventional Attack Path Against AD FS Through Database Administration | Presentation |
SO-CON (SpecterOps Con) 2025 | Taking the “B” Out of DBA – An Unconventional Attack Path Against AD FS Through Database Administration | |
AWS Client VPN 3.9.0 allows a local attacker to maliciously kill the VPN connection, revert/fix the DNS settings and completely uninstall the AWS Client VPN ...
It was possible to achieve local privilege escalation (LPE) through the following high-level abuse steps: Identification of weak POSIX directory and file ...
It was possible for an attacker to load an unsigned malicious dylib into the /Applications/Upwork.app/Contents/MacOS/Upwork Mach-O and inherit entitlements w...
A directory junction could be created in place of a directory which the Zscaler Client Connector uses as part of the log file export process. This directory ...
Visual Studio can be bloat; CMake and FindWDK allow for easy WDM driver compilation on the command line.
Had an ASUS RT-AC1200G+ router that was doing nothing, had been watching Flashback team videos on YouTube and was feeling a bit bored. Popped the router open ...
Stripping Win32 and CRT dependencies from Windows PEs to solely depend on NTDLL.dll.
Writing very very simple and tiny shellcode loaders using MASM assembly for the fun of it.
This was research that was done for a University BSc Cyber Security and Digital Forensics dissertation; this project was chosen as a challenge as my Windows ...