█████  ██   ██  █████  ████████  ██     ██   
██   ██ ██  ██  ██   ██    ██    ███      ██  
███████ █████   ███████    ██     ██       ██ 
██   ██ ██  ██  ██   ██    ██     ██      ██ 
██   ██ ██   ██ ██   ██    ██     ██     ██   
Make Dragonfly BSD great again!
2017-03-23 14:29:25
Recently I spent some time reading the Dragonfly BSD code. While doing so I spotted a vulnerability in the sysvsem subsystem that lets a user point to any piece of memory and write data through it (including kernel space). This can be turned into execution of arbitrary code in the kernel context, and by exploiting it we're going to make Dragonfly BSD great again!

Spawn your shell like it's 90s again!
2016-07-21 09:09:58
Abusing SUID files should have died in the 90s, but surprisingly it's still alive. I accidentally found a Time Of Check To Time Of Use (TOCTOU) issue in mail.local(8) which luckily can be turned into privilege escalation! This article is a quick walk-through of gaining root privileges on NetBSD.

A tale of openssl_seal(), PHP and Apache2handler
2016-02-01 09:11:48
openssl_seal() is prone to using uninitialized memory, which can be turned into code execution. This document describes our journey to hijacking Apache2 requests.
