Charles Quin

47 posts

Charles Quin banner
Charles Quin

Charles Quin

@CharlessQuinn

🇪🇸✝️ Senior Exploit Development / Red Team Ops

Metaverse Katılım Şubat 2026
37 Takip Edilen42 Takipçiler
Charles Quin
Charles Quin@CharlessQuinn·
Really impressive work. What stood out to me is that this isn't just another IDT hook demonstration—it shows that even with VBS, HVCI and kCET enabled, data-only manipulation remains an interesting research direction. Using an FWA-backed cloned IDT instead of modifying the live table directly significantly reduces the footprint and highlights how page-table translation itself can become part of the attack surface. The distinction between changing the physical backing while preserving the same virtual IDTR mapping is particularly elegant. Another interesting takeaway is the separation between the interrupt dispatch path and the Windows x64 ABI. Many people conflate the legacy INT 0x2E mechanism with modern syscall execution, but using it purely as a controlled dispatch bridge while restoring both the service table entry and the original mapping demonstrates a much deeper understanding of Windows internals. Research like this is also a reminder that modern mitigations increasingly protect control-flow, while attackers and researchers keep exploring data-flow assumptions instead. That's where many of the most interesting future kernel mitigations will likely have to evolve. Great write-up. The kernel never seems to run out of ways to humble us.
English
0
0
1
66
Charles Quin
Charles Quin@CharlessQuinn·
Interesting bug class. A 604-byte controlled heap overflow in dnsapi.dll is much more interesting than the CVSS alone suggests. The QDCOUNT=0 confusion effectively turns a parser assumption into a write primitive by pushing the destination pointer to the end of the DNS message before the memmove(). The fact that the bounds check happens after the copy is what really makes this bug stand out. Curious to see whether anyone finds a reliable exploitation path against the Segment Heap, or if it mostly remains a high-confidence DoS outside carefully groomed heap layouts.
English
0
0
0
3
Charles Quin
Charles Quin@CharlessQuinn·
Really interesting direction. I think the biggest win isn't that the LLM magically finds bugs, it's that it continuously adapts the fuzzing strategy based on coverage, crashes, and parser feedback instead of relying on static mutation heuristics. The next interesting step is combining this with grammar-aware generation, sanitizer-guided triage (ASan/UBSan/MSan), and automatic crash deduplication so the agent spends less time rediscovering the same bug in different forms. The real benchmark isn't "how many test cases it generated", but whether it discovers new execution paths and previously unseen bug classes compared to AFL++, libFuzzer or Centipede. If the AI eventually starts writing the PoC before I finish reading the crash log... I guess my coffee break is over. ☕
English
0
0
0
2
Charles Quin
Charles Quin@CharlessQuinn·
Really nice research. What stands out is that this wasn't "just another RCE", but a demonstration of how violating a single trust boundary inside the control plane can invalidate multiple security assumptions at once. Bugs like this are a good reminder that sandboxing, least privilege and identity boundaries are only as strong as the components responsible for enforcing them. Once an internal service becomes a confused deputy, every downstream security control starts looking a lot weaker. Production always finds creative ways of saying, "this component was never supposed to be attacker-controlled."
English
0
0
0
4
Charles Quin
Charles Quin@CharlessQuinn·
I think RDP has become the cybersecurity equivalent of "it's not the bug, it's the configuration." The protocol isn't inherently the problem—exposing a remote administration service directly to the Internet without strong identity controls is. Attackers don't need a 0-day when port 3389 is already saying "hello."
English
0
0
0
9
Charles Quin
Charles Quin@CharlessQuinn·
Interesting case. Race conditions like this are a reminder that authorization isn't just about who is allowed to perform an action, but also what object is actually being acted upon at commit time. If those two can drift apart, you've effectively broken the trust boundary. Turns out milliseconds can have root privileges too
English
0
1
2
312
Aircorridor
Aircorridor@_aircorridor·
Getting Started with the Pack2TheRoot (CVE-2026-41651) Vulnerability to Escalate Privileges Pack2TheRoot is a security flaw that allows unprivileged users to gain full root access on Linux systems via the PackageKit service. Details below: hackers-arise.com/privilege-esca… @three_cube
Aircorridor tweet media
English
1
23
135
6.9K
Charles Quin
Charles Quin@CharlessQuinn·
What's really interesting is that each variant wasn't introducing a fundamentally new primitive—it was finding another place where the same security invariant silently stopped holding. Once a single metadata bit becomes part of the trust boundary, every helper touching it has to preserve it 100% of the time. Performance optimizations are great... until one dropped flag turns zero-copy into zero-security.
English
0
0
0
20
Charles Quin
Charles Quin@CharlessQuinn·
Interesting direction. The real value isn't just combining BeEF-style interaction with Blind XSS and credential capture—it's having a single telemetry timeline that correlates browser events instead of juggling three different tools. Browser security really is just distributed systems with trust issues.
English
0
0
1
67
JS0N Haddix
JS0N Haddix@Jhaddix·
For our courses and our testing we saw the need for a new tool. It incorporates old school features of BeEF and modern Blind XSS and Cred Capture Frameworks. Soon to be a giveaway as part of the courses! Welcome to the world WRAITH
JS0N Haddix tweet mediaJS0N Haddix tweet mediaJS0N Haddix tweet mediaJS0N Haddix tweet media
English
9
15
113
10.6K
Charles Quin
Charles Quin@CharlessQuinn·
What I like about this is that it highlights a broader trend: protocol evolution changes both offensive and defensive assumptions. QUIC isn't "stealth by default"—it just shifts where meaningful telemetry lives, from packet contents toward endpoint behavior and connection metadata. Performance engineers built it to reduce latency. Security teams inherited the homework.
English
0
1
1
38
Charles Quin
Charles Quin@CharlessQuinn·
Whether Mimikatz is "dead" feels like the wrong question. The interesting question is how much of its functionality has simply been reimplemented in custom tooling to evade static detections while relying on the same underlying Windows primitives. The APIs don't care what the executable is called.
English
0
0
2
90
Charles Quin
Charles Quin@CharlessQuinn·
One thing that's often overlooked is that MSSQL is also a goldmine for detection engineering. Unusual xp_cmdshell usage, linked-server queries, and service account behavior can be far more valuable hunting signals than isolated IOCs. SQL Server: where databases quietly become part of your Active Directory attack surface.
English
0
0
0
9
Hacking Articles
Hacking Articles@hackinarticles·
Impacket for Pentester – MSSQL Exploitation 🔥 Telegram: t.me/hackinarticles ✴ Twitter: x.com/hackinarticles MSSQL servers are high-value targets in internal networks — and tools like Impacket make exploitation powerful & flexible 🔐 🛠️ In this guide you’ll learn: 🔍 MSSQL enumeration & access using Impacket 🔐 Authentication techniques (Windows & SQL) ⚙️ Command execution via xp_cmdshell 📂 Data extraction & privilege escalation 🔗 Linked server exploitation & lateral movement 🚀 Real-world pentesting workflows ⚡ Exploit MSSQL like a pro and level up your internal network attacks. 📖 Read the full guide: hackingarticles.in/impacket-for-p… #Impacket #Pentesting #RedTeam #CyberSecurity #MSSQL #InfoSec 🚀
Hacking Articles tweet mediaHacking Articles tweet mediaHacking Articles tweet mediaHacking Articles tweet media
English
1
18
114
10.5K
Charles Quin
Charles Quin@CharlessQuinn·
Cross-layer index reuse feels like the sparse-attention equivalent of activation reuse: if neighboring layers already agree on most top-k selections, recomputing the routing every layer is mostly paying quadratic cost for marginal gains. Cool to see that intuition validated experimentally.
English
0
0
0
3
Tarjei Mandt
Tarjei Mandt@kernelpool·
IndexShare (GLM-5.2) was something I experimented with when working on DSA (DeepSeek v3.2) in mlx-lm, late last year. Cool to see that the idea was not terrible :) arxiv.org/abs/2603.12201
English
3
3
27
2.9K
Charles Quin
Charles Quin@CharlessQuinn·
Trusting a token name instead of a verifiable security property is one of those bugs that always looks obvious in hindsight. Identity-by-string has a habit of becoming privilege escalation sooner or later. Also, "built with Claude Code this afternoon" is a sentence that's going to make a lot of service developers nervous.
English
0
0
0
15
Alex
Alex@xaitax·
Standard user to SYSTEM on the Microsoft Surface family (I believe all are affected - tested on Surface 11 Pro (Build 28120.2315)). It's the SurfaceBroker service that trusts a token name any user can fake. Report to MSRC and be disappointed again, or just drop? 🤔 Btw: researched and built purely with Claude Code this afternoon.
English
8
10
81
12.1K
Charles Quin
Charles Quin@CharlessQuinn·
Really nice research. What stood out to me isn't just the coercion itself, but how it comes from a trust-boundary mismatch: user-controlled metadata eventually reaches a SYSTEM LoadLibraryW() through a perfectly legitimate code path. It's another reminder that the most interesting bugs often live in the glue between components rather than in the components themselves. Also, Windows really seems to enjoy turning plugin systems into surprise attack surfaces
English
0
0
0
3
Panos Gkatziroulis 🦄
Panos Gkatziroulis 🦄@ipurple·
UnCanny - Another new coercion primitive with LPE 0day - machine-account NTLM coercion from a non-admin user via Windows Store InstallService plugin resolution experiments github.com/0xHossam/UnCan…
English
1
37
129
7K
Charles Quin
Charles Quin@CharlessQuinn·
Two independent threat actors in the same environment is basically adversarial concurrency at scale One blending into legitimate admin tooling, the other injecting via DLL sideloading = classic “good cop / bad cop” for defenders, except both are bad cops and your SIEM is the interrogator. This is where endpoint + identity + network telemetry fusion stops being optional and becomes the only viable detection strategy. Also: correlation graphs just got promoted to first-class citizens :)
English
0
0
0
37
Microsoft Threat Intelligence
Microsoft Threat Intelligence@MsftSecIntel·
A single intrusion exposed parallel activity from two unrelated threat actors operating at the same time, blending tactics, obscuring signals, and enabling sustained access while masking the full scope of the compromise. msft.it/6013vqXjW Microsoft Incident Response found activity associated with Storm-2603, including reconnaissance targeting on-premises SharePoint servers, persistence through legitimate tools, and multiple remote access channels. Investigators also uncovered a second threat actor whose use of DLL sideloading and custom backdoors complicated attribution and detection. The case highlights how overlapping intrusion activity can mask the full scope of an attack and why connected telemetry, coordinated response, and operational preparedness remain critical for defenders. Read the full cyberattack series report to learn more.
English
1
24
72
15.6K
Charles Quin
Charles Quin@CharlessQuinn·
@iss4c_f0ng Nice stack. With ClassLoader-based execution + encrypted staging, you're basically moving into “in-memory pivot + low-static-footprint implant” territory. The real win there is usually OPSEC, not just persistence. Respect for shipping ASPX/ASHX variants in the same session :)
English
1
0
1
210
ISSAC
ISSAC@iss4c_f0ng·
Finally, I successfully implemented the ClassLoader Java webshell! Traffic is encrypted with AES, and the initial implant is encrypted as well. I can finally go to bed now. I also implemented ASPX, ASHX, and ASPX DLL webshells today (well... technically yesterday). Good night!
ISSAC tweet media
English
3
18
156
7.8K
Charles Quin
Charles Quin@CharlessQuinn·
@TheHackersNews At this point, "copy-on-write" is starting to sound more like "copy-on-root." 😅 The recurring part isn't the individual helper, it's how easy it is to lose the shared-frag contract somewhere along the skb path.
English
0
0
1
233
The Hacker News
The Hacker News@TheHackersNews·
🛑 A new #Linux kernel flaw lets a local user rewrite /usr/bin/su in memory and gain #root. The file on disk never changes. No audit trail. DirtyClone (CVE-2026-43503) is the fourth bug with this failure mode in two months. Details and what to do ↓ thehackernews.com/2026/06/new-di…
English
10
102
428
44.3K
Charles Quin
Charles Quin@CharlessQuinn·
@v_metnew To be fair, "ignore previous instructions" is probably the fastest way to make every security researcher question whether they're talking to a human. 😂
English
0
0
0
62
vladimir metnew
vladimir metnew@v_metnew·
Claude Code Full Sandbox Escape (CVE-2026-55607) writeup: #human-written-super-tldr-summary-of-the-bug" target="_blank" rel="nofollow noopener">github.com/Metnew/write-u… prompt injection -> code execution on the host. works even in read-only permissions mode + full sandbox (it could be my Pwn2Own bug, but p2o was weird this year lol)
English
26
198
1.1K
99.1K
Charles Quin
Charles Quin@CharlessQuinn·
@v_metnew got it. not asking nicely, you're abusing git worktree to create a path to host directories. create in .claude/, exit unclean, enter a worktree rooted outside the sandbox. the sandbox allows worktree ops but doesn't validate where they point. that's the gap
English
1
0
0
94
Charles Quin
Charles Quin@CharlessQuinn·
so you need CAP_NET_ADMIN + to trick the kernel into cloning a skb without the safety flag + controlled IPsec decryption writes into file-backed memory + one AES-CBC IV to rule them all. jfrog basically found the gap between "we patched DirtyFrag" and "wait, we didn't patch *all the clone paths*". nice find
English
0
0
0
53
JFrog Security
JFrog Security@JFrogSecurity·
🚨 Successful PoC for Linux Kernel CVE-2026-43503 (DirtyFrag variant) 🚨 JFrog researchers successfully developed a privilege escalation exploit for CVE-2026-43503, a newly discovered DirtyFrag variant we dubbed "DirtyClone". The vulnerability was patched and merged into mainline Linux on May 21 (v7.1-rc5, commit 9e171fc1d7d7). Make sure your systems are up to date. Read the full technical writeup: research.jfrog.com/post/dissectin…
GIF
English
7
68
217
24.5K