MrAle98

43 posts

@MrAle_98

https://t.co/lQufBuhBpc https://t.co/NT2gveSMGL

Joined January 2021
28 Following, 614 Followers
MrAle98 retweeted
Maybind @MaybindAI
The time is now. Let you be more.
MrAle98 retweeted
Charlie Bromberg « Shutdown »
Tomorrow, python DCShadow will be released during a talk at @_leHACK_, with functional integrity for GSS wrap and unwrap after reversing a couple of DLLs.
MrAle98 retweeted
Charlie Bromberg « Shutdown »
On Saturday 28th, 7pm, I will be giving a talk at @_leHACK_ on how @MrAle_98 and I implemented DCShadow in Python, and how this was the worst project idea 🥲 Code will be released publicly then 📥
MrAle98 retweeted
Andrea P @decoder_it
I just published a blog post where I try to explain and demystify Kerberos relay attacks. I hope it’s a good and comprehensive starting point for anyone looking to learn more about this topic. ➡️decoder.cloud/2025/04/24/fro…
MrAle98 @MrAle_98
@alisaesage Yes, it's an LPE, not a guest-to-host escape. Since it was already outlined by Microsoft in the advisory msrc.microsoft.com/update-guide/v… I thought it wasn't needed to repeat it. However, I understand people may confuse it, and it is better to specify it. Thanks a lot for your feedback!
Alisa Esage Шевченко @alisaesage
Nice research. I'd like to add that the bug has nothing to do with VM escapes, although it affects a Hyper-V component and some people seem to confuse it. It's a local elevation of privileges on the hypervisor host system. Very local and last-in-the-chain attack vector in most real deployments. Still an enlightening disclosure of a Windows Kernel exploit!
MrAle98 @MrAle_98
Developed an exploit for CVE-2025-21333 (quite unreliable): vulnerability in vkrnlintvsp.sys. Exploit code: github.com/MrAle98/CVE-20… Exploits a paged pool overflow overwriting a _IOP_MC_BUFFER_ENTRY*. Hope you find it useful in case it's not already shown 🙂
MrAle98 @MrAle_98
Hey there, finally published the article on the CVE-2025-21333-POC exploit. Here is the link to the article: medium.com/@ale18109800/cve-2025-21333-windows-heap-based-buffer-overflow-analysis-d1b597ae4bae
MrAle98 @MrAle_98
@Zophikel I don't think so. It's an integer overflow followed by a buffer overflow. I think the maximum size of the vulnerable chunk is around 0x60/0x70. So, still in the LFH.
Zophike1 @Zophikel
@MrAle_98 Is there any way to make the chunks bigger so you're not stuck in the LFH?
MrAle98 @MrAle_98
@maxiwee_ Honestly, I did encounter this issue in my env. Try to spawn a Windows 11 and enable only the features that you see in the screenshot.
MrAle98 @MrAle_98
@maxiwee_ It says something like "connection lost" when spawning the sandbox? Try to also enable the other features, like Hyper-V. All the features I've enabled are in the screenshot in the GitHub repo.
maxiwee @maxiwee_
@MrAle_98 After waiting with the sandbox just being stuck, after a while I get an error (from Windows, in a message box) that says something like one of the sandbox's requirements weren't running or something. I tried reinstalling the sandbox, but same thing.
MrAle98 @MrAle_98
@maxiwee_ Don't know. Can you see in Process Hacker that it spawns a process with the name WindowsSandboxClient.exe? Is there a GUID among the params of WindowsSandboxClient.exe?
maxiwee @maxiwee_
@MrAle_98 I did, the sandbox is only stuck on its loading screen though.
MrAle98 @MrAle_98
@maxiwee_ Did you enable Windows Sandbox? Can you start a sandbox from the GUI?
maxiwee @maxiwee_
@MrAle_98 Is it normal that it's stuck on CreateProcessA?
MrAle98 @MrAle_98
Here is the outcome to expect when the PoC is successful.
MrAle98 @MrAle_98
@mdmrrr_34 The vulnerability lies in a driver (.sys). Hashes of the vulnerable driver and of ntoskrnl.exe, used for the exploit, are in the README in the GitHub repo.
MrAle98 @MrAle_98
@Zophikel I couldn't find a way to control the size of the overflow. The overflow is about 0xfff0 bytes. Sometimes it fits in an LFH subsegment, sometimes it doesn't and I get a BSOD. Maybe by doing better spraying it is possible to further minimize the chances of a BSOD.
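The size arithmetic the two replies to @Zophikel describe (an integer overflow that yields a chunk of about 0x60 bytes, followed by a copy that spills about 0xfff0 bytes past it), as an added illustration in C. This is neither the driver's code nor the author's exploit: the 16-bit length field, the 0x10-byte trailer, the request length 0x10050 and the policy bound 0x1000 are assumptions chosen so that the arithmetic lands on the sizes quoted in the thread, and the out-of-bounds write is modelled as a byte count rather than performed.

```c
/*
 * Added illustration (not the code of vkrnlintvsp.sys, not the CVE-2025-21333
 * exploit): the pattern "integer overflow followed by a buffer overflow".
 * ASSUMPTIONS: the allocation size is stored in a 16-bit field, a 0x10-byte
 * trailer is added to the request, and the request length 0x10050 is chosen
 * so the arithmetic reproduces the numbers quoted in the thread (a ~0x60-byte
 * chunk, an overflow of about 0xfff0 bytes).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TRAILER_SIZE 0x10u /* assumed: bookkeeping appended after the data */

/* What the (assumed) vulnerable path hands to the allocator and to the copy. */
typedef struct {
    uint16_t alloc_size; /* request length + trailer, kept in a 16-bit field */
    uint32_t copy_len;   /* caller-controlled length, used as-is by the copy */
} size_plan_t;

/* Vulnerable computation: the sum is truncated to 16 bits before the pool
 * allocation, but the full 32-bit length still drives the copy. */
size_plan_t vuln_plan(uint32_t user_len) {
    size_plan_t p;
    p.alloc_size = (uint16_t)(user_len + TRAILER_SIZE); /* wraps modulo 0x10000 */
    p.copy_len   = user_len;
    return p;
}

/* Bytes a copy of copy_len into a chunk of alloc_size bytes would write past
 * the end of the chunk (0 when it fits). Models the bug instead of doing the
 * out-of-bounds write, so this is safe to run in user mode. */
size_t overflow_bytes(size_t alloc_size, size_t copy_len) {
    return copy_len > alloc_size ? copy_len - alloc_size : 0;
}

/* Hardened computation: one width for every operand, an explicit wrap check,
 * and an upper bound on what a caller may request. Returns the allocation
 * size, or 0 when the request must be rejected. */
uint32_t safe_alloc_size(uint32_t user_len, uint32_t max_len) {
    if (user_len == 0 || user_len > max_len) return 0;   /* policy bound */
    if (user_len > UINT32_MAX - TRAILER_SIZE) return 0;  /* sum would wrap */
    return user_len + TRAILER_SIZE;                      /* cannot wrap here */
}

int main(void) {
    const uint32_t req = 0x10050u; /* constructed request length */
    size_plan_t p = vuln_plan(req);
    printf("vulnerable: request 0x%x -> alloc 0x%x, copy 0x%x, overflow 0x%zx bytes\n",
           req, p.alloc_size, p.copy_len,
           overflow_bytes(p.alloc_size, p.copy_len));
    printf("hardened:   request 0x%x -> %s\n", req,
           safe_alloc_size(req, 0x1000u) ? "accepted" : "rejected");
    printf("hardened:   request 0x50 -> alloc 0x%x\n",
           safe_alloc_size(0x50u, 0x1000u));
    return 0;
}
```

With the assumed layout, a request of 0x10050 bytes truncates to an allocation of 0x60 bytes while the copy still moves 0x10050 bytes, so 0xfff0 bytes land past the chunk; the overflow size is fixed by the wrap, not chosen by the caller, which matches the author's remark that the overflow length could not be controlled. The hardened version rejects the same request on the policy bound before the width problem can matter.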
MrAle98 @MrAle_98
Thanks to @_4bhishek for pointing me to the CVE and doing the patch analysis