heapgrooming

989 posts

@ghost1nwires

goes brrrr 🍉

libevil.c · Joined June 2020
2.1K Following · 116 Followers
heapgrooming (@ghost1nwires):
the goal? starlabs
heapgrooming retweeted
LaurieWired (@lauriewired):
no one’s gonna believe me but becoming a good speaker is really easy just record yourself for 10 minutes every day, first thing in the morning. don’t send it to anyone, just force yourself to watch it later. you’ll notice every possible flaw you can imagine.
heapgrooming retweeted
BreakGlass Intelligence (@BreakGlassIntel):
We also built a free tool to monitor for new Coruna DGA registrations. It watches Certificate Transparency logs for 15-character alphanumeric .xyz domains, checks if they were registered via Gname.com Singapore, scores each match, and alerts you. Runs continuously or on-demand. Webhook support for Slack/Discord. If UNC6691 registers new DGA domains, this catches them. Happy Hunting :) github.com/vuln/breakglas…
Quoted post, BreakGlass Intelligence (@BreakGlassIntel):

We took this further. Starting from the DGA domains you exposed via XLAB PDNS, we mapped the full UNC6691 infrastructure. 6 Cloudflare accounts for compartmentalization. DGA domains batch-registered Dec 11-13 via Gname.com Singapore. A custom DGA we couldn't crack with standard hash-based reconstruction. The takedown timing is the story: 4 of 5 DGA domains placed on serverHold March 5, 2026 — the same day CISA added 3 Coruna CVEs to KEV. One domain was spared (aidm8it5hf1jmtj.xyz, different registrar). Possibly a monitoring position. Watering holes still live: b27.icu ("7P.GAME" with TikTok ad pixel) and iphonex.mjdqw.cn ("Global Beauty Ranking"). Full analysis: intel.breakglass.tech/post/plasmagri…

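An added example, not BreakGlass's tool, showing the matching-and-scoring logic the post describes over constructed CT-log style entries. A CT log carries no registrar, so the `registrar` key is an assumed shape for a separate WHOIS/RDAP lookup attached to each entry; the sample data is constructed, apart from the one domain quoted in the post.

```python
import re
from typing import Dict, List

# Pattern from the post: a 15-character alphanumeric label directly under .xyz.
DGA_LABEL_RE = re.compile(r"^[a-z0-9]{15}$")
# Registrar named in the post. The "registrar" key is an assumed shape of a
# WHOIS/RDAP lookup result attached to the entry, not a real CT-log field.
SUSPECT_REGISTRAR = "gname.com singapore"


def registrable_domain(name: str) -> str:
    """Collapse CT SANs such as '*.x.xyz' or 'www.x.xyz' to the registrable 'x.xyz'."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def score_entry(entry: Dict[str, str]) -> int:
    """0 = no match, 1 = DGA-shaped .xyz name, 2 = also registered via the suspect registrar."""
    domain = registrable_domain(entry.get("domain", ""))
    label, _, tld = domain.rpartition(".")
    if tld != "xyz" or not DGA_LABEL_RE.match(label):
        return 0
    score = 1
    if entry.get("registrar", "").lower() == SUSPECT_REGISTRAR:
        score += 1
    return score


def hunt(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One alert per registrable domain (certs repeat), keeping the highest score seen."""
    best: Dict[str, int] = {}
    for e in entries:
        s = score_entry(e)
        if s:
            d = registrable_domain(e["domain"])
            best[d] = max(best.get(d, 0), s)
    return sorted(({"domain": d, "score": s} for d, s in best.items()),
                  key=lambda a: (-a["score"], a["domain"]))


# Constructed sample entries (not real CT data); the first domain is quoted in the post
# and, as the post notes, sits at a different registrar, so it scores 1 rather than 2.
SAMPLE_ENTRIES = [
    {"domain": "aidm8it5hf1jmtj.xyz", "registrar": "Other Registrar LLC"},
    {"domain": "*.aidm8it5hf1jmtj.xyz", "registrar": "Other Registrar LLC"},
    {"domain": "www.q7z2k9m4p1x8r3v.xyz", "registrar": "Gname.com Singapore"},
    {"domain": "login.example.com", "registrar": "Gname.com Singapore"},
    {"domain": "short.xyz", "registrar": "Gname.com Singapore"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_ENTRIES):
        print(alert)
```

Scoring rather than filtering is the point: a registrar-only rule would have missed the spared domain the post mentions, while the name shape alone still flags it for review.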
heapgrooming retweeted
Gen Threat Labs (@GenThreatLabs):
You trust login[.]microsoftonline[.]com. So does your email gateway. Attackers know this — and they're using Microsoft's OAuth redirect to send victims from that trusted domain straight to credential harvesting pages. No vulnerability. Just a feature doing exactly what it's told.

How: attackers register a multi-tenant Azure OAuth app with a malicious reply URL, then craft an /authorize request with prompt=none. When auth fails silently, Microsoft's JS fires the urlAppError handler and redirects the browser to the attacker's domain. The entire redirect originates from Microsoft's infrastructure. This bypasses URL filters that whitelist Microsoft login domains. Victims see a legitimate address bar the whole time.

Lures typically pose as DocuSign, Adobe Acrobat Sign, or "sharing link violation" alerts.

Redirect chain ITW: login[.]microsoftonline[.]com/common/oauth2/v2.0/authorize?client_id=... → securedoc9a09b4dfda82e3e[.]rentawareinc[.]com (302) → pub-ac3265049b9b4c1ebf987170df4fcce0[.]r2[.]dev (phishing page)

@Microsoft wrote about OAuth redirect abuse here: microsoft.com/en-us/security…

#phishing #OAuth #Microsoft
heapgrooming retweeted
Low Level (@LowLevelTweets):
>be me
>go to sleep
>wake up
>vim local code execution
>emacs local code execution
>axios supply chain
heapgrooming retweeted
Ruikai Peng (@ruikai):
My 10k-word writeup on exploiting a heap-overflow in Llama.cpp's RPC Server's Tensor-operation to RCE. This is by far one of the most challenging but fun exploitations I've ever researched. retr0.blog/blog/llama-rpc…
heapgrooming retweeted
chiefofautism (@chiefofautism):
someone at ANTHROPIC just showed CLAUDE finding ZERO DAY vulnerabilities in a live conference demo. claude has found a zero day in Ghost, 50,000 stars on github, never had a critical security vulnerability in its entire history... it found the blind SQL injection in 90 minutes, stole the admin api key, then did the exact same thing to the linux kernel
heapgrooming retweeted
Karsten Hahn (@struppigel):
I have said this quite a few times, but there is this misconception that the scanning engines on VT tell you whether the AV product detects the malware. They do not.
heapgrooming retweeted
m_11 (@instance_11):
the ‡ is in the details
heapgrooming retweeted
𝖽𝖺𝗎𝗌 (@vicevirus2):
Got my first Chrome CVE! This was surfaced by my agentic pipeline, though the PoC was put together with a bit of manual work, AI, and a lot of digging through similar older reports and commits, since it was my first time and I honestly did not understand much of the codebase or how a PoC was supposed to be done for this case initially. I’ve also had a few other CVEs surfaced by my pipeline over the past few months, and I might write about those some other time
heapgrooming retweeted
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx):
We promised and we delivered 🔥 Teamed up with my Binja (IDA supremacy but we don't need to talk about that rn 😂) buddy @sudo_Rem 💙 to exorcise this lil Demon 😈 From the spam bombing and fake Outlook patches all the way down to the Havoc Demon. DLL side-loading, Hell's Gate, Halo's Gate... detours... this one had it all. Go give it a read 👇
Quoted post, Rem (@sudo_Rem):

🧑‍💼"Your Outlook has an issue. Let me help you fix it." @HuntressLabs Threat Hunting and Tactical Response teams join forces to open new pages on an old playbook, leading to custom Havoc agent deployment via sophisticated DLL side-loading. huntress.com/blog/fake-tech…

heapgrooming retweeted
vx-underground (@vxunderground):
I need to clarify this after I received feedback. Claude has some benefit for reverse engineering; for low-level Windows stuff it can be iffy. The reason why it's iffy is because it's lots of undocumented material, hence nothing for it to train on. High level and readily documented languages it (apparently) does very well. I haven't used it for anything other than basic Python scripts or Powershell scripts for automation or testing. However, I'll take the audience's word for it that it does very well. Once again, as is tradition, AI is a tool and it can be great when used by the right people. Prior to AI, I had been programming for a very long time, so for me it allows me to move at a much faster pace. If you're a noob then AI can be a recipe for disaster. If you're a noob to programming, I recommend not copy-pasting from AI. Manually type what it gives you so you can "feel" what's happening, and it makes you actually examine what it's delivering. I also recommend asking lots of questions and doing independent research. Otherwise you won't learn and you'll become dependent on it as a crutch rather than a tool. I also advise noobs to be skeptical of the hype. Vendors want hype to generate more revenue. Skepticism is healthy. Thanks for coming to my TED Talk (again).
Quoted post, vx-underground (@vxunderground):

I don't understand why everyone is so obsessed with Claude and OpenClaw

heapgrooming retweeted
vx-underground (@vxunderground):
Yes, I've tried Claude. It was okay. I primarily do malware development and reverse engineering, so there are many times Claude will say, "that's not in my training data". Alternatively, I'll notice Claude is wrong and it'll say "you're absolutely right!". It's cool, I guess. As is tradition, Claude and ChatGPT feel more like fancy search engines than anything else. For reverse engineering Claude has been pretty helpful. It helps rapidly speed up what I'm doing. Sometimes Claude picks up on details I've missed. My biggest thing about AI though is that, while I enjoy it as a tool, I learned to program because I like problem solving. Even if AI spoon feeds me the solution I like to review the code, research what it has shown me, etc. I don't like having a machine do all the thinking for me. I enjoy the process of failure and exploration. Maybe others don't want to think, but not thinking defeats the purpose of why I chose this career field. Maybe I sound like a boomer or loser, or something, I don't know, but I still very much like thinking and struggling. Thanks for coming to my TED Talk.
heapgrooming retweeted
RussianPanda 🐼 🇺🇦 (@RussianPanda9xx):
NEW BLOG: The Great VM Escape 💕 We caught threat actors deploying a VMware ESXi exploit toolkit in the wild - potentially was a zero-day developed over a year before VMware's disclosure 👀 If anyone has thoughts on it let me know, but I needed almost a full case of beer to wrap my head around this one 🍺 Full technical breakdown 👇 huntress.com/blog/esxi-vm-e…
heapgrooming retweeted