Peter Vreugdenhil

831 posts

@WTFuzz

Mitigations bypassed: DEP, ASLR, KASLR, SafeSEH, CFG, Protected Mode, SMEP, PAC** (** list might be incomplete)

Joined February 2010
34 Following, 6.6K Followers
Peter Vreugdenhil @WTFuzz
Following the herd to BlueSky: @wtfuzz.bsky.social. Will start tweeting research stuff again in 2025.
Peter Vreugdenhil @WTFuzz
Ran into a custom XML -> Java deserializer. Limited in what it did. Used reflection to set fields, no setter/getter. Lots of objects blocked. Deserialized object was not used. Exploited it by overwriting static field values on an object that was used in authentication. #ExploitFun
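The static-field write described in the post above, as an added example in Java (not the author's exploit and not the application's code): a toy reflection-only XML deserializer with hypothetical names chosen here for illustration (the AuthConfig class, its allowAnonymousAdmin flag, and the <object>/<field> element syntax). Field.set on a static field ignores the instance passed to it, so the write lands on the class even though the returned object is discarded; the rejectStatics flag shows the fix.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class StaticFieldDeser {
    public static void main(String[] args) throws Exception {
        // Constructed payload: the deserialized object is never used by the app, but the
        // static field write survives because Field.set ignores the instance for statics.
        String payload = "<object class=\"AuthConfig\">"
                + "<field name=\"username\" value=\"guest\"/>"
                + "<field name=\"allowAnonymousAdmin\" value=\"true\"/>"
                + "</object>";

        System.out.println("before:   guest authorized? " + AuthConfig.isAuthorized("guest"));
        Object discarded = ReflectiveXmlDeserializer.deserialize(payload, false);
        System.out.println("after:    guest authorized? " + AuthConfig.isAuthorized("guest"));

        AuthConfig.allowAnonymousAdmin = false;            // reset for the hardened run
        try {
            ReflectiveXmlDeserializer.deserialize(payload, true);
        } catch (SecurityException e) {
            System.out.println("hardened: " + e.getMessage());
        }
        System.out.println("hardened: guest authorized? " + AuthConfig.isAuthorized("guest"));
    }
}

/** Hypothetical class consulted at login; stands in for the unnamed real one. */
class AuthConfig {
    static boolean allowAnonymousAdmin = false;   // static: process-wide, shared by every request
    String username;                              // instance field, the deserializer's intended target

    static boolean isAuthorized(String user) {
        return "admin".equals(user) || allowAnonymousAdmin;
    }
}

/** Minimal stand-in for the custom XML deserializer: reflection only, no setters or getters. */
class ReflectiveXmlDeserializer {
    private static final Pattern OBJECT = Pattern.compile("<object class=\"([^\"]+)\">");
    private static final Pattern FIELD  = Pattern.compile("<field name=\"([^\"]+)\" value=\"([^\"]*)\"/>");

    static Object deserialize(String xml, boolean rejectStatics) throws Exception {
        Matcher o = OBJECT.matcher(xml);
        if (!o.find()) throw new IllegalArgumentException("no <object> element");
        Class<?> cls = Class.forName(o.group(1));
        Constructor<?> ctor = cls.getDeclaredConstructor();
        ctor.setAccessible(true);
        Object target = ctor.newInstance();

        Matcher f = FIELD.matcher(xml);
        while (f.find()) {
            Field field = cls.getDeclaredField(f.group(1));
            // The fix: a deserializer should only ever populate instance state.
            if (rejectStatics && Modifier.isStatic(field.getModifiers())) {
                throw new SecurityException("refusing to write static field "
                        + cls.getName() + "." + field.getName());
            }
            field.setAccessible(true);
            // For a static field the 'target' argument is ignored: this writes AuthConfig.allowAnonymousAdmin.
            field.set(target, convert(field.getType(), f.group(2)));
        }
        return target;
    }

    private static Object convert(Class<?> type, String raw) {
        if (type == boolean.class || type == Boolean.class) return Boolean.parseBoolean(raw);
        if (type == int.class || type == Integer.class) return Integer.parseInt(raw);
        if (type == String.class) return raw;
        throw new IllegalArgumentException("unsupported field type " + type.getName());
    }
}
```

Run with `java StaticFieldDeser.java` (JDK 11 or later). The first deserialize call flips AuthConfig.allowAnonymousAdmin, so "guest" passes the check afterwards; the hardened call refuses before writing. Two checks belong in any such deserializer: the Modifier.isStatic rejection above, and an allowlist of classes it may instantiate, since a block list (which the post says the real one had) only needs one overlooked class that is reachable from the authentication path.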
Peter Vreugdenhil @WTFuzz
It’s always convenient when the app you are poking at has a straight up “please execute this command for me” api endpoint once you bypass the auth.
mdowd @mdowd
It's exhausting being the anchor being
Peter Vreugdenhil @WTFuzz
After mainly writing PoCs in Python and C I just finished a PoC written entirely in Java. I was too lazy to rewrite their auth lib in Python, but what a frustrating experience. 1/10 would not recommend. Anyways, auth bypass + command injection means:
[image]
Peter Vreugdenhil @WTFuzz
@zlowram_ @alexjplaskett Looks like I have a bit more than 2 months to waste time trying to find the perfect LaTeX lib to generate slides that can display objects in memory and their relationships. Leaving me 2 weeks for actual content 😁
Sergi Martinez @zlowram_
@WTFuzz @alexjplaskett Came here to also say OffensiveCon, and they've just opened the CFP today. Hope to see you there, Peter! 🙂
Peter Vreugdenhil @WTFuzz
I’m thinking about turning some recent Windows kernel research and exploits into a talk. Does anyone have suggestions for conferences that currently have their CFP open or will open shortly?
Rodrigo Branco @bsdaemon
@WTFuzz @alexjplaskett Offensive is great, I highly recommend. @h2hconference has a revolving CFP (we accept submissions at any time, even though we do announce it only when we have dates/venue for the year). This year will be our 21st year anniversary.
Alex Plaskett @alexjplaskett
@WTFuzz OffensiveCon CFP isn’t open yet, but I assume it will be at some point soon, with it in May. Highly recommended.
Peter Vreugdenhil @WTFuzz
After many years and tons of fun I left Exodus Intelligence recently. Enjoying some nice time off right now, spending time with the kids and not IDA 😁 No plans yet for 2024 but I’m sure something exciting will show up.
Peter Vreugdenhil @WTFuzz
I had almost forgotten what an assault Vegas is on the eyes and ears, but Vegas was luckily kind enough to remind me real quick.
Peter Vreugdenhil @WTFuzz
Been a few years, but I'll actually be in Vegas for #bh2022 hoping to run into folks I haven't seen in ages.
Peter Vreugdenhil retweeted
Exodus Intelligence @XI_Research
Hopes are high that some normalcy can return in 2021 and we can see our colleagues again at Blackhat. We're hosting an in-person 5-day training around that time and looking for feedback on timing. Plan before, during, or after the conference?
Peter Vreugdenhil retweeted
Exodus Intelligence @XI_Research
We're looking for someone to take on our infrastructure, grow it, secure it, modernize it, automate it, and generally make it more awesome. If you live in central Texas and are interested in starting a dialog, reach out to us via careers@exodusintel.com ninjajobs.org/job/4d179c3280…
Peter Vreugdenhil retweeted
Exodus Intelligence @XI_Research
2019 was a great year for Exodus and 2020 is going to be even better. We're expecting to expand the team on a variety of fronts. If interested, visit exodusintel.com/careers.html and email careers@exodusintel.com with a CV and references/published work.
Peter Vreugdenhil @WTFuzz
ntdll!LdrpSetProtection(0xaddr, 0) is a good function for x64 exploits. 2 args and a fake PE header (9 values) at 0xaddr and it'll mark it as RWX for you. Too bad it's not exported. Byte match: 48 89 5C 24 08 55 56 57 41 54 41 55 48 83 EC 40 45 33 C0 0F B6 EA 4C 8B E1 48 8B D1
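A signature scanner for the byte pattern in the post above, as an added example in Java (not the author's tooling): it parses the space-separated hex signature, accepts "??" wildcards for bytes that may differ between builds, and reports every hit so a non-unique signature is noticed. The scanned buffer is constructed here (int3 padding with the prologue planted at a chosen offset); in real use it would be the executable section of the loaded ntdll image, which this example does not read. The fake PE header layout the post refers to is not shown, since the post does not give it.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class SigScan {
    /** The 27-byte prologue quoted in the post. Decoded: mov [rsp+8],rbx; push rbp; push rsi;
     *  push rdi; push r12; push r13; sub rsp,40h; xor r8d,r8d; movzx ebp,dl; mov r12,rcx; mov rdx,rcx */
    static final String LDRP_SET_PROTECTION_SIG =
        "48 89 5C 24 08 55 56 57 41 54 41 55 48 83 EC 40 45 33 C0 0F B6 EA 4C 8B E1 48 8B D1";

    /** Parse "48 89 ?? 24" into byte values; -1 marks a '??' wildcard. */
    static int[] parse(String sig) {
        String[] tok = sig.trim().split("\\s+");
        int[] out = new int[tok.length];
        for (int i = 0; i < tok.length; i++) {
            out[i] = tok[i].equals("??") ? -1 : Integer.parseInt(tok[i], 16);
        }
        return out;
    }

    /** First offset >= from where pat matches hay, or -1. Wildcards match any byte. */
    static int find(byte[] hay, int[] pat, int from) {
        outer:
        for (int i = Math.max(from, 0); i + pat.length <= hay.length; i++) {
            for (int j = 0; j < pat.length; j++) {
                if (pat[j] != -1 && (hay[i + j] & 0xFF) != pat[j]) continue outer;
            }
            return i;
        }
        return -1;
    }

    /** All match offsets. More than one hit means the signature is not unique and must be tightened. */
    static int[] findAll(byte[] hay, int[] pat) {
        List<Integer> hits = new ArrayList<>();
        for (int off = find(hay, pat, 0); off != -1; off = find(hay, pat, off + 1)) {
            hits.add(off);
        }
        return hits.stream().mapToInt(Integer::intValue).toArray();
    }

    public static void main(String[] args) {
        // Constructed stand-in for a module's executable section: int3 padding with the
        // prologue planted at 0x1234. A real scan would read ntdll's .text from the loaded image.
        byte[] text = new byte[0x4000];
        Arrays.fill(text, (byte) 0xCC);
        int[] pat = parse(LDRP_SET_PROTECTION_SIG);
        for (int j = 0; j < pat.length; j++) text[0x1234 + j] = (byte) pat[j];

        System.out.printf("exact  : 0x%X%n", find(text, pat, 0));
        // Masking the frame-size byte of 'sub rsp,40h' keeps the match if only that byte differs between builds.
        int[] masked = parse("48 89 5C 24 08 55 56 57 41 54 41 55 48 83 EC ?? 45 33 C0 0F B6 EA");
        System.out.printf("masked : 0x%X%n", find(text, masked, 0));
        System.out.println("unique : " + (findAll(text, pat).length == 1));
        System.out.println("absent : " + find(text, parse("DE AD BE EF"), 0));
    }
}
```

Run with `java SigScan.java`. Two caveats a practitioner would apply before relying on a hit: a prologue-only signature is build-specific, so confirm the match against symbols for the ntdll build you target rather than assuming the post's bytes still hold, and restrict the scan to executable sections so that a copy of the pattern in data (for instance the signature string in your own exploit) is not mistaken for the function.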
Peter Vreugdenhil @WTFuzz
I like how MS keeps insisting that UAC is not a security boundary but they do try to squash bugs and techniques to bypass it. But it is indeed not as sturdy as some of the other protections they have, despite recent changes.