Hey @bytecodevm (eleven red pandas 🐼🐼🐼🐼🐼🐼🐼🐼🐼🐼🐼), got any spicy bytecode / VM / language implementation / JIT / music

Joined November 2010
7,071 Photos and videos
eleven red pandas retweeted
Next Exploit: Tenda F451 — Multi-CVE Exploitation Framework CVE-2026-11556: WriteFacMac command injection (mac parameter) CVE-2026-11557: Stack overflow chain (fast_setting_wifi_set) Soon on gibliz 0days #exploit #0days #CVE #CVSS #security #hacking
CVE-2024-1065 is a physical-page use-after-free in the ARM Mali GPU kernel driver. Because the freed page lands in MIGRATE_MOVABLE, Dirty Pagetable and Dirty Cred do not apply — so this writeup uses a page-cache spray to swap the freed page into the in-memory copy of /usr/bin/passwd and gets root via execve() without touching disk. core-jmp.org/2026/06/cve-202… #ARMMaliGPU #ARM64 #CVE20241065 #DirtyPagetable #kernel #KernelExploit #KernelExploitation #KernelShellcode #KernelUAF #LinuxKernel #LinuxKernelExploitation #LocalPrivilegeEscalation #MaliExploitation #MIGRATE_MOVABLE #PageCacheCorruption #PageCacheExploitation #PhysicalPageUAF #PrivilegeEscalation #ProjectZero #shellcode #SUIDExploitation #UseAfterFree
A walkthrough of a classic-but-still-effective Active Directory attack: how write access to an SMB share — plus a single .lnk file — lets an attacker capture Net-NTLMv2 hashes from every user who simply browses the folder, with no clicks, no payload execution, and almost no EDR signal. core-jmp.org/2026/06/weaponi… #ActiveDirectory #CredentialTheft #DomainCredentials #ForcedAuthentication #LNK #NetNTLMv2 #NetExec #NTLMCoercion #NTLMRelay #ntlm_theft #PasstheHash #Pentesting #Responder #SCF #SMB #SMBShareMisconfiguration #SMBSigning #Sysmon
Praetorian’s Centurion is a virtualized loader built around a custom x86-64-inspired ISA and freestanding C runtime, where the PE loader, TLS stack and HTTP client all live behind the interpretation layer. The result — a TLS bind shell running inside a custom VM, shipped in roughly a week of LLM-assisted development. core-jmp.org/2026/06/centuri… #AgenticAI #AIAgents #BOF #BYOEE #Bytecode #Centurion #ClaudeCode #CustomISA #EDREvasion #LLMassistedDevelopment #LLVM #loader #mbedTLS #PayloadVirtualization #Praetorian #redteam #RedTeamTools #VirtualizedLoader #x8664
eleven red pandas retweeted
RSA private keys biased toward 0 bits can be factored by swapping a hard math problem for an easy one: integer factorization becomes polynomial factorization. We found hundreds of real-world keys vulnerable to this. Many traced to a type mismatch in CompleteFTP (now patched): each 32-bit limb got only 8 bits of randomness. We recovered 603 RSA and 74 DSA private keys. blog.trailofbits.com/2026/06…
When a Windows stack overflow gives you ~250 bytes of crash-buffer space but a useful Meterpreter payload is 400 bytes, the answer is an egghunter. This walkthrough takes Savant Web Server 3.1 from initial crash to NT-level shell: partial overwrite to defeat the savant.exe null-byte module base, POP EAX RET gadget, a 7-byte conditional jump that exploits pre-zeroed memory, two independent buffers (URL path + HTTP body), then both classic egghunters — syscall-based on Windows 10 (with the NEG trick to encode 0x1C8 null-free) and the OS-agnostic SEH-based variant with a custom dispatcher handler. core-jmp.org/2026/06/egghunt… #BadCharacters #bufferoverflow #Egghunter #gadgets #HeapStaging #INT0x2E #KeystoneEngine #Metasploit #Meterpreter #NtAccessCheckAndAuditAlarm #NullFreeShellcode #PartialOverwrite #POPEAXRET #ROP #SavantWebServer #SCASD #SEHEgghunter #shellcode #StackBufferOverflow #StackOverflow #w00tw00tEgg #WinDBG #WindowsExploitDevelopment #x86
eleven red pandas retweeted
Reverse engineers WhatsApp Web API for custom clients github.com/sigalor/whatsapp-…
CVE-2021-1732 is a Win32k local privilege escalation in win32kfull.sys. By flipping the 0x800 bit on tagWND with NtUserConsoleControl and returning a fake value from a user-mode callback inside xxxClientAllocWindowClassExtraBytes, an attacker turns the cbWndExtra length into a controllable kernel write offset and walks the token to NT AUTHORITY\SYSTEM. End-to-end Metasploit PoC against Windows 10 20H2. core-jmp.org/2026/06/cve-202… #BITTERAPT #CVE20211732 #ElevationOfPrivilege #KernelExploit #LPE #Metasploit #Meterpreter #MSFVenom #NTAUTHORITYSYSTEM #NtUserConsoleControl #OutofBoundsWrite #ReflectiveDLLInjection #Win32k #win32kfullsys #Windows10 #WindowsKernelExploitation #WindowsKernelVulnerability #WindowsLPE #WndExtra
eleven red pandas retweeted
Upscales videos with machine learning without quality loss github.com/k4yt3x/video2x
eleven red pandas retweeted
After “The Art of Evasion” @x33fcon I’m publishing NimSyscallPacker to the public. This is the most advanced public Packer/Loader I’m aware of: github.com/S3cur3Th1sSh1t/Ni…
eleven red pandas retweeted
Didn't realize @HexRaysSA's IDA has a config to decrypt Apple-protected binaries - neat! Even better, Hopper does it automatically 🙌🏼 btw 🔑 is: "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc" @ninja_binary, this would be a great feature to add 🍎🔓
GreatXML is a one-file BitLocker bypass against Windows 11 24H2. Drop an attacker-controlled unattend.xml and ReAgent.xml into the root of the recovery partition; the next Defender Offline reboot honours them at the WinPE Setup pass and spawns an Administrator conhost.exe on top of the splash. The C: volume is already TPM-unsealed at that point, so the shell can cd C: and read everything. No crypto attack, no kernel exploit — just physical access plus two XML files. We reproduce the README, both XML files and both proof screenshots, explain why it works, and give a hardening checklist (TPM PIN, reagentc /disable, recovery-partition integrity). core-jmp.org/2026/06/greatxm… #BitLocker #BitLockerbypass #BitLockerSecurity #DefenderOffline #Diskencryptionbypass #GreatXML #MicrosoftDefender #PhysicalAccessAttack #Physicalaccessexploitation #poc #PrivilegeEscalation #TPM #unattendxml #windows #Windows11 #Windows1124H2 #WindowsDefender #WindowsRecoveryEnvironment #WinRE #ZeroDay
eleven red pandas retweeted
Jun 11
New NightmareEclipse Bitlocker Bypass 0-Day github.com/MSNightmare/Great…
eleven red pandas retweeted
CVE-2026-44815 DHCP Client RCE
call memcpy; memcpy(out, data, len) <-- NO BOUNDS CHECK
rpcrt4!_report_gsfailure+0x129
rpcrt4!Ndr64StubWorker+0x1243
0x41414141`41414141
0x41414141`41414141
0x41414141`41414141
Reaching the trigger requires SCCM managed host?!
eleven red pandas retweeted
THC FUN: Our tmux.conf that we use to upload/download from remote targets (via the terminal/PTY; no new TCP connection): 😜 github.com/hackerschoice/tmu… Try it 👉 Ctrl-b U 👈 No tools installed or needed on the remote target. NO LOGZ == NO CRIME.
A defender-side surface map of Windows kernel/user-mode covert channels — mailslots and ALPC, firmware-table providers and WNF, dispatch tables and writable .data pointers, KernelCallbackTable, MDL-backed mailboxes, GPU/DXGK primitives, page-guard signals, EPT/MMIO, DMA cards, and visual capture. Covers the six-plane channel grammar, PatchGuard exposure classes, and a production detection program with baselines, cross-view validation, and false-positive control. core-jmp.org/2026/06/covert-… #ALPC #AntiCheat #AntiCheatResearch #byovd #CovertChannels #DMA #DMACheats #EDR #EDREvasion #ETW #HVCI #HypervisorSecurity #IPC #KernelAntiCheat #KernelCallbacks #KernelDMAProtection #KernelDriver #MalwareAnalysis #PatchGuard #Rootkit #RootkitResearch #WindowsDriverExploitation #WindowsFilteringPlatform #WindowsInternals #WindowsKernel #Windowssecurity
eleven red pandas retweeted
The business of charging you every month to turn your meetings into a summary just had a very bad day. Microsoft released a model for free on GitHub that swallows a full hour of audio in a single pass and hands it back organized: this was said by one person at minute 12, that by another at minute 34. Who, when and what. No chopping up the audio. No one spending the night cleaning it up by hand. Half the industry that lived off this chore has spent the day staring at the repo in silence. It's called VibeVoice.
eleven red pandas retweeted
Some things are over before they even begin... And in the end, the biggest beneficiary of this whole affair turned out to be that mouse? 🤣
zer0matt's Milan0day 2026 talk walks through a clean BYOVD chain: ThrottleStop.sys (CVE-2025-7771) gives arbitrary physical-memory R/W via MmMapIoSpace, used to inline-patch NtAddAtom into a temporary trampoline. Phase 1 redirects to PsLookupProcessByProcessId to lift the target's EPROCESS pointer; phase 2 redirects to PsTerminateProcess to kill the AV/EDR from kernel mode. Original bytes are restored after each shot to dodge PatchGuard. PoC: github.com/zer0matt/Milan0da… core-jmp.org/2026/06/patchin…